Slashdot Mirror


Lynn Settles With Cisco, Investigated By FBI

Following up on yesterday's story, daria42 writes "Security researcher Michael Lynn has settled a dispute with Cisco over his presentation on hacking the company's routers, which was given at the Black Hat security conference in Las Vegas this week. The two parties and Black Hat organisers have agreed not to further discuss the presentation, which contained techniques Lynn said could bring the Internet to its knees." Not all is good news, though. jzeejunk writes "The FBI is investigating computer security researcher Michael Lynn for criminal conduct after he revealed that critical routers supporting the internet and many networks have a serious software flaw that could allow someone to crash or take control of them."

18 of 357 comments

  1. The real issue is... by maotx · Score: 5, Informative

    The real issue at hand, at least with Cisco router owners, is not the fact that Lynn released information concerning the exploit, but the fact that Cisco would not tell anyone about it. Time and time again it has been shown that security through obscurity is not real security, especially when Cisco's source code had been stolen.

    The reality of it is that Cisco fixed the exploit last April with a patch and no longer offers the vulnerable IOS for download on their site. The problem with that, though, is that they did not inform anyone what the patch fixed and who needed to download it. Most people who are vulnerable to this attack are those who have not updated to Cisco's version as of April (of which there are a few, I'm sure. No point in upgrading a working system with a patch that could break you.)
    The real problem is Cisco and their disregard for releasing information about a severe vulnerability in order to press forward their new OS next year.

    --
    I'm a virgo and on Slashdot. Coincidence? Yes.
  2. BS by Anonymous Coward · Score: 5, Insightful

    Again... how is this "illegal"? When Ford sold the Pintos that blew up when rear-ended, were the mechanics and insurance agents who brought it to the light of the public sued? If you make a faulty design, you shouldn't have grounds to sue anyone who points it out. It's your own fault and no one else's. I didn't see the guy who figured out you could open all those bike locks with a Bic pen going to prison or being investigated by the FBI...

  3. Goodness... by coop0030 · Score: 4, Funny
    which contained techniques Lynn said could bring the Internet to its knees.


    Can you imagine the chaos?

    I bet some people would even end up going outside.

    I would probably crawl up into a ball and cry until it was fixed; with my girlfriend consoling me.

    I suppose I could look through my old cached history of webpages and pretend that I was online!
  4. 1984 Called... by bc90021 · Score: 5, Insightful

    ...and told us that it will be the year we all live in from now on.

    Regardless of what you think about Lynn's tactics, or Cisco's, or ISS's, or Black Hat's, the bottom line is that the FBI is now investigating. The government is going after a private citizen for releasing information about routers, because it's "critical to the national infrastructure". How long before pinging a router is an "investigable offence" for causing a drop in router resources?

  5. PDF of the Presentation by Irongeek_ADC · Score: 5, Informative

    I found this linked on Nick84's site (http://www.rootsecure.net/): http://www.infowarrior.org/users/rforno/lynn-cisco.pdf If I'm correct, it's the slides that were taken off of the handout CD. Another link from a Wired article: http://cryptome.org/lynn-cisco.zip

  6. Re:No good deed goes unpunished. by Stevix · Score: 5, Insightful

    The issue is also about how he reported the flaw, not just that he did. Cisco has its own vulnerability submission protocols in house, but he instead showed his findings at a Black Hat conference, exposing it to any savvy hacker willing to act on them.

  7. Re:I hope they nail him to the wall! by maotx · Score: 4, Insightful

    there are channels he could have gone through that would have made Cisco aware of the problem (if they weren't already) without endangering the safety of the nation's network by talking to a bunch of black hats!

    Two things:
    First, Cisco was already aware of the problem and had released a patch for it last April.

    Second, Black Hat is not about black hats. It is about security and is visited by some of the most renowned security professionals, including ranking officials in the CIA, NSA, and other three-letter agencies.

    --
    I'm a virgo and on Slashdot. Coincidence? Yes.
  8. Re:I hope they nail him to the wall! by LurkerXXX · Score: 4, Insightful
    He did inform them. Many months ago. They've had a fix out for 3 months for part of the problem he pointed out. They haven't fixed the rest yet. He went through the right channels. They haven't fixed it yet. There have been many, many examples with them, Microsoft, and even recently Mozilla, where bugs were reported and the vendor took over a year to finally get around to fixing the problem. And that was only after the problem had been 'leaked' to the public.

    The hole exists. Sometimes it takes shouting about it to get it fixed. He gave them time. Whether 3+ months is enough time is a debatable point. But he DID notify them through channels.

  9. Re:No good deed goes unpunished. by daveschroeder · Score: 4, Insightful

    Actually, the FBI has not "decided" to get involved. Lynn's own lawyer says she believes the FBI is merely following up on a complaint that it received from either Cisco or ISS before the settlement was reached. In other words, Cisco or ISS may have been (inappropriately or not, depending on your stand on trade secrets) attempting to silence Lynn, but the FBI wasn't just doing this on its own. Is the FBI not supposed to investigate allegations of crime? The FBI doesn't even know whether a crime has been committed.

    Further, Lynn himself admitted that the vulnerability had already been patched by a Cisco update. Lynn's issue is that he didn't believe Cisco presented the vulnerability (or its patch) in an urgent enough fashion.

    And "the government" isn't doing anything save for investigating an allegation of a crime, as it is charged with doing when it receives a complaint. Should the police no longer respond when 911 is dialed unless it's absolutely certain a crime is being committed? Is this not what "investigation" is for? Sorry, I don't buy into the conspiracies.

  10. Re:I hope they nail him to the wall! by 99BottlesOfBeerInMyF · Score: 4, Insightful

    before everybody starts yelling about the need for these things to be reported, there are channels he could have gone through that would have made Cisco aware of the problem

    Cisco was aware, in fact they were originally supposed to be co-presenting with him. Lynn contacted them four months ago. The problem is many of their customers were not aware of the problem, and despite reports to the contrary, while the exploit used to get onto the system has been fixed for a while, the ability to run arbitrary code has not. Now Cisco is working to abstract their hardware layer. Put these two items together and you get new routers, with a flaw, where a single, generic exploit can take them all out.

    I know a lot less about networking and networking security than Mr. Lynn. I am willing to believe, however, that he would not give up a good, paying job and risk his future employment prospects unless he felt that this was a real and serious risk. Whistleblowers need to be protected and companies that willfully disregard warnings that their incompetence is threatening vital business and communications infrastructure around the world are the ones who should be investigated, not Mr. Lynn.

  11. Wile E. Coyote school of security by Weaselmancer · Score: 5, Insightful

    Wile E. Coyote can walk off a cliff and doesn't fall - until the Roadrunner points out there's no ground under his feet.

    Apparently the FBI thinks computer security works the same way.

    --
    Weaselmancer
    rediculous.
  12. Re:No good deed goes unpunished. by wfberg · Score: 4, Interesting

    The issue is also about how he reported the flaw, not just that he did. Cisco has its own vulnerability submission protocols in house, but he instead showed his findings at a Black Hat conference, exposing it to any savvy hacker willing to act on them.

    Yes, and this is exactly why the FBI should get involved! The army has stringent oversight procedures for this sort of thing, and to reveal flaws in top-secret installations without even going up the chain of command is tantamount to treason!

    Oh wait. The dude isn't in the army. Or in government. Actually, his former employer settled the case. So the overriding federal government interest in this is...? Why, you might be forgiven for thinking "nothing at all; in fact, this sort of thing is precisely why such liberties as freedom of the press exist; even though this is a lone individual, surely some type of whistle-blower protection would exist that covers this, otherwise the public would never be made aware of critical flaws in the nation's privately-owned infrastructure until it was too late!"

    But apparently, you'd be wrong. You see, by merely mentioning, without even going into many specifics, that it might be possible for someone else to exploit a flaw in Cisco's equipment, this guy has clearly committed a thought-crime. That's because warning people about security flaws is exactly the same as instructing people in cyberwarfare, and issuing commands to them to act on your behalf to bring down Western Civilization as we know it. You see, no difference there at all.

    Of course, this is also why trains never run on time. If the published time tables were accurate, the railways would get prosecuted by the FBI for inviting people to commit suicide by throwing themselves in front of the 18:02 train.. Bet you didn't know that!

    --
    SCO employee? Check out the bounty
  13. Re:No good deed goes unpunished. by cpeikert · Score: 4, Informative

    Further, Lynn himself admitted that the vulnerability had already been patched by a Cisco update.

    One specific buffer overflow vulnerability was patched. But Lynn's presentation was a general approach to exploit any buffer overflow, with dire consequences. There is likely more exploitable code inside those routers; it's just a matter of time before some is found. At that point Lynn's attack could be executed.

  14. Re:No good deed goes unpunished. by goldspider · Score: 5, Insightful
    "...because warning people about security flaws is exactly the same as instructing people in cyberwarfare, and issuing commands to them to act on your behalf to bring down Western Civilization as we know it."

    Nice strawman, but that of course isn't what the (predictably modded-down) parent said.

    All he's saying is that you shouldn't be surprised when the FBI investigates you after you tell a whole conference of interested parties how to take down a critical infrastructure.

    --
    "Ask not what your country can do for you." --John F. Kennedy
  15. Wow my Hats off to you Americans by DarthVain · Score: 4, Insightful

    I may just be a simple Canadian, but wouldn't common sense dictate that this should read: Lynn awarded medal by grateful country, and FBI investigates Cisco Systems for possible negligence which would endanger the entire Country. Ok, perhaps a bit long-winded, but really, come on people, get with the program! Corporations seem to be getting out of control with the amount of power given to them. There are so many things wrong with this, it's unreal. First off is (seemingly) a Corporation influencing the FBI, a Federal Law enforcement agency!

    The bottom line is that Lynn is a whistle blower, and the FBI should be investigating Cisco for inappropriate conduct by trying to hide (not fix) a serious vulnerability that could affect the entire country.

    The whole thing sickens me.

  16. Re:No good deed goes unpunished. by PriceIke · Score: 4, Interesting

    Actually, what Sandy Berger did makes Watergate AND this Plame nonsense look like a college prank. But I don't see any outrage in Mediaville over that.

    I'm sorry, was that off-topic? Well, since the parent was modded "interesting" I guess it isn't.

    --
    It's not a lie. It's the truth with lossy compression.
  17. I looked at the presentation! by putko · Score: 4, Interesting

    I read the presentation. (here).

    Lynn shows how to do a remote exploit on Cisco's firmware. This is impressive because the router runs software that attempts to detect inconsistencies. It will reset itself and start up afresh. The big deal is that Lynn shows how an exploit can fix things up and avoid those measures. Basically, his technique is like a ninja that breaks into a building through a window, but then immediately reassembles the window before the security guard making his rounds can notice that the window got destroyed. That's it!

    There's no indication Lynn stole ANYTHING from Cisco, or broke any law.

    Lynn apparently "reverse engineered" the OS in order to do this. That's usually fine; it is his right to do that.

    Considering this, I'm pretty pissed that Cisco's spokeswoman, Mojdan Khalili, said that Lynn broke the law (without saying what law it was). I think that could be libel (or slander -- I'm not a lawyer) -- in any case, Mojdan Khalili, working for Cisco, just ruined this guy's rep, and sicced the FBI on his ass.

    Perhaps if you write her, she will get Cisco to ask the FBI to lay off the good researcher (ask her to have Cisco "take it all back"). From yesterday, here's her contact info:

    978-936-1297 mkhalili@cisco.com

    Also, some total jerk looked up her address and posted it (here). I think that's totally inappropriate; if you show up on her doorstep and bother her, I hope she calls the FBI on you, you freak!

    --
    http://www.thebricktestament.com/the_law/when_to_stone_your_children/dt21_18a.html
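  Comment 13's point (one buffer overflow was patched, but the technique works against any overflow) and comment 17's window-reassembling ninja describe the same idea: corrupt the heap, then rewrite the metadata the integrity checker inspects so the device never notices and never resets. The C below is an added toy model of that idea, not code from this page, from Lynn's slides or from Cisco: the chunk layout, the MAGIC value, the `check_heaps()` walker and the unbounded copy are all invented for illustration, and nothing here corresponds to the real IOS allocator, its checker or the bug that was patched.

```c
/* Added toy model: overflow a heap chunk, then leave behind a self-consistent
 * header so a periodic integrity checker stays happy. Constructed for
 * illustration; not Cisco IOS's allocator, checker or the patched bug. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAGIC      0xAB1234CDu   /* invented header marker */
#define NCHUNKS    3
#define CHUNK_DATA 16

/* Each allocation is preceded by a header the checker validates. */
struct chunk {
    uint32_t      magic;   /* must equal MAGIC */
    uint32_t      size;    /* payload bytes that follow the header */
    struct chunk *next;    /* forward link in the allocation list */
    struct chunk *prev;    /* back link; checker verifies next->prev == this */
    uint8_t       data[CHUNK_DATA];
};

/* Three adjacent chunks: heap[0].data is immediately followed by heap[1]. */
static struct chunk heap[NCHUNKS];

static void heap_init(void) {
    for (int i = 0; i < NCHUNKS; i++) {
        heap[i].magic = MAGIC;
        heap[i].size  = CHUNK_DATA;
        heap[i].next  = (i + 1 < NCHUNKS) ? &heap[i + 1] : NULL;
        heap[i].prev  = (i > 0) ? &heap[i - 1] : NULL;
        memset(heap[i].data, 0, CHUNK_DATA);
    }
}

/* Model of the periodic consistency check: walk the list and validate every
 * header. Returns 1 if the heap looks sane, 0 if the device would reset. */
int check_heaps(void) {
    for (struct chunk *c = &heap[0]; c != NULL; c = c->next) {
        if (c->magic != MAGIC || c->size != CHUNK_DATA) return 0;
        if (c->next != NULL && c->next->prev != c) return 0;
    }
    return 1;
}

/* The bug: an unbounded copy into heap[0]'s 16-byte payload. Anything past
 * 16 bytes lands on heap[1]'s header and data. */
static void vulnerable_copy(const uint8_t *src, size_t len) {
    uint8_t *dst = (uint8_t *)heap + offsetof(struct chunk, data);
    memcpy(dst, src, len);   /* deliberately no bound on len */
}

/* Byte at offset off of chunk i's payload, for inspecting the result. */
int chunk_data_byte(int i, int off) { return heap[i].data[off]; }

/* Naive overflow: spray 'A's. heap[1]'s header is trashed, the checker
 * notices and the target reboots; the attacker gets a crash, not control. */
int naive_overflow(void) {
    uint8_t payload[CHUNK_DATA + sizeof(struct chunk)];
    heap_init();
    memset(payload, 'A', sizeof payload);
    vulnerable_copy(payload, sizeof payload);
    return check_heaps();
}

/* Repairing overflow: the bytes that spill onto heap[1] are a forged header
 * with the right magic, size and links, so the checker is satisfied, while
 * heap[1]'s contents are now whatever the attacker chose. */
int repairing_overflow(void) {
    uint8_t payload[CHUNK_DATA + sizeof(struct chunk)];
    struct chunk forged;
    heap_init();
    memset(payload, 'A', CHUNK_DATA);          /* fills heap[0].data */
    forged.magic = MAGIC;
    forged.size  = CHUNK_DATA;
    forged.next  = &heap[2];                   /* links must still be sane */
    forged.prev  = &heap[0];
    memset(forged.data, 'B', CHUNK_DATA);      /* attacker-controlled bytes */
    memcpy(payload + CHUNK_DATA, &forged, sizeof forged);
    vulnerable_copy(payload, sizeof payload);
    return check_heaps();
}

int main(void) {
    printf("naive overflow passes checker:     %d\n", naive_overflow());
    printf("repairing overflow passes checker: %d\n", repairing_overflow());
    printf("heap[1].data[0] after repair:      %c\n", chunk_data_byte(1, 0));
    return 0;
}
```

  Compiled and run, `naive_overflow()` returns 0 (the checker fires and the box would reset) while `repairing_overflow()` returns 1 even though the attacker has just overwritten an entire neighbouring chunk. That is the generalisation comment 13 is making: a consistency checker only catches the overflow that leaves the heap inconsistent, so patching the one copy bug that exposed the technique does not take the technique away from the next overflow that gets found.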
  18. Re:No good deed goes unpunished. by mcclungsr · Score: 4, Insightful

    Second, it's Cisco's right to do what they want with his research, since he did *break the law* in order to release it ( decompiling code + license agreement -> ?=( ).

    I'm not a lawyer of course, but a license agreement is essentially a contract, right? Aren't you implying that he committed a crime, when this is perhaps a breach of contract? I could be mistaken.

    Even if it was a crime, does that really give Cisco any rights to his work at all?