Cisco Coming Down Hard On Whistleblower Who Found Vulnerabilities
from the interesting-reasoning dept
One of the more popular questions that always comes up in computer security is how a security researcher should deal with vulnerability information. Almost everyone seems to agree that the company responsible should be informed. But what if the company doesn’t respond or do anything? What if it doesn’t really fix the problem? Is there a point at which it makes sense to reveal the vulnerability publicly? The reasoning behind that strategy isn’t to punish the company; it rests on the assumption that other, more malicious hackers have probably discovered the same hole already. Publishing the vulnerability makes people realize that their systems are not secure and need to be fixed — and, in those cases, many people view the release of such information as a public service. Obviously, the companies responsible for the vulnerability often take a less kind view of this practice. Time and time again we hear stories about security researchers who discover some kind of vulnerability and are attacked and face legal consequences for revealing the info.

The latest such case involves what sounds like a pretty serious vulnerability in Cisco’s IOS, the operating system that runs most of their routers, which power large parts of the internet. The researcher who discovered the flaws was prepared to give a speech on the vulnerabilities, but Cisco freaked out about it — demanding that his company stop him from giving the talk and sending Cisco employees to rip the ten-page presentation out of every conference program, which had already been printed. The security company backed down, but the researcher in question quit and gave the presentation anyway, leading Cisco and his former employer to sue him and the conference itself. So, is this guy recklessly revealing info that will allow hackers to cause serious problems? Or do they already know how to do that, and he’s just a whistleblower letting us know of the problem?
What may be most revealing about this, however, is what Cisco has said in response. They don’t seem to be saying that they only wished Michael Lynn had kept quiet long enough for them to fix these vulnerabilities. Nope. Instead, they say they’re suing because this was an “illegal publication of proprietary material,” which certainly seems to imply they would have preferred to have hidden this entire issue away. It certainly would have sounded more convincing if they had responded by saying they needed more time to fix the problem. For example, Oracle recently responded to complaints that it was too slow to fix a certain security hole by pointing out all of the work that goes into fixing such holes properly.