Linux.com

Feature: Linux

Commentary: If only Cisco code had been open source

By Eric S. Raymond on May 17, 2004 (8:00:00 AM)


The 15 May 2004 theft and publishing of the source code for Cisco's IOS router firmware could mean a wave of exploits against the critical router infrastructure of the Internet will be on its way. If that happens, it will be because Cisco ignored one of the iron rules of network security -- and experts the world over will be muttering "if only IOS had been open source."

The iron rule is Kerckhoffs' Law, which states, "A cryptosystem should be designed to be secure if everything is known about it except the key information." Now that the source code of IOS is circulating in the cracker/phreak underground, we're going to find out if IOS followed that rule. If it didn't, we'll find out the hard way.

What has this got to do with open source? Well, if IOS had been open source to begin with, we'd have a firm basis for believing that it passes the Kerckhoffs test: Open source keeps you honest that way. As it is, customers' first notice that it wasn't is likely to be chaos and havoc from router compromises.

Claude Shannon, the inventor of information theory, restated Kerckhoffs' Law as: "[Assume] the enemy knows the system." Here's Raymond's Reformulation for the 21st century: "Any security software design that doesn't assume the enemy possesses the source code is already untrustworthy; therefore, *never trust closed source*."
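Kerckhoffs' Law, as restated above, can be turned into a concrete check. The following Python is an added illustration, not code from the commentary, from Cisco or from IOS: two toy message-authentication designs, one (Design A) whose only secret is a constant compiled into the source, and one (Design B) keyed with a per-deployment key that the source never contains. The audit functions model exactly the event the column describes, an adversary holding the complete source but no key, and report whether each design still rejects tags produced from source knowledge alone. SECRET_CONSTANT, the sample message and every function name here are constructed for the example.

```python
"""Kerckhoffs' principle in code.

Added illustration, not part of the original commentary.  Design A and
Design B are constructed toys; SECRET_CONSTANT stands in for any secret
that ships inside firmware or source, and the audit functions model an
adversary who has the complete source but not the deployment key.
"""
import hashlib
import hmac
import secrets

# Design A (fails Kerckhoffs): the only secret is a constant compiled into the
# code.  Whoever reads the source has everything the verifier has.
SECRET_CONSTANT = b"baked-into-the-binary"  # constructed placeholder value


def obscurity_tag(message: bytes) -> str:
    """Tag = SHA-256(constant || message); the 'key' lives in the source."""
    return hashlib.sha256(SECRET_CONSTANT + message).hexdigest()


def obscurity_verify(message: bytes, tag: str) -> bool:
    return hmac.compare_digest(obscurity_tag(message), tag)


# Design B (follows Kerckhoffs): the algorithm is public (HMAC-SHA256); the
# only secret is a per-deployment key that never appears in the code base.
def generate_key() -> bytes:
    return secrets.token_bytes(32)


def keyed_tag(key: bytes, message: bytes) -> str:
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def keyed_verify(key: bytes, message: bytes, tag: str) -> bool:
    return hmac.compare_digest(keyed_tag(key, message), tag)


# Source-disclosure audit.  Each function returns True when the design still
# rejects a tag produced by someone who holds the full source but no key.
def design_a_survives_disclosure(message: bytes) -> bool:
    # With the source in hand the constant is known, so the computation can be
    # reproduced exactly and the verifier cannot tell the two apart.
    source_only_tag = hashlib.sha256(SECRET_CONSTANT + message).hexdigest()
    return not obscurity_verify(message, source_only_tag)


def design_b_survives_disclosure(deployment_key: bytes, message: bytes) -> bool:
    # The source reveals HMAC-SHA256 and nothing else; without the deployment
    # key the only input available is some source-visible value.
    source_only_tag = hmac.new(SECRET_CONSTANT, message, hashlib.sha256).hexdigest()
    return not keyed_verify(deployment_key, message, source_only_tag)


def audit_report() -> dict:
    """Summarise both designs under the 'enemy knows the system' assumption."""
    key = generate_key()
    msg = b"config-update v2"  # constructed sample message
    return {
        "design_a_legitimate_tag_accepted": obscurity_verify(msg, obscurity_tag(msg)),
        "design_a_passes_kerckhoffs": design_a_survives_disclosure(msg),
        "design_b_legitimate_tag_accepted": keyed_verify(key, msg, keyed_tag(key, msg)),
        "design_b_passes_kerckhoffs": design_b_survives_disclosure(key, msg),
    }


if __name__ == "__main__":
    for name, result in audit_report().items():
        print(f"{name}: {result}")
```

Both designs accept their own legitimate tags, so functional testing never distinguishes them; only the disclosure audit does. That is the point of the rule: a review that assumes the source stays secret has no way to notice that Design A's entire security is the secrecy of the source.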

Maybe the theft will be a good enough reason for Cisco customers to check out open source alternatives like XORP or FREESCO. And that's not just a good idea for router firmware, either. As the Netsky and Sasser worms pound on your Windows machines, ask yourself: "Is there a better way?"

Millions of Linux users already know the answer is yes.


Comments



fud

Posted by: Anonymous Coward on May 18, 2004 04:18 AM
If IOS was open source, Cisco probably wouldn't be around. Make all the excuses you want, but open source isn't the end all, be all of everything.


Re:fud

Posted by: Anonymous Coward on May 18, 2004 04:40 AM
> If IOS was open source, Cisco probably wouldn't be around.

Uh no..... Cisco would be around, just not facing the prospect of apologizing to all the customers for having insecure code in the hands of crackers. Cisco is a hardware company that thinks it's a software company.

Nice try troll. Thanks for playing our game. BTW, how much is Billy paying for your f-f-f-f-u-d?? Or does he just expect you to do it as a matter of course?


Re:fud

Posted by: Anonymous Coward on May 18, 2004 05:33 AM
Actually, I worked for Cisco for two years. I think that puts me in a bit of a better position to say than you. Most of what makes Cisco Cisco is IOS. If IOS was open, everyone could use it and people would undercut Cisco on hardware. This may sound great to you, since Cisco would have to drive prices down to compete. So yeah, OSS would be great for you there, but my point stands that Cisco wouldn't be what it is today. It would be far less profitable.


Re:fud

Posted by: ThoreauHD on May 18, 2004 07:12 AM
I have to agree with the troll (Yes, you, routermonkey). After working on Cisco routers/PIX/switches/etc., all they are are Intel boxes with standard NICs in the end. They are commodity hardware. The value that Cisco adds is in giving functionality to IOS.

They charge us about 60K a year just to allow us to upgrade this functionality. That hardware isn't anything special comparing apples to apples. It's the ease of managing large amounts of commodity hardware that makes Cisco's products/services worth more than Linksys.

I don't think that Cisco losing its code is bad though. I think the demand for service is still there because most folks want their stuff updated and will pay for it to be done. Linux distros do this now: ClarkConnect, Red Hat, etc.

I just don't think Cisco realizes that they can win on this one. They are such tight asses, I doubt they will ever see it. And their design philosophy is a full embrace of the hidden and sometimes completely stupid (Enterprise VOIP Phone Centers running on Microsoft Exchange?!?! WTF are you Smoking!). And I think they shitcanned their last Linux VPN programmers. '2.6 kernel?! Wha Wha'z that Bozz?' You get the gist...

Another case in point: ever try to navigate through their http site? Holy shitballs.. you need a privileged account just to download a free patch from 2 years ago. It's insane, but everyone having their code now may make them more receptive to consumer access and consumer pressures.

We'll see. It can end well- but again, I don't think Cisco can see past the panic of the proprietary. I hope they prove me wrong. They do try to provide good service to their customers- so they already have one foot in the right direction. Whether or not the other foot kicks themselves in the ass remains to be seen.

-Thor


Re:fud

Posted by: Anonymous Coward on May 22, 2004 07:48 PM
Just want to say that having a license that doesn't allow Cisco IOS code to be run on anything but Cisco's own machines would still make the code open, and would effectively prevent any competitors from getting the same edge.


Re:fud

Posted by: Anonymous Coward on May 18, 2004 07:06 AM
Actually I have to agree with the original poster. Cisco wouldn't be what it is today if its IOS was open source. They took a risk keeping their IOS closed in that it would help them out-leverage the competitors on software technology. It paid off till now. They (and we) can only hope that they had some very very extensive code reviews behind those closed doors (for some reason I doubt this). That's the gamble they took; we'll have to wait and see if they lost in the long run.


Re:fud

Posted by: Anonymous Coward on May 18, 2004 08:48 PM
Just fud.

If the IOS were open source then Cisco would have been able to devote MORE attention to the hardware.

And since Cisco would have been the only vendor of that hardware (can we say PATENT) then they STILL would have had the edge.

They DO make excellent hardware.


Re:fud

Posted by: Anonymous Coward on May 18, 2004 09:01 PM
They make far better software. Face it, they would have been undercut by someone. A lot of other companies make fine hardware too, but where these other companies lose is that they don't have IOS.


Re:fud

Posted by: Anonymous Coward on May 19, 2004 01:04 AM
The IOS is dirt stupid.

The brilliant part of the Cisco is the hardware that performs the wire switching.

Everything else is just table lookup for routes, and VPN support, and command interpretation.

Old principles, easily reproduced anyway.


Re:fud

Posted by: Anonymous Coward on May 19, 2004 02:19 AM
I worked for Cisco. I can assure you, most people bought Cisco products because of IOS.


Re:fud

Posted by: Anonymous Coward on May 19, 2004 09:44 AM
I worked for Cabletron, a Cisco competitor. Cisco hardware was never that great. It was IOS that people (unfortunately for us) wanted. LOTS of other companies made much better/faster/cheaper hardware, but when all the network techs are trained on Cisco, it doesn't matter.


brilliant

Posted by: Anonymous Coward on May 18, 2004 08:02 AM
NOT.

What an immature response to a company's misfortune. Kick 'em while he's down, that'll do it! Yeah right.

Open source or not, the code would still have security flaws. Sorry, ESR, the proclamation "make thee open source, and all ye ills shall be cured" is plain and simple zealotry, and does not show the true approach the "Open source community" should be showing right now.


Re:brilliant

Posted by: Anonymous Coward on May 18, 2004 09:27 PM
I agree. As for using "freesco" or "XORP", if you LOOK at those projects, they are not a Cisco router by any means. Yeah, if you want IP-only, super limited functionality like a SOHO gateway, they may work for ya, but read the "about" pages. XORP doesn't even have a 1.0 release and claims it's at "research" status. Neither claims support for a T1 interface. I'm not dissing the projects, but a standard Cisco router is LIGHTYEARS ahead in terms of functionality, protocol support, manageability, failover support, etc. Maybe 5 YEARS from now, that will change, but then we need MUCH more diverse special interface cards and a better bus than PCI. Even then, we are only talking about competition at the entry level space, a small market for Cisco in reality.

Cisco has also been pretty good to Linux: VPN client support, free use of conference room for SVLUG, etc.

There are other reasons not to use Cisco however, such as their horrible resale policies (license goes with purchaser, not hardware), limited support (HP Procurve switches have free LIFETIME support and upgrades), and the fact that you pay 2 - 10 TIMES more for those "benefits", etc. I would like to see Cisco improve in these areas. For smaller shops, it doesn't make much sense to use Cisco. In the enterprise, it does. Open source is a non-issue here.


Why not open source your bank account?

Posted by: Anonymous Coward on May 18, 2004 08:30 AM
All of Cisco's magic is in IOS and not so much in the hardware. For cooler hardware, look at Juniper.

Sometimes I wish you open source zealots would just go away and play in your parallel universe where everything is free. Let those of us who rely on closed source business to make a living wallow in our misery of making ends meet.

That's right, keep badgering companies to open source stuff. You seem to want to reduce all companies to your lowest common denominator of mediocrity.


Re:Why not open source your bank account?

Posted by: Anonymous Coward on May 18, 2004 08:52 PM
Not the account ding dong.

The software that processes it.


Re:Why not open source your bank account?

Posted by: Sam Leathers on May 18, 2004 09:29 PM
I thought NewsForge was our parallel universe to play in, j/k ...but really,

A lot of people are finding that the gap in their budget created by proprietary software is exactly the distance by which their ends are failing to meet.


Re:Why not open source your bank account?

Posted by: Ronald D. Morley on May 22, 2004 02:42 AM
Once again we have someone who cannot or will not see the difference between free as in price and free as in speech. Open source can be sold. Lots of companies are doing it: HP, IBM, Red Hat, etc. The difference is that those companies recognize that the business model for F/OSS requires them to rely on being able to better support the product than their opposition can. When the product itself is free (in both senses), the only way to compete is on service and support.

Companies can no longer rely on closed-source, secret-code lock-in to keep their customers paying exorbitant rents for inferior software. Those that recognize the benefits of working in the open source world (inexpensive software, development costs spread among thousands of companies and individuals, faster response to problems, etc.) will succeed. Those who insist on fighting the revolution will soon find themselves consigned to the dustheap of history, cast aside as the business equivalent of the dodo. When will the naysayers realize that none of their arguments hold water and figure out how to compete in the new world instead of crying piteously about how unfair open source competition is? Our opponents are getting desperate, as can be seen by their resort to the courts and lawsuits instead of competing in the marketplace of ideas, goods, and services.

Just my $.02,
Ron


CISCO History

Posted by: smurfnsanta on May 18, 2004 11:16 AM
While Open Source makes the most sense for truly secure, networked systems, this was not a given when CISCO started manufacturing routers, switches, etc. There are quite a few PhDs who would argue that it's impossible to build a sufficiently profitable company of their size/type using OS methodologies anyway, and others who would deny that it's any more secure (dumbasses in my view).

Now that the IOS cat's out of the bag, it may be a good time for them to review whether or not it's possible to create healthy profits on future products while opening the code for development and review. Having worked with them and their equipment extensively, I doubt it. The hardware is not as well known or as widely distributed as Intel's / AMD's x86 architecture, so the # of developers available or even interested is going to be small.

If a competitor is able to provide equivalent speed, hardware and leverage OS to provide inexpensive security and updates, then all bets are off. A lot of customers are going to jump ship if they don't have to pay extended support costs. But until then, I don't think it makes sense in this case.

And I sure as hell am a Linux zealot, but have the advantage of working with it in the real world sans the rose colored glasses.


Cisco owns IOS

Posted by: Anonymous Coward on May 18, 2004 11:25 AM
And they have every right to keep it closed source. Such responses as "Should have been open sourced" are just plain immature. How are Open Source advocates supposed to be taken seriously when they proclaim that the answer to everything is opening up your source code? Cisco chose to keep IOS closed and that's fine with me. I was expecting a site such as NewsForge to remain professional; instead, the author of the article makes the Free Software community look like a bunch of teenagers screaming to open source everything, without regard for personal preference or business model.


Re:Cisco owns IOS

Posted by: Anonymous Coward on May 18, 2004 10:22 PM
> Such responses as "Should have been open sourced" are just plain immature.

Which is why that wasn't what the article was about. The article was about the net security of Cisco's customers, who have every right to expect the highest possible standards of behaviour in their suppliers. As was pointed out in the article, open sourced software is more likely to be secure.

You can't get much more mature than that.

Who'd be a customer?

Anon


Re:Cisco owns IOS

Posted by: Anonymous Coward on May 18, 2004 10:48 PM
Is there a source to back up this "more likely" claim?


Re:Cisco owns IOS

Posted by: Anonymous Coward on May 19, 2004 03:51 PM
> Is there a source to back up this "more likely" claim?

Yes, there're lots.


Re:Cisco owns IOS

Posted by: Anonymous Coward on May 19, 2004 09:12 PM
That was helpful. Thanks. I'll cite this post in the next paper I write on the topic.


Nothing to see yet

Posted by: ThoreauHD on May 18, 2004 02:08 PM
I am going to abdicate from having an opinion on the matter until I'm able to find and download the source code (and recompile it). This is all theoretical until it gets packaged by a warez group or splashed across 1500 BitTorrent seeds.

And the poster below is correct, until that time. Because after that time, WE own IOS. Not a great business model if one straw breaks it. In any case, to be continued.


Re:Nothing to see yet

Posted by: Anonymous Coward on May 18, 2004 09:05 PM
Am I missing something? Doesn't Cisco still own the rights to the stolen code? This in no way, shape, or form affects the licensing of the code. Cisco is just opened up to corporate espionage (probably how this all started anyway) and little pricks that have nothing better to do with their time than to try to enlarge their penises by being the first to come up with the next 0-day.


trolls

Posted by: Anonymous Coward on May 18, 2004 10:56 PM
The trolls are really out in force here. Instead of addressing the central point that the "code theft" would have been much less of an event had the code been open source, they perform ad hominem attacks on the author. At least that's less foolish than trying to claim that security is best assured through obscurity.


Re:trolls

Posted by: Anonymous Coward on May 19, 2004 02:25 AM
Pardon my ignorance, but what's the point of a discussion forum if anyone that disagrees with you is considered a troll? I've seen one attack on the author, and it was a mild one at best. The issue most of us are refuting is the "better way" conclusion. Who would opening IOS be better for? And where is the proof that IOS would be better off if it were open? Cisco has a lot of well-paid, highly skilled people working on IOS. How much would "the community" really be able to contribute? Yeah, maybe someone will catch something, but the fact is, most people wouldn't enhance the codebase -- they'd just have gotten IOS for free.


Re:trolls

Posted by: Anonymous Coward on May 19, 2004 03:40 AM
I guess back around 1990 you could have made the same claim about Unix-like operating systems. "Show me the proof that opening up the code to an operating system would really produce a good product. It sounds like a recipe for a bunch of freeloaders instead." But then Linux and the BSDs sound like a neat answer to those objections.


Re:trolls

Posted by: Anonymous Coward on May 19, 2004 05:48 AM
I wouldn't say Linux works better than a closed source UNIX either.


Re:trolls

Posted by: Anonymous Coward on May 19, 2004 06:15 AM
Now you really are trolling. You make a bald assertion without anything to back it up. You know that assertion is likely to inflame many in this forum. I rest my case. The trolls really are out in force.


Re:trolls

Posted by: Anonymous Coward on May 19, 2004 09:18 PM
Actually, I'm just refuting a "bald assertion" you made, which really was irrelevant to the case at hand. The only people that would get "inflamed" by that comment are blind zealots, which I suppose you are. That's fine. If you like to just talk with your buddies and always agree with one another, that's fine. But don't be a hypocrite about it. If you say "OSS is great" with nothing to back it up, and I say "no, it's not great in all cases" with insider knowledge that it wouldn't have been great for Cisco, then it would seem logical that you're the one trolling, not me. Then rather than deal with the issue at hand, you make a half-assed analogy to UNIX, with nothing to back that up, so I addressed that issue, and you cried "foul" again. In summary, I apologize if having an open mind makes me a troll, but I'd take that over being a hypocrite any day of the week.

