Network News

X My Profile
View More Activity

Black Hat Day 1: A Cover Up?

Blackhat_wpni_1LAS VEGAS, July 27: One of the primary reasons companies send their computer security experts to the annual Black Hat security conference here is to learn about new security vulnerabilities that bad guys could use to disrupt Internet communications that most of us rely upon to send e-mail and browse the Web.

The most popular speakers at the gathering typically are security researchers who have discovered new flaws in the hardware and software designed to ensure that the Web page you request is the same one that is served, and that your e-mail gets routed to its destination without incident.

The first "scandal" to emerge from Black Hat 2005 (so far, at least) is the omission of some 30 pages of text from the 1,000-page-plus conference presentation materials, which were handed out to conference attendees when they registered on Tuesday. The missing pages -- literally ripped from the massive handout -- apparently detailed the specifics of a serious security flaw present in Cisco Systems routers, devices that route the majority of Internet traffic on the Web today.

Michael Lynn, a researcher for Atlanta-based Internet Security Systems, was slated to follow the conference's keynote address Wednesday with a discussion of the Cisco hardware flaw. As of this writing, however, none of the conference organizers knew whether Lynn was expected to even show up, much less present his findings.

People close to the situation say the incident highlights the constant tension between security researchers who discover bugs in widely used technology and the companies that make those products. Neither Lynn nor Cisco officials were immediately available for comment. It's only the conference's first day, however, so I'll continue to try to find out more about this flaw.

The only "official" comment on the missing pages on the Cisco flaw was a photographed copy of a notice distributed with each bundle of conference materials. The notice states: "Due to some last minute changes beyond Black Hat's control, and at the request of the presenter, the included materials aren't up to the standards Black Hat tries to meet. Black Hat will be the first to apologize. We hope the vendors involved will follow suit."

I'll be following suit too ...

By Brian Krebs  |  July 27, 2005; 5:52 AM ET
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Paying a Bounty for Security Flaws
Next: Black Hat Day 1: Update on Cisco-gate


I'm fairly impressed that you're covering this event. It's rare to see a mainstream newspaper cover one of these events, and it's even rarer to see them do so in an even-handed way. So thanks for your coverage, and I hope you have a interesting and educational experience.

Posted by: Yacine | July 27, 2005 9:45 AM | Report abuse

I was also surprised - pleasantly surprised - that WP was covering Black Hat. I look forward to reading more!

Posted by: Anonymous | July 27, 2005 10:32 AM | Report abuse

Note that Mike Lynn was going to present on exploiting IOS to use vulnerabilities in code to run arbitrary code of the attacker's choosing. This is a huge deal, since a problem with IOS that was formerly limited to a DoS could be leveraged to add configuration commands to the IOS configuration, or other nasty things.

Posted by: Joshua Wright | July 27, 2005 11:32 AM | Report abuse

Glad you are there, looking forward to your very informative articles and thanks to the WP for sending you!

Posted by: Jamboe | July 27, 2005 11:44 AM | Report abuse

I was really (pleasantly) surprised to see a BlackHat article as a headline on the article as well. Thanks for your coverage.

Posted by: Anonymous | July 27, 2005 12:07 PM | Report abuse

Interesting post. Hurray to the post for covering such an important yet little known event.

Posted by: Micka | July 27, 2005 2:38 PM | Report abuse

The Blog that was referenced above statest that Mike Lynn was able to present after all. Care to give an update?
Also.. I'd like to echo the folks in saying thank you for covering Black Hat.

Posted by: Conchubor | July 27, 2005 3:54 PM | Report abuse

Conchubor :

Thanks for visiting!

I posted a link to a CRN article a few minutes ago which covers the most current info.

Posted by: k | July 27, 2005 4:10 PM | Report abuse

Mikes' put a great deal of work into exploring the posssible exploitation of cisco routers. He was going to make his incredible work public (Without giving out to much information to the general public). It's his right to. This is a field that has already been explored by previous hackers (phenoelite's Ultima Ratio project) but had only been advanced so far. Mike's outstanding research was going to both prove that it is possible to spawn a remote connection of a IOS-shell to a foriegn host via heap overflows without having the router crash/reload IOS software. It is important that information like this be made public. This way other security researches can study, learn, and guard against such attacks in the future. Also, a great deal of the time if vulnerablities like this are not made public they are not handled by vendors (as can be seen by the recent articles on Oracles failure to fix vulns after some 500+ days of notification). The notification of vendors and awaited public disclosure has proven to be one of the most effective ways to increase security as a whole. Just look at how much security has increased in just the past 5 years. Mike is a hero trying to be silenced by corp giants. He deserves the utmost respect for his remarkable work.

Posted by: xort | July 27, 2005 5:03 PM | Report abuse

I've heard (read: this is hearsay!) that Cisco threatened the conference organizer, Jeff Moss, with some sort of restraining order. Has anyone else heard this / can anyone confirm this? And does anyone else know if DMCA was invoked as the legal method to do so? The entire playing field of vulnerability research is in quite a bit of flux right now, with commercial funding models on one side, irresponsibility on the other (*cough* Oracle *cough* *cough*), and things like DMCA threatening to drive research back underground. What a mess. Thanks for covering this though, as it's more relevant than many realize, I fear.

Posted by: gshipley | July 27, 2005 6:32 PM | Report abuse

I passed Mike in the hallway after having lunch with Brian and Mike indicated that he has a meeting this afternoon with the EFF. He expects to lose this battle. Although I for one am in awe of his admirable ethical stance.

Posted by: Myrcurial | July 27, 2005 6:58 PM | Report abuse

Nice work covering this developing story. Cisco/ISS have successfully bit the hand that feeds them. I feel sorry for the other security researchers that still work at ISS. What a major tactical and strategic blunder by both Cisco and ISS.

Posted by: Anonymous | July 27, 2005 11:46 PM | Report abuse

Another vast right-wing conspiracy.

Posted by: googliegoogle | July 28, 2005 4:45 PM | Report abuse

who's got the torrent of the presentation???

Posted by: who? | July 28, 2005 6:24 PM | Report abuse

Does anyone has the presentation?

Posted by: Anonymous | July 29, 2005 3:19 AM | Report abuse

Kudos to Mr Lynn; a curse on both Cisco and ISS for wanting to cover things up. Not gewd, I say, and a perfect reason to avoid their security products.

Posted by: Johann | July 29, 2005 10:47 AM | Report abuse

Please, someone who got mr. Lynn's material (I think it is BH_US_05-Lynn.pdf) would be so kind to foward it to "" or "" ? I'm a system admin and I'm concerned about the security of my cisco routers.

Thank you very much.

Posted by: acdsp | July 29, 2005 12:51 PM | Report abuse

if anyone is interested, there's an unedited copy of the original Lynnn presentation at

Posted by: Anonymous | July 29, 2005 3:34 PM | Report abuse

Here is the URL for the presentations:

and another talk about this at Defcon:

Posted by: SecurityGuy | July 30, 2005 11:30 PM | Report abuse

Did Michael Lynn was fired from ISS because of this incident?

Posted by: Chrimo | August 1, 2005 11:42 AM | Report abuse

you can also get them hosted at my website on the front page at

Posted by: nrotschafer | August 1, 2005 3:18 PM | Report abuse

I have seen them at also...

Posted by: Anonymous | August 1, 2005 3:19 PM | Report abuse

Googlie Google = dumba$$. This has nothing to do with U.S. politics. Cisco doesn't want to ruin their reputation and would do anything to keep it - even involving lawyers. Funny, they're using left-wing tactics to shut the public up.

Posted by: Anonymous | August 1, 2005 7:06 PM | Report abuse

Googlie Google = dumba$$. This has nothing to do with U.S. politics. Cisco doesn't want to ruin their reputation and would do anything to keep it - even involving lawyers. Funny, they're using left-wing tactics to shut the public up.

Posted by: GooglieGoogleIdiot | August 1, 2005 7:08 PM | Report abuse

Perhaps Mr. Lynn would have been better served by discussing this security threat with the vendor as opposed to opening it up to a known hacker crowd @ black hat. It's incredibly irresponsible in my ever so humble opinion. Since he was aware of the vulnerability, and the publicity that he created, the "fear" that he had by announcing it to the world will only serve to exploit the flaw as opposed to actually protecting those that he claims were at risk
It's pathetic at best

Posted by: Lynn-sucks | August 1, 2005 8:53 PM | Report abuse

Abaddon absolutely did the right thing. Cisco's position that this is fixed is absolutely incorrect. What they have done is made sure that new systems are not vulnerable from the XML vector for any new equipment. They have severely underplayed the potential for disaster here and made no active effort at all to strongly encourage their federal customers fix this immediately. Shame on them for letting it get this far. I am not sure what the basis of ISS's claim that they have a fix for this is based on. Are they going to put a Proventia box in front of the router? Shame on ISS for letting a vendor sweep this under. While Cisco has a big problem with its gear and IOS, ISS has a far bigger problem in that the trust level they have developed over the years is absolutely gone. Matters of national security cannot be driven by corporate greed. It was bad enough when Enron destroyed the peoples ability to retire. Mike has made the single strongest case for open source and full disclosure. I too have known Mike for years and I am immensely proud of him. People are not harping on the real problem, that being that once virtual processes are an integral part of IOS this will be easy to script and worm.

Posted by: Warguppy | August 2, 2005 3:24 AM | Report abuse

Your site is realy very interesting.

Posted by: Online casino | April 14, 2006 10:17 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company