Oh, Look At That: Cisco Says There's A Big Flaw In IOS

from the hmm dept

Wait, wasn’t there a big mess a few months back when a security researcher tried to let people know that Cisco’s IOS was insecure and had vulnerabilities that could cause all sorts of problems to the internet? So, here we are a bit later on and what does Cisco do? They’re suddenly saying that, oh yeah, IOS appears to have a major flaw that could cause all sorts of problems to the internet. Now, exactly what was wrong with letting people know that this was an issue two months ago?


Comments on “Oh, Look At That: Cisco Says There's A Big Flaw In IOS”

pat says:

No Subject Given

That’s all well and good, but big companies like to do something which is called ‘responsible vulnerability disclosure’.
If it takes 6 months to come up with a fix for some problem, then what’s the point in announcing it until the fix is available? As long as as few people as possible know about the flaw, it’s less of an issue. It’s only when the flaw becomes widely publicised that it becomes a problem.

thecaptain says:

Re: No Subject Given

I don’t buy that.

1) YES, it DOES take time to fix a problem…but keeping admins in the dark UNTIL a fix is available means simply this:

– the people who COULD try and take steps to protect themselves are in the dark and unaware, the ONLY people who are aware are the company itself and the hackers who would take advantage of the situation.


2) it has been proven time and again that without public revelation of these problems, fixes are either much longer in coming, lower in priority or not forthcoming AT ALL. No bad PR = no incentive to invest money and resources to fix problems.

The companies who push for “responsible vulnerability disclosure” the most are usually the ones who have consistently resisted and rebuffed attempts to inform them of problems.

Dan Philpott says:

Re: No Subject Given

Solid reasoning, that. If fewer people know about the threat then fewer people are likely to exploit it. But by the same reasoning the fewer people who know about the vulnerability the fewer can protect against it. Also, the fewer people who know of the vulnerability the fewer people can properly frame the danger it poses. And let us not forget, the fewer people informed of the vulnerability the fewer can demand redress from the manufacturer.
But ‘Responsible Vulnerability Disclosure’ is what is needed. Unfortunately, ‘Responsible Vulnerability Disclosure’ is often a euphemism for ‘Security Through Obscurity’ in fact, if not in marketspeak.
Is it responsible to prevent people from mediating the threat through some other action alternate to patches from the manufacturer?
Is it responsible to believe that what one researcher discovers no others will?
Is it responsible to trust to a bureaucratic corporate structure to fix a vulnerability without further external prompting?
So when a researcher discovers a vulnerability he is implicitly responsible for seeing it mended. First through addressing it with the manufacturer with full disclosure of the facts and extent of the vulnerability. Then by allowing a reasonable time to elapse for the manufacturer to repair and announce, with proper attribution as to discovery, the vulnerability. Finally, failing a reasonable manufacturer response the responsible thing to do is to announce the existence of the exploit to enable users to protect themselves and force action from the manufacturer.
Because is it really responsible to base your security on the stupidity of hackers?

Carlos Blanco says:

Full Disclosure

My opinion is that companies should notify their registered/contractual customers via letter. When companies such as Cisco or Microsoft determine that there is indeed a flaw, and the companies are as vital to the operation of corporations as they are, then that disclosure is a must.

I would not be opposed to legislation being implemented that forces companies to disclose these types of flaws. Especially since these companies are purported to be the heart and soul of so many corporations.
The FTC should categorize companies into different levels of responsibility and require disclosure based on those categories.

But hey, that’s just me…

