
So long cisco, and thanks for all the code! UPDATE: FBI involved

Originally posted by: Garion
Originally posted by: n0cmonkey
Originally posted by: Rainsford
Hmm, I lost some respect for Cisco because they allowed this to happen, but not TOO much respect, it can happen to almost anyone.

But that security through obscurity comment was a little, uh, retarded. No security person worth his or her weight in rat droppings thinks that's a valid security approach any more, at least I hope not.

Cisco seems to think it's a valid way to do business. 😉

You're just loving this one, aren't you, N0c? I find it rather ironically amusing - Cisco has been just ASKING for this for a while. Surprised it hasn't happened sooner. If you know what you're doing and try hard enough with a variety of different methods, there's always a way around nearly every security system. (Don't get me wrong - I'm a huge Cisco customer and I love their gear. They just need to tone down the attitude a bit)

You'd be surprised how easy it would be to penetrate a lot of large corporations. Not hard to get a digicam shot of a badge, create and print your own with your picture, then follow someone through a security door. As long as you look like you know what you're doing, you're golden and it's relatively easy to work your way into a building. Once you're in, it's not hard to find someone going to lunch that forgot to lock their terminal, install one key logger, and off you go...

Pssssst.. Anyone want the super-secret recipe for distilling Jack Daniels?

*grin*

- G

Ummm. Easy there fella. Our formulas never touch a computer. Hard copies only, in two safes, in different parts of the country.

THAT's information security.

*grin*

NOC - calling the helpdesk for a password reset shouldn't work. The helpdesk should require last 4 digits of social or birthday or mother maiden name, etc. Some kind of a challenge
 
Originally posted by: spidey07
Ummm. Easy there fella. Our formulas never touch a computer. Hard copies only, in two safes, in different parts of the country.

THAT's information security.

*grin*


Weren't we just talking about social engineering? 😉

NOC - calling the helpdesk for a password reset shouldn't work. The helpdesk should require last 4 digits of social or birthday or mother maiden name, etc. Some kind of a challenge

Should is the key word there. Won't work everywhere, but I'm 100% positive there are places it will. 😉

And that information is kinda out there for password resets. I would never give that information to the help desk. :Q
 
Speaking about social engineering, Schneier in the latest Crypto-Gram mentions something about 70% of all users would trade their password for a bar of chocolate... but he does mention that that survey is not accurate (although there probably are many people out there that would!).

Chocolate? Not good enough for me... a 6-pack of beer... now you're talking.
 
Originally posted by: groovin
Speaking about social engineering, Schneier in the latest Crypto-Gram mentions something about 70% of all users would trade their password for a bar of chocolate... but he does mention that that survey is not accurate (although there probably are many people out there that would!).

Chocolate? Not good enough for me... a 6-pack of beer... now you're talking.

I'd give them a password for a bar of dark chocolate. But it wouldn't be mine.
 
I like how there's absolutely no mention of that article in the news section of their homepage. I (and likely many others) would never have found that info if the media, and then you, hadn't linked to it.

Way to go Cisco, make yourself look even worse in an already bad situation.

I've said it before, and I'll say it again. Cisco needs to get their act together and start playing towards their customers a little bit more. They need to ditch the "I'm the baddest kid on this block" attitude...because they ain't the baddest kid on the block anymore, and they haven't been for a while.

What would have been nice of Cisco to do in this situation was to email that article to every customer of theirs that holds a SmartNet contract for a device that runs IOS. I don't think that's too much to ask for. Hey...MS did it for Blaster.

EDIT: I made a nice little post over on Cisco's forums about this. It doesn't look like ANYONE has even brought the subject up over there...sad. I'll be curious to see if anyone from Cisco replies to it.
 
Originally posted by: n0cmonkey
I just spent a night with Maker's Mark instead of JD. Should I be feeling worse than I am now? 😛

And is the fact that you posted at 4:20 AM a pure coincidence? 😉
 
Originally posted by: Boscoh
I like how there's absolutely no mention of that article in the news section of their homepage. I (and likely many others) would never have found that info if the media, and then you, hadn't linked to it.

Way to go Cisco, make yourself look even worse in an already bad situation.

I've said it before, and I'll say it again. Cisco needs to get their act together and start playing towards their customers a little bit more. They need to ditch the "I'm the baddest kid on this block" attitude...because they ain't the baddest kid on the block anymore, and they haven't been for a while.

What would have been nice of Cisco to do in this situation was to email that article to every customer of theirs that holds a SmartNet contract for a device that runs IOS. I don't think that's too much to ask for. Hey...MS did it for Blaster.

EDIT: I made a nice little post over on Cisco's forums about this. It doesn't look like ANYONE has even brought the subject up over there...sad. I'll be curious to see if anyone from Cisco replies to it.

link to thread?
 
Originally posted by: Boscoh
Originally posted by: n0cmonkey
I just spent a night with Maker's Mark instead of JD. Should I be feeling worse than I am now? 😛

And is the fact that you posted at 4:20 AM a pure coincidence? 😉

Yes. 4:20 lost all meaning to me years ago. 😉
 
zone-h

Looks like it comes from news.com I guess, but I don't feel like finding the original. They don't think this is really that big of a deal because people can't compile the code. 😕
 
I think it was Tony Li, or maybe someone else, that said they believe the Cisco source code is so well engineered that it's going to be very difficult to find holes that haven't already been found by Cisco.

I'm not too sure anything will come out of this that will "bring down the internet". I think it's going to hurt Cisco more on the business side of things. Their self-defending network initiative is really in question right now in a lot of people's minds, even given the fact that huge networks are very hard to secure. Also, their code is out there for the competition to analyze and find what makes IOS so efficient.

It's not the fact that this could be a serious issue for the security of their products that pisses me off. What gets me is that so many of Cisco's customers don't know that it might not be a serious issue, and a lot of them consider it EXTREMELY serious, and Cisco isn't really doing much to publicize the fact that it might not be.

Part of that makes me think it might be a CYA ploy. Kind of a 'Don't come out and make sure that everyone in the world hears that this might not be a serious issue...because we don't really KNOW that it isn't, we're kind of just giving that feeling to ease people's minds that are really looking into this' attitude. If Cisco were to come out and say this isn't a big deal and nothing will likely result from it, and then something does, they're screwed even more than they were to begin with. That's the only reason I can find for Cisco not being more public about this.

I mean, if it's not a big deal...come out and say it, ease the minds of your customers. Right?
 
IOS might be well coded, but nothing is perfect. OpenSSH, one of the biggest (in terms of use) open source projects out there has had a number of holes on various platforms, including my much heralded OpenBSD.

Big holes might not be found right away, or maybe even ever. But I'd bet that they're there. 😉

Cisco is pulling the typical corporation thing on this one. Keep it as hush hush as possible, maybe no one will notice.
 
Originally posted by: n0cmonkey
IOS might be well coded, but nothing is perfect. OpenSSH, one of the biggest (in terms of use) open source projects out there has had a number of holes on various platforms, including my much heralded OpenBSD.

Big holes might not be found right away, or maybe even ever. But I'd bet that they're there. 😉

Cisco is pulling the typical corporation thing on this one. Keep it as hush hush as possible, maybe no one will notice.

I view this incident as a big black eye for Cisco Systems. Especially since they've been pushing security as folks in this thread have already pointed out.

Why are they keeping it hush? Because bad PR is the worst thing to happen to any company - even rumors can hurt sales and reputation.
 