Lynn Settles With Cisco, Investigated By FBI
Following up on yesterday's story, daria42 writes "Security researcher Michael Lynn has settled a dispute with Cisco over his presentation on hacking the company's routers, which was given at the Black Hat security conference in Las Vegas this week. The two parties and Black Hat organisers have agreed not to further discuss the presentation, which contained techniques Lynn said could bring the Internet to its knees." Not all is good news, though. jzeejunk writes "The FBI is investigating computer security researcher Michael Lynn for criminal conduct after he revealed that critical routers supporting the internet and many networks have a serious software flaw that could allow someone to crash or take control of them."
What a load of horseshit. Lynn follows his conscience and speaks up about Cisco's security vulnerabilities, and not only is he severely slapped down by this permanent injunction (which I don't consider 'good news' in any sense), but now the FBI has decided to get involved. It'll be chilling to watch them pull his life apart and examine each bit under a microscope over months or years.
Lynn exposed a serious security flaw that could have been used to compromise networks throughout the nation. Cisco should be rewarding him for protecting them against losses they would no doubt have experienced in the future if this flaw went unreported. As for the government, they should be pinning a medal on Lynn, not investigating him.
The real issue at hand, at least with Cisco router owners, is not the fact that Lynn released information concerning the exploit, but the fact that Cisco would not tell anyone about it. Time and time again it has been shown that security through obscurity is not real security, especially when Cisco's source code had been stolen.
The reality of it is that Cisco fixed the exploit last April with a patch and no longer offers the vulnerable IOS for download on their site. The problem with that, though, is that they did not inform anyone what the patch fixed and who needed to download it. Most people who are vulnerable to this attack are those who have not updated to Cisco's version as of April (of which there are a few, I'm sure: no point in upgrading a working system with a patch that could break you).
The real problem is Cisco and their disregard to release information over a severe vulnerability in order to press forward their new OS next year.
I'm a virgo and on Slashdot. Coincidence? Yes.
Needs to be spread if we're to expect cisco to fix it.
Again... how is this "illegal"? When Ford sold the Pintos that blew up when rear-ended, were the mechanics and insurance agents who brought it to the light of the public sued? If you make a faulty design, you shouldn't have grounds to sue anyone who points it out. It's your own fault and no one else's. I didn't see the guy who figured out you could open all those bike locks with a Bic pen going to prison or being investigated by the FBI...
Because [insert deity of choice] knows this has been uber-effective so far.
Oh well, this might as well be Soviet Russia!
Can you imagine the chaos?
I bet some people would even end up going outside.
I would probably crawl up into a ball and cry until it was fixed; with my girlfriend consoling me.
I suppose I could look through my old cached history of webpages and pretend that I was online!
...and told us that it will be the year we all live in from now on.
Regardless of what you think about Lynn's tactics, or Cisco's, or ISS's, or Blackhat's, the bottom line is that the FBI is now investigating. The government is going after a private citizen for releasing information about routers, because it's "critical to the national infrastructure". How long before pinging a router is an "investigable offence" for causing a drop in router resources?
What exactly was CISCO suing over? It seems to me that CISCO didn't like what he had to say, but that doesn't give you a right to sue somebody. Obviously, they weren't alleging libel or slander, since everything he said was apparently true. I don't recall allegations that he misappropriated trade secrets or something. Did he just give up so that he didn't have to defend a baseless suit?
Was his disclosure good for the internet in the short term? Probably not. However, unless there is some law that I'm missing, describing how to use a bomb is not the same as advocating that it be used.
I don't practice what I preach because I'm not the kind of person that I'm preaching to.
First, according to this new article, Lynn would have been allowed to speak if Cisco was allowed to speak as well.
In other words, give Cisco the opportunity to explain that patching vulnerabilities in major commercial vendor-supported code isn't just something that happens instantaneously. I'm not saying Cisco is completely in the clear here, but no everything shouldn't be open source, and patching shouldn't/can't happen like it does in the open source community. Some people will no doubt fundamentally or philosophically disagree with this, but in major network infrastructure, there is a place for stable, predictable commercial support. Along with that sometimes comes commercial and/or proprietary code - code which is kept proprietary for competitive advantage. This is not to say that flaws should not be revealed for the good of all, but speaking in generalities here, broadcasting everything as loudly and widely as possible to the public isn't necessarily the best way to address issues. Nor is hiding things in obscurity. But there is a scale here, and it's NOT black and white.
Further, the FBI is investigating not because of some corporatist government conspiracy, and is not being used as Cisco's own "police force". It is investigating a claim of a complaint it received, as it is compelled to do by its very reason for existence, and doesn't even know if a crime has been committed. Would you want law enforcement agencies to not investigate allegations of crime, whatever your opinion of this particular instance aside?
Even Lynn's own lawyer says "that she thought the agency was simply following through on a complaint it received when Cisco and ISS filed their lawsuit against Lynn and that it didn't come after her client reached his settlement. She didn't know the nature of the complaint but said it was probably something to do with intellectual property and that it most likely came from Cisco or ISS.
Granick said she did not think the FBI would arrest Lynn.
"Definitely not," she said. "I don't have any sense at all that that's where they're going. I don't know what the circumstances are under which anyone contacted the FBI. It may very well be that given that we settled the civil case yesterday, this is over.""
So please, let's not overreact.
I found this linked on Nick84's site (http://www.rootsecure.net/): http://www.infowarrior.org/users/rforno/lynn-cisco.pdf
If I'm correct, it's the slides that were taken off of the handout CD.
Another link from a Wired article:
http://cryptome.org/lynn-cisco.zip
Also, if Cisco did know about it and kept it under wraps while they worked on the problem I call that common sense not secrecy. How would you like it if someone posted a sign on your street giving the code to your alarm system or garage door opener?
You got any karma man? I really neeed it. Just a little hit! Come on!
"There's no arrest warrant for (Lynn) and there are no charges filed and no case pending," Granick said. "There may never be. But they got a complaint and as a result they were doing some investigation."
In other words, probably not really in trouble with the FBI.
No, sometimes this is the only way to make progress. Companies (more appropriately, managers) are content to live in the dark on security issues instead of dealing with them. In my experience, money is the only concern in respect to most PHBs, and the only way to make a change is to expose it in a critical manner. I applaud this guy.
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
FBI investigation =/= FBI hunting you down and cracking down on you and your ilk. Just think for a moment about how many thousands of things the FBI is currently "investigating" that you will never hear about.
I never spellcheck and I freely admit it. Save your karma for more worthwhile "lol erorrs" replies
Everyone together now: Meanwhile, back at the ranch, some Eastern European "security expert" is busy cheerfully 0wn1ng j00 when you order that book from Amazon. Checked your credit card statement lately?
political_news.c: warning: comparison is always true due to limited range of data type
"The FBI is investigating computer security researcher Michael Lynn for criminal conduct after he revealed that critical routers supporting the internet and many networks have a serious software flaw that could allow someone to crash or take control of them."
The FBI is investigating Michael Lynn... after he revealed ...
Congress shall make no law ... abridging the freedom of speech, or of the press.
He's being investigated for what, now? Talking?
Secession is the right of all sentient beings.
If it weren't at least somewhat effective the Internet wouldn't even exist because the black hats would pwn everyone's machines.
A lot of you are saying the information on this vulnerability, which could cripple the Internet if taken advantage of, should be spread in order for Cisco to fix it?
I may be just a simple caveman, but this sounds like a tremendously bad idea... someone would take advantage of it sooner or later...
The Internet dropping, even for a few hours, would have a profoundly negative impact on the world economy...
I mean, geez, just think about it...
He wasn't revealing state secrets, and he didn't "yell fire in a crowded theater."
Someone should challenge the trade-secret-protection criminal laws on 1st amendment grounds - yes, there is tort, and yes, restraining orders may be appropriate in rare circumstances, but a criminal conviction, I think not. It's time to give the local jury pool a lesson on free speech and jury nullification.
I hope they drop this ASAP, and if they don't, the ACLU should get involved. This is America, not Soviet Russia.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
The problem isn't that Cisco hadn't fixed this problem. They did, months ago. BUT, they didn't tell anyone what their patch fixed, so there are people out there running old versions because they don't know that the patch is CRITICAL to their security, mostly out of fear of munging their network up with a new IOS version.
there are channels he could have gone through that would have made Cisco aware of the problem (if they weren't already) without endangering the safety of the nation's network by talking to a bunch of black hats!
Two things:
First, Cisco was already aware of the problem and had released a patch for it last April.
Second, Blackhat is not about blackhats. It is about security and is visited by some of the most renowned security professionals, including ranking officials in the CIA, NSA, and other three-letter agencies.
The hole exists. Sometimes it takes shouting about it to get it fixed. He gave them time. If you think 3+ months is enough time or not is a debatable point. But he DID notify them through channels.
before everybody starts yelling about the need for these things to be reported, there are channels he could have gone through that would have made Cisco aware of the problem
Cisco was aware, in fact they were originally supposed to be co-presenting with him. Lynn contacted them four months ago. The problem is many of their customers were not aware of the problem, and despite reports to the contrary, while the exploit used to get onto the system has been fixed for a while, the ability to run arbitrary code has not. Now Cisco is working to abstract their hardware layer. Put these two items together and you get new routers, with a flaw, where a single, generic exploit can take them all out.
I know a lot less about networking and networking security than Mr. Lynn. I am willing to believe, however, that he would not give up a good, paying job and risk his future employment prospects unless he felt that this was a real and serious risk. Whistleblowers need to be protected and companies that willfully disregard warnings that their incompetence is threatening vital business and communications infrastructure around the world are the ones who should be investigated, not Mr. Lynn.
If we're not allowed to test holes, it reminds me of that old saying, "Who will guard the guards?"
Are you saying that they didn't strongly urge customers to install the patch? I can't get into their download site without a password, so I can't verify your statement one way or the other. Please support it.
How would you like it if someone posted a sign on your street giving the code to your alarm system or garage door opener?
i would feel "oh shit. i better fix that now"
vodka, straight up, thank you!
The FBI is most likely investigating to determine whether there is a case against Lynn. If they find something in the DMCA that he has run afoul of, most likely they'll prosecute.
I've been writing letters to my Congressman and Senators about the DMCA for some time, but they're not listening. Until we can get legislators in office who actually understand how the DMCA casts a chill on issues like the Lynn fiasco, this sort of thing will continue.
My feeling is that unfortunately this just isn't a big enough issue on Joe Citizen's radar. There's a war in Iraq, the government is spending money like it's going out of style, there are disagreements over almost every social issue imaginable, and that monster SUV he bought last year now costs him $85/week to fill up. Some computer guy revealing Cisco vulnerabilities isn't high on his list, so it won't be high on his legislators' lists either.
Read the EFF's Fair Use FAQ
Why didn't he blow the whistle to the US-CERT, then? Yeah, this is a good idea, let's present it at a Black Hat convention. Jeez
Here's the coverage Tom's Hardware has. Some nice pictures; now I at least know what the guy looks like.
http://www.tomsnetworking.com/Sections-article131.php
...between "security through obscurity" and attempting to hide vulnerabilities, and broadcasting security issues as loudly as possible at public forums.
Both are harmful, and neither benefit security optimally.
As with most things, the most beneficial position is usually a balance between extremes.
Wile E. Coyote can walk off a cliff and doesn't fall - until the Roadrunner points out there's no ground under his feet.
Apparently the FBI thinks computer security works the same way.
Weaselmancer
ridiculous.
Of course, with the internet down we could all agree to meet and pretend to chat with each other in the big blue room. I'd even be willing to use my face to emulate emoticons, if that'll help.
Relax, see here and here. Now take a deep breath
Cisco is quoted as saying:
Cisco denied that the flaw was as critical as Lynn said it was
Then what really is the problem?
Wow! Sure is a good thing we have the first amendment to club them over the head with... or has it been completely repealed now? Like the 4th?
What?
But my situation was a little different - it was something like, "I swear officer, she told me she was 18, I SWEAR!!!!!!"
Why didn't he blow the whistle to the US-CERT, then? Yeah, this is a good idea, let's present it at a Black Hat convention. Jeez
Do you have any idea who is at Black Hat these days? It is a huge security convention sponsored by hundreds of major computer and security vendors, even Microsoft is a sponsor. Heck the Department of Defense, the Army, West Point, Stanford Law School, etc. all had people giving presentations. If you want to get the word out when a major threat is being ignored, blackhat is a pretty good place to do it. It seems to have worked, don't you think?
This sounds like another DeCSS.
If anyone has copies of the stuff Cisco wants censored, we could all host it and make torrents of it. Those who are less brave can use something like FreeNet to host it.
If hundreds of thousands of people host it, it will be a giant embarrassment for Cisco and there will be nothing the authorities can do to stop it.
More information here. Blowing the whistle here is roughly equivalent to sending the info to US-CERT except that US-CERT probably doesn't allow whistle-blowing against a vendor....
I wonder what would happen if a large user of network equipment, who depends on that equipment operating properly to stay in business, filed against Cisco on this? After all, they know how dependent others are on their equipment, they knew their errors in coding had put those other people at risk, and they not only didn't do anything about the situation they actively tried to block information from the people who'd be harmed. Seems to me that if a dangerous situation existed and the person responsible for it actively tried to keep the people endangered from finding out about it, that's usually grounds for additional penalties against the responsible party.
Everyone is aware that the presentation has been published on numerous mailing lists and websites, right?
No video, but a full writeup has already been on the net for a few days... in fact the proof-of-concept seems to be up too, but you have to compile it yourself.
http://www.antiserver.it.nyud.net:8090/Cisco-Exploit/
I am willing to believe, however, that he would not give up a good, paying job and risk his future employment prospects unless he felt that this was a real and serious risk.
How do you know this? That seems to be what everyone is basing their assumptions on the seriousness of the vulnerability on. I'm sorry, but people quit and resign over petty conflicts all the time. Just because this person is a security researcher doesn't make him a martyr, and doesn't necessitate that his resignation was some noble act for the good of the global internet community. You and he may believe that it was, and I'll be willing to consider the possibility that it was as well.
But the real issue here was that Lynn didn't want Cisco to speak at the forum with him, essentially giving its side of the story, instead of a somewhat vague assertion that Cisco's general irresponsibility will someday lead to an exploit bringing the internet to its knees. There is no specific outstanding vulnerability. Merely an assertion that Cisco didn't handle a previous vulnerability, which Lynn alleges was serious (but we don't know that for sure), urgently enough. I'm sorry, but someone quitting their job doesn't lend more credibility to the facts of a claim. The facts themselves, however, would.
Crafted IPv6 packet vulnerability.
http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml
http://www.eweek.com/article2/0,1759,1841669,00.asp
Upshot is that if you aren't running IPv6 on the router, this doesn't affect you.
The lesson to be learned here is that full, immediate and anonymous disclosure is the best way to publish vulnerabilities. It's too bad that vendors and law enforcement have scared the shit out of such that this is necessary, but they too have to live with the consequences of their actions.
As a consumer I think I have the right to know about this. Giving the vendor some time to fix the bug is the usual procedure and is common courtesy. I don't know if Lynn gave Cisco a window to fix the bugs. I know from experience how vendors can sometimes try to pull this window forever. At some point, the bug must be exposed. This way vendors are forced to fix their sh.. Maybe Lynn exposed this prematurely, which should probably have some consequences for him professionally (but legally? I don't think so). The real villains here are Cisco: an important point of full disclosure is that the bad guys and the good guys have the same information at the same time. This is opposed to the bad guys having the information while the good guys are in the dark... which is the present situation: Cisco are leaving their customers in the dark right now. Cisco is definitely in the wrong covering this up. (How am I supposed to protect my Cisco router if the details of the attack are secret?) I am sure the real "blackhats" are exploiting it this very moment. So what Cisco is doing is basically giving the blackhats free hands while tying up the hands of their customers. Somebody should sue the h... out of Cisco!
If you call the police, and claim someone stole your TV, tell them who it was and where they live, the police will investigate that person. Why? Well that's their job. If it turns out you were making shit up, you might get in trouble for filing a false police report later, but they'll still investigate the person. They don't just assume you are lying, I mean unless they investigate and reach their own conclusions, how will they know?
We want the police (the FBI is just the federal police) to investigate reports of crimes. We want them to do so in as unbiased a fashion as possible. We don't want them to just assume that reports are false unless they are presented with overwhelming evidence; we want them to go and look for their own evidence and reach their own conclusions.
Hey, how about we try a proper analogy:
How would you like it if you had your security number written on a piece of paper stuck to the side of your house and some kid told you he knew about it and said you should take that down. After you told him no, he ran around the neighborhood and told everyone.
I'd be embarrassed too, but it'd be my own damn fault.
If anyone needs investigated, or any new laws need to be written, it should concentrate on Cisco and other majors who sit on known vulnerabilities for months (or years).
I'll vote for whatever congressdroid steps up with a "Software Infrastructure accountability act of 2005" that actually codifies the "right" sequence/timetable for this sort of thing.
Unlike the rest of the world, we have such great Freedom of SpeE&F@%&**#$@HDTH+H+[NO CARRIER]
You should always give these types of presentations at the "White Hat Security Researchers Conference of Law Enforcing Good Guys", not the "Black Hat Hacker Convention of Nefarious Ne'er-do-wells and Juvenile Delinquents".
try { do() || do_not(); } catch (JediException err) { yoda(err); }
The Motion Picture Association of America and Regal Entertainment corporation have assured me that the theater is perfectly safe, and that any reports of fire are greatly exaggerated.
Cisco Internetwork Operating System (IOS®) Software is vulnerable to a Denial of Service (DoS) and potentially an arbitrary code execution attack from a specifically crafted IPv6 packet. The packet must be sent from a local network segment. Only devices that have been explicitly configured to process IPv6 traffic are affected. Upon successful exploitation, the device may reload or be open to further exploitation.
Cisco has made free software available to address this vulnerability for all affected customers.
PDF: Lynn-cisco.pdf
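The advisory text quoted above, and the earlier comment that the flaw only matters if the router is actually processing IPv6, both come down to one operational check: is IPv6 explicitly configured on an interface of this box? The script below is an added example, not from the original post or from Cisco; it audits a `show running-config` excerpt for that condition. The sample config is constructed for the example, and the assumption that `ipv6 address`, `ipv6 enable` and `ipv6 unnumbered` are the interface-level commands that turn IPv6 processing on is mine, not a statement from the advisory.

```python
"""Audit an IOS running-config excerpt for interfaces that process IPv6.

Added example (not Cisco's tooling). Constructed sample config below;
the list of IPv6-enabling interface commands is an assumption.
"""
import re
from typing import Dict, List

# Constructed sample in the shape of `show running-config` output.
SAMPLE_CONFIG = """\
version 12.3
hostname edge-rtr
!
ipv6 unicast-routing
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ipv6 address 2001:db8::1/64
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
!
interface Serial0/0
 ipv6 enable
 shutdown
!
end
"""

# Assumption: any of these interface sub-commands makes IOS accept IPv6
# on that interface, which is the advisory's "explicitly configured" case.
IPV6_IFACE_CMD = re.compile(r"^(ipv6 address|ipv6 enable|ipv6 unnumbered)\b")
INTERFACE_HDR = re.compile(r"^interface\s+(\S+)")


def parse_interfaces(config: str) -> Dict[str, dict]:
    """Return {name: {"ipv6": [cmds], "shutdown": bool}} for every interface stanza."""
    interfaces: Dict[str, dict] = {}
    current = None
    for raw in config.splitlines():
        m = INTERFACE_HDR.match(raw)
        if m:
            current = m.group(1)
            interfaces[current] = {"ipv6": [], "shutdown": False}
            continue
        if current is None:
            continue
        if not raw.startswith(" "):
            current = None          # "!" or a new top-level command ends the stanza
            continue
        cmd = raw.strip()
        if cmd == "shutdown":
            interfaces[current]["shutdown"] = True
        elif IPV6_IFACE_CMD.match(cmd):
            interfaces[current]["ipv6"].append(cmd)
    return interfaces


def exposure(config: str) -> dict:
    """Classify a device against the advisory's stated condition.

    "affected" is True when at least one administratively-up interface has
    IPv6 configured. Interfaces that are shut down are reported separately:
    they do not receive packets now, but would be in scope if brought up.
    The global `ipv6 unicast-routing` line alone does not count, since it
    enables forwarding rather than putting any interface on an IPv6 segment.
    """
    ifaces = parse_interfaces(config)
    with_v6: List[str] = sorted(n for n, d in ifaces.items() if d["ipv6"])
    active: List[str] = sorted(n for n, d in ifaces.items() if d["ipv6"] and not d["shutdown"])
    return {
        "ipv6_routing": any(l.strip() == "ipv6 unicast-routing" for l in config.splitlines()),
        "ipv6_interfaces": with_v6,
        "active_ipv6_interfaces": active,
        "affected": bool(active),
    }


if __name__ == "__main__":
    report = exposure(SAMPLE_CONFIG)
    verdict = "AFFECTED" if report["affected"] else "not affected"
    print(f"{verdict}: IPv6 active on {report['active_ipv6_interfaces']}")
    print(f"IPv6 configured (incl. shutdown): {report['ipv6_interfaces']}")
```

Run it against the text of `show running-config` from each router; a result of `affected` means the IPv6 fixed release (or removing the IPv6 configuration from interfaces that do not need it) applies to that box. Note that the advisory says the packet must come from a local segment, so an active IPv6 interface facing an untrusted LAN is the case to fix first.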
I may just be a simple Canadian, but wouldn't common sense dictate that this should read: Lynn awarded medal by grateful country, and FBI investigates Cisco Systems for possible negligence which would endanger the entire country. Ok, perhaps a bit long-winded, but really, come on people, get with the program! Corporations seem to be getting out of control with the amount of power given to them. There are so many things wrong with this it's unreal. First off is (seemingly) a corporation influencing the FBI, a federal law enforcement agency!
The bottom line is that Lynn is a whistleblower, and the FBI should be investigating Cisco for inappropriate conduct by trying to hide (not fix) a serious vulnerability that could affect the entire country.
The whole thing sickens me.
because of this, that would bring Al-Qaeda to a screeching halt. They wouldn't be able to plan any attacks. They'd have to go to the libraries, then *bam*, we got 'em!
No data, no cry
Or you're misinterpreting events. Check out a prior post: http://slashdot.org/comments.pl?sid=05/07/29/1850234
Cisco already HAS a fix. AND HAS HAD that fix out since April. They are pissed because it was exposed that there was a SERIOUS flaw in their previous IOS software, which Cisco had not disclosed to the public, even though they made a patch, and basically told people that it was an update, NOT THAT IT FIXED A MAJOR SECURITY FLAW, since that would cause the public to think that Cisco screwed up, and we can't have that, can we?
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
Present the info, but stay anonymous.
Use a fake name. Wear some kind of disguise to the Black Hat conference (or wherever you're doing your presentation), do your security-flaw-revealing presentation in the disguise and then quickly run off stage and change.
This is no longer the home of the free and I haven't noticed a lot of bravery lately...
ahem, I am not sure if anybody else saw this but CISCO has SCO in it.. just an observation :)
There is no specific outstanding vulnerability. Merely an assertion that Cisco didn't handle a previous vulnerability...
Actually, if you look at the presentation you'll see he presented a walkthrough of exploiting the shellcode which Cisco has done nothing (yet) to mitigate. The (fixed) exploit he mentions was merely an example of how to get on the box, but there are obviously going to be more ways to do that and quite likely someone already knows some of them. He also explains that while this is not the end of the world, the hardware abstraction Cisco is pursuing will make this type of attack work on many more routers.
Obviously as soon as the press gets involved all sorts of misconceptions, simplifications, and dramatization immediately drowns out the factual info. I don't know Lynn, but I know a number of people who do and from what I have heard he is probably trying to do the right thing.
As for Cisco wanting to have their fair say, it was my understanding that they were originally going to present the flaw with him, but backed out. Perhaps I was misinformed.
It never ceases to amaze me that companies and the government can take this kind of action for somebody merely giving a presentation on the security vulnerabilities of a router, or a chunk of code, or how to bypass encryption. What the hell has happened to us?
When I was growing up, my grandmother told me there's three things I should never talk about in public: sex, politics, and religion. I guess now we can say the three things you should never talk about in public are security vulnerabilities, P2P, and political dissent.
Dear America, I miss you. Come home soon.
I didn't know that!
I am very small, utmostly microscopic.
"I hate to advocate drugs, alcohol, violence or insanity but they've always worked for me" - HST
You need to install an RTFM interface.
He didn't work for Cisco, he worked for Internet Security Systems. The FBI does not investigate charges of contract breach. They are civil matters.
If you dare mention that the emperor isn't wearing any clothes, you will surely get beheaded for it.
If the internet didn't exist they wouldn't be able to pwn my computer unless I let them into my house. /pedantic
Stop Global Warming!
Just say no to irreversible processes!
No way.
If you tell companies like Cisco "it's okay to write garbage software, some good samaritan will report it 'through the proper channels'", what exactly is the incentive for them to do better next time? And why the hell do *we* have to do Cisco's work for them? Mr Lynn has no obligation to Cisco whatsoever. I don't even know why he bothered waiting, put this info out THE MOMENT YOU FIND IT.
Cisco should feel *something* when they fuck up. Lower market share, lower revenue, bad PR, whatever. Not hand-holding and pat on the shoulder and "that's okay Cisco, do better next time".
This is serious stuff, I don't want Cisco to think they can call the lawyers whenever something like this happens. I want them to sweat.
In the mean time, time to do a Freenet search for his paper. I can't believe all of the copies were destroyed.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
I read the presentation. (here).
Lynn shows how to do a remote exploit on Cisco's firmware. This is impressive because the router runs software that attempts to detect inconsistencies. It will reset itself and start up afresh. The big deal is that Lynn shows how an exploit can fix things up and avoid those measures. Basically, his technique is like a ninja who breaks into a building through a window, but then immediately reassembles the window before the security guard making his rounds can notice that the window got destroyed. That's it!
There's no indication Lynn stole ANYTHING from Cisco, or broke any law.
Lynn apparently "reverse engineered" the OS in order to do this. That's usually fine; it is his right to do that.
Considering this, I'm pretty pissed that Cisco's spokeswoman, Mojdan Khalili, said that Lynn broke the law (without saying what law it was). I think that could be libel (or slander -- I'm not a lawyer) -- in any case, Mojdan Khalili, working for Cisco, just ruined this guy's rep, and sicced the FBI on his ass.
Perhaps if you write her, she will get Cisco to ask the FBI to lay off the good researcher (ask her to have Cisco "take it all back"). From yesterday, here's her contact info:
978-936-1297 mkhalili@cisco.com
Also, some total jerk looked up her address and posted it (here). I think that's totally inappropriate; if you show up on her doorstep and bother her, I hope she calls the FBI on you, you freak!
Not executing the delivery of the information in a way that protects him is what's got him in trouble.
This guy's smart enough to comprehend the exploit, but he utterly failed in communicating it.
Never in a million years do you just blurt something out like this. I don't care how bad it is. Figure out the proper channels and work them.
That's what a focused and intelligent adult interaction with the world looks like.
Now, I admit he needed a Karl Rove power broker/media bulldog to keep the story from spinning against him. But he really needed to spend some time figuring out how to deliver the message to insulate himself better.
Is anyone else feeling a little deja vu here?
A big software company gets mad at a researcher giving a speech on a security flaw in their software and attempts to sue them. They get the FBI involved before realizing that they're taking a lot of PR damage and then suddenly act all buddy-buddy with the person they went on the attack against. In the meantime, the FBI doesn't give up just because the company now wants to polish its image, and the researcher's life is negatively impacted.
Sounds like Adobe and Dmitri Sklyarov, doesn't it?
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
1. Read Slashdot article slamming Cisco for attempting security through obscurity and unfairly siccing the FBI on the whistleblower.
2. Short-sell Cisco stock or buy put options.
3. PROFIT!!!!
Take the 90-Day Challenge! http://rwmurker.bodybyvi.com/
I don't think they are investigating Lynn per se but the information that he has found. There is a problem where software and hardware vendors keep this type of vulnerability information sacred (so they can fix it) {bullshit, they don't want to spend the extra money to fix it}. In any event I think we will see this investigation turn to Cisco. This is a National Security Issue, and if it's true that Cisco has all of this information and has been sitting on it, then I hope the government throws the book at them. And my friends say why do you have 4 internet firewalls; well, besides the paranoia, it's just extra defense.
Whoa, that ladder does look safe!
WRONG! you are no longer allowed to point out potential security weaknesses to people who have paid money for something. Discussing the weakness of a product is wrong, and will in fact lead to the ladder breaking by itself. Inform the ladder manufacturer, and I am sure they will recall all ladders sold.
For fuck's sake, everyone has no idea about security; there is no such thing as security in computing, ONLY programs that are sub-standard and do not do their job properly.
Since this has become mainstream, the whole ideal has become warped, and now the onus is on the consumer to bear the risk, IN SILENCE, for fear of prosecution, because it is illegal to discover and discuss the flaws in software you have paid for.
This guy is a consumer; he paid for and analysed his product, which is no different than talking about the fruit you bought at the market, or the shaving cream you use. He voiced his opinion that stated that the software was buggy, and would fail under certain circumstances. Not allowing him this right, or anyone else, is wrong, and you cannot put the onus of security in shutting up everyone and anyone, because the next person will not nicely talk about it, but strike; oh no, that will never happen. Code Red, Slammer, and a million other worms have cost BUSINESSES who pay the fucking FBI's wages BILLIONS. SO GO AND FUCK YOURSELF FBI, YOU FUCKING IGNORANT PIECES OF SHIT
*muttly mutterings*
#hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
They could always pay to have it fixed. The author says much of the code is secure, so why not undertake a massive effort to overhaul the suspect portions, and then offer a $75 cash incentive for each router a tech patches, or a substantial discount for a replacement router? They do have serial #'s so patching could be tracked; perhaps they could even use some relatively inexpensive hardware or software verification module. It could generate a code to verify proper patch status, or even incorporate patching functions in this simple device.
This might hurt business less in the long run than a widespread, debilitating breakdown. It will be expensive, probably ~$120 a pop in the end, considering payout, as well as the cost of verification hardware/software development and production, but they'll reduce the destruction for their customers' businesses and to their own image.
I don't know just how much this would cut into Cisco's revenues, which would of course reduce short term profits and thus investment interest. Someone up there should be weighing something like this though, however painful it sounds. It would also set Cisco apart in a market where cheaper competitors are taking away Cisco's profits. How many of them would go to such lengths in the event of a vulnerability? Companies love insuring themselves against everything.
The Obvious Question.. Is releasing trade secrets by a non-contractual party a civil case or criminal case? If it's civil, then the FBI is not investigating on trade secrets claims but something else such as code stealing and etc.. Remember, our security hero was not a contractual party to any Cisco product.. or am I wrong on this point?
Fred Grott(aka shareme) http://mobilebytes.wordpress.com
In other words, give Cisco the opportunity to explain that patching vulnerabilities in major commercial vendor-supported code isn't just something that happens instantaneously.
He gave Cisco *FOUR MONTHS* to fix it, which is hardly "instantaneous".
Cisco Internetwork Operating System (IOS®) Software is vulnerable to a Denial of Service (DoS) and potentially an arbitrary code execution attack from a specifically crafted IPv6 packet. The packet must be sent from a local network segment. Only devices that have been explicitly configured to process IPv6 traffic are affected. Upon successful exploitation, the device may reload or be open to further exploitation.
You are being MICROattacked, from various angles, in a SOFT manner.
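As an added example (not from the thread, and not Cisco's own code), here is the advisory's scoping rule applied to a saved IOS running-config, so an admin can list which interfaces are actually configured to process IPv6 before deciding which boxes need the fixed image first. The config text is constructed sample input, and the set of interface commands treated as "explicitly enabling IPv6" is an assumption.

```python
"""Triage a Cisco IOS running-config for interfaces that process IPv6.

Added example, not from the original thread or from Cisco. The advisory
says only devices explicitly configured to process IPv6 traffic are
affected, so this flags the interfaces that match that condition.
"""
import re

# Assumption: these two interface commands are the explicit IPv6 enablers
# worth flagging; vendor documentation is authoritative for the full list.
IPV6_ENABLE_RE = re.compile(r"^\s+ipv6\s+(address|enable)\b")


def ipv6_interfaces(config: str) -> dict:
    """Map interface name -> {"ipv6": bool, "shutdown": bool}.

    An IOS interface block runs from an unindented 'interface X' line to
    the next unindented line (normally '!'); sub-commands are indented.
    """
    result = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            result[current] = {"ipv6": False, "shutdown": False}
        elif current and line.startswith(" "):
            if IPV6_ENABLE_RE.match(line):
                result[current]["ipv6"] = True
            if line.strip() == "shutdown":
                result[current]["shutdown"] = True
        else:
            current = None  # any unindented line closes the block
    return result


def exposed_interfaces(config: str) -> list:
    """Interfaces that are up and explicitly process IPv6: the surface the
    advisory describes (crafted IPv6 packet from the local segment)."""
    return sorted(name for name, st in ipv6_interfaces(config).items()
                  if st["ipv6"] and not st["shutdown"])


# Constructed sample running-config (not from any real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
interface GigabitEthernet0/0
 description uplink
 ip address 192.0.2.1 255.255.255.0
 ipv6 address 2001:db8::1/64
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
!
interface GigabitEthernet0/2
 ipv6 enable
 shutdown
!
"""

if __name__ == "__main__":
    for name in exposed_interfaces(SAMPLE_CONFIG):
        print("IPv6 explicitly enabled and up:", name)
```

A shut-down interface with IPv6 configured is still reported by ipv6_interfaces so it can be reviewed before someone brings it back up.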
Most tier 1 and 2 ISPs upgrade their code in a timely fashion. They're also on a mix of Cisco, Juniper, and Foundry (and I hear someone actually uses Extreme). Some third-rate companies or pretenders might have problems in a situation like this, but the effect has been greatly exaggerated.
The disclosure aspect is sad, but it's not like this is anything new. Might want to get the lawyer hooked up *after* you quit your job to release the paper, and *before* you head out to the conference. Don't expect any different behavior from companies until the next regime change...
Apparently buffer overflows within IOS aren't that hard to create, and so all the usual attack approaches can be used. That's the real story. And apparently IOS is a single-address-space unprotected OS, so anything can clobber anything. There's so much stuff in IOS now that there just has to be trouble.
Now I see why they're switching their larger routers to QNX, which is a protected-mode microkernel OS.
that he is even able to talk about having a gag order on him. It seems that the gov. these days is all about slapping anybody with a gag order, such as Sibel Edmonds. I wonder how many other gag orders there are.
I prefer the "u" in honour as it seems to be missing these days.
I'm a non-IT, non-programmer type, so I'm really an outsider looking in.
In many press releases and conferences and what-not, the U.S. Gov't always refers to the Internet as critical infrastructure. I agree it is: a lot of e-commerce, day trading, exchanging of news, etc. takes place on it every day.
Instead of spending time "investigating" people who might or might not be committing a crime on the Internet, would it not be a better use of resources to instead help make the Internet more secure? Fine, a lot of the internet works on equipment and IP of the private industry (a good part based in the U.S. too). Should the gov't not attempt to make law, something where companies must in X number of days issue patches for critical software (say 60 or 90 days, less is better)? What about establishing some sort of industry standard ISO-type stuff for computer security? Fines might not be a good idea if a patch is late, but something should be done. The threat of lawsuits is deterrent enough for the industry, but gov't should be more positively involved in this matter.
I'm all for the FBI doing their job: investigating and preventing crimes. The government should also try and involve itself and the industry for preventative and "patching" standards within the industry.
Sibel Edmonds. The interesting thing about her, if you believe the rumours, is that this may also hit Democrats just as hard as the Republicans. Supposedly, it will topple GWB's admin, but it may put ex-Clinton people in prison as well.
That's Socialist talk, you . . . you liberal!
I remember sigs. Oh, a simpler time!
Is that the "proper channels" weren't at all interested in conveying the info to everyone- because it was bad for business.
At that point, you're left with two decisions- let it all blow up, or whistle blow.
Considering what I know of Michael (I worked with him for some time at one of his previous jobs- Michael, if you're seeing this, try to get in touch with me, you already know how...) he had only one- to whistle blow.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
What it really boils down to is Cisco knows their code/firmware is about as well written as Microsoft windows and just about as secure. They just don't want everyone else to know about it.
My karma is not a Chameleon.
Cisco should be punished, not Lynn. This issue is a problem caused by Cisco to its customers.
OK, I'm not so naïve. I understand Cisco, their methods and their motivation... but I don't have to like it. And it's good to explain the truth to people.
Try Ubuntu GNU/Linux, it's great!!!
While Lynn did good work discovering this flaw I don't agree with his actions in the slightest. Cisco made the fix and released a patch in a timely fashion. Who is he to dictate how Cisco goes about announcing it? Is he the boss of Cisco because he found a flaw?
Granted, it would be advised to mark the patch as critical and give it some press. But is that required?
Personally, Lynn's the ultimate loser here. He stands to watch his career go straight down the shitter and for what? Some ego-centric power play? I don't think any corporation will want to bring him in at the risk of him pulling some stunt like this on them if he gets his nose bent out of joint.
And as to the FBI, they're just doing their job -- they got a complaint so they flat foot it a bit and check it out. I'm sure they'll bug out of it soon enough.
And while Cisco and ISS may be playing hardball, I can understand why. The dude started a fire and they damn well sure want to stomp it out.
And it seems that both ISS and Cisco were willing to allow him to make this public disclosure -- they just wanted some PR guys there to do damage control and make sure their side was accurately reflected. But for whatever reason, Lynn would have none of that -- so he quit his job and gave them all a big F-U.
Personally, this guy sounds like a complete ass-hat and I question his real intentions here. There are many alternative ways he could have raised the issues he wanted to bring to bear.
Showing up at a black hat conference and giving a how to on this exploit was certainly never going to do anything more than harm Cisco.
What I want to know, is if Lynn really did want to help out, why he couldn't have set up a blog that merely discussed the abstract points of the security update and explain why the patch was critical and then post to slashdot or other IT news site to generate the publicity?
If he'd simply cast his ego aside and thought things through a bit better, and worked with all parties involved he'd probably still have a job and the message would have gone out in a far more positive manner.
-- Just calling it as I see it.
Hello Slashdotters, I just got off the phone with Mike. There is a paypal account setup as a defense fund, please spread the word. Before you ask, it's Mike's paypal account, and he is a "Verified Premier Member".
It is abaddon (at) io . com
James Schallau
Sure, free speech and all that... He did nothing illegal, but he should have put a bit more thought into the whys and hows of the release.
First, nobody has yet attacked via this vector. There are no examples of concept code out there. Had someone exploited this vector, then it makes sense to educate the public that it exists and why. Until then, I think the moral thing would be to STFU. Cisco has a right to be angry (though not to use heavy-handed tactics).
Second, I would find his position to be much more moral if he had given this information anonymously to the conference, or some other such forum. The fact that he put his name on it smacks of a grab for infamy. His goals, if they were truly altruistic, should not have included his identity because that was irrelevant to his presentation.
He's no hero in my book. I'll give him credit for trying to do the right thing, but I still see his actions as ultimately counterproductive.
Nearly fifty percent of all graduates come from the bottom half of the class!
DONE! I modded it to -13.2.
This is the most stupid use of Federal Intelligence and policing ever;
One must assume that the politicised senior executives have not the wit to understand the benefit of timely disclosure of security exploits and the fact that the black hats will know without public fanfare.
The FBI and the DHS have a job that SHOULD fully occupy them: find Ussama bin Laden, and kill him. When they have done that they can turn to lesser priorities.
By the title I mean, not necessarily in their technical sense, but they are vulnerable through market forces.
Let's face it, companies pay through the nose for Cisco kit, mostly simply through continuity purchasing.
Yes, the Cisco kit generally performs as advertised, but I doubt that that has ever influenced someone who had the responsibility for buying the kit.
The market is crying out for a network supplier who can provide the goods & functionality of the Cisco kit for what is deservedly a fraction of the price that Cisco charge.
Cisco have a terrible support policy, unless you purchase your particular item with support you're knackered.
Compare that to even Microsoft, who at least have a large knowledge base freely available, have reviewed their security updates and made their OS as secure as any closed OS can become.
Cisco lag behind in their field far further than any of the other companies in IT.
Their strategy? Invoke achievable certification which gains advocates for their products. Sign those advocates up to virtual non-disclosure and reap the benefits.
Anyone that wants a copy of the presentation; email me: joel[dot]helgeson[at]gmail[dot]com with the subject of "CISCO" and I'll reply with the presentation.
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
what a crock of shit - cisco should be thanking this guy for finding their bug in the first place.
doesn't the FBI have anything better to do like find Osama bin laden and their followers.
One other thing is why didn't all their ccna's or whatever find the bug? Aren't they certified?
My snort logs still pick up unpatched cisco routers at work all the time.
Email me here if you'd like a copy of the presentation.
Maybe the GP made the mistake of reading the story title? You can sort of begin to see a hint there how cooperating with Cisco might not always produce the results you wanted. The GP is spared from going to room 101 -- this time.
Anyhow, from my limited understanding, Cisco claimed that the exploit had already been patched since April, the patch supplied to customers and they deny that it was ever anything approaching a critical issue. The civil charges were settled, supposedly. So, then, if the original complaint was satisfied, who is the damaged party that they are investigating him on behalf of? Tick. Tock. But wait... the plot thickens.
Quoting him from the wired article:
Extremely disappointed? Didn't he mean to say double-plus unappointed? That is, if he actually exists. I did not claim that he ever existed, by the way, just in case all archives of his existence suddenly disappear.
critical routers supporting the internet
Phew, good thing those are made by Juniper.
> he has agreed to pay a $10,000 fine and
> accept a three-year suspension of his national
> security clearance.
Wow, if I got it right this guy intentionally DESTROYED DOCUMENTS TAKEN FROM YOUR COUNTRY'S ARCHIVE and he will GET BACK his security clearance after a while?
Looks like you're fucked, basically.
k2r
that I seem to detect a bit of yellow showing through that particular Black Hat.
Not a good sign... it requires gutsy people to push the envelope, in order for progress to occur.
Lynn showed what he's made of... and so did Cisco and Black Hat.
All in all, not a good day for anyone... except maybe admins that now know a bit more about their Cisco system than they did before.
I hope...
There is no sig like the old sig, so this is it.
This is a plan on how someone could kill the President of the United States. Wait until the POTUS is known to be inside 1600 Pennsylvania Av, then either A) detonate a truck filled with high explosive outside the Oval Office, or B) hijack an airliner and crash it into the building.
Wow, the FBI better lock me up for giving away this totally non-obvious information to the terrorists. Hell, I even gave them the address and everything.
Or maybe talking about obvious and non-specific information with the intent to prevent such an attack occurring is something people should be rewarded for?
========
CINC, 4th Penguin Legion
That's what Cisco is doing here.. YES, they ARE using the FBI and "national security" as a cover for a personal vendetta.
What they're basically asking is: because their software is insecure, they've not reported the info to the public for 4 months, but this guy did, they want the FBI to "investigate" until they FIND something to charge him with. Because an FBI investigation is punishment in and of itself... It should take no more than 5 minutes for the FBI to realize this is an open & shut whistleblower case and Cisco is wasting their time. Unfortunately, the FBI doesn't care about what a person's RIGHTS are, only if they can find some crime you committed.. after all, they'll have to find something to justify spending the $100k's they've already spent!!! Going back to Cisco and fining them for a "false" police report almost never happens.
The oft quoted example of shouting 'fire' in a theatre...
Or defaming people, i.e. 'hackstraw is a paedophile', etc.
Not that I disagree with your presumed sentiment. Cisco *are* out of order here.