Lessons to Learn from Cisco vs. Lynn

Opinion: By suing the ISS researcher who disclosed their flaw, Cisco looks like a bully and draws extra attention to its vulnerability.

Cisco, those folks that make professional-style routers so beloved by Internet types, beat up a fellow trying to share some research (done while he was employed by Internet Security Systems) at the recent Black Hat security conference in Las Vegas.

Cisco filed a request on July 27 for a temporary restraining order in the U.S. District Court for the Northern District of California against Michael Lynn and the Black Hat organizers to prevent Lynn and Black Hat from "further disclosing proprietary information belonging to Cisco and ISS," as John Noh, a Cisco spokesman, put it.

Noh also said, according to reports, that "It is our belief that the information that Lynn presented at Black Hat is information that was illegally obtained and violated our intellectual property rights."

It appears that Lynn was involved in decompiling Cisco's software for research while he was employed at ISS, and Cisco thinks that kind of activity violated its rights. Lynn delivered a talk July 27 on IOS (the Cisco OS) shellcode that showed how, using a known vulnerability, attack code could be run on a router if one was directly (not remotely) connected to it.

ISS had decided two days earlier to pull the talk (at Cisco's urging), but Lynn resigned from ISS and went ahead with it anyway. The exploit involves a way, using IPv6, to fool the router into thinking that it is crashing, so that it does not initiate the shutdown sequence.

Jennifer Granick, who was the attorney for Lynn, noted on her blog that "The lawyers scrambled, and we were able to settle the case cheaply and expeditiously within 24 hours. … Mike's responsibilities under the settlement agreement are almost complete, and I expect the civil case to be dismissed very soon." There were also reports of FBI agents on the Black Hat conference floor asking questions about Lynn.

The flaw has been fixed in recent (since April) IOS releases, according to Cisco.


Further compounding the situation is the tactic that ISS is using against sites that have posted a PDF file describing the exploit. They have sent a cease-and-desist letter to Richard Forno and his InfoWarrior.org site, accusing Forno of publishing stolen proprietary information. Further legal action is threatened by the letter. Forno has pulled the slides from the site.

The big question surrounding this entire affair is: What constitutes "responsible disclosure"? Lynn thinks he should be allowed to talk about a security flaw that has been patched for months, even though it involves breaking an NDA, because of its critical nature.

Cisco customers are concerned about having to find out the true consequences of the flaw from a third party, rather than from Cisco. Cisco comes out of this affair looking like a major bully trying to hide a problem rather than confront it. And all the attention caused by the legal fluffing around can only draw attention to what otherwise might have been a quiet tech session.

It simply shows once again that security through obscurity will never work for anyone, not even Cisco.

Check out eWEEK.com's for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.