Lynn Settles With Cisco, Investigated By FBI

Following up on yesterday's story, daria42 writes "Security researcher Michael Lynn has settled a dispute with Cisco over his presentation on hacking the company's routers, which was given at the Black Hat security conference in Las Vegas this week. The two parties and Black Hat organisers have agreed not to further discuss the presentation, which contained techniques Lynn said could bring the Internet to its knees." Not all is good news, though. jzeejunk writes "The FBI is investigating computer security researcher Michael Lynn for criminal conduct after he revealed that critical routers supporting the internet and many networks have a serious software flaw that could allow someone to crash or take control of them."

The real issue is...

[maotx]

The real issue at hand, at least with Cisco router owners, is not the fact that Lynn released information concerning the exploit, but the fact that Cisco would not tell anyone about it. Time and time again has shown how security through obscurity is not real security, especially when Cisco's source code had been stolen.

The reality of it is that Cisco fixed the exploit last April with a patch and no longer offers the vulnerable IOS for download on their site. The problem with that though is that they did not inform anyone what the patch fixed and who needed to download it. Most people who are vulnerable to this attack are those who have not updated to Cisco's version as of April (which are a few I'm sure. No point on upgrading a working system with a patch that could break you.)
The real problem is Cisco and their disregard to release information over a severe vulnerability in order to press forward their new OS next year.

BS

Again... how is this "illegal". When ford sold the pinto's that blew up when rearended, were mechanic's and insurance agenst who brought it to the light of the public sued? If you make a faulty design, you shouldn't have grounds to sue anyone who points it out. It's your own fault and no one else's. I didn't see the guy who figured out you could open all those bike locks with a bic pen going to prison or being investigated by the fbi...

1984 Called...

[bc90021]

...and told us that it will be the year we all live in from now on.

Regardless of what you think about Lynn's tactics, or Cisco's, or ISS's, or Blackhat's, the bottom line is that the FBI is now investigating. The government is going after a private citizen for releasing information about routers, because it's "critical to the national ingfrastructure". How long before pinging a router is an "investigable offence" for causing a drop in router resources?

PDF of the Presentation

[Irongeek_ADC]

I found this linked on Nick84's site (http://www.rootsecure.net/): http://www.infowarrior.org/users/rforno/lynn-cisco .pdf If I'm correct, it's the slides that were taken off of the hand out cd. Another link from a Wired article: http://cryptome.org/lynn-cisco.zip

Re:No good deed goes unpunished.

[Stevix]

the issue is also about how he reported the flaw, not just tha he did. Cisco has its own vunerability submission protocols in house, be he instead showed his findings at a Black Hat conference instead, exposing it to any savvy hacker willing to act on them.

Wile E. Coyote school of security

[Weaselmancer]

Wile E. Coyote can walk off a cliff and doesn't fall - until the Roadrunner points out there's no ground under his feet.

Apparently the FBI thinks computer security works the same way.

Re:No good deed goes unpunished.

[goldspider]

"...because warning people about security flaws is exactly the same as instructing people in cyberwarfare, and issueing commands to them to act on your behalve to bring down Western Civilization as we know it."

Nice strawman, but that of course isn't what the (predictably modded-down) parent said.

All he's saying is that you shouldn't be surprised when the FBI investigates you after you tell a whole conference of interested parties how to take down a critical infrastructure.