Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Researcher Defends Decision to Spill Beans on IOS Flaw



 By: Paul F. Roberts
2005-07-29
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Federal Court orders Michael Lynn to stop working on IOS and surrender all related materials. Meanwhile, Lynn acknowledges that he deceived organizers of Black Hat Briefings about his controversial presentation.

A former Internet Security Systems Inc. researcher sued by Cisco Systems Inc. and ISS after he revealed the details of a serious flaw in Ciscos Internet Operating System responded to the lawsuit Thursday, saying that he was complying with a Federal District Court order to stop talking about the flaw but did not regret breaking ranks with his employer and disclosing the hole.

Michael Lynn, the researcher who provoked a firestorm of controversy on Wednesday with his presentation on IOS at the Black Hat Briefings conference in Las Vegas, said he did not regret his actions and thinks he did "the right thing" by publicizing the hole.

"It was pretty scary, but the real important message was the potential for a serious problem coming in the future," he said.

Lynns comments came on the same day that a Federal District Court in California issued a permanent injunction against him and Black Hat. The injunction instructed Lynn to surrender all information on the IOS vulnerability to Cisco and refrain from working with or reverse engineering Cisco code in the future.

Lynn was also instructed to provide ISS and Cisco with the names of any individuals with whom he shared vulnerability data. Lynn said on Thursday that he had not shared the vulnerability information with anyone else.

Resource Library:
In a statement, Cisco said Thursday that the company was "gratified with the courts actions" in issuing the injunction against Lynn and Black Hat, and that Cisco and ISS took legal action only as a "last resort, to stop continued irresponsible public disclosure of illegally obtained proprietary information."

Click here to read David Courseys column on Ciscos response to Lynns disclosures.

Lynns talk, "The Holy Grail: Cisco IOS Shellcode and Remote Execution," concerned research he did into flaws in IOS that could allow attackers to amplify the effects of existing vulnerabilities in IOS.

Lynns strategy could potentially give remote attackers access to the IOS "shell," from which the attacker could control the device. With control of a Cisco router running IOS, for example, attackers could control or snoop on the content of network traffic passing through the device, Lynn said.

A last-minute decision by ISS and Cisco to withdraw the IOS presentation led to a dramatic series of events, in which Cisco sent representatives to Las Vegas and physically removed copies of Lynns presentation from conference materials, going so far as to rip around 20 pages from the conference proceedings and demanding that CDs containing a copy of the presentation not be distributed.

In a press conference at Black hat on Thursday, Lynn acknowledged that he deceived show organizers and ISS on Wednesday, telling them he intended to comply with the request not to speak about the IOS flaw. Once in front of the packed conference hall, however, Lynn announced to a packed audience that he had quit ISS and would discuss the hole. He proceeded to give a full presentation on the IOS flaw to the cheers of a packed conference hall.

On Wednesday, Cisco and ISS filed a joint lawsuit in U.S. District Court in San Jose, Calif., charging Lynn and Black Hat with copyright infringement, misappropriation of trade secrets and breach of contract. The companies also obtained a temporary restraining order against Lynn and Black Hat to prevent them from discussing the flaw in IOS.

In the statement Thursday, Cisco said it would not take further legal action against Lynn once he and Black Hat comply with the terms of the injunction.

Opera plugs three security holes. Click here to read more.

Cisco and ISS stated that they resorted to legal action only as a last resort, to protect Ciscos proprietary code and because Lynn and Black Hat were acting outside of "industry best practices" and in a manner that would "harm the Internet."

Lynn disagreed, saying that he did not reveal details in his presentation that would enable anyone to exploit the IOS weakness. He said his point in giving the talk was to show IT experts that routers, which are the backbone of the global Internet, are also vulnerable to software exploits.

"The important thing is that vulnerabilities can be seriously exploited on network infrastructure," he said.

Questions still surround the events of Tuesday and Wednesday. Lynn and Black Hat CEO Jeff Moss portrayed the last minute move to purge the presentation from show materials as the result of botched communication and decision making on the part of ISS and Cisco executives.

A Cisco spokesman contested those charges, and suggested that company officials were intentionally kept in the dark about the presentation, and noted Lynns own admission that he had deceived ISS and Black Hat organizers before giving his presentation.

Still, a Cisco spokesman expressed hope Thursday that the story, in which Cisco was often portrayed as a Goliath to Lynns David, was winding down.

"Were not out to get Michael Lynn. We want to get beyond this," the spokesman said.

While Lynn would not comment on whether he was out of the woods legally, he did say that he was hoping to move on. "Whats next? Id like to find a job," he said.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: Researcher Defends Decision to Spill Beans on IOS Flaw
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Paul F. Roberts
 


x}v۸s{zv;/ڎ%۲򶔸3(ئH6IqzO' oHK$snPBP(@֛$9arsc |:Im"Iͭ~xC(3`(:AFA),G)~-sb7 #j+45Gl$J~x#AT{j" xL9 ƜM۲9'ԗo+Nve0-ڶAq>)2rʠ ~5[m(CJ/Z#?+B44IXߢر7?S=2t3ݛ6BT!GJ%h!1Qu _[ό3!X]~j4Lߵ=2 rt=yͰ /B1r!bL{{74ɟ *Y)N Dƞ4IC d#LJN`:t,#GΠȱZ.RG͌iAwtԭSzcG 3G(&$gF=~0[ QK8Q+ K?LGޅN؎MEnڏUl_k| s涱Gjrd˜HJ:)@2t-2Qɲn g32G7EȺJeW+~V*}xxgچs[=dTő3{{3j;S)yszY GA nm$uPwq\t?59N |#kLV)UjTڟ%ȇ t4,{BsoVs7-ݒhZIAv,f3} 3+i3*,AH~2/˫NMӃN;,OaV4*2V]鬘ȏU5u{#+r9l>:sِlnAZ|YkU[_l O{uH4-|kh`=r8Lwz+ ?u/d[: uPG0o-Yn_H!)M a(7F`X@7? iP2[q* ߰n^S@7o脺f-Mn #dh|]Fh-Aho*KLr &@Sk~$M 5ņ])!edJS;uR—W/(AK/5 5|*(If([΀/3A.r)i" 6=aL+^\~,j\'awWڲ9Q[ kK\MޢG\zcOVU..~:oz6LqJjpX.B2iKB0pj뛎Z_@r} /*{ hS2e8l ԰2nб>΃`DgE|F s>k uN< EC#ɠ:ڴb;\f&h`C:}ҍ:LZ? wbhx: C 00gwmLP#AтMx>tT؎]6}l299 L&& zrWtc`w VPC9N@FܧP}MrA}2g`sDo뷺iC1QB?x?Ȝ+) Ht=JII "D% T h4AEENmb$MHXVppTݞH:s&@T>Uh3aGe-n^ $ d6g2+IMihj1!UG,D`v9J,L.[ Oֱ25ڲ fkniқ͑ K{Һ<M -X#LCF3pEq<39`'s<m'(cRr׃ +L+f9L)A\_XHL[5mQ̴a85GS9_Aa" eBC`9N{Sg]2Q$':L:%\u;ıa漃d:Nyv7<&.Q1juΙ/ܑ-ӾO ߄^W 9uC \D r}͚X 4ؐ9|&Bw7Cnl@aehI**#wTw4?Ք{`ELE2a5?%ӻnR/0}ԙQ3BZsOsR#~r-YVk͒T^ӛA#~^/ B[+ҎY&9&ے8EqfP2D񥖲HD@CR)Ե ҊaY^`(y> Cx En҆TSs  Xߪ&TYw˟B zESZv/|4'Z>plZ`/R7,Ÿx;HycI_(%UI$[b"ud\6˰@eִ&3v,˹' zfdݾ'a(JuѧVȹi 3 M1zQ4U$og đavSc4&6wd70M9CLK/'3$!Oԟ'%E&x.5 dh*O|IFt8#XE~H4Ye nsn,wqZEL[vO`c)0v +J!,`;W.P9ufj(ؿ3~Ɋ~o3 خ crA=2]b9(k0qΣuO#%c#lʂu!MUm~,n`s]0>AG5h0qH&;3E6YҚo:+@5-r I h5=枏Kӥ ,ćۑ54}-tqCUjʾ_ZQW7{)|h#Q `! Kx{ZCA;bS(޻tVPBKg7gMEH]ac6U{z@n)ZG/vhTJD[>67=C˙ErN?dZIp|avJre$m@șY#uItLe``l"Z`|i,09|)3p3/?`gSV`pd?x{z&wܕ~5A^c_?J=[Lߴ@V1G`7=3#k(4Qw5rl2y6P]m*lƳ>AqHlw >7ԫ0&7JEVK`zցDZ%~HǞ1}]>th6ZCUӔ*eάɲ7(Ъ#iA/oyN1 Q;/v}b;_&I|SeYȃV)+i+T\U񋰷83pa-XRjuHU}E C/ PNJvݏGQ*~JePIutb*kZQ^?*4rOk,ش/A kpo= 2j>vR-̖M%4e3/ -9@X2DH"rys!}=^xsіs5A DHKrBVë^8Sjw>#E%'[; u{)&:}iN1`l %cAda+F+9eIG{CHY ?9/g`>IBܨn1pAZ~h_^iԎ8%4 \(?[ħ{, /䎱=;SN%M(k6iQtKb/rJ<:<^d:e,O&e=lI1 iKBih%b"C+Cg һl]OpVHpo&_xvId%yx42k85(~uNHlAJiIgԢᬖ^}+Y^N4~x=Na.սLU#EuX.n9Uwwk۾l3{ttQH4S `+#9ʼSsa( GW ./v6cNȣ&k{ ?ɄKGS>^Y=l}DK;,a43q-vb/[~\[("ΞkeCnWKgtFQ\tuo_)arІcAI#:j 2'|?Gdc:M"IQU֭UdU)I=Y)lEG㳑)G8b`@L6COځ{-3(GFnC]`b^s>TxBo~=ͤaW*]c;*;w}omVZtC.qۋB!&Vd/.%E OKt1Z/٦;HmBĬhg2h땫{ldz '|ȞF8^j[}xUyg,da}30[*=)Ιd<J;oݵM L ?#A;"J [ rUCaMPvpmU8"Zy$N0? W_L⎵zcQ(|]qzHV_N\^SGXd]FHb,iأ7%ZCs}dIAww9JwR;ZYLɒ+voWHJC9+,L +j)+cQƭ+rvF6frӖ'hxj\N7&ݲJŜ6b,-MObeDX/ӻU,I4 ]l:a1a0nQ/EמĩK4IVI V W7  z#욟HO&^4e jC|tVJn%RC^ <Xf3TnLӠUS!esҖtLW._~ ];_L1Uԛ0:҉>(OD=)%1k#!3;]WE=o7_V$&i~9<=<F,3CRиyg*}[`DdR_n$=0e+E@ `$LR F%S 6^ Di&ܐǼWzvciNZ9"d}Р G%&"q_# $!H5{"BlJ/;ERB7w?JQ$J p@ZӼ|)f877)#Lgggҕ7& ?eЄ? ! 5q]z6eTR؃eUp[3\G/.!kxg5X=6=ш,x_Z{cP]jU0^Q`/J)`}r~OٓӾVёՈ4W?_s|i%_[Rojo2 a 1u\DᣗY#|I-jضβ$\C6"a6xiE'ӫdk2f%nu߼RcR[eNp+QuK^[KpGN6@lW&ac6a+al޼;H3P,`Ks%təI~'{PVHxM:X?h3|q~6er1t;Sr d $g ڝ_g!9vVݙhJ 7L0-iaC_G/ :}ǕTE #`!}Q58'Y gs&-g s*irS K]P}1>ð>j#'/m#+1KN0if|i7AmaހVXK~Ʒ&^$}nIJBY򎪌2k;uXcVܧu=4 ƲԾ=#& ѧ|ux3}z@f%$ kgPuD^ޱe0S:q@hKl3K @oFYobZ',(tI8y畃[lE~ҡ\^o; QCZV)޲{`tW n0K/~,\4u\ݲeLH^&4`ASGog;DL0vKBttO6k?1[Ld6#Zxu_ :`VljkV(T#~]UѲF̊9t)RrWbp,őy볩V;c ~P2L3@84ƗY'2@$I3Ʊ)+}a87ET1,,JdnHsHy.Pvptg{Ϸw{s21W 5y|O_b/Y/<{pQ}u`2W˲뿑$yi1%1Y~Gj P5\6fC@ aT7gsض wχxGNsɌ1k߱Ex9Qv`܀w7*ZWqi{0spǗq9,!|L͞ΐ[AqCb$G:B/ :ä'2[id?W Y?`CP}]g71VIs^2UwT%HB~2gP;KOaR-M:' "Eo <7n˅=;P=q "Ȯ ON3f-21*VQ]kN9-i/ ȩ2n?̹F\(t[q1wPb!N4#|&IAwP] TeQOVtD`2%0-cWF%5z J 0;~BX^q)Q1&c~6cu\_QS[WZo[֓#d! `,%7vEa8`8(ĒAG¿'h#8iLʃaES, Y4K3c.ᅟZMUWK.}KBG2KN+ߕtW BZcīmWeskɣ.j"*," jD#0Z`?bTi |ɓbfă ZOka`;Xicj=!v}C` oJ.қ≠D37:UYi 7q~ ;,Ot%>^vЪЫ؇ZƒM)RӰp-S| i?NRUzB9wIfpzV =P^cƷϯđպԴzYܣ@VT9>=cwa:97'|z`'NB .kXGl31W*ZT0ouOZ3+Iу%B}sF%aϤGF$bX nzqv0m˖C/0RYki\Mcziv3%{ $0?sև5\+jLגZdyg Gth&f*1:V*)t|{o«I XPpUI٩vTD~ N &̋(LKt<.%:bm[A=~!zDLRO= nN8C roEVIz# ,@gEꊍBDQGB p4,CsF.׽v߾ꡇU Cy6 v&hu^̖~ G6grr`(0ߙ!k:,ehlų@^!& 5,Px-r9G}8ۛQ}ꢧ*% Iݹa?Ðs{IZ"aR1@Q>~1&QBE< ,i  YC) Q?LE+&"=lFLN: ;Cs%zH"V|8snj=J"r7 tR"#tQ:..( I[PXP؟OKL)awSIJAwͭ03L\Yej xpƩX<>swe~q#m>`5KqjldaQ(;b8M u߁3,ȏWHl(8sz1I(tCK/HzsRfdFqwȗ>0(-ŌCZS*Ф+t!dW`ǪZIWt'x2nVկX{z+iT( I+1;}^ni``fڟ,BuyywH_ۤwxչw}ֽsJ֊_nԝEs/4MfbvK5m+LJy22 6Sr=\h^EpɃwᝥ%;飱8ġ3U֣jUzq &6ٜCUZs:Пxq3/KL:FySA^^Z+!QqXmn8~(hOu{at/څfhR3`dzwP.7(- ʯ[.wsʑG@vN!f}ss?{(]~)4O;坣BsS3r'z^NG(]~rl<s<s{Csy}ρ?s>ʯʁsڿi:s$CPʑ%.N pr+AT/ޯ<8|sYU~vïUX^йZ*4ˑ*cܿ72~2A\v aqʍz^Syڞ馕i8Ү۸/6h}0^ZE/ޤq<~! 3l?V\[[,Oнۺ{g%%Iy=0?%Mu{1پWߕ\~SnE+tOq&R2#s"qG\%Ün1'\ 3{"X |8NtGY+wT/syk48 fVt{rMtKn y+ %>| #r%}ꂽExvYY5WlNA6KGҿN^Qև^֪_p3n4>|dOvHu6lC{>k'K*8 ߜ:S?|Y&@Y8'Rدhع+jzrt5pÅ̹H5q X1Y&4HjYj ~ZV-%\;`!"2t< ̈ɪ"+uw9 طV*r `" *s>P`2_7UJ` Њz!J1 4c֭dKb(p EУE˘/͛YȌN#^"_v3v_۱ CR1 1@ͭeV*q0*r>d%Q<8s`JJX>&\ʠaCao/XbKl[`\;yo=Y2gj y gy0\9KhMV=ȾwF=C19!<:,9Jw*tWЫȹ&S]" 9oє^\C ΅{*˗ XVy_t0=_cnnu–'*F'B:N7/ɱwؼ!A0BRhNY M^E` AO$80~.Ƥe.h0XASVLΊ[q|xL´k. $LitZ~|6h_uitkH,'g@诿J`Xkt0sa/7%N7"f9p<y x_ Z?y=y G#|ɝuxtNuaL{eS;;osһLx WsLJ ?>KGJ Ǝ$z #߀9/: C{1B9 H|\sEEבE,&J Z}J]gBZwlPFsa8 "s k!6K2cE\cͅx}pT\pίce'nfG6s0cX =w`?EcС2]SXn ՂY#rF31F#qyU YT8kits[/RT”sM1vm »=SY,> F_dvO~%B+*O 8>eCkgIrT~{F=*P=fZP;] f"0%Yz#Io=G}m_VeńK!أb4#UI;.~;JT>$##R.ܐOF{/)0XPyx ,CS6N>LCc? `fwl:WɿlعsӘ1J1А862B>кmQ޺%pmdxH VK0Su Ыvl>cx L7;*1ue|nHHUڧf2{O;:o90kn>Q$L{Ew=HJ D Ozn'`wD .7./Y& hWa!*e31KLP`dΙv&w>G}wd ȁ(d}j͜ԋOg0xeҕhOɬnq;Z?] m-!+$~Il=`u Vڔ+zyL1e~}=3G(qW",@zSqt3BW5`/=H]c(|9NhՆG0ޏq[7PR|@xS?0D\bXe܌1GYFEMhT[6ѩYy7T \7gTTTcצ2TxI;s[_@U =[=܋;}c\e ^f-1ثx g)C2^#s!? Ln3m^^kti(fѰ0 L[,lyEG%RJAC` 0F :ebr^Mz3 cJ\g{ۂ~Ge9LgѸ:=3E~}uw*aZ!%׫rXgWxozc|>[z0XjPtP9.wz0 9\Mhc{pfif#3SOxO<փ W=`#hxj"nh1)d'kI'60MÄ "5poq#yeәJpK8 g!0X^ZpTT/>%h72b59=ʧ=I~p <Ǹ0XVt*Nozgf?Pw/qsqT3t[?; o:ˌhT*.㉋۝ފY*>w'WGRXBYhI:ݫvH]:'ɊxYֿ`(XECh`bhP5]hZU%I#ov[b$- U.ɮRֺvᷮ gSXM*d.%rR++EiQ}&' CfGJ܄;66BKFslx61ͭ~?)