Friday, July 29, 2005

Cisco Systems: The 800lb. Mangy Gorilla

To put it nicely, I dislike Cisco Systems. I could go on about their sales techniques or other unpleasantness, but you don't really need to once you read things like this.
The Michael Lynn story keeps getting more interesting. The computer security researcher lost his job at Internet Security Systems today after he briefed Black Hat conference attendees about a flaw in the software that powers Internet routers made by Cisco Systems. The latest is that Lynn has been served with a temporary restraining order designed to prevent him from discussing any more details about the flaw.

In the order, which was jointly filed by ISS and Cisco, Lynn is said to have illegally reverse-engineered Cisco source code and that he stands to profit from this research. A copy of the document, obtained by washingtonpost.com, reads: "Cisco believes that Lynn is also disclosing ISS and Cisco proprietary information outside of the context of a formal presentation as well."
And
Cisco routers are used on nearly every major segment of the Internet infrastructure. By exploiting the flaws described in his talk today, Lynn said attackers could crash those systems or intercept Internet communications. An automated attack against the router flaw -- delivered through an Internet worm, for example -- could effectively darken much of the Internet, he said.
You see, Cisco claims to be this wonderful security solution, but when big security flaws turn up, they first try to brush them aside while they scramble to provide a fix, and then they sue whoever happened to find the flaw to prevent disclosure. I'm a bit surprised that ISS is taking the wrong side of this, though it's likely because they have a big, juicy contract with Cisco to provide security analysis. Not to mention they don't want to get into litigation if they can avoid it.

The primary issue is that, to the best of my knowledge, Lynn did break the law. Contextually, though, most of what he found could be arrived at from other sources. Cisco had some of their code stolen earlier this year, and it was posted on a website. You don't honestly think it didn't fall into the wrong hands many, many times while it was posted.

The issue with disclosure of these flaws is fairly obvious. Cisco doesn't want to have its reputation harmed, but people in the security field want the information on major flaws made public so that they can be fixed. When a flaw is found and Cisco tries to squash the reports of it, that will ensure that not all of the flawed systems will be fixed. If they don't all get fixed, someone will find a way to exploit them.

The end result is that Lynn gave the speech, but now has to remain silent on the topic.
Cisco Systems and a network security firm reached a settlement with a researcher who quit his job so he could deliver a speech on a flaw in Cisco software that routes data over the Internet. Michael Lynn, who left his job at Internet Security Systems hours before his speech, agreed never to repeat the information he gave at the Black Hat conference in Las Vegas on Wednesday. He also must return any proprietary Cisco source code in his possession. A Cisco representative was supposed to join Lynn on stage. But Cisco and ISS changed course and tried to substitute an alternate presentation. When the firms were blocked by Black Hat, they canceled. They also hired workers this week to yank related pages from handouts and substitute conference CDs. After Lynn quit his job and gave the presentation, they sought a court order barring him from discussing the matter further. (AP)
You kind of hope Lynn finds a really good job after this. I'm betting this is a decent résumé point for a security investigator.

