Comments on TaoSecurity Blog: Free Michael Lynn
Blog author: Richard Bejtlich (http://www.blogger.com/profile/13512184196416665417)
Comment feed last updated 2023-10-16 06:06 -04:00; 10 comments.

Anonymous, 2005-10-01 03:45 -04:00
This comment has been removed by a blog administrator.

Anonymous, 2005-09-01 16:04 -04:00
Quoting from this article (http://www.securityfocus.com/columnists/351): "I think it's funny because you had a working exploit in 2001, and nearly 4 years later someone (Michael Lynn) got something similar. But thanks to someone (Cisco) that chose to sue him, there was a big buzz, and all the people suddenly discovered that, 'wow, IOS is exploitable, yes, you can get a shell there too'. Now a lot of people want to be the first to reach the goal: make public some working shellcode." A good read for any Cisco device owner/0wner 8-)

Anonymous, 2005-08-02 03:48 -04:00
Abaddon absolutely did the right thing. Cisco's position that this is fixed is absolutely incorrect. What they have done is made sure that new systems are not vulnerable from the XML vector for any new equipment. They have severely underplayed the potential for disaster here and made no active effort at all to strongly encourage their federal customers to fix this immediately. Shame on them for letting it get this far. I am not sure what ISS's claim that they have a fix for this is based on. Are they going to put a Proventia box in front of the router? Shame on ISS for letting a vendor sweep this under.

While Cisco has a big problem with its gear and IOS, ISS has a far bigger problem in that the trust level they have developed over the years is absolutely gone. Matters of national security cannot be driven by corporate greed. It was bad enough when Enron destroyed the people's ability to retire. Mike has made the single strongest case for open source and full disclosure. I too have known Mike for years and I am immensely proud of him. People are not harping on the real problem, that being that once virtual processes are an integral part of IOS this will be easy to script and worm.

Richard Bejtlich, 2005-07-28 16:56 -04:00
Justin,

You cite a great example of intruders already being aware of a vulnerability, while the rest of us get rooted.

Justin Mason (https://www.blogger.com/profile/16955170493368020909), 2005-07-28 16:53 -04:00
btw, this article -- http://netsec.blogspot.com/2005_07_24_netsec_archive.html#112252461636474700 -- notes 'he discovered clues that there was an issue being exploited when reading translated Chinese hacker sites that alluded to the issue.'

ouch.

Anonymous, 2005-07-28 15:49 -04:00
Don't like what Cisco is doing? You don't agree with their attempt to shut out full disclosure? Quit buying their products. While I feel for Michael Lynn, if he signed an NDA, then he is in breach with ISS and at fault, as sad as it is.

My 2 cents...

Anonymous (Chuck), 2005-07-28 12:48 -04:00
It will be interesting to see what happens. Definitely an interesting story nonetheless.

Chuck

Anonymous, 2005-07-28 12:03 -04:00
ISS and Cisco were working together, and presumably had an NDA to get this fixed, allowing customers to be notified privately. The heat appears to be that Michael violated the NDA, not so much the flaw itself.

I completely support full disclosure, but in return I respect the well-being of all parties involved to get it fixed.
(If this were, say, a nuclear weapon launch controller, would you still advocate going public with the info?)

Richard Bejtlich, 2005-07-28 11:29 -04:00
Yes, but "Remove the Restraining Order on Michael Lynn" is a lousy rallying cry. :)

Anonymous, 2005-07-28 11:14 -04:00
"Free" is a misleading verb. It is not like he is being incarcerated -- should the injunction be granted, he is simply being told to shut up. That, IMNSHO, would be very bad, but not nearly as bad as getting tossed in jail.