Oh, Look At That: Cisco Says There's A Big Flaw In IOS

from the hmm dept

Wait, wasn't there a big mess a few months back when a security researcher tried to let people know that Cisco's IOS was insecure and had vulnerabilities that could cause all sorts of problems to the internet? So, here we are a bit later on and what does Cisco do? They're suddenly saying that, oh yeah, IOS appears to have a major flaw that could cause all sorts of problems to the internet. Now, exactly what was wrong with letting people know that this was an issue two months ago?


Reader Comments



  • Bob3000, 8 Sep 2005 @ 4:30am

    No Subject Given

    To say that this "event" was badly managed would be an understatement. I hope that Cisco has some lessons learned from this and established some procedures for coping with user-reported flaws.

    • chris, 8 Sep 2005 @ 12:30pm

      Re: No Subject Given

      Cisco lets all the big ISPs and telcos know about the flaws first to give them a chance to patch their thousands of routers. Then they tell big corporations and then everyone, by which time hopefully most of the important bits of the internet are fixed.

  • pat, 8 Sep 2005 @ 6:10am

    No Subject Given

    That's all well and good, but big companies like to do something which is called 'responsible vulnerability disclosure'.
    If it takes 6 months to come up with a fix for some problem, then what's the point in announcing it until the fix is available? As long as as few people as possible know about the flaw, then it's less of an issue. It's only when the flaw becomes widely publicised that it becomes a problem.

    • thecaptain, 8 Sep 2005 @ 7:07am

      Re: No Subject Given

      I don't buy that.

      1) YES, it DOES take time to fix a problem...but keeping admins in the dark UNTIL a fix is available means simply this:

      - the people who COULD try and take steps to protect themselves are in the dark and unaware, the ONLY people who are aware are the company itself and the hackers who would take advantage of the situation.

      and:

      2) it has been proven time and again that without public revelation of these problems, fixes are either much longer in coming, lower in priority or not forthcoming AT ALL. No bad PR = no incentive to invest money and resources to fix problems.

      The companies who push for "responsible vulnerability disclosure" the most are usually the ones who have consistently resisted and rebuffed attempts to inform them of problems.

    • Dan Philpott, 8 Sep 2005 @ 7:20am

      Re: No Subject Given

      Solid reasoning, that. If fewer people know about the threat then fewer people are likely to exploit it. But by the same reasoning the fewer people who know about the vulnerability the fewer can protect against it. Also, the fewer people who know of the vulnerability the fewer people can properly frame the danger it poses. And let us not forget, the fewer people informed of the vulnerability the fewer can demand redress from the manufacturer.
      But 'Responsible Vulnerability Disclosure' is what is needed. Unfortunately 'Responsible Vulnerability Disclosure' is often a euphemism for 'Security Through Obscurity' in fact, if not in marketspeak.
      Is it responsible to prevent people from mediating the threat through some other action alternate to patches from the manufacturer?
      Is it responsible to believe that what one researcher discovers no others will?
      Is it responsible to trust to a bureaucratic corporate structure to fix a vulnerability without further external prompting?
      So when a researcher discovers a vulnerability he is implicitly responsible for seeing it mended. First through addressing it with the manufacturer with full disclosure of the facts and extent of the vulnerability. Then by allowing a reasonable time to elapse for the manufacturer to repair and announce, with proper attribution as to discovery, the vulnerability. Finally, failing a reasonable manufacturer response the responsible thing to do is to announce the existence of the exploit to enable users to protect themselves and force action from the manufacturer.
      Because is it really responsible to base your security on the stupidity of hackers?

  • TC Harp, 8 Sep 2005 @ 8:11am

    huh!

    I'm wondering just what "all sorts of problems" means. Not a very definitive description of the problem.

    -TC

  • USlacker, 8 Sep 2005 @ 9:52am

    Cisco flaw

    Is there any reason to suspect this is the same flaw discussed last month?

  • Carlos Blanco, 8 Sep 2005 @ 9:58am

    Full Disclosure

    My opinion is that companies should notify their registered/contractual customers via letter. When companies such as Cisco or Microsoft determine that there is indeed a flaw, and the companies are as vital to the operation of corporations as they are, then that disclosure is a must. I would not be opposed to legislation being implemented that forces companies to disclose these types of flaws. Especially since these companies are purported to be the heart and soul of so many corporations. The FTC should categorize companies into different levels of responsibility and require disclosure based on those categories. But hey, that's just me... Hasta

