Cisco to blame

NME readers hold Cisco at fault for suing security researcher Michael Lynn after he showed how to hack its routers at a black hat convention.

By Simon Duddy. Published September 19, 2005

Network Middle East newsletter readers have overwhelmingly identified Cisco as the party to blame when the vendor sued security researcher Michael Lynn after he demonstrated how to hack its routers at July’s Las Vegas Black Hat convention.

The newsletter poll asked: Which party was in the wrong when Michael Lynn exposed the Cisco router flaw? 55% of respondents put the blame squarely at the feet of Cisco, while 16% singled out Lynn as the bad guy. A further 16% felt that both should accept some blame for the ugly incident, while 13% felt neither was at fault.

Cisco, along with ISS, slapped an injunction on Lynn after he resigned from ISS and defied their wishes by giving a demonstration of how to exploit a flaw in Cisco’s router IOS. Some commentators saw this as heavy-handed and voiced concerns that the action could gag potential whistleblowers and that undisclosed flaws could prove dangerous to the internet.

“This certainly puts a chill on having those professional researchers who care about their clients and about the ethics of disclosure,” said security consultant Robert Hillery. “It will mean that the network and security community may be reluctant to reveal vulnerabilities that large vendors wish to keep under wraps. This will create a false sense of security because these vulnerabilities will remain obscure only to the defenders, not the attackers, who will be handed a greater advantage,” he added.

Cisco said it did not object to a flaw being identified but took action because Lynn and Black Hat chose to address the issue outside of established industry practices and procedures for responsible disclosure.

“The bottom line is Lynn was irresponsible, we believe he illegally obtained information through reverse engineering Cisco code and disclosed it with the proper authorisation,” said Marc Musgrove, corporate relations manager for technologies at Cisco EMEA. “It was not a new vulnerability but rather showed how known vulnerabilities could be exploited. As a responsible company we had to act in the interests of our customers and partners. It is standard business practice to use all means available to protect customers.”
