Cisco Coming Down Hard On Whistleblower Who Found Vulnerabilities
from the interesting-reasoning dept
One of the more popular questions that always comes up in computer security is how a security researcher should deal with vulnerability information. Almost everyone seems to agree that the company responsible should be informed. But what if they don’t do anything or respond? What if they don’t really fix the problem? Is there a point at which it makes sense to reveal the vulnerability publicly? The reasoning behind that strategy isn’t to punish the company; it rests on the assumption that other, more malicious hackers have probably discovered the same hole. Publishing the vulnerability makes people realize that their systems are not secure and need to be fixed — and, in those cases, many people view the release of such information as a public service. Obviously, the companies responsible for the vulnerability often take a less kind view of this practice. Time and time again we hear stories about security researchers who discover some kind of vulnerability and are attacked and face legal consequences for revealing the info. The latest such case involves what sounds like a pretty serious vulnerability in Cisco’s IOS, the operating system that runs most of their routers, which power large parts of the internet. The researcher who discovered the flaws was prepared to give a speech on the vulnerabilities, but Cisco freaked out about it — demanding that his company stop him from giving the talk and sending Cisco employees to rip the ten-page presentation out of every conference program that had already been printed. The security company backed down, but the researcher in question quit and gave the presentation anyway, leading Cisco and his former employer to sue him and the conference itself. So, is this guy recklessly revealing info that will allow hackers to cause serious problems? Or do they already know how to do that, and he’s just a whistleblower letting us know of the problem?
What may be most revealing about this, however, is what Cisco has said in response. They don’t seem to be saying that they only wished Michael Lynn had kept quiet long enough for them to fix these vulnerabilities. Nope. Instead, they say they’re suing because this was an “illegal publication of proprietary material,” which certainly seems to imply they would have preferred to have hidden this entire issue away. It certainly would have sounded more convincing if they responded by saying they needed more time to fix the problem. For example, Oracle recently responded to complaints that it was too slow to fix a certain security hole by pointing out all of the work that goes into fixing such holes properly.
Comments on “Cisco Coming Down Hard On Whistleblower Who Found Vulnerabilities”
At least it’s only civil for now
At least this guy is only facing a restraining order and it’s only a civil matter for now. Being the person named in one of the links for going to jail over reporting a security problem (after 8 months of the company knowing about it *and* having a fix which only took copying 2 patched files to their server, but never actually doing this), I told people affected. (I could do nothing, tell those affected, or tell everyone. Doing nothing seemed to be unwise since the hole was not even that secret, HTTP referer info; telling everyone seemed bad because I felt that this company would not fix it if that were the case and it would lead to break-ins by pointing attention to it; telling those affected (of which I was one since I was allowed to keep my account) seemed to be the only choice left.) Eventually the govt admitted error and my conviction was overturned, but what a way to lose a few years of your life.
This guy is somewhat lucky that they didn’t try to get charges filed against him, although the DMCA doesn’t seem to apply since it’s not a copy-protection system, and the hacking statute doesn’t seem to apply since it’s not unauthorized access, so there seems to be little left aside from the now-failed attempt they made against me, saying that by releasing information I am somehow liable if anyone in the future unknown to me uses that information to do harm, and that by telling people the company has to fix their system with a whole new fix (my appeal was in the same district in California his civil suit is in, so maybe the local AUSA has kept current on their case law reading).
So far all they are saying is to not talk about it anymore, but if this goes through it’s a VERY bad thing in the end. He got the information by disassembling and working that way. The next step is to say you can’t use a debugger, and after that you won’t be able to probe programs for potential problems or use strace/truss or … Ultimately everyone is harmed by attempts to quiet security researchers.
To quote Richard Clarke at the 2002 Black Hat (then cyber security advisor to President Bush): “you need to tell anyone who will listen”. Oddly this was about a month off of my trial, and at the same convention that the Cisco mess is over.
http://reviews.cnet.com/4520-3513_7-5127811-1.html
http://news.zdnet.com/2100-1009_22-947409.html
Polish that Grammar
Wow, what a long paragraph. You may want to review your grammar rules before writing an article you want people to read.
Re: Polish that Grammar
You read it…
Re: Re: Polish that Grammar
Yes, but with some difficulty because of the poor grammar.
Re: Polish that Grammar
Seriously Guero, eat some pipe if that’s the most productive comment you have after reading that
Fixed
Except Cisco already fixed this vulnerability. It was found in April and a fix was available in May. The main issue, I think, this guy had was that Cisco didn’t make it clear that this update in May had fixes for some big security issues.
The talk gave a general description of exploiting a buffer overflow for arbitrary code execution and then went on to demonstrate with this particular vulnerability. Cisco has a rather crazy method of assessing the severity of issues. This issue, which allowed for arbitrary code execution, was considered a fix for a possible DoS in the release notes.
Proprietary?
If an exploit affects a “majority” of the systems the Internet runs on… does anyone actually give 2 craps and a cream who owns the code? (Yeah, I read it was fixed, but the underlying fault of code execution seems to remain.)
Just for that, I feel like suing Cisco next time one of their exploits affects me. After all, they’re claiming full ownership here, apparently even over the exploit.
That’s called gross negligence – “Intentional failure to perform a duty, reckless disregard of the consequences as affecting the life or property of another”, and in most places, is a criminal offense, not just civil.
I think this researcher was the only one here not guilty of gross negligence. Good luck to him in his pending suit; hope he countersues!
No Subject Given
The initial vulnerability was fixed by Cisco, but the underlying problem remains. The Security Focus article discussing the Lynn case says:
Right now, an attack designed for a particular vulnerability won’t let someone take simultaneous control of the Internet’s routers, because different routers run different software patched to different levels. But this won’t stop attackers in the future, according to the Security Focus article.