Wired Interviews Mike Lynn
ndansmith writes "Wired has got an interview with Mike Lynn, who revealed a major vulnerability in Cisco IOS at Black Hat 2005 in Las Vegas, and who has subsequently become the subject of an FBI investigation. A quote from Mike Lynn: 'Cisco said, "You guys are lying. It is impossible to execute shell code on Cisco IOS." At that point (ISS) management was annoyed.... They were like, "Mike, your new research project is Cisco IOS. Go find out how to exploit bugs on Cisco IOS so we can prove these people wrong."'"
It's easy to get investigated by the FBI.
There has been a pizza van outside my house for weeks.. no wait, it's a flower delivery van now.. wait, now the telephone repair man.
lameness filter thwarted.
all your routers are belong to us
I still fail to see how this story relates to Google. Slashdot must be slipping. :)
Cover your eyes and click this link!
Apparently the FBI is a whole bureau specializing into such things.
1. I was at the talk and he mentioned that he found some of the exploits after translating chinese hacking sites. It seems our Chinese hacking brothers know a lot more than we think they do...
2. Someone mentioned that this might have been a set up to use Lynn as a scapegoat. Orchestrate a leak of the exploit and then cry to the hills about 'national security' rather than see that someone in Cisco is an incompetent fool at coding.
They are handling this whole thing all wrong. All they've done is draw more attention to this problem, and make people wonder what else they are hiding. They've succeeded in making a lot of people angry at them that are either people who influence buying their products, or people who may be active in developing attacks against their products. Neither of these groups of people are a good idea for a company like Cisco to antagonize. If they had just downplayed the whole thing, nobody but a handful of people would even know about it, and it would have blown over quickly. Now they look like jerks, and the information is all over the net and given the "forbidden fruit" syndrome, it will get spread around even more.
Start.com has been known for ages. It's a sandbox experiment, and they've already released 1 and 2 already, along with "My web". Editors messed up again? o.O
Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
I am tired of hearing about people basically volunteering to audit software and find problems, and then get accused for it. Let's go after the crackers that just read securityfocus for the latest exploit, and then exploit it so they can "vandalize." UNIX (the kind under the UNIX trademark) had many weaknesses that made it laughably insecure in its day, but dedicated hackers (not crackers, I mean skilled creators) found many vulnerabilities, which of course were fixed and UNIX (including the *BSD derivatives and branded UNIX such as Solaris) has become quite secure today thanks to this. I appreciated the effort of those who contributed their findings. There is a difference between reporting a broken safe lock in a bank, and exploiting it to obtain the contents (robbery.) This ignorance irritates me.
Powered by caffeine and sugar; BSD
The mod system seems to be down today. No one is getting mod points and almost nothing's been modded up today. Anyone know what's up ?
Please mod parent redundant :)
So where is Cisco in all of this? Have they released patches yet? I am hoping they will do a wide sweep of patches for all users (even those without support contracts) as they did back in 2004.
Juniper is looking better all the time.
Yesterday I was like drooling when I like saw this girl like. And I like couldn't get over it. Man I was like in heaven like.
How about we cut the teen speak?
These posts express my own personal views, not those of my employer
What is this new trend to post a reply that is relevant to the previously posted story in the thread for the next story? Is this a new attempt to troll?
No mods!
Microsoft is good!
Linux is the debil!
Cats and Dogs living together!
MASS HYSTERIA!
I don't know about the Cisco thing, but I know I'll never forgive him for The Herschel Walker trade.
Another thread with all comments below 3? Either fix the moderation, or post a story explaining what's going on. For those of us who normally browse at 4 or 5, the signal to noise level when having to read it like it is now is quite unbearable.
As for Mike Lynn, I read this Wired story yesterday. It really sheds some light over the details of the whole affair. Prior to this interview, I thought Lynn seemed like someone eager to get publicity, and who had chosen to disclose this exploit for that reason. I don't believe that anymore. He comes across as a very reasonable guy, and it seems like he followed the procedure as well as one could have any reason to expect. The vulnerability still sounds scary though.
They were like, "Mike, your new research project is Cisco IOS. Go find out how to exploit bugs on Cisco IOS so we can prove these people wrong."
Like, not only speech, but even our writing has like sunk to the level of the California valley girl, like.
Met Mike a few years ago. He's a pretty cool guy, and he's done some really neat stuff in the past. I think that he enjoys working for ISS, since they give him a chance to do what he would be doing anyway.
The fact that he wanted to make sure that the exploit didn't get out gives me an idea of how bad this really is, considering some of the things that he has released. The fact that he's not willing to release this exploit means that it's probably possible to 0wn just about any router on the planet running IOS. That's not good.
So far Cisco has managed to keep this off the main-stream radar. That's definitely keeping their accountants happy..
One of Cisco's arguments, or at least so I heard on a CBC radio program whose name escapes me, is that he discovered this flaw through reverse engineering which is specifically banned in the license agreement. They seem to be implying that the flaw would be no danger since it is a closed source product, had he not 'illegally' reverse engineered their code and that the threat therefore only exists because of him. Security through obscurity, and a good example of why closed source solutions should not be used in situations where security and accountability are important [voting machines anyone?]
he was interviewed. big deal. if he is interviewed again, we will have another /. story about him?.
The bastard ruined the Minnesota Vikings for YEARS with that damned Herschel Walker trade!
From what I gather from the story is that the flaw isn't a huge deal - Cisco's reaction appears to be the more significant security flaw.
Security is as much a state of mind as it is a piece of technology.
I wonder if someone climbing the corporate ladder is afraid of getting into big ass trouble.
You can get your copy lynne-cisco.zip from cryptome.org.
The I is an acronym! IT COULD MEAN ANYTHING!!
BEHOLD THE POWER OF THE
F(dot!)B(dot!)I(dot!dot!dot!EXCLAMATION POINT!SHIFTPLUSONE!ONE!TILDE!AT SYMBOL!EXCLAMATION POoOoooINT!!!)
LET GO OF YOUR CONCEPTS AND SIMULACRA OF ACRONOMORPHISMS! THE FBI IS A SYMBOL! YOU ARE THE PERCEIVER OF THAT SYMBOL! IT IS BASED ON CONTEXT! DESTROY THE CONTEXT, DESTROY YOURSELF!!!!
To confirm you're not a script,
please type the word in this image: [crotch]
FOR SHAME!!!
01780115012
Lady Justice is not just blindfolded, she is actually blind.
OMGROFFLE he noticed that someone else has the same name!
I raise a glass of lmaonade in saltydog's honor.
Here is the Cisco information on the bug and patches
But this particular bug may not be the real news. The real news is running shell code on Cisco via an exploit. Or as Cisco puts it "Upon successful exploitation, the device may reload or be open to further exploitation." If this technique is not tied to this specific exploit but to architectural problems in IOS, Cisco worms could become a problem.
Given that Cisco had source code stolen, there is almost no limit to what a worm could do. Spyware on routers would be much more efficient.
I can't believe it. She was so vigorous and full of life, but now she is just a dehydrated, festering pile of dead brain cells. She fought valiantly against those who eventually brought her to Jesus, following that bright flashing light with her eye for a couple of seconds to prove she had cognitive abilities, but somehow they still determined that she was in a persistently unintelligent state. I personally think Jeb Bush let her die because he was afraid she might defeat him in the next governor's race, given the collective intelligence and ballot-casting ability of his fellow Floridians. If only she had followed the bankrupt Atkins diet plan instead of the Karen Carpenter plan, she might still be here. It's sad, really. Why did we all have to suffer for 15 years?
Like, I just want to me like Mike
" For those of us who normally browse at 4 or 5,"
Oh brother. Why bother coming here at all then?
The best comments are not at 4 or 5. They're typically at -1 2.
Does anyone think it's odd that of the last seven stories, not a single one has a comment modded higher than 3? What's up?
---
funny commercials
because this guy knows his shit. They want this guy working for them....
The Doormat
If you're not outraged, then you're not paying attention.
Lynn's Presentation
The Cease and Desist Order
Go ahead and grab them, and stick up mirrors all over the world. This is the one PDF that they don't want you to see, and they are trying to stop. The public will not be denied this information!
Quick! Put the image of a pink golfball on a field of half eaten hohos in your mind to block t3h m1nd r34d3rz!
*hands over tinfoil hat*
Seriously, though. If a company goes to the FBI and says "We think so and so has broken a law." they are supposed to look into it if a crime could have plausibly been committed. Kinda like calling the cops and reporting 'suspicious' activity. It's nearly always harmless.
Cisco is using this to try to shut him up, but it's not the FBI's fault.
10:1 a couple weeks from now the feebs will say 'move along, nothing to see here' and Cisco will then file a civil suit.
Remember folks, slashdot doesn't have a -1 "disagree" moderation!
Uh, if you can...
That's right. I pwn you mods! You are at my beck and call.
Well informative, though I know very little about cisco or routers in general. I quite enjoyed this article.
He didn't reveal ANY vulnerabilities in IOS. I'm going to say this again, slowly: Michael ... Lynn ... did ... not ... reveal ... any ... new ... vulnerabilities ... in ... IOS.
What he did was prove that existing and future vulnerabilities in IOS _could_ be exploited to run shellcode, while it was previously thought that a DoS was the 'best' a hacker could do to an IOS box. He used a 4-5 month old (patched) vulnerability to demonstrate this...
Think outside the... Hey, where'd the friggin' box go?
http://downloads.oreilly.com/make/cisco.mov
prove him wrong
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
Shiggity shiggity shwaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.(sound of a can of coke being snapped open)
So, I was wondering. Do lions and cougars and shit have nine lives or is that just feline domesticus? If I throw a Puma out a high-rise apartment building, will it land on it's feet?
I have no questions about Dogs; because I know the answer to the only question worth asking,
DOGS CAN LOOK UP.
The nature of power demands that at some time people will be made scapegoats because somebody stuffed up.
In the Hebrew bible two male goats were to be brought to the place of sacrifice along with a bull as part of the Korbanot ("sacrifices") in the Temple in Jerusalem. The high priest then cast lots for the two goats. One goat was offered as a burnt offering, as was the bull. The second goat was the scapegoat. The high priest placed his hands on the head of the goat and confessed the sins of the people of Israel. The goat was then led away into the wilderness, bearing the sins of the people with it, to be claimed by the fallen angel Azazel.
Scapegoating is an important tool of propaganda and is used to lay the smack down on the scapegoat to bear the blame for a problem so the little sheeple can be happy again and those in power get away scot-free. Its roots lie in the social psychological concept of the fundamental attribution bias, where there is a tendency for people to over-emphasize dispositional, or personality-based, explanations for behaviors observed in others while under-emphasizing the role and power of situational influences on the same behavior.
Basically Cisco will blame outside forces rather than concede that they were the problem and the way the propaganda works is that outsiders will look on the stuff up as Cisco's fault, so Cisco have to lay out a sacrificial scapegoat so as to manage the perceptions of their audience/shareholders/government.
That's how you assign blame and that's how you play the game of power.
Google: mike lynn blackhat cisco ios and have a good time.
If you understand both IOS and assembler pcode, you can catch his drift. These are chinks in the otherwise solid armor that Cisco has.
The exposure of this, along with other security bugs that organizations have, ranging from Microsoft down to Linus's best code, are important to know at the second of apparency. That's when both the good guys and the bad guys can get to work. I hope the bad guys lose, and they usually do. But prevention of exposure is just a ticking bomb. This kind of bomb kills most of the Internet as we know it. And maybe it'll give Cisco a wake up call that it better defuse the bomb and improve their quality.
The slides speak for themselves. High five to Mike Lynn and all who are tenacious enough to bring security solidification to the core of the net. And a fie on those that would stop him, and all those that endeavor to bring quality to communications. And to all of those that went to Defcon, be proud to be a part of liberty. It smells of good dirt.
---- Teach Peace. It's Cheaper Than War.
In Soviet America, we shoot the whistleblowers
I don't think I've seen NANOG buzzing this much about one topic since the infamous Verisign .com wildcard.
This kind of turned into a worst-case PR situation for Cisco -- they screwed up on their product, they tried to cover it up, and then they hassled the guy that released the information.
Any program relying on (nontrivial) preemptive multithreading will be buggy.
The poster clearly doesn't understand that, if the grandparent was true, and thus worthy of being modded up, it would be impossible to do so. ^_^
First, let me start out by saying that I was initially quite skeptical of Mike's intentions when I first heard about this. It is completely normal in the security industry for researchers to know about *serious* flaws in widely deployed operating systems and applications, weeks if not months ahead of any vulnerability disclosure. That's why I initially found it incredulous that a researcher would break ranks simply because a vendor (in this case Cisco) was dragging its feet over a vulnerability. Surely, it had to be ego, right? Normally, and so long as no public exploitation of said vulnerability has been discovered, white hat researchers just accept the seemingly slow reaction time on the part of vendors and move on with full disclosure when they're ready to address the vulnerability with a patch.
This situation does appear to be different however, in that Cisco was making moves to obfuscate the true nature of the vulnerability -- not a wise idea. As we all know: security through obscurity is bad. Furthermore, Mike believes the extent of the problem would only grow in the future as Cisco moves to consolidate the operating system used by all their routers. If everyone naively believes that Cisco IOS (and network hardware in general) are not subject to the same types of vulnerabilities that have plagued software for decades, they must be led to the truth. It can and Mike brought our attention to it.
Though I can't tell if Mike truly had altruistic intentions from the get go, I can vouch for the plausibility of his account of the goings on inside ISS when the Cisco router flaw was discovered. Companies in the security industry are constantly playing battles of wits to find new vulnerabilities, and use them as ammunition against other IDS vendors in enterprise bake-offs. There's quite an obvious and direct correlation between finding a flaw the other guys aren't covering and demonstrating it in action to seal a hard fought competitive enterprise deal. It can mean literally millions of dollars to the bottom line for a given quarter. Typically, you're trying to find a way to outsmart the other guy's IDS into missing an attack (vulnerability coverage through private research, DoS attack, some combination of fragmented packets that takes it to its knees, etc...) but rarely (if ever, in my recollection) does it amount to Sales demonstrating a serious zero-day exploit against network hardware itself. There's a big difference, and I'd be very surprised if ISS would be stupid enough to allow Sales to use such an obviously dangerous exploit publicly. It seems to me that Mike's recollection of internal discussions on this matter, including the comments about Witty, to be a sort of informal geek-to-geek roundtable and not in any way likely to be the company's final strategy on the matter, regardless of his supposed resignation threat.
Anyway, interesting read, and if he's truly all in it for egotistical purposes, he certainly made a strong case for his altruistic side in that interview.
3.42% ;)
WHAT?!
I had some mod points briefly, but they disappeared before I could use them. Conjecture: something's amiss with the duration of awarded mod points. We're being given points, but they're disappearing before we can use them.
I hope that after I die the one word people use to describe me is "resurrected."
Cisco's 'solid armour' as you put it has been based on two concepts:
1) There was no known way to execute shellcode due to the idle process responsible for doing heap pointer 'validation'. This prevented the possibility of executing shell code and essentially limited the attack vectors for overflows to DoS.
2) Some level of obscurity regarding the IOS inner workings.
Is that what you consider solid armour?
While Lynn's presentation was mostly old news, it did something very important. It eliminated point #1 above. This makes it significantly more attractive to a would-be attacker. Creating a DoS condition is fine, but has no real value to a hacker other than the few obvious ones used by packet warriors. Being able to fully compromise a router and install your software is much more interesting and valuable.
Hey, but at least you guys went to the Super Bowl in 98...oh wait. No. You got beat by the Falcons.
(Nelson voice:)Ha ha!
Mike Lynn sounds like a good guy, his point of view is very understandable. He wanted to alert people that Cisco is just as hackable as others. The other stories were vilifying him but his own words explained why he did what he did. I must say, Kudos to him.
Honestly He's the kind of Admin I respect, rather than play ball only with the corporation, he lets everyone know the problem so everyone can handle the situation. He claims there was a fix out six months ago for his bug? I don't see why Cisco is flipping out if what he says is true, but if he made even one system admin update their router, then he did a good job in my book.
I find Cisco and Posse's attempt to corral copies of the report amusing. Besides the fact that they are making a scene in front of a crowd which relishes just such a challenge, haven't they heard of the multitudes of software developed for exactly this kind of response - distributed, anonymous, encrypted file storage and distribution?
From the sidelines it is quite entertaining.
Let the authentication fail and read the following:
IMPORTANT NOTICE:
Andrew Yeomans
Same thing happened to me. I got my 5 points yesterday morning -- they vanished before noon. Something's amiss.
More on topic -- the funny thing about Cisco's role in all this is that I tend to trust companies that come forward and speak out forcefully in admitting a problem with a product. It makes me confident that they will fix it and fix it right.
By going after the guy that dared discuss the problem I've lost trust in Cisco. If they didn't want this discussed it makes me wonder if they might have a bunch of other problems that they've succeeded in keeping hidden. The harder they go after him, the less trust I have in their products.
Life is short: void the warranty.
> Cisco is a large company. They obviously didn't know the extent of the problem until it was demonstrated to them.
Well, I wouldn't necessarily commit to 'obviously', but yes, it is possible that they did not understand the extent of the problem.
One problem many advocates of open source have with how large companies deal with security issues is that the company in question wishes to reserve -all rights- to evaluating the severity and proper response to security issues to their own management. As most companies do. Quis custodiet ipsos custodes?
The problem is that Cisco and others are taking the stand that 'this is our business'. Once Cisco offered to stand guard for other people, it stopped being Cisco's business.
Bottom line: to a -large- number of Cisco's customers, -retaining all rights to determining the disposition of security issues- is not acceptable.
> It was irresponsible for Mike to go ahead with his talk without allowing Cisco time to reassess the threat.
This is predicated on the assumption that obscurity effectively reduces the level of vulnerability. I'm not going to debate this here; I'm just saying that not everyone agrees with that proposition. You -cannot- use it as the basis for an unchallenged demand for more time until -after- the issue is dealt with in at -least- an interdisciplinary task force set up to resolve standard responses. Possibly this will require handling in the courts. But it will not go unchallenged.
> Put yourself in Cisco's shoes: someone points out a vulnerability, they tell you about it, you
> spend 6 months fixing a zillion IOS images, release the images and the security alert, and
> then BAM!, the individual says, "by the way, it was much worse than I initially told you and I
> plan to talk about it in about 2 months".
Several problems here:
6 months response time from Cisco would be -much- faster than we have come to expect from vendors. A not unexpected time frame would be 2 to 5 years. In addition, 6 months is, from a certain standpoint, -much- too long. Not "too slow, Cisco; you should be faster", but "too slow; the window is too large and an exploit is -very- likely to occur in the wild."
That's part of the problem. Vendors want more time to deal with these issues, and that is -not- unreasonable. But customers want the damn systems secured, and that is -also- not unreasonable. There is a very real problem here. Neither the ideal for the customers nor the ideal for the vendors is going to happen. We need to explore other alternatives, and this is not going to happen as long as vendors keep a lock on security issues.
It doesn't necessarily have to be out in the open for the world. But it's got to be open to industry people outside the company, who can -force- the company to respond against its wishes. People who -did not create- the vulnerable product have to be the ones to decide how long it takes to fix, how to fix it, and how to deploy the fixes.
> At that point, you would need some time to understand what the issues are and formulate a
> response. Perhaps up to six months. And it is irresponsible to disclose the vulnerability
> without allowing Cisco time to assess the problem. Mike could have found an even bigger
> issue. Perhaps Cisco needed to research it further.
Cogent arguments all. The -only- problem is that neither Cisco, nor any other vendor, has a sufficient currency of trust and goodwill among their customers to force compliance with this.
This is true at least until they are willing to be far more open about how security issues will be addressed, and include members of the security community and customer representatives with opposing viewpoints to -veto- decisions by Cisco. Until these outsiders can force Cisco to take actions that Cisco management is unhappy with, there will be a problem here.
And using the big legal stick to punish researchers is -not- building up that currency of trust.
Thanks, you made some very good arguments.
And Lynn is attempting to cover his ass: claiming that ISS gave him permission to reverse-engineer, even though they couldn't legally do that and he knew so. So he's just another dumbass cracker who can't resist playing with the toys. Does anyone doubt that there are millions of hackers who could do the reverse-engineering and find the same thing? The difference is that he violated an agreement with Cisco and did it; an honest person wouldn't.
I'm glad the exploit was found, but the way it was done is clearly illegal. There are legal and illegal ways to do this; we should not encourage the illegals. The people involved appear to be sociopaths. Why so many in IT idolize such people is beyond me. It encourages borderline developers who can't do productive work to turn to cracking. Instead such people should be burned at the stake with full television coverage. Then we'd truly see how many crackers crack systems for the "good of the many".
This vulnerability takes advantage of a heap overflow. Cisco has released a patch for this specific heap overflow. That only temporarily fixes the problem. The same basic technique can be used for another heap overflow to do the same thing. The underlying architecture needs to be fixed to truly mitigate this issue. Too little, too late...thanks Cisco.
"They were like"? Come on!
The proper usage is "They were like all".
What the hell is up with the mod points? Every story has only like 2 or 3 comments that are scored above 2.
Whether or not Mike Lynn did what he did out of ego, altruism, professional integrity, or whether or not it fell within the normal bounds of how to disclose a vulnerability, while interesting discussions, are perhaps less interesting than the possibility that Cisco wanted to spin their way out, rather than code their way out.
If [cC]isco adopts the spinout method of handling vulnerabilities, or if that mentality takes hold within their corporate culture, the impact on the internet will without question be swift and negative. True, they'll also get swiftly eclipsed by competitors, but in the meantime there would be Internet-wide trouble.
"We are all geniuses when we dream"
- E.M. Cioran
heh
Telling a sports joke on slashdot is like telling a sex joke in a convent.
I, for one, welcome our pointless overlords.
Computer/Network Systems Engineer would be a more accurate description. He's designed his own, and the very first, wireless intrusion detection and prevention system (Intrusion prevention? Yep- AirIDS was designed to chaff and other things to make it very difficult for a snooper to obtain a solid lock on an AP's WEP key without needing WPA upgrades...). I remember having numerous conversations with him about it while we were working on projects at Coollogic when they were still just doing set-top boxes. There was a difference of opinion on several levels with some of the management and he quit (for good reason...won't go into details there) which was a disappointment to me because the management that was the problem was fired (Which would tickle him to no end, along with all the details about the same...)
Right now, I'm one of the people waiting to line up to give the man a shiny new job- and one in the same arena that he's been working in for the past 3-4 years running. I'm just trying to find a way to reach him since all my contact means have kind of gone poof with him being dismissed from ISS as a researcher. Any of you all that know Mike personally, I'd love to get contact info from him so I can get back in touch at the very least.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
...were already knocking on the door.
It's probably a good thing that Mike did what he did- the ability to run arbitrary code on a Cisco box is far more serious than Cisco's spinning it.
If you really want to be investigated, why don't you be one of many to read his presentation? Here, I've even transcribed Lynn's presentation to text instead of that huge, ugly PDF. As a bonus, the assembly readings are now readable. For all I know, they consider this criminal even though I consider this not only a fair use but a public service. The bad guys already know this stuff; we need to let the legitimate security professionals in on this! Insofar as I can give permission, copy and paste this anywhere you please. It's still probably copyrighted to the ISS, though, but it's Cisco suing over it, even though anyone with a router can get those assembly listings, they're probably fair use since they're such small portions of the router software, and I have no dealings or contracts with Cisco binding me not to release such things (I don't own any Cisco gear), so if anything, only ISS should have grounds to sue me, and they don't seem to care to.
[ Page 1 - The Holy Grail ]
Cisco IOS Shellcode And Exploitation Techniques by Michael Lynn of Internet Security Systems
[ Page 2 - Another Unbreakable System ]
[Editor's note: This page shows a picture of what I presume to be the Titanic.]
[ Page 3 - Why You Should Care ]
* Wide Deployment
- Switches
- Routers
- Access Points
* Keys To The Kingdom (MITM)
- Control the network traffic
- Packet sniff in far off lands
- Modify traffic
- Break weakly authenticated encryption (passwords, etc.)
[ Page 4 - Some Review: Basic Techniques ]
* Stack Overflows
- Overwrite return address on the stack
* Heap Overflows (Pointer Exchange)
- Traditionally we use heap chunk linkage
- Any linked list will do
Typical linked list delink looks like:
foo->prev->next = foo->next; foo->next->prev = foo->prev;
[ Page 5 - Misconceptions ]
* Routers And Switches Are Just Hardware
* It Is Not Possible To Overthrow Buffers On IOS
* There Is No Way To Exploit Buffer Overflows On IOS
* Every Router Is So Different That An Exploit Might Work On One Router But Never Another
[ Page 6 - Wrong! ]
* Routers And Switches Run Software On General Purpose CPUs
* Buffers Do Exist And It Is Not So Rare That They Overrun
* Exploitation Is Possible
* Exploitation Can Be Made Reliable And Cross Platform (more on this later)
[ Page 7 - IOS Basics ]
* Monolithic
- No loadable modules (yet)
- All addresses are static
- All addresses are different per build
* Real Time OS
- If you are running you own the CPU (mostly)
- We have to exit or yield properly or we will crash
- Once our code is running we have won any race
* Stability
- IOS tends to favor rebooting over correcting errors
[ Page 8 - A Word On Code Quality ]
* Much Better Than Most Platforms
- They check heap linkage
- They are very aware of integer issues
- They almost never use the stack
- They have a process to check all heaps
- Very old, very well tested code
* Bugs Exist Anyways
- Green pastures
- We can get around some checks
- We will use some of these checks against them
[ Page 9 - The Dreaded Check Heaps Process ]
* Walks All Heaps Looking For Bad Linkage
- Even if our chunk is not freed check heaps will detect bad linkage
- Is run every 30 to 60 seconds depending on load
* This Is the Main Reason Heap Overflows Can Be Hard
[ Page 10 - Rules of Engagement ]
* Stack Overflows
- Rare, but if we find one, its fair game
* Heap Overflows
- They check next and previous pointers
- We either have to beat check heaps or not offend it
- We must either know the values for the previous pointer or we must get around this somehow
* Monolithic Architecture
- For heap overflows we
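The linkage test and the "check heaps" walk that pages 4, 8 and 9 of the slides describe, as an added C model that is not Lynn's, ISS's or Cisco's code: the chunk layout, the four-chunk pool, the sentinel head and the 32-byte overrun are all assumptions made up for the demonstration. It shows why a neighbouring chunk with bad linkage is caught even though the clobbered chunk is never freed, and what validating both pointers before the classic two-line delink looks like.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A chunk header carrying the doubly-linked "heap chunk linkage" the slides refer to,
   followed by a small payload buffer. Layout and sizes are assumptions for this model. */
typedef struct chunk {
    struct chunk *prev;
    struct chunk *next;
    char data[16];
} chunk_t;

#define NCHUNKS 4

/* Constructed heap: one contiguous pool, viewed both as chunks and as raw bytes so
   that the simulated overrun below is an ordinary in-bounds write into the byte view. */
static union {
    chunk_t chunks[NCHUNKS];
    unsigned char bytes[NCHUNKS * sizeof(chunk_t)];
} heap;

static chunk_t head;   /* sentinel: every real chunk has a prev and a next */

void heap_init(void) {
    head.prev = head.next = &head;
    for (int i = 0; i < NCHUNKS; i++) {
        chunk_t *c = &heap.chunks[i];
        memset(c->data, 0, sizeof c->data);
        c->prev = head.prev;          /* append at the tail */
        c->next = &head;
        head.prev->next = c;
        head.prev = c;
    }
}

/* A pointer is acceptable only if it is the sentinel or a properly aligned chunk in the pool.
   Checked before any dereference so a clobbered pointer is never followed. */
static bool in_pool(const chunk_t *p) {
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)heap.chunks;
    uintptr_t hi = lo + sizeof heap.bytes;
    return p == &head || (a >= lo && a < hi && (a - lo) % sizeof(chunk_t) == 0);
}

/* The linkage test: both neighbours must point back at this chunk. */
bool linkage_ok(const chunk_t *c) {
    if (!in_pool(c->prev) || !in_pool(c->next)) return false;
    return c->prev->next == c && c->next->prev == c;
}

/* The "check heaps" walk: visit every chunk, freed or not, and report the index of the first
   chunk with bad linkage; -1 if the heap is clean; NCHUNKS if the walk meets a wild pointer or a loop. */
int check_heaps(void) {
    const chunk_t *c = head.next;
    for (int steps = 0; c != &head; steps++) {
        if (steps >= NCHUNKS || !in_pool(c)) return NCHUNKS;
        if (!linkage_ok(c)) return (int)(c - heap.chunks);
        c = c->next;
    }
    return -1;
}

/* Delink only after validating the linkage, so the classic
   "foo->prev->next = foo->next; foo->next->prev = foo->prev;" never runs on a forged pair. */
bool safe_delink(chunk_t *foo) {
    if (!in_pool(foo) || foo == &head || !linkage_ok(foo)) return false;
    foo->prev->next = foo->next;
    foo->next->prev = foo->prev;
    foo->prev = foo->next = NULL;
    return true;
}

/* Constructed bug: a 32-byte write into chunk 1's 16-byte buffer runs into chunk 2's header. */
static void simulated_overrun(void) {
    memset(heap.bytes + 1 * sizeof(chunk_t) + offsetof(chunk_t, data), 'A', 32);
}

/* Chunk 2 is never freed, yet the walk flags chunk 1, whose next->prev no longer points back. */
int demo_overrun_detected(void) {
    heap_init();
    simulated_overrun();
    return check_heaps();
}

/* On a clean heap a delink succeeds and the walk stays clean. */
bool demo_clean_delink(void) {
    heap_init();
    return safe_delink(&heap.chunks[1]) && check_heaps() == -1;
}

/* After the overrun neither the clobbered chunk nor its neighbour may be delinked. */
bool demo_corrupt_delink_refused(void) {
    heap_init();
    simulated_overrun();
    return !safe_delink(&heap.chunks[2]) && !safe_delink(&heap.chunks[1]);
}

int main(void) {
    printf("clean heap after delink: %s\n", demo_clean_delink() ? "ok" : "BAD");
    printf("first bad chunk after overrun: %d\n", demo_overrun_detected());
    printf("delink refused on corrupt linkage: %s\n", demo_corrupt_delink_refused() ? "yes" : "no");
    return 0;
}
```

The walk reports chunk 1, not chunk 2, because it is chunk 1's forward link whose back-pointer no longer matches; a periodic walk like this is what turns a heap overrun into a reload rather than a silent delink.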
They changed almost all of his sentences, with a lot of ellipses and modified expressions.
I realize that an editor would want to make sure that an article contains proper English sentences, but this level of rewording makes me wonder about the motivation behind it.
And the footnote on page one only underlines this, where a seemingly minor detail is qualified with the comment "This sentence was inadvertently omitted in an earlier version of this story." Makes one wonder how many people were actually working on this text, and how many lawyers were involved.
AirIDS seems interesting but I can't find much about it (the project seems dead). Is the anti-WEP cracking part similar to FakeAP or does it use more advanced techniques ?
Sadly, Michael pulled it a while back. It was before FakeAP amongst other things. He's a pretty good White Hat, when you get down to brass tacks- it's just that his current employer sold him out out of fear of Cisco's legal might. Sad, really. He's something of the real thing- even if I can't manage to get him in our fold, someone ought to snap him up all the same...
Assuming you can provide them with enough info to make what the company was doing suspicious.