Lynn Settles With Cisco, Investigated By FBI

Following up on yesterday's story, daria42 writes "Security researcher Michael Lynn has settled a dispute with Cisco over his presentation on hacking the company's routers, which was given at the Black Hat security conference in Las Vegas this week. The two parties and Black Hat organisers have agreed not to further discuss the presentation, which contained techniques Lynn said could bring the Internet to its knees." Not all is good news, though. jzeejunk writes "The FBI is investigating computer security researcher Michael Lynn for criminal conduct after he revealed that critical routers supporting the internet and many networks have a serious software flaw that could allow someone to crash or take control of them."
  • by dj_cel ( 744926 ) on Friday July 29, 2005 @03:25PM (#13197471)
    No, sometimes this is the only way to make progress. Companies (more appropriately managers) are content to live in the dark on security issues instead of dealing with them. In my experience, money is the only concern in respect to most PHBs, and the only way to make a change is to expose it in a critical manner. I applaud this guy.
  • Hmm (Score:2, Interesting)

    by StreetFire.net ( 850652 ) on Friday July 29, 2005 @03:29PM (#13197528) Homepage
    If we're not allowed to test holes, it reminds me of that old saying, "Who will guard the guards?"
  • by Infonaut ( 96956 ) <infonaut@gmail.com> on Friday July 29, 2005 @03:33PM (#13197580) Homepage Journal
    Again... how is this "illegal"?

    The FBI is most likely investigating to determine whether there is a case against Lynn. If they find something in the DMCA [wikipedia.org] that he has run afoul of, most likely they'll prosecute.

    I've been writing letters to my Congressman and Senators about the DMCA for some time, but they're not listening. Until we can get legislators in office who actually understand how the DMCA casts a chill on issues like the Lynn fiasco, this sort of thing will continue.

    My feeling is that unfortunately this just isn't a big enough issue on Joe Citizen's radar. There's a war in Iraq, the government is spending money like it's going out of style, there are disagreements over almost every social issue imaginable, and that monster SUV he bought last year now costs him $85/week to fill up. Some computer guy revealing Cisco vulnerabilities isn't high on his list, so it won't be high on his legislators' lists either.

  • by wfberg ( 24378 ) on Friday July 29, 2005 @03:37PM (#13197617)
    the issue is also about how he reported the flaw, not just that he did. Cisco has its own vulnerability submission protocols in house, but he instead showed his findings at a Black Hat conference, exposing it to any savvy hacker willing to act on them.

    Yes, and this is exactly why the FBI should get involved! The army has stringent oversight procedures for this sort of thing, and to reveal flaws in top-secret installations without even going up the chain of command is tantamount to treason!

    Oh wait. The dude isn't in the army. Or in government. Actually, his former employer settled the case. So the overriding federal government interest in this is...? Why, you might be forgiven for thinking "nothing at all; in fact, this sort of thing is precisely why such liberties as freedom of the press exist; even though this is a lone individual, surely some type of whistle-blower protection would exist that covers this, otherwise the public would never be made aware of critical flaws in the nation's privately-owned infrastructure until it was too late!"

    But apparently, you'd be wrong. You see, by merely mentioning, without even going into many specifics, that it might be possible for someone else to exploit a flaw in Cisco's equipment, this guy has clearly committed a thought-crime. That's because warning people about security flaws is exactly the same as instructing people in cyberwarfare, and issuing commands to them to act on your behalf to bring down Western Civilization as we know it. You see, no difference there at all.

    Of course, this is also why trains never run on time. If the published timetables were accurate, the railways would get prosecuted by the FBI for inviting people to commit suicide by throwing themselves in front of the 18:02 train. Bet you didn't know that!
  • by Todd Knarr ( 15451 ) on Friday July 29, 2005 @03:47PM (#13197723) Homepage

    I wonder what would happen if a large user of network equipment, who depends on that equipment operating properly to stay in business, filed against Cisco on this? After all, they know how dependent others are on their equipment, they knew their errors in coding had put those other people at risk, and they not only didn't do anything about the situation they actively tried to block information from the people who'd be harmed. Seems to me that if a dangerous situation existed and the person responsible for it actively tried to keep the people endangered from finding out about it, that's usually grounds for additional penalties against the responsible party.

  • by Alcilbiades ( 859596 ) on Friday July 29, 2005 @04:06PM (#13197903)

    I really hate to side with big business or governmental intrusion, but broadcasting to the world was irresponsible. We live in a society that does have laws. He had to break the law to get the information he got, so why should he be investigated? Not only did he break the law but he published his research so that malicious hackers will have a specific area to target.

    It is time people grow up and realize that actions have consequences. And no, it isn't THOUGHT POLICE. That idea is about "correct" or "incorrect" thought. The problem this guy had was he didn't "think"; he just got an idea and went with it. What do you think the government would have done if he had given general information about weaknesses in NORAD or some other very important national security installation? So, the moral of the story is if you find a way to bypass, break, or abuse security systems that could pose a threat to the general population, you best not tell everyone and their brother about it.

  • by Anonymous Coward on Friday July 29, 2005 @04:32PM (#13198112)
    No way.

    If you tell companies like Cisco "it's okay to write garbage software, some good samaritan will report it 'through the proper channels'", what exactly is the incentive for them to do better next time? And why the hell do *we* have to do Cisco's work for them? Mr Lynn has no obligation to Cisco whatsoever. I don't even know why he bothered waiting, put this info out THE MOMENT YOU FIND IT.

    Cisco should feel *something* when they fuck up. Lower market share, lower revenue, bad PR, whatever. Not hand-holding and pat on the shoulder and "that's okay Cisco, do better next time".

    This is serious stuff, I don't want Cisco to think they can call the lawyers whenever something like this happens. I want them to sweat.
  • by PriceIke ( 751512 ) on Friday July 29, 2005 @04:39PM (#13198183)

    Actually, what Sandy Burger did [washingtonpost.com] makes Watergate AND this Plame nonsense look like a college prank. But I don't see any outrage in Mediaville over that.

    I'm sorry, was that off-topic? Well, since the parent was modded "interesting" I guess it isn't.

  • by putko ( 753330 ) on Friday July 29, 2005 @04:41PM (#13198203) Homepage Journal
    I read the presentation. (here [cryptome.org]).

    Lynn shows how to do a remote exploit on Cisco's firmware. This is impressive because the router runs software that attempts to detect inconsistencies. It will reset itself and start up afresh. The big deal is that Lynn shows how an exploit can fix things up and avoid those measures. Basically, his technique is like a ninja that breaks into a building through a window, but then immediately reassembles the window before the security guard making his rounds can notice that the window got destroyed. That's it!

    There's no indication Lynn stole ANYTHING from Cisco, or broke any law.

    Lynn apparently "reverse engineered" the OS in order to do this. That's usually fine; it is his right to do that.

    Considering this, I'm pretty pissed that Cisco's spokeswoman, Mojdan Khalili, said that Lynn broke the law [slashdot.org] (without saying what law it was). I think that could be libel (or slander -- I'm not a lawyer) -- in any case, Mojdan Khalili, working for Cisco, just ruined this guy's rep, and sicced the FBI on his ass.

    Perhaps if you write her, she will get Cisco to ask the FBI to lay off the good researcher (ask her to have Cisco "take it all back"). From yesterday, here's her contact info:

    978-936-1297 mkhalili@cisco.com

    Also, some total jerk looked up her address and posted it (here [slashdot.org]). I think that's totally inappropriate; if you show up on her doorstep and bother her, I hope she calls the FBI on you, you freak!
  • by Anonymous Coward on Friday July 29, 2005 @04:53PM (#13198296)
    I have been following the Ciscogate affair (from a distance, that is) for professional reasons and yes, this PDF is genuine.

    And for what it's worth: I think Lynn deserves enormous respect and gratitude from most of us.

    • Users are better off. As a result of his work, at my employer (a medium-sized NSP) it's become clear that we need to make major changes, fast, to our network infrastructure management... like, we need to apply patches. NOW. And get support... this is looking like a 7 figure sum... but we're going to be a lot more secure this time next week than we are today, and more importantly more secure than we were *before he gave his talk*.
    • Secondly, he stood up for the ethical Right Thing (by resigning and doing the preso);
    • and thirdly, by surrendering to the inevitable (by signing the Cisco/ISS gagging order) he's drawn attention to the deep crapness of BOTH Cisco and ISS, as well as highlighting the fuckedness of the system that allows legally-discovered facts to be very very nearly completely suppressed.

    (Note: Cisco, allegedly at the behest of certain TLAs, pulled the plug on the preso only a day or two before it was due to be delivered. How many vendors are there out there who wouldn't allow a researcher to go within a million miles of Black Hat / Defcon, & who are successfully suppressing information about critical security vulns at the expense of their customers?) Finally I think he's stood up in the name of security researchers everywhere. It sets a precedent, and a standard, for those people who find themselves in a similar position in future.

  • by EMIce ( 30092 ) on Friday July 29, 2005 @05:40PM (#13198635) Homepage
    They could always pay to have it fixed. The author says much of the code is secure, so why not undertake a massive effort to overhaul the suspect portions, and then offer a $75 cash incentive for each router a tech patches, or a substantial discount for a replacement router? They do have serial numbers, so patching could be tracked; perhaps they could even use some relatively inexpensive hardware or software verification module. It could generate a code to verify proper patch status, or even incorporate patching functions in this simple device.

    This might hurt business less in the long run than a widespread, debilitating breakdown. It will be expensive, probably ~$120 a pop in the end, considering payout, as well as the cost of verification hardware/software development and production, but they'll reduce the destruction to their customers' businesses and to their own image.

    I don't know just how much this would cut into Cisco's revenues, which would of course reduce short term profits and thus investment interest. Someone up there should be weighing something like this though, however painful it sounds. It would also set Cisco apart in a market where cheaper competitors are taking away Cisco's profits. How many of them would go to such lengths in the event of a vulnerability? Companies love insuring themselves against everything.
  • by WindBourne ( 631190 ) on Friday July 29, 2005 @06:08PM (#13198796) Journal
    Sibel Edmonds. [justacitizen.org] The interesting thing about her, if you believe the rumours, is that this may also hit Democrats just as hard as the Republicans. Supposedly, it will topple GWB's admin, but it may put ex-Clinton people in prison as well.
  • by Anonymous Coward on Friday July 29, 2005 @06:12PM (#13198825)
    Free speech isn't really free speech. There is always something you can't say. This is basically like yelling FIRE! in a theater, except, he was/may have been attempting to show how to start said "fire"...

    Honestly, I agree with the FBI investigating. If this flaw is that bad, you don't talk about it to the people that really know how to start trouble before going to a company - that's just inviting trouble. Even stating what the flaw attacks on the routers can show others where to start their own research into this flaw.

    Don't get me wrong, I'm all about security, but he should have at least attempted to go through the proper channels. The FBI has basically gone after him about the possibility of the amount of damage he could have caused society - we can no longer exist without the internet. Hell, I pace the room when my connection goes down.
  • by Flower ( 31351 ) on Friday July 29, 2005 @06:38PM (#13198953) Homepage
    Ok, exactly what law did he break? The more information we get about the situation, the more evident it becomes that Mr. Lynn broke no law.

    You can't bring up the injunction. That means nothing since the suit was settled. Mr. Lynn did not have to make any admission of wrong-doing nor pay restitution. More than likely Lynn's lawyer brought up how much it would cost to defend himself and Mr. Lynn decided that it would be better to keep making car and house payments than fight in the courts.

    And it doesn't even matter that he can't talk about it any longer. The presentation hit Black Hat. I'm over here in the Midwest and a printout of his slides is hanging outside my cube wall for any of my co-workers to go over. The stuff I'm not getting is being talked about on various blogs and I can just follow the trail of links to educate myself on what this exactly means. So where is the great admission of guilt in the injunction? Nowhere. The injunction is nothing but a PR wash for Cisco.

    So what about the FBI investigation? Where are the charges? Where's the conviction? Taking his stuff and following up on Cisco's complaint is SOP for the FBI. I'm not seeing any law breaking here.

    Until you've got something a heck of a lot more specific than "he broke the law and there are consequences for that" we don't have much to talk about because that axiom just isn't flying currently.

  • by Infonaut ( 96956 ) <infonaut@gmail.com> on Saturday July 30, 2005 @11:12PM (#13205485) Homepage Journal
    I'm glad you still have the proper democratic reflex a citizen should have when confronted with issues, but really you should realize "writing to your congressman" nowadays amounts to pushing a button that's been disconnected.

    The powerful have always had more influence on elected officials than average Joes. No doubt about it. But particularly on issues that are not on the top of your representative's agenda, a concise and well-articulated opinion can matter. The most successful politicians are those who follow Tip O'Neill's dictum that "All politics is local." It is of course easier to make things happen at the local level, because the constituencies are smaller. But Congressional staffers do take note of the letters that come in, and they let their bosses know how they are trending. The flip side of the frequent complaint that politicians will go whichever direction the wind pushes them is that when they hear enough voices from their constituents, they will act. After all, the next election is always just around the corner.

    I don't assume that my individual letters make a difference, but I do feel that when I have more involvement in the system, my gripes are more legitimate. I am taking the time and effort to be a citizen, and while my efforts may not result in any change, I know for certain that not doing anything won't help. I'd say apathy only encourages a less democratic process, because when we expect less from our institutions, we are rewarded with less.
