
DefCon Day 1: Lynn Presentation Circulating on Internet

LAS VEGAS, July 29 -- The full, unedited version of Michael Lynn's controversial presentation on flaws he claims to have uncovered in the software powering Cisco Systems's widely used Internet routers has been posted on a series of Web sites, and copies of it are being freely exchanged at the DefCon hacker conference here. (I believe one reader posted a link in the comments area of a previous post, but I'll let you find it on your own.)

This is the same presentation, of course, that Cisco and Lynn's former employer, Internet Security Systems, obtained a court injunction to have destroyed (see previous posts).

One DefCon attendee who asked not to be named told me today that an international consortium of hackers is now working around the clock to write software code that could be used to exploit the flaw Lynn uncovered. I have not been able to confirm that, but everyone here is saying they expect an exploit to be released sometime in the next few days.

Rumors also are flying that Lynn is about to be charged with federal crimes for releasing the details of his research. Lynn declined to talk to me when I reached him on his cell. His lawyer, Jennifer Granick, confirmed that FBI agents were investigating the incident, but she said that Lynn had not yet been arrested or charged with any crime.

Lots of people here, including many who have real problems with what Lynn did and how he did it, acknowledge that if Lynn is charged it could very well discourage many security researchers from even approaching companies about vulnerabilities they have found in commercial software and hardware. In the end, this means the bad guys -- who are taking advantage of such flaws to break into companies, conduct cyber extortion and conduct espionage -- will be able to continue exploiting flaws.

By the way, a group of concerned hackers has set up a legal defense fund for Lynn. The PayPal account where anyone interested can send money is abbaddon@io.com.

By Brian Krebs  |  July 29, 2005; 11:13 PM ET

Comments

Just out of curiosity...when you work for a company and conduct your work using their resources (computer, electricity, etc.) and take money for doing so, generally, that company owns the fruits of your labors. When you quit (or get fired, as the case may be), do you then have the right to go public with the information you developed? Isn't this referred to as "intellectual property"?

Mr. Lynn could have handled things much differently...but of course, hindsight is 20/20. Looking back, say 10 yrs from now, I wonder how he's going to feel. Yes, he signed an employment contract and accepted money as payment for the work that he did...and at some point, he had to make the decision that his personal integrity meant less to him than something that could possibly happen...or perhaps better stated, would likely happen in the future.
Personally, that would have been a tough decision for me to make. Thinking about it, I might have gone about it a bit differently, but you know, I wasn't there and I'm not Mr. Lynn.

Best of luck to him.

H. Carvey (keydet89_at_yahoo_dot_com)
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Posted by: H. Carvey | August 2, 2005 4:50 PM

The entire point of and the primary reason for the Black Hat Security conference is for companies to send their employees to either: 1) give a presentation about a new security vulnerability, 2) learn about new security vulnerabilities, or 3) both present and learn about security vulnerabilities. It seems to me that CISCO could have done things differently and owned up to the idea that there is a vulnerability and made arrangements for it to be fixed. They could have turned this into a positive community thing. However, CISCO and now ISS are fighting the wrong battle and putting the public and their reputations at a far more dangerous risk by their "(crap)legal" actions. What the hell do you expect, CISCO? Get with the program!

Posted by: Tony Freeman | August 2, 2005 9:37 PM


© 2010 The Washington Post Company