Cisco, Researcher Settle Flaw Tussle
By Ed Oswald | Published July 29, 2005, 12:10 PM
Cisco said it has settled a dispute with a former researcher from Internet Security Systems who had quit his job so he would be free to give a speech about a flaw in Cisco routers at the yearly Black Hat conference in Las Vegas. The communications hardware maker had threatened legal action if the presentation was given.
Any source code that researcher Michael Lynn had in his possession must be returned to Cisco under the agreement. Lynn will also be barred from ever giving a presentation on the topic again. The settlement appears to be a win for the company, which felt the release of the flaw was "premature" and dangerous to customers.
Lynn, on the other hand, said after he made the speech that nothing malicious was intended by his presentation and claimed it was aimed at getting Cisco customers to upgrade their firmware, which remedies many of the problems he highlighted.
Cisco and ISS pursued legal action against Lynn and Black Hat to prevent any further information on the vulnerability from being released.
It also appears as if Cisco is trying to sweep any evidence of the presentation ever happening under the rug. As part of the settlement reached in San Francisco court Thursday, Black Hat will turn over any video of the presentation.
"We are gratified with the court's actions. Cisco and ISS took action only as a last resort, to stop continued irresponsible public disclosure of illegally obtained proprietary information," Cisco said in a statement.
However, it seems as if Lynn disagrees with Cisco's stance, and told the Associated Press that the company never admitted that somebody could take control of its routers. "They fought that argument for a long time. You can see how far they're willing to go. I demonstrated it live on stage. That debate is over now."
lol. he quit his job. poor kid.
Score: 0
|What an idiot. You shouldn't quit your employer just to get a speaking gig; continue to work there and fix the problem.
Score: 0
|Perhaps you need to read the article more carefully. Mr. Lynn's issue with Cisco was that they were in denial that there was a problem to fix. If his version of the events is accurate, it wasn't a matter of staying there and fixing the problem but rather getting Cisco to acknowledge the problem so that customers would know about the fix and apply it.
It would appear that Cisco seemed more concerned about the bad PR of having to fix a security flaw rather than being mature about it and being open when flaws are discovered so that customers can fix them before they are exploited.
Score: 0
|wormeyman, some people have pride in their research. I respect Lynn's decision to quit the company for the speaking arrangement. It shows that he not only cares about exposing potentially harmful vulnerabilities that were obviously ignored, but that he isn't some corporate tool that listens to everything his employer tells him. Go back to your pencil pushing, wormeyman and shmoozin' with your boss on a golf course. Loser.
As for Blackhat handing over the video, I'm willing to bet that video will be leaked out on P2P Networks (if it already hasn't). The fine folks at Blackhat aren't ones to bow down to authority that easily. I mean, think about it... the same guy who runs Blackhat runs Def Con. =)
Score: 0