This news story from PCWorld reports that a group of hackers has re-opened its source code shop online after it was forced to shut down in July, a few days after it surfaced. The shop, Source Code Club, was selling the source code of Enterasys Dragon IDS 6.1 for just $16,000 and the source code of file sharing software by Napster for $10,000. The Source Code Club said that it was selling corporate intelligence to its customers.
Now the Source Code Club is back after a hibernation of 3 months. It has hiked the prices of the Enterasys Dragon IDS and Napster software to $19,000 and $12,000 respectively, and is also offering the source code of Cisco Systems’ PIX Firewall 6.3.1 for $24,000, labelling itself this time as a Corporate Espionage Service.
The noteworthy thing is that Cisco’s PIX Firewall is deployed on many corporate networks. So what’s next? If the source code is open and public, so are its vulnerabilities, which hackers or rival corporates may leverage to their advantage, making espionage and the theft of business plans and product blueprints child’s play. Is your network safe? Cisco hasn’t commented on this news yet, but it’s certainly dangerous to their market.
Some people I know may argue: why should the corporates who’ve deployed Cisco’s PIX Firewall worry? It’s Cisco who has to worry. How are the corporate networks vulnerable? After all, if there’s an Open-Source product, its source is freely available, yet companies use it effectively, Linux being a good example.
To this, I’d say that in Open-Source projects both you and the hacker have the source code, and you can modify it before deploying it on your network. The hacker will only know of vulnerabilities present in the original code that both of you downloaded; if you’ve modified the code and plugged the holes, the hacker has no way of bypassing them, as he doesn’t have access to the changes you made.
But in this case, only the hacker has access to the source code, not you. You only have the final product, which may have holes that the hacker can discover by reading the code and thus exploit. So, as a corporate who has deployed Cisco’s PIX Firewall, you have every reason to feel insecure.