Doubtless anyone who follows Internet security has heard by now of the case of Michael Lynn, currently under a restraining order by Cisco and Internet Security Systems (ISS). While working for ISS, Lynn discovered a vulnerability in Cisco router code and told Cisco about it in April. Apparently the flaw was fixed shortly afterwards. Lynn was scheduled to give a presentation on the flaw at the Black Hat Conference in Las Vegas this week, with the cooperation of Cisco and ISS. However, Cisco decided not to permit that, and went so far as to have its employees physically remove the ten-page presentation from the already-printed conference proceedings.
Nonetheless, within two hours of the scheduled presentation time, Lynn quit his job with ISS and proceeded to give the presentation anyway, wearing a white hat labelled Good. Shortly afterwards, Cisco and ISS slapped a restraining order on Lynn and the conference to stop them from distributing the presentation or discussing it.
The rest of the chattering classes were not under restraining order, however, and within two days of the presentation a PDF of Michael Lynn's slides was available on the Internet, and discussions were rampant everywhere from security professionals such as Bruce Schneier, who could be expected to defend Lynn, to the Wall Street Journal (WSJ).
Update: that link now displays a cease-and-desist letter and a copy of the injunction; a copy of the slides has turned up in Germany.
The WSJ, usually known as a supporter of big business, headlined its story with
and referred to Cisco's actions with the restraining order as "threatening".
Now, this all could have turned out differently. The vulnerability had already been fixed months before, so public disclosure would have seemed the normal course. In his presentation, Lynn didn't even reveal any known unfixed vulnerabilities. He went so far as to say:
Given that every real black hat miscreant has access to the same debugger and disassembler that Lynn used, it's safe to assume that crackers already knew about this vulnerability, and that publication could have encouraged anyone who hadn't patched their firmware to do so, especially since Cisco already had three months to encourage their customers through private channels to do that.
Why did Cisco and ISS instead go for a restraining order?
Elsewhere, how intellectual property comes into play was explained as:
An ISS spokesman, on the other hand, said the presentation shouldn't have been given because it was incomplete.
Whatever the reason for the restraining order, this probably won't be the last time companies have to decide how to balance intellectual property, fixing bugs, informing customers, getting customers to deploy the fixes, and the vendor's own reputation. The bigger the company, the higher the stakes, not only for the company, but also for its customers and those affected by its software.
Miscreants will still have motivation to crack code, and security professionals and vendors will still need to find ways to deal with it. Lynn's slides spell out why such vulnerabilities could be important, including wide deployment. It is well known that many ISPs pick a single router vendor, so within a given ISP that vendor's routers could be a monoculture. The slides go on to list some motivations that people might have for taking advantage of such a lack of diversity:
Keys To The Kingdom (MITM)
- Control the network traffic
- Packet sniff in far off lands
- Modify traffic
- Break weakly authenticated encryption (passwords, etc)
Routers in major ISPs would be optimal places for Man in the Middle (MITM) attacks. That point about packet sniffing in far off lands could be a coy reference to widespread allegations that Cisco has provided hooks in its routers for the Chinese government to use for packet sniffing. Lest anyone think I'm picking on Cisco, similar allegations of modifying software to the specifications of the Chinese government have been heard about many other companies, including Symantec, Yahoo!, and Google. If such router hooks really exist, they would be a gold mine for miscreants, who could sniff packets not only in far off lands, but perhaps also in nearby lands, if the same software turns out to exist on routers in countries other than China. Even if those hooks don't exist, gaining access to a router could enable sniffing anyway, plus the other things Michael Lynn mentioned.
In fact, miscreants are motivated and active:
"The vulnerabilities are out there on the Net in full broadcast mode," said Gilman Louie, a tech-industry veteran who heads In-Q-Tel, a venture-capital firm backed by the Central Intelligence Agency. "The bad guys get to it faster than everybody else. I'd rather have disclosure and let everybody respond."
As for disclosure, not only were the plaintiffs unable to restrain the Internet, the bloggers, or the press, Michael Lynn didn't even have to quit his job and give the presentation to get his point across. He could have just stood up there and said he couldn't give the presentation, and it's pretty likely a copy of the PDF would have made its way to the Internet within two days anyway.
This isn't really about Cisco; the principles illustrated here are larger than that. Security by obscurity just doesn't work, no matter how big you are, and even if you have the law backing you up.
Which would you rather have? A public relations disaster brought on by not disclosing a fixed vulnerability? Or a reputation burnished by assisting security researchers in publishing such a vulnerability?