Slashdot Mirror

← Back to Stories (view on slashdot.org)

Lynn Settles With Cisco, Investigated By FBI

Posted by Zonk on from the bad-friday dept.

Following up on yesterday's story, daria42 writes "Security researcher Michael Lynn has settled a dispute with Cisco over his presentation on hacking the company's routers, which was given at the Black Hat security conference in Las Vegas this week. The two parties and Black Hat organisers have agreed not to further discuss the presentation, which contained techniques Lynn said could bring the Internet to its knees." Not all is good news, though. jzeejunk writes "The FBI is investigating computer security researcher Michael Lynn for criminal conduct after he revealed that critical routers supporting the internet and many networks have a serious software flaw that could allow someone to crash or take control of them."

42 of 357 comments (clear)

  1. No good deed goes unpunished. by TripMaster+Monkey · · Score: 3, Insightful


    What a load of horseshit. Lynn follows his conscience and speaks up about Cisco's security vulnerabilities, and not only is he severely slapped down by this permanent injunction (which I don't consider 'good news' in any sense), but now the FBI has decided to get involved. It'll be chilling to watch them pull his life apart and examine each bit under a microscope over months or years.

    Lynn exposed a serious security flaw that could have been used to compromise networks throughout the nation. Cisco should be rewarding him for protecting them against losses they would no doubt have experienced in the future if this flaw went unreported. As for the government, they should be pinning a medal on Lynn, not investigating him.

    --
    ____

    ~ |rip/\/\aster /\/\onkey

    1. Re:No good deed goes unpunished. by Stevix · · Score: 5, Insightful

      the issue is also about how he reported the flaw, not just tha he did. Cisco has its own vunerability submission protocols in house, be he instead showed his findings at a Black Hat conference instead, exposing it to any savvy hacker willing to act on them.

    2. Re:No good deed goes unpunished. by IAmTheDave · · Score: 1, Insightful

      We forget that if the Bush administration has taught us anything, it's that secret is better. The FBI will investigate any leaking of information, because information is not to be shared with the masses. God forbid. I am TOTALLY reporting your ass to the thought police.

      --
      Excuse my speling.
      Making The Bar Project
    3. Re:No good deed goes unpunished. by daveschroeder · · Score: 4, Insightful

      Actually, the FBI has not "decided" to get involved. Lynn's own lawyer says she believes the FBI is merely following up on a complaint that it received from either Cisco or ISS before the settlement was reached. In other words, Cisco or ISS may have been (inappropriately or not, depending on your stand on trade secrets) attempting to silence Lynn, but the FBI wasn't just doing this on its own. Is the FBI not supposed to investigate allegations of crime? The FBI doesn't even know whether a crime has been committed.

      Further, Lynn himself admitted that the vulnerability had already been patched by a Cisco update. Lynn's issue is that he didn't believe Cisco presented the vulnerability (or its patch) in an urgent enough fashion.

      And "the government" isn't doing anything save for investigating an allegation of a crime, as it is charged with doing when it receives a complaint. Should the police no longer respond when 911 is dialed unless it's absolutely certain a crime is being committed? Is this not what "investigation" is for? Sorry, I don't buy into the conspiracies.

    4. Re:No good deed goes unpunished. by James_Aguilar · · Score: 3, Insightful

      Well, first of all, it's not "undoubted" that Cisco would have experienced losses if the flaw had gone unreported. According to them, they were busy fixing it, and though I know we hate to listen to the big evil corporations, there is the slightest possibility that they weren't lying.

      Second, it's Cisco's right to do what they want with his research, since he did *break the law* in order to release it ( decompiling code + license agreement -> ?=( ). Following your conscience (in a way that was by some reports rash and poorly thought out) does not necessarily give you immunity from the consequences of your action.

      As a security researcher, he of all people, should know the high stakes in that game. It's not like either Cisco's or the FBI's actions couldn't have been anticipated by anyone who thought the whole thing through to its logical conclusion. Hopefully, he had prepared himself for the inevitable results of his actions before he took them. Otherwise, I feel really bad for him.

    5. Re:No good deed goes unpunished. by Anonymous Coward · · Score: 1, Insightful

      We forget that if the Bush administration has taught us anything, it's that secret is better.

      Unless, of course, you happen to work for the CIA as an undercover agent. Then, Bush Co. will out your ass at the drop of a dime.

    6. Re:No good deed goes unpunished. by goldspider · · Score: 5, Insightful
      "...because warning people about security flaws is exactly the same as instructing people in cyberwarfare, and issueing commands to them to act on your behalve to bring down Western Civilization as we know it."

      Nice strawman, but that of course isn't what the (predictably modded-down) parent said.

      All he's saying is that you shouldn't be surprised when the FBI investigates you after you tell a whole conference of interested parties how to take down a critical infrastructure.

      --
      "Ask not what your country can do for you." --John F. Kennedy
    7. Re:No good deed goes unpunished. by Alien+Being · · Score: 3, Insightful

      Right, and they'll claim that her identify is supersensitive, yet they won't prosecute someone who publishes the info (Novak). They will, however, prosecute someone who protects the info(Miller).

      For crying out loud people, just because you voted for Bush doesn't mean you owe him your undying support. Oust the bastard. This shit makes Watergate look like a college prank.

    8. Re:No good deed goes unpunished. by Anonymous Coward · · Score: 2, Insightful

      "Should the police no longer respond when 911 is dialed unless it's absolutely certain a crime is being committed? Is this not what "investigation" is for"

      I think the question isn't whether the government should investigate an allegation of a crime, but what is the crime being committed? What law with a criminal penalty may have been broken?

      Without knowing a great deal about this case, the only laws even remotely relevant to this would seem to be trade secret law. Even that, I would think, would not apply unless he had some special relationship with Cisco (eg. was an employee, or had special access to the source code through another organization) or if he had signed an NDA. I had the impression (perhaps mistakenly) that trade secret law would anyways be a civil matter, not the subject of a criminal prosecution.

      Unless someone can say that there was a complaint accusing him of a crime, what would they be investigating? Simply "doing something we don't like" or "hurts our profitability" is not a crime. And if Cisco or someone else just fabricated a charge, that's a problem (and they should, but of course won't, get into a serious amount of trouble over that).

    9. Re:No good deed goes unpunished. by mcclungsr · · Score: 4, Insightful

      Second, it's Cisco's right to do what they want with his research, since he did *break the law* in order to release it ( decompiling code + license agreement -> ?=( ).

      I'm not a lawyer of course, but a license agreement is essentially a contract, right? Aren't you implying that he committed a crime, when this is perhaps a breach of contract? I could be mistaken.

      Even if it was a crime, does that really give Cisco any rights to his work at all?

    10. Re:No good deed goes unpunished. by cayenne8 · · Score: 3, Insightful
      "All he's saying is that you shouldn't be surprised when the FBI investigates you after you tell a whole conference of interested parties how to take down a critical infrastructure."

      I guess I'm at a loss here....how is this not protected under free speech, and therefore not subject to start an investigation into some illegality. He wasn't inciting people to do anything wrong (rioting, etc)...he merely gave a presentation stating facts as his research had shown him...

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    11. Re:No good deed goes unpunished. by cayenne8 · · Score: 3, Insightful
      "He had to break the law to get the information he got so why should he be investigated. Not only did he break the law but he published his research so that malicious hackers will have a specific area to target."

      Exactly what law did he break? He reversed engineered as part of research Cisco routers. He gave a presentation that is clearly protected free speech. Just because you give information, that if used wrong, would harm something, as long as you're not inciting or telling people to cause harm to others....you've broken no law.

      There's tons of books out there that tell you how to make an atomic bomb...perfectly legal. You can describe pressure points on the human, that can kill, etc. Information is free to dissiminate. It is a tough part of free speech, but, really who are YOU going to trust to limit it, and say what information can and cannot be released?

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    12. Re:No good deed goes unpunished. by Jumperalex · · Score: 2, Insightful

      The problem with your anaylsis is that he did NOt publish info about how to break into anything as stated plainly in the article. He only showed what could be done.

      Nor did he focus any more attention than was likely there before. If you don't think people have been trying to hack those routers your nuts. Cause they had every reason to believe there was already a flaw and they were looking. all this guy did was show everyone something we already know.

      Further, you are wrong that he had to break the law to do what he did. Just because the FBI is investigating doesn't mean a criminal law was actually broken. As for a civil law being broken that is debatable since the lawsuit was settled which has nothing to with his actually being liable (since you are never guilty in a civil trial iirc).

      And finally the difference between this and publicly outtin NORAD is that there is little question that he would, in fact, have had to break several very serious laws to obtain that information as would the person or persons that helped him get it. So there is NO comparison between this and the disclosure of classified government information.

      --
      If you can't be good, be good at it!
    13. Re:No good deed goes unpunished. by Anonymous Coward · · Score: 1, Insightful

      What if his "research" showed that orange juice caused cancer? Or that reading led to brain tumors? Or that Hitler may have had it right in attempting to exterminate a race of humans? The point is that lots of people were concerned that Mike didn't have (or would not present) all the facts and others believe he got the facts wrong.

      Rushing his results out doesn't avert a future digital Pearl Harbor.

  2. Bummer by Kyrka · · Score: 2, Insightful

    Needs to be spread if we're to expect cisco to fix it.

  3. BS by Anonymous Coward · · Score: 5, Insightful

    Again... how is this "illegal". When ford sold the pinto's that blew up when rearended, were mechanic's and insurance agenst who brought it to the light of the public sued? If you make a faulty design, you shouldn't have grounds to sue anyone who points it out. It's your own fault and no one else's. I didn't see the guy who figured out you could open all those bike locks with a bic pen going to prison or being investigated by the fbi...

    1. Re:BS by cp5i6 · · Score: 1, Insightful

      just the nature of the contract he signed when he took a job with cisco.

      alot of companies have non disclosure clauses in their contract and you can bet yer ass this was a breach of contract.

      but like the previous person said teh fbi decided not to get involved and this is a breach of contract which in this country is illegal =)

    2. Re:BS by arkanes · · Score: 2, Insightful

      For what it's worth, in other, not totally fucking insane industries, breaking an NDA in order to reveal an issue of public safety will get you protected under whistleblower laws.

  4. 1984 Called... by bc90021 · · Score: 5, Insightful

    ...and told us that it will be the year we all live in from now on.

    Regardless of what you think about Lynn's tactics, or Cisco's, or ISS's, or Blackhat's, the bottom line is that the FBI is now investigating. The government is going after a private citizen for releasing information about routers, because it's "critical to the national ingfrastructure". How long before pinging a router is an "investigable offence" for causing a drop in router resources?

    --
    libertarianswag.com
    1. Re:1984 Called... by Blue-Footed+Boobie · · Score: 2, Insightful
      Mod parent up!

      This IS the point here. Although and investigation is not an arrest - it will still disrupt his life is massive ways.

      --
      DAMN YOU OCTODOG! DAMN YOU TO HELL!
    2. Re:1984 Called... by dasdrewid · · Score: 2, Insightful

      I think you need to read the article more carefully. The FBI started investigating before the agreement was reached because someone had come to them complaining that a crime has been committed. Like an earlier poster said, it's their job to investigate when people claim a crime has been committed, if only to determine whether or not a crime has actually been committed. For all we know (and from the sounds of it), one hasn't, the investigation is going to be (possibly already) dropped, and that's all that comes of it.

      As to pinging a router, all the FBI would hear at first is "I think someone committed a crime", told to them by the pinged party. The FBI would ask them what happened (which would be considered an investigation), the person would say they'd been pinged, the FBI would ask what else, the person would say that's it, and the FBI would probably laugh and stop the investigation. Basically, it's the FBI's job to investigate when a private citizen says a crime has been committed (and it falls under federal jurisdiction). While no one wants the FBI doing more than their job description tells them to do (the original one), I'd say it's fair to expect and allow them to do the basic job they were created to do.

      --
      No trespassing. Violators will be shot. Survivors will be shot again.
  5. What was the suit about? by Blindman · · Score: 2, Insightful

    What exactly was CISCO suing over? It seems to me that CISCO didn't like what he had to say, but that doesn't give you a right to sue somebody. Obviously, they weren't alleging libel or slander, since everything he said was apparently true. I don't recall allegations that he misappropriated trade secrets or something. Did he just give up so that he didn't have to defend a baseless suit?

    Was his disclosure good for the internet in the short term? Probably not. However, unless there is some law that I'm missing, describing how to use a bomb is not the same as advocating that it be used.

    --
    I don't practice what I preach because I'm not the kind of person that I'm preaching to.
  6. Please, don't overreact. by daveschroeder · · Score: 2, Insightful

    First, according to this new article, Lynn would have been allowed to speak if Cisco was allowed to speak as well.

    In other words, give Cisco the opportunity to explain that patching vulnerabilities in major commercial vendor-supported code isn't just something that happens instantaneously. I'm not saying Cisco is completely in the clear here, but no everything shouldn't be open source, and patching shouldn't/can't happen like it does in the open source community. Some people will no doubt fundamentally or philosophically disagree with this, but in major network infrastructure, there is a place for stable, predictable commercial support. Along with that sometimes comes commercial and/or proprietary code - code which is kept proprietary for competitive advantage. This is not to say that flaws should not be revealed for the good of all, but speaking in generalities here, broadcasting everything as loudly and widely as possible to the public isn't necessarily the best way to address issues. Nor is hiding things in obscurity. But there is a scale here, and it's NOT black and white.

    Further, the FBI is investigating not because of some corporatist government conspiracy, and is not being used as Cisco's own "police force". It is investigating a claim of a complaint it received, as it is compelled to do by its very reason for existence, and doesn't even know if a crime has been committed. Would you want law enforcement agencies to not investigate allegations of crime, whatever your opinion of this particular instance aside?

    Even Lynn's own lawyer says "that she thought the agency was simply following through on a complaint it received when Cisco and ISS filed their lawsuit against Lynn and that it didn't come after her client reached his settlement. She didn't know the nature of the complaint but said it was probably something to do with intellectual property and that it most likely came from Cisco or ISS.

    Granick said she did not think the FBI would arrest Lynn.

    "Definitely not," she said. "I don't have any sense at all that that's where they're going. I don't know what the circumstances are under which anyone contacted the FBI. It may very well be that given that we settled the civil case yesterday, this is over."

    So please, let's not overreact.

    1. Re:Please, don't overreact. by loqi · · Score: 2, Insightful

      This is not to say that flaws should not be revealed for the good of all, but speaking in generalities here, broadcasting everything as loudly and widely as possible to the public isn't necessarily the best way to address issues. Nor is hiding things in obscurity. But there is a scale here, and it's NOT black and white.

      You're sort of straw-manning here. The problem isn't that Cisco didn't fix the vulnerability in time, the problem is that they didn't tell anyone it was a critical update. That's a far cry from open-sourcing their code or personally explaining how the vulnerability works.

      --
      If other reasons we do lack, we swear no one will die when we attack
  7. Re:I hope they nail him to the wall! by donleyp · · Score: 2, Insightful

    Also, if Cisco did know about it and kept it under wraps while they worked on the problem I call that common sense not secrecy. How would you like it if someone posted a sign on your street giving the code to your alarm system or garage door opener?

    --
    You got any karma man? I really neeed it. Just a little hit! Come on!
  8. Let's cut the tinfoil a bit by BlackCobra43 · · Score: 3, Insightful

    FBI investigation =/= FBI hunting you down and cracking down on you and your ilk Just think for a moment about how many thousands things the FBI is currently "investigating" that you will never hear about.

    --
    I never spellcheck and I freely admit it. Save your karma for more worthwhile "lol erorrs" replies
  9. Free speech by jdavidb · · Score: 3, Insightful

    "The FBI is investigating computer security researcher Michael Lynn for criminal conduct after he revealed that critical routers supporting the internet and many networks have a serious software flaw that could allow someone to crash or take control of them."

    The FBI is investigating Michael Lynn... after he revealed ...

    Congress shall make no law ... abridging the freedom of speech, or of the press.

    He's being investigated for what, now? Talking?

    --
    Secession is the right of all sentient beings.
    1. Re:Free speech by Shadow+Wrought · · Score: 2, Insightful
      If your copy doesn't show it either, then perhaps either you are wrong, or America doesnt really have a Constutution after all, but instead has a nine-headed Pope!

      Welcome to nine-headed Pope land! It is far easier to argue that the 1st Amendment has no limits on it whatsoever than to accept that life is not composed of absolutes. If you believe that any manner of speech is fine, you are more than welcome to your views (and kudos to your tenacity). However, you should also note that the language of the 1st Amendment specifically states that "Congress shall make no law..." That means that it provides protection only from Federal prosecution and meddling. The 1st Amendment only applies to the 50 States because that same nine-headed Pope which you deride applied them to the States. If you want to accept that the nine-headed Pope does not have the power to interpret the Constitution, than you also have to accept that your State is thereby free to restrict your speech in any manner it wishes, without being burdened with Constitutional considerations.

      Your choice. Personally, I prefer to accept that our society is far too complicated to limit ourselves to the extremes of interpretation.

      --
      If brevity is the soul of wit, then how does one explain Twitter?
  10. This doesn't pass the "fire in theater" test by davidwr · · Score: 3, Insightful

    He wasn't revealing state secrets, and he didn't "yell fire in a crowded theater."

    Someone should challenge the trade-secret-protection criminal laws on 1st ammendment grounds - yes, there is tort, and yes, restraining orders may be appropriate in rare circumstances, but a criminal conviction, I think not. It's time to give the local jury pool a lesson on free speech and jury nullification.

    I hope they drop this ASAP, and if they don't, the ACLU should get involved. This is America, not Soviet Russia.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  11. Re:I hope they nail him to the wall! by Anonymous Coward · · Score: 1, Insightful

    The problem isn' that Cisco hadn't fixed this problem. They did, months ago. BUT, they didn't tell anyone what their patch fixed, so there are people out there running old versions because they don't know that the patch is CRITICAL to their security, mostly out of fear of munging their network up with a new IOS version.

  12. Re:I hope they nail him to the wall! by maotx · · Score: 4, Insightful

    there are channels he could have gone through that would have made Cisco aware of the problem (if they weren't already) without endangering the safety of the nation's network by talking to a bunch of black hats!

    Two things:
    First, Cisco was already aware of the problem and had released a patch for it last April.

    Second, Blackhat is not about blackhats. It is about security and is visited by some of the most renown security professionals including ranking officials in the CIA, NSA, and other 3 letter acronyms.

    --
    I'm a virgo and on Slashdot. Coincidence? Yes.
  13. Re:I hope they nail him to the wall! by LurkerXXX · · Score: 4, Insightful
    He did inform them. Many months ago. They've had a fix out for 3 months for part of the problem he pinted out. They haven't fixed the rest yet. He went through the right channels. They haven't fixed it yet. There have been many many examples with them, Microsoft, and even recently mozilla, where bugs were reported and the vendor took over a year to finally getting around to fix the problem. And that was only after the problem had been 'leaked' to the public.

    The hole exists. Sometimes it takes shouting about it to get it fixed. He gave them time. If you think 3+ months is enough time or not is a debatable point. But he DID notify them through channels.

  14. Re:I hope they nail him to the wall! by 99BottlesOfBeerInMyF · · Score: 4, Insightful

    before everybody starts yelling about the need for these things to be reported, there are channels he could have gone through that would have made Cisco aware of the problem

    Cisco was aware, in fact they were originally supposed to be co-presenting with him. Lynn contacted them four months ago. The problem is many of their customers were not aware of the problem, and despite reports to the contrary, while the exploit used to get onto the system has been fixed for a while, the ability to run arbitrary code has not. Now Cisco is working to abstract their hardware layer. Put these two items together and you get new routers, with a flaw, where a single, generic exploit can take them all out.

    I know a lot less about networking and networking security than Mr. Lynn. I am willing to believe, however, that he would not give up a good, paying job and risk his future employment prospects unless he felt that this was a real and serious risk. Whistleblowers need to be protected and companies that willfully disregard warnings that their incompetence is threatening vital business and communications infrastructure around the world are the ones who should be investigated, not Mr. Lynn.

  15. Re:In Soviet Russia ... by daveschroeder · · Score: 2, Insightful

    How is this funny or relevant?

    Since when is it evil for a law enforcement agency to follow up on a complaint, even if the complaint is later found to be invalid? Or should law enforcement agencies be able to predict the future, and just skip the investigative step, and automatically know whether a crime has been committed? It might have been absurd or vindictive for ISS and/or Cisco to approach the FBI, but when someone approaches the FBI and claims a crime has been committed, would you prefer that the FBI did nothing? It HAS to investigate, just like the police still respond to even 911 hangups. If nothing is wrong and no crime has been committed, it's dropped. But when a complaint is initiated, the investigative step MUST take place, else, how would law enforcement even function?

  16. There is a range... by daveschroeder · · Score: 3, Insightful

    ...between "security through obscurity" and attempting to hide vulnerabilities, and broadcasting security issues as loudly as possible at public forums.

    Both are harmful, and neither benefit security optimally.

    As with most things, the most beneficial position is usually a balance between extremes.

  17. Wile E. Coyote school of security by Weaselmancer · · Score: 5, Insightful

    Wile E. Coyote can walk off a cliff and doesn't fall - until the Roadrunner points out there's no ground under his feet.

    Apparently the FBI thinks computer security works the same way.

    --
    Weaselmancer
    rediculous.
  18. anonymity by harkabeeparolyn · · Score: 2, Insightful
    If Lynn just wanted to help people, he could have published his information anonymously. But he wanted to use this to build his reputation so he has to take whatever lumps he finds in the refined sugar of fame.

    The lesson to be learned here is that full, immediate and anonymous disclosure is the best way to publish vulnerabilities. It's too bad that vendors and law enforcement have scared the shit out of such that this is necessary, but they too have to live with the consequences of their actions.

  19. Re:I hope they nail him to the wall! by Anonymous Coward · · Score: 1, Insightful

    Hey, how bout we try a proper analogy:

    How would you like it if you had your security number written on a piece of paper stuck to the side of your house and some kid told you he knew about it and said you should take that down. After you told him no, he rand around the neighborhood and told everyone.

    I'd be embarassed too, but it'd be my own damn fault.

  20. Wow my Hats off to you Americans by DarthVain · · Score: 4, Insightful

    I may just be a simple Canadian, but wouldn't common sense dictate that this should read: Lynn awarded medal by greatful country, and FBI investigates Cisco Systems for possible negligance which would endanger the entire Country. Ok perhaps a bit long winded, but really come on people get with the program! Corporations seem to be getting out of control with the amount of power given to them. There are so many things wrong with this its unreal. First off is (seemingly) a Corporation influancing the FBI, a Federal Law enforcement adjency!

    The bottom line is that Lynn is a whistle blower, and the FBI should be investigating Cisco for innappropiate conduct by trying to hide (not fix) a serious vunrability that could effect the entire country.

    The whole thing sickens me.

  21. Re:It may or may not be illegal by Dan+Ost · · Score: 3, Insightful

    While I would be the first to agree that a healthy amount of cynicism is, well, healthy, too much cynicism is as dangerous as not enough. The truth is that there are still lawmakers who value the opinions of their constituents, especially if their constituent attempts to educate them on an issue that they were ignorant of.

    It may not look like it from the outside, but I would suspect that the majority of lawmakers still attempt to cling to the ideals they started with and, when given the opportunity, will attempt to act according to them.

    Don't limit your options just because cynicism dicates that they're pointless. You might be right and it's a wasted effort, but if you're wrong, you've voluntarily missed an opportunity.

    --

    *sigh* back to work...
  22. Re:The real issue is... by hackstraw · · Score: 2, Insightful

    the fact that Cisco would not tell anyone about it

    Free speech is now a crime. If Cisco released the same information that Lynn did, they will have the FBI after them as well.

    WTF is going on in this country?

  23. The Emperor is Stark Raving Naked by Anonymous Coward · · Score: 1, Insightful

    If you dare mention that the emperor isn't wearing any clothes, you will surely get beheaded for it.