Slashdot Mirror

← Back to Stories (view on slashdot.org)

Lynn Settles With Cisco, Investigated By FBI

Posted by Zonk on from the bad-friday dept.

Following up on yesterday's story, daria42 writes "Security researcher Michael Lynn has settled a dispute with Cisco over his presentation on hacking the company's routers, which was given at the Black Hat security conference in Las Vegas this week. The two parties and Black Hat organisers have agreed not to further discuss the presentation, which contained techniques Lynn said could bring the Internet to its knees." Not all is good news, though. jzeejunk writes "The FBI is investigating computer security researcher Michael Lynn for criminal conduct after he revealed that critical routers supporting the internet and many networks have a serious software flaw that could allow someone to crash or take control of them."

21 of 357 comments (clear)

  1. No good deed goes unpunished. by TripMaster+Monkey · · Score: 3, Insightful


    What a load of horseshit. Lynn follows his conscience and speaks up about Cisco's security vulnerabilities, and not only is he severely slapped down by this permanent injunction (which I don't consider 'good news' in any sense), but now the FBI has decided to get involved. It'll be chilling to watch them pull his life apart and examine each bit under a microscope over months or years.

    Lynn exposed a serious security flaw that could have been used to compromise networks throughout the nation. Cisco should be rewarding him for protecting them against losses they would no doubt have experienced in the future if this flaw went unreported. As for the government, they should be pinning a medal on Lynn, not investigating him.

    --
    ____

    ~ |rip/\/\aster /\/\onkey

    1. Re:No good deed goes unpunished. by Stevix · · Score: 5, Insightful

      the issue is also about how he reported the flaw, not just tha he did. Cisco has its own vunerability submission protocols in house, be he instead showed his findings at a Black Hat conference instead, exposing it to any savvy hacker willing to act on them.

    2. Re:No good deed goes unpunished. by daveschroeder · · Score: 4, Insightful

      Actually, the FBI has not "decided" to get involved. Lynn's own lawyer says she believes the FBI is merely following up on a complaint that it received from either Cisco or ISS before the settlement was reached. In other words, Cisco or ISS may have been (inappropriately or not, depending on your stand on trade secrets) attempting to silence Lynn, but the FBI wasn't just doing this on its own. Is the FBI not supposed to investigate allegations of crime? The FBI doesn't even know whether a crime has been committed.

      Further, Lynn himself admitted that the vulnerability had already been patched by a Cisco update. Lynn's issue is that he didn't believe Cisco presented the vulnerability (or its patch) in an urgent enough fashion.

      And "the government" isn't doing anything save for investigating an allegation of a crime, as it is charged with doing when it receives a complaint. Should the police no longer respond when 911 is dialed unless it's absolutely certain a crime is being committed? Is this not what "investigation" is for? Sorry, I don't buy into the conspiracies.

    3. Re:No good deed goes unpunished. by James_Aguilar · · Score: 3, Insightful

      Well, first of all, it's not "undoubted" that Cisco would have experienced losses if the flaw had gone unreported. According to them, they were busy fixing it, and though I know we hate to listen to the big evil corporations, there is the slightest possibility that they weren't lying.

      Second, it's Cisco's right to do what they want with his research, since he did *break the law* in order to release it ( decompiling code + license agreement -> ?=( ). Following your conscience (in a way that was by some reports rash and poorly thought out) does not necessarily give you immunity from the consequences of your action.

      As a security researcher, he of all people, should know the high stakes in that game. It's not like either Cisco's or the FBI's actions couldn't have been anticipated by anyone who thought the whole thing through to its logical conclusion. Hopefully, he had prepared himself for the inevitable results of his actions before he took them. Otherwise, I feel really bad for him.

    4. Re:No good deed goes unpunished. by goldspider · · Score: 5, Insightful
      "...because warning people about security flaws is exactly the same as instructing people in cyberwarfare, and issueing commands to them to act on your behalve to bring down Western Civilization as we know it."

      Nice strawman, but that of course isn't what the (predictably modded-down) parent said.

      All he's saying is that you shouldn't be surprised when the FBI investigates you after you tell a whole conference of interested parties how to take down a critical infrastructure.

      --
      "Ask not what your country can do for you." --John F. Kennedy
    5. Re:No good deed goes unpunished. by Alien+Being · · Score: 3, Insightful

      Right, and they'll claim that her identify is supersensitive, yet they won't prosecute someone who publishes the info (Novak). They will, however, prosecute someone who protects the info(Miller).

      For crying out loud people, just because you voted for Bush doesn't mean you owe him your undying support. Oust the bastard. This shit makes Watergate look like a college prank.

    6. Re:No good deed goes unpunished. by mcclungsr · · Score: 4, Insightful

      Second, it's Cisco's right to do what they want with his research, since he did *break the law* in order to release it ( decompiling code + license agreement -> ?=( ).

      I'm not a lawyer of course, but a license agreement is essentially a contract, right? Aren't you implying that he committed a crime, when this is perhaps a breach of contract? I could be mistaken.

      Even if it was a crime, does that really give Cisco any rights to his work at all?

    7. Re:No good deed goes unpunished. by cayenne8 · · Score: 3, Insightful
      "All he's saying is that you shouldn't be surprised when the FBI investigates you after you tell a whole conference of interested parties how to take down a critical infrastructure."

      I guess I'm at a loss here....how is this not protected under free speech, and therefore not subject to start an investigation into some illegality. He wasn't inciting people to do anything wrong (rioting, etc)...he merely gave a presentation stating facts as his research had shown him...

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    8. Re:No good deed goes unpunished. by cayenne8 · · Score: 3, Insightful
      "He had to break the law to get the information he got so why should he be investigated. Not only did he break the law but he published his research so that malicious hackers will have a specific area to target."

      Exactly what law did he break? He reversed engineered as part of research Cisco routers. He gave a presentation that is clearly protected free speech. Just because you give information, that if used wrong, would harm something, as long as you're not inciting or telling people to cause harm to others....you've broken no law.

      There's tons of books out there that tell you how to make an atomic bomb...perfectly legal. You can describe pressure points on the human, that can kill, etc. Information is free to dissiminate. It is a tough part of free speech, but, really who are YOU going to trust to limit it, and say what information can and cannot be released?

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  2. BS by Anonymous Coward · · Score: 5, Insightful

    Again... how is this "illegal". When ford sold the pinto's that blew up when rearended, were mechanic's and insurance agenst who brought it to the light of the public sued? If you make a faulty design, you shouldn't have grounds to sue anyone who points it out. It's your own fault and no one else's. I didn't see the guy who figured out you could open all those bike locks with a bic pen going to prison or being investigated by the fbi...

  3. 1984 Called... by bc90021 · · Score: 5, Insightful

    ...and told us that it will be the year we all live in from now on.

    Regardless of what you think about Lynn's tactics, or Cisco's, or ISS's, or Blackhat's, the bottom line is that the FBI is now investigating. The government is going after a private citizen for releasing information about routers, because it's "critical to the national ingfrastructure". How long before pinging a router is an "investigable offence" for causing a drop in router resources?

    --
    libertarianswag.com
  4. Let's cut the tinfoil a bit by BlackCobra43 · · Score: 3, Insightful

    FBI investigation =/= FBI hunting you down and cracking down on you and your ilk Just think for a moment about how many thousands things the FBI is currently "investigating" that you will never hear about.

    --
    I never spellcheck and I freely admit it. Save your karma for more worthwhile "lol erorrs" replies
  5. Free speech by jdavidb · · Score: 3, Insightful

    "The FBI is investigating computer security researcher Michael Lynn for criminal conduct after he revealed that critical routers supporting the internet and many networks have a serious software flaw that could allow someone to crash or take control of them."

    The FBI is investigating Michael Lynn... after he revealed ...

    Congress shall make no law ... abridging the freedom of speech, or of the press.

    He's being investigated for what, now? Talking?

    --
    Secession is the right of all sentient beings.
  6. This doesn't pass the "fire in theater" test by davidwr · · Score: 3, Insightful

    He wasn't revealing state secrets, and he didn't "yell fire in a crowded theater."

    Someone should challenge the trade-secret-protection criminal laws on 1st ammendment grounds - yes, there is tort, and yes, restraining orders may be appropriate in rare circumstances, but a criminal conviction, I think not. It's time to give the local jury pool a lesson on free speech and jury nullification.

    I hope they drop this ASAP, and if they don't, the ACLU should get involved. This is America, not Soviet Russia.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  7. Re:I hope they nail him to the wall! by maotx · · Score: 4, Insightful

    there are channels he could have gone through that would have made Cisco aware of the problem (if they weren't already) without endangering the safety of the nation's network by talking to a bunch of black hats!

    Two things:
    First, Cisco was already aware of the problem and had released a patch for it last April.

    Second, Blackhat is not about blackhats. It is about security and is visited by some of the most renown security professionals including ranking officials in the CIA, NSA, and other 3 letter acronyms.

    --
    I'm a virgo and on Slashdot. Coincidence? Yes.
  8. Re:I hope they nail him to the wall! by LurkerXXX · · Score: 4, Insightful
    He did inform them. Many months ago. They've had a fix out for 3 months for part of the problem he pinted out. They haven't fixed the rest yet. He went through the right channels. They haven't fixed it yet. There have been many many examples with them, Microsoft, and even recently mozilla, where bugs were reported and the vendor took over a year to finally getting around to fix the problem. And that was only after the problem had been 'leaked' to the public.

    The hole exists. Sometimes it takes shouting about it to get it fixed. He gave them time. If you think 3+ months is enough time or not is a debatable point. But he DID notify them through channels.

  9. Re:I hope they nail him to the wall! by 99BottlesOfBeerInMyF · · Score: 4, Insightful

    before everybody starts yelling about the need for these things to be reported, there are channels he could have gone through that would have made Cisco aware of the problem

    Cisco was aware, in fact they were originally supposed to be co-presenting with him. Lynn contacted them four months ago. The problem is many of their customers were not aware of the problem, and despite reports to the contrary, while the exploit used to get onto the system has been fixed for a while, the ability to run arbitrary code has not. Now Cisco is working to abstract their hardware layer. Put these two items together and you get new routers, with a flaw, where a single, generic exploit can take them all out.

    I know a lot less about networking and networking security than Mr. Lynn. I am willing to believe, however, that he would not give up a good, paying job and risk his future employment prospects unless he felt that this was a real and serious risk. Whistleblowers need to be protected and companies that willfully disregard warnings that their incompetence is threatening vital business and communications infrastructure around the world are the ones who should be investigated, not Mr. Lynn.

  10. There is a range... by daveschroeder · · Score: 3, Insightful

    ...between "security through obscurity" and attempting to hide vulnerabilities, and broadcasting security issues as loudly as possible at public forums.

    Both are harmful, and neither benefit security optimally.

    As with most things, the most beneficial position is usually a balance between extremes.

  11. Wile E. Coyote school of security by Weaselmancer · · Score: 5, Insightful

    Wile E. Coyote can walk off a cliff and doesn't fall - until the Roadrunner points out there's no ground under his feet.

    Apparently the FBI thinks computer security works the same way.

    --
    Weaselmancer
    rediculous.
  12. Wow my Hats off to you Americans by DarthVain · · Score: 4, Insightful

    I may just be a simple Canadian, but wouldn't common sense dictate that this should read: Lynn awarded medal by greatful country, and FBI investigates Cisco Systems for possible negligance which would endanger the entire Country. Ok perhaps a bit long winded, but really come on people get with the program! Corporations seem to be getting out of control with the amount of power given to them. There are so many things wrong with this its unreal. First off is (seemingly) a Corporation influancing the FBI, a Federal Law enforcement adjency!

    The bottom line is that Lynn is a whistle blower, and the FBI should be investigating Cisco for innappropiate conduct by trying to hide (not fix) a serious vunrability that could effect the entire country.

    The whole thing sickens me.

  13. Re:It may or may not be illegal by Dan+Ost · · Score: 3, Insightful

    While I would be the first to agree that a healthy amount of cynicism is, well, healthy, too much cynicism is as dangerous as not enough. The truth is that there are still lawmakers who value the opinions of their constituents, especially if their constituent attempts to educate them on an issue that they were ignorant of.

    It may not look like it from the outside, but I would suspect that the majority of lawmakers still attempt to cling to the ideals they started with and, when given the opportunity, will attempt to act according to them.

    Don't limit your options just because cynicism dicates that they're pointless. You might be right and it's a wasted effort, but if you're wrong, you've voluntarily missed an opportunity.

    --

    *sigh* back to work...