Wednesday, July 27, 2005
Security researcher quits job and blows whistle on Cisco’s fatal flaws (BoingBoing)
Michael Lynn is a security researcher who worked at the security firm ISS until yesterday. Now he’s under a restraining order from Cisco, arising from his disclosure of critical flaws in Cisco’s routers that threaten the world’s information infrastructure.
Lynn had found a buffer overflow exploit that lets an attacker take absolute control over Cisco routers. He sent the details to Cisco in April, but they still have not fully repaired the vulnerability. Since many of the world’s key routers are supplied by Cisco, this means Cisco’s foot-dragging places large parts of the world’s information infrastructure at grave risk of collapse. (more…)
Friday, July 29, 2005
Michael Lynn’s controversial Cisco security presentation (BoingBoing)
Here’s a PDF that purports to be Michael Lynn’s presentation on Cisco’s critical vulnerabilities (“The Holy Grail: Cisco IOS Shellcode And Exploitation Techniques”), delivered at last week’s Black Hat conference. Lynn’s employer, ISS, wouldn’t let him deliver the talk (they’d been leant on by Cisco), so Lynn quit his job, walked onstage and delivered it anyway. (more…)
Friday, July 29, 2005
Cisco Harasses Security Researcher (Schneier on Security)
I’ve written about full disclosure, and how disclosing security vulnerabilities is our best mechanism for improving security — especially in a free-market system. (That essay is also worth reading for a general discussion of the security trade-offs.) I’ve also written about how security companies treat vulnerabilities as public-relations problems first and technical problems second. This week at BlackHat, security researcher Michael Lynn and Cisco demonstrated both points. (more…)
Whistleblower Faces FBI Probe (Wired News)
LAS VEGAS — The FBI is investigating a computer security researcher for criminal conduct after he revealed that critical routers supporting the internet and many networks have a serious software flaw that could allow someone to crash or take control of them.
Mike Lynn, a former researcher at Internet Security Systems, or ISS, said he was tipped off late Thursday night that the FBI was investigating him for violating trade secrets belonging to his former employer.
Lynn resigned from ISS Wednesday morning after his company and Cisco threatened to sue him if he spoke at the Black Hat security conference in Las Vegas about a serious vulnerability he found while reverse-engineering the operating system in Cisco routers. He said he conducted the reverse-engineering at the request of his company, which was concerned that Cisco wasn’t being forthright about a recent fix it had made to its operating system.
Lynn spoke anyway, discussing the flaw in Cisco IOS, the operating system that runs on Cisco routers, which are responsible for transferring data over much of the internet and private networks. (more…)
Saturday, July 30, 2005
Mike Lynn presentation mirrors and legal fund (BoingBoing)
You-all have come through with many, many mirrors for Mike Lynn’s controversial Black Hat presentation in which he quit his job, described critical vulnerabilities in Cisco equipment and got sued by his employer, the candyasses at ISS. See the end of the post for lots of links — the paranoid among you can verify mirrors via this MD5 hash: 559942447c88086fa1304c38f9d0242c. (more…)