The cybersecurity world is buzzing with news about Cisco’s attempt to silence Michael Lynn’s discussion of a serious security flaw in the company’s product. Here’s the chronology, which I have pieced together from news reports (so the obvious caveats apply):
Michael Lynn worked for ISS, a company that sells security scanning software. In the course of his work, he found a serious security flaw in IOS, the operating system that runs on Cisco’s routers. (Routers are specialized computers that shunt Internet packets from link to link, getting them gradually from source to destination. Cisco is the leading maker of routers.)
It has long been believed that a buffer overflow bug (one of the most common kinds of security bug) in IOS could be exploited by a remote party to crash the router, a denial of service, but not to seize control of it. What Lynn discovered is a way for an attacker to leverage a buffer overflow bug in IOS into full control over the router. Buffer overflow bugs are common, and Cisco routers carry much of the Internet's traffic, so this is a big problem.
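The crash-versus-control distinction above is the general stack-overflow story: a copy bounded by the input rather than by the destination spills into whatever sits after the buffer, and if that is control data (a saved return address), an attacker who chooses the overflowing bytes chooses where execution resumes, while random garbage there merely crashes the program. The C below is an added example that models this; it is written for this page, not taken from it or from Lynn's work. The frame layout, buffer size, return-address constant and attack string are all constructed, and nothing here describes how IOS lays out its memory or what Lynn's actual technique was.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a stack frame: a fixed-size input buffer followed,
 * as on most real stacks, by control data (here a saved return address).
 * This is an added illustration of the generic overflow principle only;
 * it models nothing about IOS internals or Lynn's technique. */
#define BUF_SIZE 16
#define FRAME_SIZE (BUF_SIZE + sizeof(uint64_t))

/* Constructed: the caller's legitimate return address. */
#define LEGIT_RETURN 0x0000000000401000ULL

enum copy_result { COPY_OK = 0, COPY_TRUNCATED = 1 };

static void frame_init(unsigned char *frame) {
    uint64_t ret = LEGIT_RETURN;
    memset(frame, 0, FRAME_SIZE);
    memcpy(frame + BUF_SIZE, &ret, sizeof ret);   /* control data after the buffer */
}

static uint64_t saved_return(const unsigned char *frame) {
    uint64_t ret;
    memcpy(&ret, frame + BUF_SIZE, sizeof ret);
    return ret;
}

/* Vulnerable pattern: the copy is bounded by the input, not by the buffer,
 * which is what strcpy() into a fixed array does. The model stops at the
 * end of the modeled frame only so this demo itself stays defined; a real
 * unbounded copy keeps writing past it. */
static void unsafe_copy(unsigned char *frame, const char *input) {
    size_t n = strlen(input);
    if (n > FRAME_SIZE)
        n = FRAME_SIZE;
    memcpy(frame, input, n);
}

/* Hardened pattern: bound the copy by the destination and always terminate. */
static enum copy_result safe_copy(unsigned char *frame, const char *input) {
    size_t n = strlen(input);
    size_t limit = BUF_SIZE - 1;                /* leave room for the NUL */
    size_t copied = n < limit ? n : limit;
    memcpy(frame, input, copied);
    frame[copied] = '\0';
    return n <= limit ? COPY_OK : COPY_TRUNCATED;
}

/* Feed an input through the vulnerable copy and report what the saved
 * return address looks like afterwards. */
uint64_t return_after_unsafe_copy(const char *input) {
    unsigned char frame[FRAME_SIZE];
    frame_init(frame);
    unsafe_copy(frame, input);
    return saved_return(frame);
}

/* Same for the hardened copy; also reports whether the input was cut short. */
uint64_t return_after_safe_copy(const char *input, enum copy_result *res) {
    unsigned char frame[FRAME_SIZE];
    frame_init(frame);
    *res = safe_copy(frame, input);
    return saved_return(frame);
}

/* Constructed attack input: 16 filler bytes, then 8 attacker-chosen bytes
 * ('B') that land exactly on the saved return slot. */
static const char *ATTACK = "AAAAAAAAAAAAAAAA" "BBBBBBBB";

int main(void) {
    enum copy_result r;
    printf("unsafe, benign input: 0x%llx\n",
           (unsigned long long)return_after_unsafe_copy("GET /index.html"));
    printf("unsafe, attack input: 0x%llx\n",
           (unsigned long long)return_after_unsafe_copy(ATTACK));
    printf("safe,   attack input: 0x%llx (truncated=%d)\n",
           (unsigned long long)return_after_safe_copy(ATTACK, &r),
           r == COPY_TRUNCATED);
    return 0;
}
```

Compile with any C99 compiler and run: the benign request leaves the saved address at 0x401000, the 24-byte input replaces it with 0x4242424242424242 (every byte attacker-controlled, which is the difference between a crash and a hijack), and the bounded copy truncates the input and leaves the control data untouched.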
Lynn was planning to discuss this in a presentation Wednesday at the Black Hat conference. At the last minute Cisco convinced ISS (Lynn’s employer) to cancel the talk. Cisco employees ripped Lynn’s paper out of every copy of the already-printed conference proceedings, and ISS ordered Lynn to talk about another topic during his already-scheduled slot in the Black Hat conference schedule.
Lynn quit his ISS job and gave a presentation about the Cisco flaw.
Cisco ran to court, asking for an injunction barring Lynn from further disclosing the information. They argued that the information was a trade secret and Lynn had obtained it illegally by reverse engineering.
The parties have now agreed that Lynn will destroy any documents or files he has on the topic, and will refrain from disclosing the information to anyone. The Black Hat organizers will destroy their videotape of Lynn’s presentation.
What distinguishes this from the standard “vendor tries to silence security researcher” narrative is the role of ISS. Recall that Lynn did his research as an ISS employee. This kind of research is critical to ISS’s business – it has to know about flaws before it can help protect its customers from them. Which means that ISS can’t be happy with the assertion that the research done in ISS’s lab was illegal.
So it looks like all of the parties lose. Cisco failed to cover up its security vulnerability, and only drew more attention with the legal threats. Lynn is out of a job. And ISS is the big loser, with its research enterprise potentially at risk.
The public, on the other hand, got useful information about the (in)security of the Internet infrastructure. Despite Cisco’s legal action, the information is out there – Lynn’s PowerPoint presentation is already available at Cryptome.
[Updated at 11:10 AM with minor modification to the description of what Lynn discovered, and to add the last sentence about the information reaching the public via Cryptome.]
Update (1:10 PM): The FBI is investigating whether Lynn committed a crime by giving his talk. The possible crime, apparently, was the alleged disclosure of ISS trade secrets.
Cisco can still spin this to their advantage. They should be promoting this exploit as The Backdoor of Democracy as it may be the security hole that will allow Chinese citizens to have free access to the world wide web! Obviously, they don’t want anyone bruiting this about, the Chinese government might insist that they fix it! Let’s just see who gets there first, the Chinese government or Falun Gong.
Cisco is upset that (according to them) he presented this work before the normal disclosure process was finished. ISS is upset for the same reasons, since they probably lost the PR value of announcing this through their X-Force releases and since they are dependent on good relations with vendors like Cisco.
Unfortunately, no one will be fighting this on the most important issue — EULA validity, especially in the area of “no reverse engineering” clauses. Instead we get the side complaints that he used info developed on ISS’s dime in a way not authorized by his company.
The actual technical information is inconsequential — it’s a logical extension of FX’s previous work on Cisco overflows (see Phrack). You still need to find a new stack or heap overflow to use his techniques.
If he’s any good (haven’t heard of him before), he’ll end up at a real company like eEye or Immunity where they push vendors to actually respond in a timely manner to security findings. ISS is too closely related with vendors to have any real clout in vulnerability disclosure. (They have to partner with them for Proventia deployments).