Why Cisco's Attempt To Suppress Security Researcher Backfired
from the everybody's-hacking-now dept
Last week, we noted just how ridiculous it was that Cisco thought it could make the discussion of a massive security exploit disappear by ripping some pages out of a presentation, demanding all video tape from the presentation and getting the speaker to agree not to discuss the issue again. All that really did, in true Streisand Effect means, was make damn sure that a lot of security researchers have spent the whole weekend trying to break Cisco's software based on what they know. Yes, this would have gotten some attention if the original plans for a presentation had gone off as planned -- but Cisco's reaction drew that much more attention to it and made it quite clear that Cisco was really, really worried about it. You would have thought that the company would recognize how this response would play out, but apparently no one told them how the internet works on these types of issues.Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Subscribe: RSS
View by: Time | Thread
What if...
[ link to this | view in thread ]
Lawyers Making Money
[ link to this | view in thread ]
Re: What if...
[ link to this | view in thread ]
Re: Re: What if...
Sounds neat, but goes against how exploits are developed.
Let's say that I want to take over Cisco 7200 class transit routers, one of the most common peers in the current BGP cloud. Do I start launching random attacks against live Internet routers at randomly selected universities?
No!
What I do is go out on eBay and dovebid and pick up a a few variants of the Cisco router I'm targeting, plug them into my 100% isolated from the Internet test lab, and start my cheap imported Russian hackers pounding away at them.
So after a few weeks I have a tried and true exploit, without overly committing any crime, and without giving Cisco or any researcher with a sniffer on the backbone any sign of what I am developing.
The term "0day" is generally used to refer to such an exploit only when it has been developed to fruition without even the underlying vulnerability being exploited having been revealed to the vendor nor the public.
[ link to this | view in thread ]