Why Cisco's Attempt To Suppress Security Researcher Backfired

from the everybody's-hacking-now dept

Last week, we noted just how ridiculous it was that Cisco thought it could make the discussion of a massive security exploit disappear by ripping some pages out of a presentation, demanding all video tape from the presentation and getting the speaker to agree not to discuss the issue again. All that really did, in true Streisand Effect fashion, was make damn sure that a lot of security researchers spent the whole weekend trying to break Cisco’s software based on what they know. Yes, this would have gotten some attention if the presentation had gone off as originally planned — but Cisco’s reaction drew that much more attention to it and made it quite clear that Cisco was really, really worried about it. You would have thought that the company would recognize how this response would play out, but apparently no one told them how the internet works on these types of issues.



Comments on “Why Cisco's Attempt To Suppress Security Researcher Backfired”

4 Comments
BG says:

What if...

What if they developed security software that was programmed to increase its security and complexity with every attempt to break into it? What if Cisco had done this and they could go through the Streisand effect and actually end up with a more formidable product intentionally? Maybe with every break-in, the code would change and build upon itself from the last attempt? This almost sounds as if it should exist already…

Nonesuch (user link) says:

Re: Re: What if...

What if they developed security software that was programmed to increase its security and complexity with every attempt to break into it? What if Cisco had done this and they could go through the Streisand effect and actually end up with a more formidable product intentionally? Maybe with every break-in, the code would change and build upon itself from the last attempt? This almost sounds as if it should exist already…

Sounds neat, but goes against how exploits are developed.

Let’s say that I want to take over Cisco 7200 class transit routers, one of the most common peers in the current BGP cloud. Do I start launching random attacks against live Internet routers at randomly selected universities?

No!

What I do is go out on eBay and dovebid and pick up a few variants of the Cisco router I’m targeting, plug them into my 100% isolated from the Internet test lab, and start my cheap imported Russian hackers pounding away at them.

So after a few weeks I have a tried and true exploit, without overly committing any crime, and without giving Cisco or any researcher with a sniffer on the backbone any sign of what I am developing.

The term “0day” is generally used to refer to such an exploit only when it has been developed to fruition without even the underlying vulnerability being exploited having been revealed to the vendor or the public.

Anonymous of Course says:

Lawyers Making Money

At least the lawyers are making money. On some mirrors the PDF from the presentation has been replaced by a threatening letter from a law firm representing Cisco. However, the mirror in Russia is still up… imagine that. I’m sure Cisco is being billed for each useless letter and the wasted time spent trying to suppress the information. That said, after reading through it I can see why the presentation has Cisco’s underwear in a bunch. Although you’d think by now the smart people there would have anticipated such events and would be better prepared to handle them.
