
Researcher Resigns Over New Cisco Router Flaw

samzenpus posted more than 9 years ago | from the don't-go-down-with-the-ship dept.

Security 423

An anonymous reader writes "Michael Lynn, formerly a researcher for Internet Security Systems, resigned today rather than conceal his research into serious new flaws in Cisco routers, according to stories at Washingtonpost.com and CRN. Interestingly, Cisco says the problem is not a security vulnerability, although it chided Lynn for not going through proper vulnerability disclosure channels. Both stories note that Lynn is in danger of being sued by Cisco for revealing the information, details of which were pulled at the last minute from the materials handed out to Black Hat attendees." Update: 07/28 12:23 GMT by Z : SimilarityEngine writes "Cisco and ISS are filing a lawsuit against Michael Lynn and the management of the Black Hat Conference, following Lynn's presentation discussing a vulnerability in IOS."


I took the CCNA (-1, Offtopic)

thundercatslair (809424) | more than 9 years ago | (#13184306)

Now it is expired.

Re:I took the CCNA (-1, Troll)

Anonymous Coward | more than 9 years ago | (#13184354)

I hope you did not pay for it in a futile attempt to gain more traction on the employment-market.

If so, you are a moron.

1. Shower
2. Don't be so fucking ugly
3. ???
4. Get a job!!!

I heard MSCEs make women cream their pants nowadays.

Re:I took the CCNA (-1, Redundant)

thundercatslair (809424) | more than 9 years ago | (#13184391)

No, only for comedic value. You see, in high school I took the useless Cisco class. It was so dumb that we basically cheated on every test, because all you had to do was open a new window. All we did was slack off and we still got over 90's, so I was the only one of my friends to get it; we all laughed for a little while.

the post with the most! (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#13184308)

firsties! woot.

Re:the post with the most! (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#13184406)

The award for the post with the most goes to ... NOT YOU!

Not You: Iiiiiiiiiiiiih! Iiiiiiiiiiiiiiiiiiih! *jump* *jump* *put tits back in dress*

I wonder... (1, Interesting)

leonmergen (807379) | more than 9 years ago | (#13184312)

From the article:

According to several people who made it on time to the 9 a.m. presentation, Lynn began his talk with a discussion about security issues surrounding services that allow people to make Internet-based telephone calls. Then, they said, Lynn suddenly changed topics and began discussing the highly technical details of his research into the Cisco flaw, saying he would rather quit his job at ISS than keep the information from conference attendees.

Why would anyone, after clearly being informed NOT to talk about this information, talk about this information?

I know, freedom of information ideals and the like, but couldn't he at least have waited a few weeks to see how Cisco responds, instead of simply revealing the information of a hardware-level exploit?

Re:I wonder... (5, Insightful)

lordkuri (514498) | more than 9 years ago | (#13184324)

but couldn't he at least have waited a few weeks to see how Cisco responds

Cisco seems to suffer from the same stupidity that most other large corporations do. They'll take a report, and sit on it for weeks, and sometimes months. Full Disclosure is usually the only way to get them to actually fix the issues in a timely manner.

Re:I wonder... (3, Insightful)

turnstyle (588788) | more than 9 years ago | (#13184546)

Would you similarly welcome the disclosure of a security flaw at your bank, hospital, etc. that granted access to your private/personal records?

Personally, I'd probably rather the bank/hospital had a few weeks to establish a plan, rather than have to bang something out in an emergency, and whilst the records have already been made much more vulnerable.

Re:I wonder... (2, Insightful)

lordkuri (514498) | more than 9 years ago | (#13184601)

Would you similarly welcome the disclosure of a security flaw at your bank, hospital, etc. that granted access to your private/personal records?

Actually, yes I would. I'd much rather they fix or at least stopgap the issue instead of it sitting there wide open for all to see and/or exploit for months.

Re:I wonder... (0)

turnstyle (588788) | more than 9 years ago | (#13184640)

"Actually, yes I would. I'd much rather they fix or at least stopgap the issue instead of it sitting there wide open for all to see and/or exploit for months."

But it only became "wide open" with the public disclosure of exactly how to exploit it.

Re:I wonder... (4, Interesting)

n0-0p (325773) | more than 9 years ago | (#13184604)

That was true a few years ago, but it's rarely the case these days. Once you contact the correct people at the vendor they generally move fairly quickly to resolve the issue. Independent researchers can contact CERT and they'll handle all of this legwork for you and make sure you get the credit. Of course the patching process still takes time for development, porting across platforms, and regression testing. So you do have to cut the vendors some slack.

In the case of ISS there's almost no excuse for not getting some serious cooperation from the vendor. ISS has the weight and all the contacts they need to notify the vendors and get a fairly quick response. This was either an extreme circumstance, or Michael had another job lined up and he wanted to exit with a big splash. For that matter, he may have just made enough noise about his Blackhat presentation that he didn't want to have to pull it back.

On an entertaining side note, Blackhat actually reburned all the CD's and cut his section out of the convention notes. Cisco must have come down pretty heavy for them to pull such a strong CYA move.

Re:I wonder... (3, Insightful)

thogard (43403) | more than 9 years ago | (#13184621)

Months? There are outstanding issues on their 2900 switches that have been unfixed there for years.

I don't buy cisco gear anymore.

Re:I wonder... (5, Insightful)

xappax (876447) | more than 9 years ago | (#13184337)

Companies like Cisco, Microsoft, etc. are generally made to look really bad when security flaws are exposed in their products.

The way they prefer it to go is that someone contacts them secretly, tells them the hole, and they can have it fixed all up by the time the vulnerability is published.

Then they get to look super-secure, since they were "too quick" for the bad hackers.

Some people, however, think that the only thing that'll get companies to take security more seriously is if they are actually made to look really bad, and maybe some of their products actually get hacked.

Unfortunately, when you're dealing with some giant businesses cost/benefit analysis, the only thing that can get them to take notice is a little carnage.

Is it worth it? I dunno, but it's certainly arguable.

Re:I wonder... (4, Interesting)

Cereal Box (4286) | more than 9 years ago | (#13184489)

The way they prefer it to go is that someone contacts them secretly, tells them the hole, and they can have it fixed all up by the time the vulnerability is published.

Then they get to look super-secure, since they were "too quick" for the bad hackers.


... And this happens in the Open Source world too. Mozilla, for instance, has "classified" bugs, which are not opened up to the public until a fix (or whatever) is available. Take for instance, the Windows chrome:// bug from a few months to a year ago. They sat on it for over a year (and it was classified, of course), and didn't do anything until an exploit appeared in the wild. The fix was issued right away. "Too quick" for the hackers, indeed.

What I'm getting at is don't say that this sort of behavior is limited solely to closed source software. No one wants to have the pressure of handling a security fix WHILE an exploit is out in the wild. Would you rather have the opportunity to fix a security flaw while no one else (but the person who discovered it) knew about it, or would you prefer the person who discovered it announce it to the world and release an exploit first?

Re:I wonder... (1)

PepeGSay (847429) | more than 9 years ago | (#13184528)

"the only thing that can get them to take notice is a little carnage". That is what the COST analysis is for! You guys think Cisco has unlimited developers sitting in the wings to fix your problem of the week? They don't. They have to prioritize things. Some egotistical loser like this guy releases the info into the wild and all he does is *artificially* inflate the priority of an issue.

Using this type of logic Cisco should be spending all of its resources on finding only unidentified bugs, because one of those unidentified bugs has the possibility, no matter how remote, of actually ending the world.

Re:I wonder... (1)

DenDave (700621) | more than 9 years ago | (#13184537)

And think of the millions of customers who may now save big time because the exploit is out in the open and will be fixed quickly.

Nah, any serious person will see that disclosing risks is the only way to go. Hiding them just makes things dangerous, they don't go away.

Re:I wonder... (4, Insightful)

Tet (2721) | more than 9 years ago | (#13184340)

couldn't he at least have waited a few weeks to see how Cisco responds

Yes, he could. But then again, I suspect he already did. The traditional approach was to tell the vendor, and announce the flaw publicly 28 days later. That gave a vendor sufficient time to code and test a patch. However, many vendors (and Cisco seem to be particularly bad about this) sit on problems like this for several months and take no immediate action. I'd be far from surprised to hear Cisco were notified of this 3 months ago, hence Lynn's frustration and his decision to publicly talk about the flaw. I don't actually know what happened, and the above is just speculation. I suspect there's more than a grain of truth to it, though.

Re:I wonder... (3, Insightful)

leonmergen (807379) | more than 9 years ago | (#13184355)

Yes, he could. But then again, I suspect he already did.

From the article:

"The decision was made on Monday to pull the presentation because we wanted to make sure the research was fully baked."

In other words, the research was not even finished yet. Isn't that a little impatient, and might there be a little chance that the researcher in question would have liked the attention he would've gotten if he presented this information at Black Hat, which was part of why he made the decision to pull out the information anyway?

They Had Been Working on it for *4 Months*! (5, Informative)

Anonymous Coward | more than 9 years ago | (#13184399)

How long should it take?

http://blogs.washingtonpost.com/securityfix/2005/07/update_to_cisco.html [washingtonpost.com]

The injunctions filed against him state that ISS and Cisco had been working together on the flaw for the past four months, and that up until earlier this week, a Cisco executive was slated to co-present the findings with Lynn at Black Hat.

Re:They Had Been Working on it for *4 Months*! (1, Funny)

RegularFry (137639) | more than 9 years ago | (#13184493)

"Working with" might just mean that ISS told Cisco, and they said "Yeah... We're working on it. We'll get back to you on that."

Re:I wonder... (1, Interesting)

Anonymous Coward | more than 9 years ago | (#13184431)

When do you reckon the research would have been finished? Another few weeks? A couple of months? Why not give it a couple of years, just to be on the safe side...

What the hell do you expect them to say? "The decision was made on Monday to pull the presentation because it would make us look like morons caught with our pants down around our ankles...?"

Re:I wonder... (1)

Kirth (183) | more than 9 years ago | (#13184466)

... announce the flaw publicly 28 days later

No, that's not the "traditional" approach just because some security-companies seem to think 28 days might be "fair" or whatever. I'd go with a week, no more. And D.J.Bernstein considers immediate release to be the correct way.

Re:I wonder... (0)

Anonymous Coward | more than 9 years ago | (#13184358)

Why would anyone, after clearly being informed NOT to talk about this information, talk about this information?

Well, first amendment, Constitution, free speech, things like that.

And: Cisco says the problem is not a security vulnerability.

So, if it isn't a security problem, there is no reasonable requirement to wait for Cisco to prepare a fix before discussing it.

Re:I wonder... (4, Informative)

takkaria (782795) | more than 9 years ago | (#13184360)

He told them in April, according to BoingBoing [boingboing.net], and they still hadn't fixed the problem totally.

Re:I wonder... (3, Insightful)

Lumpy (12016) | more than 9 years ago | (#13184387)

Well, if you worked for the Secret Service and knew that the president was having young girls kidnapped so he could rape them, would you keep your mouth shut? It's about scruples. These flaws seriously bother this man to the point that he is willing to give up his career and life as he knows it to get the information out.

This means it is very big, probably one of those "one person can disable the whole net easily or snoop on all internet traffic without traceability" things.

I know of people that quit their jobs to blow the whistle, and these men and women need to be held up as the heroes of our time, as they are the ones who not only have lots more guts than the rest of us, but are certainly more driven to not violate their core values.

I commend this man; he should be looked up to.

Re:I wonder... (0)

Anonymous Coward | more than 9 years ago | (#13184397)

Because he's an honest human being and is not a "yes man"...

I respect him for it.

(Anyone that "kisses ass" like he was asked to is to put it bluntly, an ass-kissing 'yes man').

If CISCO can't get their shit together about security, which their routers are LARGELY about?

Then they ought to get out of the market... Am I being too 'unforgiving'? No, not anymore than anyone that busts on Windows is from the Linux/Unix/BSD camps!

APK

Re:I wonder... (1)

MECC (8478) | more than 9 years ago | (#13184471)

he at least have waited a few weeks to see how Cisco responds

He waited a few months. [washingtonpost.com]

Re:I wonder... (1)

hotbutteredhtml (613549) | more than 9 years ago | (#13184609)

"Why would anyone, after clearly being informed NOT to talk about this information, talk about this information ?"

The first rule about Cisco flaws, is NOT to talk about Cisco flaws!

Cisco has gone downhill recently (1)

lordkuri (514498) | more than 9 years ago | (#13184313)

Am I the only one that's noticed that Cisco has really gone downhill in the last few years? It seems that there have been more problems found in the last 2-3 years than ever. Besides, a "master password"??? What the hell are they thinking?

Re:Cisco has gone downhill recently (4, Insightful)

wikki (13091) | more than 9 years ago | (#13184342)

I must have missed the "master password" thing.

As far as Cisco going downhill, I don't really agree with that. Currently Cisco is expanding their product offerings into new unexplored territories such as IP Telephony. I have installed and supported several of these systems. As long as you follow their design, install, and support guidelines they are as robust and as problem-free as any other platform that I've worked with.

I think most people on Slashdot understand the complexities of the internet world. A minor change here can have a huge, unexpected impact across the network or application. However, if time-tested procedures for upgrades and testing are followed, nothing has really changed. I think what may be giving Cisco a bad name is all of the under-qualified people out there installing their systems. The MS world of patch it, reboot, and go about your business does not fly when your critical systems are involved.

Re:Cisco has gone downhill recently (4, Informative)

lordkuri (514498) | more than 9 years ago | (#13184350)

I must have missed the "master password" thing.

That was from a while back. They had set up a master "backdoor" password in a version of IOS and ended up getting ridiculed for it quite heavily.

Re:Cisco has gone downhill recently (0)

Anonymous Coward | more than 9 years ago | (#13184475)

I recently tried to purchase a Cisco router for my growing hosting business and Cisco could not seem to advise me on a solution. They even set me up with a sales rep that could not even help me and never called me back. I went with Netopia. I would say this is the direction Cisco is going. Like so many other companies they have gone to the land of "We are major players and no longer have to try". Router flaws, clueless sales staff, and bad ideas like purchasing a poor excuse for a home-based router company seem to be the big ideas at Cisco. Oh well. You would think Carly Fiorina had taken the helm.

Re:Cisco has gone downhill recently (1)

SgtChaireBourne (457691) | more than 9 years ago | (#13184518)

Probably not going downhill. They've never made great products. Good products, overpriced products, but not great.

Expectations are rising, however, and there is starting to be some competition in the router / switch market nowadays. Juniper is the first that comes to mind.

It's All Good... (5, Funny)

Cytlid (95255) | more than 9 years ago | (#13184318)

It's ok, really it is. Karl Rove gave him the information.

Re:It's All Good... (-1, Troll)

Anonymous Coward | more than 9 years ago | (#13184444)

Actually it is ok because Sandy Burger then destroyed the evidence.

Hmmm, perhaps he needs whistleblower protection? (4, Interesting)

meburke (736645) | more than 9 years ago | (#13184320)

As dependent as our economy is upon routers, and Cisco in particular, it seems that his disclosure was definitely in the public interest, and if he isn't entitled to whistleblower protection, we need to mount a campaign to get him protected. Write your Congressoid.

Re:Hmmm, perhaps he needs whistleblower protection (0)

Anonymous Coward | more than 9 years ago | (#13184361)

I *think* Cisco's gripe with this, is the bug could only be known by someone with access to the code. Hence their argument that it was illegal.
Just speculation...

Why? (4, Interesting)

MyNameIsFred (543994) | more than 9 years ago | (#13184363)

The articles cited are light on details. But nowhere do the articles suggest that Cisco was burying the flaw. In fact, the opposite is indicated. ISS and Cisco are apparently working on a fix. In my mind whistle blower protection is valid if the whistle blower is uncovering corruption. Which does not appear to be the case here. Based on the information presented, the system was working on the problem, he just wasn't happy with it.

Re:Why? (-1)

Anonymous Coward | more than 9 years ago | (#13184539)

They've been working on a fix for 4 months. How long should they get?

Re:Why? (2, Interesting)

Fenresulven (516459) | more than 9 years ago | (#13184559)

In fact, the opposite is indicated. ISS and Cisco are apparently working on a fix.

For four months... Come on, how long should he be required to wait?

Re:Hmmm, perhaps he needs whistleblower protection (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#13184364)

grow up

not applicable... (1, Informative)

John Seminal (698722) | more than 9 years ago | (#13184381)

You can't get whistleblower protection under these circumstances.

You could get protection if you come out and reveal your employer is a racist who told you he refuses to comply with the law and hire blacks, or fired women who got pregnant rather than give them the benefits the law requires.

I think this guy might go to jail for what he did.

Lynn is in danger of being sued by Cisco for revealing the information, details of which were pulled at the last minute from the materials handed out to Black Hat attendees

Of all the places to reveal the information, why give it to black hats? It is like going to a criminal convention and telling them how to turn off security cameras at one bank chain.

If someone used the information he handed out, this guy should be locked up, because he will be directly responsible for the damage that is caused.

Re:not applicable... (1)

NitsujTPU (19263) | more than 9 years ago | (#13184429)

You could get protection if you come out and reveal your employer is a racist who told you he refuses to comply with the law and hire blacks, or fired women who got pregnant rather than give them the benefits the law requires.

Yeah... your definition of whistleblower protection is a little bit too narrow mmmmmkay?

Whistleblower protection covers any number of criminal acts. Fortunately for most companies, having giant gaping security holes isn't illegal. However, whistleblower protection would also apply, for instance, in the case that you were working for an agency that was burying nuclear waste in a playground rather than a proper disposal channel.

Re:not applicable... (2, Informative)

lachlan76 (770870) | more than 9 years ago | (#13184490)

Umm you do know that Black Hat is a security conference? Mostly attended by security professionals?

Re:not applicable... (1)

amodm (876842) | more than 9 years ago | (#13184608)

You do know that Black Hat is one of the most respected security conferences, don't you? It's typically the security researchers who attend, not criminals. If this fact fails to ignite the filament of your head.......well, why would a criminal attend a widely publicized conference?

Re:Hmmm, perhaps he needs whistleblower protection (0, Redundant)

wikki (13091) | more than 9 years ago | (#13184384)

The whistleblower protection thing always seemed pretty silly to me. It's not like you are going to want to keep your job after you blow the lid on some company.

I guess it also has protections against possible legal action, but this guy doesn't sound like he's in any legal trouble.

Re:Hmmm, perhaps he needs whistleblower protection (2, Insightful)

soma_0806 (893202) | more than 9 years ago | (#13184389)

I agree that disclosure, in general, is clearly in the public interest, but this cannot always be the case.

We simply do not have enough details here to declare this disclosure "good" or "bad." Although Cisco is claiming the information was on vulnerabilities that have been fixed, that could be a PR move to stave off a stock plummet or put a stop to proliferation of the information to those that may want to use the vulnerability to bad ends.

We also can't be sure of what "fixed" truly means. How tested are these fixes? Are they complete fixes or do some variations on the vulnerabilities revealed still exist? The questions go on and on.

I'm all for protecting Whistleblowers, but only if they have done all they could to ensure that they are not causing more damage by revealing information that can still be used against current users. I'm not saying that this is clearly not the case here, only that we need more time before we declare this guy our champion.

Re:Hmmm, perhaps he needs whistleblower protection (1, Funny)

Anonymous Coward | more than 9 years ago | (#13184401)

Write your Congressoid.

Spelling! Did you mean Clowngressman?

Re:Hmmm, perhaps he needs whistleblower protection (-1)

Anonymous Coward | more than 9 years ago | (#13184614)

Write your Congressoid.

Write TO your Congressoid, write TO your Congressoid, you fucking illiterate piece of shit!!!!

new flaws (1)

lseltzer (311306) | more than 9 years ago | (#13184322)

Actually, one of the questions I have is how new the flaws really are. They have been patched, but how long ago? How much upgrading has been done? If it had been widely upgraded, I suppose Cisco would have less reason to fear disclosure.

Re:new flaws (5, Interesting)

megla (859600) | more than 9 years ago | (#13184339)

The thing is (from what the articles say) it's not about one particular flaw. It's that ANY overflow flaw can be exploited to take control of Cisco IOS, which is bad news. Add Cisco's plan to abstract the hardware from IOS and then you've got a major problem. Basically, it's about time Cisco implemented some form of DEP protection offered by current Intel and AMD processors + software, to prevent this from being an issue. Or check their bloody code, of course.

Re:new flaws (1)

SimilarityEngine (892055) | more than 9 years ago | (#13184467)

Basically, it's about time Cisco implemented some form of DEP protection ... Or check their bloody code, of course.

The latter, preferably. It is dangerous to rely on DEP alone (or rather, NX protection - DEP is M$ terminology). There is some info here [computerworld.com.au], where the following point is noted:

We ran the same test on a desktop with an AMD Athlon 64 processor and a laptop with a new Intel Pentium M chip, and the attack program got nowhere. This defense wasn't without its cost: Each time, the computer crashed as the attacking program tried to batter its way into the NX-protected neighborhood. A single buffer overflow should be blocked without incident by NX, but this barrage was too much.

So even with DEP/NX, it may still be possible to do a DoS attack, even if you can't gain control of the machine.

Re:new flaws (1)

Megane (129182) | more than 9 years ago | (#13184531)

Basically, it's about time Cisco implemented some form of DEP protection offered by current Intel and AMD processors + software, to prevent this from being an issue.

That's a nice thought, but most IOS platforms run on PowerPC, so what Intel and AMD have is rather irrelevant. (Not that PPC doesn't have something similar, of course.)

Re:new flaws (-1)

Anonymous Coward | more than 9 years ago | (#13184533)

The hardware flaw has NOT been fixed (nor can it be easily fixed without replacing the hardware), and no patch has been issued to prevent its use. RTFA.

Good.... (1)

Chineseyes (691744) | more than 9 years ago | (#13184323)

This man worked for a company and should have gone through the proper channels *BEFORE* just leaking the vulnerabilities. If he had taken this to Cisco and they told him to buzz off then I would have more sympathy for the guy, but this is just irresponsible and he deserves what he gets. There is a proper place to take vulnerabilities and that wasn't one of them.

Re:Good.... (1)

jav1231 (539129) | more than 9 years ago | (#13184333)

True, but I'm confused. Was Black Hat only made aware that Cisco/ISS didn't want this discussed and THEN started ripping the pages out? Or was Lynn under the impression that he could talk about this and there was a change of mind at the last minute? Not that he should or shouldn't have done what he did, but this might explain it.

Re:Good.... (3, Informative)

Kirth (183) | more than 9 years ago | (#13184499)

You're a prick. RTFA. He waited 4 (in words FOUR) months for Cisco to fix this until he finally made it public.

Re:Good.... (1)

RegularFry (137639) | more than 9 years ago | (#13184513)

More than that. As far as I can make out, this guy *was* the proper channel.

This could have been avoided by using apt-get (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#13184331)

It saddens me to see high profile networking equipment manufacturers like Cisco overlooking simple, open source solutions to overcome what are essentially highly avoidable security mistakes. Everybody knows that routers function by routing 'packets' of data from one network to another. It seems to me that apt-get, the premier 'packet management' software, could have been used, without incident. This would have saved Cisco considerable trouble, and been a boon to the embattled Debian software project.

I look forward to the community's response!

Re:This could have been avoided by using apt-get (4, Insightful)

tomstdenis (446163) | more than 9 years ago | (#13184376)

How do you apt-get hardware?

The point of buying a router is efficiency. Otherwise get a switch and a 386 running BSD or Linux... Having hardware move packets is almost certainly going to be faster (and more efficient) than having a general purpose processor do it.

That said you have firmware that controls the hardware which could be "apt-get" though in reality I'd rather see an open source firmware that was also provided as binary images you could just upload.

Do you really want some MCSE throw-back building a firmware image when they can hardly manage cmd.exe?

hehehee sick.

Tom

Re:This could have been avoided by using apt-get (2, Informative)

Anonymous Coward | more than 9 years ago | (#13184555)

The point of buying a router is efficiency. Otherwise get a switch and a 386 running BSD or Linux... Having hardware move packets is almost certainly going to be faster (and efficient) then having a general purpose processor do it.

What do you think a Cisco router is? Traditionally, an underpowered general purpose CPU running a somewhat-specialized operating system.

Unless you're talking about the "big boys" (Catalyst switches, Cisco 10000s, etc) switching is not done in hardware.

Re:This could have been avoided by using apt-get (1)

jlenn0n (235141) | more than 9 years ago | (#13184561)

The Cisco routers are no more than what you're suggesting anyway. The routers run on Motorola 68030s. Like your old Macintosh you threw out or use as a fishtank now.

They run code to route packets on a "general purpose processor." Kinda like your 386 with BSD, except without the bloated kernel.

If you want speed and efficiency, move to a Multilayer switch, where the decisions are done in ASICs.

Re:This could have been avoided by using apt-get (1)

tomstdenis (446163) | more than 9 years ago | (#13184635)

Then what's the point?

To be honest I'm not that much into "corporate networking". I think most small companies [200 people] can be easily served by commodity FutureShop equipment.

In the case of where I work we have a 24 port switch, a dedicated bind/etc server and a linksys router plugged into a DSL. It works well for all of us here and we routinely traffic data efficiently from one box to another [e.g. to send stuff to the lab].

Tom

Re:This could have been avoided by using apt-get (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#13184394)

I look forward to the community's response!

Your a fuck tard. When will people understand that not every single thing can be solved with Open Source. Open Source may have a solution for a company, but it's not always the route that companies want to take. Sometimes they *want* to have their own stuff so that they have full control over it (IP and everything attached).

Re:This could have been avoided by using apt-get (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#13184416)

Your a fuck tard.

I believe you're missing an apostrophe. So I guess you're the fucktard.

By the way, you just got trolled fucking big time, cockbiter. Debian Troll's Best rides again. I still got it.

INCOMING CLUE ASSISTANCE (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#13184453)

GP was funny. Laugh.

Before I cry.

Cisco themselves said it was not a new flaw (5, Insightful)

EmagGeek (574360) | more than 9 years ago | (#13184336)

In TFA, Cisco themselves said that he did not disclose any new vulnerabilities... so... what is the BFD?

Later, Cisco said it was all bent out of shape because they follow an "industry established disclosure process" and because Mr. Lynn "illegally" obtained the information...

Hey, Cisco, I have news for you. "Industry established disclosure process" != "Law"

Get over yourselves, admit that you're a bunch of fuckups that can't make secure networking equipment, and move along..

Re:Cisco themselves said it was not a new flaw (0)

Anonymous Coward | more than 9 years ago | (#13184373)

It was probably "illegally" obtained as ISS is contracted by Cisco to provide security testing and research under contracts and non-disclosure agreements. Hence using information learned through this process without permission from Cisco most definitely would come under the banner of "illegally obtained".

Re:Cisco themselves said it was not a new flaw (1)

'nother poster (700681) | more than 9 years ago | (#13184536)

It would have been legally obtained, but illegally disclosed in that case. Note the thing is called a "Non Disclosure", not a "Non Obtainment", agreement.

(Not a lawyer and all that. Just working from my time in grade-school English.)

Re:Cisco themselves said it was not a new flaw (3, Interesting)

Joehonkie (665142) | more than 9 years ago | (#13184410)

Where does it at all apply that the one follows from the other? Presumably they are saying that he was involved in confidential research into the flaws and was not supposed to make any statement on his own. His simply quitting the company does not remove his obligations. He was not some outside agent who found out about this flaw independently and cannot be expected to be treated as such.

Re:Cisco themselves said it was not a new flaw (2, Informative)

wild_berry (448019) | more than 9 years ago | (#13184494)

The latest update (here [washingtonpost.com], but expect more updates at http://blogs.washingtonpost.com/securityfix/ [washingtonpost.com]) says that he "is said to have illegally reverse-engineered Cisco source code" (why bother reverse-engineering sources?*) to discover the vulnerability and that Cisco and ISS had four months of work in progress on the issue before this presentation.

He may have misused information from his former job at ISS and be operating outside the bounds of what his ISS employee contract allowed him to do.

*: I can see how, if the source code contains hash numbers which are generated elsewhere and need cracking, there would be reverse-engineering of the source code. If it was recovering the source code from a compiled binary, why not say so? If breaking the DMCA by decompiling an encrypted binary, why not tell us?

A 5 letter word for ... (0, Flamebait)

Anonymous Coward | more than 9 years ago | (#13184379)

CISCO - Cr4ppy Internet Security COde

Re:A 5 letter word for ... (0, Insightful)

Anonymous Coward | more than 9 years ago | (#13184535)

CiscoIsSCO?

Contact for Cisco's Point man on this (3, Informative)

putko (753330) | more than 9 years ago | (#13184400)

Our friend Mojgan Khalili is the Cisco employee mentioned in the article, who said the security researcher broke the law -- "It is especially regretful, and indefensible, that the Black Hat Conference organizers have given Mr. Lynn a platform to publicly disseminate the information he illegally obtained."

If you'd like to write to Mojgan and say that you don't like their attitude toward full disclosure, or their attack on the guy who's working hard to make things secure, here is his information.

If nothing else, you could ask him "what law did the guy break, biatch!?!"

Mojgan Khalili
Cisco Systems, Inc.
978-936-1297
mkhalili@cisco.com

THAT WOULD BE VERY HARD! (0, Funny)

Anonymous Coward | more than 9 years ago | (#13184455)

"he" is a woman, and we nerds have a hard time talking to those :(

Mod Parent Down! (1, Insightful)

Anonymous Coward | more than 9 years ago | (#13184477)

Calling for personal attacks and then giving out the person's personal number in a public forum is not appropriate to Slashdot.

Re:Contact for Cisco's Point man on this (0)

Anonymous Coward | more than 9 years ago | (#13184501)

I just used Tor to mailbomb that idiot with hundreds of thousands of messages demanding that they drop the lawsuit and apologize publicly by the end of the day.

The whole community is behind you Michael, if they don't drop the lawsuit, then I suggest that nobody buys cisco no more.

Information wants to be free, but somebody has to free it!

Re:Contact for Cisco's Point man on this (2, Funny)

aussie_a (778472) | more than 9 years ago | (#13184505)

Dear Mr Slashdotter,

I represent our friend Mojgan Khalili who has recently come into some large sums of money. It turns out that CISCO has been paid by many Blackhatters to leave security vulnerabilities in their software. I am unable to have the money in my account as I am currently on the board of directors, but I feel terrible over what my company has been doing.

I request that you allow me to transfer the money to your account, so that it may eventually be transferred to Michael Lynn's account. For your troubles, I am willing to give you 10% of the five million dollars (U.S.). This is negotiable if this does not meet your satisfaction.

Yours truly
Former ambassador of Nig^H^H^H^H^H^H^H^H^H^H^H
Mojgan Khalili's friend.

C'mon, editors. At least scan the article. (2, Funny)

ki4iib (902605) | more than 9 years ago | (#13184403)

I know, I know. Mod me redundant. This is slashdot. The editors are on crack. Who Rs TFing A? But really. Not a security flaw? No, Cisco said it wasn't a NEW security flaw, but an extension of older ones. There's kind of a difference between "Not" and "Older-but-born-again". Mod me into oblivion now.

Responsible Behavior? (5, Insightful)

Cmdr. Marille (189584) | more than 9 years ago | (#13184407)

I can't help but wonder if this is in the end really about gaining some publicity and in the end making more money.

Cisco is actually very upfront and cooperative when you report things which might be a vulnerability (I have personally dealt with PSIRT). The people who work there are actually so polite, it's kind of annoying (I have been thanked about 2 dozen times for reporting a very minor finding).

They do however expect you to play by the rules. Even if you are the person who found a bug, you are expected to let engineers fix the bug before you release the information.
Also, there is a policy in place which makes sure major ISPs (carriers) are informed first, so they can do upgrades before the PSIRT release is made public.

All that makes sense, since we are really talking about essential infrastructure.

Of course, all that kind of takes away the coolness of reporting a vulnerability and you will get a lot less publicity (Cisco credits you) than what you would get if you just post to some mailing list.

If he really released information he researched at ISS without consent, well, he should face consequences. Because he obviously was to gain from it (getting a new job, making a name for himself). Hopefully he wasn't just doing it for the publicity.

Re:Responsible Behavior? (0)

Anonymous Coward | more than 9 years ago | (#13184476)

+1 On Target

Let me say I'm totally in favor of free disclosure, unless there's a personal motive involved. I think it's great he found a bug, and a serious one at that. But large companies with a huge customer-base can't just flip a 0day (weeker, etc.) bug around at the same speed we can report them. Plus the consequences have to be considered. "If I go public with this next week, will it take down an internet backbone? Yeah, maybe."
I'm guessing Cisco was still getting their customer base updated with the fix and he was miffed he didn't get his public kudos. So he quit his job and went public anyway. Totally irresponsible, IMHO.

Good-bye cisca (-1, Troll)

Anonymous Coward | more than 9 years ago | (#13184414)

Hello Juniper.

Read between the lines (5, Insightful)

Overzeetop (214511) | more than 9 years ago | (#13184427)

Okay, this sounds pretty simple. Michael Lynn finds a (new) exploit of Cisco routers and it's a doozy. He informs ISS, who informs Cisco. Cisco management can't believe that such a serious flaw exists, since they've known about the possibility, but it's been written off as minor in the past. Lynn presses his case to his supers, and they get down and dirty with Cisco. Cisco craps its pants because the flaw is everywhere, and it's going to cost real money to fix, and could hurt company Q results.

Cisco agrees with ISS that they're going to do something about it, but it's going to take a bunch of research and time. They'll keep it quiet for a few years while they put the fix in the pipeline for new models. They'll work on a firmware fix, but it's back-burner as long as the exploit isn't public. If ISS keeps its mouth shut, they can still do work for Cisco.

Lynn hears that his research is to be hush-hush, and that Cisco will work on it, but it could be a while before there's an actual patch. No arguing that the flaw is critical will make ISS management, with a financial gun to its head, budge.

Lynn flips ISS the bird, 'cause he thinks it's a major security issue, and presents his research anyway. Cisco and ISS claim they're working on it, and that it's an old flaw, and nothing really serious. And they're quietly looking for a man to fit Lynn with concrete shoes for blowing their cover.

Seems pretty clear to me.

Can't wait till car makers catch on to this (1, Insightful)

Anonymous Coward | more than 9 years ago | (#13184448)

Should a security problem be made public? Should it not? If you were driving a car that really needed to be recalled - wouldn't you want to know about it?

Already some industries are copying the ridiculous EULAs the computer industry has come up with.

How long before other companies with something to hide start screaming about trade secrets, etc. to shut someone up?

Re:Can't wait till car makers catch on to this (1)

achilstone (671328) | more than 9 years ago | (#13184519)

Yes, finally most car makers install deadlocks and engine immobilisers as standard; it took them years of people complaining about lack of security before they finally did something about it. I wonder how long it will take Cisco?

The land of the free or fee? (1)

Ice Tiger (10883) | more than 9 years ago | (#13184462)

So he discloses a vulnerability in a product and faces legal action? What kind of reaction is this?

Re:The land of the free or fee? (1)

Digital Warfare (746982) | more than 9 years ago | (#13184470)

A desperate one, it would seem.

Existing security vulnerabilities? (4, Insightful)

Saggi (462624) | more than 9 years ago | (#13184472)

Contradiction?

Quote: "It is important to note that the information Mr. Lynn presented was not a disclosure of a new vulnerability or a flaw with Cisco IOS software. Mr. Lynn's research explores possible ways to expand exploitations of existing security vulnerabilities impacting routers."

Quote: "... Mr. Lynn a platform to publicly disseminate the information he illegally obtained."

If his research regards known and existing vulnerabilities, how could they be illegally obtained? This can only happen if Cisco sits on the vulnerabilities for some time. If this is the case it's a poor excuse by Cisco to state that it's not a new vulnerability.

In my humble opinion it's new when first made public. ... and I can never find out why people can get sued for disclosure of something dangerous to a lot of customers.

If I use their routers I would like to know if they can be hacked. If they can get hacked I would like the opportunity to take them offline if I need to protect my business.

If I don't have that opportunity - and I lose data/values/etc due to an attack, I'll have to hold Cisco responsible.

Full Disclosure (3, Insightful)

miffo.swe (547642) | more than 9 years ago | (#13184480)

I don't believe in keeping an exploit away from the public until the vendor gets his thumbs out of the dark place that smells funny. First of all I really think much more work needs to be put into securing the systems before they are released; this includes various Linux vendors. It's insane today with the user being the Q&A and security department for the vendors.

Full disclosure is a nice cushion for people who really didn't do their job in the first place. It doesn't in any way help the users. Before the exploit is released publicly you can bet your backside it's used for company spying and other shoddy activities.

A company shouldn't be afraid of scriptkiddies; they're harmless compared to their competitors armed with their most secret info. Full disclosure makes it possible for a company to at least try to mitigate that threat. Other disclosure puts them at the whims of the vendors.

Lawsuit? Lynn says "bring it on" (4, Interesting)

kriegsman (55737) | more than 9 years ago | (#13184506)

From today's Wall Street Journal:
When Mr. Lynn took the stage yesterday, he was introduced as speaking on a different topic, eliciting boos. But those turned to cheers when he asked, "Who wants to hear about Cisco?" As he got started, Mr. Lynn said, "What I just did means I'm about to get sued by Cisco and ISS. Not to put too fine a point on it, but bring it on."
Somehow, I suspect he's going to get what he asked for.

-Mark

Re:Lawsuit? Lynn says "bring it on" (1)

tomstdenis (446163) | more than 9 years ago | (#13184540)

I've long booed the EFF but if the picture I'm getting here is correct I'd gladly donate some money to aid in his defense [or settlement].

That is of course, provided that he at least tried the normal avenues. Under NDA means you're under NDA. Whistleblowing is only possible after management has ignored you.

If he just jumped the gun and released the info publicly he deserves to get sued. Think about it. If every employee who was slightly upset just decided to walk off with trade secrets there would be no competition.

Fuck, why not have Intel/AMD picnics? Granted I'd think that would be cool [as far as technology goes] it would also totally ruin the companies...

I'm sure we haven't heard the last of this story.

Tom

Surely a decent way of resolving these issues (2, Interesting)

goldcd (587052) | more than 9 years ago | (#13184508)

that would keep all parties happy, is a modification of the current craze for bug-bounties.
Flaw is reported, accepted and cash is paid on a daily/weekly basis until the issue is resolved.
Submitters would get more for a complex bug that involves more work to fix, and they can happily keep their gobs shut from announcing the problem as they're getting paid to be quiet.
Just a thought..

creators resigned to disempowering unprecedented (1)

already_gone (848753) | more than 9 years ago | (#13184521)

evile.

it would appear as though they've had their fill of yOUR greed/fear/ego based life0cidal nonsense. not a big surprise to many of US.

although evile may holding many of US hostage under some corepirate nazi pr ?firm? concocted, greed/fear/ego based hypenosys, most of US will come to yOUR senses before, during, or after the big flash occurs.

for each of the creators' innocents harmed, there is a debt that must/will be repaid by you/us, as the perpetrators/minions of unprecedented evile, will not be available.

vote with (what's left in) yOUR wallet. help bring an end to unprecedented evile's manifestation through yOUR owned felonious corepirate nazi life0cidal glowbull warmongering execrable.

some of US should consider ourselves very fortunate to be among those scheduled to survive after the big flash/implementation of the creators' wwwildly popular planet/population rescue initiative/mandate.

it's right in the manual, 'world without end', etc....

as we all ?know?, change is inevitable, & denying/ignoring gravity, logic, morality, etc..., is only possible, on a temporary basis.

concern about the course of events that will occur should the corepirate nazi life0cidal execrable fail to be intervened upon is in order.

'do not be dismayed' (also from the manual). however, it's ok/recommended, to not attempt to live under/accept, fauxking nazi felon greed/fear/ego based pr ?firm? scriptdead mindphuking hypenosys.

consult with/trust in yOUR creators. providing more than enough of everything for everyone (without any distracting/spiritdead personal gain motives), whilst badtolling unprecedented evile, using an unlimited supply of newclear power, since/until forever. see you there?

"If my people, which are called by my name, shall humble themselves, and pray, and seek my face, and turn from their wicked ways; then will I hear from heaven, and will forgive their sin, and will heal their land."

Nothing to worry about (3, Funny)

Dachannien (617929) | more than 9 years ago | (#13184524)

Let the Cisco network defend itself. Just like on 24. [infoworld.com]

OK well lets see: (1)

tod_miller (792541) | more than 9 years ago | (#13184541)

Cisco says the the problem is not a security vulnerability

and...

Cisco and ISS are filing a law suit against Michael Lynn and the management of the Black Hat Conference, following Lynn's presentation discussing a vulnerability in IOS

Surely the defense would be: Your honour, obviously there was no vulnerability in the beginning, because look, Cisco said themselves that the ability to take over the router, and sniff for pr0n on the network, is a feature, not a vulnerability!

Of course, he is write, Cisco suing him for disclosing a vulnerability means it was a vulnerability, and therefore this would be like suing someone for saying something TRUE about you (or a politician, who are ripe targets).

So are they suing him for saying it was a vulnerability, or for disclosing the vulnerability? Assholes, gotta love large over-hyped bitch corps.

Dyslexia (well I dont have it, but...) (1)

tod_miller (792541) | more than 9 years ago | (#13184565)

We all have it - I was typing "right", while thinking about a different possible branch of that sentence that contained the verb "write".

I suck

The Wash. Post had the heads-up yesterday (1)

museumpeace (735109) | more than 9 years ago | (#13184547)

, hours before anyone else would publish... they just didn't have the whole story.

Which is probably why Slashdot didn't post my version yesterday [slashdot.org].

update:The Wash. Post had the heads-up yesterday (1)

museumpeace (735109) | more than 9 years ago | (#13184639)

WaPo has a copy of the Cisco/ISS restraining order against Lynn:
In the order, which was jointly filed by ISS and Cisco, Lynn is said to have illegally reverse-engineered Cisco source code and that he stands to profit from this research. A copy of the document, obtained by washingtonpost.com, reads: "Cisco believes that Lynn is also disclosing ISS and Cisco proprietary information outside of the context of a formal presentation as well."

Just what did all these parties think Black Hat Con was about anyway, if not to expose vulnerabilities?

Flash upgradable = NOT impervious to remote execs (0)

Anonymous Coward | more than 9 years ago | (#13184562)

"...Cisco's IOS, the operating system that runs the San Jose, Calif.-based networking giant's routers, has been perceived as impervious to remote execution of arbitrary code from stack and heap overflows, the agenda said..."

Anything that is flash upgradable and networked can be attacked. Anyone who says anything else is either working in marketing or lacks knowledge.

Sued for what?! (1)

MirrororriM (801308) | more than 9 years ago | (#13184607)

Yeah, he explained a vulnerability on Cisco equipment and he works for a security firm. What I don't understand is did he sign anything stating he wouldn't spout out the information?

Well, if he didn't sign anything and can get sued, then I guess that I could get in trouble for telling people about astalavista.box.sk right? Just because you speak about a vulnerability (or other questionable content), it doesn't mean you are responsible for the malicious assholes that abuse it. The abusers are responsible for their own actions.

I'm not saying that I agree with the fact that he told a large group of black hats about a Cisco vulnerability, but legally, what did he do wrong?
