Settlement reached in Cisco flaw dispute

'Cisco has a gazillion dollars and he is an unemployed guy'

LAS VEGAS - A researcher who showed off a way to remotely compromise Cisco routers must turn over all materials and agree not to further disseminate information on the flaws or the technique he used to run code on the popular network hardware.

The settlement, finalized Thursday afternoon, brought to a close a controversy that exploded on Wednesday morning when researcher Michael Lynn tendered his resignation to network protection firm Internet Security Systems in order to give a presentation on Cisco security at the Black Hat Security Conference.

"I think I did the right thing, but it was scary," he told reporters in Las Vegas at a Thursday afternoon press conference. "There was a potential for a serious problem coming in the future. I didn't think that the nation's interests were served by waiting a year, when there would be a possibility of a router worm."

Lynn and his attorney agreed to a permanent injunction that prevents him from using any Cisco code in his possession for further reverse engineering or security research, and from presenting the same material at the DEF CON hacker convention, which follows Black Hat. In addition, Lynn must hand over the names of any websites or people to whom he gave or sold the information. The permanent injunction does not prevent Lynn from doing further research on Cisco products, provided it is done legally.

Cisco disputed that Lynn's actions were aimed at helping protect the Internet.

"Cisco’s actions (regarding) Mr. Lynn and Black Hat were not based on the fact that a flaw was identified, rather that they chose to address the issue outside of established industry practices and procedures for responsible disclosure," the networking giant said in a statement on Thursday. "It is Cisco’s opinion that the method Mr. Lynn and Black Hat chose to disseminate this information was not in the best interest of protecting the Internet."

On Wednesday, Lynn showed off a way to compromise Cisco's Internetwork Operating System (IOS), the core software for the company's popular routing and gateway hardware. Using such techniques, which Lynn and other security experts believe the Chinese are likely already exploiting, an attacker could run programs on Cisco routers.

While some security experts at Black Hat said that they never doubted running code on the routers was possible, the prevailing wisdom was that Cisco network hardware had enough safeguards in place that external code could not be run on the systems.

"No one really thought this (running code on Cisco routers) was possible, until Wednesday, so no one really looked to defend against it," Lynn said. "A router is like any computer in that, when it has a vulnerability, you can hack it."

The presentation followed three weeks of negotiations between Cisco, Internet Security Systems and the Black Hat Conference management to resolve the situation. Under pressure from Cisco, ISS had withdrawn the presentation on Monday, and the Black Hat Conference management allowed the network giant's employees to rip out the 10-page presentation from the conference proceedings.

The settlement is reasonable, said Jennifer Granick, executive director for Stanford University's Center for Internet and Society and the attorney representing Lynn in the negotiations. Because it does not prevent Lynn from further research into Cisco's hardware and software, provided access to both is done legally, the researcher can continue to analyze Cisco's security measures, she said.

Moreover, Lynn would have been at a disadvantage if he tried to fight the networking giant, she said.

"Cisco has a gazillion dollars and he is an unemployed guy," Granick said. "It is hard to take on someone with deep pockets."

Other researchers believed that the settlement prematurely closed the chapter on a case that could have highlighted the legitimate concerns of independent security researchers.

"The whole attempt at security through obscurity is amazing, especially when a big company like Cisco tries to keep a researcher quiet," said Marc Maiffret, chief hacking officer for network protection firm eEye Digital Security.

Cisco will likely need to repair relations with the security research community, if they want cooperation, rather than contention, in the future, Maiffret said.

"People are definitely going to want to find more vulnerabilities," because they know they can gain control of a router, he said. "And now people aren't going to care to report things to Cisco."

The incident also foreshadows what future legal spats might look like, said Stanford's Granick. Cisco had argued during talks that reverse engineering is against the end-user license agreement (EULA). Such "no reverse engineering" clauses are a common provision in such licenses, and while the average user does not need to care about that, the provision could stifle legitimate security research if courts agree to enforce it, she said.

"You have EULAs that tell people they can't reverse engineer and companies who are ready to levy the most severe penalties for anyone who breaks those agreements," Granick said. "It is time to begin to worry about the rights that companies are trying to take away from us." ®

Related stories

Cisco, ISS file suit against rogue researcher
Cisco patches security software
Cisco source code theft part of 'mega-hack'
Unholy trio pose DDoS risk for Cisco kit
Cisco patches VoIP vuln