Black Hat Day 2: Peace Breaks Out

LAS VEGAS, July 28 -- Michael Lynn, the security researcher whose talk yesterday about new flaws in Cisco Systems routers landed him in court this morning, has settled the legal dispute with Cisco and his former employer, Atlanta-based Internet Security Systems.

Under the terms of a permanent injunction signed by a federal judge this afternoon, Lynn will be forever barred from discussing the details about his research into the vulnerabilities he claimed to have discovered in the widely used Cisco hardware.

According to a copy of the injunction obtained by, the settlement also requires Lynn to "prepare complete mirror images of all computer data in his possession or control. ISS and Lynn shall appoint a third party forensic expert to verify, in the presence of ISS and Lynn (or his representative), on the mirror image, that Lynn has provided to ISS and/or Cisco any ISS- or Cisco-owned materials."

After said expert is done with the data, all of the Cisco-related information on Lynn's computer hard drive must be securely deleted. 

Black Hat Inc., the sponsor of the eponymous conference, was also targeted by the injunction and will be required to destroy any and all video recordings of Lynn's presentation.

The conference organizers were slated to hold a press conference about the whole mess this afternoon. I will file an update if the briefing adds anything substantial to the story. But the fact that Lynn, Cisco and ISS have made peace won't satisfy the security experts gathered here. What more can the companies disclose about Lynn's research? If the flaw is indeed serious, when will a patch be made available, and how will they work with Cisco's huge customer roster to make sure the fixes are rolled out quickly and efficiently?

The whole background on this controversy can be read in my postings from yesterday: "A Cover Up?", "Update on Cisco-gate" and "The Latest on Lynn and Cisco."

By Brian Krebs  |  July 28, 2005; 10:16 PM ET


This article is not quite correct. These are not "new flaws", these are issues that have (probably) always existed within Cisco firmware. Flaws in code are nothing new; what makes this unique is that prior to Lynn's research, nobody had published a way to take a specific type of vulnerability called a buffer overflow and exploit it further to give a command shell. Methodologies for doing this have existed on other platforms for (literally) decades.

Hiding the details of this research doesn't make anyone safer; we must assume that others have already found this information. All it does is make it harder for people to assess their own risk, which makes it harder to mitigate.

Posted by: Anonymous | July 29, 2005 5:51 AM | Report abuse

So now instead of Fermat's Last Theorem we're gonna have Lynn's Last Exploit

Posted by: roland | July 29, 2005 9:55 AM | Report abuse

Nice one, Cisco. Nice, ISS. Really nice.

Security by obscurity.

How often have we not heard the likes of Schneier and Ranum denounce this practice, and suddenly here we have two MAJOR security players practicing and condoning the very same flawed strategy!

What have we now? Mr Lynn has made his presentation to Black Hat, and a few (10? 50? 100?) people have been lucky enough to have attended. They know the procedure now, so they can exploit the next buffer overflow vulnerability in a Cisco product far enough to get a command shell. The rest of the community can't, and as of now we do not understand the process described by Mr Lynn.

But the hacker underground soon will. And we all know how knowledge works: once people know that something is possible, more and more people will figure it out, eventually. Most of these will be black hats, and soon we'll have a few scripts circulating on newsgroups and bulletin boards.

Cisco and ISS, can you see where this leaves us, your meal tickets? VERY VULNERABLE INDEED.

I am disgusted that Cisco should make itself guilty of this practice, and even more so that ISS should support them in keeping the method under wraps. Shame on you, and a curse.

I believe that customers and consumers should pressurize vendors into following the practices we want them to follow by voting with our wallets.

The mob I work for, for one, will be avoiding security products from either Cisco or ISS from now on.

So should others.

Posted by: Johann | July 29, 2005 11:02 AM | Report abuse

And if it's already supposedly been fixed then why try to hide it? Hiding behind an injunction for flaws in your product is like serving the scientific community with an injunction and telling them to forget everything they know about the atomic bomb. It didn't work then and it won't work now.
Cisco, if you are that insecure about your product design then maybe it's time we stop using Cisco products.
ISS, are you or are you not a security vendor? If you have knowledge of a flaw and bow down to Cisco not to reveal it, then what's the purpose of subscribing to your services? Will you only publish what the vendors want you to publish? That is useless and so is your company. If you have any gonads at all you will rehire Mr. Lynn, as he seems like the only one in your company that's worth having.

Fred Dunn

Posted by: If there's a flaw, fix it... | July 29, 2005 1:56 PM | Report abuse


© 2010 The Washington Post Company