Forgot your password?
typodupeerror
Security Government The Courts News IT

Lynn Settles With Cisco, Investigated By FBI 357

Posted by Zonk
from the bad-friday dept.
Following up on yesterday's story, daria42 writes "Security researcher Michael Lynn has settled a dispute with Cisco over his presentation on hacking the company's routers, which was given at the Black Hat security conference in Las Vegas this week. The two parties and Black Hat organisers have agreed not to further discuss the presentation, which contained techniques Lynn said could bring the Internet to its knees." Not all is good news, though. jzeejunk writes "The FBI is investigating computer security researcher Michael Lynn for criminal conduct after he revealed that critical routers supporting the internet and many networks have a serious software flaw that could allow someone to crash or take control of them."
This discussion has been archived. No new comments can be posted.

Lynn Settles With Cisco, Investigated By FBI

Comments Filter:
  • by TripMaster Monkey (862126) * on Friday July 29, 2005 @03:19PM (#13197389)

    What a load of horseshit. Lynn follows his conscience and speaks up about Cisco's security vulnerabilities, and not only is he severely slapped down by this permanent injunction (which I don't consider 'good news' in any sense), but now the FBI has decided to get involved. It'll be chilling to watch them pull his life apart and examine each bit under a microscope over months or years.

    Lynn exposed a serious security flaw that could have been used to compromise networks throughout the nation. Cisco should be rewarding him for protecting them against losses they would no doubt have experienced in the future if this flaw went unreported. As for the government, they should be pinning a medal on Lynn, not investigating him.
    • by Stevix (861756) on Friday July 29, 2005 @03:24PM (#13197452)
      the issue is also about how he reported the flaw, not just tha he did. Cisco has its own vunerability submission protocols in house, be he instead showed his findings at a Black Hat conference instead, exposing it to any savvy hacker willing to act on them.
      • by wfberg (24378) on Friday July 29, 2005 @03:37PM (#13197617)
        the issue is also about how he reported the flaw, not just tha he did. Cisco has its own vunerability submission protocols in house, be he instead showed his findings at a Black Hat conference instead, exposing it to any savvy hacker willing to act on them.

        Yes, and this is exactly why the FBI should get involved! The army has stringent oversight procedures for this sort of thing, and to reveal flaws in top-secret installations without even going up the chain of command is tantamount to treason!

        Oh wait. The dude isn't in the army. Or in government. Actually, his former employer settled the case. So the overriding federal government interest in this is...? Why, you might be forgiven to think "nothing at all, in fact, this sort of thing is precisely why such liberties as freedom of the press exist; even though this is a lone individual, surely some type of whistle-blower protection would exist that covers this, otherwise the public would never be made aware of critical flaws in the nation's privately-owned infrastructur until it was too late!"

        But apparently, you'd be wrong. You see, by merely mentioning, without even going in to much specifics, that it might be possible for some-one else to exploit a flaw in Cisco's equipment, this guy has clearly commited a thought-crime. That's because warning people about security flaws is exactly the same as instructing people in cyberwarfare, and issueing commands to them to act on your behalve to bring down Western Civilization as we know it. You see, no difference there at all.

        Of course, this is also why trains never run on time. If the published time tables were accurate, the railways would get prosecuted by the FBI for inviting people to commit suicide by throwing themselves in front of the 18:02 train.. Bet you didn't know that!
        • by goldspider (445116) <ardrake79NO@SPAMgmail.com> on Friday July 29, 2005 @03:53PM (#13197784) Homepage
          "...because warning people about security flaws is exactly the same as instructing people in cyberwarfare, and issueing commands to them to act on your behalve to bring down Western Civilization as we know it."

          Nice strawman, but that of course isn't what the (predictably modded-down) parent said.

          All he's saying is that you shouldn't be surprised when the FBI investigates you after you tell a whole conference of interested parties how to take down a critical infrastructure.

    • by daveschroeder (516195) * on Friday July 29, 2005 @03:28PM (#13197518)
      Actually, the FBI has not "decided" to get involved. Lynn's own lawyer says she believes the FBI is merely following up on a complaint that it received from either Cisco or ISS before the settlement was reached. In other words, Cisco or ISS may have been (inappropriately or not, depending on your stand on trade secrets) attempting to silence Lynn, but the FBI wasn't just doing this on its own. Is the FBI not supposed to investigate allegations of crime? The FBI doesn't even know whether a crime has been committed.

      Further, Lynn himself admitted that the vulnerability had already been patched by a Cisco update. Lynn's issue is that he didn't believe Cisco presented the vulnerability (or its patch) in an urgent enough fashion.

      And "the government" isn't doing anything save for investigating an allegation of a crime, as it is charged with doing when it receives a complaint. Should the police no longer respond when 911 is dialed unless it's absolutely certain a crime is being committed? Is this not what "investigation" is for? Sorry, I don't buy into the conspiracies.
      • by cpeikert (9457) <cpeikert.alum@mit@edu> on Friday July 29, 2005 @03:47PM (#13197728) Homepage
        Further, Lynn himself admitted that the vulnerability had already been patched by a Cisco update.

        One specific buffer overflow vulnerability was patched. But Lynn's presentation was a general approach to exploit any buffer overflow, with dire consequences. There is likely more exploitable code inside those routers; it's just a matter of time before some is found. At that point Lynn's attack could be executed.
      • by Anonymous Coward
        "Should the police no longer respond when 911 is dialed unless it's absolutely certain a crime is being committed? Is this not what "investigation" is for"

        I think the question isn't whether the government should investigate an allegation of a crime, but what is the crime being committed? What law with a criminal penalty may have been broken?

        Without knowing a great deal about this case, the only laws even remotely relevant to this would seem to be trade secret law. Even that, I would think, would not apply
    • Well, first of all, it's not "undoubted" that Cisco would have experienced losses if the flaw had gone unreported. According to them, they were busy fixing it, and though I know we hate to listen to the big evil corporations, there is the slightest possibility that they weren't lying.

      Second, it's Cisco's right to do what they want with his research, since he did *break the law* in order to release it ( decompiling code + license agreement -> ?=( ). Following your conscience (in a way that was by some reports rash and poorly thought out) does not necessarily give you immunity from the consequences of your action.

      As a security researcher, he of all people, should know the high stakes in that game. It's not like either Cisco's or the FBI's actions couldn't have been anticipated by anyone who thought the whole thing through to its logical conclusion. Hopefully, he had prepared himself for the inevitable results of his actions before he took them. Otherwise, I feel really bad for him.
      • by mcclungsr (74737) on Friday July 29, 2005 @04:50PM (#13198279) Homepage

        Second, it's Cisco's right to do what they want with his research, since he did *break the law* in order to release it ( decompiling code + license agreement -> ?=( ).

        I'm not a lawyer of course, but a license agreement is essentially a contract, right? Aren't you implying that he committed a crime, when this is perhaps a breach of contract? I could be mistaken.

        Even if it was a crime, does that really give Cisco any rights to his work at all?

  • The real issue is... (Score:5, Informative)

    by maotx (765127) <maotx@@@yahoo...com> on Friday July 29, 2005 @03:19PM (#13197392)
    The real issue at hand, at least with Cisco router owners, is not the fact that Lynn released information concerning the exploit, but the fact that Cisco would not tell [wired.com] anyone about it. Time and time again has shown how security through obscurity is not real security, especially when Cisco's source code had been stolen. [slashdot.org]

    The reality of it is that Cisco fixed the exploit last April with a patch and no longer offers the vulnerable IOS for download on their site. The problem with that though is that they did not inform anyone what the patch fixed and who needed to download it. Most people who are vulnerable to this attack are those who have not updated to Cisco's version as of April (which are a few I'm sure. No point on upgrading a working system with a patch that could break you.)
    The real problem is Cisco and their disregard to release information over a severe vulnerability in order to press forward their new OS next year.
    • by daveschroeder (516195) * on Friday July 29, 2005 @03:36PM (#13197608)
      ...between "security through obscurity" and attempting to hide vulnerabilities, and broadcasting security issues as loudly as possible at public forums.

      Both are harmful, and neither benefit security optimally.

      As with most things, the most beneficial position is usually a balance between extremes.
    • the fact that Cisco would not tell anyone about it

      Free speech is now a crime. If Cisco released the same information that Lynn did, they will have the FBI after them as well.

      WTF is going on in this country?
    • http://www.cisco.com/warp/public/707/cisco-sa-200 5 0729-ipv6.shtml [cisco.com]

      Cisco Internetwork Operating System (IOS®) Software is vulnerable to a Denial of Service (DoS) and potentially an arbitrary code execution attack from a specifically crafted IPv6 packet. The packet must be sent from a local network segment. Only devices that have been explicitly configured to process IPv6 traffic are affected. Upon successful exploitation, the device may reload or be open to further exploitation.

  • Bummer (Score:2, Insightful)

    by Kyrka (20144)
    Needs to be spread if we're to expect cisco to fix it.
  • BS (Score:5, Insightful)

    by Anonymous Coward on Friday July 29, 2005 @03:22PM (#13197417)
    Again... how is this "illegal". When ford sold the pinto's that blew up when rearended, were mechanic's and insurance agenst who brought it to the light of the public sued? If you make a faulty design, you shouldn't have grounds to sue anyone who points it out. It's your own fault and no one else's. I didn't see the guy who figured out you could open all those bike locks with a bic pen going to prison or being investigated by the fbi...
    • Again... how is this "illegal".

      The FBI is most likely investigating to determine whether there is a case against Lynn. If they find something in the DMCA [wikipedia.org] that he has run afoul of, most likely they'll prosecute.

      I've been writing letters to my Congressman and Senators about the DMCA for some time, but they're not listening. Until we can get legislators in office who actually understand how the DMCA casts a chill on issues like the Lynn fiasco, this sort of thing will continue.

      My feeling is that unfortu

      • I've been writing letters to my Congressman and Senators about the DMCA for some time, but they're not listening.

        One day people in this country will realize that congresscritters and senators don't listen to their constituents anymore, and they haven't done so for a very long time. Mostly they listen to corporations and their lobbies.

        I'm glad you still have the proper democratic reflex a citizen should have when confronted with issues, but really you should realize "writing to your congressman" nowadays amo
        • by Dan Ost (415913) on Friday July 29, 2005 @04:15PM (#13197978)
          While I would be the first to agree that a healthy amount of cynicism is, well, healthy, too much cynicism is as dangerous as not enough. The truth is that there are still lawmakers who value the opinions of their constituents, especially if their constituent attempts to educate them on an issue that they were ignorant of.

          It may not look like it from the outside, but I would suspect that the majority of lawmakers still attempt to cling to the ideals they started with and, when given the opportunity, will attempt to act according to them.

          Don't limit your options just because cynicism dicates that they're pointless. You might be right and it's a wasted effort, but if you're wrong, you've voluntarily missed an opportunity.
        • I'm glad you still have the proper democratic reflex a citizen should have when confronted with issues, but really you should realize "writing to your congressman" nowadays amounts to pushing a button that's been disconnected.

          The powerful have always had more influence on elected officials than average Joes. No doubt about it. But particularly on issues that are not on the top of your representative's agenda, a concise and well-articulated opinion can matter. The most successful politicians are those who

    • Because this is computer suff. And computers are these magical things that think for themselves and no one understands them so they cant figure out how the laws should apply to them. If people stared to think of computers more as tools then modern slaves then we all be better off.
  • Oh wel, this might as well be soviet russia!
    • How is this funny or relevant?

      Since when is it evil for a law enforcement agency to follow up on a complaint, even if the complaint is later found to be invalid? Or should law enforcement agencies be able to predict the future, and just skip the investigative step, and automatically know whether a crime has been committed? It might have been absurd or vindictive for ISS and/or Cisco to approach the FBI, but when someone approaches the FBI and claims a crime has been committed, would you prefer that the FBI
  • Goodness... (Score:5, Funny)

    by coop0030 (263345) * on Friday July 29, 2005 @03:22PM (#13197421) Homepage
    which contained techniques Lynn said could bring the Internet to its knees.


    Can you imagine the chaos?

    I bet some people would even end up going outside.

    I would probably crawl up into a ball and cry until it was fixed; with my girlfriend consoling me.

    I suppose I could look through my old cached history of webpages and pretend that I was online!
  • 1984 Called... (Score:5, Insightful)

    by bc90021 (43730) * <bc90021&bc90021,net> on Friday July 29, 2005 @03:22PM (#13197426) Homepage
    ...and told us that it will be the year we all live in from now on.

    Regardless of what you think about Lynn's tactics, or Cisco's, or ISS's, or Blackhat's, the bottom line is that the FBI is now investigating. The government is going after a private citizen for releasing information about routers, because it's "critical to the national ingfrastructure". How long before pinging a router is an "investigable offence" for causing a drop in router resources?

    • Mod parent up!

      This IS the point here. Although and investigation is not an arrest - it will still disrupt his life is massive ways.

    • Relax, see here [slashdot.org] and here [slashdot.org]. Now take a deep breath
    • 1984 has nothing on 2005... This might be known in history as the year liberty finally died.
    • Re:1984 Called... (Score:2, Insightful)

      by dasdrewid (653176)

      I think you need to read the article more carefully. The FBI started investigating before the agreement was reached because someone had come to them complaining that a crime has been committed. Like an earlier poster said, it's their job to investigate when people claim a crime has been committed, if only to determine whether or not a crime has actually been committed. For all we know (and from the sounds of it), one hasn't, the investigation is going to be (possibly already) dropped, and that's all that

  • by Blindman (36862) on Friday July 29, 2005 @03:23PM (#13197431) Journal
    What exactly was CISCO suing over? It seems to me that CISCO didn't like what he had to say, but that doesn't give you a right to sue somebody. Obviously, they weren't alleging libel or slander, since everything he said was apparently true. I don't recall allegations that he misappropriated trade secrets or something. Did he just give up so that he didn't have to defend a baseless suit?

    Was his disclosure good for the internet in the short term? Probably not. However, unless there is some law that I'm missing, describing how to use a bomb is not the same as advocating that it be used.
  • First, according to this new article, Lynn would have been allowed to speak if Cisco was allowed to speak as well.

    In other words, give Cisco the opportunity to explain that patching vulnerabilities in major commercial vendor-supported code isn't just something that happens instantaneously. I'm not saying Cisco is completely in the clear here, but no everything shouldn't be open source, and patching shouldn't/can't happen like it does in the open source community. Some people will no doubt fundamentally or p
    • This is not to say that flaws should not be revealed for the good of all, but speaking in generalities here, broadcasting everything as loudly and widely as possible to the public isn't necessarily the best way to address issues. Nor is hiding things in obscurity. But there is a scale here, and it's NOT black and white.

      You're sort of straw-manning here. The problem isn't that Cisco didn't fix the vulnerability in time, the problem is that they didn't tell anyone it was a critical update. That's a far cry
      • You're sort of straw-manning here. The problem isn't that Cisco didn't fix the vulnerability in time, the problem is that they didn't tell anyone it was a critical update. That's a far cry from open-sourcing their code or personally explaining how the vulnerability works.

        The problem here is that Lynn is claiming this was some kind of end-times doomsday vulnerability, and Cisco claiming it wasn't a big deal.

        I'm frankly not inclined to believe either one of them.

        We still don't know the EXACT nature of the vul
    • If you call the police, and claim someone stole your TV, tell them who it was and where they live, the police will investigate that person. Why? Well that's their job. If it turns out you were making shit up, you might get in trouble for filing a false police report later, but they'll still investigate the person. They don't just assume you are lying, I mean unless they investigate and reach their own conclusions, how will they know?

      We want the police (the FBI is just the federal police) to investigate repo
    • As I'm sure you know most lawyers involved in a high profile case will commonly talk it up, putting the best possible face on it in public while having a different, private opinion. This is a good thing, not bad, and a realistic part of defending a client. Negative comments could quietly taint a jury pool. Imagine something like this:

      But Lynn's lawyer, Jennifer Granick, confirmed that the FBI told her it was investigating her client.

      Granick was quoted as saying "Oh God! Oh God! Oh God! What am I going t

    • by schon (31600) on Friday July 29, 2005 @05:48PM (#13198685)
      In other words, give Cisco the opportunity to explain that patching vulnerabilities in major commercial vendor-supported code isn't just something that happens instantaneously.

      He gave Cisco *FOUR MONTHS* to fix it, which is hardly "instantaneous".
  • by Irongeek_ADC (903018) on Friday July 29, 2005 @03:24PM (#13197446) Homepage
    I found this linked on Nick84's site (http://www.rootsecure.net/ [rootsecure.net]): http://www.infowarrior.org/users/rforno/lynn-cisco .pdf [infowarrior.org] If I'm correct, it's the slides that were taken off of the hand out cd. Another link from a Wired article: http://cryptome.org/lynn-cisco.zip [cryptome.org]
  • TFA (Score:4, Informative)

    by MrAndrews (456547) <<ac.9881> <ta> <mcm>> on Friday July 29, 2005 @03:25PM (#13197466) Homepage
    "There's no arrest warrant for (Lynn) and there are no charges filed and no case pending," Granick said. "There may never be. But they got a complaint and as a result they were doing some investigation."

    In other words, probably not really in trouble with the FBI.
  • by BlackCobra43 (596714) on Friday July 29, 2005 @03:25PM (#13197473)
    FBI investigation =/= FBI hunting you down and cracking down on you and your ilk Just think for a moment about how many thousands things the FBI is currently "investigating" that you will never hear about.
  • That way, the only news is good news!

    Everyone together now:
    kumbaya, my lord, kumbaya...
    Meanwhile, back at the ranch, some Eastern European "security expert" is busy cheerfully 0wn1ng j00 when you order that book from Amazon. Checked your credit card statement lately?
  • Free speech (Score:4, Insightful)

    by jdavidb (449077) on Friday July 29, 2005 @03:26PM (#13197486) Homepage Journal

    "The FBI is investigating computer security researcher Michael Lynn for criminal conduct after he revealed that critical routers supporting the internet and many networks have a serious software flaw that could allow someone to crash or take control of them."

    The FBI is investigating Michael Lynn... after he revealed ...

    Congress shall make no law ... abridging the freedom of speech, or of the press.

    He's being investigated for what, now? Talking?

    • Keep in mind that the 1st Amendment is not an absolute protection against saying anything, anytime, anywhere. The classic example is shouting "FIRE!" in a crowded theatre, though I prefer the thinking of someone with a bull horn outside you window at 2 am;-)

      In this particular case, and IANAL, they could be seeing whether his actions might be inciteful to others. The reality, however, is that they will quietly look at this and decide that no crime was committed.

  • A lot of you are saying the information on this vulnerability, which could cripple the Internet if taken advantage of, in order for Cisco to fix it?

    I may be just a simple caveman, but this sounds like a tremendously bad idea... someone would take advantage of it sooner or later...

    The Internet dropping, even for a few hours, would have a profoundly negative impact on the world economy...

    I mean, geez, just think about it...
    • On the other hand, knowing about the problem I can now take steps to mitigate it by, for example, making sure my back-up routers are not made by Cisco, or by replacing vulnerable equipment with other types that aren't vulnerable. Of course this would hurt Cisco, which is the reason IMHO they tried to shut the guy up.

      • It would be better then, to just blow the whistle without giving specific details which could be used to "bring the Internet to its knees" ...

        Cisco would be hurt, no secrets would be divulged, and Cisco would still try to fix the problem before it was discovered...

        Of course, without the specifics, the information may be seen as less valid, but if they investigate the source, and the source is a trusted expert (as in this case) ... then why do you need to know the specifics? ... I'm sure Lynn contacted Cisco
        • I need specific details for a couple of things. Firstly is to evaluate whether this is a real problem. A lot of problems are highly configuration-specific, and I need to test not just whether it's a problem in the general case but also whether it's a problem that I can be bit by given the configuration of my particular network. In addition, I need to be able to test any fixes Cisco might put out. Vendors have had histories of putting out "fixes" just to say they have, but the fix only deals with the one par

    • So what you are saying is that it's a really bad thing for Cisco to cover up a problem that can cause that instead of fixing the problem?

      If only companies weren't allowed to cover up something like that. Oh wait, employees with consciences could blow the whistle. Oh wait, one did, and then he was threatened with a lawsuit and investigated by the FBI.

      Anyone reminded of Adobe vs Skylarov? As soon as he was arrested, Adobe changed their mind and avoided bad publicity by backing off. Now that the FBI

      • Hmm, you seem to be reading very much into what I was saying.

        No, covering up a wide-affecting vulnerability should ALSO have consequences.

        However, spreading the vulnerability is ALSO just inviting someone to use it.

        Sure, Cisco would have to fix it then, but the damage would already be done...

        You think too much in blacks and whites, saying 'spreading that information is not a good idea' does not mean that Cisco is doing right, there is a possible conclusion that can be drawn (that I have drawn) ... that says
    • Are they saying that? I think they're saying Cisco should tell people when they have a huge security problem so they'll, I dunno... download the freakin patch.
    • Cisco already HAS a fix. AND HAS HAD that fix out since April. They are pissed because it was exposed that there was a SERIOUS flaw in their previous IOS software, which Cisco had not disclosed to the public, even though they made a patch, and basically told people that it was an update, NOT THAT IS FIXED A MAJOR SECURITY FLAW, since that would cause the public to think that Cisco screwed up, and we can't have that can we?
  • by davidwr (791652) on Friday July 29, 2005 @03:27PM (#13197498) Homepage Journal
    He wasn't revealing state secrets, and he didn't "yell fire in a crowded theater."

    Someone should challenge the trade-secret-protection criminal laws on 1st ammendment grounds - yes, there is tort, and yes, restraining orders may be appropriate in rare circumstances, but a criminal conviction, I think not. It's time to give the local jury pool a lesson on free speech and jury nullification.

    I hope they drop this ASAP, and if they don't, the ACLU should get involved. This is America, not Soviet Russia.
    • I'm not saying I agree that the FBI should be involved in this horseshit (I don't), but the way "Trade Secrets" tort works is that you sign and swear to an agreement to NOT disclose certain information. If you break that agreement, you've violated a contract and an oath, and the other party is legally entitled to go after you.

      On the other hand, I think this is a case of someone making an ethical decision to violate an NDA because, by his lights, the risk he faces is not as bad as Cisco continuing to have
    • Well, it doesn't look like he'll be facing any criminal charges, but I agree 100%. Trade secret violation as a criminal offense smacks of the kind of bullshit Adam Smith warned us would happen if businessmen were allowed to make the laws.
    • Actually, he -did- essentially yell 'fire' in a crowded theater. However, there was smoke, and thus it was a reasonable assumption that there was fire accompanying it, and that it simply had not spread widely enough for anyone to notice.

      The mere existence of the vulnerability on such a popular piece of routing hardware likely would result in someone, somewhere, knowing about it and biding his/her time for the right opportunity to exploit it. The odds are pretty good....

      Someone shouting and scaring peo

    • The Motion Picture Association of America and Regal Entertainment corporation have assured me that the theater is perfectly safe, and that any reports of fire are greatly exaggerated.
  • Hmm (Score:2, Interesting)

    If we're not allowed to test holes, it reminds me of that old saying, "Who will guard the guards?"
  • Here the coverage Tom's Hardware has. Some nice pictures, now I at least know what the guy looks like.

    http://www.tomsnetworking.com/Sections-article131. php [tomsnetworking.com]
  • by Weaselmancer (533834) on Friday July 29, 2005 @03:37PM (#13197612)

    Wile E. Coyote can walk off a cliff and doesn't fall - until the Roadrunner points out there's no ground under his feet.

    Apparently the FBI thinks computer security works the same way.

  • Of course, with the internet down we could all agree to meet and pretend to chat with each other in the big blue room. I'd even be willing to use my face to emulate emoticons, if that'll help.

  • Cisco is quoted as saying:

    Cisco denied that the flaw was as critical as Lynn said it was

    Then what really is the problem?
  • by Todd Knarr (15451) on Friday July 29, 2005 @03:47PM (#13197723) Homepage

    I wonder what would happen if a large user of network equipment, who depends on that equipment operating properly to stay in business, filed against Cisco on this? After all, they know how dependent others are on their equipment, they knew their errors in coding had put those other people at risk, and they not only didn't do anything about the situation they actively tried to block information from the people who'd be harmed. Seems to me that if a dangerous situation existed and the person responsible for it actively tried to keep the people endangered from finding out about it, that's usually grounds for additional penalties against the responsible party.

  • by mdouglas (139166) on Friday July 29, 2005 @03:55PM (#13197798) Homepage
    Crafted IPv6 packet vulnerability.

    http://www.cisco.com/warp/public/707/cisco-sa-2005 0729-ipv6.shtml [cisco.com]

    http://www.eweek.com/article2/0,1759,1841669,00.as p [eweek.com]

    Upshot is that if you aren't running IPv6 on the router, this doesn't affect you.
  • anonymity (Score:2, Insightful)

    If Lynn just wanted to help people, he could have published his information anonymously. But he wanted to use this to build his reputation so he has to take whatever lumps he finds in the refined sugar of fame.

    The lesson to be learned here is that full, immediate and anonymous disclosure is the best way to publish vulnerabilities. It's too bad that vendors and law enforcement have scared the shit out of such that this is necessary, but they too have to live with the consequences of their actions.

  • Unlike the rest of the world, we have such great Freedom of SpeE&F@%&**#$@HDTH+H+[NO CARRIER]
     
  • by ch-chuck (9622) on Friday July 29, 2005 @04:04PM (#13197875) Homepage
    You should always give these type of presentations at the "White Hat Security Researchers Conference of Law Enforcing Good Guys", not the "Black Hat Hacker Convention of Nefarious Ne'er-do-wells and Juvenile Deliquents".

  • Either this has been posted or soon will be. To me, this doesn't seem like the "massive Internet outage" risk that Michael was talking about...

    Cisco Internetwork Operating System (IOS®) Software is vulnerable to a Denial of Service (DoS) and potentially an arbitrary code execution attack from a specifically crafted IPv6 packet. The packet must be sent from a local network segment. Only devices that have been explicitly configured to process IPv6 traffic are affected. Upon successful exploitation, th

  • by DarthVain (724186) on Friday July 29, 2005 @04:07PM (#13197914)
    I may just be a simple Canadian, but wouldn't common sense dictate that this should read: Lynn awarded medal by greatful country, and FBI investigates Cisco Systems for possible negligance which would endanger the entire Country. Ok perhaps a bit long winded, but really come on people get with the program! Corporations seem to be getting out of control with the amount of power given to them. There are so many things wrong with this its unreal. First off is (seemingly) a Corporation influancing the FBI, a Federal Law enforcement adjency!

    The bottom line is that Lynn is a whistle blower, and the FBI should be investigating Cisco for innappropiate conduct by trying to hide (not fix) a serious vunrability that could effect the entire country.

    The whole thing sickens me.
  • Present the info, but stay anonymous.

    Use a fake name. Wear some kind of disguise to the Black Hat conference (or wherever you're doing your presentation), do your security-flaw-revealing presentation in the disguise and then quickly run off stage and change.

    This is no longer the home of the free and I haven't noticed a lot of bravery lately...
  • I didn't know that!
  • by Nom du Keyboard (633989) on Friday July 29, 2005 @04:33PM (#13198131)
    Next time he should just post the vulnerabilities to /. as AC. Clearly Cisco would rather punish him than fix their problems.

    In the mean time, time to do a Freenet search for his paper. I can't believe all of the copies were destroyed.

  • by putko (753330) on Friday July 29, 2005 @04:41PM (#13198203) Homepage Journal
    I read the presentation. (here [cryptome.org]).

    Lynn shows how to do a remote exploit on Cisco's firmware. This is impressive because the router runs software that attempts to detect inconsistencies. It will reset itself and start up afresh. The big deal is that Lynn shows how an exploit can fix things up and avoid those measures. Basically, his technique is like a ninja, that breaks into a building through a window, but then immediately reassembles the window before the security guard making his rounds can notice that the window got destroyed. That's it!

    There's no indication Lynn stole ANYTHING from Cisco, or broke any law.

    Lynn apparently "reverse engineered" the OS in order to do this. That's usually fine; it is his right to do that.

    Considering this, I'm pretty pissed that Cisco's spokeswoman, Mojdan Khalili, said that Lynn broke the law [slashdot.org] (without saying what law it was). I think that could be libel (or slander -- I'm not a lawyer) -- in any case, Mojdan Khalili, working for Cisco, just ruined this guys rep, and sicced the FBI on his ass.

    Perhaps if you write her, she will get Cisco to ask the FBI to lay off the good researcher (ask her to have Cisco "take it all back"). From yesterday, here's her contact info:

    978-936-1297 mkhalili@cisco.com

    Also, some total jerk looked up her address and posted it (here [slashdot.org]). I think that's totally inappropriate; if you show up on her doorstep and bother her, I hope she calls the FBI on you, you freak!
  • by EMIce (30092) on Friday July 29, 2005 @05:40PM (#13198635) Homepage
    They could always pay to have it fixed. The author says much of the code is secure, so why not take undertake a massive effort to overhaul the suspect portions, and then offer a $75 cash incentive for each router a tech patches or a substantial discount for a replacement router? They do have serial #'s so patching could be tracked, perhaps they could even use some relatively inexpensive hardware or software verification module. It could generate a code to verify proper patch status, or even incorporate patching functions in this simple device.

    This might hurt business less in the long run than a widespread, debilitating breakdown. It will be expensive, probably ~$120 a pop in the end, considering payout, as well as the cost of verification hardware/software devlopment and production, but they'll reduce the destruction for their customer's businesses and to their own image.

    I don't know just how much this would cut into Cisco's revenues, which would of course reduce short term profits and thus investment interest. Someone up there should be weighing something like this though, however painful it sounds. It would also set Cisco apart in market where cheaper competitors are taking away Cisco's profits. How many of them would go to such lengths in the event of a vulnerability? Companies love insuring themselves against everything.

"The value of marriage is not that adults produce children, but that children produce adults." -- Peter De Vries

Working...