Cisco VPN client exploit

Critisizing is much easier than appreciating... specially for big companies like Cisco would give a fair chance to people to point fingers wouldn't let the company down. Hacks and cracks are very common now a days... it's not just a Cisco product which is cracked but each and every product on earth has been cracked atleast once. It's not just the username and password which would keep you protected from attackers, intelligent people accompany phase 1 with xauth as a secondary level of protection are not affected by this... go ahead and try to break a token access and you would find another wall in front of you. As far as TAC support is concerned, huge companies like NASA etc go for Cisco product as they know they'll be well taken care of... and they are...!!! Which support would you call the best in world... Checkpoint, Juniper, Netgear, Nokia, D-link... can you even compare it with Cisco tech Support... just on the R&D of a new product before launcing, Cisco spends a huge amount on it with which it could even buy such companies mentioned above...just give a thought and let me know which tech support is better than Cisco in the field of networking....!!!


Cheers,
Rahul Pathania
Empowering The Internet Generation
www.ciscosearch.com

I don't work for Cisco or any other vendor of networking equipment, I'm an administrator. I am vendor neutral, I believe many companies have good and bad products, and I have dealt with tech support from many different companies. Cisco has the best tech support that I've encountered (so far) as I said before, although Marconi was very good too. A couple of times their engineers called me personally on TAC cases.

However, you can't deny the fact that Cisco used a very weak encryption method for it's local passwords on this VPN client. This is a conscious decision on their part, which I consider worse than a real "bug" which is usually due to an error or some other unintended consequence of the code. Sure, there are better ways of using this client that avoid the issue altogether, but why intentionally make a product that has a weakness? This is a question that has been getting more attention lately, so much so that some places are considering legislation that would make programmers liable for bugs in their software! Now I consider that ridiculous, but really, who should take the blame in the event sensitive information is stolen? Is it the programmers fault for not reviewing his or her code properly, is it the company's fault that produces the program, or is it the consumer's for buying it?

Point is, we as consumers shouldn't be satisfied with bugs and security vulnerabilities (e.g. Sony's rootkit), even as ubiquitous as they are becoming. I know it's probably an impossible ambition, but hopefully this attitude will bring use better things.

calm down, mr. cisco.. most have already stated that cisco tech support is very good. and most of us here agree that they do make (or buy as the case may be) some of the best networking equipment. That still doesn't mean there aren't certain aspects of their code or practices that aren't lacking.

So someone out there reverse engineered a weak encryption algorithm - isn't the first time, and won't be the last. don't get your panties in a bunch tyring to defend all that is cisco.