Researcher Resigns Over New Cisco Router Flaw
An anonymous reader writes "Michael Lynn, formerly a researcher for Internet Security Systems, resigned today rather than conceal his research into serious new flaws in Cisco routers, according to stories at Washingtonpost.com and CRN.
Interestingly, Cisco says the problem is not a security vulnerability, although it chided Lynn for not going through proper vulnerability disclosure channels. Both stories note that Lynn is in danger of being sued by Cisco for revealing the information, details of which were pulled at the last minute from the materials handed out to Black Hat attendees." Update: 07/28 12:23 GMT by Z : SimilarityEngine writes "Cisco and ISS are filing a lawsuit against Michael Lynn and the management of the Black Hat Conference, following Lynn's presentation discussing a vulnerability in IOS."
I must have missed the "master password" thing.
That was from a while back. They had set up a master "backdoor" password in a version of IOS and ended up getting ridiculed for it quite heavily.
He told them in April, according to BoingBoing, and they still hadn't fixed the problem totally.
How long should it take?
http://blogs.washingtonpost.com/securityfix/2005/07/update_to_cisco.html
The injunctions filed against him state that ISS and Cisco had been working together on the flaw for the past four months, and that up until earlier this week, a Cisco executive was slated to co-present the findings with Lynn at Black Hat.
Our friend Mojgan Khalili is the Cisco employee mentioned in the article, who said the security researcher broke the law -- "It is especially regretful, and indefensible, that the Black Hat Conference organizers have given Mr. Lynn a platform to publicly disseminate the information he illegally obtained."
If you'd like to write to Mojgan and say that you don't like their attitude toward full disclosure, or their attack on the guy who's working hard to make things secure, here is his information.
If nothing else, you could ask him "what law did the guy break, biatch!?!"
Mojgan Khalili
Cisco Systems, Inc.
978-936-1297
mkhalili@cisco.com
http://www.thebricktestament.com/the_law/when_to_
You're a prick. RTFA. He waited 4 (in words FOUR) months for Cisco to fix this until he finally made it public.
"The more prohibitions there are, The poorer the people will be" -- Lao Tse
Long enough to make sure the fix works without breaking some other function. Or would you prefer that they release the updates without making sure that something important - like, say, BGP updates - still works? That'd be *real* smart.
I, personally, would prefer that Cisco makes sure that they haven't added new unintended features to IOS before they release new code.
Not sure if you really are Mike, but your facts are 100% correct. It wasn't a new vulnerability, just a new way to exploit a known vulnerability which has already been patched. Also, if I read correctly, you need to be directly connected to the router to execute the vulnerability; it's not a remote attack.
--- RFC 1149 Compliant.
But it only became "wide open" with the public disclosure of exactly how to exploit it.
He used an already patched exploit to show the vuln. He only showed how easy it would be were you to find a new, unpatched exploit.
Also, from an interview at SecurityFocus:
"It has been confirmed that bad people are working on this (compromising IOS). The right thing to do here is to make sure that everyone knows that it's vulnerable."
The bad guys already know about this; Lynn believes it's time the rest of us found out.
you're all figments of my deranged imagination