Reflecting on Cisco's flaws
/* The incident highlights the thorny issue of when to go public with a security problem. Security firms and computer vendors generally agree to do so when there's a patch - or fix - available. Cisco said it encourages independent security research but said in a statement that it felt Lynn's presentation "was presented prematurely and did not follow proper industry disclosure rules." [see footnote a]

...

Worms - malicious programs that spread automatically - are less likely in today's version of Cisco's operating system because the underlying software is different enough for each device. That will change in the next release, making it possible to attack a wide swath of routers without adjusting the malware for each unique configuration. Such attacks, Lynn said, could modify routers en masse so that they cannot receive updates, so they are always infected. Worse, attackers could erase instructions that tell the machine how to turn on.

"The purpose of doing this presentation was to prevent a worm from being made," he said. His Las Vegas demonstration was stripped of any information that would lead anyone to figure out how the technique works, Lynn said. He also said he decided to defy his employer because Cisco's operating system source code had been stolen and posted on a hacker Web site. Additionally, Lynn said, he has seen discussions of Cisco vulnerabilities posted on Web sites for Chinese hackers.

"Cisco has never told anybody that it was possible to take over one of their routers," Lynn said. "They fought that argument for a long time. You can see how far they're willing to go. I demonstrated it live on stage. That debate is over now."

...

That changed when Cisco and ISS hired a team of temporary workers to yank about 20 pages from thousands of conference binders and replace compact discs with presentation materials. [see footnote b]

http://www.forbes.com/business/feeds/ap/2005/07/28/ap2163964.html */

Footnotes:

(a) What are these "industry disclosure rules" and who made them?

(b) Cisco Rent A Cops: "You have the right to unset alias echo, any echoing will be used against you in a GPL, OpenSource, XML, RPC, INSERT_LICENSE_HERE court of law."

To reflect on earlier incorrect statements from some here, it is now clear that some of the presentation was perhaps based on code that was stolen earlier this year. Secondly, for those who think some April fix worked, you must have fallen for those patches that came out on April 1st. Good old fools' day.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x97B43D89
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x97B43D89

"To conquer the enemy without resorting to war is the most desirable. The highest form of generalship is to conquer the enemy by strategy." - Sun Tzu