Cisco Cover-up Concerns Cracker Conference
July 27, 2005 6:05 PM   Subscribe

The Wapo first reported that a security researcher Michael Lynn of ISS had discovered a critical hole in Cisco routers, was ready to present his findings at Blackhat, and then suddenly bowed out. Some began to cry "cover-up", and Cisco denied the vulnerability. Then, dramatically, Lynn resigned from ISS and gave his presentation, saying "I'm probably about to be sued to oblivion. (But) the worst thing is to keep this stuff secret."
posted by sohcahtoa (12 comments total)
This is an interesting story, but the details are obviously sketchy at this early stage. Lynn's decisions to resign and present appear personally dramatic, but raise again the question of what responsible parties in possession of societally damaging information not widely known should do with it, but I'm not sure he is a whistleblower in the narrow sense, or likely to be afforded much personal protection. My initial reaction is that his problem is not unlike this person's in that what he discovered was inextricably linked with how he discovered it, i.e. he was working as a researcher, and the information he uncovered was itself a work for hire, probably governed by NDA and non-reverse engineering clauses in licenses and copyright agreements. Even if the latter were suspended by agreements between his employer, ISS, and Cisco, for research purposes, disclosure control probably wasn't.

So he probably is personally pretty hosed, and maybe not just in civil court. ISS get a lot of government business, and I suspect some phones are ringing in executive homes tonight from Washington callers, concerned about how ISS keeps its researchers findings under wraps in other areas. Nailing this guy on DMCA and other violations is going to be pretty small potatoes, I'm afraid for him.

Security by obscurity is, and always has been, an "operative" technique. Patch your systems, and pass the ammunition. Information hasn't wanted to be all that free, since 9/11, I guess.
posted by paulsc at 6:52 PM on July 27, 2005

ISS get a lot of government business, and I suspect some phones are ringing in executive homes tonight from Washington callers, concerned about how ISS keeps its researchers findings under wraps in other areas.
If he's charged with harming America I would imagine federal whistle-blower protection would apply. And I would hope the Washington callers would call Cisco since they sold the faulty product and tried to cover it up, not ISS.
posted by revgeorge at 7:08 PM on July 27, 2005

The way I read between the lines of the story is that although Cisco patched this hole already and will update the whole OS next year, Lynn is doing this because the IOS source has been stolen twice; he (claims) he found this hole via reverse-engineering; and so Cisco's routers are far more vulnerable than anyone thinks and Cisco isn't addressing the problem.

A less generous reading would be that Lynn is grandstanding.

An even less generous reading would be that Lynn got ahold of the source himself in order to find the exploit.
posted by Ethereal Bligh at 7:12 PM on July 27, 2005

EB, I seriously doubt he would have had to quit if he had stolen the source himself. I doubt he would have said he reverse engineered their code unless he had done it legitimately. If it wasn't legitimate research, the presentation would not have been cancelled at all, much less at ISS/Cisco's behest, and ISS/Cisco would definitely not have approved it in the first place.

I'm not sure why he quit and presented if the vulnerability was already fixed.. he's either grandstanding, genuinely concerned, or knows of other, currently valid exploits and is using this to press for higher standards before analysis of the stolen source reveals those exploits to the unethical.

Aside from legal action from his recent employer, he faces the classic whistleblower problem: he has destroyed his credibility (from employers' point of view). who's going to hire someone who spills the beans after being told explicitly not to? (not saying whistleblowing isn't a good thing, merely that employers rarely, if ever, think it is.)
posted by ulami at 7:31 PM on July 27, 2005

I seriously doubt he would have had to quit if he had stolen the source himself.

He probably didn't steal it himself, but I wouldn't be surprised if he got a copy of it to help find weak spots.
posted by Civil_Disobedient at 8:46 PM on July 27, 2005

What would be the problem with him obtaining a copy of it himself to find said weak spots? If he was taken to court for breaching national security, couldn't his defense be that by doing this, he was helping to protect national security?

I don't know enough about what's going on to be sure of anything, but if he genuinely is acting on behalf of the public and security at large then my hat is off to him.
posted by Dean Keaton at 10:58 PM on July 27, 2005

Everything changed after 9/11, DK — these days, the people genuinely trying to improve security by pointing out vulnerabilities are the first to be arrested.
posted by hattifattener at 11:49 PM on July 27, 2005

Why would he advertise, in an interview, that he had access to the source code if the only access he had was to a stolen copy? The guy's worried about being sued, would he admit to much more serious things so freely?

It's much more plausible, given the situation, that access to their source was a legitimate part of his job.
posted by ulami at 12:05 AM on July 28, 2005

Reverse engineering does not equal access to source code.

If you have source code there's no need to reverse engineer.

He is saying that the source code is easily available because it has been stolen twice recently.

Security by obscurity is never the proper approach. Responsible disclosure is the ethical avenue and if the vendor will not address the problems then general release is the correct and responsible thing to do.
posted by nofundy at 5:50 AM on July 28, 2005

Here's an update. Sounds kinda weird... cisco got pwn3d.

'Course, it is the black hat conference and all... I would imagine that all kinds of crazy things have been disclosed.
posted by ph00dz at 6:40 AM on July 28, 2005

Has anyone started a legal defense fund for this guy? I'd be happy to chip in.
posted by realcountrymusic at 7:16 AM on July 28, 2005

"Lynn is said to have illegally reverse-engineered Cisco source code"

What the hell does that mean? It makes no sense. The writer doesn't know what he's talking about.

With Cisco and ISS claiming criminal conduct, I can think of three possibilities. 1) they're lying (or mistaken); 2) Lynn used the source code to find the vulnerabilities; 3) Lynn reverse-engineered IOS as he claims, but without permission of Cisco and the argument against him is of DMCA form.

I really think the second possibility looks likely, given how Cisco has reacted to this and how they were initially okay with the revelation of the vulnerability. It also makes sense that Lynn would have been overzealous and foolish enough to use the source to find the vulnerability and thought he was being virtuous in doing so. Because, you see, the real problem is that the source code is available, not the particular vulnerability Lynn found. With access to the source, all sorts vulnerabilities are going to be discoverable. And going to a new version of IOS won't help unless they started from scratch. It makes sense that this is the point Lynn is trying to make.

The problem is that you simply can't get away with doing something illegal because "you meant well". We've had this discussion about people independently probing for security holes outside of their job mandate and getting in trouble for it. I can't break into your house and then claim that I was doing it only to show how you need to reinforce your security. Not unless I have your permission. Assuming that it's the case that Lynn had access to the source, what he could have done was ask Cisco for access to the source that the hacker community had in an effort to prove that, having such access, a bad vulnerability could be found. Cisco would likely have refused, of course, because always with access to the source are you going to be able to find deep vulnerabilities. Everyone knows this.
posted by Ethereal Bligh at 3:32 PM on July 28, 2005

« Older the sunlight of a public trial   |   Model Vs. Photographer Newer »

This thread has been archived and is closed to new comments