Say That Again

by Mike Masnick

Oh, Look At That: Cisco Says There's A Big Flaw In IOS

from the hmm dept

Wait, wasn't there a big mess a few months back when a security researcher tried to let people know that Cisco's IOS was insecure and had vulnerabilities that could cause all sorts of problems to the internet? So, here we are a bit later on and what does Cisco do? They're suddenly saying that, oh yeah, IOS appears to have a major flaw that could cause all sorts of problems to the internet. Now, exactly what was wrong with letting people know that this was an issue two months ago?

Reader Comments

  1. Sep 8th, 2005 @ 4:30am

    No Subject Given

    by Bob3000

    To say that this "event" was badly managed would be an understatement. I hope that Cisco has some lessons learned from this and established some procedures for coping with user-reported flaws.

  2. Sep 8th, 2005 @ 6:10am

    No Subject Given

    by pat

    That's all well and good, but big companies like to do something which is called 'responsible vulnerability disclosure'.
    If it takes 6 months to come up with a fix for some problem, then what's the point in announcing it until the fix is available? As long as as few people as possible know about the flaw, it's less of an issue. It's only when the flaw becomes widely publicised that it becomes a problem.

  3. Sep 8th, 2005 @ 7:07am

    Re: No Subject Given

    by thecaptain

    I don't buy that.

    1) YES, it DOES take time to fix a problem...but keeping admins in the dark UNTIL a fix is available means simply this:

    - the people who COULD try to take steps to protect themselves are in the dark and unaware; the ONLY people who are aware are the company itself and the hackers who would take advantage of the situation.

    and:

    2) it has been proven time and again that without public revelation of these problems, fixes are either much longer in coming, lower in priority or not forthcoming AT ALL. No bad PR = no incentive to invest money and resources to fix problems.

    The companies who push for "responsible vulnerability disclosure" the most are usually the ones who have consistently resisted and rebuffed attempts to inform them of problems.

  4. Sep 8th, 2005 @ 7:20am

    Re: No Subject Given

    by Dan Philpott

    Solid reasoning, that. If fewer people know about the threat then fewer people are likely to exploit it. But by the same reasoning the fewer people who know about the vulnerability the fewer can protect against it. Also, the fewer people who know of the vulnerability the fewer people can properly frame the danger it poses. And let us not forget, the fewer people informed of the vulnerability the fewer can demand redress from the manufacturer.
    But 'Responsible Vulnerability Disclosure' is what is needed. Unfortunately 'Responsible Vulnerability Disclosure' is often a euphemism for 'Security Through Obscurity', in fact if not in marketspeak.
    Is it responsible to prevent people from mediating the threat through some other action alternate to patches from the manufacturer?
    Is it responsible to believe that what one researcher discovers no others will?
    Is it responsible to trust to a bureaucratic corporate structure to fix a vulnerability without further external prompting?
    So when a researcher discovers a vulnerability he is implicitly responsible for seeing it mended. First through addressing it with the manufacturer with full disclosure of the facts and extent of the vulnerability. Then by allowing a reasonable time to elapse for the manufacturer to repair and announce, with proper attribution as to discovery, the vulnerability. Finally, failing a reasonable manufacturer response the responsible thing to do is to announce the existence of the exploit to enable users to protect themselves and force action from the manufacturer.
    Because is it really responsible to base your security on the stupidity of hackers?

  5. Sep 8th, 2005 @ 8:11am

    huh!

    I'm wondering just what "all sorts of problems" means. Not a very definitive description of the problem.

    -TC

  6. Sep 8th, 2005 @ 9:05am

    Re: huh!

    by Nipsey Russell, Yo

    TC, click on the link to see the detailed story

  7. Sep 8th, 2005 @ 9:52am

    Cisco flaw

    by USlacker

    Is there any reason to suspect this is the same flaw discussed last month?

  8. Sep 8th, 2005 @ 9:58am

    Full Disclosure

    by Carlos Blanco

    My opinion is that companies should notify their registered/contractual customers via letter. When companies such as Cisco or Microsoft determine that there is indeed a flaw, and the companies are as vital to the operation of corporations as they are, then that disclosure is a must. I would not be opposed to legislation being implemented that forces companies to disclose these types of flaws. Especially since these companies are purported to be the heart and soul of so many corporations. The FTC should categorize companies into different levels of responsibility and require disclosure based on those categories. But hey, that's just me... Hasta

  9. Sep 8th, 2005 @ 12:30pm

    Re: No Subject Given

    by chris

    Cisco lets all the big ISPs and telcos know about the flaws first to give them a chance to patch their thousands of routers. Then they tell big corporations, and then everyone, by which time hopefully most of the important bits of the internet are fixed.