Slashdot Mirror

← Back to Stories (view on slashdot.org)

Lynn Settles With Cisco, Investigated By FBI

Posted by Zonk on from the bad-friday dept.

Following up on yesterday's story, daria42 writes "Security researcher Michael Lynn has settled a dispute with Cisco over his presentation on hacking the company's routers, which was given at the Black Hat security conference in Las Vegas this week. The two parties and Black Hat organisers have agreed not to further discuss the presentation, which contained techniques Lynn said could bring the Internet to its knees." Not all is good news, though. jzeejunk writes "The FBI is investigating computer security researcher Michael Lynn for criminal conduct after he revealed that critical routers supporting the internet and many networks have a serious software flaw that could allow someone to crash or take control of them."

11 of 357 comments (clear)

  1. BS by Anonymous Coward · · Score: 5, Insightful

    Again... how is this "illegal". When ford sold the pinto's that blew up when rearended, were mechanic's and insurance agenst who brought it to the light of the public sued? If you make a faulty design, you shouldn't have grounds to sue anyone who points it out. It's your own fault and no one else's. I didn't see the guy who figured out you could open all those bike locks with a bic pen going to prison or being investigated by the fbi...

  2. 1984 Called... by bc90021 · · Score: 5, Insightful

    ...and told us that it will be the year we all live in from now on.

    Regardless of what you think about Lynn's tactics, or Cisco's, or ISS's, or Blackhat's, the bottom line is that the FBI is now investigating. The government is going after a private citizen for releasing information about routers, because it's "critical to the national ingfrastructure". How long before pinging a router is an "investigable offence" for causing a drop in router resources?

    --
    libertarianswag.com
  3. Re:No good deed goes unpunished. by Stevix · · Score: 5, Insightful

    the issue is also about how he reported the flaw, not just tha he did. Cisco has its own vunerability submission protocols in house, be he instead showed his findings at a Black Hat conference instead, exposing it to any savvy hacker willing to act on them.

  4. Re:I hope they nail him to the wall! by maotx · · Score: 4, Insightful

    there are channels he could have gone through that would have made Cisco aware of the problem (if they weren't already) without endangering the safety of the nation's network by talking to a bunch of black hats!

    Two things:
    First, Cisco was already aware of the problem and had released a patch for it last April.

    Second, Blackhat is not about blackhats. It is about security and is visited by some of the most renown security professionals including ranking officials in the CIA, NSA, and other 3 letter acronyms.

    --
    I'm a virgo and on Slashdot. Coincidence? Yes.
  5. Re:I hope they nail him to the wall! by LurkerXXX · · Score: 4, Insightful
    He did inform them. Many months ago. They've had a fix out for 3 months for part of the problem he pinted out. They haven't fixed the rest yet. He went through the right channels. They haven't fixed it yet. There have been many many examples with them, Microsoft, and even recently mozilla, where bugs were reported and the vendor took over a year to finally getting around to fix the problem. And that was only after the problem had been 'leaked' to the public.

    The hole exists. Sometimes it takes shouting about it to get it fixed. He gave them time. If you think 3+ months is enough time or not is a debatable point. But he DID notify them through channels.

  6. Re:No good deed goes unpunished. by daveschroeder · · Score: 4, Insightful

    Actually, the FBI has not "decided" to get involved. Lynn's own lawyer says she believes the FBI is merely following up on a complaint that it received from either Cisco or ISS before the settlement was reached. In other words, Cisco or ISS may have been (inappropriately or not, depending on your stand on trade secrets) attempting to silence Lynn, but the FBI wasn't just doing this on its own. Is the FBI not supposed to investigate allegations of crime? The FBI doesn't even know whether a crime has been committed.

    Further, Lynn himself admitted that the vulnerability had already been patched by a Cisco update. Lynn's issue is that he didn't believe Cisco presented the vulnerability (or its patch) in an urgent enough fashion.

    And "the government" isn't doing anything save for investigating an allegation of a crime, as it is charged with doing when it receives a complaint. Should the police no longer respond when 911 is dialed unless it's absolutely certain a crime is being committed? Is this not what "investigation" is for? Sorry, I don't buy into the conspiracies.

  7. Re:I hope they nail him to the wall! by 99BottlesOfBeerInMyF · · Score: 4, Insightful

    before everybody starts yelling about the need for these things to be reported, there are channels he could have gone through that would have made Cisco aware of the problem

    Cisco was aware, in fact they were originally supposed to be co-presenting with him. Lynn contacted them four months ago. The problem is many of their customers were not aware of the problem, and despite reports to the contrary, while the exploit used to get onto the system has been fixed for a while, the ability to run arbitrary code has not. Now Cisco is working to abstract their hardware layer. Put these two items together and you get new routers, with a flaw, where a single, generic exploit can take them all out.

    I know a lot less about networking and networking security than Mr. Lynn. I am willing to believe, however, that he would not give up a good, paying job and risk his future employment prospects unless he felt that this was a real and serious risk. Whistleblowers need to be protected and companies that willfully disregard warnings that their incompetence is threatening vital business and communications infrastructure around the world are the ones who should be investigated, not Mr. Lynn.

  8. Wile E. Coyote school of security by Weaselmancer · · Score: 5, Insightful

    Wile E. Coyote can walk off a cliff and doesn't fall - until the Roadrunner points out there's no ground under his feet.

    Apparently the FBI thinks computer security works the same way.

    --
    Weaselmancer
    rediculous.
  9. Re:No good deed goes unpunished. by goldspider · · Score: 5, Insightful
    "...because warning people about security flaws is exactly the same as instructing people in cyberwarfare, and issueing commands to them to act on your behalve to bring down Western Civilization as we know it."

    Nice strawman, but that of course isn't what the (predictably modded-down) parent said.

    All he's saying is that you shouldn't be surprised when the FBI investigates you after you tell a whole conference of interested parties how to take down a critical infrastructure.

    --
    "Ask not what your country can do for you." --John F. Kennedy
  10. Wow my Hats off to you Americans by DarthVain · · Score: 4, Insightful

    I may just be a simple Canadian, but wouldn't common sense dictate that this should read: Lynn awarded medal by greatful country, and FBI investigates Cisco Systems for possible negligance which would endanger the entire Country. Ok perhaps a bit long winded, but really come on people get with the program! Corporations seem to be getting out of control with the amount of power given to them. There are so many things wrong with this its unreal. First off is (seemingly) a Corporation influancing the FBI, a Federal Law enforcement adjency!

    The bottom line is that Lynn is a whistle blower, and the FBI should be investigating Cisco for innappropiate conduct by trying to hide (not fix) a serious vunrability that could effect the entire country.

    The whole thing sickens me.

  11. Re:No good deed goes unpunished. by mcclungsr · · Score: 4, Insightful

    Second, it's Cisco's right to do what they want with his research, since he did *break the law* in order to release it ( decompiling code + license agreement -> ?=( ).

    I'm not a lawyer of course, but a license agreement is essentially a contract, right? Aren't you implying that he committed a crime, when this is perhaps a breach of contract? I could be mistaken.

    Even if it was a crime, does that really give Cisco any rights to his work at all?