Cisco Products Have Backdoors 555
Cbs228 writes "A Cisco Security Advisory released yesterday admits that "A default username/password pair is present in all releases of the Wireless LAN Solution Engine (WLSE) and Hosting Solution Engine (HSE) software. A user who logs in using this username has complete control of the device. This username cannot be disabled." Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?"
Cisco's Life Lesson - Maybe not. (Score:5, Insightful)
There is no doubt that this is the sort of thing that all of the so called "tin-foil hat" crowd has been warning us about for years.
I, for one, welcome the "I-told-you-so"s from our new paranoid overlords.
On a more serious point, and on the paranoid side, I'm sure Cisco is only releasing this information because an employee either threatened to leak this information, or was mis-using this information to his/her own gain...
However, if that's the case, wouldn't Cisco's fix simply change the password? I highly doubt that they will be embarassed enough to have learned a powerful life-lesson.
Well, that depends. (Score:2)
Re:Well, that depends. (Score:2, Interesting)
Re:Well, that depends. (Score:5, Informative)
Re:Well, that depends. (Score:4, Interesting)
hash = getHash(password)
if (hash) {
return (*hash == *storedhash);
} else {
logAuthError("Hash could not be found");
return FALSE;
}
Looks correct, but if I modify getHash to return NULL when the password is a certain string, and logAuthError is actually buried in a separate header, it doesn't actually log an error, it returns TRUE.
Re:Well, that depends. (Score:2)
On another note, I guess the guys at the school lab need to hear this one.
Re:Well, that depends. (Score:3, Informative)
For the same money you'd spend on a Cisco switch you can probably buy a Nortel that'll run circles around the Cisco.
Or, if your tripping over the bags of cash or their just blocking the door, you could spring for a Juniper...
Don't get me wrong, Cisco stuff works, it's just really expensive and their are cheaper more capable equipment on the market...
Re:Well, that depends. (Score:3, Informative)
Or, you could buy a Big Iron [nwfusion.com] switch from Foundry [foundrynet.com] that will blow away most of the offerings from Cisco.
Re:Well, that depends. (Score:5, Interesting)
That's a silly comment. Up until a few hours ago you would have thought Cisco was pretty good. Now they have done a really stupid thing and have been caught red-handed.
The question we should be asking is what else have they done that their customers would object to if they knew about it?
Call me paranoid, but this is exactly the sort of behaviour that I expect from software/hardware manufacturers. Cisco just happened to get caught doing it.
Re:Well, that depends. (Score:3, Offtopic)
I don't mean to be a grammar troll, but clearly you used the wrong tense:
"Cisco actually had a better track record...."
Re:Well, that depends. (Score:4, Funny)
See, what he is explaining is that due to Ciscos inherent stupidity at adding an override all password, their track record, that was once the shit, is now just shit. Get it???
Re:Well, that depends. (Score:5, Insightful)
They continuously use codebase from the opensource parts of the software world and lie about it. The only OSS component they currently admit to is the regexp library. In fact they have used code from xntpd (and were bug for bug vulnerable to NTP exploits), OpenSSL, OpenSSH, so on so forth, ad naseum. When a vulnerability in any of these comes around they never admit it because the IOS sacred cow is supposedly pure and not infected by any opensource (besides regexp). This continues until someone starts running the exploits versus their gear. And after that
They constantly have idiotic ideas like CDP which are insecure by design and turned on by default.
They have promoted a very long list of outright lies including security ones in the exam preparation materials and exam question. That is also besides the fact that Cisco does not consider the analysis for correctness and sane security practice of these materials to be fair use and disallows quoting them. Here is one that has managed to get through:
http://lists.netsys.com/pipermail/full-
There are many others.
So on so forth. Ad naseum. If you think that Microsoft is vile you definitely have not had to do a lot of network engineering especially with Cisco kit...
Re:Cisco's Life Lesson - Maybe not. (Score:2)
Assuming the word has gotten out somehow, I'm not sure how they can change the password on all those systems that are currently out there, without raising the public awareness to the level that motivates them to apply the neccisary patches.
Re:Cisco's Life Lesson - Maybe not. (Score:4, Interesting)
Upgrading firmware or substantive software is always a process of weighing costs v benefits. The costant cost of upgrade is that something breaks and renders years of investment at risk. Bodies in motion tend to stay in motion is almost as true for computers as physical bodies with mass.
So while "just as installable" may be an accurate way of saying a password change is just as installable as a username/password removale, what you are not addressing is the alert that is often needed to light the fire of sysadmins to apply that fix. In this case, anything less than disclosure would have been seen as disengenious as many would not have been given accurate enough information to perform the cost benefit analysis of upgrading.
And a post on
I'm not seeing where you are comeing from or where you are going with this. But it seems important, you may wish to elucidate.
Re:Cisco's Life Lesson - Maybe not. (Score:2, Insightful)
Doesn't sound like much of a fix to me... That barely comes into the category of workaround. Maybe issue-evasion.
I see a great many people buying hardware from Cisco's competitors in the near-future. Like right now. I wonder how long it'll be before we find out what the user/pass pairs are?
USER/PASS (Score:5, Funny)
What do you bet the id set is joshua/pencil?
Re:Cisco's Life Lesson - Maybe not. (Score:5, Insightful)
What makes you think that they don't have a backdoor username/pw as well? It may not be hard coded (they could both be strings that are determined by a hash function, based on the date/time or some other changing value), but I'd bet you they're there, at least on any high end equipment. Why? So that the damn thing is supportable remotely... even after some idiot admin screws up everything else. And, no, resetting the firmware on these things to restore the default admin password isn't acceptable -- simply because in doing so you'd lose all the other settings (bad for two reasons -- 1) they usually take hours or days to setup correctly, 2) if you're accessing the box for support, you probably want to see what the hell happened in case it was a bug).
Re:Cisco's Life Lesson - Maybe not. (Score:5, Informative)
The process goes like this:
Boot device with console cable
Hit ctrl-c during boot
use the proper command to change the configuration register to 0x2142, which means "Start up using OS from flash, but IGNORE configuration in NVRAM".
Use the proper command to boot the device.
You'll then be staring at "Password: " where it will accept an empty string. The configuration is still there (type show startup-config and you'll see the whole thing), but ignored.
Enable yourself. copy start run (bring everything back up).
config t (begin configuration)
username blah password blabla priv 15 (if you have multiple usernames + priv levels)
enable secret blabla (big-daddy enable password)
line vty 0 4 (telnet access)
login
password bla
exit
config-reg 0x2102 (stop ignoring the configuration)
exit
copy run start (save that daddy)
Re:Cisco's Life Lesson - Maybe not. (Score:3, Informative)
Second, once you have the device configured properly, you should back up your configuration with TFTP or over the console to make recovery easy. This way, even if the device itself is fried, you can just dump your config onto a replacement unit and get on with your day.
Re:Cisco's Life Lesson - Maybe not. (Score:3, Interesting)
Exactly. I'd tried "we don't have a backup of the router config" pretty much the same as "we don't have a backup of the webserver" when deciding how badly I'd have to lart the respective administrator. Even little home routers often have
Re:Cisco's Life Lesson - Maybe not. (Score:5, Interesting)
I do not.
IMO, you definitely do not understand how Cisco marketing functions. It took me 5+ years of dealing with it to start understanding it. Basically, every single IOS release they shipped is bug ridden beyond any reasonable limits. Any other company shipping such crap would have failed long ago. They did not. The reason is that they have created cottage industries of "certified specialists" all over the world which will make sure that their customers and employers will never buy anything but Cisco and never hire an unfettered one. Just have a look how many banks run "Cisco Only Networks". The reason for this is simple. They are employed because there is always something wrong and there is always something to fix. Cisco knows this and it will never ever kill what makes 90% of its enterprise sales.
This is also the reason why even Cisco supplied GUI or centralised management solutions never manage some features. This is also the reason why there is no way in hell for you to get anywhere trying to manage Cisco gear using industry standard protocols. Ever tried to do some alteration of IP parameteres on Cisco via SNMP? I am not even talking about rocket science like the diff-serv MIB or the BGP MIB. Ever tried to hook it a proper element manager without few Ms of glue code that does direct CLI? Dream on...
Re:Cisco's Life Lesson - Maybe not. (Score:5, Funny)
Cisco has an evil backdoor that works (initially) at the ethernet level. You send several specially crafted frames to a MAC on the local segment or special packets to the outside interface and the unit will open up a back connection to Cisco. The PIX and ACLs in their router products will not log these or otherwise alert you to their existence. Once the connection is made, Cisco can mirror selected bits of your LAN traffic. Being that most of the internet's traffic flows over Cisco products...
Some history:
In 1928 an American inventor (Henry P. Acket) was working on a method to send extremely low voltage electrical impulses over wires as a covert means of communications. He succeeded in that he was able to use the telephone companies' wires to speak to friends without paying a telephone tax. Early on, his friend Charles Isco was able to put a backdoor in the vacuum tubes with nothing more than a few drops of solder, some tin and flux. Charles showed Acket this and provided some wax cylinders of Acket's supposedly private conversation.
The FBI heard of this and took all their patent-pending information. Acket and Isco were paid the then huge sums of $1M and $500K respectively to shut up.
Fast forward to the 60's.
Early in 1963, J. Edgar Hoover was perusing the FBI archives when he spotted these plans from 35 years prior. He didn't believe it but one of his technical people played Hoover a tape recording made with a successor of the equipment. The tape was of Hoover making dinner reservations at Le Grande Fiste, a homosexual dinner club. Hoover went through the roof. He destroyed all the paperwork and equipment. After months of extreme drug therapy which rendered the technician nearly incoherent, Hoover had him framed for a crime we are all familiar with. The technician's name? Lee Harvey Oswald.
Ahh.. the technology survived
In the 1980s some people from Stanford University were going through recordings of Oswalds. Playing them backwards they could hear the terms "Black Helicopters", "Area 51" and "Backdoor Device". The truly learned already know about black helicopters and Area 51.. but what was this "Backdoor Device" Oswalds was rambling about? Those investigators, Len Bosack and Sandy Lerner, went on to form Cisco.
If you look inside any Cisco product you'll find a small vacuum tube with hacked in piece of tin, some solder and flux.
I present this information at grave risk to myself.
Re:Cisco's Life Lesson - Maybe not. (Score:5, Funny)
I got to this point:
The technician's name? Lee Harvey Oswald.
Before realizing something was wrong with this post.
Re:Cisco's Life Lesson - Maybe not. (Score:4, Funny)
Wally: You are the wind beneath my wings.
Dilbert: Next week I'll tell him the packet must be lost in the "ether" net.
A.C., I could fly higher than an eagle...
Re:Cisco's Life Lesson - Maybe not. (Score:5, Interesting)
I.e. in order to get in through the backdoor, you need to hold down a button for 10 seconds, and the login will be enabled for the next 2 minutes (which should be enough time to change the admin pw if it is forgotten). This would require that the site be physically secure; however would prevent those from remotely accessing the backdoor (unless someone is actually there to hit this 'switch).
Re:Cisco's Life Lesson - Maybe not. (Score:3, Insightful)
Password recovery can be disabled. (Score:3, Informative)
Re:Cisco's Life Lesson - Maybe not. (Score:3, Funny)
Cisco doesn't make mistakes, they define new industry de-facto standards. Expect Juniper to issue a press-release shortly about some of their products having a backdoor as well. They're always followers.
Re:Cisco's Life Lesson - Maybe not. (Score:3, Interesting)
Nobody but a few key developers have a clue that the fix is not actually a fix.
It's just a theory, and if you look at my post, I fully admit - it's paranoid.
Re:Cisco's Life Lesson - Maybe not. (Score:3, Interesting)
I'm very sorry, but if I found out that someone had backdoor'd one of my systems I;d like to know why, and "I thought you were too stupid to ensure your own data" is not an excuse I'd be willing take!
Yes, but - WIRELESS (Score:5, Insightful)
The advisory (that link in the story) was pretty clear that there isn't a way to disable the use of this backdoor without a firmware upgrade.
Re:Yes, but - WIRELESS (Score:3, Insightful)
Second, your proximity to a wireless device doesn't mean you have administrative access even to the device you are associated with.
As has been pointed out repeatedly in this thread, access to the administrative interface of Cisco devices can easily be restricted through the use of a simple Access Control List.
I could give you the vty (telnet) and enable passwords to 100s of devices I've set up that are connected to the Internet right no
I... (Score:2, Insightful)
Re:I... (Score:3, Insightful)
What makes you think that this was a Cisco policy? It's far more likely that this is the work of some rogue coder within Cisco who added it without anyone else's knowledge. It's not as though adding a backdoor password is very tough for somebody who has access to the relevant code. If there aren't detailed code reviews, a backdoor could hide out for a very, very long time.
Re:I... (Score:5, Insightful)
Like the parent said...boneheaded.
And the username/password pair is... (Score:5, Funny)
Re:And the username/password pair is... (Score:5, Funny)
Re:And the username/password pair is... (Score:5, Funny)
Re:And the username/password pair is... (Score:5, Funny)
Re:And the username/password pair is... (Score:5, Funny)
No pr0n when I connect there, but I'll be damned, THAT BUGGER HAS A COPY OF ALL MY FILES!
Re:And the username/password pair is... (Score:3, Funny)
Re:And the username/password pair is... (Score:2, Funny)
1... 2... 3... 4... 5... 6...
Re:And the username/password pair is... (Score:2, Funny)
Re:And the username/password pair is... (Score:5, Funny)
I quote from bash.org [bash.org]:
Re:And the username/password pair is... (Score:2, Redundant)
Trust No One (Score:5, Insightful)
Radio cards? (Score:2, Interesting)
Can we really trust closed-source vendors? (Score:5, Insightful)
But what can anyone do? Are there any open-source makers of networking hardware?
yep (Score:5, Informative)
Taliban Master-Plan to Destroy America (Score:5, Funny)
Taliban leader speaking:
OK troops, here's what we'll do; we will sub-contract from the Pakistanis that are sub-contracting from the Indians that are sub-contracting from the Americans that are outsourcing their I.T. operations, and when WE are the ones coding everything for the Americans, we slip in trojans, viruses and everything else we can think of to screw with their heads!
Once they are all helpless because they've outsourced all the jobs that require an education, we show up and sell them all Edsel automobiles and when they've all killed themselves on the road, we simply take over the country.
Simple.
Your giving away all our secrets! (Score:5, Funny)
There is no workaround. (Score:5, Interesting)
(According to the summary). In fact you can get new firmware, and it's free for everyone so long as you go through the channels. Fair play to Cisco (or at least, well done for recognising a public-relations disaster when they see one!)
I can see why it's useful to have a master password, but really, it was bound to cause major embarassment in the end - the only way it would work is if everyone who knew it (presumably cisco employees) never ever divulged it. That's likely!
Simon
Re:There is no workaround. (Score:2)
Yeah, I remember working for a company that made network storage devices. We had to make sure that we not only didn't have a back door, but that we didn't even know the root password. Lest we be implicated in any information leaked from the company.
Yet we wanted to be able to fix a device even if they forgot their root password. What we settled for was a root password reset that was entirely visible to them at the time so if someone malicious did try to get their information they would at least know as it
Well, definately not buying any of those... (Score:3, Informative)
No workarounds? (Score:5, Insightful)
The Cisco advisory points out that there are no workarounds. This would suggest that the problem cannot be remedied.
However, the advisory also discusses how to obtain new software for their equipment. So it appears that there is a fix to the problem, via a software upgrade. In light of this, the 'no workarounds' stuff is rather misleading -- and when I first read it, it made my draw drop.
Re:No workarounds? (Score:5, Informative)
It's pretty much understood, at least by sysadmins if not the general public, that an issue can always be fixed by a software upgrade. Any vendor saying that an issue *really* can't be fixed, no matter what, typically means that it's a design choice and if you don't like it, switch to another vendor (*cough* Microsoft? *cough*).
Given that, when a vendor says "no workaround available," they mean that your only choice is to upgrade the software. For example, a workaround to a vulnerability in, say, Microsoft's CIFS stack would be to firewall off the ports it uses (though you need to do that on every machine, of course - otherwise it won't be effective, as we've seen so many times).
So, to sum up: workaround = quick fix via configuration or similar, and it's a given that you can fix the problem via a (typically time-consuming) software update.
You have to understand bug-fix parlance... (Score:5, Informative)
The fix is a software patch. Many admins prefer a workaround as a short-term solution (can change simple config in a few minutes). A software patch is obviously more complicated, and often has higher impact on other services.
Recovering passwords (Score:3, Interesting)
I was called by a apartment complex that offered broadband to tenants. Apparently, one of the kids (mostly college students) had taken a networking class or something, and telneted in to the switches, and screwed a bunch of stuff up.
Of course, he changed the password to who knows what, so we had to call Nortel up and read them the serial number from each switch, and they gave us a backdoor password. I belive it was generated by a program they had. We had to verify proof of purchase and everything with the
Your answer (Score:4, Funny)
Yes. Lord, next you'll be asking about patents.
It needs to be there (Score:5, Interesting)
Re:It needs to be there (Score:5, Insightful)
Re:It needs to be there (Score:2, Interesting)
Re:It needs to be there (Score:2)
Re:It needs to be there (Score:5, Insightful)
If I buy a 50 quid wall safe and lose my key, I could probably go into any locksmiths and get a replacement key for that model safe. If I spend 1,000,000 on a bank vault I'd like to think that no generic or master key existed...
Backing away from the analogy quietly for a moment..I think it would be pretty simple(for Cisco) to enable the backdoor login only via a console connected to the serial port and not remotely..
No it doesn't (Score:5, Interesting)
Cisco IOS routers don't have to have a "master password" backdoor; they have a well-defined process for password recovery (typically you connect to the console port, interrupt the boot at the firmware level, and change a register - then you are in with no password and can reset it).
Another example: Livingston PortMasters also don't have a "master password" backdoor. You hook up to the console port, flip a dip switch and use a special login. That issues a challenge string, which you then send to Livingston (or now portmasters.com). You get a respose string and use it to log in, and then you change the password.
The common assumption is that full physical access implies ownership; that is a reasonable assumption (since if someone can get at it, they can take it).
Re:It needs to be there (Score:3, Informative)
Cisco already provides a 'pasword retrieval' for all their routers. The trick is you have to be on site to perform the recovery.
Why there needs to be a master password that can be accessed from ANYWHERE, I don't know. At least make it only wo
Re:It needs to be there (Score:3, Insightful)
I took a short (20 minute) job today, which involved fixing a customer's Cisco Catalyst 2924. There was an enable password set, but no one knew what it was. They wanted to make some network changes, most of which involved changing a couple port configurations. Zzz...
So I, not responsible for the lost password, took the "punishment" for the old admin loosing the password. Aparently the guy doesn't work for them anymore or whatever. Hell, I got p
And that username/password is (Score:2, Funny)
In a word... (Score:2)
I'm sure they do extensive checking against this sort of thing.
You can't trust ANYONE. (Score:5, Insightful)
You can't trust open-source for this, either. Not unless you personally constructed every piece of the device, from the source code, to everything that interacts with the source code, including the compiler, the EEPROM burners, and the chipsets on the device itself.
How do you know that the open source you are looking at actually is the one running in your device? You don't.
How do you know that the code you are looking at, assuming that it is running in the device, wasn't modified by a malicious compiler? You don't.
How do you know that the compiled code, assuming it is compiled correctly, wasn't altered in the transfer to the device? You don't.
How do you know the other onboard chips aren't built with a backdoor, patching, hooking or circumventing whatever code is put in the device? You don't.
What it boils down to is that trust is a very difficult animal, and at some point, you need to draw the line. Looking at the source is a meager guarantee for the device behaving well, in the case of a malicious vendor.
The bottom line is that there are so many covert channels to insert code into your overall system today, as long as they are carried on the normal device acquisision channels, that you can't defend against an attack by a malicious vendor. What you can do is to count on their risk analysis, and expecting them to want to stay in business just as much as you do. It's not much, but it's pretty much the best we got.
Re:You can't trust ANYONE. (Score:5, Insightful)
True, but highly unlikley.
Because I transfered it. Perhaps via serial cable or over a cable not on a public network.
I draw the line at blatent backdoors. The difficulty of breaking into my router by giving me a bad compiler is FAR FAR FAR more difficult than a backdoor admin account. Once that gets out anyone can log in and do what they like.
Re:You can't trust ANYONE. (Score:3, Insightful)
And do you even have this option with closed source? You don't.
Believe me, if the end application is valuable enough, someone will take the time and effort to run down the entire audit trail you described, if given the source code to do so. Personally, I like having the option. Trust,
Re:You can't trust ANYONE. (Score:3, Informative)
Re:You can't trust ANYONE. (Score:3, Insightful)
and when you log in, you get... (Score:5, Funny)
Shall we play a game?
Back to the good old days for hackers (Score:3, Interesting)
Register, or else (Score:5, Insightful)
I love when companies release vital updates or other material, and then effectively force registration of all their clients. So either register with the mothership, or deal with a vulnerable program? Great.
Does Cisco know wha'ts going on? (Score:5, Insightful)
"Although Cisco cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability."
This is probably a standard disclaimer in their security documents, but wouldn't you want them to be sure of the accuracy of their statements?
Why can software/hardware companies get way with "We tried our best, honest!" ?
Re:Does Cisco know wha'ts going on? (Score:3, Interesting)
to match the luggage combination (Score:2)
Cisco is not alone. It's industry wide practice. (Score:5, Informative)
It's not just Cisco, it's a common practice in the industry to give their field people a way to get into the box (or program) when the customer screws it up.
Backdoors that, often, have access to functions far beyond what the customer knows about, and in many cases, able of really messing up the device if used incorrectly by a tech who is not an expert.
On the flip side, I was working as a level 3 tech for one now out-of-business large computer company, and it was not uncommon to get a call from a customer asking if we could break into a box and reset passwords for them since they had "lost" the passwords. They need to get access without doing a full reset and losing the configuration information since the box is in a production environment.
So, they put a modem on the diagnostic port, I dial in, do the magic, and make the customer happy.
So, yes, it is a security hole, but it is also something that customers are happy about when they need it.
Eventually every back door has to be used... (Score:5, Insightful)
Yes. They have to keep an eye out for their customers. However, there are two ways of getting around this:
Password can only be entered while someone is physically present - so you have to press a button on the device, then login with back door in the next 30 seconds. This proves access, and any company that has poor physical security is not likely to care about network security.
Second use challenge-response password mechanisms. This prevents a 'global' backdoor, while still giving the manufacturer the ability to gain access. The user enters a generic name/pass ("lost", "password") the machine then responds with a 128 bit (hexadecimal) number (randomly generated) and the user provides both the serial number and this random number to the company. The company responds with a correct response (another 128 bit number, perhaps) and the device allows access.
Combine either or both of these two methods with a "reset configuration to factory defaults when back door is used" and the company can claim that they are as secure as can be, without preventing the occasional user complaint that the hardware is a doorstop because some subadmin made a mistake changing the password.
-Adam
No (Score:4, Insightful)
Simple question, with an even simpler answer: No.
If you want to be wordier, you can make the general statement that the reason for closed source is that there are things in the source that the vendor doesn't want you to know about.
Those things may be innocent, such as debugging hooks, that you'd probably approve of if you knew, but which they don't want made public because then competitors' support people could sabotage the equipment during a support call. Or they could be not so innocent, such as collecting date from your network for commercial use (i.e., selling it to your competitors). Or maybe they don't want you to see the low quality of the code.
But if the source is hidden, there's a reason, and the reason can be summarized as "They don't want you to know about something in there."
If you have any security concerns at all, you should follow the advice that the security folks have been giving for years: Don't run software unless you've compiled it yourself (preferably using a compiler from a different vendor). Otherwise, you have no way of knowing what's hidden inside the binaries.
Of course, in whatever passes for the Real World around here, some vendors are more trustworthy than others. We've had few actual problems like this with open-source vendors, though there have been a few incidents. It's a lot harder for an open-source vendor to get away with such tricks for very long.
But in general, you should be aware that if they don't want you to see the source, there is probably a good reason.
This reminds me... (Score:3, Interesting)
Cisco has been a major player for a long time, so we have a de-facto trust relationship with them, but we need to be able to verify their account guarding. All they need to do is open the firmware up and let the million eyes peer through it. Any vulnerability detected and not reported by one will surely be caught by another, and assuming he's not trustworthy either there are still more eyes. Quis custodiet ipsos custodes. The only problem is if the flaw doesn't exist in only flashable firmware (i.e.: in hardware someplace that can't be modified at all)--then that would be an issue. I think we can trust the Cisco hardware, it's the flashed system that needs to be checked.
So, Cisco, how about opening that up? Come on, be a pal....
Surprising, but not that surprising (Score:5, Insightful)
I say this because, IMHO, Cisco's customers generally trust both them as a company and their products. In short, they've done a good job, for a closed source firm, of keeping the perception that they run a tight ship and keep their corporate nose clean.
That said, this is a ding, no doubt, but the bigger question here is while this backdoor was arguably somewhat obscure, it still existed. Even if no one "on the outside" ever learned of its existence, its very existence is troubling.
This is the type of thing that typically would have been caught in no time by the average open-source code-troller (much less a developer) quite quickly.
Sure, Cisco has a decent name, but what about companies that don't have the positive overall goodwill/reputation that Cisco does?
The notion that closed source software is "just as good" or even "more secure" is just plain wack-a-loo. (You can quote me on that.)
/.-ers just don't get it.... (Score:5, Insightful)
There will be no wholesale move off of Cisco products. Why?
Let's roleplay the conversation between the CIO and CEO/COO:
The bottom line is, most CIO/CTO's of non-IT companies could give a flying f**k what runs their networks as long as it works, stays up most of the time, is not too expensive, and is recommended.
Negligence (Score:4, Interesting)
A Cisco exec should do hard time for this.
"Can we trust closed-source vendors?" NO! (Score:4, Interesting)
From the Slashdot story: "Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?"
This should be shortened to: "Can we trust closed-source vendors?"
History has shown that we cannot.
Take Microsoft for example. LUGOD maintains a list of stories about Microsoft abusiveness: Reasons to Avoid Microsoft [lugod.org]. I counted more than 200 in 2002, and things have gotten worse since then.
(This seems to be one of the few times that Open Source advocates have invented an interesting name: Linux User GOD. Sounds like a new religion.)
Part of the problem seems to be that, eventually, closed-source vendors begin to be controlled by managers who have no technical experience. Such managers can help the company make more money only by abusing the customer, because they don't know enough to contribute to technical improvements.
Why has Google risen to prominence so quickly? Partly because they know what they are doing technically. But largely because they have a policy of "do no harm". It's a simple policy, but most managers are not able to come to the conclusion they should follow it.
Most managers seem to have received their training by mimicing the abusive, ignorant PHB in Dilbert cartoons. Think what a terrible world we live in that Dilbert is considered funny!
I know most Open Source developers are uncomfortable with this description, but they approach their work as an act of love. Whatever the reason, history has shown that they are far more trustworthy.
Backdoors are here to stay. (Score:3, Interesting)
Well, we certainly can't trust Cisco anymore. The reason is because trust is built up by having the ability to screw up and then not doing so. Cisco has clearly violated the trust of anybody who wanted a zero-backdoor product, and I submit that this breach is one that cannot be recovered from.
However, I certainly understand why Cisco insists on there being such a hard-coded full-control backdoor. If you ever lose possession of the root password, you are screwed and you can turn a big-dollarsign router into a paperweight. It makes sense that Cisco should be able to swap your locked-up router for a like part in its default settings, and then be able to recover most of its value as an "open box" "remanufactured" item since there was nothing wrong with it other than an unknown password that since has been reset.
Really, I'm not mad at Cisco for having backdoors as much as the fact that they refused to admit that there were secret backdoors.
Can't you people READ THE F**KING ARTICLE ? (Score:3, Informative)
If you read further, you would note that Cisco has already released patches for the problem.
If you had ANY experience with cisco security vulnerabilty disclosures, you would realise that cisco's definition of "workaround" means "a way to avoid the problem without applying patches or updates", because many cisco customers aren't able to apply patches the second an exploit is announced due to down time / planning / change control measures.
Just because it says there is no workaround, it doesn't mean there isn't a fix. And there is, in this case, which is clearly linked to in the article.
And before someone replies with "you're new to slashdot aren't you", no, I'm not. I'm used to this sort of reaction from the slash community. Normally there are a few sane people that get modded up by correcting the knee jerkers, but this time it looks like everyone is preaching "every cisco switch and router has a built in username and password that can't be disabled"
No Refund - firmware fix (Score:4, Informative)
Re:No Refund - firmware fix (Score:5, Funny)
Re:Refund? (Score:2)
Legal action? (Score:2)
Good question. Perhaps a better question might be, what are the people who purchased these going to do to CISCO?
Perhaps a legal action? Breach of contract anyone? Promissory fraud? Negligent representation?
Re:Open Source (Score:2, Insightful)
Auditing the compiler's code doesn't guaranteee anything either. It too had to be compiled, and the compiler's compiler may have been compromised.
Re:Linksys (Score:2, Informative)
No excuse for a master password. Mind you, I'm not saying there isn't one, just that there is no need for one.
Re:Firmware? (Score:5, Insightful)
Do they plan on releasing a firmware update?
RTFA [cisco.com].
If so, how do we know they aren't going to put another backdoor into that and simply change the information?
You don't.
Is there a way they can make the firmware patch open source without giving away their other "proprietary" source?
If you own the affected products and require open source firmware patches then you should have thought of that before you bought the product. If you require open source hardware then buy open source hardware.
Re:Firmware? (Score:2, Insightful)
It's software, it's been fixed, nothing to see here. Move along.
Re:you ungrateful motherfuckers (Score:3, Interesting)
No, Cisco is bad because they stuck a backdoor into their product that potentially fucked over a bunch of their customers.
I bet half your jobs depend on cisco.
And what kind of half-assed argument is that? Just because people use their products doesn't mean that their jobs depend on Cisco. Cisco can be ripped out and replaced just like most vendors. Get some Foundry or Nortel equipment.
Oh yeah, and fuck you too.
Re:true dat? (Score:3, Funny)