Slashdot message and discussion.
Printable View
even IF it's true I think it won't have any effect on anything really because
1) I doubt many people will ever see the full claimed 800 mb of code
2) I expect cisco's code to be secure enough to handle this, looking at the ammount of cisco routers and their importance
3) similar issues in the past also didn't have much effect
4) really important routers will be fixed/replaced in time by good admins
5) I can think up more reasons, but blah
besides that I don't really believe it yet
Even if the full source is out there, I agree with neel on this one. It's Cisco, not MS.
I'm going to see if I can procure a copy of the source. Should be interesting.
Keep in mind it's still copyrighted. No publishing of code here please.Quote:
I'm going to see if I can procure a copy of the source. Should be interesting.
I wouldn't do it.
It's proprietary code for a current system.
I'm a good boy now.
I agree primarily with Neel, but I also agree for a slightly different reason. Even the Microsoft code leak took a while before an exploit resulted. The recent Bitmap image Trojan is a result of that leak- but that isn't very serious thus far.
I expect Cisco code to be potentially more secure than Microsoft code- for one thing IOS has far fewer bells and whistles. The decreased focus and functionality means there is less to be flawed.
On a different note, I can think of a couple reasons why Cisco isn't sounding any alarms (yet) even if this story is true:
a) they may want to go back through their own IOS code first to determine if there are any vulnerabilities to even be concerned with and
b) the attackers in alleged possession of the source code would still have to sift through it all to find vulnerabilities themselves before they could begin to exploit anything.
I think one of the reasons an exploit based on the Microsoft code leak took so long is that malicious exploit developers are primarily a lazy bunch. They like to wait for vulnerability announcements and patch releases so that they have a specific service or part of the program to target and a patch to reverse-engineer to find out exactly how to exploit the vulnerability.
Having the source code does open up the possibility of exploits- but only after someone invests the time and effort into researching the code to find its weaknesses.
Just my $.02