Researcher Resigns Over New Cisco Router Flaw 423

Posted by samzenpus
from the don't-go-down-with-the-ship dept.
An anonymous reader writes "Michael Lynn, formerly a researcher for Internet Security Systems, resigned today rather than conceal his research into serious new flaws in Cisco routers, according to stories at Washingtonpost.com and CRN. Interestingly, Cisco says the problem is not a security vulnerability, although it chided Lynn for not going through proper vulnerability disclosure channels. Both stories note that Lynn is in danger of being sued by Cisco for revealing the information, details of which were pulled at the last minute from the materials handed out to Black Hat attendees." Update: 07/28 12:23 GMT by Z : SimilarityEngine writes "Cisco and ISS are filing a lawsuit against Michael Lynn and the management of the Black Hat Conference, following Lynn's presentation discussing a vulnerability in IOS."
  • Am I the only one that's noticed that Cisco has really gone downhill in the last few years? It seems that there have been more problems found in the last 2-3 years than ever. Besides, a "master password"??? What the hell are they thinking?
    • by wikki (13091) on Thursday July 28, 2005 @08:13AM (#13184342)
      I must have missed the "master password" thing.

      As far as Cisco going downhill, I don't really agree with that. Currently Cisco is expanding their product offerings into new unexplored territories such as IP Telephony. I have installed and supported several of these systems. As long as you follow their design, install, and support guidelines they are as robust and as problem free as any other platform that I've worked with.

      I think most people on Slashdot understand the complexities of the internet world. A minor change here can have a huge, unexpected impact across the network or application. However, if time tested procedures for upgrades and testing are followed, nothing has really changed. I think what may be giving Cisco a bad name is all of the under qualified people out there installing their systems. The MS world of patch it, reboot, and go about your business does not fly when your critical systems are involved.
      • by lordkuri (514498) on Thursday July 28, 2005 @08:15AM (#13184350)
        I must have missed the "master password" thing.

        That was from a while back. They had set up a master "backdoor" password in a version of IOS and ended up getting ridiculed for it quite heavily.
        • by ciroknight (601098) on Thursday July 28, 2005 @09:32AM (#13184911)
          Ridiculed? They built a backdoor into their product that was such a security flaw that it made IT professionals worldwide look at Cisco in awe. Who the hell would use a master password for a product that's going to be in the server rooms of a thousand businesses?

          I don't think "ridiculed" is the right word at all. They deserved the attention that was directed at them, as a master password is no small oversight. That'd be like Windows shipping with a master password.
        • by mysticgoat (582871) on Thursday July 28, 2005 @11:00AM (#13185811) Homepage Journal

          [re "master password thing"] That was from a while back. They had set up a master "backdoor" password in a version of IOS

          So since that didn't work, they put a backdoor into the hardware, then slapped a superficial patch on the first (of a number of possible exploits) that has come to public attention. And now they are persecuting the guy who has publicized the underlying flaw, which they have neither patched nor fixed.

          So I think it is time for these questions:

          1. When did Cisco first become aware of this hardware backdoor, and was it purposefully put into place?
          2. Who have they shared this knowledge with?
          3. Who has been listening in on which routers, for how long have they been doing it, and for what purpose?

          I guess I'd better get myself a new tinfoil hat. This one is worn out...

  • by Cytlid (95255) * on Thursday July 28, 2005 @08:07AM (#13184318)
    It's ok, really it is. Karl Rove gave him the information.
  • by meburke (736645) on Thursday July 28, 2005 @08:07AM (#13184320)
    As dependent as our economy is upon routers, and Cisco in particular, it seems that his disclosure was definitely in the public interest, and if he isn't entitled to whistleblower protection, we need to mount a campaign to get him protected. Write your Congressoid.
    • Why? (Score:5, Interesting)

      by MyNameIsFred (543994) on Thursday July 28, 2005 @08:19AM (#13184363)
      The articles cited are light on details. But nowhere do the articles suggest that Cisco was burying the flaw. In fact, the opposite is indicated. ISS and Cisco are apparently working on a fix. In my mind whistleblower protection is valid if the whistleblower is uncovering corruption. Which does not appear to be the case here. Based on the information presented, the system was working on the problem, he just wasn't happy with it.
      • Re:Why? (Score:2, Interesting)

        by Fenresulven (516459)
        In fact, the opposite is indicated. ISS and Cisco are apparently working on a fix.

        For four months... Come on, how long should he be required to wait?
      • by 4of12 (97621)
        uncovering corruption. Which does not appear to be the case here.

        Can't say for sure. But two points:

        1. It costs Cisco a lot of money to quickly put their best people onto researching the problem, coming up with a fix, testing, and distributing it to installed sites. The faster they have to do this, or even if they have to do it at all, costs them money. Since they're in business to make money (reduce costs) you can see where this line of reasoning might carry management that was completely focussed on the
    • not applicable... (Score:2, Informative)

      by John Seminal (698722)
      you can't get whistleblower protection under these circumstances.

      you could get protection if you come out and reveal your employer is a racist who told you he refuses to comply with the law and hire blacks, or fired women who got pregnant rather than give them the benefits the law requires.

      I think this guy might go to jail for what he did.

      Lynn is in danger of being sued by Cisco for revealing the information, details of which were pulled at the last minute from the materials handed out to Black Hat at

      • you could get protection if you come out and reveal your employer is a racist who told you he refuses to comply with the law and hire blacks, or fired women who got pregnant rather than give them the benefits the law requires.

        Yeah... your definition of whistleblower protection is a little bit too narrow mmmmmkay?

        Whistleblower protection covers any number of criminal acts. Fortunately for most companies, having giant gaping security holes isn't illegal. However, whistleblower protection would also a
      • Re:not applicable... (Score:3, Informative)

        by lachlan76 (770870)
        Umm you do know that Black Hat is a security conference? Mostly attended by security professionals?
    • I agree that disclosure, in general, is clearly in the public interest, but this cannot always be the case.

      We simply do not have enough details here to declare this disclosure "good" or "bad." Although Cisco is claiming the information was on vulnerabilities that have been fixed, that could be a PR move to stave off a stock plummet or put a stop to proliferation of the information to those that may want to use the vulnerability to bad ends.

      We also can't be sure of what "fixed" truly means. How tested

  • Actually, one of the questions I have is how new the flaws really are. They have been patched, but how long ago? How much upgrading has been done? If it had been widely upgraded I suppose Cisco would have less reason to fear disclosure
    • Re:new flaws (Score:5, Interesting)

      by megla (859600) on Thursday July 28, 2005 @08:13AM (#13184339)
      The thing is (from what the articles say) it's not about one particular flaw. It's that ANY overflow flaw can be exploited to take control of Cisco IOS, which is bad news. Add Cisco's plan to abstract the hardware from IOS and then you've got a major problem. Basically, it's about time Cisco implemented some form of DEP protection offered by current Intel and AMD processors + software, to prevent this from being an issue. Or check their bloody code of course.
      • Basically, it's about time Cisco implemented some form of DEP protection offered by current Intel and AMD processors + software, to prevent this from being an issue.

        That's a nice thought, but most IOS platforms run on PowerPC, so what Intel and AMD have is rather irrelevant. (Not that PPC doesn't have something similar, of course.)

  • by EmagGeek (574360) <gterich&aol,com> on Thursday July 28, 2005 @08:12AM (#13184336) Journal
    In TFA, Cisco themselves said that he did not disclose any new vulnerabilities... so... what is the BFD?

    Later, Cisco said it was all bent out of shape because they follow an "industry established disclosure process" and because Mr. Lynn "illegally" obtained the information...

    Hey, Cisco, I have news for you. "Industry established disclosure process" != "Law"

    Get over yourselves, admit that you're a bunch of fuckups that can't make secure networking equipment, and move along..
    • Where does it at all apply that the one follows from the other? Presumably they are saying that he was involved in confidential research into the flaws and was not supposed to make any statement on his own. His simply quitting the company does not remove his obligations. He was not some outside agent who found out about this flaw independently and cannot be expected to be treated as such.
    • The latest update (here [washingtonpost.com], but expect more updates at http://blogs.washingtonpost.com/securityfix/ [washingtonpost.com]) says that he "is said to have illegally reverse-engineered Cisco source code" (why bother reverse-engineering sources?*) to discover the vulnerability and that Cisco and ISS had four months of work in progress on the issue before this presentation.

      He may have misused information from his former job at ISS and be operating outside the bounds within which his ISS employee contract allowed him to act.

      *: I can see how, if th
  • by putko (753330) on Thursday July 28, 2005 @08:24AM (#13184400) Homepage Journal
    Our friend Mojgan Khalili is the Cisco employee mentioned in the article, who said the security researcher broke the law -- "It is especially regretful, and indefensible, that the Black Hat Conference organizers have given Mr. Lynn a platform to publicly disseminate the information he illegally obtained."

    If you'd like to write to Mojgan and say that you don't like their attitude toward full disclosure, or their attack on the guy who's working hard to make things secure, here is his information.

    If nothing else, you could ask him "what law did the guy break, biatch!?!"

    Mojgan Khalili
    Cisco Systems, Inc.
    978-936-1297
    mkhalili@cisco.com
    • Dear Mr Slashdotter,

      I represent our friend Mojgan Khalili who has recently come into some large sums of money. It turns out that CISCO has been paid by many Blackhatters to leave security vulnerabilities in their software. I am unable to have the money in my account as I am currently on the board of directors, but I feel terrible over what my company has been doing.

      I request that you allow me to transfer the money to your account, so that it may eventually be transferred to Michael Lynn's account. For
    • If nothing else, you could ask him "what law did the guy break, biatch!?!"

      How mature. I'm sure you'll make exactly the point you intend to make that way.
  • I know, I know. Mod me redundant. This is slashdot. The editors are on crack. Who Rs TFing A? But really. Not a security flaw? No, Cisco said it wasn't a NEW security flaw, but an extension of older ones. There's kind of a difference between "Not" and "Older-but-born-again". Mod me into oblivion now.
  • by Cmdr. Marille (189584) on Thursday July 28, 2005 @08:26AM (#13184407)
    I can't help but wonder if this is in the end really about gaining some publicity and in the end making more money.

    Cisco is actually very upfront and cooperative when you report things which might be a vulnerability (I have personally dealt with PSIRT). The people who work there are actually so polite, it's kind of annoying (I have been thanked about 2 dozen times for reporting a very minor finding).

    They do however expect you to play by the rules. Even if you are the person who found a bug, you are expected to let Engineers fix the bug before you release the information.
    Also, there is policy in place, which makes sure major ISPs (Carriers) are informed first, so they can do upgrades before the PSIRT release is made public.

    All that makes sense, since we are really talking about essential infrastructure.

    Of course, all that kind of takes away the coolness of reporting a vulnerability and you will get a lot less publicity (cisco credits you) than what you would get, if you just post to some mailing list.

    If he really released information he researched at ISS without consent, well, he should face consequences. Because he obviously was to gain from it (getting a new job, making a name for himself). Hopefully he wasn't just doing it for the publicity.
    • by justins (80659)
      I can't help but wonder if this is in the end really about gaining some publicity and in the end making more money.

      It's hard to imagine giving the finger to his employer in a very public manner was good for his long term employability.
    • by toby (759) * on Thursday July 28, 2005 @10:10AM (#13185255) Homepage Journal
      See the unfortunate case [kerneltrap.org] of Fernando Gont, and his attempts to responsibly disclose ICMP implementation flaws (not even a Cisco-specific problem):
      Once Fernando understood the vulnerabilities he'd found in the ICMP protocol, he began to try and safely report the problem ... To begin, he wrote an internet draft which he submitted to the IETF in August of 2004. At that time he contacted CERT/CC and NISCC, and privately notified several open source projects ... as well as larger vendors such as Microsoft, Cisco, and Sun Microsystems. ...

      Around this same time, Fernando began receiving emails from Cisco who had numerous technical questions about his solutions to the problems. He continued to reply thoroughly to all their questions, until two months later when he received an email from Cisco's lawyer claiming that Cisco held a patent on his work. He asked their lawyer for specifics, but they refused to reveal any details. For two more months this continued, until Fernando was cc'd on an email thread between Cisco, Linus Torvalds, and David Miller. Reading back through the thread, Fernando found where David Miller had asked Cisco how they could possibly patent sequence tracking as Linux had been doing it for many years, and later in the same thread Cisco noted that they had withdrawn their patent. ...

      While the patent issue was happening with Cisco, CERT/CC created a mailing list to allow vendors to communicate amongst themselves about the newly discovered vulnerability. "They blamed me for submitting my work," Fernando said in exasperation. "One of Cisco's managers of PSIRT said I was cooperating with terrorists, because a terrorist could have gotten the information in the paper I wrote!" Fernando was familiar with intellectual property arguments with last year's Slipping In The Window paper, so he had intentionally publicly published his findings to prevent it from being patented. "Then they accused me of working with terrorists, and even still tried to patent my work!" He noted that he now suspected had he actually worked exclusively with Cisco as they had requested, they probably would have managed to patent all of his ideas. ...

      Fernando also found Microsoft difficult to work with. "Microsoft's acknowledgment policy says that you must report the issues to them 'confidentially'", he explained. As he chose to contact CERT and various open source projects as well, he claimed that they refused to give him credit for the discovery. Only with much effort did he finally get them to acknowledge that he had discovered the issue.

  • by Overzeetop (214511) on Thursday July 28, 2005 @08:30AM (#13184427) Journal
    Okay, this sounds pretty simple. Michael Lynn finds a (new) exploit of Cisco routers and it's a doozy. He informs ISS, who informs Cisco. Cisco management can't believe that such a serious flaw exists, since they've known about the possibility, but it's been written off as minor in the past. Lynn presses his case to his supers, and they get down and dirty with Cisco. Cisco craps its pants because the flaw is everywhere, and it's going to cost real money to fix, and could hurt company Q results.

    Cisco agrees with ISS that they're going to do something about it, but it's going to take a bunch of research and time. They'll keep it quiet for a few years while they put the fix in the pipeline for new models. They'll work on a firmware fix, but it's back burner as long as the exploit isn't public. If ISS keeps its mouth shut, they can still do work for Cisco.

    Lynn hears that his research is to be hush-hush, and that Cisco will work on it, but it could be a while before there's an actual patch. No arguing that the flaw is critical will make ISS management, with a financial gun to its head, budge.

    Lynn flips ISS the bird, 'cause he thinks it's a major security issue, and presents his research anyway. Cisco and ISS claim they're working on it, and that it's an old flaw, and nothing really serious. And they're quietly looking for a man to fit Lynn with concrete shoes for blowing their cover.

    Seems pretty clear to me.
  • So he discloses a vulnerability in a product and faces legal action? What kind of reaction is this?
  • by Saggi (462624) on Thursday July 28, 2005 @08:38AM (#13184472) Homepage
    Contradiction?

    Quote: "It is important to note that the information Mr. Lynn presented was not a disclosure of a new vulnerability or a flaw with Cisco IOS software. Mr. Lynn's research explores possible ways to expand exploitations of existing security vulnerabilities impacting routers."

    Quote: "... Mr. Lynn a platform to publicly disseminate the information he illegally obtained."

    If his research regards known and existing vulnerabilities, how could they be illegally obtained? This can only happen if Cisco sits on the vulnerabilities for some time. If this is the case, it's a poor excuse by Cisco to state that it's not a new vulnerability.

    In my humble opinion it's new when first made public. ... and I can never find out why people can get sued for disclosure of something dangerous to a lot of customers.

    If I use their routers I would like to know if they can be hacked. If they can get hacked I would like the opportunity to take them offline if I need to protect my business.

    If I don't have that opportunity - and I lose data/values/etc due to an attack, I'll have to hold Cisco responsible.
  • Full Disclosure (Score:4, Insightful)

    by miffo.swe (547642) <daniel.hedblomNO@SPAMgmail.com> on Thursday July 28, 2005 @08:39AM (#13184480) Homepage Journal
    I don't believe in keeping an exploit away from the public until the vendor gets his thumbs out of the dark place that smells funny. First of all I really think much more work needs to be put down into securing the systems before they are released, this includes various linux vendors. It's insane today with the user being the Q&A and security department for the vendors.

    Full disclosure is a nice cushion for people who really didn't do their job in the first place. It doesn't in any way help the users. Before the exploit is released publicly you can bet your backside it's used for company spying and other shoddy activities.

    A company shouldn't be afraid of scriptkiddies, they're harmless compared to their competitors armed with their most secret info. Full disclosure makes it possible for a company to at least try to mitigate that threat. Other disclosure puts them at the whims of the vendors.
  • by kriegsman (55737) on Thursday July 28, 2005 @08:44AM (#13184506) Homepage
    From today's Wall Street Journal:
    When Mr. Lynn took the stage yesterday, he was introduced as speaking on a different topic, eliciting boos. But those turned to cheers when he asked, "Who wants to hear about Cisco?" As he got started, Mr. Lynn said, "What I just did means I'm about to get sued by Cisco and ISS. Not to put too fine a point on it, but bring it on."
    Somehow, I suspect he's going to get what he asked for.

    -Mark
    • I've long booed the EFF but if the picture I'm getting here is correct I'd gladly donate some money to aid in his defense [or settlement].

      That is of course, provided that he at least tried the normal avenues. Under NDA means you're under NDA. Whistleblowing is only possible after management has ignored you.

      If he just jumped the gun and released the info publicly he deserves to get sued. Think about it. If every employee who was slightly upset just decided to walk off with trade secrets there would be no
  • by goldcd (587052) on Thursday July 28, 2005 @08:45AM (#13184508) Homepage
    that would keep all parties happy, is a modification of the current craze for bug-bounties.
    Flaw is reported, accepted and cash is paid on a daily/weekly basis until the issue is resolved.
    Submitters would get more for a complex bug that involves more work to fix it and they can happily keep their gobs shut from announcing the problem as they're getting paid to be quiet.
    Just a thought..
  • by Dachannien (617929) on Thursday July 28, 2005 @08:47AM (#13184524)
    Let the Cisco network defend itself. Just like on 24. [infoworld.com]

  • Cisco says the the problem is not a security vulnerability

    and...

    Cisco and ISS are filing a law suit against Michael Lynn and the management of the Black Hat Conference, following Lynn's presentation discussing a vulnerability in IOS

    Surely the defense would be: Your honour, obviously there was no vulnerability in the beginning, because look, Cisco said themselves that the ability to take over the router, and sniff for pr0n on the network is a feature, not a vulnerability!

    Of course, he is right, Cisco suing him
  • , hours before anyone else would publish...they just didn't have the whole story.

    which is probably why slashdot didn't post my version yesterday [slashdot.org].
    • WaPo has a copy of the Cisco/ISS restraining order against Lynn:

      In the order, which was jointly filed by ISS and Cisco, Lynn is said to have illegally reverse-engineered Cisco source code and that he stands to profit from this research. A copy of the document, obtained by washingtonpost.com, reads: "Cisco believes that Lynn is also disclosing ISS and Cisco proprietary information outside of the context of a formal presentation as well."

      Just what did all these parties think Black Hat Con was about anyway, i

  • by gillbates (106458) on Thursday July 28, 2005 @09:04AM (#13184646) Homepage Journal

    "It is our belief that the information that Lynn presented at Black Hat this morning is information that was illegally obtained and violated our intellectual-property rights,"

    Lynn decompiled Cisco's software for his research and by doing so violated the company's rights, Noh said. [emphasis added]

    So basically, Cisco is claiming that decompiling their object code is illegal.

    Isn't it a greater violation of the customer's rights to prohibit them from decompiling the code on their own equipment to check for security vulnerabilities?

    We've come to the point where corporations believe they have the right to impose conditions of operation on equipment they no longer own. If Cisco sells someone a router, the customer now owns it. Cisco doesn't have any right to impose any conditions of use on the new owner, because they no longer legally own the product. The owner has the right (and some would claim even the responsibility) to decompile their router's code to check for potential vulnerabilities.

    It seems that Cisco believes that even after they've sold it to you, they still own your router. And who knows, maybe this vulnerability was deliberately placed so they could own your router anytime they pleased...

  • by StandardCell (589682) on Thursday July 28, 2005 @09:05AM (#13184659)
    The filing in US District Court for the Northern District of California asks the court to prevent Lynn and Black Hat from "further disclosing proprietary information belonging to Cisco and ISS," said John Noh, a Cisco spokesman. "It is our belief that the information that Lynn presented at Black Hat this morning is information that was illegally obtained and violated our intellectual-property rights," Noh added.

    Ok, let's look at this objectively, shall we? Proprietary information belonging to Cisco and ISS is nonsense. That information should belong to the customers who bought the router so they can take the appropriate steps; for example, a customer should be able to replace an affected router with something else if they're concerned about the problem, or modify the software on the router to alleviate the problem itself (and this is again another example of where OSS is so important).

    In terms of violating intellectual property rights, what about violating the property rights of the people who own the router? What rights do they have in this whole situation? Are they expected to sit there with their collective thumbs up their collective asses and wait randomly for a fix? Don't the people who use the routers have the right to uninterrupted network services? What happens if this router belongs to a large ISP and a DoS attack brings the router down? Are they supposed to be stuck with the bill? I'll tell you this much - if this happened, Cisco would never credit them with the cost of service refunds to their end customers. Of course, this would be hypocritical on Cisco's part for obvious reasons, but I digress.
  • sued? (Score:3, Interesting)

    by digidave (259925) on Thursday July 28, 2005 @09:14AM (#13184750)
    How can he be sued if "the problem is not a security vulnerability"

    Way to go, Cisco.
  • by AceJohnny (253840) <jlargentaye@g m a i l .com> on Thursday July 28, 2005 @09:33AM (#13184925) Journal
    This is not a problem of disclosing a major vulnerability before the vulnerable company could react.

    The flaw had been privately disclosed a few months ago. Cisco, for its own reasons, didn't intend to distribute a fix before long (next year!). Too major a flaw? Publicity? Too much work already? Internal politics?

    Obviously, Michael Lynn couldn't live with the idea of leaving this flaw open, and decided to disclose it publicly, thus forcing Cisco to acknowledge it and fix it. Also obviously, this wasn't the only reason. He seemed disgusted by the industry's approach to this kind of problem.
  • by Anonymous Coward on Thursday July 28, 2005 @09:47AM (#13185031)
    I'm always amazed that companies think they have, or do have, the right to sue someone for pointing out a flaw in their product. "Only in the software industry". If Chevy sells a new pickup that has seatbelts that don't work properly in a crash, and I find out, damn straight I'm telling the whole world. And if Chevy tried to sue me for it they'd get laughed out of court. There should be absolutely no legal grounds for a company to sue someone over pointing out the flaws in their product. It's their own damn fault for not making a secure product in the first place.
  • by MECC (8478) * on Thursday July 28, 2005 @10:57AM (#13185782)

    It must be a *really* bad hole - they might just as well hang a "crack me" sign on their heads. Either that, or they've hired security experts from Microsoft.
  • Cisco settles! (Score:3, Informative)

    by qcomp (694740) on Thursday July 28, 2005 @10:35PM (#13191825)
    ZDnet reports [zdnet.com] that David Lynn and Cisco have agreed to a legal settlement. Lynn doesn't talk about the matter at Blackhat or Defcon and returns all related material to Cisco. I suppose Cisco drops its charges against him, though that's not mentioned.
    I'm glad for Michael Lynn that this affair ended quickly and not too harshly. Kudos to him for his courage.