Bugtraq mailing list archives

Re: Cisco 675 Denial of Service Attack


From: Damir Rajnovic <gaus () CISCO COM>
Date: Wed, 6 Dec 2000 14:08:57 +0000

Hello again,

At 23:31 05/12/2000 -0800, J Edgar Hoover wrote:
> premium price for a premium brand product for my home, and now I'm
> following up by providing free a service that is worth more than the
> product itself.

We are doing what we can. If that is not sufficient we will try better.
If we can not satisfy customers they can choose not to use Cisco. We
know that we are not the only one (despite what marketing is saying).
These are facts of life and we must live with them.

> It is the unfortunate truth that neither the advisory or patch will help
> the average home user. They will probably never know about them. Which

Which is sad but true. Then again, we can not do anything there. We
are trying to address forums like Bugtraq in the hope that people who
are in charge will notice our advisories and upgrade their boxes.
We can not force anyone to upgrade.

> brings up another point... why is a product like this, destined for a home
> user, shipped with such poor default security? The problems with SNMP have

Good question. I am also asking that question over and over. Not only
for DSL. I still do not have an answer (well, I do, time to market, people
do not pay for security but features, competitors, blah, blah) which
will satisfy me.

> Cisco really think home users want anonymous remote users seeing their

Think? I do not think. Ask my wife, she will confirm that. PSIRT tries
to correct things. Unfortunately, most of the people think in terms
of flashing lights and nice GUIs.

> The IP filter rules made mistakes wrt incoming and outgoing directions.

I will check that and if that is true it will be fixed (hopefully in
10 months or so 8-) ).

> Which situation is worse for the corporate bottom line, "Cisco releases
> patches for most of their routers" or "15 year old Canadian cripples
> internet with Cisco bug"?

I do not know. I ask people who are buying Cisco. Personally, I would
love to be without both titles if possible. I do not consider releasing
patches as a success. It is just a sign that we have not done the job
properly the first time (whenever that was). Even less I would like
your second title.

> You probably already have some highly skilled technical people. Do they
> audit products before they ship? Are recommendations applied to products
> before they go to market? If the answer is no, I'd say the core problem is
> more corporate than technical.

The answer to all questions is yes. We do have technical people and are seeking
more. We do have recommendations and tests are done. Sometimes tests are
not sufficient, sometimes something else happens to be broken. I can not
answer that fully. We are using corporate and technical measures to fix
whenever we find something that is broken. But still, shit happens.

Cheers,

Gaus
==============
Damir Rajnovic <psirt () cisco com>, PSIRT Incident Manager, Cisco Systems
<http://www.cisco.com/warp/public/707/sec_incident_response.shtml>
Phone: +44 7715 546 033
4 The Square, Stockley Park, Uxbridge, MIDDLESEX UB11 1BN, GB
==============
There are no insolvable problems. Question remains: can you
accept the solution?