Slashdot Mirror

← Back to Stories (view on slashdot.org)

Wired Interviews Mike Lynn

Posted by timothy on from the not-captain-sisko dept.

ndansmith writes "Wired has got an interview with Mike Lynn, who revealed a major vulnerability in Cisco IOS at Black Hat 2005 in Las Vegas, and who has subsequently become the subject of an FBI investigation. A quote from Mike Lynn: 'Cisco said, "You guys are lying. It is impossible to execute shell code on Cisco IOS." At that point (ISS) management was annoyed.... They were like, "Mike, your new research project is Cisco IOS. Go find out how to exploit bugs on Cisco IOS so we can prove these people wrong."'"

8 of 194 comments (clear)

  1. Finding vulnerabilities != being a criminal by Zweideutig · · Score: 3, Insightful

    I am tired of hearing about people basically volunteering to audit software and find problems, and then get accused for it. Lets go after the crackers that just read securityfocus for the latest exploit, and then exploit it so they can "vandalize." UNIX (the kind under the UNIX trademark) had many weaknesses that made it luaghably insecure in its day, but dedicated hackers (not crackers, I mean skilled creators) found many vulnerabilities, which of course were fixed and UNIX (including the *BSD derivatives and branded UNIX such as Solaris) has become quite secure today thanks to this. I apprieciated the effort of those who contributed their findings. There is a difference between reporting a broken safe lock in a bank, and exploiting it to obtain the contents (robbery.) This ignorance irritates me.

    --
    Powered by caffeine and sugar; BSD
  2. Get your forbidden fruit here by tomhudson · · Score: 2, Informative
    Well, they weren't exactly able to keep it out of other peoples' hands, even after threats, and destroying CDs, and ripping pages out of the presentation booklets.

    You can get your copy lynne-cisco.zip from cryptome.org.

  3. Offtopic: Moderation anomoly? by imuffin · · Score: 2, Funny

    Does anyone think it's odd that of the last seven stories, not a single one has a comment modded higher than 3? What's up?

    ---
    funny commercials

  4. Let's at least get close to reality here... by djrogers · · Score: 2, Insightful

    He didn't reveal ANY vulnerabilities in IOS. I'm going to say this again, slowly: Micheal ... Lynn ... did ... not ... reveal ... any ... new ... vulnerabilities ... in ... IOS.

    What he did was prove that existing and future vulnerabilities in IOS _could_ be exploited to run shellcode, while it was previously thought that a DoS was the 'best' a hacker could do to an IOS box. He used a 4-5 month old (patched) vulnerability to demonstrate this...

    --
    Think outside the... Hey, where'd the friggin' box go?
  5. MOD PARENT UP by Trogre · · Score: 2, Funny

    prove him wrong

    --
    "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
  6. Take care getting Cisco patches - compromised! by AYeomans · · Score: 2, Interesting
    Goto http://www.cisco.com/cgi-bin/login
    Let the authentication fail and read the following:

    IMPORTANT NOTICE:
    • Cisco has determined that Cisco.com password protection has been compromised.
    • As a precautionary measure, Cisco has reset your password. To receive your new password, send a blank e-mail, from the account which you entered upon registration, to cco-locksmith@cisco.com. Account details with a new random password will be e-mailed to you.
    • If you do not receive your new password within five minutes, please contact the Technical Support Center.
    • This incident does not appear to be due to a weakness in Cisco products or technologies.
    --
    Andrew Yeomans
  7. Intentions/methods notwithstanding by MECC · · Score: 2, Insightful

    Whether or not Mike Lynn did what he did out of ego, altruism, professional integrity, or whether or not it fell within the normal bounds of how to disclose a vulnerability, while interesting discussions, are perhaps less interesting than the possibility that Cisco wanted to spin their way out, rather than code their way out.

    If [cC]isco adopts the spinout method of handling vulnerabilities, or if that mentality takes hold within their corporate culture, the impact on the internet will without question be swift and negative. True, they'll get also get swiftly eclipsed by competitors, but in the meantime there would be Internet-wide trouble.

    --
    "We are all geniuses when we dream"
    - E.M. Cioran
  8. Well, Mike's a lot more than an admin... by Svartalf · · Score: 2, Interesting

    Computer/Network Systems Engineer would be a more accurate description. He's designed his own, and the very first, wireless intrusion detection and prevention system (Intrusion prevention? Yep- AirIDS was designed to chaff and other things to make it very difficult for a snooper to obtain a solid lock on an AP's WEP key without needing WPA upgrades...). I remember having numerous conversations with him about it while we were working on projects at Coollogic when they were still just doing set-top boxes. There was a difference of opinion on several levels with some of the management and he quit (for good reason...won't go into details there) which was a disappointment to me because the management that was the problem was fired (Which would tickle him to no end, along with all the details about the same...)

    Right now, I'm one of the people waiting to line up to give the man a shiny new job- and one in the same arena that he's been working in for the past 3-4 years running. I'm just trying to find a way to reach him since all my contact means have kind of gone poof with him being dismissed from ISS as a researcher. Any of you all that know Mike personally, I'd love to get contact info from him so I can get back in touch at the very least.

    --
    I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas