Cisco Coming Down Hard On Whistleblower Who Found Vulnerabilities
from the interesting-reasoning dept
One of the more popular questions that always comes up in computer security is how a security researcher should deal with vulnerability information. Almost everyone seems to agree that the company responsible should be informed. But what if they don't do anything or respond? What if they don't really fix the problem? Is there a point at which it makes sense to reveal the vulnerability publicly? The reasoning behind that strategy isn't to punish the company; it rests on the assumption that other, more malicious hackers have probably discovered the same hole. Publishing the vulnerability makes people realize that their systems are not secure and need to be fixed -- and, in those cases, many people view the release of such information as a public service. Obviously, the companies responsible for the vulnerability often take a less kind view of this practice. Time and time again we hear stories about security researchers who discover some kind of vulnerability and are attacked and face legal consequences for revealing the info. The latest such case involves what sounds like a pretty serious vulnerability in Cisco's IOS, the operating system that runs most of their routers, which power large parts of the internet. The researcher who discovered the flaws was prepared to give a speech on the vulnerabilities, but Cisco freaked out about it -- demanding that his company stop him from giving the talk and sending Cisco employees to rip out the ten-page presentation that had already been printed into every conference program. The security company backed down, but the researcher in question quit and gave the presentation anyway, leading Cisco and his former employer to sue him and the conference itself. So, is this guy recklessly revealing info that will allow hackers to cause serious problems? Or do they already know how to do that, and he's just a whistleblower letting us know of the problem?
What may be most revealing about this, however, is what Cisco has said in response. They don't seem to be saying that they only wished Michael Lynn had kept quiet long enough for them to fix these vulnerabilities. Nope. Instead, they say they're suing because this was an "illegal publication of proprietary material," which certainly seems to imply they would have preferred to have hidden this entire issue away. It certainly would have sounded more convincing if they responded by saying they needed more time to fix the problem. For example, Oracle recently responded to complaints that it was too slow to fix a certain security hole by pointing out all of the work that goes into fixing such holes properly.
Reader Comments
At least it's only civil for now
This guy is somewhat lucky that they didn't try to get charges filed against him, although the DMCA doesn't seem to apply since it's not a copy-protection system, the hacking statute doesn't seem to apply since it's not unauthorized access, so there seems to be little left aside from the now-failed attempt they did against me saying that by releasing information I am somehow liable if anyone in the future unknown to me uses that information to do harm and that by telling people the company has to fix their system with a whole new fix (my appeal was in the same district in California his civil suit is in, so maybe the local AUSA has kept current on their case law reading).
So far all they are saying is to not talk about it anymore, but if this goes through it's a VERY bad thing in the end. He got the information by disassembling and working that way. The next step is to say you can't use a debugger, and after that you won't be able to probe programs for potential problems or use strace/truss or ... Ultimately everyone is harmed by attempts to quiet security researchers.
To quote Richard Clarke at the 2002 Black Hat (then cyber security advisor to President Bush): "you need to tell anyone who will listen". Oddly this was about a month off of my trial, and at the same convention that the Cisco mess is over.
http://reviews.cnet.com/4520-3513_7-5127811-1.html http://news.zdnet.com/2100-1009_22-947409.html
Polish that Grammar
Re: Polish that Grammar
Re: Polish that Grammar
Re: Polish that Grammar
Fixed
Except Cisco already fixed this vulnerability. It was found in April and a fix was available in May. The main issue, I think, this guy had was that Cisco didn't make it clear that this update in May had fixes for some big security issues.
The talk gave a general description of exploiting a buffer overflow for arbitrary code execution and then went on to demonstrate with this particular vulnerability. Cisco has a rather crazy method of assessing the severity of issues. This issue, which allowed for arbitrary code execution, was considered a fix for a possible DoS in the release notes.
Proprietary?
Just for that, I feel like suing Cisco next time one of their exploits affects me. After all, they're claiming full ownership here, apparently even over the exploit.
That's called gross negligence - "Intentional failure to perform a duty, reckless disregard of the consequences as affecting the life or property of another", and in most places, is a criminal offense, not just civil.
I think this researcher was the only one here not guilty of gross negligence. Good luck to him in his pending suit; hope he counter-sues!
No Subject Given