Slashdot Mirror

← Back to Stories (view on slashdot.org)

Lynn Settles With Cisco, Investigated By FBI

Posted by Zonk on from the bad-friday dept.

Following up on yesterday's story, daria42 writes "Security researcher Michael Lynn has settled a dispute with Cisco over his presentation on hacking the company's routers, which was given at the Black Hat security conference in Las Vegas this week. The two parties and Black Hat organisers have agreed not to further discuss the presentation, which contained techniques Lynn said could bring the Internet to its knees." Not all is good news, though. jzeejunk writes "The FBI is investigating computer security researcher Michael Lynn for criminal conduct after he revealed that critical routers supporting the internet and many networks have a serious software flaw that could allow someone to crash or take control of them."

34 of 357 comments (clear)

  1. No good deed goes unpunished. by TripMaster+Monkey · · Score: 3, Insightful


    What a load of horseshit. Lynn follows his conscience and speaks up about Cisco's security vulnerabilities, and not only is he severely slapped down by this permanent injunction (which I don't consider 'good news' in any sense), but now the FBI has decided to get involved. It'll be chilling to watch them pull his life apart and examine each bit under a microscope over months or years.

    Lynn exposed a serious security flaw that could have been used to compromise networks throughout the nation. Cisco should be rewarding him for protecting them against losses they would no doubt have experienced in the future if this flaw went unreported. As for the government, they should be pinning a medal on Lynn, not investigating him.

    --
    ____

    ~ |rip/\/\aster /\/\onkey

    1. Re:No good deed goes unpunished. by Stevix · · Score: 5, Insightful

      the issue is also about how he reported the flaw, not just tha he did. Cisco has its own vunerability submission protocols in house, be he instead showed his findings at a Black Hat conference instead, exposing it to any savvy hacker willing to act on them.

    2. Re:No good deed goes unpunished. by daveschroeder · · Score: 4, Insightful

      Actually, the FBI has not "decided" to get involved. Lynn's own lawyer says she believes the FBI is merely following up on a complaint that it received from either Cisco or ISS before the settlement was reached. In other words, Cisco or ISS may have been (inappropriately or not, depending on your stand on trade secrets) attempting to silence Lynn, but the FBI wasn't just doing this on its own. Is the FBI not supposed to investigate allegations of crime? The FBI doesn't even know whether a crime has been committed.

      Further, Lynn himself admitted that the vulnerability had already been patched by a Cisco update. Lynn's issue is that he didn't believe Cisco presented the vulnerability (or its patch) in an urgent enough fashion.

      And "the government" isn't doing anything save for investigating an allegation of a crime, as it is charged with doing when it receives a complaint. Should the police no longer respond when 911 is dialed unless it's absolutely certain a crime is being committed? Is this not what "investigation" is for? Sorry, I don't buy into the conspiracies.

    3. Re:No good deed goes unpunished. by wfberg · · Score: 4, Interesting

      the issue is also about how he reported the flaw, not just tha he did. Cisco has its own vunerability submission protocols in house, be he instead showed his findings at a Black Hat conference instead, exposing it to any savvy hacker willing to act on them.

      Yes, and this is exactly why the FBI should get involved! The army has stringent oversight procedures for this sort of thing, and to reveal flaws in top-secret installations without even going up the chain of command is tantamount to treason!

      Oh wait. The dude isn't in the army. Or in government. Actually, his former employer settled the case. So the overriding federal government interest in this is...? Why, you might be forgiven to think "nothing at all, in fact, this sort of thing is precisely why such liberties as freedom of the press exist; even though this is a lone individual, surely some type of whistle-blower protection would exist that covers this, otherwise the public would never be made aware of critical flaws in the nation's privately-owned infrastructur until it was too late!"

      But apparently, you'd be wrong. You see, by merely mentioning, without even going in to much specifics, that it might be possible for some-one else to exploit a flaw in Cisco's equipment, this guy has clearly commited a thought-crime. That's because warning people about security flaws is exactly the same as instructing people in cyberwarfare, and issueing commands to them to act on your behalve to bring down Western Civilization as we know it. You see, no difference there at all.

      Of course, this is also why trains never run on time. If the published time tables were accurate, the railways would get prosecuted by the FBI for inviting people to commit suicide by throwing themselves in front of the 18:02 train.. Bet you didn't know that!

      --
      SCO employee? Check out the bounty
    4. Re:No good deed goes unpunished. by James_Aguilar · · Score: 3, Insightful

      Well, first of all, it's not "undoubted" that Cisco would have experienced losses if the flaw had gone unreported. According to them, they were busy fixing it, and though I know we hate to listen to the big evil corporations, there is the slightest possibility that they weren't lying.

      Second, it's Cisco's right to do what they want with his research, since he did *break the law* in order to release it ( decompiling code + license agreement -> ?=( ). Following your conscience (in a way that was by some reports rash and poorly thought out) does not necessarily give you immunity from the consequences of your action.

      As a security researcher, he of all people, should know the high stakes in that game. It's not like either Cisco's or the FBI's actions couldn't have been anticipated by anyone who thought the whole thing through to its logical conclusion. Hopefully, he had prepared himself for the inevitable results of his actions before he took them. Otherwise, I feel really bad for him.

    5. Re:No good deed goes unpunished. by cpeikert · · Score: 4, Informative

      Further, Lynn himself admitted that the vulnerability had already been patched by a Cisco update.

      One specific buffer overflow vulnerability was patched. But Lynn's presentation was a general approach to exploit any buffer overflow, with dire consequences. There is likely more exploitable code inside those routers; it's just a matter of time before some is found. At that point Lynn's attack could be executed.

    6. Re:No good deed goes unpunished. by goldspider · · Score: 5, Insightful
      "...because warning people about security flaws is exactly the same as instructing people in cyberwarfare, and issueing commands to them to act on your behalve to bring down Western Civilization as we know it."

      Nice strawman, but that of course isn't what the (predictably modded-down) parent said.

      All he's saying is that you shouldn't be surprised when the FBI investigates you after you tell a whole conference of interested parties how to take down a critical infrastructure.

      --
      "Ask not what your country can do for you." --John F. Kennedy
    7. Re:No good deed goes unpunished. by Alien+Being · · Score: 3, Insightful

      Right, and they'll claim that her identify is supersensitive, yet they won't prosecute someone who publishes the info (Novak). They will, however, prosecute someone who protects the info(Miller).

      For crying out loud people, just because you voted for Bush doesn't mean you owe him your undying support. Oust the bastard. This shit makes Watergate look like a college prank.

    8. Re:No good deed goes unpunished. by PriceIke · · Score: 4, Interesting

      Actually, what Sandy Burger did makes Watergate AND this Plame nonsense look like a college prank. But I don't see any outrage in Mediaville over that.

      I'm sorry, was that off-topic? Well, since the parent was modded "interesting" I guess it isn't.

      --
      It's not a lie. It's the truth with lossy compression.
    9. Re:No good deed goes unpunished. by mcclungsr · · Score: 4, Insightful

      Second, it's Cisco's right to do what they want with his research, since he did *break the law* in order to release it ( decompiling code + license agreement -> ?=( ).

      I'm not a lawyer of course, but a license agreement is essentially a contract, right? Aren't you implying that he committed a crime, when this is perhaps a breach of contract? I could be mistaken.

      Even if it was a crime, does that really give Cisco any rights to his work at all?

    10. Re:No good deed goes unpunished. by cayenne8 · · Score: 3, Insightful
      "All he's saying is that you shouldn't be surprised when the FBI investigates you after you tell a whole conference of interested parties how to take down a critical infrastructure."

      I guess I'm at a loss here....how is this not protected under free speech, and therefore not subject to start an investigation into some illegality. He wasn't inciting people to do anything wrong (rioting, etc)...he merely gave a presentation stating facts as his research had shown him...

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    11. Re:No good deed goes unpunished. by cayenne8 · · Score: 3, Insightful
      "He had to break the law to get the information he got so why should he be investigated. Not only did he break the law but he published his research so that malicious hackers will have a specific area to target."

      Exactly what law did he break? He reversed engineered as part of research Cisco routers. He gave a presentation that is clearly protected free speech. Just because you give information, that if used wrong, would harm something, as long as you're not inciting or telling people to cause harm to others....you've broken no law.

      There's tons of books out there that tell you how to make an atomic bomb...perfectly legal. You can describe pressure points on the human, that can kill, etc. Information is free to dissiminate. It is a tough part of free speech, but, really who are YOU going to trust to limit it, and say what information can and cannot be released?

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  2. The real issue is... by maotx · · Score: 5, Informative

    The real issue at hand, at least with Cisco router owners, is not the fact that Lynn released information concerning the exploit, but the fact that Cisco would not tell anyone about it. Time and time again has shown how security through obscurity is not real security, especially when Cisco's source code had been stolen.

    The reality of it is that Cisco fixed the exploit last April with a patch and no longer offers the vulnerable IOS for download on their site. The problem with that though is that they did not inform anyone what the patch fixed and who needed to download it. Most people who are vulnerable to this attack are those who have not updated to Cisco's version as of April (which are a few I'm sure. No point on upgrading a working system with a patch that could break you.)
    The real problem is Cisco and their disregard to release information over a severe vulnerability in order to press forward their new OS next year.

    --
    I'm a virgo and on Slashdot. Coincidence? Yes.
  3. BS by Anonymous Coward · · Score: 5, Insightful

    Again... how is this "illegal". When ford sold the pinto's that blew up when rearended, were mechanic's and insurance agenst who brought it to the light of the public sued? If you make a faulty design, you shouldn't have grounds to sue anyone who points it out. It's your own fault and no one else's. I didn't see the guy who figured out you could open all those bike locks with a bic pen going to prison or being investigated by the fbi...

  4. Goodness... by coop0030 · · Score: 4, Funny
    which contained techniques Lynn said could bring the Internet to its knees.


    Can you imagine the chaos?

    I bet some people would even end up going outside.

    I would probably crawl up into a ball and cry until it was fixed; with my girlfriend consoling me.

    I suppose I could look through my old cached history of webpages and pretend that I was online!
  5. 1984 Called... by bc90021 · · Score: 5, Insightful

    ...and told us that it will be the year we all live in from now on.

    Regardless of what you think about Lynn's tactics, or Cisco's, or ISS's, or Blackhat's, the bottom line is that the FBI is now investigating. The government is going after a private citizen for releasing information about routers, because it's "critical to the national ingfrastructure". How long before pinging a router is an "investigable offence" for causing a drop in router resources?

    --
    libertarianswag.com
    1. Re:1984 Called... by brer_rabbit · · Score: 3, Funny

      1984 is fine by me. Another year of playing Beach Head on the C64 while rockin' out to Frankie Goes to Hollywood would be good.

  6. PDF of the Presentation by Irongeek_ADC · · Score: 5, Informative

    I found this linked on Nick84's site (http://www.rootsecure.net/): http://www.infowarrior.org/users/rforno/lynn-cisco .pdf If I'm correct, it's the slides that were taken off of the hand out cd. Another link from a Wired article: http://cryptome.org/lynn-cisco.zip

    --
    Irongeek's Hacking Videos / Security Videos and Articles
  7. TFA by MrAndrews · · Score: 3, Informative

    "There's no arrest warrant for (Lynn) and there are no charges filed and no case pending," Granick said. "There may never be. But they got a complaint and as a result they were doing some investigation."

    In other words, probably not really in trouble with the FBI.

    --
    The world's only surviving livewriter.
  8. Re:I hope they nail him to the wall! by dj_cel · · Score: 3, Interesting

    No, sometimes this is the only way to make progress. Companies (more appropriately managers) are content to live in the dark on security issues instead of dealing with them. In my experience, money is the only concern in respect to most PHB's, and the only way to make a change is to expose it in a critical manner. I applaude this guy.

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
  9. Let's cut the tinfoil a bit by BlackCobra43 · · Score: 3, Insightful

    FBI investigation =/= FBI hunting you down and cracking down on you and your ilk Just think for a moment about how many thousands things the FBI is currently "investigating" that you will never hear about.

    --
    I never spellcheck and I freely admit it. Save your karma for more worthwhile "lol erorrs" replies
  10. Free speech by jdavidb · · Score: 3, Insightful

    "The FBI is investigating computer security researcher Michael Lynn for criminal conduct after he revealed that critical routers supporting the internet and many networks have a serious software flaw that could allow someone to crash or take control of them."

    The FBI is investigating Michael Lynn... after he revealed ...

    Congress shall make no law ... abridging the freedom of speech, or of the press.

    He's being investigated for what, now? Talking?

    --
    Secession is the right of all sentient beings.
  11. This doesn't pass the "fire in theater" test by davidwr · · Score: 3, Insightful

    He wasn't revealing state secrets, and he didn't "yell fire in a crowded theater."

    Someone should challenge the trade-secret-protection criminal laws on 1st ammendment grounds - yes, there is tort, and yes, restraining orders may be appropriate in rare circumstances, but a criminal conviction, I think not. It's time to give the local jury pool a lesson on free speech and jury nullification.

    I hope they drop this ASAP, and if they don't, the ACLU should get involved. This is America, not Soviet Russia.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  12. Re:I hope they nail him to the wall! by maotx · · Score: 4, Insightful

    there are channels he could have gone through that would have made Cisco aware of the problem (if they weren't already) without endangering the safety of the nation's network by talking to a bunch of black hats!

    Two things:
    First, Cisco was already aware of the problem and had released a patch for it last April.

    Second, Blackhat is not about blackhats. It is about security and is visited by some of the most renown security professionals including ranking officials in the CIA, NSA, and other 3 letter acronyms.

    --
    I'm a virgo and on Slashdot. Coincidence? Yes.
  13. Re:I hope they nail him to the wall! by LurkerXXX · · Score: 4, Insightful
    He did inform them. Many months ago. They've had a fix out for 3 months for part of the problem he pinted out. They haven't fixed the rest yet. He went through the right channels. They haven't fixed it yet. There have been many many examples with them, Microsoft, and even recently mozilla, where bugs were reported and the vendor took over a year to finally getting around to fix the problem. And that was only after the problem had been 'leaked' to the public.

    The hole exists. Sometimes it takes shouting about it to get it fixed. He gave them time. If you think 3+ months is enough time or not is a debatable point. But he DID notify them through channels.

  14. Re:I hope they nail him to the wall! by 99BottlesOfBeerInMyF · · Score: 4, Insightful

    before everybody starts yelling about the need for these things to be reported, there are channels he could have gone through that would have made Cisco aware of the problem

    Cisco was aware, in fact they were originally supposed to be co-presenting with him. Lynn contacted them four months ago. The problem is many of their customers were not aware of the problem, and despite reports to the contrary, while the exploit used to get onto the system has been fixed for a while, the ability to run arbitrary code has not. Now Cisco is working to abstract their hardware layer. Put these two items together and you get new routers, with a flaw, where a single, generic exploit can take them all out.

    I know a lot less about networking and networking security than Mr. Lynn. I am willing to believe, however, that he would not give up a good, paying job and risk his future employment prospects unless he felt that this was a real and serious risk. Whistleblowers need to be protected and companies that willfully disregard warnings that their incompetence is threatening vital business and communications infrastructure around the world are the ones who should be investigated, not Mr. Lynn.

  15. There is a range... by daveschroeder · · Score: 3, Insightful

    ...between "security through obscurity" and attempting to hide vulnerabilities, and broadcasting security issues as loudly as possible at public forums.

    Both are harmful, and neither benefit security optimally.

    As with most things, the most beneficial position is usually a balance between extremes.

  16. Wile E. Coyote school of security by Weaselmancer · · Score: 5, Insightful

    Wile E. Coyote can walk off a cliff and doesn't fall - until the Roadrunner points out there's no ground under his feet.

    Apparently the FBI thinks computer security works the same way.

    --
    Weaselmancer
    rediculous.
  17. Cisco discloses actual vulnerability by mdouglas · · Score: 3, Informative

    Crafted IPv6 packet vulnerability.

    http://www.cisco.com/warp/public/707/cisco-sa-2005 0729-ipv6.shtml

    http://www.eweek.com/article2/0,1759,1841669,00.as p

    Upshot is that if you aren't running IPv6 on the router, this doesn't affect you.

  18. Big mistake - wrong conference by ch-chuck · · Score: 3, Funny

    You should always give these type of presentations at the "White Hat Security Researchers Conference of Law Enforcing Good Guys", not the "Black Hat Hacker Convention of Nefarious Ne'er-do-wells and Juvenile Deliquents".

    --
    try { do() || do_not(); } catch (JediException err) { yoda(err); }
  19. Wow my Hats off to you Americans by DarthVain · · Score: 4, Insightful

    I may just be a simple Canadian, but wouldn't common sense dictate that this should read: Lynn awarded medal by greatful country, and FBI investigates Cisco Systems for possible negligance which would endanger the entire Country. Ok perhaps a bit long winded, but really come on people get with the program! Corporations seem to be getting out of control with the amount of power given to them. There are so many things wrong with this its unreal. First off is (seemingly) a Corporation influancing the FBI, a Federal Law enforcement adjency!

    The bottom line is that Lynn is a whistle blower, and the FBI should be investigating Cisco for innappropiate conduct by trying to hide (not fix) a serious vunrability that could effect the entire country.

    The whole thing sickens me.

  20. Re:It may or may not be illegal by Dan+Ost · · Score: 3, Insightful

    While I would be the first to agree that a healthy amount of cynicism is, well, healthy, too much cynicism is as dangerous as not enough. The truth is that there are still lawmakers who value the opinions of their constituents, especially if their constituent attempts to educate them on an issue that they were ignorant of.

    It may not look like it from the outside, but I would suspect that the majority of lawmakers still attempt to cling to the ideals they started with and, when given the opportunity, will attempt to act according to them.

    Don't limit your options just because cynicism dicates that they're pointless. You might be right and it's a wasted effort, but if you're wrong, you've voluntarily missed an opportunity.

    --

    *sigh* back to work...
  21. I looked at the presentation! by putko · · Score: 4, Interesting

    I read the presentation. (here).

    Lynn shows how to do a remote exploit on Cisco's firmware. This is impressive because the router runs software that attempts to detect inconsistencies. It will reset itself and start up afresh. The big deal is that Lynn shows how an exploit can fix things up and avoid those measures. Basically, his technique is like a ninja, that breaks into a building through a window, but then immediately reassembles the window before the security guard making his rounds can notice that the window got destroyed. That's it!

    There's no indication Lynn stole ANYTHING from Cisco, or broke any law.

    Lynn apparently "reverse engineered" the OS in order to do this. That's usually fine; it is his right to do that.

    Considering this, I'm pretty pissed that Cisco's spokeswoman, Mojdan Khalili, said that Lynn broke the law (without saying what law it was). I think that could be libel (or slander -- I'm not a lawyer) -- in any case, Mojdan Khalili, working for Cisco, just ruined this guys rep, and sicced the FBI on his ass.

    Perhaps if you write her, she will get Cisco to ask the FBI to lay off the good researcher (ask her to have Cisco "take it all back"). From yesterday, here's her contact info:

    978-936-1297 mkhalili@cisco.com

    Also, some total jerk looked up her address and posted it (here). I think that's totally inappropriate; if you show up on her doorstep and bother her, I hope she calls the FBI on you, you freak!

    --
    http://www.thebricktestament.com/the_law/when_to_s tone_your_children/dt21_18a.html
  22. You are making a *LARGE* assumption... by schon · · Score: 3, Informative

    In other words, give Cisco the opportunity to explain that patching vulnerabilities in major commercial vendor-supported code isn't just something that happens instantaneously.

    He gave Cisco *FOUR MONTHS* to fix it, which is hardly "instantaneous".