Read Furor over Cisco IOS router exploit erupts at Black Hat. Is Cisco right or wrong in this case?
Update: Cisco, ISS, Michael Lynn and Black Hat sign legal accord (also see: Researcher at center of Cisco router-exploit controversy speaks out).
WRONG... IF there is a
WRONG... IF there is a serious security issue then it should be discussed. Reading that initially Cisco assisted in the research AND preparation of the materials - then freaked.... that should raise a HUGE flag for users... there must be more at risk than what was going to be in the presentation...
The lengths Cisco is going to attempting to squash any discussion or disclosure of the issue should raise many questions in itself... If they really (as the rumors going around imply) attempted to get White House involvement... does anybody really think the issue was limited to just what was in the presentation???
Think of the impact ISPs
Think of the impact ISPs could have on SPAM and all other hacking activity if they dropped customers completely? See, the customer isn't the problem - they're the source of revenue. ISPs need to deal with this issue with the assistance of, not to the detriment of, their customers. Alienating customers by implementing serious changes without notification builds animosity and distrust.
Cisco vs the Researcher
WRONG !
This smacks of typical Cisco behaviour when things don't go their way - bring out the heavy artillery (lawsuits).
Michael Lynn has done the correct thing & it looks like Cisco intend to persecute him for it.
Cisco don't like to look bad. But this sort of behaviour (destroying CDs, cutting out pages) just makes them look a whole lot worse.
They just don't get it.
Everyone screwed up....
This whole situation was f#$ed up on many fronts.
1. Once Lynn resigned, he had no rights to use the code or the presentation (copyright is a federal law, as is DMCA, since the NDA for IOS covered ISS/employees, not deserters)
2. Cisco and ISS had a really bad PR day. It's kinda like when the hairdryer dies on a humid and windy day. Now most certainly Lynn didn't leave a whole lot of negotiating room ahead of time, but still...
3. There are always proper channels, but things should have been handled by Cisco towards their customers in such channels as well. Not an "oh, by the way, we fixed it four months ago just didn't tell anyone" sort of thing.
Lynn demonstrated a technique that's been around as long as there have been programs created. He did find a specific method to use it though. One that, while interesting, does not propagate (at least at this point in time) across the ENTIRE internet.
As it's dawned on some people though (including magazines now), this is the same sort of delivery scenario that preceded one of those exciting Microsoft worms. A vulnerability highlighted at a security conference (all in the name of protection, right?) discussing a vulnerability that had been patched by Microsoft months earlier (yet again, how many people really patch on time?) and shortly thereafter some brilliant little coding dweebs figured out how to make a full-scale assault out of it...
Will that happen here? Who knows. Does that make it Cisco's fault? ISS's fault? Lynn's fault? Or the scripting guy's fault? Somehow this logic seems strikingly similar to the NRA's defending the right to own automatic or semi-automatic weapons by individuals. It's not their fault that most people who use weapons like that use them to kill people (or hunt entire flocks of ducks at one time). Right.
Pssst. The sky is falling.
Wrong, of course...
That's too easy for Cisco...
Anyway, I am more interested in the answer to the following question: this presentation had been announced, pre-published, advertised, etc... several weeks ago. So why was it blocked at the last moment?
Usual answer: this was too embarrassing for Cisco, and they couldn't solve the issue...
So they divert the talk somewhere else...
Over the line
Gradius (via Feedback form):
I've always believed that a fine balance is required to protect constitutional freedom of speech while still protecting the competitive interests of corporations.
I believe that Mr. Lynn was exercising his constitutional freedoms. There is no libel involved, simply an exposé of what can arguably be considered technical facts.
If Cisco considers information about 'exploitable hardware' to be protected under patent and non-disclosure agreements, then it doesn't quite paint a rosy picture of their approach to firmware design, does it? Last time I checked, non-robustness wasn't considered a 'feature'.
Their heavy-handed approach is a transparent attempt to shift the focus from themselves onto Mr. Lynn.
To Cisco management: Don't waste time and money suing others for highlighting your products' shortcomings. How about you rather spend the effort fixing them, eh?
RIGHT!
Cisco is obviously in the right, as proven by having more lawyers, more money and more clout than the conference organisers or Lynn. If it was wrong, then why would the injunction be in place, and why would the minnows have agreed to a legal settlement? Surely the much-vaunted US legal system protects the small guy.
Cisco vs Michael Lynn
I just wonder what Cisco is trying to achieve?
Secure networks for their customers?
This situation puts a very dark shadow on the marketing message about security, the internet etc.
I think Cisco showed its real face
Michael Lynn is dirty
Michael Lynn just wanted the fame behind this exploit. Even though he used resources from ISS and information Cisco trusted to ISS to get to this point. If Cisco and ISS would have been able to present this vulnerability in a correct manner, Mr. Lynn would have not been as famous to the security community as he currently is via this stunt. Instead he put his want for fame over our national security. I hope they throw the book at him…try reverse-engineering from San Quentin, Mr. Lynn. I’m sure Bubba will launch a shell exploit in your a**
If he was an independent researcher that mentioned this to Cisco and they had done nothing to fix it, then this would be different.
are you out of your
are you out of your MIND????
throw the book at Cisco - and then file a class-action suit to put them in their place....