
    Researcher Defends Decision to Spill Beans on IOS Flaw

    By Paul F. Roberts - July 29, 2005

      A former Internet Security Systems Inc. researcher sued by Cisco Systems Inc. and ISS after he revealed details of a serious flaw in Cisco's Internetwork Operating System (IOS) responded to the lawsuit Thursday, saying that he was complying with a Federal District Court order to stop talking about the flaw but did not regret breaking ranks with his employer and disclosing the hole.

      Michael Lynn, the researcher who provoked a firestorm of controversy on Wednesday with his presentation on IOS at the Black Hat Briefings conference in Las Vegas, said he thinks he did "the right thing" by publicizing the hole.

      “It was pretty scary, but the real important message was the potential for a serious problem coming in the future,” he said.

      Lynn's comments came on the same day that a Federal District Court in California issued a permanent injunction against him and Black Hat. The injunction instructed Lynn to surrender all information on the IOS vulnerability to Cisco and to refrain from working with or reverse engineering Cisco code in the future.

      Lynn was also instructed to provide ISS and Cisco with the names of any individuals with whom he shared vulnerability data. Lynn said on Thursday that he had not shared the vulnerability information with anyone else.

      In a statement, Cisco said Thursday that the company was "gratified with the court's actions" in issuing the injunction against Lynn and Black Hat, and that Cisco and ISS took legal action only as a "last resort, to stop continued irresponsible public disclosure of illegally obtained proprietary information."


      Lynn's talk, "The Holy Grail: Cisco IOS Shellcode and Remote Execution," concerned research he did into weaknesses in IOS that could allow attackers to amplify the effects of existing IOS vulnerabilities.

      Lynn's technique could potentially give remote attackers access to the IOS "shell," from which the attacker could control the device. With control of a Cisco router running IOS, for example, attackers could control or snoop on the network traffic passing through the device, Lynn said.

      A last-minute decision by ISS and Cisco to withdraw the IOS presentation led to a dramatic series of events: Cisco sent representatives to Las Vegas who physically removed copies of Lynn's presentation from the conference materials, going so far as to rip around 20 pages from the conference proceedings and demanding that CDs containing a copy of the presentation not be distributed.

      In a press conference at Black Hat on Thursday, Lynn acknowledged that he had deceived show organizers and ISS on Wednesday by telling them he intended to comply with the request not to speak about the IOS flaw. Once in front of the audience, however, Lynn announced that he had quit ISS and would discuss the hole, and he proceeded to give the full presentation on the IOS flaw to the cheers of a packed conference hall.

      On Wednesday, Cisco and ISS filed a joint lawsuit in U.S. District Court in San Jose, Calif., charging Lynn and Black Hat with copyright infringement, misappropriation of trade secrets and breach of contract. The companies also obtained a temporary restraining order against Lynn and Black Hat to prevent them from discussing the flaw in IOS.

      In the statement Thursday, Cisco said it would not take further legal action against Lynn once he and Black Hat comply with the terms of the injunction.


      Cisco and ISS stated that they turned to legal action only as a last resort, to protect Cisco's proprietary code and because Lynn and Black Hat were acting outside of "industry best practices" and in a manner that would "harm the Internet."

      Lynn disagreed, saying that he did not reveal details in his presentation that would enable anyone to exploit the IOS weakness. He said his point in giving the talk was to show IT experts that routers, which are the backbone of the global Internet, are also vulnerable to software exploits.

      “The important thing is that vulnerabilities can be seriously exploited on network infrastructure,” he said.

      Questions still surround the events of Tuesday and Wednesday. Lynn and Black Hat CEO Jeff Moss portrayed the last-minute move to purge the presentation from the show materials as the result of botched communication and decision making on the part of ISS and Cisco executives.

      A Cisco spokesman contested those charges, suggested that company officials were intentionally kept in the dark about the presentation, and noted Lynn's own admission that he had deceived ISS and Black Hat organizers before giving his presentation.

      Still, a Cisco spokesman expressed hope Thursday that the story, in which Cisco was often portrayed as a Goliath to Lynn's David, was winding down.

      "We're not out to get Michael Lynn. We want to get beyond this," the spokesman said.

      While Lynn would not comment on whether he was out of the woods legally, he did say that he was hoping to move on. "What's next? I'd like to find a job," he said.
