Lynn Settles With Cisco, Investigated By FBI

Following up on yesterday's story, daria42 writes "Security researcher Michael Lynn has settled a dispute with Cisco over his presentation on hacking the company's routers, which was given at the Black Hat security conference in Las Vegas this week. The two parties and Black Hat organisers have agreed not to further discuss the presentation, which contained techniques Lynn said could bring the Internet to its knees." Not all is good news, though. jzeejunk writes "The FBI is investigating computer security researcher Michael Lynn for criminal conduct after he revealed that critical routers supporting the internet and many networks have a serious software flaw that could allow someone to crash or take control of them."
  • by TripMaster Monkey ( 862126 ) * on Friday July 29, 2005 @03:19PM (#13197389)

    What a load of horseshit. Lynn follows his conscience and speaks up about Cisco's security vulnerabilities, and not only is he severely slapped down by this permanent injunction (which I don't consider 'good news' in any sense), but now the FBI has decided to get involved. It'll be chilling to watch them pull his life apart and examine each bit under a microscope over months or years.

    Lynn exposed a serious security flaw that could have been used to compromise networks throughout the nation. Cisco should be rewarding him for protecting them against losses they would no doubt have experienced in the future if this flaw went unreported. As for the government, they should be pinning a medal on Lynn, not investigating him.
  • Bummer (Score:2, Insightful)

    by Kyrka ( 20144 ) on Friday July 29, 2005 @03:19PM (#13197397) Homepage
Needs to be spread if we're to expect Cisco to fix it.
  • BS (Score:5, Insightful)

    by Anonymous Coward on Friday July 29, 2005 @03:22PM (#13197417)
Again... how is this "illegal"? When Ford sold the Pintos that blew up when rear-ended, were the mechanics and insurance agents who brought it to the light of the public sued? If you make a faulty design, you shouldn't have grounds to sue anyone who points it out. It's your own fault and no one else's. I didn't see the guy who figured out you could open all those bike locks with a Bic pen going to prison or being investigated by the FBI...
  • 1984 Called... (Score:5, Insightful)

    by bc90021 ( 43730 ) * <bc90021 AT bc90021 DOT net> on Friday July 29, 2005 @03:22PM (#13197426) Homepage
    ...and told us that it will be the year we all live in from now on.

Regardless of what you think about Lynn's tactics, or Cisco's, or ISS's, or Blackhat's, the bottom line is that the FBI is now investigating. The government is going after a private citizen for releasing information about routers, because it's "critical to the national infrastructure". How long before pinging a router is an "investigable offence" for causing a drop in router resources?

  • by Blindman ( 36862 ) on Friday July 29, 2005 @03:23PM (#13197431) Journal
    What exactly was CISCO suing over? It seems to me that CISCO didn't like what he had to say, but that doesn't give you a right to sue somebody. Obviously, they weren't alleging libel or slander, since everything he said was apparently true. I don't recall allegations that he misappropriated trade secrets or something. Did he just give up so that he didn't have to defend a baseless suit?

    Was his disclosure good for the internet in the short term? Probably not. However, unless there is some law that I'm missing, describing how to use a bomb is not the same as advocating that it be used.
  • by daveschroeder ( 516195 ) * on Friday July 29, 2005 @03:24PM (#13197445)
    First, according to this new article, Lynn would have been allowed to speak if Cisco was allowed to speak as well.

In other words, give Cisco the opportunity to explain that patching vulnerabilities in major commercial vendor-supported code isn't just something that happens instantaneously. I'm not saying Cisco is completely in the clear here, but no, everything shouldn't be open source, and patching shouldn't/can't happen like it does in the open source community. Some people will no doubt fundamentally or philosophically disagree with this, but in major network infrastructure, there is a place for stable, predictable commercial support. Along with that sometimes comes commercial and/or proprietary code - code which is kept proprietary for competitive advantage. This is not to say that flaws should not be revealed for the good of all, but speaking in generalities here, broadcasting everything as loudly and widely as possible to the public isn't necessarily the best way to address issues. Nor is hiding things in obscurity. But there is a scale here, and it's NOT black and white.

    Further, the FBI is investigating not because of some corporatist government conspiracy, and is not being used as Cisco's own "police force". It is investigating a claim of a complaint it received, as it is compelled to do by its very reason for existence, and doesn't even know if a crime has been committed. Would you want law enforcement agencies to not investigate allegations of crime, whatever your opinion of this particular instance aside?

    Even Lynn's own lawyer says "that she thought the agency was simply following through on a complaint it received when Cisco and ISS filed their lawsuit against Lynn and that it didn't come after her client reached his settlement. She didn't know the nature of the complaint but said it was probably something to do with intellectual property and that it most likely came from Cisco or ISS.

    Granick said she did not think the FBI would arrest Lynn.

    "Definitely not," she said. "I don't have any sense at all that that's where they're going. I don't know what the circumstances are under which anyone contacted the FBI. It may very well be that given that we settled the civil case yesterday, this is over."


    So please, let's not overreact.
  • by donleyp ( 745680 ) * on Friday July 29, 2005 @03:24PM (#13197451) Homepage
    Also, if Cisco did know about it and kept it under wraps while they worked on the problem I call that common sense not secrecy. How would you like it if someone posted a sign on your street giving the code to your alarm system or garage door opener?
  • by Stevix ( 861756 ) on Friday July 29, 2005 @03:24PM (#13197452)
The issue is also about how he reported the flaw, not just that he did. Cisco has its own vulnerability submission protocols in house, but he instead showed his findings at a Black Hat conference, exposing it to any savvy hacker willing to act on them.
  • We forget that if the Bush administration has taught us anything, it's that secret is better. The FBI will investigate any leaking of information, because information is not to be shared with the masses. God forbid. I am TOTALLY reporting your ass to the thought police.
  • by BlackCobra43 ( 596714 ) on Friday July 29, 2005 @03:25PM (#13197473)
FBI investigation != FBI hunting you down and cracking down on you and your ilk. Just think for a moment about how many thousands of things the FBI is currently "investigating" that you will never hear about.
  • Free speech (Score:4, Insightful)

    by jdavidb ( 449077 ) on Friday July 29, 2005 @03:26PM (#13197486) Homepage Journal

    "The FBI is investigating computer security researcher Michael Lynn for criminal conduct after he revealed that critical routers supporting the internet and many networks have a serious software flaw that could allow someone to crash or take control of them."

    The FBI is investigating Michael Lynn... after he revealed ...

    Congress shall make no law ... abridging the freedom of speech, or of the press.

    He's being investigated for what, now? Talking?

  • by davidwr ( 791652 ) on Friday July 29, 2005 @03:27PM (#13197498) Homepage Journal
    He wasn't revealing state secrets, and he didn't "yell fire in a crowded theater."

Someone should challenge the trade-secret-protection criminal laws on 1st Amendment grounds - yes, there is tort, and yes, restraining orders may be appropriate in rare circumstances, but a criminal conviction, I think not. It's time to give the local jury pool a lesson on free speech and jury nullification.

    I hope they drop this ASAP, and if they don't, the ACLU should get involved. This is America, not Soviet Russia.
  • by Anonymous Coward on Friday July 29, 2005 @03:27PM (#13197500)
The problem isn't that Cisco hadn't fixed this problem. They did, months ago. BUT, they didn't tell anyone what their patch fixed, so there are people out there running old versions because they don't know that the patch is CRITICAL to their security, mostly out of fear of munging their network up with a new IOS version.
  • by maotx ( 765127 ) <{maotx} {at} {yahoo.com}> on Friday July 29, 2005 @03:27PM (#13197507)
    there are channels he could have gone through that would have made Cisco aware of the problem (if they weren't already) without endangering the safety of the nation's network by talking to a bunch of black hats!

    Two things:
    First, Cisco was already aware of the problem and had released a patch for it last April.

Second, Blackhat is not about blackhats. It is about security and is visited by some of the most renowned security professionals, including ranking officials in the CIA, NSA, and other 3 letter acronyms.
  • by LurkerXXX ( 667952 ) on Friday July 29, 2005 @03:28PM (#13197513)
He did inform them. Many months ago. They've had a fix out for 3 months for part of the problem he pointed out. They haven't fixed the rest yet. He went through the right channels. They haven't fixed it yet. There have been many many examples with them, Microsoft, and even recently Mozilla, where bugs were reported and the vendor took over a year to finally get around to fixing the problem. And that was only after the problem had been 'leaked' to the public.

The hole exists. Sometimes it takes shouting about it to get it fixed. He gave them time. Whether 3+ months is enough time is a debatable point. But he DID notify them through channels.

  • by daveschroeder ( 516195 ) * on Friday July 29, 2005 @03:28PM (#13197518)
    Actually, the FBI has not "decided" to get involved. Lynn's own lawyer says she believes the FBI is merely following up on a complaint that it received from either Cisco or ISS before the settlement was reached. In other words, Cisco or ISS may have been (inappropriately or not, depending on your stand on trade secrets) attempting to silence Lynn, but the FBI wasn't just doing this on its own. Is the FBI not supposed to investigate allegations of crime? The FBI doesn't even know whether a crime has been committed.

    Further, Lynn himself admitted that the vulnerability had already been patched by a Cisco update. Lynn's issue is that he didn't believe Cisco presented the vulnerability (or its patch) in an urgent enough fashion.

    And "the government" isn't doing anything save for investigating an allegation of a crime, as it is charged with doing when it receives a complaint. Should the police no longer respond when 911 is dialed unless it's absolutely certain a crime is being committed? Is this not what "investigation" is for? Sorry, I don't buy into the conspiracies.
  • by 99BottlesOfBeerInMyF ( 813746 ) on Friday July 29, 2005 @03:29PM (#13197525)

    before everybody starts yelling about the need for these things to be reported, there are channels he could have gone through that would have made Cisco aware of the problem

    Cisco was aware, in fact they were originally supposed to be co-presenting with him. Lynn contacted them four months ago. The problem is many of their customers were not aware of the problem, and despite reports to the contrary, while the exploit used to get onto the system has been fixed for a while, the ability to run arbitrary code has not. Now Cisco is working to abstract their hardware layer. Put these two items together and you get new routers, with a flaw, where a single, generic exploit can take them all out.

    I know a lot less about networking and networking security than Mr. Lynn. I am willing to believe, however, that he would not give up a good, paying job and risk his future employment prospects unless he felt that this was a real and serious risk. Whistleblowers need to be protected and companies that willfully disregard warnings that their incompetence is threatening vital business and communications infrastructure around the world are the ones who should be investigated, not Mr. Lynn.

  • Re:1984 Called... (Score:3, Insightful)

    by Blue-Footed Boobie ( 799209 ) on Friday July 29, 2005 @03:31PM (#13197553)
    Mod parent up!

This IS the point here. Although an investigation is not an arrest, it will still disrupt his life in massive ways.

  • by daveschroeder ( 516195 ) * on Friday July 29, 2005 @03:32PM (#13197560)
    How is this funny or relevant?

    Since when is it evil for a law enforcement agency to follow up on a complaint, even if the complaint is later found to be invalid? Or should law enforcement agencies be able to predict the future, and just skip the investigative step, and automatically know whether a crime has been committed? It might have been absurd or vindictive for ISS and/or Cisco to approach the FBI, but when someone approaches the FBI and claims a crime has been committed, would you prefer that the FBI did nothing? It HAS to investigate, just like the police still respond to even 911 hangups. If nothing is wrong and no crime has been committed, it's dropped. But when a complaint is initiated, the investigative step MUST take place, else, how would law enforcement even function?
  • Re:BS (Score:1, Insightful)

    by cp5i6 ( 544080 ) on Friday July 29, 2005 @03:35PM (#13197602)
Just the nature of the contract he signed when he took a job with Cisco.

A lot of companies have non-disclosure clauses in their contract and you can bet yer ass this was a breach of contract.

But like the previous person said, the FBI decided not to get involved, and this is a breach of contract, which in this country is illegal =)
  • by daveschroeder ( 516195 ) * on Friday July 29, 2005 @03:36PM (#13197608)
    ...between "security through obscurity" and attempting to hide vulnerabilities, and broadcasting security issues as loudly as possible at public forums.

Both are harmful, and neither benefits security optimally.

    As with most things, the most beneficial position is usually a balance between extremes.
  • by Weaselmancer ( 533834 ) on Friday July 29, 2005 @03:37PM (#13197612)

    Wile E. Coyote can walk off a cliff and doesn't fall - until the Roadrunner points out there's no ground under his feet.

    Apparently the FBI thinks computer security works the same way.

  • by Anonymous Coward on Friday July 29, 2005 @03:41PM (#13197660)

    We forget that if the Bush administration has taught us anything, it's that secret is better.

    Unless, of course, you [wikipedia.org] happen to work for the CIA as an undercover agent. Then, Bush Co. will out your ass at the drop of a dime.

  • by loqi ( 754476 ) on Friday July 29, 2005 @03:41PM (#13197664)
    This is not to say that flaws should not be revealed for the good of all, but speaking in generalities here, broadcasting everything as loudly and widely as possible to the public isn't necessarily the best way to address issues. Nor is hiding things in obscurity. But there is a scale here, and it's NOT black and white.

    You're sort of straw-manning here. The problem isn't that Cisco didn't fix the vulnerability in time, the problem is that they didn't tell anyone it was a critical update. That's a far cry from open-sourcing their code or personally explaining how the vulnerability works.
  • by goldspider ( 445116 ) on Friday July 29, 2005 @03:53PM (#13197784) Homepage
"...because warning people about security flaws is exactly the same as instructing people in cyberwarfare, and issuing commands to them to act on your behalf to bring down Western Civilization as we know it."

    Nice strawman, but that of course isn't what the (predictably modded-down) parent said.

    All he's saying is that you shouldn't be surprised when the FBI investigates you after you tell a whole conference of interested parties how to take down a critical infrastructure.

  • Re:1984 Called... (Score:2, Insightful)

    by dasdrewid ( 653176 ) on Friday July 29, 2005 @03:56PM (#13197801)

    I think you need to read the article more carefully. The FBI started investigating before the agreement was reached because someone had come to them complaining that a crime has been committed. Like an earlier poster said, it's their job to investigate when people claim a crime has been committed, if only to determine whether or not a crime has actually been committed. For all we know (and from the sounds of it), one hasn't, the investigation is going to be (possibly already) dropped, and that's all that comes of it.

    As to pinging a router, all the FBI would hear at first is "I think someone committed a crime", told to them by the pinged party. The FBI would ask them what happened (which would be considered an investigation), the person would say they'd been pinged, the FBI would ask what else, the person would say that's it, and the FBI would probably laugh and stop the investigation. Basically, it's the FBI's job to investigate when a private citizen says a crime has been committed (and it falls under federal jurisdiction). While no one wants the FBI doing more than their job description tells them to do (the original one), I'd say it's fair to expect and allow them to do the basic job they were created to do.

  • anonymity (Score:2, Insightful)

    by harkabeeparolyn ( 711320 ) on Friday July 29, 2005 @03:57PM (#13197813)
    If Lynn just wanted to help people, he could have published his information anonymously. But he wanted to use this to build his reputation so he has to take whatever lumps he finds in the refined sugar of fame.

    The lesson to be learned here is that full, immediate and anonymous disclosure is the best way to publish vulnerabilities. It's too bad that vendors and law enforcement have scared the shit out of such that this is necessary, but they too have to live with the consequences of their actions.

  • by Anonymous Coward on Friday July 29, 2005 @03:58PM (#13197821)
    Hey, how bout we try a proper analogy:

How would you like it if you had your security number written on a piece of paper stuck to the side of your house and some kid told you he knew about it and said you should take that down. After you told him no, he ran around the neighborhood and told everyone.

I'd be embarrassed too, but it'd be my own damn fault.
  • by DarthVain ( 724186 ) on Friday July 29, 2005 @04:07PM (#13197914)
I may just be a simple Canadian, but wouldn't common sense dictate that this should read: Lynn awarded medal by grateful country, and FBI investigates Cisco Systems for possible negligence which would endanger the entire Country. Ok perhaps a bit long winded, but really come on people get with the program! Corporations seem to be getting out of control with the amount of power given to them. There are so many things wrong with this it's unreal. First off is (seemingly) a Corporation influencing the FBI, a Federal Law enforcement agency!

The bottom line is that Lynn is a whistle blower, and the FBI should be investigating Cisco for inappropriate conduct by trying to hide (not fix) a serious vulnerability that could affect the entire country.

    The whole thing sickens me.
  • by Alien Being ( 18488 ) on Friday July 29, 2005 @04:08PM (#13197916)
Right, and they'll claim that her identity is supersensitive, yet they won't prosecute someone who publishes the info (Novak). They will, however, prosecute someone who protects the info (Miller).

    For crying out loud people, just because you voted for Bush doesn't mean you owe him your undying support. Oust the bastard. This shit makes Watergate look like a college prank.

  • by Anonymous Coward on Friday July 29, 2005 @04:12PM (#13197952)
    "Should the police no longer respond when 911 is dialed unless it's absolutely certain a crime is being committed? Is this not what "investigation" is for"

    I think the question isn't whether the government should investigate an allegation of a crime, but what is the crime being committed? What law with a criminal penalty may have been broken?

    Without knowing a great deal about this case, the only laws even remotely relevant to this would seem to be trade secret law. Even that, I would think, would not apply unless he had some special relationship with Cisco (eg. was an employee, or had special access to the source code through another organization) or if he had signed an NDA. I had the impression (perhaps mistakenly) that trade secret law would anyways be a civil matter, not the subject of a criminal prosecution.

    Unless someone can say that there was a complaint accusing him of a crime, what would they be investigating? Simply "doing something we don't like" or "hurts our profitability" is not a crime. And if Cisco or someone else just fabricated a charge, that's a problem (and they should, but of course won't, get into a serious amount of trouble over that).
  • by Dan Ost ( 415913 ) on Friday July 29, 2005 @04:15PM (#13197978)
    While I would be the first to agree that a healthy amount of cynicism is, well, healthy, too much cynicism is as dangerous as not enough. The truth is that there are still lawmakers who value the opinions of their constituents, especially if their constituent attempts to educate them on an issue that they were ignorant of.

    It may not look like it from the outside, but I would suspect that the majority of lawmakers still attempt to cling to the ideals they started with and, when given the opportunity, will attempt to act according to them.

    Don't limit your options just because cynicism dicates that they're pointless. You might be right and it's a wasted effort, but if you're wrong, you've voluntarily missed an opportunity.
  • by hackstraw ( 262471 ) * on Friday July 29, 2005 @04:24PM (#13198047)
    the fact that Cisco would not tell anyone about it

    Free speech is now a crime. If Cisco released the same information that Lynn did, they will have the FBI after them as well.

    WTF is going on in this country?
  • by Anonymous Coward on Friday July 29, 2005 @04:25PM (#13198058)
    If you dare mention that the emperor isn't wearing any clothes, you will surely get beheaded for it.
  • Re:Free speech (Score:3, Insightful)

If your copy doesn't show it either, then perhaps either you are wrong, or America doesn't really have a Constitution after all, but instead has a nine-headed Pope!

Welcome to nine-headed Pope land! It is far easier to argue that the 1st Amendment has no limits on it whatsoever than to accept that life is not composed of absolutes. If you believe that any manner of speech is fine, you are more than welcome to your views (and kudos to your tenacity). However, you should also note that the language of the 1st Amendment specifically states that "Congress shall make no law..." That means that it provides protection only from Federal prosecution and meddling. The 1st Amendment only applies to the 50 States because that same nine-headed Pope which you deride applied them to the States. If you want to accept that the nine-headed Pope does not have the power to interpret the Constitution, then you also have to accept that your State is thereby free to restrict your speech in any manner it wishes, without being burdened with Constitutional considerations.

    Your choice. Personally, I prefer to accept that our society is far too complicated to limit ourselves to the extremes of interpretation.

  • by mcclungsr ( 74737 ) on Friday July 29, 2005 @04:50PM (#13198279)

    Second, it's Cisco's right to do what they want with his research, since he did *break the law* in order to release it ( decompiling code + license agreement -> ?=( ).

    I'm not a lawyer of course, but a license agreement is essentially a contract, right? Aren't you implying that he committed a crime, when this is perhaps a breach of contract? I could be mistaken.

    Even if it was a crime, does that really give Cisco any rights to his work at all?

  • by cayenne8 ( 626475 ) on Friday July 29, 2005 @05:31PM (#13198555) Homepage Journal
    "All he's saying is that you shouldn't be surprised when the FBI investigates you after you tell a whole conference of interested parties how to take down a critical infrastructure."

    I guess I'm at a loss here....how is this not protected under free speech, and therefore not subject to start an investigation into some illegality. He wasn't inciting people to do anything wrong (rioting, etc)...he merely gave a presentation stating facts as his research had shown him...

  • by cayenne8 ( 626475 ) on Friday July 29, 2005 @05:37PM (#13198606) Homepage Journal
    "He had to break the law to get the information he got so why should he be investigated. Not only did he break the law but he published his research so that malicious hackers will have a specific area to target."

Exactly what law did he break? He reverse engineered Cisco routers as part of research. He gave a presentation that is clearly protected free speech. Just because you give information that, if used wrong, would harm something, as long as you're not inciting or telling people to cause harm to others....you've broken no law.

There's tons of books out there that tell you how to make an atomic bomb...perfectly legal. You can describe pressure points on the human body that can kill, etc. Information is free to disseminate. It is a tough part of free speech, but, really, who are YOU going to trust to limit it, and say what information can and cannot be released?

  • Re:BS (Score:3, Insightful)

    by arkanes ( 521690 ) <<arkanes> <at> <gmail.com>> on Friday July 29, 2005 @05:44PM (#13198663) Homepage
    For what it's worth, in other, not totally fucking insane industries, breaking an NDA in order to reveal an issue of public safety will get you protected under whistleblower laws.
  • by Jumperalex ( 185007 ) on Friday July 29, 2005 @06:29PM (#13198909)
The problem with your analysis is that he did NOT publish info about how to break into anything, as stated plainly in the article. He only showed what could be done.

Nor did he focus any more attention than was likely there before. If you don't think people have been trying to hack those routers, you're nuts. They had every reason to believe there was already a flaw and they were looking. All this guy did was show everyone something we already know.

Further, you are wrong that he had to break the law to do what he did. Just because the FBI is investigating doesn't mean a criminal law was actually broken. As for a civil law being broken, that is debatable since the lawsuit was settled, which has nothing to do with his actually being liable (since you are never guilty in a civil trial iirc).

And finally, the difference between this and publicly outing NORAD is that there is little question that he would, in fact, have had to break several very serious laws to obtain that information, as would the person or persons that helped him get it. So there is NO comparison between this and the disclosure of classified government information.
  • by Anonymous Coward on Saturday July 30, 2005 @03:40AM (#13200940)
    What if his "research" showed that orange juice caused cancer? Or that reading led to brain tumors? Or that Hitler may have had it right in attempting to exterminate a race of humans? The point is that lots of people were concerned that Mike didn't have (or would not present) all the facts and others believe he got the facts wrong.

    Rushing his results out doesn't avert a future digital Pearl Harbor.
