Wired Interviews Mike Lynn
ndansmith writes "Wired has got an interview with Mike Lynn, who revealed a major vulnerability in Cisco IOS at Black Hat 2005 in Las Vegas, and who has subsequently become the subject of an FBI investigation. A quote from Mike Lynn: 'Cisco said, "You guys are lying. It is impossible to execute shell code on Cisco IOS." At that point (ISS) management was annoyed.... They were like, "Mike, your new research project is Cisco IOS. Go find out how to exploit bugs on Cisco IOS so we can prove these people wrong."'"
It's easy to get investigated by the FBI.
There has been a pizza van outside my house for weeks... no wait, it's a flower delivery van now... wait, now it's the telephone repair man.
lameness filter thwarted.
I still fail to see how this story relates to Google. Slashdot must be slipping. :)
Cover your eyes and click this link!
Start.com has been known for ages. It's a sandbox experiment, and they've already released 1 and 2, along with "My web". Editors messed up again? o.O
Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
I am tired of hearing about people basically volunteering to audit software and find problems, and then getting accused for it. Let's go after the crackers that just read securityfocus for the latest exploit, and then exploit it so they can "vandalize." UNIX (the kind under the UNIX trademark) had many weaknesses that made it laughably insecure in its day, but dedicated hackers (not crackers, I mean skilled creators) found many vulnerabilities, which of course were fixed, and UNIX (including the *BSD derivatives and branded UNIX such as Solaris) has become quite secure today thanks to this. I appreciated the effort of those who contributed their findings. There is a difference between reporting a broken safe lock in a bank, and exploiting it to obtain the contents (robbery). This ignorance irritates me.
Powered by caffeine and sugar; BSD
Please mod parent redundant :)
So where is Cisco in all of this? Have they released patches yet? I am hoping they will do a wide sweep of patches for all users (even those without support contracts) as they did back in 2004.
Juniper is looking better all the time.
Yesterday I was like drooling when I like saw this girl like. And I like couldn't get over it. Man I was like in heaven like.
How about we cut the teen speak?
These posts express my own personal views, not those of my employer
No mods!
Microsoft is good!
Linux is the debil!
Cats and Dogs living together!
MASS HYSTERIA!
I don't know about the Cisco thing, but I know I'll never forgive him for The Herschel Walker trade.
They were like, "Mike, your new research project is Cisco IOS. Go find out how to exploit bugs on Cisco IOS so we can prove these people wrong."
Like, not only speech, but even our writing has like sunk to the level of the California valley girl, like.
One of Cisco's arguments, or at least so I heard on a CBC radio program whose name escapes me, is that he discovered this flaw through reverse engineering, which is specifically banned in the license agreement. They seem to be implying that the flaw would be no danger since it is a closed source product, had he not 'illegally' reverse engineered their code, and that the threat therefore only exists because of him. Security through obscurity, and a good example of why closed source solutions should not be used in situations where security and accountability are important [voting machines anyone?]
The bastard ruined the Minnesota Vikings for YEARS with that damned Herschel Walker trade!
You can get your copy lynne-cisco.zip from cryptome.org.
Lady Justice is not just blindfolded, she is actually blind.
Here is the Cisco information on the bug and patches
But this particular bug may not be the real news. The real news is running shell code on Cisco via an exploit. Or as Cisco puts it "Upon successful exploitation, the device may reload or be open to further exploitation." If this technique is not tied to this specific exploit but to architectural problems in IOS, Cisco worms could become a problem.
Given that Cisco had source code stolen, there is almost no limit to what a worm could do. Spyware on routers would be much more efficient.
So much for keeping it secret ...
Does anyone think it's odd that of the last seven stories, not a single one has a comment modded higher than 3? What's up?
---
funny commercials
because this guy knows his shit. They want this guy working for them....
The Doormat
If you're not outraged, then you're not paying attention.
Quick! Put the image of a pink golfball on a field of half eaten hohos in your mind to block t3h m1nd r34d3rz!
*hands over tinfoil hat*
Seriously, though. If a company goes to the FBI and says "We think so and so has broken a law," they are supposed to look into it if a crime could have plausibly been committed. Kinda like calling the cops and reporting 'suspicious' activity. It's nearly always harmless.
Cisco is using this to try to shut him up, but it's not the FBI's fault.
10:1 a couple weeks from now the feebs will say 'move along, nothing to see here' and Cisco will then file a civil suit.
Remember folks, slashdot doesn't have a -1 "disagree" moderation!
Well informative, though I know very little about cisco or routers in general. I quite enjoyed this article.
He didn't reveal ANY vulnerabilities in IOS. I'm going to say this again, slowly: Michael ... Lynn ... did ... not ... reveal ... any ... new ... vulnerabilities ... in ... IOS.
What he did was prove that existing and future vulnerabilities in IOS _could_ be exploited to run shellcode, while it was previously thought that a DoS was the 'best' a hacker could do to an IOS box. He used a 4-5 month old (patched) vulnerability to demonstrate this...
Think outside the... Hey, where'd the friggin' box go?
http://downloads.oreilly.com/make/cisco.mov
prove him wrong
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
...and that's how you get Capone!
Google: mike lynn blackhat cisco ios and have a good time.
If you understand both IOS and assembler pcode, you can catch his drift. These are chinks in the otherwise solid armor that Cisco has.
The exposure of this, along with other security bugs that organizations have, ranging from Microsoft down to Linus's best code, are important to know at the second of apparency. That's when both the good guys and the bad guys can get to work. I hope the bad guys lose, and they usually do. But prevention of exposure is just a ticking bomb. This kind of bomb kills most of the Internet as we know it. And maybe it'll give Cisco a wake up call that it better defuse the bomb and improve their quality.
The slides speak for themselves. High five to Mike Lynn and all who are tenacious enough to bring security solidification to the core of the net. And a fie on those that would stop him, and all those that endeavor to bring quality to communications. And to all of those that went to Defcon, be proud to be a part of liberty. It smells of good dirt.
---- Teach Peace. It's Cheaper Than War.
I don't think I've seen NANOG buzzing this much about one topic since the infamous Verisign .com wildcard.
This kind of turned into a worst-case PR situation for Cisco -- they screwed up on their product, they tried to cover it up, and then they hassled the guy that released the information.
Any program relying on (nontrivial) preemptive multithreading will be buggy.
The nature of power demands that at some time people will be made scapegoats because somebody stuffed up.
As Jenny Holzer said, "Deviants are sacrificed to increase group solidarity."
When I was a kid, we only had one Darth.
The poster clearly doesn't understand that, if the grandparent was true, and thus worthy of being modded up, it would be impossible to do so. ^_^
Or, "Society honours its live conformists, and its dead rebels."
"Old man yells at systemd"
It's the spread of tabbed browsing.
"A language that doesn't affect the way you think about programming, is not worth knowing" - Alan Perlis
Cisco is a large company. They obviously didn't know the extent of the problem until it was demonstrated to them. It was irresponsible for Mike to go ahead with his talk without allowing Cisco time to reassess the threat. Put yourself in Cisco's shoes: someone points out a vulnerability, they tell you about it, you spend 6 months fixing a zillion IOS images, release the images and the security alert, and then BAM!, the individual says, "by the way, it was much worse than I initially told you and I plan to talk about it in about 2 months". At that point, you would need some time to understand what the issues are and formulate a response. Perhaps up to six months. And it is irresponsible to disclose the vulnerability without allowing Cisco time to assess the problem. Mike could have found an even bigger issue. Perhaps Cisco needed to research it further.
P.S. Slashdot is definitely broken. Not that that ever stopped anyone.
"A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
WHAT?!
I'm still looking for the head and tail of your post..
I had some mod points briefly, but they disappeared before I could use them. Conjecture: something's amiss with the duration of awarded mod points. We're being given points, but they're disappearing before we can use them.
I hope that after I die the one word people use to describe me is "resurrected."
Cisco's 'solid armour' as you put it has been based on two concepts:
1) There was no known way to execute shellcode due to the idle process responsible for doing heap pointer 'validation'. This prevented the possibility of executing shell code and essentially limited the attack vectors for overflows to DoS.
2) Some level of obscurity regarding the IOS inner workings.
Is that what you consider solid armour?
While Lynn's presentation was mostly old news, it did something very important. It eliminated point #1 above. This makes it significantly more attractive to a would-be attacker. Creating a DoS condition is fine, but has no real value to a hacker other than the few obvious ones used by packet warriors. Being able to fully compromise a router and install your software is much more interesting and valuable.
the individual says, "by the way, it was much worse than I initially told you and I plan to talk about it in about 2 months". At that point, you would need some time to understand what the issues are and formulate a response.
I think that the issue was more Cisco refusing to accept that the vulnerability was way serious, and trying to downplay it.
You would be right if Cisco would have been listening from the start.
Hey, but at least you guys went to the Super Bowl in 98...oh wait. No. You got beat by the Falcons.
(Nelson voice:)Ha ha!
lots of sub-systems have been up and down for most of the week, maybe some upgrades going in or changing servers or something.
Apocalypse Cancelled, Sorry, No Ticket Refunds
Mike Lynn sounds like a good guy; his point of view is very understandable. He wanted to alert people that Cisco is just as hackable as others. The other stories were vilifying him, but his own words explained why he did what he did. I must say, kudos to him.
Honestly, he's the kind of admin I respect: rather than play ball only with the corporation, he lets everyone know the problem so everyone can handle the situation. He claims there was a fix out six months ago for his bug? I don't see why Cisco is flipping out if what he says is true, but if he made even one system admin update their router, then he did a good job in my book.
I find Cisco and Posse's attempt to corral copies of the report amusing. Besides the fact that they are making a scene in front of a crowd which relishes just such a challenge, haven't they heard of the multitudes of software developed for exactly this kind of response - distributed, anonymous, encrypted file storage and distribution?
From the sidelines it is quite entertaining.
Let the authentication fail and read the following:
IMPORTANT NOTICE:
Andrew Yeomans
Same thing happened to me. I got my 5 points yesterday morning -- they vanished before noon. Something's amiss.
More on topic -- the funny thing about Cisco's role in all this is that I tend to trust companies that come forward and speak out forcefully in admitting a problem with a product. It makes me confident that they will fix it and fix it right.
By going after the guy that dared discuss the problem I've lost trust in Cisco. If they didn't want this discussed it makes me wonder if they might have a bunch of other problems that they've succeeded in keeping hidden. The harder they go after him, the less trust I have in their products.
Life is short: void the warranty.
> Cisco is a large company. They obviously didn't know the extent of the problem until it was demonstrated to them.
Well, I wouldn't necessarily commit to 'obviously', but yes, it is possible that they did not understand the extent of the problem.
One problem many advocates of open source have with how large companies deal with security issues is that the company in question wishes to reserve -all rights- to evaluating the severity and proper response to security issues to their own management. As most companies do. Quis custodiet ipsos custodes?
The problem is that Cisco and others are taking the stand that 'this is our business'. Once Cisco offered to stand guard for other people, it stopped being Cisco's business.
Bottom line: to a -large- number of Cisco's customers, -retaining all rights to determining the disposition of security issues- is not acceptable.
> It was irresponsible for Mike to go ahead with his talk without allowing Cisco time to reassess the threat.
This is predicated on the assumption that obscurity effectively reduces the level of vulnerability. I'm not going to debate this here; I'm just saying that not everyone agrees with that proposition. You -cannot- use it as the basis for an unchallenged demand for more time until -after- the issue is dealt with in at -least- an interdisciplinary task force set up to resolve standard responses. Possibly this will require handling in the courts. But it will not go unchallenged.
> Put yourself in Cisco's shoes: someone points out a vulnerability, they tell you about it, you
> spend 6 months fixing a zillion IOS images, release the images and the security alert, and
> then BAM!, the individual says, "by the way, it was much worse than I initially told you and I
> plan to talk about it in about 2 months".
Several problems here:
6 months response time from Cisco would be -much- faster than we have come to expect from vendors. A not unexpected time frame would be 2 to 5 years. In addition, 6 months is, from a certain standpoint, -much- too long. Not "too slow, Cisco; you should be faster", but "too slow; the window is too large and an exploit is -very- likely to occur in the wild."
That's part of the problem. Vendors want more time to deal with these issues, and that is -not- unreasonable. But customers want the damn systems secured, and that is -also- not unreasonable. There is a very real problem here. Neither the ideal for the customers nor the ideal for the vendors is going to happen. We need to explore other alternatives, and this is not going to happen as long as vendors keep a lock on security issues.
It doesn't necessarily have to be out in the open for the world. But it's got to be open to industry people outside the company, who can -force- the company to respond against its wishes. People who -did not create- the vulnerable product have to be the ones to decide how long it takes to fix, how to fix it, and how to deploy the fixes.
> At that point, you would need some time to understand what the issues are and formulate a
> response. Perhaps up to six months. And it is irresponsible to disclose the vulnerability
> without allowing Cisco time to assess the problem. Mike could have found an even bigger
> issue. Perhaps Cisco needed to research it further.
Cogent arguments all. The -only- problem is that neither Cisco, nor any other vendor, has a sufficient currency of trust and goodwill among their customers to force compliance with this.
This is true at least until they are willing to be far more open about how security issues will be addressed, and include members of the security community and customer representatives with opposing viewpoints to -veto- decisions by Cisco. Until these outsiders can force Cisco to take actions that Cisco management is unhappy with, there will be a problem here.
And using the big legal stick to punish researchers is -not- building up that currency of trust.
Thanks, you made some very good arguments.
Whether or not Mike Lynn did what he did out of ego, altruism, professional integrity, or whether or not it fell within the normal bounds of how to disclose a vulnerability, while interesting discussions, are perhaps less interesting than the possibility that Cisco wanted to spin their way out, rather than code their way out.
If [cC]isco adopts the spinout method of handling vulnerabilities, or if that mentality takes hold within their corporate culture, the impact on the internet will without question be swift and negative. True, they'll also get swiftly eclipsed by competitors, but in the meantime there would be Internet-wide trouble.
"We are all geniuses when we dream"
- E.M. Cioran
This type of discussion always assumes that the first public disclosure of a vulnerability is the actual initial discovery of the vulnerability. That's not a very comforting assumption.
Computer/Network Systems Engineer would be a more accurate description. He's designed his own, and the very first, wireless intrusion detection and prevention system (Intrusion prevention? Yep- AirIDS was designed to chaff and other things to make it very difficult for a snooper to obtain a solid lock on an AP's WEP key without needing WPA upgrades...). I remember having numerous conversations with him about it while we were working on projects at Coollogic when they were still just doing set-top boxes. There was a difference of opinion on several levels with some of the management and he quit (for good reason...won't go into details there) which was a disappointment to me because the management that was the problem was fired (Which would tickle him to no end, along with all the details about the same...)
Right now, I'm one of the people waiting to line up to give the man a shiny new job- and one in the same arena that he's been working in for the past 3-4 years running. I'm just trying to find a way to reach him since all my contact means have kind of gone poof with him being dismissed from ISS as a researcher. Any of you all that know Mike personally, I'd love to get contact info from him so I can get back in touch at the very least.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
...were already knocking on the door.
It's probably a good thing that Mike did what he did- the ability to run arbitrary code on a Cisco box is far more serious than Cisco's spinning it.
Umm, bullshit. Mike spoke to CISCO about this and they refused to listen. It's been 4 months since CISCO patched this (not just worked on it but PATCHED) with a slipstream patch not even noted as critical. CISCO had plenty of time and had they not sat around with their thumbs in their ass telling ISS they couldn't duplicate the problem even with full access to source and access to ALL of Mike's research then they deserve what they get. Yes, that is the way it apparently went down.
Add to that - Mike got a good bit of a headstart on this by reading translated WEB pages freely available on the 'net. Translated from what you might ask - try Chinese. Mike also got some help from a previous BlackHat talk. This was stated by Mike during his talk. Last but not least CISCO is beta testing a new architecture that would no longer require an attacker to work their ass off finding the offsets for each IOS version before attacking, the new architecture would allow a single offset to work on ALL machines. So far I've yet to see CISCO saying anything about changing how that's going to be done.
So what would six months have bought us? What would the one YEAR that CISCO had asked for have bought us? BlackHats were ALREADY working on this, and you had better believe that had CISCO rolled out this new architecture they would've been happy. Mike sat up and rang the alarm bell, and so far as I can tell he gave CISCO PLENTY of warning, so trying to say that he didn't follow industry practices is nutz - especially trying to use that as some basis for a lawsuit.
He was under NO legal obligation to tell them ANYTHING and when he tried to warn them they didn't believe him nor could their techs get it together enough to duplicate it. So far as I'm concerned he did a much better job of warning people than CISCO who have proven themselves to be nearly as bad as Adobe in all of this.
CISCOGate indeed....
Build it, Drive it, Improve it! Hybridz.org
They changed almost all of his sentences, with a lot of ellipses and modified expressions.
I realize that an editor would want to make sure that an article contains proper English sentences, but this level of rewording makes me wonder about the motivation behind it.
And the footnote on page one only underlines this, where a seemingly minor detail is qualified with the comment "This sentence was inadvertently omitted in an earlier version of this story." Makes one wonder how many people were actually working on this text, and how many lawyers were involved.
Sadly, Michael pulled it a while back. It was before FakeAP amongst other things. He's a pretty good White Hat, when you get down to brass tacks- it's just that his current employer sold him out out of fear of Cisco's legal might. Sad, really. He's something of the real thing- even if I can't manage to get him in our fold, someone ought to snap him up all the same...
Assuming you can provide them with enough info to make what the company was doing suspicious.