It looks as if Cisco’s cease and desist letters to Web sites hosting Michael Lynn’s banned Black Hat presentation detailing a critical flaw in the company’s IOS operating system are not having the effect the company desires. An increasing number of other Web sites are now making Lynn’s presentation available to whoever cares to read or download it.
There’s stuff that needs to be kept secret. If this was an easy flaw to crack, I’d say sure, post it.
Look, if you think posting sensitive information is no big deal, how come all you guys were up in arms when crackers posted Visa credit card accounts? If you guys think “information wants to be free”, be a real man and post your bank account, social security and passport number – after all, these are just pieces of information about YOU.
On the other hand, if Cisco knew about the exploit (they did) and continued to advertise the fact that arbitrary shell code cannot be executed on their systems, that would be lying. If your bank advertised an impenetrable vault and that was their *sole* reason for earning customers’ trust, I’d say it’s perfectly responsible to notify them of any serious flaws and, if they don’t respond appropriately, notify the public.
Cisco made this a big issue by flying off the handle when they could have simply advertised that a fix exists and pushed clients to upgrade. At the very least they could have informed clients that the possibility of an exploit exists. They chose secrecy, and this is what happens when a security issue is swept under the rug.
Any company that makes its money peddling security has an obligation to be secure, or risk obsolescence.
Think about it this way: if Cisco products are the only things standing between your personal information and the Wild Wild Web, would you like to know if an exploit exists that might serve access to that information? Would you feel it was morally irresponsible for Cisco to suppress knowledge of this exploit as opposed to addressing it?
I would and I do. That’s why I don’t pity Cisco at all.
Anyone who was actually there or bothered to look at the slides would know that the exploit detailed in the slides has already been fixed by Cisco. The version of IOS that is vulnerable to the particular exploit is no longer available (they no longer have old versions available on their site). The reason Cisco is making a big fuss is because they don’t want people to know that IOS can be exploited, not that it is a 0-day exploit. Next time, RTFA!
Precisely.
If you are in charge of critical Cisco, or for that matter ANY critical system, and you’re not installing security patches, you get what you deserve.
It’s like complaining when you got a virus: ‘but I updated the definitions last month!’
Absolutely agreed.
1. If Cisco has stated that there are no known security issues with IOS, and there is one, and they knew about it, that’s false and misleading advertising. At least in Australia, that’s a serious offence. We’ve had companies forced to do a total product recall based on this sort of thing.
2. This is worrying, in that the DMCA has been used to issue take down notices that affect the freedom of speech. I see no reason why a corporation should have more rights than an individual, furthermore, an individual that has the right to vote (whereas a corporation does not have the right to vote, and should never have that right).
I’m pretty damn sure that the founding fathers would be rolling over in their graves in pure anger at what has become of their beloved country.
Dave
do you even believe what you are babbling about?
Here is a tip: pull your head out of your ass and you just MIGHT realize that a potential exploit is a lot different from a credit card number.
BTW, Social Security numbers are worthless; give me your name and I’ll tell you what your SSN is (it is in thousands of public records and easy to find).
I think the way the information was released was highly irresponsible. Publishing a flaw to a bunch of people who know how and probably will use it is dangerous. In this regard Cisco is right.
Cisco is NOT thinking ahead. What happens when it becomes a huge legal liability to publish these flaws and the person who found it doesn’t want to report it to Cisco? It gets posted on some obscure website in Poland, and now you have an underground community with at least a week’s lead time before the rest of the world even knows what’s going on. However irresponsible the disclosure, it was still a public disclosure. It didn’t come in the form Cisco wanted, but I’ll take it.
The point of Lynn’s talk was not the particular exploit that Cisco fixed earlier, but that the same KIND of exploit was still feasible.
Some lawyer, PR person or VP on Cisco’s staff had a meltdown and ordered the JOINT talk planned with ISS and Lynn to be cancelled and then tried to prevent Lynn from talking altogether, using “thug” tactics to do it. They also put the Black Hat conference in a bad position due to the late cancellation – changing the conference documents and CDs would have cost $20K, reportedly.
Lynn and ISS had worked with Cisco for months on this vulnerability. Cisco had assisted them with software tools to do so.
Then at the last minute, Cisco panics about the legal liability of SAYING they’d left in a CLASS of vulnerabilities and the potential for class action lawsuits, users suing if they get hacked, and general bad PR.
So then they proceeded to destroy their credibility and ruin their PR by behaving like morons about it.
ISS caved in under the pressure, but Lynn didn’t. This makes him someone with integrity who believes that revealing that thousands of unpatched routers have a dangerous flaw is the right thing to do – and most of the Cisco users I’ve seen quoted in the trade press agree with that. They want to KNOW what their problems are.
And now everyone knows you can’t trust Cisco to eyeball their stuff, and you can’t trust them to reveal it when they do.
Which means that it’s time for the government to force Cisco to open source IOS so that its flaws can be discerned and eliminated. This is a national security issue now.
Cisco should be saying, “here is the patch,” not “stop revealing the security problems with our software”.
When you say that, it looks bad to customers. I wanna hear “yes, there is a problem, here is the patch.”
Fact of the matter is Cisco IOS had a serious security flaw, and all hardware running it needed to be patched. Keeping it secret meant the only people who would know about it would be those deploying the exploit. Lynn waited until Cisco had a patched version before making it public. Now no one has an excuse not to patch the flaw. If someone fails to deploy the fix, it’s their own fault. Cisco has done nothing but shame their otherwise good name. Cisco makes great products, and everyone who talked about the exploit at BH / Defcon admitted that the flaw was extremely hard to deploy because the product was developed so well. Too bad Cisco didn’t have enough faith in themselves to just handle this properly… now if I can just get rid of this hangover from Defcon, life will be good again!