Cisco Router Flaw Goes Public
By Ed Oswald | Published July 28, 2005, 2:24 PM
Each year, attendees gather at the Black Hat security conference to talk about security vulnerabilities in currently available technologies.
Obviously, manufacturers are not too happy with these disclosures, but this week Cisco went as far as threatening legal action against conference organizers if a presenter was allowed to reveal potentially damaging information about the company's routers.
Michael Lynn, a former researcher with Internet Security Systems, showed how hackers could gain control of Cisco Internet routers. The flaws could potentially pose a security risk to both corporations and government entities, which use Cisco's products in large numbers.
Lynn quit his job with ISS before making the presentation after executives from the company demanded he remove sensitive portions. Cisco instructed its own workers to tear out 20 pages of information and to destroy some 2,000 CDs containing information on the presentation.
Cisco and ISS are also pursuing legal action against Lynn and Black Hat to prevent any further information on the vulnerability from being released. Cisco maintains that Lynn somehow obtained the information used in the presentation illegally.
Claiming the release of the flaw was "premature," Cisco is justifying its actions as a way to protect its customers.
Lynn, on the other hand, says nothing malicious is intended by his presentation, claiming it is aimed at getting Cisco customers to upgrade their firmware, which remedies many of the problems highlighted in his presentation.
While Lynn initially agreed to cancel the presentation, that changed when he took the stage. Lynn had quit his job with ISS shortly before the presentation, which meant he was no longer bound by the agreement ISS had struck with Cisco.
"What I just did means I'm about to get sued by Cisco and ISS. Not to put too fine a point on it, but bring it on," Lynn said after giving the presentation.
I've always told people there is nothing like failsafe, especially with internet security, and finally someone is proving it.
For Cisco, they are demonstrating their weakness. What a pity they can't even promise to work on it but threaten to sue those who are warning them. 00000 to Cisco.
And finally, like someone said, it's a job to find bugs. Where did Gates Bill start from...
Score: 0
|Would any of the auto makers sue a TV network over airing information on an engineering flaw in their automobiles? I think this totally goes to the heart of the consumer's right to know.
Score: 0
|Cisco should be thanking him! Cisco is not that bullet-proof! It is a bit of a scare tactic, but hey, it will scare those admins into upgrading their firmware like they should.
Finding bugs and backdoors is a part of life, what is the big deal? They got legal actions pending for the love of it all!
If you ask me they should just fix it and call it a day.
Score: 0
|Booooo Cisco
Score: 0
|YAY! Bring the net to its knees. I hate the net. I had a rather lucrative computer bulletin board service (the type they had before there was a net, not the forums they now call bulletin board services). I miss making the thousands I used to make before the net came along and killed free enterprise.
*sardonic laugh*
Score: 0
|*******************
******************
*****************
****************
Cisco eats boogers.
****************
*****************
******************
*******************
Score: 0
|So I cheat on my wife, well, her friend found out that I was cheating on my wife. So she told me, hey, I found out you're cheating and I'm going to tell your wife. I say, Oh no you're not, I'll sue you in order to protect my children.
The point is, the exploit was found, not created. Cisco's the company at fault, and now they need to PROTECT THEIR CHILDREN.
In my mind that makes sense. My point is, if there's an exploit/hole in hardware/software I use, I want to be notified so I can patch, and this type of public attention will have Cisco very busy to release the upgrade needed to protect us. Suing a "hacker" not to tell anyone is a horrible idea; that buys Cisco time to create a patch, however gives the hacker the chance to tell his friends, and it would be an "underground" secret until the patch was finally released, which would render the exploit useless.
Score: 0
|Well, close analogy, but a little off. Lynn was an employee, he would more represent a CHILD of Cisco and not a friend. Router users would more represent the neighbors, not children. And Cisco did NOT know about the flaw when it was made, but someone cheating WOULD know. So to more accurately say this: "So my wife cheated on me. My son found out that my wife was cheating and he was going to tell me. I say, 'Oh no you're not, I'll sue you in order to keep me from realizing the truth and going to marriage counselling to get it all fixed... And the neighbors (consumers) will never have to know.'"
Anyways, pointless post I had here, but sounded a little better. ;]
Score: 0
|nice imagination. i have a chin.....
Score: 0
|They knew about this flaw a year ago and still have done nothing, that's why he made the presentation. Maybe you should think before you type..
Score: 0
|I'm as much for freedom of info as anyone, but that could potentially affect the internet core routers... In which case no one would be laughing.
Score: 0
|Actually....
I would laugh, because without laughing hey.....what do you have?
Score: 0
|It's his world; we just live in it.
Applause for the huevos.
Score: 0
|By acting like deranged jerks at a public forum where hundreds of specialists in computer security were meeting, Cisco management has guaranteed that this product flaw would receive the greatest possible amount of attention worldwide. You would have thought that a company with a reputation like Cisco's would have been able to hire better managers, managers who thought before acting.
Score: 0