Cisco Coming Down Hard On Whistleblower Who Found Vulnerabilities

from the interesting-reasoning dept

One of the more popular questions that always comes up in computer security is how a security researcher should deal with vulnerability information. Almost everyone seems to agree that the company responsible should be informed. But what if they don’t do anything, or don’t respond? What if they don’t really fix the problem? Is there a point at which it makes sense to reveal the vulnerability publicly? The reasoning behind that strategy isn’t to punish the company; it rests on the assumption that other, more malicious hackers have probably discovered the same hole already. Publishing the vulnerability makes people realize that their systems are not secure and need to be fixed, and in those cases many people view the release of such information as a public service. Obviously, the companies responsible for the vulnerability often take a less kind view of this practice. Time and time again we hear stories about security researchers who discover some kind of vulnerability and are attacked and face legal consequences for revealing the info.

The latest such case involves what sounds like a pretty serious vulnerability in Cisco’s IOS, the operating system that runs most of their routers, which power large parts of the internet. The researcher who discovered the flaws was prepared to give a speech on the vulnerabilities, but Cisco freaked out about it, demanding that his company stop him from giving the talk and sending Cisco employees to rip the ten-page presentation out of every conference program that had already been printed. The security company backed down, but the researcher in question quit and gave the presentation anyway, leading Cisco and his former employer to sue him and the conference itself. So, is this guy recklessly revealing info that will allow hackers to cause serious problems? Or do they already know how to do that, and he’s just a whistleblower letting us know of the problem?
What may be most revealing about this, however, is what Cisco has said in response. They don’t seem to be saying that they only wished Michael Lynn had kept quiet long enough for them to fix these vulnerabilities. Nope. Instead, they say they’re suing because this was an “illegal publication of proprietary material,” which certainly seems to imply they would have preferred to hide this entire issue away. It would have sounded more convincing if they had responded by saying they needed more time to fix the problem. For example, Oracle recently responded to complaints that it was too slow to fix a certain security hole by pointing out all of the work that goes into fixing such holes properly.


Comments on “Cisco Coming Down Hard On Whistleblower Who Found Vulnerabilities”

Bret McDanel (user link) says:

At least it’s only civil for now

At least this guy is only facing a restraining order and it’s only a civil matter for now. Being the person named in one of the links for going to jail over reporting a security problem (after 8 months of the company knowing about it *and* having a fix which only took copying 2 patched files to their server but never actually doing this), I told people affected. (I could do nothing, tell those affected, or tell everyone. Doing nothing seemed to be unwise since the hole was not even that secret, HTTP referer info; telling everyone seemed bad because I felt that this company would not fix it if that were the case and it would lead to break-ins by pointing attention to it; telling those affected (of which I was one since I was allowed to keep my account) seemed to be the only choice left.) Eventually the govt admitted error and my conviction was overturned, but what a way to lose a few years of your life.

This guy is somewhat lucky that they didn’t try to get charges filed against him, although the DMCA doesn’t seem to apply since it’s not a copy-protection system, and the hacking statute doesn’t seem to apply since it’s not unauthorized access, so there seems to be little left aside from the now-failed attempt they made against me: saying that by releasing information I am somehow liable if anyone in the future, unknown to me, uses that information to do harm, and that by telling people the company has to fix their system with a whole new fix (my appeal was in the same district in California his civil suit is in, so maybe the local AUSA has kept current on their case law reading).

So far all they are saying is to not talk about it anymore, but if this goes through it’s a VERY bad thing in the end. He got the information by disassembling and working that way. The next step is to say you can’t use a debugger, and after that you won’t be able to probe programs for potential problems or use strace/truss or … Ultimately everyone is harmed by attempts to quiet security researchers.

To quote Richard Clarke at the 2002 Black Hat (then cyber security advisor to President Bush): “you need to tell anyone who will listen”. Oddly, this was about a month off of my trial, and at the same convention that the Cisco mess is over.

Michael Greb (user link) says:


It certainly would have sounded more convincing if they responded by saying they needed more time to fix the problem.

Except Cisco already fixed this vulnerability. It was found in April and a fix was available in May. The main issue, I think, this guy had was that Cisco didn’t make it clear that this update in May had fixes for some big security issues.

The talk gave a general description of exploiting a buffer overflow for arbitrary code execution and then went on to demonstrate with this particular vulnerability. Cisco has a rather crazy method of assessing the severity of issues. This issue, which allowed for arbitrary code execution, was considered a fix for a possible DoS in the release notes.

Anon says:


If an exploit affects a “majority” of the systems the Internet runs on… does anyone actually give 2 craps and a cream who owns the code? (Yeah, I read it was fixed, but the underlying fault of code execution seems to remain.)
Just for that, I feel like suing Cisco next time one of their exploits affects me. After all, they’re claiming full ownership here, apparently even over the exploit.
That’s called gross negligence, “Intentional failure to perform a duty, reckless disregard of the consequences as affecting the life or property of another”, and in most places is a criminal offense, not just civil.
I think this researcher was the only one here not guilty of gross negligence. Good luck to him in his pending suit; hope he countersues!

Anonymous Coward says:

No Subject Given

The initial vulnerability was fixed by Cisco, but the underlying problem remains. The SecurityFocus article discussing the Lynn case says:

Lynn outlined a way to take control of an IOS-based router, using a buffer overflow or a heap overflow. He demonstrated the attack using a vulnerability that Cisco fixed in April. While that flaw is patched, he stressed that the attack can be used with any serious buffer overrun or heap overflow…. The networking giant[Cisco] … did nothing to prevent attackers from running programs on the devices using the broad techniques Lynn described, the researcher said.

Right now, an attack designed for a particular vulnerability won’t let someone take simultaneous control of the Internet’s routers, because different routers run different software patched to different levels. But this won’t stop attackers in the future, according to the SecurityFocus article.

Cisco plans in the future to abstract the architecture of the router operating system…, which could have a side effect of making a single attack work against all routers. Rather than knowing the various memory addresses, or offsets, needed to compromise systems, a single offset could work, Lynn said.
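The two comments above make one technical point between them: a buffer overflow in a fixed-size buffer lets a packet overwrite whatever sits past the buffer, and how far past it the interesting target sits (the "offset") depends on how a particular build laid out memory, so one payload rarely works across differently built images. The C program below is an added illustration of that point and is not code from the article, from Lynn's talk, or from Cisco's IOS. It uses two constructed record layouts standing in for two firmware builds, a deliberately unchecked copy routine, and the bounds-checked copy that closes the hole; the names (`record_a`, `record_b`, `control`, the payload bytes) are all assumptions chosen for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Two hypothetical firmware builds of the same parser. Both keep a
 * fixed-size name buffer followed by a 32-bit control word, but the
 * builds size the buffer differently, so the distance from the start
 * of the buffer to the control word differs. Constructed layouts. */
typedef struct {            /* build A: control word sits 16 bytes past the name */
    char     name[16];
    uint32_t control;
} record_a;

typedef struct {            /* build B: control word sits 32 bytes past the name */
    char     name[32];
    uint32_t control;
} record_b;

#define CONTROL_DEFAULT 0x00000001u   /* value an honest packet leaves in place */
#define REGION_SIZE     64            /* backing memory for one record (both fit) */

/* Vulnerable copy: stops only at the NUL terminator and never consults the
 * buffer size. It works on a raw byte region we own so the overrun stays
 * inside one object and the demo behaves deterministically; payloads in this
 * example are shorter than REGION_SIZE. */
static void copy_name_unchecked(unsigned char *region, size_t name_off, const char *pkt)
{
    size_t i = 0;
    while (pkt[i] != '\0') {
        region[name_off + i] = (unsigned char)pkt[i];
        i++;
    }
    region[name_off + i] = '\0';
}

/* Hardened copy: refuses anything that does not fit together with its NUL. */
int copy_name_checked(char *dst, size_t dst_len, const char *pkt)
{
    size_t n = strlen(pkt);
    if (n >= dst_len)
        return -1;
    memcpy(dst, pkt, n + 1);
    return 0;
}

/* Feed one packet to build A's parser and report the control word afterwards. */
uint32_t control_after_packet_a(const char *pkt)
{
    unsigned char region[REGION_SIZE] = {0};
    record_a rec = { .control = CONTROL_DEFAULT };      /* name is zeroed */
    memcpy(region, &rec, sizeof rec);
    copy_name_unchecked(region, offsetof(record_a, name), pkt);
    memcpy(&rec, region, sizeof rec);
    return rec.control;
}

/* Same packet against build B's layout. */
uint32_t control_after_packet_b(const char *pkt)
{
    unsigned char region[REGION_SIZE] = {0};
    record_b rec = { .control = CONTROL_DEFAULT };
    memcpy(region, &rec, sizeof rec);
    copy_name_unchecked(region, offsetof(record_b, name), pkt);
    memcpy(&rec, region, sizeof rec);
    return rec.control;
}

/* Build A's parser with the bounds check in place: 1 if accepted, 0 if refused. */
int hardened_accepts_a(const char *pkt)
{
    record_a rec = { .control = CONTROL_DEFAULT };
    return copy_name_checked(rec.name, sizeof rec.name, pkt) == 0;
}

/* Constructed attack packet aimed at build A: fill the 16-byte name, then
 * overwrite the 4-byte control word with 0x42 bytes (the resulting value
 * 0x42424242 is the same in either byte order). The fill length is taken
 * from build A's layout, which is exactly what makes it build-specific. */
const char *payload_for_a(void)
{
    static char payload[32];
    size_t fill = offsetof(record_a, control) - offsetof(record_a, name);  /* 16 */
    memset(payload, 'A', fill);
    memset(payload + fill, 0x42, sizeof(uint32_t));
    payload[fill + sizeof(uint32_t)] = '\0';
    return payload;
}

int main(void)
{
    const char *pkt = payload_for_a();
    printf("build A control after packet: 0x%08x\n", control_after_packet_a(pkt));
    printf("build B control after packet: 0x%08x\n", control_after_packet_b(pkt));
    printf("hardened parser accepts it:   %d\n", hardened_accepts_a(pkt));
    return 0;
}
```

Against build A the packet lands its four 0x42 bytes exactly on the control word; against build B the same bytes stop well inside the larger name buffer and the control word is untouched, which is the per-build offset problem the SecurityFocus quote describes. The checked copy refuses the packet outright, and an honest short name is accepted by both versions. Collapsing every build onto one layout would make the single payload work everywhere, which is the side effect Lynn warned about.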
