Researcher Resigns Over New Cisco Router Flaw
An anonymous reader writes "Michael Lynn, formerly a researcher for Internet Security Systems, resigned today rather than conceal his research into serious new flaws in Cisco routers, according to stories at Washingtonpost.com and CRN.
Interestingly, Cisco says the problem is not a security vulnerability, although it chided Lynn for not going through proper vulnerability disclosure channels. Both stories note that Lynn is in danger of being sued by Cisco for revealing the information, details of which were pulled at the last minute from the materials handed out to Black Hat attendees." Update: 07/28 12:23 GMT by Z : SimilarityEngine writes "Cisco and ISS are filing a lawsuit against Michael Lynn and the management of the Black Hat Conference, following Lynn's presentation discussing a vulnerability in IOS."
From the article:
According to several people who made it on time to the 9 a.m. presentation, Lynn began his talk with a discussion about security issues surrounding services that allow people to make Internet-based telephone calls. Then, they said, Lynn suddenly changed topics and began discussing the highly technical details of his research into the Cisco flaw, saying he would rather quit his job at ISS than keep the information from conference attendees.
Why would anyone, after clearly being informed NOT to talk about this information, talk about this information?
I know, freedom of information ideals and the like, but couldn't he at least have waited a few weeks to see how Cisco responds, instead of simply revealing the information of a hardware-level exploit?
- Leon Mergen
http://www.solatis.com
Am I the only one that's noticed that Cisco has really gone downhill in the last few years? It seems that there have been more problems found in the last 2-3 years than ever. Besides, a "master password"??? What the hell are they thinking?
It's ok, really it is. Karl Rove gave him the information.
FLR
As dependent as our economy is upon routers, and Cisco in particular, it seems that his disclosure was definitely in the public interest, and if he isn't entitled to whistleblower protection, we need to mount a campaign to get him protected. Write your Congressoid.
"The mind works quicker than you think!"
Actually, one of the questions I have is how new the flaws really are. They have been patched, but how long ago? How much upgrading has been done? If it had been widely upgraded I suppose Cisco would have less reason to fear disclosure.
This man worked for a company and should have gone through the proper channels *BEFORE* just leaking the vulnerabilities. If he had taken this to Cisco and they told him to buzz off then I would have more sympathy for the guy, but this is just irresponsible and he deserves what he gets. There is a proper place to take vulnerabilities and that wasn't one of them.
I think the invisible hand of the market has its middle finger extended
--A wise old fart named SC0RN
In TFA, Cisco themselves said that he did not disclose any new vulnerabilities... so... what is the BFD?
Later, Cisco said it was all bent out of shape because they follow an "industry established disclosure process" and because Mr. Lynn "illegally" obtained the information...
Hey, Cisco, I have news for you. "Industry established disclosure process" != "Law"
Get over yourselves, admit that you're a bunch of fuckups that can't make secure networking equipment, and move along..
I *think* Cisco's gripe with this is that the bug could only be known by someone with access to the code. Hence their argument that it was illegal.
Just speculation...
The articles cited are light on details. But nowhere do the articles suggest that Cisco was burying the flaw. In fact, the opposite is indicated. ISS and Cisco are apparently working on a fix. In my mind whistle blower protection is valid if the whistle blower is uncovering corruption. Which does not appear to be the case here. Based on the information presented, the system was working on the problem, he just wasn't happy with it.
How do you apt-get hardware?
The point of buying a router is efficiency. Otherwise get a switch and a 386 running BSD or Linux... Having hardware move packets is almost certainly going to be faster (and more efficient) than having a general purpose processor do it.
That said you have firmware that controls the hardware which could be "apt-get" though in reality I'd rather see an open source firmware that was also provided as binary images you could just upload.
Do you really want some MCSE throw-back building a firmware image when they can hardly manage cmd.exe?
hehehee sick.
Tom
Someday, I'll have a real sig.
CISCO - Cr4ppy Internet Security COde
You could get protection if you come out and reveal your employer is a racist who told you he refuses to comply with the law and hire blacks, or fired women who got pregnant rather than give them the benefits the law requires.
I think this guy might go to jail for what he did.
Lynn is in danger of being sued by Cisco for revealing the information, details of which were pulled at the last minute from the materials handed out to Black Hat attendees
Of all the places to reveal the information, why give it to black hats? It is like going to a criminal convention and telling them how to turn off security cameras at one bank chain.
If someone used the information he handed out, this guy should be locked up because he will be directly responsible for the damage that is caused.
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
The whistleblower protection thing always seemed pretty silly to me. It's not like you are going to want to keep your job after you blow the lid on some company.
I guess it also has protections against possible legal action, but this guy doesn't sound like he's in any legal trouble.
I agree that disclosure, in general, is clearly in the public interest, but this cannot always be the case.
We simply do not have enough details here to declare this disclosure "good" or "bad." Although Cisco is claiming the information was on vulnerabilities that have been fixed, that could be a PR move to stave off a stock plummet or put a stop to proliferation of the information to those that may want to use the vulnerability to bad ends.
We also can't be sure of what "fixed" truly means. How tested are these fixes? Are they complete fixes or do some variations on the vulnerabilities revealed still exist? The questions go on and on.
I'm all for protecting Whistleblowers, but only if they have done all they could to ensure that they are not causing more damage by revealing information that can still be used against current users. I'm not saying that this is clearly not the case here, only that we need more time before we declare this guy our champion.
How long should it take?
http://blogs.washingtonpost.com/securityfix/2005/07/update_to_cisco.html
The injunctions filed against him state that ISS and Cisco had been working together on the flaw for the past four months, and that up until earlier this week, a Cisco executive was slated to co-present the findings with Lynn at Black Hat.
Our friend Mojgan Khalili is the Cisco employee mentioned in the article, who said the security researcher broke the law -- "It is especially regretful, and indefensible, that the Black Hat Conference organizers have given Mr. Lynn a platform to publicly disseminate the information he illegally obtained."
If you'd like to write to Mojgan and say that you don't like their attitude toward full disclosure, or their attack on the guy who's working hard to make things secure, here is his information.
If nothing else, you could ask him "what law did the guy break, biatch!?!"
Mojgan Khalili
Cisco Systems, Inc.
978-936-1297
mkhalili@cisco.com
http://www.thebricktestament.com/the_law/when_to_
Spelling! Did you mean Clowngressman?
I know, I know. Mod me redundant. This is slashdot. The editors are on crack. Who Rs TFing A? But really. Not a security flaw? No, Cisco said it wasn't a NEW security flaw, but an extension of older ones. There's kind of a difference between "Not" and "Older-but-born-again". Mod me into oblivion now.
I can't help but wonder, if this in the end really about gaining some publicity and in the end making more money.
Cisco is actually very upfront and cooperative when you report things which might be a vulnerability (I have personally dealt with PSIRT). The people who work there are actually so polite, it's kind of annoying (I have been thanked about 2 dozen times for reporting a very minor finding).
They do however expect you to play by the rules. Even if you are the person who found a bug, you are expected to let Engineers fix the bug before you release the information.
Also, there is policy in place, which makes sure major ISPs (Carriers) are informed first, so they can do upgrades before the PSIRT release is made public.
All that makes sense, since we are really talking about essential infrastructure.
Of course, all that kind of takes away the coolness of reporting a vulnerability and you will get a lot less publicity (cisco credits you) than what you would get, if you just post to some mailing list.
If he really released information he researched at ISS without consent, well, he should face consequences. Because he obviously was to gain from it (getting a new job, making a name for himself). Hopefully he wasn't just doing it for the publicity.
"Mommy, mommy! The garbage man is here!" "Well, tell him we don't want any!" -- Groucho Marx
Okay, this sounds pretty simple. Michael Lynn finds a (new) exploit of Cisco routers and it's a doozy. He informs ISS, who informs Cisco. Cisco management can't believe that such a serious flaw exists, since they've known about the possibility, but it's been written off as minor in the past. Lynn presses his case to his supers, and they get down and dirty with Cisco. Cisco craps its pants because the flaw is everywhere, and it's going to cost real money to fix, and could hurt company Q results.
Cisco agrees with ISS that they're going to do something about it, but it's going to take a bunch of research and time. They'll keep it quiet for a few years while they put the fix in the pipeline for new models. They'll work on a firmware fix, but it's back burner as long as the exploit isn't public. If ISS keeps its mouth shut, they can still do work for Cisco.
Lynn hears that his research is to be hush-hush, and that Cisco will work on it, but it could be a while before there's an actual patch. No arguing that the flaw is critical will make ISS management, with a financial gun to its head, budge.
Lynn flips ISS the bird, 'cause he thinks it's a major security issue, and presents his research anyway. Cisco and ISS claim they're working on it, and that it's an old flaw, and nothing really serious. And they're quietly looking for a man to fit Lynn with concrete shoes for blowing their cover.
Seems pretty clear to me.
Is it just my observation, or are there way too many stupid people in the world?
Should a security problem be made public? Should it not? If you were driving a car that really needed to be recalled - wouldn't you want to know about it?
Already some industries are copying the ridiculous EULAs the computer industry has come up with.
How long before other companies with something to hide start screaming about trade secrets, etc. to shut someone up?
"he" is a woman, and we nerds have hard time talking to those
So he discloses a vulnerability in a product and faces legal action? What kind of reaction is this?
"Because we are not employing at entry level, offshoring will kill our industry stone dead."
Contradiction?
... and I can never find out why people can get sued for disclosure of something dangerous to a lot of customers.
Quote: "It is important to note that the information Mr. Lynn presented was not a disclosure of a new vulnerability or a flaw with Cisco IOS software. Mr. Lynn's research explores possible ways to expand exploitations of existing security vulnerabilities impacting routers."
Quote: "... Mr. Lynn a platform to publicly disseminate the information he illegally obtained."
If his research regards known and existing vulnerabilities, how could they be illegally obtained? This can only happen if Cisco sits on the vulnerabilities for some time. If this is the case it's a poor excuse by Cisco to state that it's not a new vulnerability.
In my humble opinion it's new when first made public.
If I use their routers I would like to know if they can be hacked. If they can get hacked I would like the opportunity to take them offline if I need to protect my business.
If I don't have that opportunity - and I lose data/values/etc due to an attack, I'll have to hold Cisco responsible.
-:) Oh no - not again.
www.rednebula.com
Calling for personal attacks and then giving out the person's personal number in a public forum is not appropriate to Slashdot.
I don't believe in keeping an exploit away from the public until the vendor gets his thumbs out of the dark place that smells funny. First of all I really think much more work needs to be put into securing the systems before they are released, this includes various Linux vendors. It's insane today with the user being the Q&A and security department for the vendors.
Full disclosure is a nice cushion for people who really didn't do their job in the first place. It doesn't in any way help the users. Before the exploit is released publicly you can bet your backside it's used for company spying and other shoddy activities.
A company shouldn't be afraid of script kiddies, they're harmless compared to their competitors armed with their most secret info. Full disclosure makes it possible for a company to at least try to mitigate that threat. Other disclosure puts them at the whims of the vendors.
HTTP/1.1 400
-Mark
that would keep all parties happy, is a modification of the current craze for bug-bounties.
Flaw is reported, accepted and cash is paid on a daily/weekly basis until the issue is resolved.
Submitters would get more for a complex bug that involves more work to fix it and they can happily keep their gobs shut from announcing the problem as they're getting paid to be quiet.
Just a thought..
Let the Cisco network defend itself. Just like on 24.
I've long booed the EFF but if the picture I'm getting here is correct I'd gladly donate some money to aid in his defense [or settlement].
That is of course, provided that he at least tried the normal avenues. Under NDA means you're under NDA. Whistleblowing is only possible after management has ignored you.
If he just jumped the gun and released the info publicly he deserves to get sued. Think about it. If every employee who was slightly upset just decided to walk off with trade secrets there would be no competition.
Fuck, why not have Intel/AMD picnics? Granted I'd think that would be cool [as far as technology goes] it would also totally ruin the companies...
I'm sure we haven't heard the last of this story.
Tom
Someday, I'll have a real sig.
Cisco says the the problem is not a security vulnerability
and...
Cisco and ISS are filing a law suit against Michael Lynn and the management of the Black Hat Conference, following Lynn's presentation discussing a vulnerability in IOS
Surely the defense would be: Your honour, obviously there was no vulnerability in the beginning, because look, Cisco said themselves that the ability to take over the router, and sniff for pr0n on the network is a feature, not a vulnerability!
Of course, he is write, Cisco suing him for disclosing a vulnerability means it was a vulnerability, and therefore this would be like suing someone for saying something TRUE about you (or a politician, who are ripe targets).
So are they suing him for saying it was a vulnerability, or for disclosing the vulnerability? Assholes, gotta love large over hyped bitch corps.
#hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
, hours before anyone else would publish...they just didn't have the whole story.
which is probably why slashdot didn't post my version yesterday.
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
The point of buying a router is efficiency. Otherwise get a switch and a 386 running BSD or Linux... Having hardware move packets is almost certainly going to be faster (and efficient) then having a general purpose processor do it.
What do you think a Cisco router is? Traditionally, an underpowered general purpose CPU running a somewhat-specialized operating system.
Unless you're talking about the "big boys" (Catalyst switches, Cisco 10000s, etc) switching is not done in hardware.
The Cisco routers are no more than what you're suggesting anyways. The routers run on Motorola 68030s. Like your old Macintosh you threw out or use as a fishtank now.
They run code to route packets on a "general purpose processor." Kinda like your 386 with BSD, except without the bloated kernel.
If you want speed and efficiency, move to a Multilayer switch, where the decisions are done in ASICs.
Failure is not an option.
"...Cisco's IOS, the operating system that runs the San Jose, Calif.-based networking giant's routers, has been perceived as impervious to remote execution of arbitrary code from stack and heap overflows, the agenda said..."
Anything that is flash upgradable and networked can be attacked. Anyone who says anything else is either working in marketing or lacks knowledge.
We all have it - I was typing right, while thinking about a different possible branch of that sentence that contained the verb write.
I suck
#hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
Well, if he didn't sign anything and can get sued, then I guess that I could get in trouble for telling people about astalavista.box.sk right? Just because you speak about a vulnerability (or other questionable content), it doesn't mean you are responsible for the malicious assholes that abuse it. The abusers are responsible for their own actions.
I'm not saying that I agree with the fact that he told a large group of black hats about a Cisco vulnerability, but legally, what did he do wrong?
Content Management System: A pretentious way of saying "text editor."
Then what's the point?
To be honest I'm not that much into "corporate networking". I think most small companies [200 people] can be easily served by commodity FutureShop equipment.
In the case of where I work we have a 24 port switch, a dedicated bind/etc server and a linksys router plugged into a DSL. It works well for all of us here and we routinely traffic data efficiently from one box to another [e.g. to send stuff to the lab].
Tom
Someday, I'll have a real sig.
Just what did all these parties think Black Hat Con was about anyway, if not to expose vulnerabilities?
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
"It is our belief that the information that Lynn presented at Black Hat this morning is information that was illegally obtained and violated our intellectual-property rights,"
Lynn decompiled Cisco's software for his research and by doing so violated the company's rights, Noh said. [emphasis added]
So basically, Cisco is claiming that decompiling their object code is illegal.
Isn't it a greater violation of the customer's rights to prohibit them from decompiling the code on their own equipment to check for security vulnerabilities?
We've come to the point where corporations believe they have the right to impose conditions of operation on equipment they no longer own. If Cisco sells someone a router, the customer now owns it. Cisco doesn't have any right to impose any conditions of use on the new owner, because they no longer legally own the product. The owner has the right (and some would claim even the responsibility) to decompile their router's code to check for potential vulnerabilities.
It seems that Cisco believes that even after they've sold it to you, they still own your router. And who knows, maybe this vulnerability was deliberately placed so they could own your router anytime they pleased...
The society for a thought-free internet welcomes you.
If they have grounds to sue this chap, then I'd say a lot of people have grounds to sue CISCO for knowingly selling a faulty product unfit for the job. So if CISCO really want to be known as anal dweebs then I'm sure there is a lot of loo paper that can be thrown their way as well.
The filing in US District Court for the Northern District of California asks the court to prevent Lynn and Black Hat from "further disclosing proprietary information belonging to Cisco and ISS," said John Noh, a Cisco spokesman. "It is our belief that the information that Lynn presented at Black Hat this morning is information that was illegally obtained and violated our intellectual-property rights," Noh added.
Ok, let's look at this objectively, shall we? Proprietary information belonging to Cisco and ISS is nonsense. That information should belong to the customers who bought the router so they can take the appropriate steps; for example, a customer should be able to replace an affected router with something else if they're concerned about the problem, or modify the software on the router to alleviate the problem itself (and this is again another example of where OSS is so important).
In terms of violating intellectual property rights, what about violating the property rights of the people who own the router? What rights do they have in this whole situation? Are they expected to sit there with their collective thumbs up their collective asses and wait randomly for a fix? Don't the people who use the routers have the right to uninterrupted network services? What happens if this router belongs to a large ISP and a DoS attack brings the router down? Are they supposed to be stuck with the bill? I'll tell you this much - if this happened, Cisco would never credit them with the cost of service refunds to their end customers. Of course, this would be hypocritical on Cisco's part for obvious reasons, but I digress.
"Some people, however, think that the only thing that'll get companies to take security more seriously is if they are actually made to look really bad, and maybe some of their products actually get hacked."
Except Cisco were told back in April. What they did was fix this particular buffer overflow without tackling the method used to run the code. This was what incensed him so much, they half fixed it, enough to get by with for today.
So yes, they had already had their warning and chosen to ignore it.
One word: Publicity.
Ok, a few more words as well. I don't mean any negative connotation here in the sense of being self-serving, although that is certainly a distinct possibility. Still, if he thought it was an important enough flaw, maybe he's sacrificing himself for the greater good. It's difficult to know his true intentions at this stage, but certainly there are many valid reasons to ignore the will of those whom would censor you.
Whistleblower protections are anything but silly. In some cases the whistleblower's employer might be the only one in the area; e.g. Alaskan pipeline. In other cases it is in the public benefit for the whistleblower to remain on the job and continue acting as a check against illegal and/or unsafe company practices; e.g. Ford Pinto, Alaskan pipeline/oil drilling.
Unfortunately most whistleblowers are shunned by the public. This is sad and just plain wrong.
"Would you be more or less likely to vote for the current president in the upcoming election if you knew he was having young girls kidnapped so he could rape them?"
sounds like another win for the Turd Blossom...
EOM
How can he be sued if "the problem is not a security vulnerability"
Way to go, Cisco.
The global economy is a great thing until you feel it locally.
Haha, god you're naive. Good luck convincing your congressman about someone who, eager to feed his ego rather than keep his promises and give Cisco some time, publishes his still-unfinished research on a critical vulnerability that affects most of the internet at a black hat convention. Yeah, good luck. Let me hear how it went.
Don't Cisco routers run on the PowerPC and basically have a similar Network controller chipset as Apple desktops and xserves?
... or is this truly more software related than hardware related as "cisco routers" implies?
I thought I read that Cisco is the largest customer for PowerPCs.
Why wouldn't this vulnerability also be inherent to Macs
Yell & scream & rant & rave... it's no use... you need a shaaaave ~ Bugs Bunny
From the (update) article:
"It is our belief that the information that Lynn presented at Black Hat this morning is information that was illegally obtained and violated our intellectual-property rights," Noh added. Lynn decompiled Cisco's software for his research and by doing so violated the company's rights, Noh said.
So, he reverse engineered their software (presumably using demonstrable decompilation techniques) to obtain all or part of the source code, which he then studied to ascertain any potential vulnerabilities. Oh dear, this is a violation of their intellectual property.
Please enlighten us Cisco:
Much obliged, do take your time...
Your comment about needing "carnage" to press a business into action was often true five years ago, but it is rarely the case now. The present business climate is not accepting of security flaws and big businesses often press the vendors these days.
They can't press the vendors if they don't know there is a problem. For the market to work most efficiently to solve a problem it needs the most perfect information.
Build a man a fire, he's warm for one night. Set him on fire, and he's warm for the rest of his life.
would this be part (just like the master password thing) of the hole designed in the thing by cisco for the NSA to access any and all routers ?
LOL. That's a home networking setup. You don't have a clue about the corporate networking sector do you? Apt-get rules the roost there, my friend. Apt-get rules the roost...
Remember Sklyarov? Adobe vs Elcomsoft... That is the law my friend!
...Cisco feels that that makes it a week(sic) excuse.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
...ever agree to the presentation in the first place then? That is one of the weirder aspects here. Both Cisco and ISS management knew about and condoned the paper and talk right up until the last minute. It was given to the defcon show people to publish, it was in the written and digitized media, THEN removed. What changed at the last minute?
This is not a problem of disclosing a major vulnerability before the vulnerable company could react.
The flaw had been privately disclosed a few months ago. Cisco, for its own reasons, didn't intend to distribute a fix before long (next year!). Too major a flaw? Publicity? Too much work already? Internal politics?
Obviously, Michael Lynn couldn't live with the idea of leaving this flaw open, and decided to disclose it publicly, thus forcing Cisco to acknowledge it and fix it. Also obviously, this wasn't the only reason. He seemed disgusted by the industry's approach to this kind of problem.
Misleading titles? Inflammatory blurbs? Keep in mind that Slashdot is a tabloid.
You do realize that you have now come full circle and are arguing that all you really need is a 386 and BSD, don't you?
Never mind having missed that the original post was a blatant joke of the Emily Litella variety. Can you say, "Oh. That's different. Never mind."?
KFG
will be shut down in 5 minutes.
I'm always amazed that companies think they have, or do have the right to sue someone for pointing out a flaw in their product. "Only in the software industry". If Chevy sells a new pickup that has seatbelts that don't work properly in a crash, and I find out, damn straight i'm telling the whole world. And if chevy tried to sue me for it they'd get laughed out of court. There should be absolutely no legal grounds for a company to sue someone over pointing out the flaws in their product. It's their own damn fault for not making a secure product in the first place.
Can't say for sure. But two points:
A clear case of corruption would be if Cisco tried to "kill the messenger", bury the problem,conceal its existence, so they wouldn't have to spend more resources dealing with it.
I'm not inclined to believe Cisco would do that. Rather, they'd attack the problem with as many resources as they think it deserves.
But in the real world of shades of gray it's hard to determine whether Cisco is working on the bug with all necessary and sufficient expeditious diligence, or they are needlessly and carelessly dragging their feet because fixing the problem looks to be an expensive proposition.
Personally, I think the annual reports of companies like Cisco, MS, Oracle, IBM, Sun, etc. should be required to provide an after-the-fact one-year history of their bug handling, notification, fix, distribution (with all the legal baggage that financial reporting and auditing requires), and how many of their customers' systems were vulnerable, and actually exploited (anonymous is OK there). That kind of full disclosure would provide potential customers with at least the historical information they need to make an informed decision in a functioning free market.
"Provided by the management for your protection."
Like I said...a home LAN. That's fine. You and your 'enterprise' are getting along just fine with some networking equipment from Walmart and a recycled PC that you found in the dumpster of your local elementary school...12 years ago. I don't mean to disparage that. It's just that when the big boys talk about routing packets, they do it with apt-get. Come back and post another comment when you're on a big person's LAN...an adult LAN...an APT-GET LAN!!!
You exposed your tits! Woot!
Michael Lynn was right in divulging this to the public and not going directly to Cisco. These companies get this information and sit on it for months. Meanwhile x many customers have their underwear pulled over their heads. Cisco will now have to fix these issues immediately rather than waiting until they see fit. I applaud Mr. Lynn.
um ... you need the sort of help that can be personally dispensed with a 9mm "tool" aimed at the head.
I've been on "big people lans" and they generally suck. At nortel it was nothing to have regular "sludge" periods where you basically couldn't open/save anything and took the chance for a good walk around the campus [hey healthplan?].
Just because you have a "cisco box" in your cabinet doesn't mean your network is running properly.
Tom
Someday, I'll have a real sig.
you had me at #!
There are various protocols that are directly used by VoIP - these would include things like SIP, UDP connections for the streamed audio and other fairly mundane stuff. For videoconferencing (a related technology), you'd probably use IGMP to set up the multicast conference.
Of these, IGMPv3 (the newest version of IGMP) is the only one the router would really need to talk. It is also a variable-length structure, which means crappy implementations may be subject to buffer overflow. On a liklihood scale of 0-10, where 0 is impossible and 10 is a certainly, I'd put this at a 2 or 3.
There are also indirect protocols used with VoIP. Most VoIP setups that want any decent quality will use bandwidth management schemes, such as QoS. Cisco routers support a number of QoS functions. Some are local, but IIRC, some will propogate between Cisco routers. It could be there is something exploitable in such a mechanism. On the same scale as before, I'd put this at a 4, as I doubt the QoS code has been as extensively tested by consumers or by crackers.
A third option is that it is only tangental to VoIP. The easiest way to secure VoIP is to set up IPSec tunnels. Could there be a flaw in IPSec that can be exploited? There are two candidate areas here - one would be a flaw that made it possible to spoof legit connections without the Cisco router being able to tell. The second, and more serious for Cisco, would be if there's a bug in IKE/ISAKMP where a malformed and/or oversized packet did Really Nasty Things.
Again, IPSec isn't widely deployed so the bulk of the testing it will have received will have been from Cisco itself and not from users (who are always much more creative in creating bizarre network scenarios). Of all of the options I've outlined, it would also be the strongest candidate for a follow-on discussion after talking about the security of Internet Telephony. It is also the most complex, in terms of packet exchanges, putting it at a higher risk of having bugs. Again, on the scale I gave, I'll put this at a 6.
Finally, a lot of router technology (not just Cisco's products) are open to ARP cache poisoning, router table poisoning and the like. In a VoIP scenario, these could be used to redirect a call as a means of wiretapping it without duplicating it. This would fall in the category of VoIP security and router security. Normally, routers are set up so that they can't get routing information from anyone. However, one place I worked, I did see a fairly major ISP fry three of its routers with circular routes.
It is possible, then, that Cisco's handling of router-level traffic is suspect - perhaps there's a buffer overflow somewhere that allows escalated privileges to another networked device. The problem here is that this IS in an area that has been extensively used and tested in the field by Joe Average Customer. And if Joe Average Customer can screw up, they will screw up.
Knowledge of such a bug would not be kept under wraps, simply because too many people would be experiencing it first-hand. (Same reason Windows bugs aren't secret for long.) So although this is a well-known problem with networks, I would say that the chances of this being the bug Cisco is fighting tooth-and-claw with is about a 2.
The only way we'll know if I'm even remotely close, though, is if Cisco or the researcher says something definite. Either that, or some Black Hat skilled in the Dark Electronic Arts reverse-engineers the defect from what has been said and publishes their observations.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I'm curious, in the general case, where does it say I have a legal obligation to provide any such information to the vendor at all? Is it contained in the user manual? Driver disk?

If I walk by a paper vending machine and see that the lock is broken and people are just helping themselves to papers, am I legally obligated to call that company to alert them?

Why should software/hardware companies be treated any differently than consumer product companies? Many times the first you hear of a defect is through TV or the press - not the company. Do they then run out and sue the reporter or person who discovered the problem?

I can see moral arguments in certain extreme cases, but that does not necessarily transfer to a legal obligation.
It's really funny to see that quote because they ALWAYS tell you to upgrade the IOS no matter what problem is reported to them... classic response from Cisco!
It's not the destination that matters, but rather the journey.
If you don't reveal the vulnerabilities, the companies will sit on them while they review, discuss, delay, "review" some more, etc. Meanwhile, organizations that use that technology are potentially at risk that a black hat may discover it. If you are a security professional at my company and you don't do your due diligence in protecting the company's data, you will be fired, sued, tarred and feathered and worse because you have opened up our company to lawsuits.
If you do reveal the vulnerability to the vendor, the vendor will come after you because you have exposed them to lawsuits.
The only conclusion: Well, you decide what the third alternative would be. I don't want to be sued.
This is outrageous.
Sure enough, the little company that I'd joined soon grew and grew and grew. Soon, it was one of the largest telecoms suppliers in the world. So why didn't we just increase network capacity as we grew? Well...I was so confident with my little LAN that I formally requested that the networking budget be frozen until 2012. Imagine how silly I felt when I was trying to support a worldwide organisation of over 30,000 employees with an 8-port hub! There was only one thing I could do. Yes...splice the shit out of the ethernet cables coming out of the hub, and write some advanced packet management software to handle all the multiplexed data.
My mother had an old 486SX system in her basement that she'd stopped using several years ago since it was completely fucking obsolete, but for Nortel, it was the perfect hardware solution. The only thing missing was software. I thought about the problem at hand. What do I have? TCP/IP packets flying everywhere on CAT5 cables, spliced around 7,500 times over. What do I need to do? Manage those packets. What's another name for a packet? A PACKAGE! And what manages packages? apt-get, fuck you Tom...apt-get!!!!!
I spent the next few days furiously extending the source code to apt-get to deal with TCP/IP 'packages', as well as its native currency, the .deb package. It was no trivial feat. It required some very clever hardware tricks to get it to run at full speed on the ancient 486SX hardware, including full MMX, SSE and 3DNow! acceleration. I found out later that the Intel 486SX chip didn't actually support any of those instruction sets, so I had to spend an extra day writing an emulation layer.
No matter. By the end of the week, I had my new Debian/apt-get package management system in place, busily apt-get installing TCP/IP packages across our entire network. Of course, given the restrictions of our hardware, we were bound to come across minor slowdowns from time to time. And that's what you experienced Tom. And for that I'm sorry. I really am. I could have done better. My co-workers suggested I could have used Gentoo's 'emerge' system to better optimise those TCP/IP packets better to the 486SX system. Maybe I could have. But Tom...you have to understand...I only did it because I had to. You do understand that Tom...Tom? Are you still there Tom?
I know where you're going and I agree with your point - but I wanted to address that this particular bug is a bad example.
This bug relied on OS-registered protocol handlers, and the exploit was an innate insecurity of Microsoft's handler. It was delayed due to debate on how to fix - and being a programmer I understand why you don't want specific workaround code for someone else's bug, when what you have should work fine.
But you see the results, Mozilla ended up changing to fix this because even Microsoft wasn't moving. IE has special behavior to get around it, rather than fix the problem in Windows itself.
OK, so there's all this talk about how hackers could "potentially" do this and "potentially" do that in terms of taking over key Internet routers.
What's the worst that could ha... [NO CARRIER]
If corporations don't impose conditions of operation for equipment they develop, at which point are warranties invalidated?
Very true.
There's a large difference, however, between voiding Lynn's warranty, and suing him.
Microsoft is to software what Budweiser is to beer.
Last time I looked, there is no such thing as "intellectual property rights". There is copyright law, patent law, and trademark law. These three are commonly grouped as "intellectual property" in the media, but that phrase has no legal standing.
As far as I can tell, no Cisco copyright was violated; no patents were infringed; and no trademarks were fraudulently used. Thus nothing illegal has occurred.
The only remaining possibility in the U.S. is a violation of the DMCA, which Cisco hasn't mentioned. The DMCA is pretty complex, but as far as I can see, the only way it would apply here is if Cisco had encrypted their information and Lynn had decrypted it for commercial purposes. I don't know if compiling source code to object code counts as encryption for the DMCA, and the purposes of the "decryption" are a fair stretch in that context anyway. So I don't see that as being a legal problem here either.
If he signed an IP rights contract as part of his job then he may be in violation of an IP rights contract signed with ISS and ISS can sue him. I do agree that Cisco may have no direct ability to sue him but they can sue ISS for their employee violating an agreement to suppress the information for a given period of time. Which would then also allow ISS to try and recover those damages from the employee who violated their IP contract.
Now they're going up the network stack with high-value applications such as Message Queueing. These use Intel CPUs on a router blade.
One of the articles I read mentioned that he put his resume up as the last slide. Does anyone know where to get it? I want to put it into our internal HR systems and see if there is a position for him anywhere. Anyone who would quit his job over a principle like this is worth working with.
It must be a *really* bad hole - they might just as well hang a "crack me" sign on their heads. Either that, or they've hired security experts from Microsoft.
"We are all geniuses when we dream"
- E.M. Cioran
That's a lot of typing just to troll.
You sir, are amazing.
Tom
Someday, I'll have a real sig.
They're actively helping China violate human rights by having created and helping maintain the Great Firewall. And now they're threatening security researchers rather than trying to write secure software. (Which is just stuff they lifted from open source and patched anyway.)
If you read the article you can plainly see that ISS and Cisco have had a restraining order imposed; this is not a "law suit", but it certainly does not preclude them from doing that as well. Disclaimer: I am not a lawyer nor do I play one on TV nor did I stay in a Holiday Inn Select last night.
I had some downtime while the 486SX rebooted.
If Lynn had discovered what he did as an independent researcher, he would have been justified in revealing it as he did. Cisco and ISS could complain, but they couldn't touch him.
However, he was an employee of ISS. As such he is bound by his employment agreement with them and probably by nondisclosure agreements with Cisco. His research is the intellectual property of ISS. Quitting doesn't change that.
He had absolutely no right to do what he did. I almost feel sorry for him because he's going into a battle he can't possibly win.
He not only shot himself in the foot, but he backstabbed Black Hat's J. Moss by telling him he wouldn't talk about it, then doing it anyway.
But I'd say that it's more like checking the neighbor's front door and finding it unlocked, then putting a big sign on their front lawn with an arrow and the words "Free Stuff" on it.
Whether I'm legally liable for such an action, I can't answer. But from a moral standpoint, I'd say it would be wrong.
Taking this (somewhat silly) analogy further, the question is, if my neighbor leaves their front door unlocked when they go out, and I've told them about it repeatedly for four weeks, is putting up the sign still wrong?
Lost in the slashcrud, as always, is the balance between getting corporations to be accountable and fix flaws, and keeping unpublished flaws from being exploited during the "window of vulnerability" before they're fixed. Most comments here make the issue seem like an all-or-nothing, zero-sum game.
I don't think it's that simple.
Interested in a Flash-based MAME front end? Visit mame.danzbb.com
Yea, and the Nazi Guards were just following orders right? Free Lynn! Fight the Power!
Two words "Professional obligation".
There used to be two general ways to handle security flaws when you discovered them. Either you could privately exploit the hell out of them. Or you could just privately report them to the company involved and wait patiently for them to release a fix.
However, there is a big problem with this particular model. The problem is that companies like Cisco, Microsoft, etc. don't really seem to think that exploits that allow people to remotely execute administrator level code are really that big of a deal, and they figure that they can just create a patch when "we get around to it" or "next year".
Meanwhile, do you really think that you are the only person in the entire world who is guaranteed to find the exploit? The black hats of the world have probably already found the exploit anyway in many cases. It's just the customers who are suffering because a patch is not available.
This model of waiting around forever was a dismal failure. So, security professionals found that by publicly releasing their findings, they could force companies to take security more seriously. The responsible way to do this is to first inform the company privately of your finding, and give them a reasonable chance to fix it.
What you think is reasonable is up to you, *not* them. They are playing by your rules. You are not playing by theirs. Remember, that you are being nice to them by not just publicly releasing the exploit the day that you found it. So, they should respect that. If they do not, that is their problem. Still, as a professional, you should rise above them and try to give them a reasonable time to fix the problem.
Now in this case, what he did was he informed them 4 months ago of the vulnerability along with a proof of concept. They decided not to fix the problem. They claimed there was no problem. He waited patiently for *4 months*. They said that this wasn't really a vulnerability. Then, they knew well in advance of his presentation at Black Hat, and yet they still chose not to fix the problem.
So, what is he supposed to do? As a security professional, it is his ethical obligation to publicly disclose his findings at that point.
In conclusion, Cisco should spend more money on engineers instead of lawyers.
Randy.Flood@RHCE2B.COM
So if Cisco has all kinds of security problems, who should we buy routers and switches from? Is there any vendor of network gear that specializes in secure, hardened solutions?
he did troll you something awful though...
The rationale for public disclosure of a security flaw (knowing that the 'bad guys' will hear about it too) is based on the idea that (a) customers have a right to know that they are at risk and also need to apply a fix as soon as it's available, and (b) companies should face pressure (even extreme pressure) to prioritize the fixes for these bugs.
It's pretty much accepted across the industry that the disclosure that there is a vulnerability is a "good thing". Indiscriminately revealing the gory details about how to exploit the vulnerability is a "bad thing".
After reading all the articles, it sounds like the exploit was discovered months ago, the patch has been available for months, and though Mr. Lynn demonstrated that the exploit is real (usually required to establish credibility) he did not expose the gory details necessary to allow someone to exploit the attack on their own.
So what's the big deal?
I'm particularly annoyed with Cisco's comment about Mr. Lynn having "illegally" obtained his information. Frankly, it's in the best interest of the public, the Internet, and the security world that security researchers will decompile code to search for exploits. The security industry accepts that "security through obscurity" is a very bad idea. Vetted code is deemed secure because the gory details have been exposed to a wide audience and *still* no exploits could be found -- NOT because nobody was allowed to know how it all worked.
Not really. It's hard to tell zealots from trolls.
To my credit I did tell him to suicide early on in the thread.
tom
Someday, I'll have a real sig.
This is kind of a disturbing new trend, celebrity tell-all techies pulling these publicity stunts, along the lines of the "I f***ed " celebrity wannabees.
Really this flaw is well known, every competent admin I know patches their routers within days of release, and "I'm just doing this to draw attention to all the yadda yadda yadda" is just a bunch of press whoring.
The root cause of all this is that "security" is now a standalone specialty with a self-appointed celebrity 3l33t of high priests marketing their services to clueless PHBs, and hordes of clueless posturing wannabees. When in fact every garden-variety techie should know all this stuff anyway, and I wouldn't hire anyone who didn't for even the lowliest project. I've hired and worked around some of the high priests in the past and I was impressed on only a few occasions.
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
from tfa: "The only "official" comment on the missing pages on the Cisco flaw was a photographed copy of a notice distributed with each bundle of conference materials. The notice states: Due to some last minute changes beyond Black Hat's control, and at the request of the presenter, the included materials aren't up to the standards Black Hat tries to meet. Black Hat will be the first to apologize. We hope the vendors involved will follow suit."
Sounds like the vendors did follow suit. A lawsuit, that is. There are limits to free speech, in this case, unfortunately.
There's also the legal concept of "trade secrets". If I give you "secret" information which is required by you to do your job, like, for example, the secret formula for coke, and I tell you it's secret, and I take active steps to keep it secret, then you're generally prohibited from disseminating it later.
The actual protections vary state by state, but generally speaking a company can, and will, sue the shit out of you if you unlawfully disclose trade secrets, even after your termination. You can then defend yourself by demonstrating that the material in question *wasn't* in fact secret, or that the company wasn't taking care to protect it anyway, but that's a matter for a trial court, not a hearing, so it's very hard to get a theft of trade secrets case dismissed pre-trial.
As a result, suing somebody for theft of trade secrets is a common way for large corporations with on-call legal teams to fuck with smaller companies that, for example, hire away their engineers or executives. Whether or not there was an actual theft of trade secrets, the smaller company (with less time and money on hand) still has to defend the case.
> A widespread attack could badly hurt the Internet, he said.
or A widespread monoculture/monopoly could badly hurt the Internet
The guy is a sociopathic nerd who's pissed because he didn't get his way. He needs to be, Hell, he will be criminally prosecuted for publishing his findings publicly.
This nutcase is going to cost us lots of money for his ego stroke. He's going to the Big House for at least 8 years.
As you've already been told, Lynn did NOT work for Cisco, nor does ISS work "for / with" them. The mutual effort was a result of Lynn finding the flaw in the first place, and notifying them about it.
Four months ago.
However, the more damningly flawed portion of your argument is that 'now Cisco doesn't have time to fix the problem'. <snort>
Could you please provide proof that this flaw hasn't been actively exploited since even before the time at which Lynn found it?
It is, needless to say, impossible to prove a negative.
If you're not living on the edge, you're just taking up space!
you are assuming that the security professional is the first one to discover it.
For all he knows, it's been exploited for weeks.
Ideally, we could say here is an exploit. In a week I'll release it to the public. Unfortunately, he would get sued, and the exploit would go unpatched for a while.
The Dunning-Kruger explains most posts on
Who's got a torrent of the original CD and presentation?
I for one don't buy this "intellectual property violation" BS for one second. The guy has access to a router - the guy discovers a flaw. The guy tells cisco. Cisco sits on their hands for whatever reason. Guy feels compelled to share the info to protect people against the flaw.
In my book - he's a hero and gets a medal, not served with a lawsuit.
Cisco might not like the egg on their face, but if they'd done their jobs better - they wouldn't have it to deal with. If they'd gotten back to him and said "hey, we're working on it - can we pay you to consult with our programming team for some insight if we need it?" - they might have actually staved off this debacle....
no no, they brought it on themselves... fuck the PR and legal spinning - the researcher was right, they're wrong and they know it - they're just trying to save face in the stock market - but ya know what, ain't gonna work... maybe if they apologize to the guy - but otherwise, nope...
Are you saying that nobody should release code until they have tested all possible circumstances under which failure could occur?
That'll be pretty hard for anything with more than fifty lines of code. Are you prepared to wait 15 or 20 months for patches to vulnerabilities that are being exploited now?
In contrast, attempting to hide problems and punishing those who reveal details only loses more trust, because a company that does it once has surely done it a hundred times, and we must now be concerned with potentially hundreds of other, undisclosed flaws without even so much as a thrown bone to help work around the problems.
Can't they see that they are doing exactly the OPPOSITE of what they should be doing?
I thought they did have Intel/AMD picnics - Comdex and FOSE and the like...
I think with the interesting people, their lives can't possibly be wrapped up into a nice little package.
If my bank's vault turns out to be made of cardboard, I'll find a different bank. I can't do that if I don't know about their cardboard vault.
Which is, of course, why my bank (and Cisco) don't want the plastic lock revealed.
Lynn better hope for a better outcome than George Bush got when he told the insurgents in Iraq to 'bring it on'.
trying to fix everything by throwing vowels at it.
Enough is enough, people!
If I can't smoke and swear I'm fucked.
I am in favor of full responsible disclosure (give the vendor a deadline and stick to it unless you KNOW they are moving on it).
Still, most exploits seem to be reverse-engineered from patches. Compare the patch to what came before and you have a serious clue to the problem.
That's in the public world; I don't claim to have any insight into privately held 0-day exploits. I suppose that there are some blackhats as clever as the white, with equivalent labs.
Was Lynn only told afterwards to keep quiet about what he found, or did he do the security research under the terms of an NDA? Cisco might well have gotten an NDA if they provided unusual access to IOS, such as source code. If so, then even if everything you say is true, Cisco may well have been correct in calling the disclosure illegal.
Whether it was ethical, of course, would remain a debatable proposition, but I would judge the burden of proof to shift to require showing that it was ethical, despite the unlawful nature of the act.
//Information does not want to be free; it wants to breed.
(As I posted about a year or two ago...)
All corporations (I'm talking about large corporations with hundreds or thousands of employees) are like trains, planes, or other large pieces of equipment. They can not stop and/or turn on a dime. (As the saying goes.)
As in my previous posting on this subject - think of a bus which is going madly down the road at 100mph. Within a mile of where the bus (ie: the company) is, there is a bridge which has collapsed (ie: the problem). If you start a mile back from the bridge you can easily stop the bus and save everyone (ie: anyone who uses the company's product). If you wait until there is only 1/2 of a mile the bus can still be saved but they might have to slow down a lot faster and they could blow some tires and maybe have an accident. (Thus hurting some of their customers.) Or you could wait until there is only 1/4 of a mile and try to stop the bus. Here, since a bus travelling 100mph travels 100 * (5280ft/60/60) = 146.6666ft per second, it means that the bus has less than 10 seconds to stop. Most probably, unless the bus driver causes the bus to fall over onto its side - the bus will most likely go over the bridge and kill everyone.
The same holds true for talking about problems in ANY WAY, SHAPE, or FORM when it comes to computer software or computer hardware. You can't just jump out there and start screaming there is a problem because the bus can't stop that fast to prevent disaster. Nor can you tell a company about a problem, wait a couple of hours, days, or even weeks and get mad because nothing has been done. It takes a while to bring the bus to a stop, pick up on what you have to say, and then to start back up again.
What's a good rule of thumb? Three to six months minimum depending upon how severe the problem is. If it is just a one or two line coding problem - three months. If it is a major change due to parts of a program having to be either completely re-written or major portions having to be changed - six months. And remember - that is a MINIMUM requirement. Normal length of time to fix? More probably two to three times those minimums. That's because you are not the only person who may have found a problem as well as the fact that they are trying to put in new features that have been requested. The same people work on both things at the same time.
So people who find problems need to think in months - not weeks, days, hours, minutes, or seconds. Because that is how long it will take to fix a problem. In fact, sometimes something that looks really simple turns out to be a real mess to fix. It all depends upon the way in which some software was originally written. So you can't base how fast the company fixes something by what you may think is a fair amount of time. You just need to be patient while the company does what it can to fix the problem.
Now, as for the company - it is extremely important for companies to keep everyone up-to-date on any/all progress made to fix a certain problem. This can even be automated somewhat. But it is very important not to try to hide the problem because as anyone knows - that is what gets a company in trouble. Trying to hide things that is.
Someone put a black hole in my pocket and now I'm broke.
http://www.tomshardware.com/hardnews/20050728_152037.html
Just removing the link... isn't that security by obscurity? ;-)
http://www.blackhat.com/presentations/bh-usa-05/BH_US_05-Lynn.pdf
A flaw in a software product is totally different from having an 'unsecure seatbelt': in the first one thieves/crackers are trying to use it to gain money/advantage, the other one is purely a safety problem.
If you publicly announced a fault in cars which allows thieves to steal cars without first contacting the car manufacturers (I don't say this is what occurred here), I suppose that the company wouldn't be too happy..
Mike has fallen for the marketing of all these firms that supposedly "pay" for vulnerabilities. He's telling everyone that he believes it's his responsibility to stop a "Digital Pearl Harbor" when in reality he's just attempting to market himself so as to increase his net worth.
I've long booed the EFF
Out of curiosity, why? While I do occasionally (read: once in a very great while) disagree with their position on something, the vast majority of their work is pretty clearly for the public good. I feel that my membership fees are well spent.
I can see someone maybe not being an active supporter if they simply aren't interested, but why "boo" them?
I like my women like my coffee... pale and bitter.
The Command Line Interface in IOS is based upon BASH.
Cisco needs to be threatened with a GPL violation lawsuit.
In a shocking development, researchers in China report that Huawei routers exhibit the exact same vulnerabilities as those found in Cisco devices.
"Cisco, for its own reasons, didn't intend to distribute a fix before long (next year!). Too major a flaw? Publicity? Too much work already? Internal politics?"
The two most important words, and the reason for not putting this info out there?
STOCK PRICE.
Greedy damn bastards don't give a rat's ass about their customers. The share holders are the people that the company is providing the customer service and security enhancements to. They have completely forgotten who keeps them in business.
It used to be that companies made decisions to keep their customers happy and to make sure that they had a competitive edge to stay in the customer's financial field of view. These days companies make decisions that screw their customers to inflate stockholders' portfolios and then sue anyone who contradicts the marketing department's ultra-spin.
Nice. Freaking nice.
When the only tool you have is a claw hammer every problem starts to look like the back of someone's skull.
The only "work" they've proven competent to handle is making beds of dorks' donated cash for themselves and their friends to roll around in.
Name one other thing they've ever done right.
One.
Or don't. Because lying is wrong.
Breach of contract is a civil tort, as far as I'm aware, but I'm not sure that it's a crime (as appears to be implied by the *illegal* comment), although I'm not a lawyer. There are also various "whistleblower" statutes, though I make no claims about how they do or might apply here.
All said, it appears to me that Cisco was caught with their pants down here, that they have been sitting on this for months for whatever reason, and the lawsuit is just a smokescreen to cover the bad PR.
I have no way of knowing (and neither do you, for that matter), any of the details of any NDA he may or may not have signed, but after this I'm sure as hell not going to take Cisco's word for it when they've clearly contradicted themselves in the quotes given us (look at how they variously characterize the severity of the issue--it's either new or it's not, huh?). I also fear if vulnerabilities ever get the status of "trade secrets" (which is the ONLY sort of IP I can imagine applying here--I sure as hell hope they haven't patented buffer and heap overflows, and it doesn't mention any sort of copyrighted exploit code, not to mention the fact that copyright does NOT cover methods and concepts [see Gates Rubber Co. v. Bando Chem. Indus. Ltd., 9 F. 3d (10th Cir. 1993)]) because that would *really* hurt computer security as a whole. We'd simply end up in the bad old days when the black hats had all the power, there was no one and nothing to protect you, and anyone even attempting to be a legitimate security researcher was the target of many lawsuits and much hostility.
But again, I'm no lawyer (and I somehow doubt you're one) and even if we *were* lawyers licensed to practice that area of law in the relevant jurisdictions, NEITHER of us knows enough to go about saying whether what he did is or is not illegal.
Now, I'm not saying it's unreasonable to assume he's under an NDA--my *guess* would be that he is--but it's not reasonable to guess exactly what that NDA may or may not cover and just to what extent it might get upheld.
Still, in a moral sense (and not a legal one), I believe what this guy did was right. We clearly have an old vulnerability, believed to be *currently exploited by blackhats* and a company that thinks they can hide all this with lawsuits. Just for the record, most reasonable definitions of responsible disclosure say that if you know or have reason to believe that a vulnerability is currently being exploited, it is your *duty* to tell everyone about it.
In the meantime, Cisco just went down another peg in the trust metrics I use to evaluate my purchasing decisions. I buy from companies I trust and I recommend the same. I recommend against any company I feel I cannot trust.
Cisco is indeed going downhill, maybe not techno-wise, but business/marketing-wise for sure. Allowing vulnerabilities to rot and mould inside their flagship software IOS.
But don't be surprised. Cisco is not the only Moloch sized USS Enterprise Corporation, who deliberately downgrades or even _sabotages_ its own products for the cause of undermining foreign customers and businesses to illegally gather extra information (Cisco : see the story, Dell : purportedly a key logger is inside their laptops, Microsoft : Flawed EULA agreements forcing the customer to agree that Microsoft has the right to take remote measurements on any windows machine on the globe. Food and Medicine Corporations undermining the health of all their customers. The list is endless.
Its good to see a honest and experienced employee and insider of the router industry finally takes on these weird practices, like it should be done.
Oh did i forget the 7 dwarfs of Big Tabacco ? Check out movies like "The Insider". What about "Erin Brockovich" ? All mind-boggling and edged chair Hollywood productions of real stories, on how the last few honest and genuine people left take on the Atrocities to mankind by Big Industry.
Robert
In this article http://www.boingboing.net/2005/07/27/security_researcher_.html they say that this was planned for public disclosure back in April. Permission was given by both ISS and Cisco. I want to know about these vulnerabilities ASAP. Not after code is developed that runs the latest spammers' zombie on my router. Hmmm, is Cisco the next Windows?
jc2it "Humor is mankind's greatest blessing." -Mark Twain
my, so much text.
Here's an unencrypted copy of the PDF for the presentation: http://www.angelfire.com/ego2/hellomother/BH_US_05-Lynn-decrypted.pdf
ZDnet reports that David Lynn and Cisco have agreed to a legal settlement. Lynn doesn't talk about the matter at Blackhat or Defcon and returns all related material to Cisco. I suppose Cisco drops its charges against him, though that's not mentioned.
I'm glad for Michael Lynn that this affair ended quickly and not too harshly. Kudos to him for his courage.
Here is one of the many e-mails I do on a weekly basis. This one was to LinkSys (Cisco) routers which, since it ties in with this discussion, I thought I'd post so you can see what I mean by talking to the company. Granted - this is NOT an earth shattering exploit - but it is still along the same lines as what is being talked about here.
:-)
;-)
Thank you very much for taking the time to give us such valuable feedback. Rest assured that we shall continue to exert our best efforts in order to meet and even exceed your needs and expectations. Please feel free to get in touch with us again should you have other queries. I will forward this concern to the appropriate department as well.
Thank you once again for contacting Linksys Customer Support.
If you have further questions, please send us an E-mail at support@linksys.com so that we may further assist you.
Sincerely,
Christian Lara C. Diamante
Linksys - A Division of Cisco Systems, Inc.
Product Support Specialist
1-800-326-7114
support@linksys.com
Customer 07/27/2005 10:14 AM
I just purchased a LinkSys wireless router (WRT54G) and everything came up fine and works fine (although someone should check the English on some of the sentences). Anyway, I was using an SMC wireless router and there is one thing missing from the LinkSys web page: logout. I know - you just go to wherever else it is you wish to go. Think of it as closure. You open the web page, do whatever, and then you close the web page. Only, with LinkSys - you don't close the web page. So that makes people wonder if they've left the web pages open to anyone who wants to just come in and muck around with their system.
You see, with a login and logout you have a flag which says someone either has or they have not logged in to the box. If someone logs out of the box and then someone else tries to read the history of the web browser or even just tries to use the back button, the box would know if the person was still logged in or not and could just put up a blank web page with something like "You are not logged in" or something like that. That would give peace of mind to everyone who owns a LinkSys router.
Just a thought.
BTW: I just noticed that your comment web page does not have a "Preview" button so someone can make sure that what they typed and how they typed it could be reviewed before sending it on. Again, I know you can just scroll back - but why do you think all of the forums on the net have this capability? Because people need and use it - that's why. Another "Just a thought" thing.
Notice that I do not attack them, condemn them, or anything like that. I tell them the facts of what the current set up is, I tell them what I think will improve things, say thank you, and leave. And you know what - this method works very well. I have seen more positive things happen using the above method than when someone has screamed, ranted, raved, or tried to grab their fifteen seconds of fame. And I have done the above for LOTS of companies and gotten LOTS of things done. And for my time and patience in these matters I've been given free programs, extra time on leased programs, and acknowledgements in programs going all the way back to the 1980s. That's what doing things this way will get you. Lots of fame and nice benefits sometimes. Not always - but sometimes.
By the way - would you like fries with that?
Someone put a black hole in my pocket and now I'm broke.
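The e-mail above describes a server-side "logged in" flag so that, once someone logs out, a stale browser tab, the history, or the back button gets a "You are not logged in" page instead of the admin interface. Here is an added example of that mechanism in Python; it is not code from the poster, from Linksys, or from any router firmware, and the class and function names (SessionStore, handle_request), the 600-second idle timeout and the "/Wireless.asp" path are illustrative assumptions. It goes slightly beyond the e-mail by also expiring idle sessions, which covers the case where the user simply closes the browser without logging out.

```python
import secrets
import time

# Assumed idle timeout: a session nobody has used for this long is treated as logged out.
SESSION_TTL = 600  # seconds


class SessionStore:
    """Server-side record of which session tokens are currently logged in.

    The browser only ever holds an opaque random token; whether that token is
    still valid is decided here, so replaying it from history or the back
    button after logout cannot reopen the admin pages.
    """

    def __init__(self, ttl=SESSION_TTL, clock=time.monotonic):
        self._sessions = {}   # token -> (username, last_seen)
        self._ttl = ttl
        self._clock = clock   # injectable so expiry can be tested deterministically

    def login(self, username):
        # 32 random bytes (256 bits) makes guessing a live token impractical.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (username, self._clock())
        return token

    def logout(self, token):
        # Removing the server-side entry is the "flag" the e-mail asks for:
        # the cookie may survive in the browser, but it no longer means anything.
        return self._sessions.pop(token, None) is not None

    def user_for(self, token):
        """Return the logged-in username for a token, or None if it is not valid."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, last_seen = entry
        if self._clock() - last_seen > self._ttl:
            del self._sessions[token]      # idle too long: treat as logged out
            return None
        self._sessions[token] = (username, self._clock())  # refresh activity time
        return username


def handle_request(store, cookie_token, path):
    """Return (HTTP status, body) for a request to an admin page.

    cookie_token is whatever session cookie the browser sent (None if none).
    """
    user = store.user_for(cookie_token) if cookie_token else None
    if user is None:
        return 401, "You are not logged in"
    return 200, f"{path}: welcome {user}"


def demo():
    """Walk through login, a page view, logout, and a replayed cookie."""
    store = SessionStore()
    token = store.login("admin")
    before = handle_request(store, token, "/Wireless.asp")   # normal use: 200
    store.logout(token)
    # The browser's back button resends the same cookie; the server must refuse it.
    after = handle_request(store, token, "/Wireless.asp")    # after logout: 401
    return before[0], after[0]


if __name__ == "__main__":
    print(demo())
```

The important design choice is that logout is enforced by the server forgetting the token, not by the browser discarding its cookie; anything the client holds can be replayed, so only server-side state gives the "closure" the e-mail describes.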
Just how "formerly" was it? Suppose Bob was most famous for having been a researcher at Xerox PARC, but he left and went to work at Microsoft, and then he quit? You might write "Bob, formerly a researcher at Xerox PARC, resigned today (from his job at Microsoft) rather than..."
Now, you might think this is picky and stupid and not really that ambiguous, but the thing is the submitter made it needlessly froofy and obfuscated by pushing the employer into a separate descriptive phrase, when it would have read just fine to say:
"Michael Lynn resigned today from his job as a researcher at Internet Security Systems rather than..."
He's probably planning to counter with an Anti-SLAPP (Strategic Lawsuit Against Public Participation) countercomplaint. That would work well in a case like this.
The presentation is on Cryptome.com
I'm no expert, nor do I even profess to know anything about how to own Cisco routers. I was making the argument more along the lines of how this is kind of a disturbing new trend, celebrity tell-all techies, and smells like a publicity stunt. There are better, collegial ways to share this information, without putting one's credibility at stake.
A couple of times in my career as a senior sysadmin I've been ambushed by so-called security "auditors" by being called into meetings and being told "we like totally 0wn3d your systems". When I asked how, I was told "d00d that's a seekrit". I was skeptical, and I was never asked to take additional measures beyond the usual comprehensive, and as far as I can tell, effective measures. As far as I am concerned, it's "put up or shut up" with these so-called security experts.
Unfortunately, it took some legal hardball for Lynn to finally put up or shut up with regard to his Cisco exploits. I'm not saying he's a poseur himself, but I'm not sympathetic to hearing about his legal woes. It damages his integrity by showing he does not respect NDAs and was drumming up consulting business after expecting to get fired. If anything I expect so-called security consultants to lay low, regardless of what they think of their clients' practices.
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
http://www.jwdt.com/~paysan/lynn-cisco.pdf
Oh happy day