Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Researcher Resigns Over New Cisco Router Flaw

Posted by samzenpus on Thu Jul 28, 2005 07:02 AM
from the don't-go-down-with-the-ship dept.
Security News IT
An anonymous reader writes "Michael Lynn, formerly a researcher for Internet Security Systems resigned today rather than conceal his research into serious new flaws in Cisco routers, according to stories at Washingtonpost.com and CRN. Interestingly, Cisco says the the problem is not a security vulnerability, although it chided Lynn for not going through proper vulnerability disclosure channels. Both stories note that Lynn is in danger of being sued by Cisco for revealing the information, details of which were pulled at the last minute from the materials handed out to Black Hat attendees." Update: 07/28 12:23 GMT by Z : SimilarityEngine writes "Cisco and ISS are filing a law suit against Michael Lynn and the management of the Black Hat Conference, following Lynn's presentation discussing a vulnerability in IOS."
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Researcher Resigns Over New Cisco Router Flaw 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • It's All Good... (Score:5, Funny)

    by Cytlid (95255) * on Thursday July 28 2005, @07:07AM (#13184318) Homepage
    It's ok, really it is. Karl Rove gave him the information.

  • Hmmm, perhaps he needs whistleblower protection? (Score:5, Interesting)

    by meburke (736645) on Thursday July 28 2005, @07:07AM (#13184320)
    As dependent on as our economy is upon routers, and Cisco in particular, it seems that his disclosure was definitely in the public interest, and if he isn't entitled to whistleblower protection, we need to mount a campaign to get him protected. Write your Congressoid.

    • Why? (Score:5, Interesting)

      by MyNameIsFred (543994) on Thursday July 28 2005, @07:19AM (#13184363)
      The articles cited are light on details. But nowhere do the articles suggest that Cisco was burying the flaw. In fact, the opposite is indicated. ISS and Cisco are apparently working on a fix. In my mind whistle blower protection is valid if the whistle blower is uncovering corruption. Which does not appear to be the case here. Based on the information presented, the system was working on the problem, he just wasn't happy with it.

          • What idiots modded this thread informative? (Score:5, Insightful)

            by wcdw (179126) on Thursday July 28 2005, @12:12PM (#13187345) Homepage
            As you've already been told, Lynn did NOT work for Cisco, nor does ISS work "for / with" them. The mutual effort was a result of Lynn finding the flaw in the first place, and notifying them about it.

            Four months ago.

            However, the more damningly flawed portion of your argument is that 'now Cisco doesn't have time to fix the problem'. <snort>

            Could you please provide proof that this flaw hasn't been actively exploited since even before the time at which Lynn found it?

            It is, needless to say, impossible to prove a negative.
  • In TFA, Cisco themselves said that he did not disclose any new vulnerabilies... so... what is the BFD?

    Later, Cisco said it was all bent out of shape because they follow an "industry established disclosure process" and because Mr. Lynn "illegally" obtained the information...

    Hey, Cisco, I have news for you. "Industry established disclosure process" != "Law"

    Get over yourselves, admit that you're a bunch of fuckups that can't make secure networking equipment, and move along..
    • Where does it at all apply that the one follows from the other? Presumably they are saying that he was involved in confidential research into the flaws and was not supposed to make any statement on his own. His simply quitting the company does not remove his obligations. He was not some outside agent who found out about this flaw independantly and cannot be expected to be treated as such.
    • The latest update (here [washingtonpost.com], but expect more updates at http://blogs.washingtonpost.com/securityfix/ [washingtonpost.com]) says that he "is said to have illegally reverse-engineered Cisco source code" (why bother reverse-engineering sources?*) to discover the vulnerability and that Cisco and ISS had four months of work in progress on the issue before this presentation.

      He may have misused information from his former job at ISS and be operating outside the bounds of his ISS employee contract allowed him to act.

      *: I can see how, if th

  • Contact for Cisco's Point man on this (Score:3, Informative)

    by putko (753330) on Thursday July 28 2005, @07:24AM (#13184400) Homepage Journal
    Our friend Mojgan Khalili is the Cisco employee mentioned in the article, who said the security researcher broke the law -- "It is especially regretful, and indefensible, that the Black Hat Conference organizers have given Mr. Lynn a platform to publicly disseminate the information he illegally obtained."

    If you'd like to write to Mojgan and say that you don't like their attitude toward full disclosure, or their attack on the guy who's working hard to make things secure, here is his information.

    If nothing else, you could ask him "what law did the guy break, biatch!?!"

    Mojgan Khalili
    Cisco Systems, Inc.
    978-936-1297
    mkhalili@cisco.com

        • Re:Mod Parent Down! (Score:4, Insightful)

          by MikeBabcock (65886) <mtb-slashdot@mikebabcock.ca> on Thursday July 28 2005, @09:18AM (#13185321) Homepage Journal
          Ok, how's this, its perfectly reasonable to put out publically his E-mail address at work, but I expect nobody to post photos or personal addresses or wife's name, or anything like that.

          *Personal* attacks should never be used, even against someone who might deserve it; it misrepresents our ideology.

          However, a personal complaint about corporate policy is perfectly reasonable.

          "Why is it that you, representing Cisco said that ... "

  • Responsible Behavior? (Score:5, Insightful)

    by Cmdr. Marille (189584) on Thursday July 28 2005, @07:26AM (#13184407)
    I can't help but wonder, if this in the end really about gaining some publicity and in the end making more money.

    Cisco is actually very upfront and cooperative when you report things which might be a vulnerability (I have personally dealt with PSIRT). The people who work there are actually so polite, it's kind of annoying (I have been thanked about 2 dozen times for reporting a very minor finding).

    They do however expect you to play by the rules. Even if you are the person who found a bug, you are expected to let Engineers fix the bug before you release the information.
    Also, there is policy in place, which makes sure major ISPs (Carriers) are informed first, so they can do upgrades before the PSIRT release is made public.

    All that makes sense, since we are really talking about essential infrastructure.

    Of course, all that kind of takes away the coolness of reporting a vulnerability and you will get a lot less publicity (cisco credits you) than what you would get, if you just post to some mailing list.

    If he really released information he researched at ISS without consent, well, he should face consequences. Because I obviously was to gain from it (getting a new job, making a name or himself). Hopefully he wasn't just doing it for the publicity.

    • "Cisco credits you"-when they're not attacking you (Score:5, Interesting)

      by toby (759) * on Thursday July 28 2005, @09:10AM (#13185255) Homepage Journal
      See the unfortunate case [kerneltrap.org] of Fernando Gont, and his attempts to responsibly disclose ICMP implementation flaws (not even a Cisco-specific problem):
      Once Fernando understood the vulnerabilities he'd found in the ICMP protocol, he began to try and safely report the problem ... To begin, he wrote an internet draft which he submitted to the IETF in August of 2004. At that time he contacted CERT/CC and NISCC, and privately notified several open source projects ... as well as larger vendors such as Microsoft, Cisco, and Sun Microsystems. ...

      Around this same time, Fernando began receiving emails from Cisco who had numerous technical questions about his solutions to the problems. He continued to reply thoroughly to all their questions, until two months later when he received an email from Cisco's lawyer claiming that Cisco held a patent on his work. He asked their lawyer for specifics, but they refused to reveal any details. For two more months this continued, until Fernando was cc'd on an email thread between Cisco, Linus Torvalds, and David Miller. Reading back through the thread, Fernando found where David Miller had asked Cisco how they could possibly patent sequence tracking as Linux had been doing it for many years, and later in the same thread Cisco noted that they had withdrawn their patent. ...

      While the patent issue was happening with Cisco, CERT/CC created a mailing list to allow vendors to communicate amongst themselves about the newly discovered vulnerability. "They blamed me for submitting my work," Fernando said in exasperation. "One of Cisco's managers of PSIRT said I was cooperating with terrorists, because a terrorist could have gotten the information in the paper I wrote!" Fernando was familiar with intellectual property arguments with last year's Slipping In The Window paper, so he had intentionally publicly published his findings to prevent it from being patented. "Then they accused me of working with terrorists, and even still tried to patent my work!" He noted that he now suspected had he actually worked exclusively with Cisco as they had requested, they probably would have managed to patent all of his ideas. ...

      Fernando also found Microsoft difficult to work with. "Microsoft's acknowledgment policy says that you must report the issues to them 'confidentially'", he explained. As he chose to contact CERT and various open source projects as well, he claimed that they refused to give him credit for the discovery. Only with much effort did he finally get them to acknowledge that he had discovered the issue.

  • Read between the lines (Score:5, Insightful)

    by Overzeetop (214511) on Thursday July 28 2005, @07:30AM (#13184427) Journal
    Okay, this sounds pretty simple. Michael Lynn finds a (new) explit of Cisco routers and its a doosey. He informs ISS, who informs Cisco. Cisco management can't believe that such a serious flaw exists, since they've know about the possibility, but its been written off as minor in the past. Lynn presses his case to his supers, and they get down and dirty with Cicso. Cisco craps its pants because the flaw is everywhere, and it's going to cost real money to fix, and could hurt company Q results.

    Cisco agrees with ISS taht they're going to do something about it, but it's going to take a bunch of resesarch and time. They'll keep it quiet for a few years while they put th fix in the pipline for new models. They'll work on a firmware fix, but its back burner as long as the explot isn't public. If ISS keeps its mouth shut, they can still do work for Cisco.

    Lynn hears that his research is to be hush-hush, and that Cisco will work on it, but it could be a while before there's an actual patch. No arguing that the flaw is critical will make ISS management, with a financial gun to its head, budge.

    Lynn flips ISS the bird, 'cause he thinks its a major security issue, and presents his research anyway. Cisco and ISS claim they're working ont it, and that its and old flaw, and nothing really serious. And they're quietly looking for a man to fir Lynn with concrete shoes for blowing their cover.

    Seems pretty clear to me.

  • Existing security vulnerabilities? (Score:5, Insightful)

    by Saggi (462624) on Thursday July 28 2005, @07:38AM (#13184472) Homepage
    Contradiction?

    Quote: "It is important to note that the information Mr. Lynn presented was not a disclosure of a new vulnerability or a flaw with Cisco IOS software. Mr. Lynn's research explores possible ways to expand exploitations of existing security vulnerabilities impacting routers."

    Quote: "... Mr. Lynn a platform to publicly disseminate the information he illegally obtained."

    If his research regards known and exsisting vulnerabilities how could they be illegal obtained? This can only happen if Cisco sits on the vulnerabilities for some time. If this is the case its a poor excuse by Cisco to state that its not a new vulnerability.

    In my humble opinion its new when first made public. ... and I can never find out why pople can get sued for disclosure of something dangerous to a lot of costumers.

    If I use their routers I would like to know if they can be hacked. If they can get hacked I would like the oppotunity to take them offline if I need to protect my business.

    If I don't have that oppotunity - and I loose data/values/etc due to an attack, I'll have to keep Cisco responsible.

  • Full Disclosure (Score:4, Insightful)

    by miffo.swe (547642) <daniel&solle,se> on Thursday July 28 2005, @07:39AM (#13184480) Homepage Journal
    I dont believe in keeping an exploit away from the public until the vendor gets his thumbs out of the dark place that smells funny. First of all i really think much more work needs to be put down into securing the systems before they are released, this includes various linux vendors. Its insane today with the user being the Q&A and security department for the vendors.

    Full disclosure is a nice cushion for people who really didnt do their job in the first place. It doesnt in no way help the users. Before the exploit is released publicly you can bet your backside its used for company spying and other shoddy activities.

    A company shouldnt be afraid of scriptkiddies, theyre harmless compared to their competitors armed with their most secret info. Full disclosure makes it possible for a company to atlest try to mitigate that threat. Other disclosure puts them in the whims of the vendors.

  • Lawsuit? Lynn says "bring it on" (Score:5, Interesting)

    by kriegsman (55737) on Thursday July 28 2005, @07:44AM (#13184506) Homepage
    From today's Wall Street Journal:
    When Mr. Lynn took the stage yesterday, he was introduced as speaking on a different topic, eliciting boos. But those turned to cheers when he asked, "Who wants to hear about Cisco?" As he got started, Mr. Lynn said, "What I just did means I'm about to get sued by Cisco and ISS. Not to put too fine a point on it, but bring it on."
    Somehow, I suspect he's going to get what he asked for.

    -Mark

  • Surely a decent way of resolving these issues (Score:3, Interesting)

    by goldcd (587052) on Thursday July 28 2005, @07:45AM (#13184508) Homepage
    that would keep all parties happy, is a modification of the current craze for bug-bounties.
    Flaw is reported, accepted and cash is paid on a daily/weekly basis until the issue is resolved.
    Submitters would get more for a complex bug that involves more work to fix it and the can happily keep their gobs shut from announcing the problem as they're getting paid to be quiet.
    Just a thought..

  • Nothing to worry about (Score:4, Funny)

    by Dachannien (617929) on Thursday July 28 2005, @07:47AM (#13184524)
    Let the Cisco network defend itself. Just like on 24. [infoworld.com]

  • Dangerous Precedent... (Score:5, Interesting)

    by gillbates (106458) on Thursday July 28 2005, @08:04AM (#13184646) Homepage Journal

    "It is our belief that the information that Lynn presented at Black Hat this morning is information that was illegally obtained and violated our intellectual-property rights,"

    Lynn decompiled Cisco's software for his research and by doing so violated the company's rights, Noh said. [emphasis added]

    So basically, Cisco is claiming that decompiling their object code is illegal.

    Isn't it a greater violation of the customer's rights to prohibit them from decompiling the code on their own equipment to check for security vulnerabilities?

    We've come to the point where corporations believe they have the right to impose conditions of operation on equipment they no longer own. If Cisco sells someone a router, the customer now owns it. Cisco doesn't have any right to impose any conditions of use on the new owner, because they no longer legally own the product. The owner has the right (and some would claim even the responsibility) to decompile their router's code to check for potential vulnerabilities.

    It seems that Cisco believes that even after they've sold it to you, they still own your router. And who knows, maybe this vulnerability was deliberately placed so they could own your router anytime they pleased...

  • Whose rights were violated again? Hmm? (Score:4, Interesting)

    by StandardCell (589682) on Thursday July 28 2005, @08:05AM (#13184659)
    The filing in US District Court for the Northern District of California asks the court to prevent Lynn and Black Hat from "further disclosing proprietary information belonging to Cisco and ISS," said John Noh, a Cisco spokesman. "It is our belief that the information that Lynn presented at Black Hat this morning is information that was illegally obtained and violated our intellectual-property rights," Noh added.

    Ok, let's look at this objectively, shall we? Proprietary information belonging to Cisco and ISS is nonsense. That information should belong to the customers who bought the router so they can take the appropriate steps; for example, a customer should be able to replace an affected router with something else if they're concerned about the problem, or modify the software on the router to alleviate the problem itself (and this is again another example of where OSS is so important).

    In terms of violating intellectual property rights, what about violating the property rights of the people who own the router? What rights do they have in this whole situation? Are they expected to sit their with their collective thumbs up their collective asses and wait randomly for a fix? Don't the people who use the routers have the right to uninterrupted network services? What happens if this router belongs to a large ISP and a DoS attack brings the router down? Are they supposed to be stuck with the bill? I'll tell you this much - if this happened, Cisco would never credit them with the cost of service refunds to their end customers. Of course, this would be hypocritical on Cisco's part for obvious reasons, but I digress.
  • This is not a problem of disclosing a major vulnerabilty before the vulnerable company could react.

    The flaw had been privately disclosed a few months ago. Cisco, for its own reasons, didn't intend to distribute a fix before long (next year!). Too major a flaw? Publicity? Too much work already? Internal politics?

    Obviously, Michael Lynn couldn't live with the idea of leaving this flaw open, and decided to disclose it publicly, thus forcing Cisco to aknowledge it and fix it. Also obviously, this wasn't the only reason. He seemed disgusted by the industry's approach to this kind of problem.

  • I'm always amazed by this... (Score:5, Insightful)

    by Anonymous Coward on Thursday July 28 2005, @08:47AM (#13185031)
    I'm always amazed that companies think they have, or do have the right to sue someone for pointing out a flaw in their product. "Only in the software industry". If Chevy sells a new pickup that has seatbelts that don't work properly in a crash, and I find out, damn straight i'm telling the whole world. And if chevy tried to sue me for it they'd get laughed out of court. There should be absolutely no legal grounds for a company to sue someone over pointing out the flaws in their product. It's their own damn fault for not making a secure product in the first place.

    • Re:I wonder... (Score:5, Insightful)

      by lordkuri (514498) on Thursday July 28 2005, @07:09AM (#13184324)
      but couldn't he at least have waited a few weeks to see how Cisco responds

      Cisco seems to suffer from the same stupidity that most other large corporations do. They'll take a report, and sit on it for weeks, and sometimes months. Full Disclosure is usually the only way to get them to actually fix the issues in a timely manner.

      • Re:I wonder... (Score:4, Insightful)

        by turnstyle (588788) on Thursday July 28 2005, @07:51AM (#13184546) Homepage
        Would you similarly welcome the disclosure of a security flaw at your bank, hospital, etc. that granted access to your private/personal records?

        Personally, I'd probably rather the bank/hospital had a few weeks to establish a plan, rather than have to bang something out in an emergency, and whilst the records have already been made much more vulnerable.

        • Would you similarly welcome the disclosure of a security flaw at your bank, hospital, etc. that granted access to your private/personal records?

          Actually, yes I would. I'd much rather they fix or at least stopgap the issue instead of it sitting there wide open for all to see and/or exploit for months.

            • Re:I wonder... (Score:4, Insightful)

              by lordkuri (514498) on Thursday July 28 2005, @08:07AM (#13184675)
              But it only became "wide open" with the public disclosure of exactly how to exploit it.

              c'mon... you're telling me that out of 5+ billion people on this planet, that only the person that found the exploit is the one that knows about it?

              surely you're not that niaeve?

              • Re:I wonder... (Score:4, Interesting)

                by garcia (6573) * on Thursday July 28 2005, @08:20AM (#13184795) Homepage
                c'mon... you're telling me that out of 5+ billion people on this planet, that only the person that found the exploit is the one that knows about it?

                We know, from the last time a story about this topic was posted, that Cisco was alerted to the issue and had supposedly "been working on a fix" during that time.

                So, no, we aren't that dumb -- what's dumb is that they believe that they can threaten people with lawsuits to keep them quiet.

                This is nothing but a corporate scare tactic to keep people from disclosing issues w/their shit in the future.

            • Re:I wonder... (Score:4, Informative)

              by hetairoi (63927) on Thursday July 28 2005, @09:56AM (#13185761) Homepage
              But it only became "wide open" with the public disclosure of exactly how to exploit it.

              He used an already patched exploit to show the vuln. He only showed how easy it would be were you to find a new, unpatched exploit.

              Also, from an interview at security focus [securityfocus.com]

              "It has been confirmed that bad people are working on this (compromising IOS). The right thing to do here is to make sure that everyone knows that it's vulnerable."

              The bad guys already know about this, Lynn believes it's time the rest of us found out.

        • Re:I wonder... (Score:5, Insightful)

          by schon (31600) on Thursday July 28 2005, @08:09AM (#13184693) Homepage
          I'd probably rather the bank/hospital had a few weeks to establish a plan, rather than have to bang something out in an emergency, and whilst the records have already been made much more vulnerable.

          Your preference suffers from the flawed (although typically wide-spread) assumtion that only one person is smart enough to discover the flaw.

          If a white hat can discover it, then a black hat can too - and black hats are constantly looking. Vulnerabilities need to be *FIXED*, not discussed for weeks in private meetings.

          • Re:I wonder... (Score:4, Interesting)

            by nasor (690345) on Thursday July 28 2005, @09:46AM (#13185663)
            You often hear that, but I wonder if it's always a valid line of reasoning. Do you think it's more of a risk for a few malicious people to possibly know about an exploit while the company takes its time fixing the problem, or for the entire world to definitely know about it while the company scrambles to cobble together a quick fix?

            Some security flaws require such detailed technical understanding of the systems involved that not many people are really likely to uncover them. If a professional security researcher with very specialized knowledge who works full time trying to uncover new exploits succeeds in finding something, it doesn't n necessarily follow that many other people will, or even that anyone else will. It's certainly possible that someone else will find it, but I think people should try to balance the possibility of some malicious people knowing about the flaw for a long time against the certainty of everyone knowing about the flaw for a shorter time.

        • Re:I wonder... (Score:5, Interesting)

          by abaddon314159 (606227) on Thursday July 28 2005, @09:19AM (#13185327)
          I am Michael Lynn...I'd like to clarify things

          Cisco was notified of the vulnerability in question many months ago and the issue has been patched for about 3 months now.

          Furthermore I did not disclose the details of this vulnerability at all. The presentation was merely a demonstration that IOS was exploitable just like any other OS.

          • Re:I wonder... (Score:5, Informative)

            by saridder (103936) on Thursday July 28 2005, @09:26AM (#13185413) Homepage
            Not sure if you really are Mike, but your facts are 100% correct. It wasn't a new vulnerability, just a new way to exploit a known vulnerability which has already been patched. Also, if I read correctly, you need to be directly connected to the router to execute the vulnerability; it's a not a remote attack.

      • Re:I wonder... (Score:5, Interesting)

        by n0-0p (325773) on Thursday July 28 2005, @07:59AM (#13184604)
        That was true a few years ago, but its rarely the case these days. Once you contact the correct people at the vendor they generally move fairly quickly to resolve the issue. Independant researchers can contact CERT and they'll handle all of this legwork for you and make sure you get the credit. Of course the patching process still takes time for development, porting across platforms, and regression testing. So you do have to cut the vendors some slack.

        In the case of ISS there's almost no excuse for not getting some serious cooperation from the vendor. ISS has the weight and all the contacts they need to notify the vendors and get a fairly quick response. This was either an extreme circumstance, or Michael had another job lined up and he wanted to exit with a big splash. For that matter, he may have just made enough noise about his Blackhat presentation that he didn't want to have to pull it back.

        On an entertaining side note, Blackhat actually reburned all the CD's and cut his section out of the convention notes. Cisco must have come down pretty heavy for them to pull such a strong CYA move.

      • Re:I wonder... (Score:4, Insightful)

        by thogard (43403) on Thursday July 28 2005, @08:01AM (#13184621) Homepage
        Months? There are outstanding issues on their 2900 switches that have been unfixed there for years.

        I don't buy cisco gear anymore.

    • Re:I wonder... (Score:5, Insightful)

      by xappax (876447) on Thursday July 28 2005, @07:13AM (#13184337)
      Companies like Cisco, Microsoft, etc. are generally made to look really bad when security flaws are exposed in their products.

      The way they prefer it to go is that someone contacts them secretly, tells them the hole, and they can have it fixed all up by the time the vulnerability is published.

      Then they get to look super-secure, since they were "too quick" for the bad hackers.

      Some people, however, think that the only thing that'll get companies to take security more seriously is if they are actually made to look really bad, and maybe some of their products actually get hacked.

      Unfortunately, when you're dealing with some giant businesses cost/benefit analysis, the only thing that can get them to take notice is a little carnage.

      Is it worth it? I dunno, but it's certainly arguable.

      • Re:I wonder... (Score:5, Interesting)

        by Cereal Box (4286) on Thursday July 28 2005, @07:41AM (#13184489)
        The way they prefer it to go is that someone contacts them secretly, tells them the hole, and they can have it fixed all up by the time the vulnerability is published.

        Then they get to look super-secure, since they were "too quick" for the bad hackers.

        ... And this happens in the Open Source world too. Mozilla, for instance, has "classified" bugs, which are not opened up to the public until a fix (or whatever) is available. Take for instance, the Windows chrome:// bug from a few months to a year ago. They sat on it for over a year (and it was classified, of course), and didn't do anything until an exploit appeared in the wild. The fix was issued right away. "Too quick" for the hackers, indeed.

        What I'm getting at is don't say that this sort of behavior is limited solely to closed source software. No one wants to have the pressure of handling a security fix WHILE an exploit is out in the wild. Would you rather have the opportunity to fix a security flaw while no one else (but the person who discovered it) knew about it, or would you prefer the person who discovered it announce it to the world and release an exploit first?
        • It seems like a pretty basic concept, but I guess it should be pointed out that just because an exploit hasn't been presented by a security professional at Black Hat doesn't mean there aren't some sleazy Croatian identity thieves (for example) who are abusing this vulnerability left and right.

          As long as it's a secret that only a few seriously malicious hackers know, the cost to Cisco is virtually nill. "Oh, your network got hacked? Well, it sure wasn't through your Cisco routers: check it out - we've go

    • Re:I wonder... (Score:5, Insightful)

      by Tet (2721) <slashdot.astradyne@co@uk> on Thursday July 28 2005, @07:13AM (#13184340) Homepage Journal
      couldn't he at least have waited a few weeks to see how Cisco responds

      Yes, he could. But then again, I suspect he already did. The traditional approach was to tell the vendor, and announce the flaw publicly 28 days later. That gave a vendor sufficient time to code and test a patch. However, many vendors (and Cisco seem to be particularly bad about this) sit on problems like this for several months and take no immediate action. I'd be far from surprised to hear Cisco were notified of this 3 months ago, hence Lynn's frustration and his decision to publicly talk about the flaw. I don't actually know what happened, and the above is just speculation. I suspect there's more than a grain of truth to it, though.

      • Re:I wonder... (Score:4, Insightful)

        by leonmergen (807379) * <(moc.liamg) (ta) (negreml)> on Thursday July 28 2005, @07:17AM (#13184355) Homepage

        Yes, he could. But then again, I suspect he already did.

        From the article:

        "The decision was made on Monday to pull the presentation because we wanted to make sure the research was fully baked."

        In other words, the research was not even finished yet. Isn't that a little impatient, and might there be a little chance that the researcher in question would have liked the attention he would've gotten if he presented this information at Black Hat, which was part of why he made the decision to pull out the information anyway ?

    • Re:I wonder... (Score:4, Informative)

      by takkaria (782795) <takkaria@NoSPaM.gmail.com> on Thursday July 28 2005, @07:18AM (#13184360) Homepage
      He told them in April, according to BoingBoing [boingboing.net], and they still hadn't fixed the problem totally.
    • Well if you worked for the Secret service and knew that the president was having young girls kidnapped so he could rape them would you keep your mouth shut? It's about scruples. These flaws seriousally bother this man to the point that he is willing to give up his career and life as he knows it to get the information out.

      this means it is very big, probably one of those one person can disable the whole net easily or snoop on all internet traffic without traceability.

      I know of people that quit their jobs to

      • Professional Obligation (Score:4, Interesting)

        by randyflood (183756) on Thursday July 28 2005, @10:37AM (#13186174) Homepage Journal
        Two words "Professional obligation".

        There used to be two general ways to handle security flaws when you discovered them. Either you could privately exploit the hell out of them. Or you could just privately report them to the company involved and wait patiently for them to release a fix.

        However there is a big problem with this particular model. The problem is that companies like Cisco, Microsoft, etc. don't really seem to think that exploits that allow people to remotely execute administrator level code are really that big of deal, and they figure that they can just create a patch when "we get around to it" or "next year".

        Meanwhile, do you really think that you are the only person in the entire world who is guaranteed to find the exploit? The black hats of the world have probably already found the exploit anyway in many cases. It's just the customers who are suffering because a patch is not available.

        This model of waiting around forever was a dismal failure. So, security professionals found that by publicly releasing their findings, they could force companies to take security more seriously. The responsible way to do this is to first inform the company privately of your finding, and give them a reasonable chance to fix it.

        What you think is reasonable is up to you, *not* them. They are playing by your rules. You are not playing by theirs. Remember, that you are being nice to them by not just publicly releasing the exploit the day that you found it. So, they should respect that. If they do not, that is their problem. Still, as a professional, you should rise above them and try to give them a reasonable time to fix the problem.

        Now in this case, what he did was he informed them 4 months ago of the vulnerability along with a proof of concept. They decided not to fix the problem. They claimed there was no problem. He waited patiently for *4 months*. They said that this wasn't really a vulnerability. Then, they knew well in advance of his presentation at Black Hat, and yet they still chose not to fix the problem.

        So, what is he supposed to do? As a security professional, it is his ethical obligation to publicly disclose his findings at that point.

        In conclusion, Cisco should spend more money on engineers instead of lawyers.

    • Re:new flaws (Score:5, Interesting)

      by megla (859600) on Thursday July 28 2005, @07:13AM (#13184339)
      The thing is (from what the articles say) it's not about one particular flaw. It's that ANY overflow flaw can be exploited to take control of Cisco IOS, which is bad news. Add Cisco's plan to abstract the hardware from IOS and then you've got a major problem. Basicly, it's about time Cisco implimented some form of DEP protection offered by current Intel and AMD processors + software, to prevent this from being an issue. Or check their bloody code of course.

    • Re:Cisco has gone downhill recently (Score:5, Insightful)

      by wikki (13091) on Thursday July 28 2005, @07:13AM (#13184342)
      I must have missed the "master password" thing.

      As far as Cisco going down hill I don't really agree with that. Currently Cisco is expanding their product offerings into new unexplored territories such as IP Telephony. I have installed and supported several of these systems. As long as you follow thier design, install, and support guidelines they are as robust and as problem free as any other platform that i've worked with.

      I think most people on Slashdot understand the complexities of the internet world. A minor change here can have a huge, uexpected, impact across the network or application. However, if time tested procedures for upgrades and testing are followed nothing has really changed. I think what may be giving a Cisco a bad name is all of the under qualified people out there installing their systems. The MS world of patch it, reboot, and go about your business does not fly when you critical systems are involved.

      • Re:Cisco has gone downhill recently (Score:5, Informative)

        by lordkuri (514498) on Thursday July 28 2005, @07:15AM (#13184350)
        I must have missed the "master password" thing.

        That was from a while back. They had set up a master "backdoor" password in a version of IOS and ended up getting ridiculed for it quite heavily.

        • Re:Cisco has gone downhill recently (Score:4, Interesting)

          by ciroknight (601098) on Thursday July 28 2005, @08:32AM (#13184911)
          Ridiculed? They built a backdoor into their product that was such a security flaw that it made IT professionals worldwide look at Cisco in awe. Who the hell would use a master password for a product that's going to be in the server rooms of a thousand businesses?

          I don't think "ridiculed" is the right word at all. They deserved the attention that was directed at them, as a master password is no small oversight. That'd be like Windows shipping with a master password.

        • Re:Cisco has gone downhill recently (Score:4, Interesting)

          by mysticgoat (582871) on Thursday July 28 2005, @10:00AM (#13185811) Journal

          [re "master password thing"]That was from a while back. They had set up a master "backdoor" password in a version of IOS

          So since that didn't work, they put a backdoor into the hardware, then slapped a superficial patch on the first (of a number of possible exploits) that has come to public attention. And now they are persecuting the guy who has publicized the underlying flaw, which they have neither patched nor fixed.

          So I think it is time for these questions:

          1. When did Cisco first become aware of this hardware backdoor, and was it purposefully put into place?
          2. Who have they shared this knowledge with?
          3. Who has been listening in on which routers, for how long have they been doing it, and for what purpose?

          I guess I'd better get myself a new tinfoil hat. This one is worn out...

    • How do you apt-get hardware?

      The point of buying a router is efficiency. Otherwise get a switch and a 386 running BSD or Linux... Having hardware move packets is almost certainly going to be faster (and efficient) then having a general purpose processor do it.

      That said you have firmware that controls the hardware which could be "apt-get" though in reality I'd rather see an open source firmware that was also provided as binary images you could just upload.

      Do you really want some MCSE throw-back building a firmware image when they can hardly manage cmd.exe?

      hehehee sick.

      Tom

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.