Cisco Source Code Up For Sale: Only $24,000

Posted by CowboyNeal
from the hot-products dept.
spackbace writes "The notorious, mysterious Source Code Club (SCC) has re-emerged, this time selling source code for a Cisco application in another blatant violation of copyright regulations. Believed to be an anonymous collection of hackers, the SCC this week announced in a posting on a group Web site that it is offering the complete Cisco Pix 6.3.1 source code for US$24,000. Cisco Pix is a firewall application providing security, intrusion protection, network monitoring and other services for business and carrier networks."

  • by Anonymous Coward on Thursday November 04, 2004 @06:41PM (#10729754)
    Take a cue from SCO and drop the price to $699. That way EVERYONE will buy it!
  • by Anonymous Coward on Thursday November 04, 2004 @06:42PM (#10729766)
    Although I bet I'm screwed anyhow...
  • $24k? (Score:5, Funny)

    by miles31337 (539573) on Thursday November 04, 2004 @06:42PM (#10729767)
    From my experience with PIXen, it's certainly not worth that...
  • Now that's irony! (Score:5, Insightful)

    by plierhead (570797) on Thursday November 04, 2004 @06:43PM (#10729775) Journal
    One can only marvel at the irony - someone stealing the source code for "a firewall application providing security, intrusion protection, network monitoring and other services for business and carrier networks"!!!
  • At least... (Score:5, Funny)

    by imsabbel (611519) on Thursday November 04, 2004 @06:43PM (#10729781)
    there is no ebay-link this time...
    But still I sense the good old "want to sell something? Advertise with a slashdot story" spirit :)
    • by superpulpsicle (533373) on Thursday November 04, 2004 @10:01PM (#10731292)
      I know slashdotters, make some shit up. Source code is worth nothing until it comes out of some good story.

      A female Russian spy escaped Cisco with the source code after sneaking by an army of Cisco security armed with AK-47s. She walked all the way to eBay headquarters barefoot and delivered 40 floppies in a pizza box. Her only weapon was a 10BaseT ethernet cable.

  • by Anonymous Coward on Thursday November 04, 2004 @06:43PM (#10729782)
    Does anyone here have the source code for Linux OS? I'll pay roughly $2-3 grand via Yahoo Paydirect.
  • by spacerodent (790183) on Thursday November 04, 2004 @06:44PM (#10729788)
    With all the legal cases on "stealing" mp3s, could they charge these people with possession of stolen property?
    • No, they couldn't. The analogy between IP and R(eal)Property is just that, an analogy. Yes, many similar laws exist for both, but the laws for one do NOT apply to the other. There is no law against HAVING illegally copied software. Unless you use the "running it is COPYing it into memory!" idiot's argument, then RUNNING illegally copied software isn't illegal either. Just copying it is. I'll be posting higher in the tree another very interesting point.
  • BUY IT NOW (Score:2, Funny)

    by Anonymous Coward
    and goto jail tomorrow....
  • by jeblucas (560748) <`jeblucas' `at' `gmail.com'> on Thursday November 04, 2004 @06:45PM (#10729798) Homepage Journal
    Is there really such a thing in this day and age? That $24k has to go somewhere. Can't we just follow the money? It seems like this is the kind of thing that the feds would be all over. I see one of those huge multinational Interpol busts in about 5 weeks.
    • by evilviper (135110) on Thursday November 04, 2004 @06:51PM (#10729869) Journal
      Can't we just follow the money?

      No. If we could, Nigerian scams, and old people losing their life savings could be prevented.

      Just have the money wired to you, and pick it up outside the country. Even inside the country, it's nearly impossible to track, because you can show up at any branch, anywhere.
    • by cmowire (254489) on Thursday November 04, 2004 @06:52PM (#10729887) Homepage
      Oh, sure.

      And we'd be able to follow the money of drug dealers, kidnappers, terrorists, etc.

      It's harder than CSI makes it sound.
      • by commodoresloat (172735) on Thursday November 04, 2004 @07:58PM (#10730425)
        Actually, we ARE able to follow a lot of this money, the big transactions at least. More often than not, the money trail goes through very powerful banking interests who have an incentive to keep such trails hidden, and the enforcement falls to agents of governments who have an incentive not to break up these "hidden" economic networks. Read Modern Jihad for an excellent overview of the trail of money funding terrorism for example. The author makes the point that the economic network funding terrorism is also funding many above ground and legit enterprises, and that governments have resisted attacking economic networks that they too depend on for many things (including, ironically, many counterterrorism efforts). I would not be surprised to learn that the same point can be made about other forms of organized crime.
    • Western Union transfer maybe?

      The DDOS blackmailers usually request money transfers using this method or "we dstroy your DNS" as they so eloquently put it :)
    • Yes it certainly will have to go somewhere. When dealing in multiple $24K transactions that place is an unnamed, numbered account. Somewhere. I would put it in the Caymans or some such. In fact I would probably pass it around through a few such accounts in places with non-extradition to 'clean' it up a bit. If you have enough of it, money laundering is shockingly simple in principle.
    • Is there really such a thing in this day and age? That $24k has to go somewhere. Can't we just follow the money? It seems like this is the kind of thing that the feds would be all over. I see one of those huge multinational Interpol busts in about 5 weeks.

      Yes, obviously....that's why the illegal drugs and prostitution were completely wiped out decades ago.

      There are tons of ways to get money anonymously. Anyone smart knows that. I should be getting my million dollars anonymously anytime now, just as s
  • by lateralus_1024 (583730) <mattbaha@gm[ ].com ['ail' in gap]> on Thursday November 04, 2004 @06:45PM (#10729799)
    but I'm in California and I don't want to pay tax on it.
    • Re:I would buy it (Score:3, Informative)

      by spuzzzzzzz (807185)
      BAHAHAHAHA!

      Someone mod this funny! At the risk of ruining the joke by explaining it, it's a reference to the fact that drug dealers in California are required to pay tax.
  • A bit more (Score:5, Informative)

    by erick99 (743982) <homerun@gmail.com> on Thursday November 04, 2004 @06:46PM (#10729821)
    I found this in another article about the same story:

    Also on offer, apparently, is the Enterasys Dragon IDS 6.1 intrusion detection system (IDS) software for $16,000 and an old Napster file sharing code, a snip at $10,000.

    The original name behind the group was one Larry Hobbles who now seems to have disappeared. The Source Code Club is now said to be hawking a list of other stolen code to anyone who buys one full copy of the source code for sale.

    • by ion_ (176174)

      Also on offer, apparently, is the Enterasys Dragon IDS 6.1 intrusion detection system (IDS) software for $16,000 and an old Napster file sharing code, a snip at $10,000.

      Yes, and they also offer a BSD-licensed copy of Linux for $50,000.

  • hell, some time ago ppl used to "free" source code like this just for fun. only greedy kids [google.co.uk] nowadays it seems ;)
    and not smart... or very smart and this is a scam... If I were selling it, first thing would be to contact key agencies/companies anonymously, not this freak high-profile thing. sounds bad. and there are no md5 or something of a few files to prove it is the real thing.
    Seen IOS and other srcs years ago... This is what they get for playing the closed source game: FEAR. :)
  • by evilviper (135110) on Thursday November 04, 2004 @06:48PM (#10729838) Journal
    So, for 24k, you can buy the PIX source code... For what?

    You obviously can't sell a product using this stolen code. A company can't exactly buy it and roll their own version.

    So it's really only good if you want to look for bugs in PIX that you can exploit, and since this is being sold by a group of hackers, you can bet that they've already looked for everything possibly exploitable.
    • Not even close (Score:5, Insightful)

      by Plasmic (26063) on Thursday November 04, 2004 @07:09PM (#10730025)
      The value of this intellectual property is not defined by the cut-and-pasteability of source code into a company's product. Certainly, this is not the likely application for any would-be buyers. Instead, knowing how the #1 router company in the world implements stateful packet-filtering on an embedded device is a very worthy piece of knowledge that can be used as a basis for the design of anything that touches a packet.

      In addition, Cisco spends hundreds of thousands of dollars in their support organization identifying hard-to-find interoperability issues and exception cases, testing things out in the lab, and then coding up fixes. All of these real-world experiences and corresponding code work-arounds that impact every other firewall/VPN/routing product on the market are captured in this source code.

      Cisco PIXes have proprietary integration with third-party products, such as IDS systems, content-filtering proxies (e.g. WebSense), etc. This source code surely exposes these APIs, which are covered by Cisco's own NDA with these companies and are coveted by anyone trying to integrate with such closed-source commercial offerings.

      Were it legal, it'd be a bargain!
      • Re:Not even close (Score:3, Interesting)

        by evilviper (135110)

        knowing how the #1 router company in the world implements stateful packet-filtering [...] can be used as a basis for the design of anything that touches a packet.

        Stateful packet filtering is not an art. You could just as easily look at the code for a BSD-licensed packet filter, and get the same functionality.

        This source code surely exposes these APIs, which are covered by Cisco's own NDA

        You could bribe someone who has signed an NDA for less than $24,000, and you'd get actual specs, not just source code

    • "You obviously can't sell a product using this stolen code. A company can't exactly buy it and roll their own version."

      I think SCO would beg to differ...

  • oh well (Score:5, Interesting)

    by hpavc (129350) on Thursday November 04, 2004 @06:51PM (#10729875)
    If you follow (or try) the people that can read tcpdump (or similar) logging like plain English and then in turn generate the packets to interact (exploit) what they see, I doubt having PIX source code would matter much.

    Also the 'IDS' features of the PIX are static and pretty mundane and not tied to the IDS product so I am sure most people know how to get around them.
  • Weekend project (Score:4, Interesting)

    by lateralus_1024 (583730) <mattbaha@gm[ ].com ['ail' in gap]> on Thursday November 04, 2004 @06:51PM (#10729877)
    1)Purchase SCC's code: $24k
    2)Purchase Linksys W54G from BestBuy
    2.5) Port SCC code onto W54G.
    3)Resell Modded Linksys W54G to Fry's Electronics
    4)Profit!!!!
  • Boy I'd love to get my hands on the source of the Cisco Link Status meter so I could hack it and have a working LSM for my 350 series Cisco radiocard in Linux.
  • FBI Sting (Score:2, Informative)

    by Honest Man (539717)
    Who'd bet this is more likely an FBI sting to get people who would use/modify/resell this code.... It wouldn't be the 1st time they did it.
  • Shouldn't matter (Score:2, Informative)

    by Anonymous Coward

    So what if the source code is available? If the device is any good, availability of source code shouldn't make any difference to the security.

  • I'm not sure the source code to a huge programme is useful.

    About the only thing you can do with it, without *understanding it*, is compile it and use the binary (and stealing the binary in the first place is much easier than the source.)

    The effort required to understand a large programme is vast. It's far easier just to buy a license.

    --
    Toby
    • by kalvyn (561263) on Thursday November 04, 2004 @07:24PM (#10730134)

      I disagree with the above statement.

      Having the source to even a large program can be incredibly useful. Obtaining the source would lead to a higher level of understanding of the way Pix firewalls work. Knowing exactly how it is coded, being a closed-source product, you would now have the possibility to have exclusive knowledge to flaws in the code.

      Now, one hacker trying to sort through all of the code by oneself could take a very long while, unless it is well documented. Consider the possibility that a hacker group acquired it. Say 12 hackers. You could divide it up and find flaws much quicker.

      Given the wide use of Pix firewalls, it could end up being a skeleton key to thousands of corporate networks, assuming of course that it is the real deal.


      All code has at least one bug...
  • Pointless (Score:4, Insightful)

    by retro128 (318602) on Thursday November 04, 2004 @07:06PM (#10730006)
    Anyone who would pay for this would have to be an absolute idiot. First of all there is no guarantee the source code is even the real thing. If it isn't as advertised, what are you going to do? Take an anonymous Russian hacking group that you knowingly bought stolen IP from to court? It's like the guy who calls the police and files a report about his pot stash being stolen.
    • Anyone who would pay for this would have to be an absolute idiot. First of all there is no guarantee the source code is even the real thing.

      "Wait a minute, why is it written in LOGO? Something's not right..."
  • I know it's probably not, I'd be impressed if law enforcement was smart enough to try this, and it would likely be viewed as entrapment if they did, but...

    puts on tinfoil hat

    suppose for just a minute that you wanted to contact, trace, and/or otherwise smoke out large numbers of people interested in buying source code to security applications. Might one approach be to
    (a) publicize a code theft
    (b) pose as a 'known' hacker organization selling the code
    (c) fully investigate everyone who contacts you

    I'm lea

  • Details (Score:5, Informative)

    by Rabin Vincent (642528) on Thursday November 04, 2004 @07:09PM (#10730024) Homepage
    The group posted to FullDisclosure [seclists.org] that they will post further announcements in alt.gap.international.sales [google.com].

    Sure enough, here's the CISCO Pix file listing [google.com] and the "newsletter" [google.com].

  • by SinaSa (709393) on Thursday November 04, 2004 @07:10PM (#10730032) Homepage
    I wonder how they work out the values for the source they steal. Is it just based on how long it took them to get it, or do they have a formula like the Ed Norton one in Fight Club?
  • by Anonymous Coward on Thursday November 04, 2004 @07:11PM (#10730051)
    Information wants to cost 24 thousand dollars!
  • by RelliK (4466) on Thursday November 04, 2004 @07:18PM (#10730091)
    pssst, there is another firewall you can download from here [kernel.org] for free!!! Can you believe that??? But shhh! keep it quiet or they'll shut down the mirror.
  • Out of Date (Score:3, Interesting)

    by msaulters (130992) on Thursday November 04, 2004 @07:19PM (#10730097) Homepage
    Geez, 6.3.1 is so old, I've already had to upgrade my Pix twice due to software errors that would cause the box to reset itself under moderate load. Current version is 6.3.4, and there have been a load of fixes. Maybe someone will want to buy it so they can write their own fixes & see if they work better than Cisco's updated version.
  • Get Your Red Hot source Code! Only 24k for you, today!
  • I've thought (stereotypically) that old Eastern Bloc countries are backward and generally lawless (everything is for sale.) So ASS-U-ME'ing the thieves are from one of "those" countries, what's to prevent one of these companies that had their code "stolen" to put out a contract on those thieves? Once the word gets out, I think it would be a much more effective deterrent than say... a couple years in jail.
  • I would rather have the source code for MS bob than
    a pix firewall.
  • firewall? (Score:3, Funny)

    by digifuzz (182844) on Thursday November 04, 2004 @07:41PM (#10730265) Homepage
    If someone stole the source then it's not very effective at keeping people out, is it?

    $24KUSD? Don't think so.
  • Um....ok, pretend I want to buy it, but I'm really a fed. How will they know when they try to collect? This seems like it would be mind-bogglingly easy to catch them red handed, so if there's an angle I'm missing on this someone please fill me in.

  • Not that I particularly trust Cisco, but I wouldn't trust these guys - or any such shadowy group - without going through a MAJOR code audit first. Not sure I'd even pay 24,000 without some guarantee of getting the code.
  • The SCC are my new heroes - I'm sure they'll be caught sooner than later, but damn that's fucking awesome in a hilarious way.
    • No, it's not awesome at all. It's terribly sad, because it's just the kind of ammunition that some assholes need to start calling all open source/free software advocates code thieves.

      I don't want to see that happen.

      GJC
  • by Xoo (178947) on Thursday November 04, 2004 @07:57PM (#10730420) Journal
    From the newsgroup thread [google.com]...

    The SCC team does not expect you to trust us. To address this problem, we will split up the information into many files and you may purchase each part for a fraction of the total price. As your confidence grows with SCC, you may feel compelled to purchase these parts in bulk. Here is an example:
    We are offering you a ~1 gigabyte compressed file for $10,000. We offer this file in 20 50 megabyte parts at $500 per part (10,000/20). You send us $500, we send you part 1. You send another $500, we send part 2. You choose to send $1000 and we send parts 3 and 4, etc etc. The rate that you purchase pieces is entirely up to you. As your confidence grows, we know that you will choose bigger pieces.
    We also include detailed instructions on how to decrypt and put together the pieces, it is a simple process that can be done with any unix computer.


    The problem with this scheme is that critical elements of the source can be intentionally withheld and that those pieces could be sold in all likelihood at a ridiculous amount. I mean if a moronic company actually decided to buy source code from these guys, and they are spending $5,000 on each "piece" of the code, they will want the entire thing. This goes beyond just scamming the software companies... this is almost similar to a Nigerian 419 scam [rica.net] in a way.
  • I hate to be the only one to bring this up, but who says they are breaking copyright law? Assume they only have one copy, and they are selling THAT one copy. If a Cisco employee legally produced a copy of the source code then there is no *COPYRIGHT* law against that copy changing hands as many times as the possessor desires, for profit or otherwise. Yes, someone somewhere probably broke a contract, which carries separate legal ramifications, but in this scenario absolutely no copyright laws have been bro
  • Non-News Item (Score:2, Informative)

    by funk49 (416343)
    Really, I really don't understand why this is a big deal. Anyone worth their salt in trying to take the code and develop the 'sploits doesn't need the source to get 'em. Many groups out there have already reverse-engineered the OS without the source and have plenty of 0-day exploits for the PIX, as well as Checkpoint and many other vendors. These groups are commercial R&D groups as well as hackers.

    Between all the 0-days for Checkpoint and PIX, I honestly don't understand why anyone in their right mi
  • by iplayfast (166447) on Thursday November 04, 2004 @11:27PM (#10731777)
    Or make them Open source and claim for their own! (after all if it's closed source, who knows where it came from). (joke).
