On Aug 10, 2005, at 6:13 AM, Michael.Dillon@btradianz.com wrote:
What techniques are you referencing? The technique Lynn demonstrated has not been seen anywhere in the wild, as far as I know. Neither he nor ISS ever made the source code available to anyone outside of Cisco or ISS. What publication are you referring to?
> Didn't Lynn come out and say flat out that he'd found a lot of information on a Chinese website (with the implication that the website had even more information than what he presented)?
> A black hat who is not Chinese has published some slides with far more explicit step-by-step details of how to crack IOS using the techniques that Lynn glossed over in his presentation. This person also claims to have source code available on his website for download, but I didn't look to know for sure.
I desperately hope you are not referring to Raven Alder's presentation at Defcon following Black Hat. If so, I think "far more explicit step-by-step" is quite an overcharacterization of what she presented. If not, once again, I'd ask you to cite sources rather than make broad sweeping statements about what is already available. Appealing to some anonymous authority in order to claim the sky is falling is hardly endearing.
> Since all blackhats tend to communicate with each other to share ideas and to brag about their exploits, it is entirely possible that this Cisco exploit began in China.
That's a fairly bold statement. I'd also hesitate to label Lynn as a black hat, as his actions (notification of the vendor, confirmation of a patch, and release) are not characteristic of a black hat. I'd suggest that generalization is incorrect in any case; researchers of any hat, in my experience, keep their secrets amongst a small group.
> It is a nice myth to believe that a company like ISS does all their own work in-house and that their employees are all super gurus. But I would hope that most of you realize this is not true. Companies like ISS leverage the work of blackhats just like any hacker does. That's why I don't think gagging Lynn or ISS or the Blackhat conference will have any positive effect whatsoever. In fact, I would argue that this legal manoeuvring has had a net negative effect because it has now been widely published that Cisco exploits are possible. This means that many more hackers are now trying to craft their own exploits and own Cisco routers.
I agree that this was a very large public relations blunder on the part of ISS and Cisco. Their actions caused undue attention to be placed on this issue and put both groups on the wrong side of a very public argument. On the other hand, Lynn is exactly the sort of guru you describe. Riley Eller said it best: "If you put him and a (Cisco) box in a room, the box breaks." Having spoken with him throughout development of this technique, I can assure you that it was not developed, and further, not propagated to anyone outside of ISS with Lynn's knowledge. He has taken every care possible to ensure that this did not leak. That's not to say it will not; certain members within ISS were keen on originally releasing this to the public before informing Cisco, which prompted Lynn to resign on the spot before he was talked into returning after they dropped the subject of uninformed public release.
> Now I believe that Open Source software techniques can solve this root problem because many eyes can find more bugs. This doesn't just mean *BSD and Linux. There are also systems like OSKit http://www.cs.utah.edu/flux/oskit/ and RTAI http://www.rtai.org/ that are more appropriate for building things like routers.
"Many eyes can find more bugs" implies several things. It implies that a large group of people are investigating bugs, and that they are qualified to find bugs of this nature. I would argue that the number that meet both criteria is small in the open source world. That is not to imply that there are untalented people in the FOSS community, only that they are not interested in locating bugs or ensuring security of a specialized routing operating system as their primary function. It boils down to the following question: Do you think the benefit of releasing the source code for IOS, allowing independent researchers access to the source code in order to locate flaws, outweighs the costs of that release, allowing criminals access to the source code in order to locate flaws and forfeiting trade secrets? In the case of Cisco, I'm sure the latter weighs more heavily in their mind.