Cisco Seeks to Quiet Software Flaw Talk
(AP) Cisco Seeks to Quiet Software Flaw Talk
By MATTHEW FORDAHL
AP Technology Writer
SAN JOSE, Calif.
Cisco Systems Inc. and a computer security firm ordered pages torn out of a conference's binders and even turned to the courts in an attempt to squelch a researcher's speech on flaws in software that routes data over the Internet. The researcher, Michael Lynn, would not be silenced.
He quit his job and gave a presentation anyway on the potential vulnerability of equipment from the world's largest maker of network routers and switches. Now, Lynn faces legal trouble and the companies -- and security flaw -- are reaping a whirlwind of undesired publicity.
The incident at this week's Black Hat conference in Las Vegas raises the issue of when to go public with a security problem. Security firms and computer vendors generally agree to do so when there's a patch -- or fix -- available.
But it's not always so simple. In the latest case, Lynn and other researchers at Internet Security Systems Inc. discovered a technique that could allow someone to seize control of a Cisco router by exploiting a vulnerability in its operating system.
That flaw was patched in April, but it's possible that the same technique could be used to exploit other vulnerabilities in Cisco routers. Cisco and ISS said they decided to pull out of the talk because the research was premature.
Lynn, who quit his job at Atlanta-based ISS hours before he was scheduled to speak, apparently felt the issue was serious enough to talk about with fellow researchers at the Black Hat conference.
Lynn did not immediately return messages for comment on Thursday.
On Wednesday, he told attendees he had an obligation to report his findings.
"I feel I had to do what's right for the country and the national infrastructure," he said, according to the Web site SecurityFocus.com. "It has been confirmed that bad people are working on this. The right thing to do here is to make sure that everyone knows that it's vulnerable."
And that's the point of the Black Hat conference, said organizer Jeff Moss. The event attracts thousands of computer security experts from business, academia and government.
"The point of the talk was to demonstrate there's a problem -- that you need to update all your software as soon as you can because of these types of problems," said Moss. "It wasn't a roadmap to world destruction."
After the presentation, Cisco and ISS obtained an order from a federal judge in San Francisco forbidding further discussion of the problem. In a court document, the companies claim Lynn illegally reverse-engineered Cisco's source code.
Cisco said it encourages independent research into security but added the company follows standard procedures for disclosure.
"We feel strongly that Mike Lynn's presentation was presented prematurely and did not follow proper industry disclosure rules," the company said in a statement released by spokeswoman Mojgan Khalili.
Chris Rouland, chief technology officer at ISS, said his company and Cisco agreed that the research was premature.
Rouland also said Cisco did not pressure ISS into canceling the presentation that both companies were to have delivered together.
"We decided it would be in everyone's interest to further research the issue and defer it to another security conference," he said.
It's not clear why the decision was made only a few days before the conference was to begin. Moss said ISS first contacted Black Hat several weeks ago about the possibility of pulling presentation material from the handouts given to every attendee.
Until last week, ISS never followed through with a request to actually remove the material.
That changed this week when Cisco and ISS hired a team of temporary workers to yank about 20 pages from thousands of conference binders and replace compact discs with presentation materials.
"The speech had been vetted like two or three times through ISS's PR department. Everything was great, and ISS was contacting the media telling them to come see this talk," Moss said. "Then last Thursday or last Friday there was a total about-face on ISS's part."
[ Back To Contact Center Solutions's Homepage ]