First things first: There is now a legal defense fund accepting contributions on behalf of ex-ISS researcher Mike Lynn, who now faces a possible FBI criminal investigation. You can PayPal donations to abaddon@IO.com. EFF will get any leftover funds.
The annual Black Hat computer-security conference has become a forum for experts to disclose vulnerabilities in tech products, often rankling the products' makers. But few companies go to the lengths that Cisco Systems Inc. did this week to suppress information about a flaw in its software that directs Internet traffic.
Cisco threatened legal action to stop the conference's organizers from allowing a 24-year-old researcher for a rival tech firm to discuss how he says hackers could seize control of Cisco's Internet routers, which dominate the market. Cisco also instructed workers to tear 20 pages outlining the presentation from the conference program and ordered 2,000 CDs containing the presentation destroyed.
Over the past four days, Cisco's management turned a molehill into Mount Everest, and they're still shoveling furiously. I admit I'm a fan of hyperbole, but stupidity on this scale defies exaggeration.
Lynne's presentation was an unlikely candidate for a Wall Street Journal feature until Cisco squeezed its "deal" out of the invertebrates who pass for executives at Internet Security Systems. Then, with each subsequent move -- harassing and threatening both Lynn and the Black Hat organizers; alleging that Lynn broke the law by following wiely accepted responsible disclosure procedures; and finally, slapping restraining orders on him and on several sites mirroring his presentation materials -- Cisco turned up the media spotlight again and again, systematically achieving the exact opposite of what it wanted.
You'd expect this kind of behavior from a record-industry executive, bless its shriveled little heart. You're getting it, unfortunately, from the executives at a company whose hardware touches most of the planet's Internet traffic.
Cisco's management may or may not care about the PR fallout -- that will pass in time, anyway. They certainly care, however, that hundreds of sites are mirroring Lynn's presentation by now, including many in jurisdictions where a U.S. court order is gonna leave 'em laughing until they wet their pants.
Or if a Web mirror is just too twentieth-century for you, there's always BitTorrent or anonymity-shielding equivalents such as I2P and TOR: all open-source, and all decentralized, headless, and utterly impossible to cleanse by court order.
Incidentally, Lynn settled Cisco's lawsuit against him late last week by agreeing not to comment any further and to return any related information to ISS. That was good news: Lynn followed his conscience well past the point where his own sense of self-preservation should have stopped him, and of course he's now unemployed (one of his slides during the Black Hat talk was apparently a copy of his resume)
Lynn accomplished his goal: Cisco won't have the luxury of sweeping a major security problem under the rug or playing it off as old news. The material in Lynn's presentation and his comments before settling with Cisco are enough to ensure that the company works with customers to patch the vulnerabilities and that its customers have the information they need to keep Cisco honest.
"A few years ago it was rumored that ISS would hold back on certain things because (they're in the business of) providing solutions," [Ali-Reza] Anghaie, [a senior security engineer with an aerospace firm, who was in the audience,] said. "But now you've got full public confirmation that they'll submit to the will of a Cisco or Microsoft, and that's not fair to their customers.... If they're willing to back down and leave an employee ... out to hang, well what are they going to do for customers?"
At this point, it's safe to say that ISS and its remaining customers, if there are any, deserve one another.
Finally: Will Cisco manage to change the subject before its customers think too long and hard about the implications of Lynn's research? I doubt it, although the payback is likely to be a far more drawn-out affair than Lynn's weekend trip to hell. Litigation is never a good thing, but in this case, a shareholder lawsuit might work wonders on the quality of Cisco's decision-making processes.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.