By Larry Loeb
August 12, 2005
Opinion: By suing the ISS researcher who disclosed their flaw, Cisco
looks like a bully and draws extra attention to its vulnerability.
Cisco, those folks that make professional-style routers so beloved by
Internet types, beat up a fellow trying to share some research (done
while he was employed by Internet Security Systems) at the recent
Black Hat security conference in Las Vegas.
Cisco filed a request on July 27 for a temporary restraining order in
the U.S. District Court for the Northern District of California
against Michael Lynn and the Black Hat organizers to prevent Lynn and
Black Hat from "further disclosing proprietary information belonging
to Cisco and ISS," as John Noh, a Cisco spokesman, put it.
Noh also said, according to reports, that "It is our belief that the
information that Lynn presented at Black Hat is information that was
illegally obtained and violated our intellectual property rights."
It appears that Lynn was involved in decompiling Cisco's software for
research while he was employed at ISS, and Cisco thinks that kind of
activity violated their rights. Lynn delivered a talk July 27 on IOS
(the Cisco OS) shellcode that showed how using a known vulnerability
attack code could be run on a router if one was directly (not
remotely) connected to it.
ISS had decided two days earlier to pull the talk (at Cisco's urging),
but Lynn resigned from ISS and went ahead with it anyway. The exploit
involves a way using IPv6 to fool the router into thinking that it is
crashing, so that it does not initiate the shutdown sequence.
Jennifer Granick, who was the attorney for Lynn, noted on her blog
that "The lawyers scrambled, and we were able to settle the case
cheaply and expeditiously within 24 hours. =85 Mike's responsibilities
under the settlement agreement are almost complete, and I expect the
civil case to be dismissed very soon." There were also reports of FBI
agents on the Black Hat conference floor asking questions about Lynn.
The flaw has been fixed in recent (since April) IOS releases,
according to Cisco.
Further compounding the situation is the tactic that ISS is using
against sites that have posted a PDF file describing the exploit. They
have sent a cease-and-desist letter to Richard Forno and his
InfoWarrior.org site, accusing Forno of publishing stolen proprietary
information. Further legal action is threatened by the letter. Forno
has pulled the slides from the site.
The big question surrounding this entire affair is: What constitutes
"responsible disclosure"? Lynn thinks he should be allowed to talk
about a security flaw that has been patched for months, even though it
involves breaking an NDA, because of its critical nature.
Cisco customers are concerned about having to find out the true
consequences of the flaw from a third party, rather than from Cisco.
Cisco comes out of this affair looking like a major bully trying to
hide a problem rather than confront it. And all the attention caused
by the legal fluffing around can only draw attention to what otherwise
might have been a quiet tech session.
It simply shows once again that security through obscurity will never
work for anyone, not even Cisco.
Sept 16-18th, 2005
San Diego, California