Cisco’s Purloined IOS
5/18/2004 -- Cisco Systems Inc. yesterday confirmed that it was investigating the theft of its IOS source code. The FBI has also confirmed that it is looking into the theft.
Because so little information is available, it's impossible at this point to determine the scope of the theft. But one researcher we spoke to downplayed the risk, noting that the theft of Microsoft Corp.'s Windows source code hasn't yet borne fruit, and pointing out that some security professionals believe Cisco's code is much tighter than Redmond's.
Even so, because Cisco's products provide vital infrastructure services in many enterprise IT organizations, as well as in the public Internet as a whole, the potential for harm is as great as, if not greater than, that associated with the Windows source code theft.
The theft came to light this weekend, when two sample snippets of the alleged IOS version 12.3 code were posted to a Russian Web site called securitylab.ru. No one knows exactly how much code has been pilfered, but some estimates based on information provided by the securitylab.ru site put the total as high as 800 MB.
"The potential for fear, uncertainty and doubt is high, but, for a variety of reasons, the impact of the IOS code theft is probably going to be pretty low," says Joel Conover, a principal analyst of enterprise infrastructure with consultancy Current Analysis Inc. He concedes, however, that the theft is nothing short of a PR nightmare for Cisco.
"There's an interesting observation made from some people that supposedly know ... that Cisco's code is likely a lot tighter than Microsoft's," comments Conover. He stresses: "That's not my speculation -- that seems to be the speculation of people who are out there in the field."
Microsoft's Windows source code has been more or less open-sourced for several months now, but it's still not clear that crackers have devised attacks which exploit previously hidden weaknesses in the code. Conover thinks that the same will probably be true in Cisco's case. "Given that Microsoft's code didn't really yield any particularly valuable exploits, one can assume that regardless of what happens with Cisco's IOS code floating out there, I don't think it's going to reveal a lot of really valuable stuff," he comments.
One potential upside to the theft -- upside, that is, insofar as it might mitigate potential damage -- is that the IOS code would be unofficially open-sourced, so to speak, and distributed on Web sites, Internet relay chat rooms, and peer-to-peer networks, as Microsoft's Windows code was. The hope, of course, would be that white hat hackers and security professionals could identify potential problem areas or other issues before attackers have a chance to exploit them.
This scenario hasn't yet panned out, however, and Conover cites one pretty substantial downside for Cisco if it does. "It puts all of that technology potentially out there where any competitor can look that over and try to leverage that intellectual property," he concludes. -Stephen Swoyer