Leader: Why the Cisco router flaw row makes us all losers

Do we need to rethink how we tackle security?

By silicon.com, 1 August 2005 17:40

News of a potential weakness in Cisco routers has been causing a few sleepless nights: sleepless nights for hackers working to exploit the problem, and sleepless nights for IT bosses wondering when the first attack will come.

Hackers, angered by Cisco's attempt to squash news of the potential flaw, are working non-stop to find a way to exploit it.

As one hacker put it: "The reason we're doing this is because someone said you can't."

Which is a fine response if you're an 11-year-old trying to steal one of your mum's freshly baked cookies.

But perhaps slightly less responsible when you are talking about developing an attack on the devices which direct traffic across the internet.

Because even if the hackers who are working on the attack are simply doing it for the thrill of the chase and to beef up their counter-cultural credibility, and have no intention of ever using it maliciously, someone else will.

Which means it's something companies have to start worrying about. No doubt many Cisco customers are finally getting round to applying fixes to their router software to protect against the flaw.

The whole sorry episode puts the spotlight squarely back on IT's strange security ecosystem - where hackers can claim they are helping the industry by publicising security problems, and where vendors can be cast as the baddies for trying to suppress those details.

The user is then stuck somewhere in the middle, trying to keep up with the latest must-have bug fix.

Perhaps some good will come of this. Companies will update their software to protect against the flaw, so that if and when an attack is launched it won't lead to widespread damage - which could have happened if a hacker had quietly stumbled onto the flaw and launched a surprise attack before any fix existed.

And perhaps the excitement the whole incident has provoked will give the industry cause to stop and think about the way it deals with product testing and security.

Of course no product can be perfectly secure when it ships, because waiting for that would stop innovation dead in its tracks. But at the moment there is a sense that the industry too often releases products too soon and simply waits for security researchers and hackers to spot the flaws.

But as IT becomes so pervasive, can this uneasy balance - which leaves customers permanently scrambling to catch up - remain unchanged?

Comments

2 comments

  1. Jack

    Cisco has had problem after problem after problem with code security. As a Security Engineer I am fed up with patching my routers every week. Cisco should fix the code. The code is broken!! Hackers and security experts find new security holes every month. What if some hacker finds a hole that the security teams don't find, or that Cisco squashes the report of with lawyers? We will have a very real problem of getting hacked! Cisco, get the code fixed or we will buy competent products from Nortel, Juniper, etc, etc...

  2. anonymous

    This is nothing new. In the '70s Clive Sinclair marketed self-build amplifiers using scrap transistors that failed the minimum tests at Plessey, the manufacturer. In the '80s his Spectrum computers were never tested until the purchaser got them home. Then they had to wait 3 months for a replacement computer... which also was not tested during manufacture.
