Should You Worry About Cisco's Source Code?
By Steven Vaughan-Nichols | Posted 2004-05-17
Some think the theft of Cisco's IOS source code will prove damaging to the Internet, while others say they're sure the company will be able to quickly stop attempts to exploit its code.

Should ISPs, Web hosting companies and network administrators, the people who live and die by their Cisco routers, be worried about the possible consequences of Cisco Systems Inc.'s IOS source code being stolen? Certainly, in the past, Cisco's IOS, like almost all software, has been shown to have security vulnerabilities.
For example, last year a vulnerability was found, and fixed, in Cisco routers and switches running IOS software that were configured to process Internet Protocol version 4 (IPv4) packets, which meant that essentially all of them were vulnerable to distributed-denial-of-service (DDoS) attacks.
"While this theft is a major issue for Cisco, in general I do not believe it presents a grave threat to the Internet," Wade said. "There is a chance that, armed with the code, a hacker may be able to create a denial-of-service attack.
"However, I imagine that the Cisco IOS software is engineered well enough to stand up to such an attack. Even if an exploit is found, Cisco will be able to provide a patch in a timely manner.
"The interesting point that this theft brings up is the stark contrast between the philosophies of open-source and proprietary systems," Wade said. "With open source, anyone can, and many do, contribute to make the product better. This openness creates a more transparent process.
"With proprietary systems, security is provided through obscurity. If there is a problem with the software, no one will see it unless the code is stolen or released to the general public," he said.
Eric S. Raymond, president of the Open-Source Initiative, also zeroed in on this point. "The theft and publishing of the source code for Cisco's IOS router firmware may mean a wave of exploits against the critical router infrastructure of the Internet may be on its way," Raymond said.
"If that happens, it will be because Cisco ignored one of the iron rules of network security, and experts the world over will be muttering, 'If only IOS had been open-source.'"
In paraphrasing Kerckhoffs' principle, Raymond said, "A cryptosystem should be designed to be secure if everything is known about it except the key information." He continued: "Now that the source code of IOS is circulating in the cracker/phreak underground, we're going to find out if IOS followed that rule. If they didn't, we'll find out the hard way."
"What has this got to do with open source?" Raymond asked. "Well, if IOS had been open-source to begin with, we'd have a firm basis for believing that it passes the Kerckhoffs' test; open source keeps you honest that way. As it is, customers' first notice that they didn't is likely to be chaos and havoc from router compromises.
"Claude Shannon, the inventor of information theory, restated Kerckhoffs' law as: '[Assume] the enemy knows the system,'" Raymond said.
He then offered his own version for the 21st century: "Any security software design that doesn't assume the enemy possesses the source code is already untrustworthy; therefore, never trust closed source."