Tuesday, August 02, 2005

More Resources on Ciscogate

The media is now calling the Lynn affair "Ciscogate." I'm using this term now because it's so much easier to Google. Multiple new articles provide good reading, including Exploit writers team up to target Cisco routers by Rob Lemos and Router Flaw Is a Ticking Bomb by Kim Zetter. The latter is an interview with Mike Lynn that has several choice quotes:

"Cisco said, 'You guys are lying. It is impossible to execute shell code on Cisco IOS.' At that point (ISS) management was annoyed.... They were like, 'Mike, your new research project is Cisco IOS. Go find out how to exploit bugs on Cisco IOS so we can prove these people wrong...'

[Cisco] also sent out an engineer ... who described himself as an IOS architect.... I was told he helped design parts of the source code.... And his jaw hit the ground. He was very impressed, he was just (saying), 'Wow, that's cool.' That was June 14th.

WN [Wired News]: Cisco saw your Black Hat presentation long before they decided to pull it. When did they see it?

Lynn: Probably June 14th, the day that they came out (to Atlanta). We told them about the vulnerabilities well before (that)...

[ISS] actually wanted to distribute the full working exploit very widely inside the company.... I was told ... 'Give this to all the sales engineers and to all the pen testers...'

I told them, 'You do realize if you do that, it's going to leak?' And (one of the ISS guys) says, 'That's Cisco's problem.' And then (another ISS guy) turns to me and says that they need to understand this could be their Witty worm...

At that point, I told them all no, and they fought it and I resigned right there on the spot. And this was about a month ago...

[Wired News]: (ISS talked him out of the resignation by agreeing to give him control over who could see or have the exploit.)

(Then) it was two weeks ago, I was first told that Cisco might want to come onto (the) stage with me and say a couple words. And I said, provided the words aren't something to the effect that 'he's a liar,' I'm OK with it....

[Wired News]: (However, the plan changed even more and Lynn was told to remove any mention of reverse engineering from his talk or cancel the presentation. If he did neither, he would be fired.)

Mind you this is a complete reversal. Like a week or so prior, the night of the close of the fiscal quarter, and they were all celebrating that they hit the numbers, the [ISS] CEO invited me out for a beer, and he just couldn't say enough awesome things about this talk.

WN: Was Cisco threatening them?

Lynn: I asked point-blank, 'Are you being threatened by Cisco?' They said no.... To be perfectly honest, I don't think there was any legal threat. I think that it was more of a 'scratch our back and we'll scratch yours.'

(Cisco asked him to wait a year until it could release a new version of its operating system. When he didn't back down, Cisco threatened a lawsuit against Lynn and Black Hat. Then with Black Hat's cooperation, Cisco arranged to tear out pages with images of Lynn's slides from the conference book.)"

There you go. Now you see the operation of the respective "market leaders" in their fields: Cisco in networking and ISS in security. Notice that the CEOs of both companies (ISS' Noonan and Cisco's Chambers) are members of the National Infrastructure Advisory Council. This is how their companies practice "responsibility" in matters affecting national security. One company (ISS) is ready to distribute devastating exploit code to make the competition look bad, while the other embarks on futile attempts to hide the fact that its products are broken.

This disturbs me greatly. Why would anyone wonder why my first post was Free Michael Lynn?

At least Mike will be involved in improving the country's security. From the same Wired interview:

"Lynn: US-CERT (Computer Emergency Response Team) asked me if I would come up to D.C. in a week or two and help them formulate the nation's strategy for cybersecurity."

Presentations from Black Hat (besides Mike Lynn's) are now online. Check your favorite BitTorrent search engine for Mike's slides.

PS: Here's an article on debugging memory on a Cisco 1600.
