Cisco Source Code Up For Sale: Only $24,000
spackbace writes "The notorious, mysterious Source Code Club (SCC) has re-emerged, this time selling source code for a Cisco application in another blatant violation of copyright regulations.
Believed to be an anonymous collection of hackers, the SCC this week announced in a posting on a group Web site that it is offering the complete Cisco Pix 6.3.1 source code for US$24,000. Cisco Pix is a firewall application providing security, intrusion protection, network monitoring and other services for business and carrier networks."
Take a cue from SCO (Score:5, Funny)
Better yet, take a cue from Autodesk (Score:3, Insightful)
Re:Better yet, take a cue from Autodesk (Score:5, Insightful)
Funny! Microsoft had a firewall do this before Cisco! 'Course, they don't have a financial interest in maintaining the distinction that a "Firewall is not a Router".
Re:Take a cue from SCO (Score:5, Funny)
What? (Score:4, Funny)
put it on eBay, make money (Score:2, Interesting)
Put it on eBay and people will pay 4 times what it's worth, then re-sell it for half what they bought it for 2 months later. Reverse-economics.
Re:Better idea (Score:3, Funny)
Good thing I'm running 6.3(4) (Score:3, Funny)
$24k? (Score:5, Funny)
Re:$24k? (Score:4, Insightful)
Re:This is a problem for the /. crowd? (Score:3, Funny)
Buy! BUY!!
Re:This is a problem for the /. crowd? (Score:4, Insightful)
When the source is open(ed), it's a great thing.
This is not!
Re:This is a problem for the /. crowd? (Score:4, Insightful)
It is closed because they wrote the code and they have the right to release it as they please. They have to respect your decision to open your source code and you have to respect theirs to keep theirs closed. It is a product that they sell. If they open the source, they lose much of the capability to sell it. It's really not that hard to understand.
Now that's irony! (Score:5, Insightful)
Re:Now that's irony! (Score:5, Insightful)
Re:Now that's irony! (Score:5, Insightful)
Re:Now that's irony! (Score:4, Insightful)
Re:Now that's irony! (Score:2)
Re:Now that's irony! (Score:2, Informative)
Funny, it used to be called social engineering.
At least... (Score:5, Funny)
But still I sense the good old "want to sell something? Advertise with a slashdot story" spirit
Re:At least... (Score:5, Funny)
A female Russian spy escaped Cisco with the source code after sneaking by an army of Cisco security armed with AK-47s. She walked all the way to eBay headquarters bearfoot and delivered 40 floppies in a pizza box. Her only weapon was a 10BaseT ethernet cable.
Re:At least... (Score:3, Funny)
I'm not into furries. Thanks anyway.
Will buy Linux (Score:5, Funny)
Re:Will buy Linux (Score:4, Funny)
Re:Will buy Linux (Score:3, Funny)
I got an even better deal; I licensed my Linux for $35/month which includes DSL and unlimited lifetime OS upgrades...
Of course, the toll-free telephone support line seems disconnected: 1-800-DEV-NULL
Re:Will buy Linux (Score:5, Funny)
At first I thought that said "troll-free telephone support line".
Re:Will buy Linux (Score:3, Funny)
oh no.. I just slashdotted some poor bastards at 1-800-338-6855. I wonder who they are?
Re:Will buy Linux (Score:3, Informative)
buying stolen property? (Score:4, Insightful)
Re:buying stolen property? (Score:2)
Again? This is the first time I'd heard of them (Score:2, Informative)
http://www.google.com/search?hl=en&q=%22Source+Co
Re:Again? This is the first time I'd heard of them (Score:2)
offtopic moderation troll ... (Score:2, Funny)
i mean, i didn't get points when i suggested:
http://www.google.ca/search?hl=en&q=you+guys+are+a+bunch+of+knobs&btnG=Google+Search&meta=/ [google.ca]
http://www.google.ca/search?hl=en&q=slashdot+moderator+iq+zero&btnG=Search&meta=/ [google.ca]
http://www.google.ca/search?hl=en&q=filter+out+the+noise%2C+dammit&btnG=Search&meta=/ [google.ca]
yours faithfully,
BUY IT NOW (Score:2, Funny)
Anonymous collection of hackers? (Score:5, Insightful)
Re:Anonymous collection of hackers? (Score:5, Insightful)
No. If we could, Nigerian scams, and old people losing their life savings could be prevented.
Just have the money wired to you, and pick it up outside the country. Even inside the country, it's nearly impossible to track, because you can show up at any branch, anywhere.
Re:Anonymous collection of hackers? (Score:4, Insightful)
And we'd be able to follow the money of drug dealers, kidnappers, terrorists, etc.
It's harder than CSI makes it sound.
Re:Anonymous collection of hackers? (Score:5, Interesting)
Re:Anonymous collection of hackers? (Score:2)
The DDOS blackmailers usually request money transfers using this method or "we dstroy your DNS" as they so eloquently put it.
Re:Anonymous collection of hackers? (Score:2, Informative)
Re:Anonymous collection of hackers? (Score:2)
Yes, obviously....that's why the illegal drugs and prostitution were completely wiped out decades ago.
There are tons of ways to get money anonymously. Anyone smart knows that. I should be getting my million dollars anonymously anytime now, just as s
I would buy it (Score:5, Funny)
Re:I would buy it (Score:3, Informative)
Someone mod this funny! At the risk of ruining the joke by explaining it, it's a reference to the fact that drug dealers in California are required to pay tax.
Re:I would buy it (Score:2)
I always thought it was income tax evasion but I could be wrong. Some states actually tax illegal drugs specifically (although it was ruled unconstitutional somewhere because it was in breach of double jeopardy laws). I'm pretty sure California's laws in this respect were mentioned on slashdot some time ago, but I can't find the specific article.
A bit more (Score:5, Informative)
Also on offer, apparently, is the Enterasys Dragon IDS 6.1 intrusion detection system (IDS) software for $16,000 and an old Napster file sharing code, a snip at $10,000.
The original name behind the group was one Larry Hobbles who now seems to have disappeared. The Source Code Club is now said to be hawking a list of other stolen code to anyone who buys one full copy of the source code for sale.
Re:A bit more (Score:2, Funny)
Yes, and they also offer a BSD-licensed copy of Linux for $50,000.
Here's the post on usenet (Score:2)
and not smart... or very smart and this is a scam... If I were selling it, first thing would be to contact key agencies/companies anonymously, not this freak high-profile thing. sounds bad. and there are no md5 or something of a few files to prove it is the real thing.
Seen IOS and other srcs years ago... This is what they get for playing the closed source game: FEAR.
Re:Here's the post on usenet (Score:2, Insightful)
Pretty Pointless... (Score:5, Insightful)
You obviously can't sell a product using this stolen code. A company can't exactly buy it and roll their own version.
So it's really only good if you want to look for bugs in PIX that you can exploit, and since this is being sold by a group of hackers, you can bet that they've already looked for everything possibly exploitable.
Not even close (Score:5, Insightful)
In addition, Cisco spends hundreds of thousands of dollars in their support organization identifying hard-to-find interoperability issues and exception cases, testing things out in the lab, and then coding up fixes. All of these real-world experiences and corresponding code work-arounds that impact every other firewall/VPN/routing product on the market are captured in this source code.
Cisco PIXes have proprietary integration with third-party products, such as IDS systems, content-filtering proxies (e.g. WebSense), etc. This source code surely exposes these APIs, which are covered by Cisco's own NDA with these companies and are coveted by anyone trying to integrate with such closed-source commercial offerings.
Were it legal, it'd be a bargain!
Re:Not even close (Score:3, Interesting)
Stateful packet filtering is not an art. You could just as easily look at the code for a BSD-licensed packet filter, and get the same functionality.
You could bribe someone who has signed an NDA for less than $24,000, and you'd get actual specs, not just source code
Re:Pretty Pointless... (Score:2)
I think SCO would beg to differ...
oh well (Score:5, Interesting)
Also the 'IDS' features of the PIX are static and pretty mundane and not tied to the IDS product so I am sure most people know how to get around them.
Weekend project (Score:4, Interesting)
2) Purchase Linksys W54G from BestBuy
2.5) Port SCC code onto W54G.
3) Resell Modded Linksys W54G to Fry's Electronics
4) Profit!!!!
Cisco Link Status Meter (Score:2)
FBI Sting (Score:2, Informative)
Re:FBI Sting (Score:2)
Re:FBI Sting (Score:2)
On that basis, a "sting" that ended up with an undisclosed arrest - or a pair of concrete boots - would not be unimaginable. Under either
Shouldn't matter (Score:2, Informative)
So what if the source code is available? If the device is any good, availability of source code shouldn't make any difference to the security.
Re:Shouldn't matter (Score:2)
White Elephant (Score:2, Informative)
About the only thing you can do with it, without *understanding it*, is compile it and use the binary (and stealing the binary in the first place is much easier than the source.)
The effort required to understand a large programme is vast. It's far easier just to buy a license.
--
Toby
Use the source Luke.... (Score:4, Insightful)
I disagree with the above statement.
Having the source to even a large program can be incredibly useful. Obtaining the source would lead to a higher level of understanding of the way Pix firewalls work. Knowing exactly how it is coded, being a closed-source product, you would now have the possibility to have exclusive knowledge to flaws in the code.
Now, one hacker trying to sort through all of the code by oneself could take a very long while, unless it is well documented. Consider the possibility that a hacker group acquired it. Say 12 hackers. You could divide it up and find flaws much quicker.
Given the wide use of Pix firewalls, it could end up being a skeleton key to thousands of corporate networks, assuming of course that it is the real deal.
All code has at least one bug...
Pointless (Score:4, Insightful)
Re:Pointless (Score:2)
"Wait a minute, why is it written in LOGO? Something's not right..."
Is it a sting operation? (Score:2)
puts on tinfoil hat
suppose for just a minute that you wanted to contact, trace, and/or otherwise smoke out large numbers of people interested in buying source code to security applications. Might one approach be to
(a) publicize a code theft
(b) pose as a 'known' hacker organization selling the code
(c) fully investigate everyone who contacts you
I'm lea
Details (Score:5, Informative)
Sure enough, here's the CISCO Pix file listing [google.com] and the "newsletter" [google.com].
Here's their newsletter (Score:3, Informative)
$24K ...hmm. (Score:5, Funny)
Re:$24K ...hmm. (Score:2)
Quoted from http://www.hundland.com/scripts/Fight-Club_third.htm [hundland.com]
It's like the mantra goes.... (Score:3, Funny)
wow! firewall! (Score:5, Funny)
Out of Date (Score:3, Interesting)
Source Code! (Score:2)
Eastern block blockheads (Score:2)
well after working with pix's the last few years (Score:2, Flamebait)
a pix firewall.
firewall? (Score:3, Funny)
$24KUSD? don't think so.
feds? (Score:2)
Erm ... you trust 'em? (Score:2)
HAHAHAHAHAH (Score:2)
Re:HAHAHAHAHAH (Score:2)
I don't want to see that happen.
GJC
Why trust these guys? (Score:4, Interesting)
The SCC team does not expect you to trust us. To address this problem, we will split up the information into many files and you may purchase each part for a fraction of the total price. As your confidence grows with SCC, you may feel compelled to purchase these parts in bulk. Here is an example:
We are offering you a ~1 gigabyte compressed file for $10,000. We offer this file in 20 50 megabyte parts at $500 per part (10,000/20). You send us $500, we send you part 1. You send another $500, we send part 2. You choose to send $1000 and we send parts 3 and 4, etc etc. The rate that you purchase pieces is entirely up to you. As your confidence grows, we know that you will choose bigger pieces.
We also include detailed instructions on how to decrypt and put together the pieces, it is a simple process that can be done with any unix computer.
The problem with this scheme is that critical elements of the source can be intentionally withheld and that those pieces could be sold in all likelihood at a ridiculous amount. I mean if a moronic company actually decided to buy source code from these guys, and they are spending $5,000 on each "piece" of the code, they will want the entire thing. This goes beyond just scamming the software companies... this is almost similar to a Nigerian 419 scam [rica.net] in a way.
Who says it's illegal? (Score:2)
Non-News Item (Score:2, Informative)
Between all the 0-days for Checkpoint and PIX, I honestly don't understand why anyone in their right mi
Wish they would sell video drivers! (Score:3, Insightful)
Re:Pirated? (Score:5, Insightful)
But really it's just to generate bad publicity for cisco
Re:Pirated? (Score:2, Funny)
Why would they give a fuck? They're 24k up.
Someone paying 24k (Score:5, Insightful)
The only real reason to want the code is to find exploitable holes in the software. If you're paying 24k so you can do that you presumably want to use those exploits for a purpose. Releasing the sourcecode and risking exploits becoming public (and then patched) devalues your investment.
Re:Someone paying 24k (Score:5, Funny)
Re:Someone paying 24k (Score:2)
In the end, what choice do we have? If we take it as truth that open-source is more secure, then it also applies to routers.
BGP and other applicable protocols are available as RFCs
And anyhow, it seems BGP isn't all that secure [slashdot.org] to begin with.
Re:Someone paying 24k (Score:2)
Pay 24k, sell 5 copies at 10k.
Profit!
Re:Ummm (Score:2)
Re:No worries... (Score:2, Insightful)
Re:"blatant violation of copyright regulations" (Score:2)
The 'blatant' vs 'flagrant' distinction isn't between seen and heard, even though blatant's roots are from 'to blab'. The difference is that blatant describes something that's done in an excessively noticeable manner, where flagrant describes something that's done so excessively it's noticeable. Note the difference.
Re:"blatant violation of copyright regulations" (Score:2)
(As a side note, blatant is a word that Spenser made up to describe a thousand-tongued monster, while flagrant literally means flaming.)
Re:"blatant violation of copyright regulations" (Score:2)
From The American Heritage® Dictionary of the English Language, Fourth Edition: (emphasis mine)
It is not surprising that blatant and flagrant are often confused, since the words have overlapping meanings. Both attribute conspicuousness and offensiveness to certain acts. Blatant emphasizes the failure to conceal the act. Flagrant, on the other hand, emphasizes the serious wrongdoi
Re:Proof open source is better. (Score:3, Insightful)
Re: (Score:2)
Re:Money exchange? (Score:5, Interesting)
Of course, there's also the chance they could totally get away with it too...but not likely. Criminals always think they're smarter than the people after them, but they only have to make one mistake to kiss it all goodbye. Or just wait until the statute of limitations is up.
Re:Money exchange? (Score:2)
Re:Why bother? (Score:3, Interesting)
Just for yuks, you might want to consider M0n0wall [m0n0.ch]. I'm evaluating it for a client right now, and it's very impressive (BSD-based with a good PHP interface.) I'm running it on a PCEngines WRAP 1C-2 [pcengines.ch] board (cheaper & faster than Soekris) and it works a charm (I ditched my cantankerous PC firewall for this a while ago.)