Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Where Does Truth Lie in Lynn/Cisco Case?



 By: Larry Seltzer
2005-08-01
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Opinion: Michael Lynn is an ambiguous hero at best. The information he revealed about flaws in Cisco's IOS needed to be disclosed at some point, but when and where was not his to say.

Theres general agreement among security researchers that disclosure of security vulnerabilities is a good thing. There isnt, however, agreement in the industry as to what full disclosure is and what the best practices are.

Some say that immediate and complete disclosure of all details, including exploit code, is the best thing. I hope most people recognize that this would be an insane path to tread. Instead, vendors generally subscribe to an even more ambiguously named standard, responsible disclosure. Fuzzily put, this means that researchers disclose their findings to the vendor/author of the product and give them a chance to investigate and fix problems and distribute the fixes before disclosing the vulnerability.

But these arent the only valid concerns for a researcher, as was illustrated in the recent case of now-former Internet Security Systems researcher Michael Lynn in his Black Hat presentation last week, during which he discussed his ISS-funded research into flaws in Ciscos Internetwork Operating System. Contracts and confidentiality are important too, and all indications are that Lynn blew off his companys obligations. This was not his job to do, and whoever hires him next should know they cant trust him with confidential materials. If youve seen the presentation (Ciscos trying its best to clean it up, but its easily available) youll notice that he quit his job first, but then he went on to give a presentation with slides that had ISS copyright notices all over them. Is this purely legalism? I dont think so.

I got the presentation off the Full-Disclosure list, where the person who sent it declared the old and trite motto "information wants to be free." First, lets do away with the flowery metaphors: Information wants nothing. People want information to be free. Of course they do, especially if its valuable information. I want gasoline to be free too, but its harder to steal than information, so my cliches go unspoken.

Resource Library:

Second, theres a difference between binding people to confidentiality agreements and censorship, and its somewhere near the difference between civil and criminal liability. If the government had ordered Black Hat and ISS and Lynn not to disclose the information, that would be censorship. There was some noise during all this about the FBI investigating Lynn; were he to be criminally prosecuted for disclosing this information that would be censorship. (Although consider the contemporaneous issue of the investigation of the leak of Valerie Plames name and status at the CIA; didnt that information "want to be free"?)

Lynn defends his decision to reveal details of the IOS flaw. Click here to read more.

Was there an attempt at responsible disclosure in the Lynn/Cisco case? Its hard to say, since there seems to be some obfuscation going on. I dont think Cisco is disclosing everything yet, even if, as we reported, they are disclosing a lot more than they had been. Cisco now discloses a vulnerability in IPv6 processing that could completely compromise a router. They list vulnerable and not vulnerable versions of their products.

As I understand the issue that Lynn discussed in his presentation, the real problem is not this specific vulnerability, which his presentation never actually refers to, but the fact that once you find such a vulnerability you can create a shell internally and execute what you want through it.

Lynn makes clear that conventional avenues of exploitation, like stack and heap overflows, are hard because Cisco is aware of them and goes to great lengths to avoid them. But its impossible to completely avoid them. Lynn is also clear that you can mitigate the problem by staying up to date on your IOS versions. This isnt because they fix the problem, just that newer versions make it harder to find and use known attack vectors, such as the IPv6 problem. Ciscos advisories dont really talk about the shell code problem, and they dont indicate that the "fixed" versions address it either.

So its hard to say whether either Cisco or Lynn violated responsible disclosure. The real issue is how long it has been since Cisco and Lynn understood the full import of the issue and whether they know if there has been any actual exploitation out there. We on the outside dont really know enough to judge this aspect of the situation until someone publishes a timeline.

Its also important to note that I dont actually know if any of Lynns claims are true. That Cisco is not directly denying them doesnt make them completely true, but it indicates that theres something to them and Cisco doesnt want to talk about it.

You may have noticed that Im talking about the same vulnerabilities I criticized Lynn for disclosing. This is part of that same distinction between censorship and confidentiality. I have no confidentiality agreement with Cisco, and the information is out there. Its possible to talk about it responsibly or otherwise. Its also responsible to ask if Cisco, after all that has happened, is serving their customers best interests at this point. If IOS has an architectural flaw that is not easily fixed, as many researchers now speculate, what can Cisco do to protect their customers?

Asking if Cisco is holding back on information, restricting myself to what I actually know and qualifying statements where necessary is, I hope, responsible and honest. Avoiding it would be like pretending Valerie Plame isnt really in the CIA.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

More from Larry Seltzer



  Reader Comments: Where Does Truth Lie in Lynn/Cisco Case?
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Larry Seltzer
 


x}kw⸲Z4C'ƘwBC/{{<1msO/g?q㭒9ӫRUT*I7~vv~/IVu [d>;{Y"I͝7o ݟ42J> ڮNF&!5MQ5~wT]1Z>u3Mq@nsz[Y|O l$oQP}d[TھoOé }! {>$|%hш("xLGk92Pn |! ЫVnxд[iPL}%jmdKG r(˪hih9f J|PbT9ȗ;}ްt3 k`Pf;9͞훟+J\.;gW}`h-v8Z(+.:^O.oa@ X_ȷ&D_@"QYT4.D SmbjJM7Jaߤ+A/ usL2,eB~9_CjyZ ՔedJ_X_KGɏ}=Úy> mdʹ,|S+C7k@B988m&To(2 W .͌Fx-Coo K. r &Ss~$M m}Κb.L2w<-K^\ʗV/PP(_(jJTw97cD qxz!TkI$$#'^IbGsQ Lj\GtW;Q]e KBMꇔ8]7Oۭ ]u/{]tZ0*=cq2Q`+EbXT7w A:} 5Kz ^(o+0rMt[ԒL0òÌNGs<ӁFSQ:u|>16eŞ!|Pe>mX= <7p}HO!¤pf8=Uuuә=Tԃ1E, i -D:ز=@XhQp\so0 [Sˁ@#` Vz>PY@YTum':(c >Gz:4Lp3P Hx9/Wr:@/@\JI1/"D' 0 tfG0E|GN B@7$W$_Kq/\fD0˛.Os$c{HX.%QYLp[̗/1JdAӴU QPס!ܲ%s 08.fXFZ1jwBa ús2QaS &$ V@h. ˄r&=6=gȪcTϑ* *)vKb[0r s2y0vݡN@Q.ju/gQMú[! eiF=՜s ;A|5 i!SL'YeoaƷ>b8`Owl{(`R rQV+j4%j<-B_Pe\Ƀ%30Qل͆2Ij6<:umk9zo곱Ķ'?[˟Q-C."P*ua5+ JMa&s8`5ߓq rb0~b=1ߝ;8Z'9:j-NKi{y^ؕ.[R\|zn H= 3ˉ^*1&T s]ՙt-RF_`EEX?~3;2Ne o٦iߧ3Ob#jI8R°f>v9& ƐI<*&lw妪+yƅ-/Gݎ,ߊ<s|o#12l3/6zvI% e2Q*L'd&B3٣M䱧2ۊϘ0RAq_8Qࢌ5<yx=`",;ȄZ+"&` Rթ6!0/7˃A%*LCf.O{E{c>t[e f,Ɗz*R֊Z587 E)W%Zf=1qL<B39Th/OpWrywM7ZOvo¦[HM9 S+0 .:# -rdsֽi>UOZҁЂ͹7u4s=X\h``">iV1HkTk %_=ʜuN"x썿YKۇ12E Ra5t 'w*1X=I(T\nƚ =VIyQw_/am(}gNq&mo^k9dқi9q,2d8F1 ;e9ز5,_ۂa0JnԹutL9s30Mk(,xg5DcC>A 򅃃AE+=G}T%2ԹSm'U`9nw=|R׳,*WPTČe橲o;Uwi;ԙ/E}!K`KXU,UUz, 9{R,#\xZ[g;ZXa\ kєXkxs)6-ܝ`dN|KOT064eD3_<r_ra)1uył5Q]h-pyr `P?f48ێVqDM"?R )02?0VJvH0jRX+JJY|a:pnɘَُ(%!h2MJ=xm5}uMOs 'xGl |ÙUΔ8T) %PjZԿۑNX\4\RRE$Axi3J%_-TˠK< JXxN+אT ҅ǗWXMl\ryxKLݯL$AD&!ܚVnF3,Պ 6ǟ c]uՇ~~(ٽzE5 VmJV~ZgZj1 Κb2 ;?RP77!)2i/.:>?節:Ns;aAVvvXj\/0J˓/\'0uԹhoA//t,P K1J^$IpW,ǽY jt.KFm}6x0^|Bn߽p.Z;Kyԫe[cw[wj .THCB[ȧ5 k3d<)M !eF:$Ms& THPa A`eZ'k.,zak5B\ _ǵ'7 M%u8aZxy~W kn~ oUktZ{|. L׀{*q]>'6ky60 `<AȥErɢgzF>g'u _f} rt4zUv:pR<<-x<" m{3خI'{OHDy ?9/{:IB@V)o ?"ȋdSݏkԛC21tZ.rڜSɶ~ O|12|Rla<E~c<-9ǀ `:c<5|@+,JAUbݩe3E)v\wb 6xc,xb1 ?ݞne)0±y7@|;=Ɇ'5];SuNԢMq9F=7FsYמmGMb[;؁/G.x9r o52"&Omfk;c bXeknOUB?K.}:﷯IS 09jJs $Thx9wnv{.xbQ/=!K3ƪo9q>rA;^:^_dx)?eN|ZX[q@CR3ۉ1%$(\[eK{CȊ̕S.{r> N&Zp~2&n_%3 Տ[^괨Ϡt44jjݵ1Kٽ:Trxo~T]eڰwߵ} }zمi#Jˢz5.q-kjyAJTklH ZGp\>VH2?LÕWc#ZU>9f0b_%L^ۯ Q3}%>}Kf2򌗿U5^Tzi dW6wA-*R${n)]xzwkm%t'+&c˲iu,%F_*w8[`($<^"=1TJB|U*6ksQW:RA.:NM^R}JJgb%"X"AX#flx 7g[HUzqѺI W%#$T'%k5AE5ۓ~I!a0># ~5> #|]9[PܼVS@f ʦS~y Sw\>'L% Z:6ujL  ¡|e2lAls{9rSyqOJD Atf1=C`@BDeSz7Ym DMSCSt 3Ӣw)|"&lIL%-q ͭo%A5IKZ_D̐K `[[[[ˇKJ^|Q$P J7']̥NU}Tk)k=#s.{eM Մ4W?߰ /?H, H|[ϯ{zEzԁLTc$c4 o -t-_@<_ aGⰱZ̓z%Ф~!axeƸ\k Î=Y"d 0Ѭ{;IS: 5a$ nPB#_y*‘p+[UPJmZRobK@.(I x܁Vqs=cK]"WNl$*놣aYNP<Yl`Y2u=Kxa8J鵙j>ĆIDUS-_'M_vf fˆ ~Gpgb`ffG/0?b6Waf|\[uH9Wd98u7`:----G僯<ڔXR҅03̷0)*m]/K=)&k|xy"A"Ό3" +~"m p_M_?FVCW\O@ pnҳ.crXw KwIݯOC77 u1`ló-{f[/]9 _ifWRILIsM/Vlū,4籏EJ{f;z~YCգ 8f/z>u<]VweƒmI% W^ߓtZV 5YZV,Rcd$o. FSe<5L~`pR? =|g#=8\bOQ] ~vAγYbz>ن&S_7.Ux ᅻ\-J '*Ls[xO& CTpݰE-{S7o.i 27,qE!T\-cli5L1'w"#l`?_,<~Vxrr49TF_@JtTr':-"Rﮔއ=9)Pft<^2KYm .KH\zCԷ@WGnŤ8y+o !v&(((v[_n'Q РC>x| [$0>Ho[x?PoW<#$HtK/Rv w;b_+TZ9t^XThW"/:1ŤW\' j [&#xnH@mgZ^YMTiRWNxQgޙB*ؠnMw(a,:D,YP’+CM\ I}8RF5 5A^ ;&B.Tj9D0NEV>N7"w9aձD]TbI2=^㿤nݩj.$ \9ћyћE\Hc}55P(5t=풷Zb !.'˘z 'O &^<Eh*@$:TE]L.U*ĚiXZ k>AhsL75܈Gbvmmz^CrJ[7܇tc]8^q=o7ݝB GnVuDfCSnW-I\j}Qa~ 103WD2"lMЗEh坔Ipʬ"ץ&F̾%D&0nRNSpqݗǶ jVR-wq9)icr] xmX?Օ>.," O:4gQ^(\.Jsmd kXу) d}cJ'.`{V,(#tA:?iG$`y`6z>ߞBDF]K,-}f1r ĪT,Boe%boi{u >X`)_ә!'tjBoG.v#rM-^xGyj,Z` ׶0z }DK:c 3K.lO/^9eEt[ݨIjwAf'9qM`srZe29 C5CaW~RL?ou\_eFҞ4k}MATЈ`\]==Zih&Ǵ5F;]|_%n)E/iSxPx O`L5b ҼڤշBCP |TًR<j^=56 Y@83qܖ.TdɹLC+ .'(ё8M;bx[WJ>jΣl9YhT!ɝ8d& {Ex@ X!slo+2'U}\H>K,1$.+23!jlulߴ?<:};oFxX2tQ BO90vNUq% 6aVAO{b0V)g~s,Q"MIաu珽ِ :>$|>[#GB)Wmr$G[Ѿ?q#s"~! g L-1dpqCT#0hbGBCOs+uǴ'1i`JÀ0'lt 7z>fSˈ'1Q3D0͘0,͜1;d Gn犩1j R-@c"U|8 nj\Jsz{T< +D:]R,("&go#C Q@ؐ͝$(*if0Rb(vP.\Nu8ԩ 4tHu<25|sPk7 >t`QG61T]oNM~rLl@s.aV;8PA<P,^eN4xP\{>_3\m~;Cd'8 K1c~ŭR͗'K]AnjxXQʱ/x*fE3LblӘ]ILQY^@pA##2dh8{߇;sKQkZ9h]]"k"6}8_w%9jwo+$>VuO>w>v.Wם>^Hf&cQ0,geXE)3]9ULj5WCZqxIxqD_1}ter5#U6e5ĂVzut6هu+s+at?gg:^9֣&[}uRLjs@qr>oIi.5+:qNyY_94;')_'?t.SN ?2͟{)埠sFEJ\)_4ߋ^.RswRA>/R"E>QG/SSϠ,P (H)LKПL.M b`_) *E>A~SR 忬/!E>BǴrc }Sw7i 7){ߤw"NR!(oY 'No\8G)L(E^iWAa uyR~)yv"^R4BK S[{?v'y CNWX=m _P^xڞqڭ&C)dq]l %^/ Q$HV CAX[LO0,z'ϊX'AW|w\YfuX+r1V鄘j ׋:w,y|=*U1==ux@ߝQY/]J =D7?剹?|Ka*[AFܻğaf50W.\vظ(q 2$>SG0GZ \\WܝZHPsrdmXoCd y^$N7\G,T+ WXv-JKC/c h;ayL4XV+q1Nla}k??}}:\޷Ck6m'S }MgLXV.)pA c0Ԓܤh=I"wMMw=jxO_vÅ͹D|31x>L74Hƙ JP()UTj%SnG;F&Ci>;CRL`F|]L-TR`"1 *sޣP`2_4U–` U/81C=b{hì[ƭop E1Хciȸ˘E͛YȌ IU7/ႽگHJDͶ%,j,N#vlOmw^͆$7$IǤStl'ήq'm'sFۙZC{KX&5(W#Zfb6@#dϽC!φE1<:n2[tgt:_=F.T'\0=oRx| b˺Y&K9Q- $ Tp]Onw¦&EL%O|w d^.#σQ,yC7Zr8=bՇ6^! iBЋ_uI{۽6F6ɪ1inBL -LÝ/`51DV\Œk,%`a5m"k n𪣧c@U?m oݫ655~ɑit(V) kDF(d#byT}^Y7RAu;6.6<T򌣜 h[8TgK\۞@ZWt&xb'/ՀPxm[_zbxfJ~Ʈ.' V_d~O~% n}]*l#YұߞR 4DO "Ntx9=|IN4'كt6p63ܐ}olI CWux r9E W9>O|0vGĦRy &qژLZ*,JNbx,/ k$⿞Н.Q -9!muy3;<v; sfC&+_2ҵE>v/-8GyJ1nP.! ,N(2y<-b7r/e[M ^X (K# LwEN85vKѪv"a^5oqCJ]3LA5*<g{**۶툡6r!*l XEڤZ-Qa[؞cP=xNTWyZ|DmU>m0ـE\X 5ı Ea1 +o= e6϶NN72"4#* $(jVI&;;uh6 L;l<ڕؐn/gs4bGP1LsQfoԝˆ'TUx|{[й"!ˣż"fD0ȮmN9*DD6~h(͸M(8,R67Wv!{lpFk-^<|%?l,8rbTwo$v)VS _Xћ\Q?14Uk<[}7Q?8[wpڟzT;oٍK(u?i3$CTE)34Mk++,ICYаd͸G2,~)]TqWj!~pʱe\ /@^y^jfd=R螘@c[}>OkeP|X*Rߑg}>j[  !DE9pzgۥc7SfÑ Z3*,DA)}j5? UK` VđMx)t_vۤw|=?' ƏJ} *1.;x W"d'vHGZ=*h fu4J֢3Sgn}3㒊xFEvYp :}`kbj1xk:@f!xd#Bšϻ"0 /n3O\©[foP@'%S=6@&#z.ZnB.6^3Yk6R7KmI6, 0uz҄APA*M~/C( tbtڤzY_&PSU 4@&,ѿbXg+\Mq ⻎֓#ᜀxwǏ2w{1!53FHr=̢ ʼn7@sfxͽ6 <҂΍OkcZ̧YmЮ=MtD6m ֶE|1?աi?80HC*u3 {JWP B?vbShD2H &D~p _ {r7>To;nIYb<1Zp2 /s'I/IuNn:|>bk xh;nF>Gۨu 7Oij6E oyIՈAIvJG% eY[+B|W d.Ix7 cJ)JS`0T{И-Ym v,}3:, 7=/ιĜc0Ůᯏ$MƝ78嶣4=wϋJ= o06vQ,W&Ǧ=T,o~Bz%:D#|NėkB@XxŠE|CLqx7?Oy/ —Owa \50a:cGm-;X#+ea}vޑϕz}7*RXBX-TwZI EBf<kǏcæ$p #Ltlͬ dMf>K2 MfWveG=s <\h-Hق!ٷА{ٗN[OWPB: zգ7z_ۇSnba<*iwޟWwϻׇ G*Q'RPDS\u'$!v w:9\W[̼mP3Ez[ [;HRl"$ oտ2&c}ar/Պ`mPZveغ^f6%}(|Pr qk+˔Kթ+w3+iFDOeV&Ze/ao wU: