Vulnerability Restraints or Reputation Suicide?

Doubtless anyone who follows Internet security has heard by now of the case of Michael Lynn, currently under a restraining order obtained by Cisco and Internet Security Systems (ISS). While working for ISS, Lynn discovered a vulnerability in Cisco router code and told Cisco about it in April. Apparently the flaw was fixed shortly afterwards. Lynn was scheduled to give a presentation on the flaw at the Black Hat Conference in Las Vegas this week, with the cooperation of Cisco and ISS. However, Cisco decided not to permit that, and went so far as to have its employees physically remove the ten-page presentation from the already-printed conference proceedings.

Nonetheless, within two hours of the scheduled presentation time, Lynn quit his job with ISS and proceeded to give the presentation anyway, wearing a white hat labelled Good. Shortly afterwards, Cisco and ISS slapped a restraining order on Lynn and the conference to stop them from distributing the presentation or discussing it.

The rest of the chattering classes were not under a restraining order, however, and within two days of the presentation a PDF of Michael Lynn’s slides was available on the Internet, and discussions were rampant everywhere from security professionals such as Bruce Schneier, who could be expected to defend Lynn, to the Wall Street Journal (WSJ).

Update: that link now displays a cease-and-desist letter and a copy of the injunction; a copy of the slides has turned up in Germany.

Duopoly Is Not Security

Interesting article in the Inquirer in the U.K.: Intel to cut Linux out of the content market by Charlie Demerjian, 15 July 2005. It says Intel is preparing to release, backed by a third-of-a-billion-dollar ad campaign, a digital media platform called East Fork. And that East Fork won’t support Linux; it will, of course, support Microsoft, specifically Microsoft Media Center 2006 (MCE 2006).

“I say captive because although it will support other shells that are not MCE 2006, it will only support other shells, but not programs. This is not the same as being open in any way shape or form, you are locked in, period. That’s not to say that there will not be choices. There have to be at least two providers in each country where it launches to provide the content, but the blessed ones are the only ones.”

Two providers aren’t different enough from a monopoly. Especially when both providers are subject to the same content restrictions, i.e., they’re basically mandated to supply the same thing.

Why would Intel want to lock down a music and movie player? Because it implements Digital Rights Management (DRM) that limits what you can do with the content. If you could run Linux on it, doubtless somebody would try to come up with a way around the DRM.

So why not just use Linux on another platform? It’s not clear that is still legal, considering all the legislation passed or pending about DRM. If DRM is so good, why does it need legislation to prevent people from circumventing it?

The bigger question is still why the music and motion picture industries can’t

a. produce more content people actually want to buy

b. come up with a business model that incorporates digital distribution via the Internet and other media instead of trying to legislate it out of existence; Steve Jobs has proved it’s possible with the iPod; is he really the only content mogul who can do it?

In any case, it’s not clear to me how DRM brings anybody security. A few companies will profit off it in the near term. After that, one of two things happens. Either DRM dies because people find a way to circumvent it anyway, after some people have gone to jail and legal and legislative resources have been wasted on such cases that could have been spent dealing with real security issues. Or DRM becomes the standard, which means it becomes one of the biggest targets for crackers; think of all the bots they could make out of networked media players….