Cisco Coming Down Hard On Whistleblower Who Found Vulnerabilities

from the interesting-reasoning dept

One of the more popular questions that always comes up in computer security is how a security researcher should deal with vulnerability information. Almost everyone seems to agree that the company responsible should be informed. But what if they don't do anything or respond? What if they don't really fix the problem? Is there a point at which it makes sense to reveal the vulnerability publicly? The reasoning behind that strategy isn't to punish the company; it rests on the assumption that other, more malicious hackers have probably discovered the same hole. Publishing the vulnerability makes people realize that their systems are not secure and need to be fixed -- and, in those cases, many people view the release of such information as a public service. Obviously, the companies responsible for the vulnerability often take a less kind view of this practice. Time and time again we hear stories about security researchers who discover some kind of vulnerability and are attacked and face legal consequences for revealing the info.

The latest such case involves what sounds like a pretty serious vulnerability in Cisco's IOS, the operating system that runs most of their routers, which power large parts of the internet. The researcher who discovered the flaws was prepared to give a speech on the vulnerabilities, but Cisco freaked out about it -- demanding that his company stop him from giving the talk and sending Cisco employees to rip the ten-page presentation out of every conference program that had already been printed. The security company backed down, but the researcher in question quit and gave the presentation anyway, leading Cisco and his former employer to sue him and the conference itself. So, is this guy recklessly revealing info that will allow hackers to cause serious problems? Or do they already know how to do that, and he's just a whistleblower letting us know of the problem?
What may be most revealing about this, however, is what Cisco has said in response. They don't seem to be saying that they only wished Michael Lynn had kept quiet long enough for them to fix these vulnerabilities. Nope. Instead, they say they're suing because this was an "illegal publication of proprietary material," which certainly seems to imply they would have preferred to have hidden this entire issue away. It certainly would have sounded more convincing if they responded by saying they needed more time to fix the problem. For example, Oracle recently responded to complaints that it was too slow to fix a certain security hole by pointing out all of the work that goes into fixing such holes properly.


Reader Comments



  • Bret McDanel, 28 Jul 2005 @ 3:33am

    At least it's only civil for now

    At least this guy is only facing a restraining order, and it's only a civil matter for now. Being the person named in one of the links for going to jail over reporting a security problem (after 8 months of the company knowing about it *and* having a fix which only took copying 2 patched files to their server but never actually doing this), I told people affected. (I could do nothing, tell those affected, or tell everyone. Doing nothing seemed to be unwise since the hole was not even that secret, http referer info; telling everyone seemed bad because I felt that this company would not fix it if that were the case and it would lead to break-ins by pointing attention to it; telling those affected (of which I was one, since I was allowed to keep my account) seemed to be the only choice left.) Eventually the gov't admitted error and my conviction was overturned, but what a way to lose a few years of your life.

    This guy is somewhat lucky that they didn't try to get charges filed against him, although the DMCA doesn't seem to apply since it's not a copy-protection system, and the hacking statute doesn't seem to apply since it's not unauthorized access, so there seems to be little left aside from the now-failed attempt they made against me, saying that by releasing information I am somehow liable if anyone in the future unknown to me uses that information to do harm, and that by telling people the company has to fix their system with a whole new fix (my appeal was in the same district in California his civil suit is in, so maybe the local AUSA has kept current on their case law reading).

    So far all they are saying is to not talk about it anymore, but if this goes through it's a VERY bad thing in the end. He got the information by disassembling and working that way. The next step is to say you can't use a debugger, and after that you won't be able to probe programs for potential problems or use strace/truss or ... Ultimately everyone is harmed by attempts to quiet security researchers.

    To quote Richard Clarke at the 2002 Black Hat (then cyber security advisor to President Bush): "you need to tell anyone who will listen". Oddly this was about a month off of my trial, and at the same convention that the Cisco mess is over.

    http://reviews.cnet.com/4520-3513_7-5127811-1.html
    http://news.zdnet.com/2100-1009_22-947409.html


  • Michael Smith, 28 Jul 2005 @ 5:56am

    Polish that Grammar

    Wow, what a long paragraph. You may want to review your grammar rules before writing an article you want people to read.


    • Anonymous Coward, 28 Jul 2005 @ 9:43am

      Re: Polish that Grammar

      You read it...


      • Rick Prather, 31 Jul 2005 @ 11:05pm

        Re: Polish that Grammar

        Yes, but with some difficulty because of the poor grammar.


    • yodaddy, 28 Jul 2005 @ 12:44pm

      Re: Polish that Grammar

      Seriously Guero, eat some pipe if that's the most productive comment you have after reading that


  • Michael Greb, 28 Jul 2005 @ 9:53am

    Fixed

    "It certainly would have sounded more convincing if they responded by saying they needed more time to fix the problem."

    Except Cisco already fixed this vulnerability. It was found in April and a fix was available in May. The main issue, I think, this guy had was Cisco didn't make it clear that this update in May had fixes for some big security issues.

    The talk gave a general description of exploiting a buffer overflow for arbitrary code execution and then went on to demonstrate with this particular vulnerability. Cisco has a rather crazy method of assessing the severity of issues. This issue, which allowed for arbitrary code execution, was considered a fix for a possible DoS in the release notes.


  • Anon, 28 Jul 2005 @ 10:29am

    Proprietary?

    If an exploit affects a "majority" of the systems the Internet runs on... does anyone actually give 2 craps and a cream who owns the code? (Yeah, I read it was fixed, but the underlying fault of code execution seems to remain.)
    Just for that, I feel like suing Cisco next time one of their exploits affects me. After all, they're claiming full ownership here, apparently even over the exploit.
    That's called gross negligence - "Intentional failure to perform a duty, reckless disregard of the consequences as affecting the life or property of another", and in most places, is a criminal offense, not just civil.
    I think this researcher was the only one here not guilty of gross negligence. Good luck to him in his pending suit; hope he counter-sues!


  • Anonymous Coward, 28 Jul 2005 @ 11:44am

    No Subject Given

    The initial vulnerability was fixed by Cisco, but the underlying problem remains. The Security Focus article discussing the Lynn case says:

    "Lynn outlined a way to take control of an IOS-based router, using a buffer overflow or a heap overflow. He demonstrated the attack using a vulnerability that Cisco fixed in April. While that flaw is patched, he stressed that the attack can be used with any serious buffer overrun or heap overflow.... The networking giant [Cisco] ... did nothing to prevent attackers from running programs on the devices using the broad techniques Lynn described, the researcher said."

    Right now, an attack designed for a particular vulnerability won't let someone take simultaneous control of the Internet's routers, because different routers run different software patched to different levels. But this won't stop attackers in the future, according to the Security Focus article:

    "Cisco plans in the future to abstract the architecture of the router operating system..., which could have a side effect of making a single attack work against all routers. Rather than knowing the various memory addresses, or offsets, needed to compromise systems, a single offset could work, Lynn said."


