Lynn Settles With Cisco, Investigated By FBI
Following up on yesterday's story, daria42 writes "Security researcher Michael Lynn has settled a dispute with Cisco over his presentation on hacking the company's routers, which was given at the Black Hat security conference in Las Vegas this week. The two parties and Black Hat organisers have agreed not to further discuss the presentation, which contained techniques Lynn said could bring the Internet to its knees." Not all is good news, though. jzeejunk writes "The FBI is investigating computer security researcher Michael Lynn for criminal conduct after he revealed that critical routers supporting the internet and many networks have a serious software flaw that could allow someone to crash or take control of them."
What a load of horseshit. Lynn follows his conscience and speaks up about Cisco's security vulnerabilities, and not only is he severely slapped down by this permanent injunction (which I don't consider 'good news' in any sense), but now the FBI has decided to get involved. It'll be chilling to watch them pull his life apart and examine each bit under a microscope over months or years.
Lynn exposed a serious security flaw that could have been used to compromise networks throughout the nation. Cisco should be rewarding him for protecting them against losses they would no doubt have experienced in the future if this flaw went unreported. As for the government, they should be pinning a medal on Lynn, not investigating him.
____
~ |rip/\/\aster /\/\onkey
The real issue at hand, at least with Cisco router owners, is not the fact that Lynn released information concerning the exploit, but the fact that Cisco would not tell anyone about it. Time and time again has shown how security through obscurity is not real security, especially when Cisco's source code had been stolen.
The reality of it is that Cisco fixed the exploit last April with a patch and no longer offers the vulnerable IOS for download on their site. The problem with that though is that they did not inform anyone what the patch fixed and who needed to download it. Most people who are vulnerable to this attack are those who have not updated to Cisco's version as of April (which are a few I'm sure. No point on upgrading a working system with a patch that could break you.)
The real problem is Cisco and their disregard to release information over a severe vulnerability in order to press forward their new OS next year.
I'm a virgo and on Slashdot. Coincidence? Yes.
Needs to be spread if we're to expect cisco to fix it.
Again... how is this "illegal"? When Ford sold the Pintos that blew up when rear-ended, were mechanics and insurance agents who brought it to the light of the public sued? If you make a faulty design, you shouldn't have grounds to sue anyone who points it out. It's your own fault and no one else's. I didn't see the guy who figured out you could open all those bike locks with a Bic pen going to prison or being investigated by the FBI...
Because [insert deity of choice] knows this has been uber-effective so far.
Oh well, this might as well be Soviet Russia!
Can you imagine the chaos?
I bet some people would even end up going outside.
I would probably crawl up into a ball and cry until it was fixed; with my girlfriend consoling me.
I suppose I could look through my old cached history of webpages and pretend that I was online!
...and told us that it will be the year we all live in from now on.
Regardless of what you think about Lynn's tactics, or Cisco's, or ISS's, or Blackhat's, the bottom line is that the FBI is now investigating. The government is going after a private citizen for releasing information about routers, because it's "critical to the national infrastructure". How long before pinging a router is an "investigable offence" for causing a drop in router resources?
libertarianswag.com
What exactly was CISCO suing over? It seems to me that CISCO didn't like what he had to say, but that doesn't give you a right to sue somebody. Obviously, they weren't alleging libel or slander, since everything he said was apparently true. I don't recall allegations that he misappropriated trade secrets or something. Did he just give up so that he didn't have to defend a baseless suit?
Was his disclosure good for the internet in the short term? Probably not. However, unless there is some law that I'm missing, describing how to use a bomb is not the same as advocating that it be used.
I don't practice what I preach because I'm not the kind of person that I'm preaching to.
First, according to this new article, Lynn would have been allowed to speak if Cisco was allowed to speak as well.
In other words, give Cisco the opportunity to explain that patching vulnerabilities in major commercial vendor-supported code isn't just something that happens instantaneously. I'm not saying Cisco is completely in the clear here, but no, everything shouldn't be open source, and patching shouldn't/can't happen like it does in the open source community. Some people will no doubt fundamentally or philosophically disagree with this, but in major network infrastructure, there is a place for stable, predictable commercial support. Along with that sometimes comes commercial and/or proprietary code - code which is kept proprietary for competitive advantage. This is not to say that flaws should not be revealed for the good of all, but speaking in generalities here, broadcasting everything as loudly and widely as possible to the public isn't necessarily the best way to address issues. Nor is hiding things in obscurity. But there is a scale here, and it's NOT black and white.
Further, the FBI is investigating not because of some corporatist government conspiracy, and is not being used as Cisco's own "police force". It is investigating a claim of a complaint it received, as it is compelled to do by its very reason for existence, and doesn't even know if a crime has been committed. Would you want law enforcement agencies to not investigate allegations of crime, whatever your opinion of this particular instance aside?
Even Lynn's own lawyer says "that she thought the agency was simply following through on a complaint it received when Cisco and ISS filed their lawsuit against Lynn and that it didn't come after her client reached his settlement. She didn't know the nature of the complaint but said it was probably something to do with intellectual property and that it most likely came from Cisco or ISS.
Granick said she did not think the FBI would arrest Lynn.
"Definitely not," she said. "I don't have any sense at all that that's where they're going. I don't know what the circumstances are under which anyone contacted the FBI. It may very well be that given that we settled the civil case yesterday, this is over."
So please, let's not overreact.
I found this linked on Nick84's site (http://www.rootsecure.net/): http://www.infowarrior.org/users/rforno/lynn-cisco.pdf
If I'm correct, it's the slides that were taken off of the handout CD.
Another link from a Wired article:
http://cryptome.org/lynn-cisco.zip
Irongeek's Hacking Videos / Security Videos and Articles
Also, if Cisco did know about it and kept it under wraps while they worked on the problem I call that common sense not secrecy. How would you like it if someone posted a sign on your street giving the code to your alarm system or garage door opener?
You got any karma man? I really neeed it. Just a little hit! Come on!
"There's no arrest warrant for (Lynn) and there are no charges filed and no case pending," Granick said. "There may never be. But they got a complaint and as a result they were doing some investigation."
In other words, probably not really in trouble with the FBI.
The world's only surviving livewriter.
...until the videotape of his presentation that conference organizers promised "never to distribute" hits the net?
No, sometimes this is the only way to make progress. Companies (more appropriately managers) are content to live in the dark on security issues instead of dealing with them. In my experience, money is the only concern in respect to most PHB's, and the only way to make a change is to expose it in a critical manner. I applaud this guy.
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
FBI investigation =/= FBI hunting you down and cracking down on you and your ilk
Just think for a moment about how many thousands of things the FBI is currently "investigating" that you will never hear about.
I never spellcheck and I freely admit it. Save your karma for more worthwhile "lol erorrs" replies
Everyone together now: Meanwhile, back at the ranch, some Eastern European "security expert" is busy cheerfully 0wn1ng j00 when you order that book from Amazon. Checked your credit card statement lately?
political_news.c: warning: comparison is always true due to limited range of data type
"The FBI is investigating computer security researcher Michael Lynn for criminal conduct after he revealed that critical routers supporting the internet and many networks have a serious software flaw that could allow someone to crash or take control of them."
The FBI is investigating Michael Lynn... after he revealed ...
Congress shall make no law ... abridging the freedom of speech, or of the press.
He's being investigated for what, now? Talking?
Secession is the right of all sentient beings.
If it weren't at least somewhat effective the Internet wouldn't even exist because the black hats would pwn everyone's machines.
You got any karma man? I really neeed it. Just a little hit! Come on!
A lot of you are saying the information on this vulnerability, which could cripple the Internet if taken advantage of, in order for Cisco to fix it?
I may be just a simple caveman, but this sounds like a tremendously bad idea... someone would take advantage of it sooner or later...
The Internet dropping, even for a few hours, would have a profoundly negative impact on the world economy...
I mean, geez, just think about it...
MoM++ - A Classic Expanded - [Master of Magic 1.5]
http://mompp.sourceforge.net/
He wasn't revealing state secrets, and he didn't "yell fire in a crowded theater."
Someone should challenge the trade-secret-protection criminal laws on 1st Amendment grounds - yes, there is tort, and yes, restraining orders may be appropriate in rare circumstances, but a criminal conviction, I think not. It's time to give the local jury pool a lesson on free speech and jury nullification.
I hope they drop this ASAP, and if they don't, the ACLU should get involved. This is America, not Soviet Russia.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
The problem isn't that Cisco hadn't fixed this problem. They did, months ago. BUT, they didn't tell anyone what their patch fixed, so there are people out there running old versions because they don't know that the patch is CRITICAL to their security, mostly out of fear of munging their network up with a new IOS version.
there are channels he could have gone through that would have made Cisco aware of the problem (if they weren't already) without endangering the safety of the nation's network by talking to a bunch of black hats!
Two things:
First, Cisco was already aware of the problem and had released a patch for it last April.
Second, Blackhat is not about blackhats. It is about security and is visited by some of the most renowned security professionals including ranking officials in the CIA, NSA, and other 3 letter acronyms.
I'm a virgo and on Slashdot. Coincidence? Yes.
"The FBI is continuing to blindly follow the widely disproven security policy known as 'security through obscurity' by stopping the free flow of information regarding critical vulnerabilities to the men and women who run America's Internet infrastructure, ensuring that they can't use this knowledge to make fixes, reduce their risk profile, or find alternatives."
Nice job FBI. Why not halt the free flow of traffic reports while you're at it? Terrorists could use those too you know.
The hole exists. Sometimes it takes shouting about it to get it fixed. He gave them time. If you think 3+ months is enough time or not is a debatable point. But he DID notify them through channels.
Anybody investigating Cisco? How did they allow this hole into their routers? Did they do it intentionally? Is a competitor or someone more nefarious among their ranks? Or are their programmers simply incompetent?
Will the FBI check them out? Is anyone going to hold them accountable for their mistake?
Or has our industry degraded to the point that incompetence is rewarded, and vigilance is punished? Why on earth would Cisco or anybody else even bother *trying* to write secure software if this is how they react? I guess lawyers are cheaper than good programmers?
Personally, the real victim here is you and I or any admin who has to deal with Cisco junk. I can't tell my clients if they are secure.
I hope Cisco reveals the full technical details of this problem as quickly as possible. The only reason I use Cisco is for the hardware. The software is closed-source and I have to trust Cisco to keep it secure. They dropped the ball completely.
before everybody starts yelling about the need for these things to be reported, there are channels he could have gone through that would have made Cisco aware of the problem
Cisco was aware, in fact they were originally supposed to be co-presenting with him. Lynn contacted them four months ago. The problem is many of their customers were not aware of the problem, and despite reports to the contrary, while the exploit used to get onto the system has been fixed for a while, the ability to run arbitrary code has not. Now Cisco is working to abstract their hardware layer. Put these two items together and you get new routers, with a flaw, where a single, generic exploit can take them all out.
I know a lot less about networking and networking security than Mr. Lynn. I am willing to believe, however, that he would not give up a good, paying job and risk his future employment prospects unless he felt that this was a real and serious risk. Whistleblowers need to be protected and companies that willfully disregard warnings that their incompetence is threatening vital business and communications infrastructure around the world are the ones who should be investigated, not Mr. Lynn.
If we're not allowed to test holes, it reminds me of that old saying, "Who will guard the guards?"
Are you saying that they didn't strongly urge customers to install the patch? I can't get into their download site without a password, so I can't verify your statement one way or the other. Please support it.
You got any karma man? I really neeed it. Just a little hit! Come on!
How would you like it if someone posted a sign on your street giving the code to your alarm system or garage door opener?
i would feel "oh shit. i better fix that now"
vodka, straight up, thank you!
The FBI is most likely investigating to determine whether there is a case against Lynn. If they find something in the DMCA that he has run afoul of, most likely they'll prosecute.
I've been writing letters to my Congressman and Senators about the DMCA for some time, but they're not listening. Until we can get legislators in office who actually understand how the DMCA casts a chill on issues like the Lynn fiasco, this sort of thing will continue.
My feeling is that unfortunately this just isn't a big enough issue on Joe Citizen's radar. There's a war in Iraq, the government is spending money like it's going out of style, there are disagreements over almost every social issue imaginable, and that monster SUV he bought last year now costs him $85/week to fill up. Some computer guy revealing Cisco vulnerabilities isn't high on his list, so it won't be high on his legislators' lists either.
Read the EFF's Fair Use FAQ
Or you could get off your ass and get a password. It isn't hard, fill out the form. If it is that interesting to you, go look it up, don't try to make someone else do it for you.
Lazy.
Why didn't he blow the whistle to the US-CERT, then? Yeah, this is a good idea, let's present it at a Black Hat convention. Jeez
You got any karma man? I really neeed it. Just a little hit! Come on!
Here's the coverage Tom's Hardware has. Some nice pictures, now I at least know what the guy looks like.
http://www.tomsnetworking.com/Sections-article131.php
...between "security through obscurity" and attempting to hide vulnerabilities, and broadcasting security issues as loudly as possible at public forums.
Both are harmful, and neither benefit security optimally.
As with most things, the most beneficial position is usually a balance between extremes.
Wile E. Coyote can walk off a cliff and doesn't fall - until the Roadrunner points out there's no ground under his feet.
Apparently the FBI thinks computer security works the same way.
Weaselmancer
ridiculous.
" Congress shall make no law ... abridging the freedom of speech, or of the press.
He's being investigated for what, now? Talking?"
*crowded theater*
FIRE! FIRE!
Of course, with the internet down we could all agree to meet and pretend to chat with each other in the big blue room. I'd even be willing to use my face to emulate emoticons, if that'll help.
Relax, see here and here. Now take a deep breath
He's the one who made the statement. He should support it.
Coward.
Offtopic, but I don't know where else to post it: When did Slashdot's search on the main page change to Google Slashdot?
It's much better!
Cisco is quoted as saying:
Cisco denied that the flaw was as critical as Lynn said it was
Then what really is the problem?
Wow! Sure is a good thing we have the first amendment to club them over the head with... or has it been completely repealed now? Like the 4th?
What?
But my situation was a little different - it was something like, "I swear officer, she told me she was 18, I SWEAR!!!!!!"
Why didn't he blow the whistle to the US-CERT, then? Yeah, this is a good idea, let's present it at a Black Hat convention. Jeez
Do you have any idea who is at Black Hat these days? It is a huge security convention sponsored by hundreds of major computer and security vendors, even Microsoft is a sponsor. Heck the Department of Defense, the Army, West Point, Stanford Law School, etc. all had people giving presentations. If you want to get the word out when a major threat is being ignored, blackhat is a pretty good place to do it. It seems to have worked, don't you think?
This sounds like another DeCSS.
If anyone has copies of the stuff Cisco wants censored, we could all host it and make torrents of it. Those who are less brave can use something like FreeNet to host it.
If hundreds of thousands of people host it, it will be a giant embarrassment for Cisco and there will be nothing the authorities can do to stop it.
Lord High Crapflooder The Right Honourable Vlad Craig Esther McDavenpherson III
Destroyer of Mercatur.Net
More information here. Blowing the whistle here is roughly equivalent to sending the info to US-CERT except that US-CERT probably doesn't allow whistle-blowing against a vendor....
Check out my sci-fi/humor trilogy at PatriotsBooks.
I wonder what would happen if a large user of network equipment, who depends on that equipment operating properly to stay in business, filed against Cisco on this? After all, they know how dependent others are on their equipment, they knew their errors in coding had put those other people at risk, and they not only didn't do anything about the situation they actively tried to block information from the people who'd be harmed. Seems to me that if a dangerous situation existed and the person responsible for it actively tried to keep the people endangered from finding out about it, that's usually grounds for additional penalties against the responsible party.
I think someone needs to tell the FBI to go screw itself... Cisco too for that matter. It just keeps getting worse and worse. De Fuehrer Dubya, Congress and the Patriot Act should all be dismissed so we can just start over again (a new Constitutional Congress maybe)
Everyone is aware that the presentation has been published on numerous mailing lists and websites, right?
Does anyone have a link to the transcript/slides/video/audio of the presentation? If so, please post below!
This is a good example of mod abuse. Mods, please don't mod posts down just because the guy doesn't agree with you!
This wouldn't be so bad, but if anyone has ever tried to locate a patched IOS update, you know it's not the easiest thing unless you are paying cisco for support. Clicking on download ios software from cisco.com brings you to some special code access bullsh*t? No lazy sysadmins are going to bother even registering for that bs - Why don't you be good little Cisco guys and make IOS downloads registration-free?
EOF
I am willing to believe, however, that he would not give up a good, paying job and risk his future employment prospects unless he felt that this was a real and serious risk.
How do you know this? That seems to be what everyone is basing their assumptions on the seriousness of the vulnerability on. I'm sorry, but people quit and resign over petty conflicts all the time. Just because this person is a security researcher doesn't make him a martyr, and doesn't necessitate that his resignation was some noble act for the good of the global internet community. You and he may believe that it was, and I'll be willing to consider the possibility that it was as well.
But the real issue here was that Lynn didn't want Cisco to speak at the forum with him, essentially giving its side of the story, instead of a somewhat vague assertion that Cisco's general irresponsibility will someday lead to an exploit bringing the internet to its knees. There is no specific outstanding vulnerability. Merely an assertion that Cisco didn't handle a previous vulnerability, which Lynn alleges was serious (but we don't know that for sure), urgently enough. I'm sorry, but someone quitting their job doesn't lend more credibility to the facts of a claim. The facts themselves, however, would.
Crafted IPv6 packet vulnerability.
http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml
http://www.eweek.com/article2/0,1759,1841669,00.asp
Upshot is that if you aren't running IPv6 on the router, this doesn't affect you.
The lesson to be learned here is that full, immediate and anonymous disclosure is the best way to publish vulnerabilities. It's too bad that vendors and law enforcement have scared the shit out of such that this is necessary, but they too have to live with the consequences of their actions.
As a consumer I think I have the right to know about this. Giving the vendor some time to fix the bug is the usual procedure and is common courtesy. I don't know if Lynn gave Cisco a window to fix the bugs. I know from experience how vendors can sometimes try to pull this window forever. At some point, the bug must be exposed. This way vendors are forced to fix their sh.. Maybe Lynn exposed this prematurely, which should probably have some consequences for him professionally (but legally? I don't think so). The real villains here are Cisco: An important point of full disclosure is that the bad guys and the good guys have the same information at the same time. This is opposed to the bad guys having the information, while the good guys are in the dark... Which is the present situation: Cisco are leaving their customers in the dark right now. Cisco is definitely in the wrong covering this up. (How am I supposed to protect my Cisco router if the details of the attack are secret?) I am sure the real "blackhats" are exploiting it this very moment. So what Cisco is doing is basically giving the blackhats free hands while tying up the hands of their customers. Somebody should sue the h... out of Cisco!
If you call the police, and claim someone stole your TV, tell them who it was and where they live, the police will investigate that person. Why? Well that's their job. If it turns out you were making shit up, you might get in trouble for filing a false police report later, but they'll still investigate the person. They don't just assume you are lying, I mean unless they investigate and reach their own conclusions, how will they know?
We want the police (the FBI is just the federal police) to investigate reports of crimes. We want them to do so in as unbiased fashion as possible. We don't want them to just assume that reports are false unless they are presented with overwhelming evidence, we want them to go and look for their own evidence and reach their own conclusions.
Hey, how bout we try a proper analogy:
How would you like it if you had your security number written on a piece of paper stuck to the side of your house and some kid told you he knew about it and said you should take that down. After you told him no, he ran around the neighborhood and told everyone.
I'd be embarrassed too, but it'd be my own damn fault.
If anyone needs investigated, or any new laws need to be written, it should concentrate on Cisco and other majors who sit on known vulnerabilities for months (or years).
I'll vote for whatever congressdroid steps up with a "Software Infrastructure accountability act of 2005" that actually codifies the "right" sequence/timetable for this sort of thing.
Unlike the rest of the world, we have such great Freedom of SpeE&F@%&**#$@HDTH+H+[NO CARRIER]
You should always give these type of presentations at the "White Hat Security Researchers Conference of Law Enforcing Good Guys", not the "Black Hat Hacker Convention of Nefarious Ne'er-do-wells and Juvenile Delinquents".
try { do() || do_not(); } catch (JediException err) { yoda(err); }
The Motion Picture Association of America and Regal Entertainment corporation have assured me that the theater is perfectly safe, and that any reports of fire are greatly exaggerated.
Can someone explain to me how this is illegal? If I give a speech about how newspaper stands are unguarded, and you can take all the papers but only pay for one, am I guilty of something?
Cisco Internetwork Operating System (IOS®) Software is vulnerable to a Denial of Service (DoS) and potentially an arbitrary code execution attack from a specifically crafted IPv6 packet. The packet must be sent from a local network segment. Only devices that have been explicitly configured to process IPv6 traffic are affected. Upon successful exploitation, the device may reload or be open to further exploitation.
Cisco has made free software available to address this vulnerability for all affected customers.
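The advisory text quoted above limits exposure to devices explicitly configured to process IPv6. As an added example (not part of the thread and not Cisco's code), this Python script lists the interfaces in a saved IOS-style configuration that carry an `ipv6 address` or `ipv6 enable` command; the sample configuration, hostname and function names are constructed for illustration.

```python
import re

# Constructed sample in IOS running-config style (not taken from the page).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
ipv6 unicast-routing
!
interface FastEthernet0/0
 description uplink
 ip address 192.0.2.1 255.255.255.0
 ipv6 address 2001:DB8:1::1/64
!
interface FastEthernet0/1
 description users
 ip address 198.51.100.1 255.255.255.0
!
interface Serial0/0
 ipv6 enable
 shutdown
!
line vty 0 4
 login
"""

# Interface sub-commands that turn on IPv6 processing for that interface.
# Negated forms ("no ipv6 ...") do not match because of the ^ anchor.
IPV6_IF_CMD = re.compile(r"^ipv6 (address|enable)\b")


def parse_interfaces(config_text):
    """Split a config into {interface name: [sub-commands]}.

    Sub-commands are the indented lines under an 'interface' line; any
    non-indented line ('!' or another top-level command) ends the block.
    """
    blocks = {}
    current = None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks


def ipv6_interfaces(config_text):
    """Return the interfaces that have IPv6 configured.

    Each entry records the matching commands and whether the interface
    is administratively shut down, so the reviewer can prioritise.
    """
    report = {}
    for name, cmds in parse_interfaces(config_text).items():
        v6 = [c for c in cmds if IPV6_IF_CMD.match(c)]
        if v6:
            report[name] = {"commands": v6, "shutdown": "shutdown" in cmds}
    return report


if __name__ == "__main__":
    for name, info in sorted(ipv6_interfaces(SAMPLE_CONFIG).items()):
        state = "admin down" if info["shutdown"] else "enabled"
        print(f"{name}: {state}: {', '.join(info['commands'])}")
```

An empty result means no interface in that file has IPv6 turned on; a non-empty one identifies where the fixed software the advisory mentions matters most.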
PDF: Lynn-cisco.pdf
I may just be a simple Canadian, but wouldn't common sense dictate that this should read: Lynn awarded medal by grateful country, and FBI investigates Cisco Systems for possible negligence which would endanger the entire Country. Ok perhaps a bit long winded, but really come on people get with the program! Corporations seem to be getting out of control with the amount of power given to them. There are so many things wrong with this it's unreal. First off is (seemingly) a Corporation influencing the FBI, a Federal Law enforcement agency!
The bottom line is that Lynn is a whistle blower, and the FBI should be investigating Cisco for inappropriate conduct by trying to hide (not fix) a serious vulnerability that could affect the entire country.
The whole thing sickens me.
If you do not think this is right, just make the information available. Look at what happened in the DECSS case and the lawyers "won" that one.
When will companies learn that information wants to be free. I would not have thought to even look for the information before... but when it is illegal.
Guess what, now this will be mandatory reading.
Way to discourage us CISCO.
Oh, and those that buy CISCO for security... you are being lied to. There are many reasons for buying CISCO( reliability, speed, nice engineers) but security is not one of them.
because of this, that would bring Al-Qaeda to a screeching halt. They wouldn't be able to plan any attacks. They'd have to go to the libraries, then *bam*, we got'em!
No data, no cry
Or you're misinterpreting events. Check out a prior post: http://slashdot.org/comments.pl?sid=05/07/29/1850234
Cisco already HAS a fix. AND HAS HAD that fix out since April. They are pissed because it was exposed that there was a SERIOUS flaw in their previous IOS software, which Cisco had not disclosed to the public, even though they made a patch, and basically told people that it was an update, NOT THAT IT FIXED A MAJOR SECURITY FLAW, since that would cause the public to think that Cisco screwed up, and we can't have that can we?
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
Present the info, but stay anonymous.
Use a fake name. Wear some kind of disguise to the Black Hat conference (or wherever you're doing your presentation), do your security-flaw-revealing presentation in the disguise and then quickly run off stage and change.
This is no longer the home of the free and I haven't noticed a lot of bravery lately...
ahem, I am not sure if anybody else saw this but CISCO has SCO in it.. just an observation :)
There is no specific outstanding vulnerability. Merely an assertion that Cisco didn't handle a previous vulnerability...
Actually, if you look at the presentation you'll see he presented a walkthrough of exploiting the shellcode which Cisco has done nothing (yet) to mitigate. The (fixed) exploit he mentions was merely an example of how to get on the box, but there are obviously going to be more ways to do that and quite likely someone already knows some of them. He also explains that while this is not the end of the world, the hardware abstraction Cisco is pursuing will make this type of attack work on many more routers.
Obviously as soon as the press gets involved all sorts of misconceptions, simplifications, and dramatization immediately drowns out the factual info. I don't know Lynn, but I know a number of people who do and from what I have heard he is probably trying to do the right thing.
As for Cisco wanting to have their fair say, it was my understanding that they were originally going to present the flaw with him, but backed out. Perhaps I was misinformed.
-1 : "patching shouldn't/can't happen like it does in the open source community" - Lazy sysadmin. It could and should!
-1 : "broadcasting everything as loudly and widely as possible to the public isn't necessarily the best way to address issues" - Public Comments. It should be broadcast so we can talk about it on
-1 : "not because of some corporatist government conspiracy" - not paranoid enough. The faults of the world are USUALLY part of some government conspiracy.
-1 : "probably something to do with intellectual property and that it most likely came from Cisco or ISS." - IP = bad. Inherited from groupthink, IP = bad. The international space station clearly has nothing to do with this. therefore this post is advocating slander against the good name of the ISS.
-1 : "So please, let's not overreact" - you must be new here. This is the point of this website.
In conclusion, I believe the results speak for themselves. Please mod down to no less than -6
Does anyone know why Cisco and ISS waited until virtually the last minute to compel Lynn to drop his presentation? So far from the accounts that I've read there's been no information as to why Cisco suddenly reversed its position on Lynn's presentation. Could Cisco have been under pressure by DHS to not allow Lynn to disclose the vulnerabilities? Nobody seems to know what Cisco's motives are here.
It never ceases to amaze me that companies and the government can take this kind of action for somebody merely giving a presentation on the security vulnerabilities of a router, or a chunk of code, or how to bypass encryption. What the hell has happened to us?
When I was growing up, my grandmother told me there's three things I should never talk about in public: sex, politics, and religion. I guess now we can say the three things you should never talk about in public are security vulnerabilities, P2P, and political dissent.
Dear America, I miss you. Come home soon.
I didn't know that!
I am very small, utmostly microscopic.
"I hate to advocate drugs, alcohol, violence or insanity but they've always worked for me" - HST
You need to install an RTFM interface.
He didn't work for Cisco, he worked for Internet Security Systems. The FBI does not investigate charges of contract breach. They are civil matters.
[This space for rent]
If you dare mention that the emperor isn't wearing any clothes, you will surely get beheaded for it.
If the internet didn't exist they wouldn't be able to pwn my computer unless I let them into my house. /pedantic
Stop Global Warming!
Just say no to irreversible processes!
No way.
If you tell companies like Cisco "it's okay to write garbage software, some good samaritan will report it 'through the proper channels'", what exactly is the incentive for them to do better next time? And why the hell do *we* have to do Cisco's work for them? Mr Lynn has no obligation to Cisco whatsoever. I don't even know why he bothered waiting, put this info out THE MOMENT YOU FIND IT.
Cisco should feel *something* when they fuck up. Lower market share, lower revenue, bad PR, whatever. Not hand-holding and pat on the shoulder and "that's okay Cisco, do better next time".
This is serious stuff, I don't want Cisco to think they can call the lawyers whenever something like this happens. I want them to sweat.
In the mean time, time to do a Freenet search for his paper. I can't believe all of the copies were destroyed.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
I read the presentation. (here).
Lynn shows how to do a remote exploit on Cisco's firmware. This is impressive because the router runs software that attempts to detect inconsistencies. It will reset itself and start up afresh. The big deal is that Lynn shows how an exploit can fix things up and avoid those measures. Basically, his technique is like a ninja, that breaks into a building through a window, but then immediately reassembles the window before the security guard making his rounds can notice that the window got destroyed. That's it!
There's no indication Lynn stole ANYTHING from Cisco, or broke any law.
Lynn apparently "reverse engineered" the OS in order to do this. That's usually fine; it is his right to do that.
Considering this, I'm pretty pissed that Cisco's spokeswoman, Mojdan Khalili, said that Lynn broke the law (without saying what law it was). I think that could be libel (or slander -- I'm not a lawyer) -- in any case, Mojdan Khalili, working for Cisco, just ruined this guy's rep, and sicced the FBI on his ass.
Perhaps if you write her, she will get Cisco to ask the FBI to lay off the good researcher (ask her to have Cisco "take it all back"). From yesterday, here's her contact info:
978-936-1297 mkhalili@cisco.com
Also, some total jerk looked up her address and posted it (here). I think that's totally inappropriate; if you show up on her doorstep and bother her, I hope she calls the FBI on you, you freak!
http://www.thebricktestament.com/the_law/when_to_
I've lost all respect for Cisco over this. You'd think he'd thank the guy for the heads up on the defect and also for NOT revealing how to exploit the flaw.
Shame on Cisco for not taking the high road on this. It is precisely the kind of behavior that Cisco exhibited that has caused many people to hate Microsoft and dump Windows in favor of Linux and *BSD.
Does this mean the beginning of the end of Cisco's dominance in internetworking, and the rise of Juniper and others? I hope so, because if Cisco were knocked off their pedestal as a backlash to their idiotic tantrum toward Lynn, it might force them to be a bit more forthcoming, and possibly even downright friendly toward people who report bugs in their system.
Disclaimer: I have no affiliation with Juniper and do not stock nor do I recommend their products (but may in the future). I do sell Cisco products and DO like their products but I find their attitude regarding and response to this matter beyond deplorable.
Furthermore: why the F*** are they getting the FBI involved when reverse engineering is 100% legal?
Bastards.
One thing is for sure... someone should have listened to Richard Clarke *before* 9/11 (let alone after 9/11...)
Here's a pdf of the presentation he gave.
http://www.boingboing.net/2005/07/29/michael_lynns_contro.html
-ch0p
Execute the delivery of the information in a way that protects him is what's got him in trouble.
This guy's smart enough to comprehend the exploit, he utterly failed in communicating it.
Never in a million years do you just blurt something out like this. I don't care how bad it is. Figure out the proper channels and work them.
That's what a focused and intelligent adult interaction with the world looks like.
Now, I admit he needed a Karl Rove power broker/media bulldog to keep the story from spinning against him. But he really needed to spend some time figuring out how to deliver the message to insulate himself better.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Is anyone else feeling a little deja vu here?
A big software company gets mad at a researcher giving a speech on a security flaw in their software and attempts to sue them. They get the FBI involved before realizing that they're taking a lot of PR damage and then suddenly act all buddy-buddy with the person they went on the attack against. In the meantime, the FBI doesn't give up just because the company now wants to polish its image, and the researcher's life is negatively impacted.
Sounds like Adobe and Dmitri Sklyarov, doesn't it?
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
TLAs such as TNA bring in FCC or even the FTC when shown on TV.
I'm not 100% clear on *all* of the details about the timeline, but I know Mike personally, and I feel pretty confident that he did in fact give them plenty of time to respond better than they did.
1. Read Slashdot article slamming Cisco for attempting security through obscurity and unfairly siccing the FBI on the whistleblower.
2. Short-sell Cisco stock or buy put options.
3. PROFIT!!!!
Take the 90-Day Challenge! http://rwmurker.bodybyvi.com/
I don't think they are investigating Lynn per se but the information that he has found. There is a problem where software and hardware vendors keep this type of vulnerability information sacred (so they can fix it){bullshit they don't want to spend the extra money to fix it}. In any event I think we will see this investigation turn to Cisco. This is a National Security Issue and if it's true that Cisco has all of this information and has been sitting on it, then I hope the government throws the book at them. And my friends say why do you have 4 internet firewalls, well besides the paranoia it's just extra defense.
Woah, that ladder does look safe!
WRONG! you are no longer allowed to point out potential security weaknesses to people who have paid money for something. Discussing the weakness of a product is wrong, and will in fact lead to the ladder breaking by itself. Inform the ladder manufacturer, and I am sure they will recall all ladders sold.
For fucks sake, everyone has no idea about security, there is no such thing as security in computing ONLY programs that are sub-standard and do not do their job properly.
Since this has become mainstream, the whole ideal has become warped, and now the onus is on the consumer to bear the risk, IN SILENCE, for fear of prosecution, because it is illegal to discover and discuss the flaws in software you have paid for.
This guy is a consumer, he paid for and analysed his product, which is no more different than talking about the fruit you bought at the market, or the shaving cream you use. He voiced his opinion that stated that the software was buggy, and would fail under certain circumstances. Not allowing him this right, or anyone else is wrong, and you cannot put the onus of security in shutting up everyone and anyone, because the next person will not nicely talk about it, but strike, oh no that will never happen. Code red, slammer, and a million other worms have cost BUSINESSES who pay the fucking FBI's wages BILLIONS. SO GO AND FUCK YOURSELF FBI, YOU FUCKING IGNORANT PIECES OF SHIT
*muttly mutterings*
#hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
They could always pay to have it fixed. The author says much of the code is secure, so why not undertake a massive effort to overhaul the suspect portions, and then offer a $75 cash incentive for each router a tech patches or a substantial discount for a replacement router? They do have serial #'s so patching could be tracked, perhaps they could even use some relatively inexpensive hardware or software verification module. It could generate a code to verify proper patch status, or even incorporate patching functions in this simple device.
This might hurt business less in the long run than a widespread, debilitating breakdown. It will be expensive, probably ~$120 a pop in the end, considering payout, as well as the cost of verification hardware/software development and production, but they'll reduce the destruction for their customers' businesses and to their own image.
I don't know just how much this would cut into Cisco's revenues, which would of course reduce short term profits and thus investment interest. Someone up there should be weighing something like this though, however painful it sounds. It would also set Cisco apart in market where cheaper competitors are taking away Cisco's profits. How many of them would go to such lengths in the event of a vulnerability? Companies love insuring themselves against everything.
The Obvious Question.. Is releasing trade secrets by a non contractual party a civil case or criminal case? If it's civil then the FBI is not investigating on Trade Secrets claims but something else such as Code Stealing and etc.. Remember, our security hero was not a contractual party to any Cisco product..or am I wrong on this point?
Fred Grott(aka shareme) http://mobilebytes.wordpress.com
In other words, give Cisco the opportunity to explain that patching vulnerabilities in major commercial vendor-supported code isn't just something that happens instantaneously.
He gave Cisco *FOUR MONTHS* to fix it, which is hardly "instantaneous".
Cisco Internetwork Operating System (IOS®) Software is vulnerable to a Denial of Service (DoS) and potentially an arbitrary code execution attack from a specifically crafted IPv6 packet. The packet must be sent from a local network segment. Only devices that have been explicitly configured to process IPv6 traffic are affected. Upon successful exploitation, the device may reload or be open to further exploitation.
You are being MICROattacked, from various angles, in a SOFT manner.
Since he posted an uncorrected vulnerability which could cause damage to Cisco and many of Cisco's clients then he falls under laws concerning computer security, break-ins, etc. He distributed how-to information on breaking into Cisco routers. So he's a criminal cracker.
Put the egotistical dickhead behind bars and throw away the key. We really can't permit nutballs like this to go free. He has no responsibility: he's a sociopath.
Most tier 1 and 2 ISPs upgrade their code in a timely fashion. They're also on a mix of Cisco, Juniper, and Foundry (and I hear someone actually uses Extreme). Some third-rate companies or pretenders might have problems in a situation like this, but the effect has been greatly exaggerated.
The disclosure aspect is sad, but it's not like this is anything new. Might want to get the lawyer hooked up *after* you quit your job to release the paper, and *before* you head out to the conference. Don't expect any different behavior from companies until the next regime change...
Apparently buffer overflows within IOS aren't that hard to create, and so all the usual attack approaches can be used. That's the real story. And apparently IOS is a single-address-space unprotected OS, so anything can clobber anything. There's so much stuff in IOS now that there just has to be trouble.
Now I see why they're switching their larger routers to QNX, which is a protected-mode microkernel OS.
that he is even able to talk about having gag order on him. It seems that the gov. these days is all about slapping anybody with a gag order such as Sibel Edmunds. I wonder how many other gag orders there are.
I prefer the "u" in honour as it seems to be missing these days.
I'm a non-IT, non-programmer type, so I'm really an outsider looking in.
In many press-releases and conferences and what-not, the U.S. Gov't always refers to the Internet as critical infrastructure. I agree it is: a lot of e-commerce, day trading, exchanging of news, etc takes place on it everyday.
Instead of spending time "investigating" people who might or might not be committing a crime on the Internet, would it not be a better use of resources to instead help make the Internet more secure? Fine, a lot of the internet works on equipment and IP of the private industry (a good part based in the U.S. too). Should the gov't not attempt to make law, something where companies must in X number of days issue patches for critical software (say 60 or 90 days, less is better)? What about establishing some sort of industry standard ISO-type stuff for computer security? Fines might not be a good idea if a patch is late, but something should be done. The threat of lawsuits is deterrent enough for the industry but gov't should be more positively involved in this matter.
I'm all for the FBI doing their job: investigating and preventing crimes. The government should also try and involve itself and the industry for preventative and "patching" standards within the industry.
Sibel Edmunds. The interesting thing about her if you believe the rumours, is that this may also hit democrats just as hard as the republicans. Supposedly, it will topple GWB's admin, but it may put ex-clinton ppl in prison as well.
I prefer the "u" in honour as it seems to be missing these days.
That's Socialist talk, you . . . you liberal!
I remember sigs. Oh, a simpler time!
Is that the "proper channels" weren't at all interested in conveying the info to everyone- because it was bad for business.
At that point, you're left with two decisions- let it all blow up, or whistle blow.
Considering what I know of Michael (I worked with him for some time at one of his previous jobs- Michael, if you're seeing this, try to get in touch with me, you already know how...) he had only one- to whistle blow.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
What it really boils down to is Cisco knows their code/firmware is about as well written as Microsoft windows and just about as secure. They just don't want everyone else to know about it.
My karma is not a Chameleon.
He stole 5 documents, that were in national archives. He destroyed 3, but left two. It is possible that something of interest was on the 3, but according to all others, it was not. It sounds to me like somebody who was thinking of doing a cover-up of making a bad decision and decided against it.
In contrast, Nixon had ppl go out and do a break in. Then he and others did a massive cover-up and he would have gotten away with it except for deep throat. Reagan traded guns to delay American hostage release a full year. Then there was a cover-up with a number of lies and of course RR saying the immortal words, of "I do not recall".
Now, you have a white house that outs a CIA agent by which all of her contacts are totally compromised. For what? an election again.
All of these are worse than somebody who aborted doing a cover-up of material that could prove embarrassing (but nothing criminal). However, I do think that he should do time for it (just as Nixon and Reagan should have done time, Rove should be shot for the traitor that he is, and GWB/Cheney should do time for aiding and comforting the enemy).
Cisco should be punished, not Lynn. This issue is a problem caused by Cisco to its customers.
OK, I'm not so naïve. I understand Cisco, their methods and their motivation... but I don't have to like it. And it's good to explain the truth to people.
Try Ubuntu GNU/Linux, it's great!!!
Second, it's Cisco's right to do what they want with his research, since he did *break the law* in order to release it ( decompiling code + license agreement -> ?=( ). Following your conscience (in a way that was by some reports rash and poorly thought out) does not necessarily give you immunity from the consequences of your action.
I don't believe you're in any position to know that given the nature of the information publicly available. Now, Cisco did *contend* that this was the case, but we don't have *any* copies of the agreement(s) in question, nor do we know which, if any, he agreed to. That makes ALL the difference here.
FWIW, Lynn followed responsible disclosure practices and Cisco does not appear to have in this case, based on the representations made about the vulnerability by both parties. This is both patched and being actively exploited from what they've said; it SHOULD be made fully public, and I don't think they've done this at all. That pitiful advisory I saw on Bugtraq is so thin on details it just doesn't cut it.
While Lynn did good work discovering this flaw I don't agree with his actions in the slightest. Cisco made the fix and released a patch in a timely fashion. Who is he to dictate how Cisco goes about announcing it? Is he the boss of Cisco because he found a flaw?
Granted, it would be advised to mark the patch as critical and give it some press. But is that required?
Personally, Lynn's the ultimate loser here. He stands to watch his career go straight down the shitter and for what? Some ego-centric power play? I don't think any corporation will want to bring him in at the risk of him pulling some stunt like this on them if he gets his nose bent out of joint.
And as to the FBI, they're just doing their job -- they got a complaint so they flat foot it a bit and check it out. I'm sure they'll bug out of it soon enough.
And while Cisco and ISS may be playing hardball, I can understand why. The dude started a fire and they damn well sure want to stomp it out.
And it seems that both ISS and Cisco were willing to allow him to make this public disclosure -- they just wanted some PR guys there to do damage control and make sure their side was accurately reflected. But for whatever reason, Lynn would have none of that -- so he quit his job and gave them all a big F-U.
Personally, this guy sounds like a complete ass-hat and I question his real intentions here. There are many alternative ways he could have raised the issues he wanted to bring to bear.
Showing up at a black hat conference and giving a how to on this exploit was certainly never going to do anything more than harm Cisco.
What I want to know, is if Lynn really did want to help out, why he couldn't have set up a blog that merely discussed the abstract points of the security update and explain why the patch was critical and then post to slashdot or other IT news site to generate the publicity?
If he'd simply cast his ego aside and thought things through a bit better, and worked with all parties involved he'd probably still have a job and the message would have gone out in a far more positive manner.
-- Just calling it as I see it.
Hello Slashdotters, I just got off the phone with Mike. There is a paypal account setup as a defense fund, please spread the word. Before you ask, it's Mike's paypal account, and he is a "Verified Premier Member".
It is abaddon (at) io . com
James Schallau
"One day people in this country will realize that congresscritters and senators don't listen to their constituents anymore, and they haven't done so for a very long time. Mostly they listen to corporations and their lobbies."
Gee, you know, this reminds me of the other vote that people apparently don't exercise. Voting with your dollars. Apparently that kind of voting is even harder than the other one.
Just don't speak out against a corporation.
Sure, free speech and all that... He did nothing illegal, but he should have put a bit more thought in to the whys and hows of the release.
First, nobody has yet attacked via this vector. There are no examples of concept code out there. Had someone exploited this vector, then it makes sense to educate the public that it exists and why. Until then, I think the moral thing would be to STFU. Cisco has a right to be angry (though not to use heavy-handed tactics).
Second, I would find his position to be much more moral if he had given this information anonymously to the conference, or some other such forum. The fact that he put his name on it smacks of a grab for infamy. His goals, if they were truly altruistic, should not have included his identity because that was irrelevant to his presentation.
He's no hero in my book. I'll give him credit for trying to do the right thing, but I still see his actions as ultimately counterproductive.
Nearly fifty percent of all graduates come from the bottom half of the class!
Perhaps if you write her, she will get Cisco to ask the FBI to lay off the good researcher (ask her to have Cisco "take it all back").
The FBI doesn't work like that. They're much like a wind-up toy in that respect: once you turn that key, there's no stopping them until they run themselves out.
What's set in motion is unstoppable at this point.
This is the most stupid use of Federal Intelligence and policing ever;
One must assume that the politicised senior executives have not the wit to understand the benefit of timely disclosure of security exploits and the fact that the black hats will know without public fanfare.
The FBI and the DHS have a job that SHOULD fully occupy them, find Ussama bin Laden, and kill him. When they have done that they can turn to lesser priorities.
By the title I mean, not necessarily in their technical sense, but they are vulnerable through market forces.
Let's face it, companies pay through the nose for Cisco kit, mostly simply through continuity purchasing.
Yes, the Cisco kit generally performs as advertised, but I doubt that that has ever influenced someone who had the responsibility for buying the kit.
The market is crying out for a network supplier who can provide the goods & functionality of the Cisco kit for what is deservedly a fraction of the price that Cisco charge.
Cisco have a terrible support policy, unless you purchase your particular item with support you're knackered.
Compare that to even Microsoft, who at least have a large knowledge base freely available, have reviewed their security updates and made their OS secure as any closed OS can become.
Cisco lag behind in their field far further than any of the other companies in IT.
Their strategy? Invoke achievable certification which gains advocates for their products. Sign those advocates up to virtual-non-disclosure and reap the benefits.
You should be able to get the file in a few seconds from http://cryptome.org.nyud.net:8090/lynn-cisco.zip.
She helped land her husband the job about investigating whether or not Saddam tried to get nuclear materials (and if you think Saddam wasn't trying to get nuclear materials just Google Osirik. And who's that with Saddam? Why it's the leader of the "Coalition of the Bribed"...)
Then, after getting home, Joe Wilson goes on the attack against Bush.
Just like in the summer before the election that "anonymous" CIA published a book bashing Bush.
That's two senior CIA agents that played in politics against a sitting President, trying to stymie his reelection bid.
The CIA is lucky Bush didn't bulldoze the place. IMO the Plame "outing" was a warning shot - and almost certainly a perfectly legal if nasty one. Bitch all you want, but if you tried to bring down your workplace CEO or President in your company's next board meeting, you'd be in dip shit too.
Lets Kick Check Heaps In The Nuts! -Michael Lynn
He's being investigated for what, now? Talking?
Shouting fire in a crowded theater... Next!
Really... you guys are going to have to try a LITTLE bit harder now that the highest court in the land has interpreted "public use" to mean "private office complex." The US Constitution is nothing more than a keepsake these days. Wake up and smell the freedom fries, they don't actually abide by the thing any longer.
Anyone that wants a copy of the presentation; email me: joel[dot]helgeson[at]gmail[dot]com with the subject of "CISCO" and I'll reply with the presentation.
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
what a crock of shit - cisco should be thanking this guy for finding their bug in the first place.
doesn't the FBI have anything better to do like find Osama bin laden and their followers.
One other thing is why didn't all their ccna's or whatever find the bug? Aren't they certified?
My snort logs still pick up unpatched cisco routers at work all the time.
Email me here if you'd like a copy of the presentation.
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
Maybe the GP made the mistake of reading the story title? You can sort of begin to see a hint there how cooperating with Cisco might not always produce the results you wanted. The GP is spared from going to room 101 -- this time.
Anyhow, from my limited understanding, Cisco claimed that the exploit had already been patched since April, the patch supplied to customers and they deny that it was ever anything approaching a critical issue. The civil charges were settled, supposedly. So, then, if the original complaint was satisfied, who is the damaged party that they are investigating him on behalf of? Tick. Tock. But wait... the plot thickens.
Quoting him from the wired article:
Extremely disappointed? Didn't he mean to say double-plus unappointed? That is, if he actually exists. I did not claim that he ever existed, by the way, just in case all archives of his existence suddenly disappear.
I disagree with CISCO's position and believe that every effort should be made to release this information. The more it becomes available, the sooner CISCO will fix the problem.
The document: http://pr3d4t0r.ifrance.com/pr3d4t0r/lynn-cisco.pdf
Cheers,
pr3d4t0r
critical routers supporting the internet
Phew, good thing those are made by Juniper.
> he has agreed to pay a $10,000 fine and
> accept a three-year suspension of his national
> security clearance.
Wow, if I got it right this guy intentionally DESTROYED DOCUMENTS TAKEN FROM YOUR COUNTRY'S ARCHIVE and he will GET BACK his security clearance after a while?
Looks like you're fucked, basically.
k2r
that I seem to detect a bit of yellow showing through that particular Black Hat.
Not a good sign... it requires gutsy people to push the envelope, in order for progress to occur.
Lynn showed what he's made of... and so did Cisco and Black Hat.
All in all, not a good day for anyone... except maybe admins that now know a bit more about their Cisco system than they did before.
I hope...
There is no sig like the old sig, so this is it.
This is a plan on how someone could kill the President of the United States. Wait until the POTUS is known to be inside 1600 Pennsylvania Av then either A) Detonate a Truck filled with high explosive outside the oval office, or B) Hijack an airliner and crash it into the building.
Wow the FBI better lock me up for giving away this totally non-obvious information to the terrorists. Hell I even gave them the address and everything.
Or maybe talking about obvious and non-specific information with the intent to prevent such an attack occurring is something people should be rewarded for?
========
CINC, 4th Penguin Legion
That's what Cisco is doing here.. YES, they ARE using the FBI and "national security" as a cover for a personal vendetta.
What they're basically asking is because their software is insecure, they've not reported the info to the public for 4 months, but this guy did, they want the FBI to "investigate" until they FIND something to charge him with. Because an FBI investigation is punishment in and of itself... It should take no more than 5 minutes for the FBI to realize this is an open & shut whistleblower case and Cisco is wasting their time. Unfortunately, the FBI doesn't care about what a person's RIGHTS are, only if they can find some crime you committed.. after all, they'll have to find something to justify spending the $100k's they've already spent!!! Going back to Cisco and fining them for a "false" police report almost never happens.
The oft quoted example of shouting 'fire' in a theatre...
Or defaming people, ie 'hackstraw is a paedophile', etc
Not that I disagree with your presumed sentiment. Cisco *are* out of order here.