Securing Source Code Should Be a Priority

Cisco and others need to find a way to lock down their source code.

The efforts of the "Source Code Club" to sell the source code to Cisco firewalls may be despicable, but they may also be a blessing in disguise. By making a public show of Cisco's inability to keep its secrets to itself, these desperados may actually be doing us all a big favor.

This is not the first time Cisco has been targeted by source code thieves. In May, its IOS 12.3 code was compromised. IOS (Internetwork Operating System) is used in Cisco routers from home offices to branch offices, enterprise networks, and the Internet backbone itself.

The most recent theft involves source code for the firmware for Cisco's PIX 6.3.1 firewall, which the thieves are now offering to sell for $24,000 per copy.

Presuming these people have what they say they have, which seems fair enough, we're much better off knowing that Cisco can't keep its crown jewels safe than not knowing. This is not a case where ignorance is bliss, though knowing the source code is out there doesn't directly point at what we should do about it.

Where the source code was stolen from, whether a partner, customer, or Cisco itself, doesn't really matter in terms of the potential damage. But it does highlight the difficulty vendors have in securing source code that other companies feel the need to evaluate on their own.

It's understandable that some organizations that depend on Cisco products would want to have a deep understanding of the software that runs them. Keeping that source code secure, however, can be a problem. Microsoft learned that in February, when partial copies of Windows NT 4 and 2000 source code were apparently stolen from a partner and posted on the Internet.

The theft of this Microsoft code doesn't seem to have resulted in any serious damage. Nor has the Cisco loss caused problems that we know of, though the potential damage is so great that even people who don't know a Cisco router from a toaster oven should be concerned.

Given the broad use of Cisco routers, a hacker with access to source code could theoretically take down the entire Internet with an uncertain timetable for resumption of service. How would you patch all those routers if the Internet itself could not be used to deliver the patches?

As important as the Internet has become to global communications and commerce, such a failure could only be looked upon as a major calamity. Indeed, Cisco's source code is of such importance that it's likely on a par with our top military secrets.

Cisco's loss of its PIX firewall source code is probably less serious, but only slightly given what a hack specifically engineered to take advantage of specific firewall vulnerabilities might accomplish.

Some people say these thefts point out the impossibility of keeping important software locked up and away from the bad guys. These same people say that if you can't guarantee 100 percent security, you're better off with no security at all.

At least, that is how I understand the argument that security software should be open source, allowing the broadest possible community to work on finding and solving vulnerabilities.

While I understand the attractiveness of such a scheme to its proponents, I'd want to give it a lot of thought before turning over Internet security to such a utopian scheme. It's not so much that I am opposed to the idea, but I think the decision is important enough that it can't be taken lightly.

Until we discover some way to truly lock down (or completely open) source code, customers may have to accept that they won't get to evaluate such things as router operating systems for themselves. The danger of this software leaking out from customers may simply be too great.

Cisco's troubles are likely the result of attacks on the company itself rather than lax security by its customers or partners. Still, it only makes sense that the fewer targets that exist, the harder it will be for thieves to grab infrastructure source code.

As for securing Cisco itself, I won't try to tell the company how to stop losing its source code. It just has to be done and if Cisco won't do it, the government will eventually step in and impose its brand of secrecy in order to protect the Internet as a piece of our country's—even the world's—critical infrastructure.

But since security is never total and because the stakes are so high, we ought to look at how we design our networks and make them more resilient to attacks, even by people who know all the secrets. And if we have to, maybe the best approach really is to have no secrets at all.

Contributing Editor David Coursey has spent two decades writing about hardware, software and communications for business customers. Before joining, David was executive editor of ZDNet AnchorDesk and has been a columnist for PC World, ComputerWorld and other publications. Former executive producer of DEMO and other industry events, he also operates a technology consulting and event management business. A full bio and contact information may be found on his Web site (