Slashdot Mirror

← Back to Stories (view on slashdot.org)

Wired Interviews Mike Lynn

Posted by timothy on from the not-captain-sisko dept.

ndansmith writes "Wired has got an interview with Mike Lynn, who revealed a major vulnerability in Cisco IOS at Black Hat 2005 in Las Vegas, and who has subsequently become the subject of an FBI investigation. A quote from Mike Lynn: 'Cisco said, "You guys are lying. It is impossible to execute shell code on Cisco IOS." At that point (ISS) management was annoyed.... They were like, "Mike, your new research project is Cisco IOS. Go find out how to exploit bugs on Cisco IOS so we can prove these people wrong."'"

3 of 194 comments (clear)

  1. Finding vulnerabilities != being a criminal by Zweideutig · · Score: 3, Insightful

    I am tired of hearing about people basically volunteering to audit software and find problems, and then get accused for it. Lets go after the crackers that just read securityfocus for the latest exploit, and then exploit it so they can "vandalize." UNIX (the kind under the UNIX trademark) had many weaknesses that made it luaghably insecure in its day, but dedicated hackers (not crackers, I mean skilled creators) found many vulnerabilities, which of course were fixed and UNIX (including the *BSD derivatives and branded UNIX such as Solaris) has become quite secure today thanks to this. I apprieciated the effort of those who contributed their findings. There is a difference between reporting a broken safe lock in a bank, and exploiting it to obtain the contents (robbery.) This ignorance irritates me.

    --
    Powered by caffeine and sugar; BSD
  2. Let's at least get close to reality here... by djrogers · · Score: 2, Insightful

    He didn't reveal ANY vulnerabilities in IOS. I'm going to say this again, slowly: Micheal ... Lynn ... did ... not ... reveal ... any ... new ... vulnerabilities ... in ... IOS.

    What he did was prove that existing and future vulnerabilities in IOS _could_ be exploited to run shellcode, while it was previously thought that a DoS was the 'best' a hacker could do to an IOS box. He used a 4-5 month old (patched) vulnerability to demonstrate this...

    --
    Think outside the... Hey, where'd the friggin' box go?
  3. Intentions/methods notwithstanding by MECC · · Score: 2, Insightful

    Whether or not Mike Lynn did what he did out of ego, altruism, professional integrity, or whether or not it fell within the normal bounds of how to disclose a vulnerability, while interesting discussions, are perhaps less interesting than the possibility that Cisco wanted to spin their way out, rather than code their way out.

    If [cC]isco adopts the spinout method of handling vulnerabilities, or if that mentality takes hold within their corporate culture, the impact on the internet will without question be swift and negative. True, they'll get also get swiftly eclipsed by competitors, but in the meantime there would be Internet-wide trouble.

    --
    "We are all geniuses when we dream"
    - E.M. Cioran