Rupert Goodwins' Diary

Monday 17/5/2004
All software ends up as open source, if only because you can't keep a secret forever. And software, like all engineering, is fundamentally visible: anything that people can make, people can understand. Thus, when some piece of code is described as the 'crown jewels' of a particular company the analogy is flawed - the real Crown Jewels currently reside a few hundred yards to my left, in the Tower of London, and there they'll stay until Judgement Day if the security's good enough. Not so code, which can be disassembled and understood by anyone with the time, knowledge and patience to analyse it.

But that's boring. Much better to just waltz in over the Net and steal the source code. It's quick, efficient and terminally embarrassing if the code you steal just happens to belong to a company that makes its living out of network security. So stand up Cisco, who suffered just such an event. Today we learn that a large chunk of its router operating system, IOS, has been extracted somehow and released into the wild.

This is worrying. Cisco is a fully paid-up member of the 'Security by Obscurity' fan club, which has as its motto "If you can't see it, you can't hack it" and which persists in the crown jewel model of software. IOS runs on most of the routers that run the Internet, and the idea that their innermost souls have been laid bare to passing hackers is not comforting. Neither is the question it raises: if Cisco can't keep its own systems secure, how on earth are we supposed to manage?

But soft! Comforting words issue from the Cisco kids. The software was not leaked through a security hole. Nor was it stolen by an employee or a contractor. Which leaves, um… Pixies! Yes, the Code Pixies took it! But that still leaves the small problem of what terrible secrets have been laid bare. No, no need to worry there. It was only the code for the IPv6 protocol, and nobody uses that anyway.

Ah. This would be the IPv6 stuff that Cisco has spent ages telling us was the thrilling wave of the future, then. Don't worry about the blagger stealing the crown jewels - they were just cubic zirconium after all. Amazing what you learn when stuff goes open, eh?