Researcher Defends Decision to Spill Beans on IOS Flaw

Federal Court orders Michael Lynn to stop working on IOS and surrender all related materials. Meanwhile, Lynn acknowledges that he deceived organizers of Black Hat Briefings about his controversial presentation.

A former Internet Security Systems Inc. researcher sued by Cisco Systems Inc. and ISS after he revealed details of a serious flaw in Cisco's Internetwork Operating System (IOS) responded to the lawsuit Thursday. He said he was complying with a Federal District Court order to stop talking about the flaw, but that he did not regret breaking ranks with his employer and disclosing the hole.

Michael Lynn, the researcher who provoked a firestorm of controversy on Wednesday with his presentation on IOS at the Black Hat Briefings conference in Las Vegas, said he thinks he did "the right thing" by publicizing the hole.

"It was pretty scary, but the real important message was the potential for a serious problem coming in the future," he said.

Lynn's comments came on the same day that a Federal District Court in California issued a permanent injunction against him and Black Hat. The injunction instructed Lynn to surrender all information on the IOS vulnerability to Cisco and to refrain from working with or reverse engineering Cisco code in the future.

Lynn was also instructed to provide ISS and Cisco with the names of any individuals with whom he shared vulnerability data. Lynn said on Thursday that he had not shared the vulnerability information with anyone else.

In a statement, Cisco said Thursday that the company was "gratified with the court's actions" in issuing the injunction against Lynn and Black Hat, and that Cisco and ISS took legal action only as a "last resort, to stop continued irresponsible public disclosure of illegally obtained proprietary information."


Lynn's talk, "The Holy Grail: Cisco IOS Shellcode and Remote Execution," concerned research he did into flaws in IOS that could allow attackers to amplify the effects of existing vulnerabilities in IOS.

Lynn's strategy could potentially give remote attackers access to the IOS "shell," from which the attacker could control the device. With control of a Cisco router running IOS, for example, attackers could control or snoop on the content of network traffic passing through the device, Lynn said.

A last-minute decision by ISS and Cisco to withdraw the IOS presentation led to a dramatic series of events. Cisco sent representatives to Las Vegas who physically removed copies of Lynn's presentation from the conference materials, going so far as to rip around 20 pages from the printed conference proceedings and to demand that CDs containing a copy of the presentation not be distributed.

In a press conference at Black Hat on Thursday, Lynn acknowledged that he had deceived show organizers and ISS on Wednesday, telling them he intended to comply with the request not to speak about the IOS flaw. Once in front of the packed conference hall, however, Lynn announced that he had quit ISS and would discuss the hole, and he proceeded to give the full presentation on the IOS flaw to the cheers of the audience.

On Wednesday, Cisco and ISS filed a joint lawsuit in U.S. District Court in San Jose, Calif., charging Lynn and Black Hat with copyright infringement, misappropriation of trade secrets and breach of contract. The companies also obtained a temporary restraining order against Lynn and Black Hat to prevent them from discussing the flaw in IOS.

In the statement Thursday, Cisco said it would not take further legal action against Lynn once he and Black Hat comply with the terms of the injunction.


Cisco and ISS said they turned to legal action only as a last resort, to protect Cisco's proprietary code and because Lynn and Black Hat were acting outside of "industry best practices" and in a manner that would "harm the Internet."

Lynn disagreed, saying that his presentation did not reveal details that would enable anyone to exploit the IOS weakness. His point in giving the talk, he said, was to show IT experts that routers, which form the backbone of the global Internet, are just as vulnerable to software exploits as the hosts behind them.

"The important thing is that vulnerabilities can be seriously exploited on network infrastructure," he said.

Questions still surround the events of Tuesday and Wednesday. Lynn and Black Hat CEO Jeff Moss portrayed the last-minute move to purge the presentation from show materials as the result of botched communication and decision-making on the part of ISS and Cisco executives.

A Cisco spokesman contested those charges, suggested that company officials had been intentionally kept in the dark about the presentation, and pointed to Lynn's own admission that he had deceived ISS and Black Hat organizers before giving it.

Still, a Cisco spokesman expressed hope Thursday that the story, in which Cisco was often portrayed as a Goliath to Lynn's David, was winding down.

"We're not out to get Michael Lynn. We want to get beyond this," the spokesman said.

While Lynn would not comment on whether he was out of the woods legally, he did say that he was hoping to move on. "What's next? I'd like to find a job," he said.

Check out eWEEK.com for the latest security news, reviews and analysis, and for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's Weblog.