Slashdot Mirror
Lynn Settles With Cisco, Investigated By FBI
Following up on yesterday's story, daria42 writes "Security researcher Michael Lynn has settled a dispute with Cisco over his presentation on hacking the company's routers, which was given at the Black Hat security conference in Las Vegas this week. The two parties and Black Hat organisers have agreed not to further discuss the presentation, which contained techniques Lynn said could bring the Internet to its knees." Not all is good news, though. jzeejunk writes "The FBI is investigating computer security researcher Michael Lynn for criminal conduct after he revealed that critical routers supporting the internet and many networks have a serious software flaw that could allow someone to crash or take control of them."
What a load of horseshit. Lynn follows his conscience and speaks up about Cisco's security vulnerabilities, and not only is he severely slapped down by this permanent injunction (which I don't consider 'good news' in any sense), but now the FBI has decided to get involved. It'll be chilling to watch them pull his life apart and examine each bit under a microscope over months or years.
Lynn exposed a serious security flaw that could have been used to compromise networks throughout the nation. Cisco should be rewarding him for protecting them against losses they would no doubt have experienced in the future if this flaw went unreported. As for the government, they should be pinning a medal on Lynn, not investigating him.
____
~ |rip/\/\aster /\/\onkey
The real issue at hand, at least with Cisco router owners, is not the fact that Lynn released information concerning the exploit, but the fact that Cisco would not tell anyone about it. Time and time again has shown how security through obscurity is not real security, especially when Cisco's source code had been stolen.
The reality of it is that Cisco fixed the exploit last April with a patch and no longer offers the vulnerable IOS for download on their site. The problem with that though is that they did not inform anyone what the patch fixed and who needed to download it. Most people who are vulnerable to this attack are those who have not updated to Cisco's version as of April (which are a few I'm sure. No point on upgrading a working system with a patch that could break you.)
The real problem is Cisco and their disregard to release information over a severe vulnerability in order to press forward their new OS next year.
I'm a virgo and on Slashdot. Coincidence? Yes.
Needs to be spread if we're to expect cisco to fix it.
Again... how is this "illegal". When ford sold the pinto's that blew up when rearended, were mechanic's and insurance agenst who brought it to the light of the public sued? If you make a faulty design, you shouldn't have grounds to sue anyone who points it out. It's your own fault and no one else's. I didn't see the guy who figured out you could open all those bike locks with a bic pen going to prison or being investigated by the fbi...
Can you imagine the chaos?
I bet some people would even end up going outside.
I would probably crawl up into a ball and cry until it was fixed; with my girlfriend consoling me.
I suppose I could look through my old cached history of webpages and pretend that I was online!
...and told us that it will be the year we all live in from now on.
Regardless of what you think about Lynn's tactics, or Cisco's, or ISS's, or Blackhat's, the bottom line is that the FBI is now investigating. The government is going after a private citizen for releasing information about routers, because it's "critical to the national ingfrastructure". How long before pinging a router is an "investigable offence" for causing a drop in router resources?
libertarianswag.com
What exactly was CISCO suing over? It seems to me that CISCO didn't like what he had to say, but that doesn't give you a right to sue somebody. Obviously, they weren't alleging libel or slander, since everything he said was apparently true. I don't recall allegations that he misappropriated trade secrets or something. Did he just give up so that he didn't have to defend a baseless suit?
Was his disclosure good for the internet in the short term? Probably not. However, unless there is some law that I'm missing, describing how to use a bomb is not the same as advocating that it be used.
I don't practice what I preach because I'm not the kind of person that I'm preaching to.
First, according to this new article, Lynn would have been allowed to speak if Cisco was allowed to speak as well.
In other words, give Cisco the opportunity to explain that patching vulnerabilities in major commercial vendor-supported code isn't just something that happens instantaneously. I'm not saying Cisco is completely in the clear here, but no everything shouldn't be open source, and patching shouldn't/can't happen like it does in the open source community. Some people will no doubt fundamentally or philosophically disagree with this, but in major network infrastructure, there is a place for stable, predictable commercial support. Along with that sometimes comes commercial and/or proprietary code - code which is kept proprietary for competitive advantage. This is not to say that flaws should not be revealed for the good of all, but speaking in generalities here, broadcasting everything as loudly and widely as possible to the public isn't necessarily the best way to address issues. Nor is hiding things in obscurity. But there is a scale here, and it's NOT black and white.
Further, the FBI is investigating not because of some corporatist government conspiracy, and is not being used as Cisco's own "police force". It is investigating a claim of a complaint it received, as it is compelled to do by its very reason for existence, and doesn't even know if a crime has been committed. Would you want law enforcement agencies to not investigate allegations of crime, whatever your opinion of this particular instance aside?
Even Lynn's own lawyer says "that she thought the agency was simply following through on a complaint it received when Cisco and ISS filed their lawsuit against Lynn and that it didn't come after her client reached his settlement. She didn't know the nature of the complaint but said it was probably something to do with intellectual property and that it most likely came from Cisco or ISS.
Granick said she did not think the FBI would arrest Lynn.
"Definitely not," she said. "I don't have any sense at all that that's where they're going. I don't know what the circumstances are under which anyone contacted the FBI. It may very well be that given that we settled the civil case yesterday, this is over."
So please, let's not overreact.
I found this linked on Nick84's site (http://www.rootsecure.net/): http://www.infowarrior.org/users/rforno/lynn-cisco .pdf
If I'm correct, it's the slides that were taken off of the hand out cd.
Another link from a Wired article:
http://cryptome.org/lynn-cisco.zip
Irongeek's Hacking Videos / Security Videos and Articles
Also, if Cisco did know about it and kept it under wraps while they worked on the problem I call that common sense not secrecy. How would you like it if someone posted a sign on your street giving the code to your alarm system or garage door opener?
You got any karma man? I really neeed it. Just a little hit! Come on!
"There's no arrest warrant for (Lynn) and there are no charges filed and no case pending," Granick said. "There may never be. But they got a complaint and as a result they were doing some investigation."
In other words, probably not really in trouble with the FBI.
The world's only surviving livewriter.
No, sometimes this is the only way to make progress. Companies (more appropriately managers) are content to live in the dark on security issues instead of dealing with them. In my experience, money is the only concern in respect to most PHB's, and the only way to make a change is to expose it in a critical manner. I applaude this guy.
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
FBI investigation =/= FBI hunting you down and cracking down on you and your ilk Just think for a moment about how many thousands things the FBI is currently "investigating" that you will never hear about.
I never spellcheck and I freely admit it. Save your karma for more worthwhile "lol erorrs" replies
"The FBI is investigating computer security researcher Michael Lynn for criminal conduct after he revealed that critical routers supporting the internet and many networks have a serious software flaw that could allow someone to crash or take control of them."
The FBI is investigating Michael Lynn... after he revealed ...
Congress shall make no law ... abridging the freedom of speech, or of the press.
He's being investigated for what, now? Talking?
Secession is the right of all sentient beings.
He wasn't revealing state secrets, and he didn't "yell fire in a crowded theater."
Someone should challenge the trade-secret-protection criminal laws on 1st ammendment grounds - yes, there is tort, and yes, restraining orders may be appropriate in rare circumstances, but a criminal conviction, I think not. It's time to give the local jury pool a lesson on free speech and jury nullification.
I hope they drop this ASAP, and if they don't, the ACLU should get involved. This is America, not Soviet Russia.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
there are channels he could have gone through that would have made Cisco aware of the problem (if they weren't already) without endangering the safety of the nation's network by talking to a bunch of black hats!
Two things:
First, Cisco was already aware of the problem and had released a patch for it last April.
Second, Blackhat is not about blackhats. It is about security and is visited by some of the most renown security professionals including ranking officials in the CIA, NSA, and other 3 letter acronyms.
I'm a virgo and on Slashdot. Coincidence? Yes.
The hole exists. Sometimes it takes shouting about it to get it fixed. He gave them time. If you think 3+ months is enough time or not is a debatable point. But he DID notify them through channels.
before everybody starts yelling about the need for these things to be reported, there are channels he could have gone through that would have made Cisco aware of the problem
Cisco was aware, in fact they were originally supposed to be co-presenting with him. Lynn contacted them four months ago. The problem is many of their customers were not aware of the problem, and despite reports to the contrary, while the exploit used to get onto the system has been fixed for a while, the ability to run arbitrary code has not. Now Cisco is working to abstract their hardware layer. Put these two items together and you get new routers, with a flaw, where a single, generic exploit can take them all out.
I know a lot less about networking and networking security than Mr. Lynn. I am willing to believe, however, that he would not give up a good, paying job and risk his future employment prospects unless he felt that this was a real and serious risk. Whistleblowers need to be protected and companies that willfully disregard warnings that their incompetence is threatening vital business and communications infrastructure around the world are the ones who should be investigated, not Mr. Lynn.
If we're not allowed to test holes, it reminds me of that old saying, "Who will guard the guards?"
How is this funny or relevant?
Since when is it evil for a law enforcement agency to follow up on a complaint, even if the complaint is later found to be invalid? Or should law enforcement agencies be able to predict the future, and just skip the investigative step, and automatically know whether a crime has been committed? It might have been absurd or vindictive for ISS and/or Cisco to approach the FBI, but when someone approaches the FBI and claims a crime has been committed, would you prefer that the FBI did nothing? It HAS to investigate, just like the police still respond to even 911 hangups. If nothing is wrong and no crime has been committed, it's dropped. But when a complaint is initiated, the investigative step MUST take place, else, how would law enforcement even function?
The FBI is most likely investigating to determine whether there is a case against Lynn. If they find something in the DMCA that he has run afoul of, most likely they'll prosecute.
I've been writing letters to my Congressman and Senators about the DMCA for some time, but they're not listening. Until we can get legislators in office who actually understand how the DMCA casts a chill on issues like the Lynn fiasco, this sort of thing will continue.
My feeling is that unfortunately this just isn't a big enough issue on Joe Citizen's radar. There's a war in Iraq, the government is spending money like it's going out of style, there are disagreements over almost every social issue imaginable, and that monster SUV he bought last year now costs him $85/week to fill up. Some computer guy revealing Cisco vulnerabilities isn't high on his list, so it won't be high on his legislators' lists either.
Read the EFF's Fair Use FAQ
...between "security through obscurity" and attempting to hide vulnerabilities, and broadcasting security issues as loudly as possible at public forums.
Both are harmful, and neither benefit security optimally.
As with most things, the most beneficial position is usually a balance between extremes.
Wile E. Coyote can walk off a cliff and doesn't fall - until the Roadrunner points out there's no ground under his feet.
Apparently the FBI thinks computer security works the same way.
Weaselmancer
rediculous.
Of course, with the internet down we could all agree to meet and pretend to chat with each other in the big blue room. I'd even be willing to use my face to emulate emoticons, if that'll help.
In soviet russia this is funny and relevant.
Why didn't he blow the whistle to the US-CERT, then? Yeah, this is a good idea, let's present it at a Black Hat convention. Jeez
Do you have any idea who is at Black Hat these days? It is a huge security convention sponsored by hundreds of major computer and security vendors, even Microsoft is a sponsor. Heck the Department of Defense, the Army, West Point, Stanford Law School, etc. all had people giving presentations. If you want to get the word out when a major threat is being ignored, blackhat is a pretty good place to do it. It seems to have worked, don't you think?
I wonder what would happen if a large user of network equipment, who depends on that equipment operating properly to stay in business, filed against Cisco on this? After all, they know how dependent others are on their equipment, they knew their errors in coding had put those other people at risk, and they not only didn't do anything about the situation they actively tried to block information from the people who'd be harmed. Seems to me that if a dangerous situation existed and the person responsible for it actively tried to keep the people endangered from finding out about it, that's usually grounds for additional penalties against the responsible party.
Crafted IPv6 packet vulnerability.
5 0729-ipv6.shtml
s p
http://www.cisco.com/warp/public/707/cisco-sa-200
http://www.eweek.com/article2/0,1759,1841669,00.a
Upshot is that if you aren't running IPv6 on the router, this doesn't affect you.
The lesson to be learned here is that full, immediate and anonymous disclosure is the best way to publish vulnerabilities. It's too bad that vendors and law enforcement have scared the shit out of such that this is necessary, but they too have to live with the consequences of their actions.
You should always give these type of presentations at the "White Hat Security Researchers Conference of Law Enforcing Good Guys", not the "Black Hat Hacker Convention of Nefarious Ne'er-do-wells and Juvenile Deliquents".
try { do() || do_not(); } catch (JediException err) { yoda(err); }
Cisco Internetwork Operating System (IOS®) Software is vulnerable to a Denial of Service (DoS) and potentially an arbitrary code execution attack from a specifically crafted IPv6 packet. The packet must be sent from a local network segment. Only devices that have been explicitly configured to process IPv6 traffic are affected. Upon successful exploitation, the device may reload or be open to further exploitation.
Cisco has made free software available to address this vulnerability for all affected customers.
I may just be a simple Canadian, but wouldn't common sense dictate that this should read: Lynn awarded medal by greatful country, and FBI investigates Cisco Systems for possible negligance which would endanger the entire Country. Ok perhaps a bit long winded, but really come on people get with the program! Corporations seem to be getting out of control with the amount of power given to them. There are so many things wrong with this its unreal. First off is (seemingly) a Corporation influancing the FBI, a Federal Law enforcement adjency!
The bottom line is that Lynn is a whistle blower, and the FBI should be investigating Cisco for innappropiate conduct by trying to hide (not fix) a serious vunrability that could effect the entire country.
The whole thing sickens me.
In the mean time, time to do a Freenet search for his paper. I can't believe all of the copies were destroyed.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
I read the presentation. (here).
Lynn shows how to do a remote exploit on Cisco's firmware. This is impressive because the router runs software that attempts to detect inconsistencies. It will reset itself and start up afresh. The big deal is that Lynn shows how an exploit can fix things up and avoid those measures. Basically, his technique is like a ninja, that breaks into a building through a window, but then immediately reassembles the window before the security guard making his rounds can notice that the window got destroyed. That's it!
There's no indication Lynn stole ANYTHING from Cisco, or broke any law.
Lynn apparently "reverse engineered" the OS in order to do this. That's usually fine; it is his right to do that.
Considering this, I'm pretty pissed that Cisco's spokeswoman, Mojdan Khalili, said that Lynn broke the law (without saying what law it was). I think that could be libel (or slander -- I'm not a lawyer) -- in any case, Mojdan Khalili, working for Cisco, just ruined this guys rep, and sicced the FBI on his ass.
Perhaps if you write her, she will get Cisco to ask the FBI to lay off the good researcher (ask her to have Cisco "take it all back"). From yesterday, here's her contact info:
978-936-1297 mkhalili@cisco.com
Also, some total jerk looked up her address and posted it (here). I think that's totally inappropriate; if you show up on her doorstep and bother her, I hope she calls the FBI on you, you freak!
http://www.thebricktestament.com/the_law/when_to_
They could always pay to have it fixed. The author says much of the code is secure, so why not take undertake a massive effort to overhaul the suspect portions, and then offer a $75 cash incentive for each router a tech patches or a substantial discount for a replacement router? They do have serial #'s so patching could be tracked, perhaps they could even use some relatively inexpensive hardware or software verification module. It could generate a code to verify proper patch status, or even incorporate patching functions in this simple device.
This might hurt business less in the long run than a widespread, debilitating breakdown. It will be expensive, probably ~$120 a pop in the end, considering payout, as well as the cost of verification hardware/software devlopment and production, but they'll reduce the destruction for their customer's businesses and to their own image.
I don't know just how much this would cut into Cisco's revenues, which would of course reduce short term profits and thus investment interest. Someone up there should be weighing something like this though, however painful it sounds. It would also set Cisco apart in market where cheaper competitors are taking away Cisco's profits. How many of them would go to such lengths in the event of a vulnerability? Companies love insuring themselves against everything.
In other words, give Cisco the opportunity to explain that patching vulnerabilities in major commercial vendor-supported code isn't just something that happens instantaneously.
He gave Cisco *FOUR MONTHS* to fix it, which is hardly "instantaneous".
Cisco Internetwork Operating System (IOS®) Software is vulnerable to a Denial of Service (DoS) and potentially an arbitrary code execution attack from a specifically crafted IPv6 packet. The packet must be sent from a local network segment. Only devices that have been explicitly configured to process IPv6 traffic are affected. Upon successful exploitation, the device may reload or be open to further exploitation.
You are being MICROattacked, from various angles, in a SOFT manner.
Sibel Edmunds. The interesting thing about her if you believe the rumours, is that this may also hit democrats just as hard as the republicans. Supposedly, it will topple GWB's admin, but it may put ex-clinton ppl in prison as well.
I prefer the "u" in honour as it seems to be missing these days.