Free Michael Lynn
Ex-ISS X-Force researcher Mike Lynn is in a world of hurt right now. Yesterday he delivered a briefing at Black Hat on Cisco security flaws. Lynn decided to resign from ISS instead of complying with the wishes of his employer and Cisco to keep his discoveries quiet. For a lot more detail, I strongly recommend reading the Brian Krebs Security Fix blog hosted by the Washington Post. Krebs is in Las Vegas and has spoken with Lynn, who "has been served with a temporary restraining order designed to prevent him from discussing any more details about the flaw...[and] is scheduled to appear in federal district court at 8:00 a.m. Thursday." (!) I think it's time to start a Free Michael Lynn campaign to pay for his legal bills.
Update: Within this Slashdot thread is a comment by someone claiming to be Mike Lynn. Here is Cisco's statement. Also, SecurityFocus has a good article with this statement:
"Lynn outlined a way to take control of an IOS-based router, using a buffer overflow or a heap overflow, two types of memory vulnerabilities. He demonstrated the attack using a vulnerability that Cisco fixed in April. While that flaw is patched, he stressed that the attack can be used with any serious buffer overrun or heap overflow, adding that running code on a router is a serious threat."
What is the problem, then? Maybe this?
"During his presentation, Lynn outlined an eight step process using any known, but unpatched flaw, to compromise a Cisco IOS-based router. While he did not publish any vulnerabilities, Lynn said that finding new flaws would not be hard."
Good grief. The outcome of this situation could be very important for the future of security research.
Update 2: Here is the relevant text on reverse engineering from the Digital Millennium Copyright Act.
Comments
I completely support full disclosure, but in return I respect the well-being of all parties involved to get it fixed.
(If this were say, a nuclear weapon launch controller, would you still advocate going public w/ the info?).
Chuck
My 2 cents...
ouch.
You cite a great example of intruders already being aware of a vulnerability, while the rest of us get rooted.