
Lynn Settles With Cisco, Investigated By FBI

Zonk posted more than 9 years ago | from the bad-friday dept.

Security 357

Following up on yesterday's story, daria42 writes "Security researcher Michael Lynn has settled a dispute with Cisco over his presentation on hacking the company's routers, which was given at the Black Hat security conference in Las Vegas this week. The two parties and Black Hat organisers have agreed not to further discuss the presentation, which contained techniques Lynn said could bring the Internet to its knees." Not all is good news, though. jzeejunk writes "The FBI is investigating computer security researcher Michael Lynn for criminal conduct after he revealed that critical routers supporting the internet and many networks have a serious software flaw that could allow someone to crash or take control of them."


No good deed goes unpunished. (3, Insightful)

TripMaster Monkey (862126) | more than 9 years ago | (#13197389)

What a load of horseshit. Lynn follows his conscience and speaks up about Cisco's security vulnerabilities, and not only is he severely slapped down by this permanent injunction (which I don't consider 'good news' in any sense), but now the FBI has decided to get involved. It'll be chilling to watch them pull his life apart and examine each bit under a microscope over months or years.

Lynn exposed a serious security flaw that could have been used to compromise networks throughout the nation. Cisco should be rewarding him for protecting them against losses they would no doubt have experienced in the future if this flaw went unreported. As for the government, they should be pinning a medal on Lynn, not investigating him.

Re:No good deed goes unpunished. (5, Insightful)

Stevix (861756) | more than 9 years ago | (#13197452)

the issue is also about how he reported the flaw, not just that he did. Cisco has its own vulnerability submission protocols in house, but he instead showed his findings at a Black Hat conference, exposing it to any savvy hacker willing to act on them.

Re:No good deed goes unpunished. (4, Interesting)

wfberg (24378) | more than 9 years ago | (#13197617)

the issue is also about how he reported the flaw, not just that he did. Cisco has its own vulnerability submission protocols in house, but he instead showed his findings at a Black Hat conference, exposing it to any savvy hacker willing to act on them.

Yes, and this is exactly why the FBI should get involved! The army has stringent oversight procedures for this sort of thing, and to reveal flaws in top-secret installations without even going up the chain of command is tantamount to treason!

Oh wait. The dude isn't in the army. Or in government. Actually, his former employer settled the case. So the overriding federal government interest in this is...? Why, you might be forgiven to think "nothing at all, in fact, this sort of thing is precisely why such liberties as freedom of the press exist; even though this is a lone individual, surely some type of whistle-blower protection would exist that covers this, otherwise the public would never be made aware of critical flaws in the nation's privately-owned infrastructure until it was too late!"

But apparently, you'd be wrong. You see, by merely mentioning, without even going into much specifics, that it might be possible for someone else to exploit a flaw in Cisco's equipment, this guy has clearly committed a thought-crime. That's because warning people about security flaws is exactly the same as instructing people in cyberwarfare, and issuing commands to them to act on your behalf to bring down Western Civilization as we know it. You see, no difference there at all.

Of course, this is also why trains never run on time. If the published time tables were accurate, the railways would get prosecuted by the FBI for inviting people to commit suicide by throwing themselves in front of the 18:02 train. Bet you didn't know that!

Re:No good deed goes unpunished. (1, Insightful)

IAmTheDave (746256) | more than 9 years ago | (#13197456)

We forget that if the Bush administration has taught us anything, it's that secret is better. The FBI will investigate any leaking of information, because information is not to be shared with the masses. God forbid. I am TOTALLY reporting your ass to the thought police.

Re:No good deed goes unpunished. (0)

Anonymous Coward | more than 9 years ago | (#13197540)

This would be happening, Bush or no Bush.

Re:No good deed goes unpunished. (1, Insightful)

Anonymous Coward | more than 9 years ago | (#13197660)

We forget that if the Bush administration has taught us anything, it's that secret is better.

Unless, of course, you [wikipedia.org] happen to work for the CIA as an undercover agent. Then, Bush Co. will out your ass at the drop of a dime.

Re:No good deed goes unpunished. (4, Insightful)

daveschroeder (516195) | more than 9 years ago | (#13197518)

Actually, the FBI has not "decided" to get involved. Lynn's own lawyer says she believes the FBI is merely following up on a complaint that it received from either Cisco or ISS before the settlement was reached. In other words, Cisco or ISS may have been (inappropriately or not, depending on your stand on trade secrets) attempting to silence Lynn, but the FBI wasn't just doing this on its own. Is the FBI not supposed to investigate allegations of crime? The FBI doesn't even know whether a crime has been committed.

Further, Lynn himself admitted that the vulnerability had already been patched by a Cisco update. Lynn's issue is that he didn't believe Cisco presented the vulnerability (or its patch) in an urgent enough fashion.

And "the government" isn't doing anything save for investigating an allegation of a crime, as it is charged with doing when it receives a complaint. Should the police no longer respond when 911 is dialed unless it's absolutely certain a crime is being committed? Is this not what "investigation" is for? Sorry, I don't buy into the conspiracies.

Re:No good deed goes unpunished. (4, Informative)

cpeikert (9457) | more than 9 years ago | (#13197728)

Further, Lynn himself admitted that the vulnerability had already been patched by a Cisco update.

One specific buffer overflow vulnerability was patched. But Lynn's presentation was a general approach to exploit any buffer overflow, with dire consequences. There is likely more exploitable code inside those routers; it's just a matter of time before some is found. At that point Lynn's attack could be executed.

Re:No good deed goes unpunished. (-1)

Anonymous Coward | more than 9 years ago | (#13197522)

Good. Dirty hacker got what he deserved. Maybe this will be a lesson to the next punk who decides to mess with the best networking company in the world.

Re:No good deed goes unpunished. (0)

Anonymous Coward | more than 9 years ago | (#13197717)

The guy could have done some real damage with what he found, so don't knock him; others would have really done some damage. Best networking company??? haha, not according to what he found.

Re:No good deed goes unpunished. (3, Insightful)

James_Aguilar (890772) | more than 9 years ago | (#13197631)

Well, first of all, it's not "undoubted" that Cisco would have experienced losses if the flaw had gone unreported. According to them, they were busy fixing it, and though I know we hate to listen to the big evil corporations, there is the slightest possibility that they weren't lying.

Second, it's Cisco's right to do what they want with his research, since he did *break the law* in order to release it ( decompiling code + license agreement -> ?=( ). Following your conscience (in a way that was by some reports rash and poorly thought out) does not necessarily give you immunity from the consequences of your action.

As a security researcher, he, of all people, should know the high stakes in that game. It's not like either Cisco's or the FBI's actions couldn't have been anticipated by anyone who thought the whole thing through to its logical conclusion. Hopefully, he had prepared himself for the inevitable results of his actions before he took them. Otherwise, I feel really bad for him.

Re:No good deed goes unpunished. (1)

Clockwurk (577966) | more than 9 years ago | (#13197713)

Cisco should be rewarding him for protecting them against losses they would no doubt have experienced in the future if this flaw went unreported.

If the project is open source, there should be a push to have the flaw (and technical details) examined by the largest number of eyes possible (so that they can develop fixes).

If the software is closed source, the only person that can fix the flaw is the vendor and giving presentations to a bunch of hackers about exploiting the vulnerability doesn't seem very responsible.

The real issue is... (5, Informative)

maotx (765127) | more than 9 years ago | (#13197392)

The real issue at hand, at least with Cisco router owners, is not the fact that Lynn released information concerning the exploit, but the fact that Cisco would not tell [wired.com] anyone about it. Time and time again has shown how security through obscurity is not real security, especially when Cisco's source code had been stolen. [slashdot.org]

The reality of it is that Cisco fixed the exploit last April with a patch and no longer offers the vulnerable IOS for download on their site. The problem with that, though, is that they did not inform anyone what the patch fixed and who needed to download it. Most people who are vulnerable to this attack are those who have not updated to Cisco's version as of April (which are a few, I'm sure. No point in upgrading a working system with a patch that could break you.)

The real problem is Cisco and their disregard for releasing information about a severe vulnerability in order to press forward their new OS next year.

There is a range... (3, Insightful)

daveschroeder (516195) | more than 9 years ago | (#13197608)

...between "security through obscurity" and attempting to hide vulnerabilities, and broadcasting security issues as loudly as possible at public forums.

Both are harmful, and neither benefits security optimally.

As with most things, the most beneficial position is usually a balance between extremes.

Bummer (2, Insightful)

Kyrka (20144) | more than 9 years ago | (#13197397)

Needs to be spread if we're to expect cisco to fix it.

LINK TO TRANSCRIPT! (0)

Anonymous Coward | more than 9 years ago | (#13197748)

Does anyone have a link to the transcript/slides/video/audio of the presentation? If so, please post below!

I hope they nail him to the wall! (-1, Troll)

donleyp (745680) | more than 9 years ago | (#13197410)

And before everybody starts yelling about the need for these things to be reported, there are channels he could have gone through that would have made Cisco aware of the problem (if they weren't already) without endangering the safety of the nation's network by talking to a bunch of black hats!

Re:I hope they nail him to the wall! (1)

Kyrka (20144) | more than 9 years ago | (#13197419)

Because [insert deity of choice] knows this has been uber-effective so far.

Re:I hope they nail him to the wall! (1)

donleyp (745680) | more than 9 years ago | (#13197492)

If it weren't at least somewhat effective the Internet wouldn't even exist because the black hats would pwn everyone's machines.

Re:I hope they nail him to the wall! (2, Insightful)

donleyp (745680) | more than 9 years ago | (#13197451)

Also, if Cisco did know about it and kept it under wraps while they worked on the problem I call that common sense not secrecy. How would you like it if someone posted a sign on your street giving the code to your alarm system or garage door opener?

Re:I hope they nail him to the wall! (1, Insightful)

Anonymous Coward | more than 9 years ago | (#13197500)

The problem isn't that Cisco hadn't fixed this problem. They did, months ago. BUT, they didn't tell anyone what their patch fixed, so there are people out there running old versions because they don't know that the patch is CRITICAL to their security, mostly out of fear of munging their network up with a new IOS version.

Re:I hope they nail him to the wall! (1)

donleyp (745680) | more than 9 years ago | (#13197554)

Are you saying that they didn't strongly urge customers to install the patch? I can't get into their download site without a password, so I can't verify your statement one way or the other. Please support it.

Re:I hope they nail him to the wall! (0)

Anonymous Coward | more than 9 years ago | (#13197595)

Or you could get off your ass and get a password. It isn't hard, fill out the form. If it is that interesting to you, go look it up, don't try to make someone else do it for you.

Lazy.

Re:I hope they nail him to the wall! (0)

Anonymous Coward | more than 9 years ago | (#13197647)

He's the one who made the statement. He should support it.

Coward.

Re:I hope they nail him to the wall! (1)

Triumph The Insult C (586706) | more than 9 years ago | (#13197579)

How would you like it if someone posted a sign on your street giving the code to your alarm system or garage door opener?

i would feel "oh shit. i better fix that now"

Re:I hope they nail him to the wall! (3, Interesting)

dj_cel (744926) | more than 9 years ago | (#13197471)

No, sometimes this is the only way to make progress. Companies (more appropriately managers) are content to live in the dark on security issues instead of dealing with them. In my experience, money is the only concern in respect to most PHBs, and the only way to make a change is to expose it in a critical manner. I applaud this guy.

Re:I hope they nail him to the wall! (4, Insightful)

maotx (765127) | more than 9 years ago | (#13197507)

there are channels he could have gone through that would have made Cisco aware of the problem (if they weren't already) without endangering the safety of the nation's network by talking to a bunch of black hats!

Two things:
First, Cisco was already aware of the problem and had released a patch for it last April.

Second, Black Hat is not about blackhats. It is about security and is visited by some of the most renowned security professionals, including ranking officials in the CIA, NSA, and other three-letter agencies.

Re:I hope they nail him to the wall! (4, Insightful)

LurkerXXX (667952) | more than 9 years ago | (#13197513)

He did inform them. Many months ago. They've had a fix out for 3 months for part of the problem he pointed out. They haven't fixed the rest yet. He went through the right channels. They haven't fixed it yet. There have been many, many examples with them, Microsoft, and even recently Mozilla, where bugs were reported and the vendor took over a year to finally get around to fixing the problem. And that was only after the problem had been 'leaked' to the public.

The hole exists. Sometimes it takes shouting about it to get it fixed. He gave them time. Whether you think 3+ months is enough time is a debatable point. But he DID notify them through channels.

Re:I hope they nail him to the wall! (4, Insightful)

99BottlesOfBeerInMyF (813746) | more than 9 years ago | (#13197525)

before everybody starts yelling about the need for these things to be reported, there are channels he could have gone through that would have made Cisco aware of the problem

Cisco was aware, in fact they were originally supposed to be co-presenting with him. Lynn contacted them four months ago. The problem is many of their customers were not aware of the problem, and despite reports to the contrary, while the exploit used to get onto the system has been fixed for a while, the ability to run arbitrary code has not. Now Cisco is working to abstract their hardware layer. Put these two items together and you get new routers, with a flaw, where a single, generic exploit can take them all out.

I know a lot less about networking and networking security than Mr. Lynn. I am willing to believe, however, that he would not give up a good, paying job and risk his future employment prospects unless he felt that this was a real and serious risk. Whistleblowers need to be protected and companies that willfully disregard warnings that their incompetence is threatening vital business and communications infrastructure around the world are the ones who should be investigated, not Mr. Lynn.

Re:I hope they nail him to the wall! (1)

donleyp (745680) | more than 9 years ago | (#13197596)

Why didn't he blow the whistle to the US-CERT, then? Yeah, this is a good idea, let's present it at a Black Hat convention. Jeez

Re:I hope they nail him to the wall! (2, Informative)

99BottlesOfBeerInMyF (813746) | more than 9 years ago | (#13197707)

Why didn't he blow the whistle to the US-CERT, then? Yeah, this is a good idea, let's present it at a Black Hat convention. Jeez

Do you have any idea who is at Black Hat these days? It is a huge security convention sponsored by hundreds of major computer and security vendors, even Microsoft is a sponsor. Heck the Department of Defense, the Army, West Point, Stanford Law School, etc. all had people giving presentations. If you want to get the word out when a major threat is being ignored, blackhat is a pretty good place to do it. It seems to have worked, don't you think?

Re:I hope they nail him to the wall! (1)

dgatwood (11270) | more than 9 years ago | (#13197721)

It's not -a- black hat conference. It's -the- Black Hat USA conference. It's a (quite expensive) conference designed to train security professionals on issues relevant to securing the nation's network infrastructure.

More information here [blackhat.com] . Blowing the whistle here is roughly equivalent to sending the info to US-CERT except that US-CERT probably doesn't allow whistle-blowing against a vendor....

BS (5, Insightful)

Anonymous Coward | more than 9 years ago | (#13197417)

Again... how is this "illegal"? When Ford sold the Pintos that blew up when rear-ended, were the mechanics and insurance agents who brought it to the light of the public sued? If you make a faulty design, you shouldn't have grounds to sue anyone who points it out. It's your own fault and no one else's. I didn't see the guy who figured out you could open all those bike locks with a Bic pen going to prison or being investigated by the FBI...

It may or may not be illegal (2, Interesting)

Infonaut (96956) | more than 9 years ago | (#13197580)

Again... how is this "illegal".

The FBI is most likely investigating to determine whether there is a case against Lynn. If they find something in the DMCA [wikipedia.org] that he has run afoul of, most likely they'll prosecute.

I've been writing letters to my Congressman and Senators about the DMCA for some time, but they're not listening. Until we can get legislators in office who actually understand how the DMCA casts a chill on issues like the Lynn fiasco, this sort of thing will continue.

My feeling is that unfortunately this just isn't a big enough issue on Joe Citizen's radar. There's a war in Iraq, the government is spending money like it's going out of style, there are disagreements over almost every social issue imaginable, and that monster SUV he bought last year now costs him $85/week to fill up. Some computer guy revealing Cisco vulnerabilities isn't high on his list, so it won't be high on his legislators' lists either.

Re:BS (1, Insightful)

cp5i6 (544080) | more than 9 years ago | (#13197602)

Just the nature of the contract he signed when he took a job with Cisco.

A lot of companies have non-disclosure clauses in their contract and you can bet yer ass this was a breach of contract.

But like the previous person said, the FBI decided not to get involved, and this is a breach of contract, which in this country is illegal =)

Re:BS (1)

jellomizer (103300) | more than 9 years ago | (#13197605)

Because this is computer stuff. And computers are these magical things that think for themselves and no one understands them, so they can't figure out how the laws should apply to them. If people started to think of computers more as tools than modern slaves, then we'd all be better off.

In Soviet Russia ... (1, Funny)

sosume (680416) | more than 9 years ago | (#13197420)

Oh well, this might as well be Soviet Russia!

Re:In Soviet Russia ... (2, Insightful)

daveschroeder (516195) | more than 9 years ago | (#13197560)

How is this funny or relevant?

Since when is it evil for a law enforcement agency to follow up on a complaint, even if the complaint is later found to be invalid? Or should law enforcement agencies be able to predict the future, and just skip the investigative step, and automatically know whether a crime has been committed? It might have been absurd or vindictive for ISS and/or Cisco to approach the FBI, but when someone approaches the FBI and claims a crime has been committed, would you prefer that the FBI did nothing? It HAS to investigate, just like the police still respond to even 911 hangups. If nothing is wrong and no crime has been committed, it's dropped. But when a complaint is initiated, the investigative step MUST take place, else, how would law enforcement even function?

Re:In Soviet Russia ... (2, Funny)

Anonymous Coward | more than 9 years ago | (#13197675)

In Soviet Russia this is funny and relevant.

Goodness... (4, Funny)

coop0030 (263345) | more than 9 years ago | (#13197421)

which contained techniques Lynn said could bring the Internet to its knees.

Can you imagine the chaos?

I bet some people would even end up going outside.

I would probably crawl up into a ball and cry until it was fixed; with my girlfriend consoling me.

I suppose I could look through my old cached history of webpages and pretend that I was online!

Re:Goodness... (0, Offtopic)

DigitalReverend (901909) | more than 9 years ago | (#13197506)

Dude, you got a girlfriend? Where do I download one of them from?? =)

Re:Goodness... (0)

Anonymous Coward | more than 9 years ago | (#13197549)

I would probably crawl up into a ball and cry until it was fixed; with my girlfriend consoling me.

Girlfriend? What, do you have one of those talking Realdolls?

Re:Goodness... (1)

coop0030 (263345) | more than 9 years ago | (#13197573)

Girlfriend? What, do you have one of those talking Realdolls?

Woah, they can talk now?

Looks like I need an upgrade...;)

Re:Goodness... (2, Funny)

rcamera (517595) | more than 9 years ago | (#13197720)

no, and that's the nice thing about them.


1984 Called... (5, Insightful)

bc90021 (43730) | more than 9 years ago | (#13197426)

...and told us that it will be the year we all live in from now on.

Regardless of what you think about Lynn's tactics, or Cisco's, or ISS's, or Black Hat's, the bottom line is that the FBI is now investigating. The government is going after a private citizen for releasing information about routers, because it's "critical to the national infrastructure". How long before pinging a router is an "investigable offence" for causing a drop in router resources?

Re:1984 Called... (2, Insightful)

Blue-Footed Boobie (799209) | more than 9 years ago | (#13197553)

Mod parent up!

This IS the point here. Although an investigation is not an arrest, it will still disrupt his life in massive ways.

Re:1984 Called... (1)

SilentShriek (903213) | more than 9 years ago | (#13197556)

How long before pinging a router is an "investigable offence" for causing a drop in router resources?

Not very long, if such an act could be considered "trespassing" or something to that effect. See the cybercrime parts of the Patriot Act: CCIPS [usdoj.gov]

Re:1984 Called... (1)

goldspider (445116) | more than 9 years ago | (#13197592)

Here we have a person revealing vulnerabilities of an unquestionably critical national infrastructure to a group of people that exists to cause network disruptions...

...and you expect the FBI to NOT investigate him??

Relax (1)

kevin_conaway (585204) | more than 9 years ago | (#13197644)

Relax, see here [slashdot.org] and here [slashdot.org] . Now take a deep breath

Re:1984 Called... (0)

Anonymous Coward | more than 9 years ago | (#13197716)

even more innocent [boingboing.net]

What was the suit about? (2, Insightful)

Blindman (36862) | more than 9 years ago | (#13197431)

What exactly was CISCO suing over? It seems to me that CISCO didn't like what he had to say, but that doesn't give you a right to sue somebody. Obviously, they weren't alleging libel or slander, since everything he said was apparently true. I don't recall allegations that he misappropriated trade secrets or something. Did he just give up so that he didn't have to defend a baseless suit?

Was his disclosure good for the internet in the short term? Probably not. However, unless there is some law that I'm missing, describing how to use a bomb is not the same as advocating that it be used.

Re:What was the suit about? (1)

Blindman (36862) | more than 9 years ago | (#13197488)

Never mind. I see that there was a case of misappropriation.

Please, don't overreact. (2, Insightful)

daveschroeder (516195) | more than 9 years ago | (#13197445)

First, according to this new article, Lynn would have been allowed to speak if Cisco was allowed to speak as well.

In other words, give Cisco the opportunity to explain that patching vulnerabilities in major commercial vendor-supported code isn't just something that happens instantaneously. I'm not saying Cisco is completely in the clear here, but no, everything shouldn't be open source, and patching shouldn't/can't happen like it does in the open source community. Some people will no doubt fundamentally or philosophically disagree with this, but in major network infrastructure, there is a place for stable, predictable commercial support. Along with that sometimes comes commercial and/or proprietary code, code which is kept proprietary for competitive advantage. This is not to say that flaws should not be revealed for the good of all, but speaking in generalities here, broadcasting everything as loudly and widely as possible to the public isn't necessarily the best way to address issues. Nor is hiding things in obscurity. But there is a scale here, and it's NOT black and white.

Further, the FBI is investigating not because of some corporatist government conspiracy, and is not being used as Cisco's own "police force". It is investigating a complaint it received, as it is compelled to do by its very reason for existence, and doesn't even know if a crime has been committed. Would you want law enforcement agencies to not investigate allegations of crime, your opinion of this particular instance aside?

Even Lynn's own lawyer says "that she thought the agency was simply following through on a complaint it received when Cisco and ISS filed their lawsuit against Lynn and that it didn't come after her client reached his settlement. She didn't know the nature of the complaint but said it was probably something to do with intellectual property and that it most likely came from Cisco or ISS.

Granick said she did not think the FBI would arrest Lynn.

"Definitely not," she said. "I don't have any sense at all that that's where they're going. I don't know what the circumstances are under which anyone contacted the FBI. It may very well be that given that we settled the civil case yesterday, this is over."

So please, let's not overreact.

Re:Please, don't overreact. (2, Insightful)

loqi (754476) | more than 9 years ago | (#13197664)

This is not to say that flaws should not be revealed for the good of all, but speaking in generalities here, broadcasting everything as loudly and widely as possible to the public isn't necessarily the best way to address issues. Nor is hiding things in obscurity. But there is a scale here, and it's NOT black and white.

You're sort of straw-manning here. The problem isn't that Cisco didn't fix the vulnerability in time, the problem is that they didn't tell anyone it was a critical update. That's a far cry from open-sourcing their code or personally explaining how the vulnerability works.

PDF of the Presentation (5, Informative)

Irongeek_ADC (903018) | more than 9 years ago | (#13197446)

I found this linked on Nick84's site (http://www.rootsecure.net/ [rootsecure.net]): http://www.infowarrior.org/users/rforno/lynn-cisco.pdf [infowarrior.org] If I'm correct, it's the slides that were taken off of the handout CD. Another link from a Wired article: http://cryptome.org/lynn-cisco.zip [cryptome.org]

Re:PDF of the Presentation (1)

davidwr (791652) | more than 9 years ago | (#13197597)

http://cryptome.org/lynn-cisco.zip [cryptome.org] times out. The host appears to be in the USA, so I'm not sure if this is the Wired/Slashdot/flash-mob effect or the FBI effect; it could be either one.

lynn-cisco.pdf appears to be up for the moment.

Re:PDF of the Presentation (1)

Irongeek_ADC (903018) | more than 9 years ago | (#13197629)

I was able to get the one from http://cryptome.org/lynn-cisco.zip [cryptome.org] with wget, but it took about 10 min.

23rd Post!!!! (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#13197463)

yeppers.

TFA (3, Informative)

MrAndrews (456547) | more than 9 years ago | (#13197466)

"There's no arrest warrant for (Lynn) and there are no charges filed and no case pending," Granick said. "There may never be. But they got a complaint and as a result they were doing some investigation."

In other words, probably not really in trouble with the FBI.

How long... (0)

Anonymous Coward | more than 9 years ago | (#13197468)

...until the videotape of his presentation that conference organizers promised "never to distribute" hits the net?

Important Stuff: Please try to keep posts on topic. Try to reply to other people's comments instead of starting new threads. Read other people's messages before posting your own to avoid simply duplicating what has already been said. Use a clear subject that describes what your message is about. Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page) If you want replies to your comments sent to you, consider logging in or creating an account.
Let's cut the tinfoil a bit (3, Insightful)

BlackCobra43 (596714) | more than 9 years ago | (#13197473)

FBI investigation =/= FBI hunting you down and cracking down on you and your ilk. Just think for a moment about how many thousands of things the FBI is currently "investigating" that you will never hear about.

Re:Let's cut the tinfoil a bit (1)

Half-Baked (771927) | more than 9 years ago | (#13197652)

Just think for a moment about how many thousands of things the FBI is currently "investigating" that you will never hear about

Thank you, Patriot Act.

Re:Let's cut the tinfoil a bit (1)

pete6677 (681676) | more than 9 years ago | (#13197690)

According to a popup ad that I got this morning, the FBI is investigating me right now, unless I pay some guy $29.95 for this program that hides stuff from them. Sounds like a good deal, I better order it!

Always shoot the messenger (1)

tulare (244053) | more than 9 years ago | (#13197479)

That way, the only news is good news!

Everyone together now:
kumbaya, my lord, kumbaya...
Meanwhile, back at the ranch, some Eastern European "security expert" is busy cheerfully 0wn1ng j00 when you order that book from Amazon. Checked your credit card statement lately?

Free speech (3, Insightful)

jdavidb (449077) | more than 9 years ago | (#13197486)

"The FBI is investigating computer security researcher Michael Lynn for criminal conduct after he revealed that critical routers supporting the internet and many networks have a serious software flaw that could allow someone to crash or take control of them."

The FBI is investigating Michael Lynn... after he revealed ...

Congress shall make no law ... abridging the freedom of speech, or of the press.

He's being investigated for what, now? Talking?

Re:Free speech (0)

Anonymous Coward | more than 9 years ago | (#13197538)

I think Cisco is claiming that his research is based upon information obtained under NDA while he was working at ISS. I'm not sure why the FBI is involved, though; breaking an NDA is a civil matter that could result in a lawsuit.

Re:Free speech (0)

Anonymous Coward | more than 9 years ago | (#13197589)

This is a dumb point. I'm sure he signed some sort of NDA in which he likely ceded his right to talk about some things.

People aren't allowed to talk about stuff all the time (think classified material) because they likely voluntarily gave up their rights to talk about it.

Free speech - Costly Responsibility. (0)

Anonymous Coward | more than 9 years ago | (#13197620)

" Congress shall make no law ... abridging the freedom of speech, or of the press.

He's being investigated for what, now? Talking?"

*crowded theater*
FIRE! FIRE!

Re:Free speech (1)

Stevix (861756) | more than 9 years ago | (#13197654)

Yes, but what he is talking about isn't exactly his opinions on politics or what have you; he is expressing information on, no doubt, private corporate information, or a vulnerability thereof. If I worked at a company and decided to 'practice free speech' by harping all of my employer's trade secrets, I would no doubt be fired for screwing over the company, based on non-disclosure agreements. Considering the impact this vulnerability has on the infrastructure (think about the ramifications of shutting down the internet, including government networks, etc.), the FBI sees this particular information as akin to 'speaking freely' about architectural flaws in the majority of large buildings that could bring them down with little effort, including government facilities. Maybe a little overboard, but hey, they have been investigating more people for a lot less recently.

Re:Free speech (1)

jdavidb (449077) | more than 9 years ago | (#13197731)

Yes, but what he is talking about isn't exactly his opinions on politics or what have you

Congress shall make no law ... abridging the freedom of speech, or of the press about politics.

No, I don't see those words in my Constitution.

if I worked at a company, and decided to 'practice free speech' by harping all of my employers trade secrets, i would no doubt be fired for screwing over the company

Exactly. You would be punished by the company, not by the government, because what you had done would not be illegal but a violation of employment terms and/or contract. The FBI would have zero jurisdiction.

In the same way if you come to my house and start spewing religious garbage I don't want to hear I can refuse to listen and remove you from my property, but I still can't restrict your right to say what you believe. You can't be thrown in jail for saying it, but you can be forcibly removed from my property and made to say it elsewhere.

A company firing someone for 'practicing free speech' is simply exercising the right all of us have in a free speech society: you can say what you like, but I don't have to like it.

but hey, they have been investigating more people for a lot less recently.

No doubt that makes it right.

Re:Free speech (1)

Shadow Wrought (586631) | more than 9 years ago | (#13197687)

Keep in mind that the 1st Amendment is not an absolute protection against saying anything, anytime, anywhere. The classic example is shouting "FIRE!" in a crowded theatre, though I prefer the thinking of someone with a bull horn outside your window at 2 am ;-)

In this particular case, and IANAL, they could be seeing whether his actions might be inciteful to others. The reality, however, is that they will quietly look at this and decide that no crime was committed.

Wait, let me get this right? (1)

mister_llah (891540) | more than 9 years ago | (#13197496)

A lot of you are saying the information on this vulnerability, which could cripple the Internet if taken advantage of, should be released in order for Cisco to fix it?

I may be just a simple caveman, but this sounds like a tremendously bad idea... someone would take advantage of it sooner or later...

The Internet dropping, even for a few hours, would have a profoundly negative impact on the world economy...

I mean, geez, just think about it...

Re:Wait, let me get this right? (1)

cp5i6 (544080) | more than 9 years ago | (#13197657)

Sigh... so I dont get my pr0n for 4 hours..

the horr....



wait a minute... AHH!!! I WONT GET MY PR0N FOR 4 HOURS!!!!!

Re:Wait, let me get this right? (1)

mister_llah (891540) | more than 9 years ago | (#13197700)

Well, beyond our user needs...

A lot of companies use E-mail to arrange things, do online ordering (could mean millions in losses for online only companies) ...

Such an "attack" would destabilize faith in tech stocks and businesses... prices drop, the companies make adjustments to try and cover these losses... this can cause loss of jobs, revenue, etc...

It'd be a sharp blow... not as bad as blowing up a building, but it'd be a low point for the year, probably...

Re:Wait, let me get this right? (1)

Todd Knarr (15451) | more than 9 years ago | (#13197688)

On the other hand, knowing about the problem I can now take steps to mitigate it by, for example, making sure my back-up routers are not made by Cisco, or by replacing vulnerable equipment with other types that aren't vulnerable. Of course this would hurt Cisco, which is the reason IMHO they tried to shut the guy up.

Re:Wait, let me get this right? (1)

mister_llah (891540) | more than 9 years ago | (#13197754)

It would be better then, to just blow the whistle without giving specific details which could be used to "bring the Internet to its knees" ...

Cisco would be hurt, no secrets would be divulged, and Cisco would still try to fix the problem before it was discovered...

Of course, without the specifics, the information may be seen as less valid, but if they investigate the source, and the source is a trusted expert (as in this case) ... then why do you need to know the specifics? ... I'm sure Lynn contacted Cisco, also, and notified them of this vulnerability...

Re:Wait, let me get this right? (1)

Linus Torvaalds (876626) | more than 9 years ago | (#13197689)

So what you are saying is that it's a really bad thing for Cisco to cover up a problem that can cause that instead of fixing the problem?

If only companies weren't allowed to cover up something like that. Oh wait, employees with consciences could blow the whistle. Oh wait, one did, and then he was threatened with a lawsuit and investigated by the FBI.

Anyone reminded of Adobe vs Sklyarov? As soon as he was arrested, Adobe changed their mind and avoided bad publicity by backing off. Now that the FBI are investigating Lynn, Cisco are backing off to avoid bad publicity...

Re:Wait, let me get this right? (1)

mister_llah (891540) | more than 9 years ago | (#13197726)

Hmm, you seem to be reading very much into what I was saying.

No, covering up a wide-affecting vulnerability should ALSO have consequences.

However, spreading the vulnerability is ALSO just inviting someone to use it.

Sure, Cisco would have to fix it then, but the damage would already be done...

You think too much in blacks and whites, saying 'spreading that information is not a good idea' does not mean that Cisco is doing right, there is a possible conclusion that can be drawn (that I have drawn) ... that says BOTH are wrong...

Re:Wait, let me get this right? (1)

loqi (754476) | more than 9 years ago | (#13197692)

Are they saying that? I think they're saying Cisco should tell people when they have a huge security problem so they'll, I dunno... download the freakin patch.

Re:Wait, let me get this right? (0)

Anonymous Coward | more than 9 years ago | (#13197703)

A lot of ISPs are using Juniper routers. The internet is not vendor homogenous; no one vulnerability is going to kill the entire thing.

This doesn't pass the "fire in theater" test (3, Insightful)

davidwr (791652) | more than 9 years ago | (#13197498)

He wasn't revealing state secrets, and he didn't "yell fire in a crowded theater."

Someone should challenge the trade-secret-protection criminal laws on 1st Amendment grounds - yes, there is tort, and yes, restraining orders may be appropriate in rare circumstances, but a criminal conviction, I think not. It's time to give the local jury pool a lesson on free speech and jury nullification.

I hope they drop this ASAP, and if they don't, the ACLU should get involved. This is America, not Soviet Russia.

Re:This doesn't pass the "fire in theater" test (1)

tulare (244053) | more than 9 years ago | (#13197618)

I'm not saying I agree that the FBI should be involved in this horseshit (I don't), but the way "Trade Secrets" tort works is that you sign and swear to an agreement to NOT disclose certain information. If you break that agreement, you've violated a contract and an oath, and the other party is legally entitled to go after you.

On the other hand, I think this is a case of someone making an ethical decision to violate an NDA because, by his lights, the risk he faces is not as bad as Cisco continuing to have cranio-rectal inversion syndrome over this, not to mention all the half-brained dipsticks out there who haven't applied the months-old patch that fixes most of the problem.

Ethics versus NDA... it's a choice I haven't had to deal with, and for that I'm thankful.

Re:This doesn't pass the "fire in theater" test (0)

Anonymous Coward | more than 9 years ago | (#13197651)

Funny... the guy who founded the ACLU wanted to turn the United States into Soviet Russia. I wouldn't hold out hope for the ACLU to do what's in the best interests on the United States and its constitution.

Re:This doesn't pass the "fire in theater" test (1)

loqi (754476) | more than 9 years ago | (#13197752)

Well, it doesn't look like he'll be facing any criminal charges, but I agree 100%. Trade secret violation as a criminal offense smacks of the kind of bullshit Adam Smith warned us would happen if businessmen were allowed to make the laws.

Kill That Messenger (0)

Anonymous Coward | more than 9 years ago | (#13197512)

"The FBI is continuing to blindly follow the widely disproven security policy known as 'security through obscurity' by stopping the free flow of information regarding critical vulnerabilities to the men and women who run America's Internet infrastructure, ensuring that they can't use this knowledge to make fixes, reduce their risk profile, or find alternatives."

Nice job FBI. Why not halt the free flow of traffic reports while you're at it? Terrorists could use those too you know.

What's happening to Cisco? (0)

Anonymous Coward | more than 9 years ago | (#13197514)

Anybody investigating Cisco? How did they allow this hole into their routers? Did they do it intentionally? Is a competitor or someone more nefarious among their ranks? Or are their programmers simply incompetent?

Will the FBI check them out? Is anyone going to hold them accountable for their mistake?

Or has our industry degraded to the point that incompetence is rewarded, and vigilance is punished? Why on earth would Cisco or anybody else even bother *trying* to write secure software if this is how they react? I guess lawyers are cheaper than good programmers?

Personally, the real victims here are you and me, or any admin who has to deal with Cisco junk. I can't tell my clients if they are secure.

I hope Cisco reveals the full technical details of this problem as quickly as possible. The only reason I use Cisco is for the hardware. The software is closed-source and I have to trust Cisco to keep it secure. They dropped the ball completely.

Hmm (2, Interesting)

StreetFire.net (850652) | more than 9 years ago | (#13197528)

If we're not allowed to test holes, it reminds me of that old saying, "Who will guard the guards?"

Wile E. Coyote school of security (5, Insightful)

Weaselmancer (533834) | more than 9 years ago | (#13197612)

Wile E. Coyote can walk off a cliff and doesn't fall - until the Roadrunner points out there's no ground under his feet.

Apparently the FBI thinks computer security works the same way.

Use a brain, go to jail. (2, Funny)

mmell (832646) | more than 9 years ago | (#13197633)

Of course, with the internet down we could all agree to meet and pretend to chat with each other in the big blue room. I'd even be willing to use my face to emulate emoticons, if that'll help.

OT: Search on main page (0)

Anonymous Coward | more than 9 years ago | (#13197665)

Offtopic, but I don't know where else to post it: When did Slashdot's search on the main page change to Google Slashdot?

It's much better!

I don't see why they should care (1)

portwojc (201398) | more than 9 years ago | (#13197674)


Cisco is quoted as saying:

Cisco denied that the flaw was as critical as Lynn said it was

Then what really is the problem?

The FBI is investigating... (1)

iminplaya (723125) | more than 9 years ago | (#13197686)

Wow! Sure is a good thing we have the first amendment to club them over the head with... or has it been completely repealed now? Like the 4th?

I was in just about as much trouble as he is... (2, Funny)

1336.5 (901985) | more than 9 years ago | (#13197691)

But my situation was a little different - it was something like, "I swear officer, she told me she was 18, I SWEAR!!!!!!"

Copy of presentation/notes? (1)

Kiaser Wilhelm II (902309) | more than 9 years ago | (#13197719)

This sounds like another DeCSS.

If anyone has copies of the stuff Cisco wants censored, we could all host it and make torrents of it. Those who are less brave can use something like FreeNet to host it.

If hundreds of thousands of people host it, it will be a giant embarrassment for Cisco and there will be nothing the authorities can do to stop it.

I wonder what would happen... (2, Interesting)

Todd Knarr (15451) | more than 9 years ago | (#13197723)

I wonder what would happen if a large user of network equipment, who depends on that equipment operating properly to stay in business, filed against Cisco on this? After all, they know how dependent others are on their equipment, they knew their errors in coding had put those other people at risk, and they not only didn't do anything about the situation they actively tried to block information from the people who'd be harmed. Seems to me that if a dangerous situation existed and the person responsible for it actively tried to keep the people endangered from finding out about it, that's usually grounds for additional penalties against the responsible party.

Well if ya ask me... (1)

perigee369 (837140) | more than 9 years ago | (#13197729)

I think someone needs to tell the FBI to go screw itself... Cisco too for that matter. It just keeps getting worse and worse. De Fuehrer Dubya, Congress and the Patriot Act should all be dismissed so we can just start over again (a new Constitutional Congress maybe)

Just so we're clear... (1)

ninja_assault_kitten (883141) | more than 9 years ago | (#13197734)

Everyone is aware that the presentation has been published on numerous mailing lists and websites [infowarrior.org], right?