Vulnerability Restraints or Reputation Suicide?

Doubtless anyone who follows Internet security has heard by now of the case of Michael Lynn, currently under a restraining order by Cisco and Internet Security Systems (ISS). While working for ISS, Lynn discovered a vulnerability in Cisco router code and told Cisco about it in April. Apparently the flaw was fixed shortly afterwards. Lynn was scheduled to give a presentation on the flaw at the Black Hat Conference in Las Vegas this week, with the cooperation of Cisco and ISS. However, Cisco decided not to permit that, and went so far as to have its employees physically remove the ten-page presentation from the already-printed conference proceedings.

Nonetheless, within two hours of the scheduled presentation time, Lynn quit his job with ISS and proceeded to give the presentation anyway, wearing a white hat labelled Good. Shortly afterwards, Cisco and ISS slapped a restraining order on Lynn and the conference to stop them from distributing the presentation or discussing it.

The rest of the chattering classes were not under restraining order, however, and within two days of the presentation a PDF of Michael Lynn’s slides was available on the Internet and discussions were rampant everywhere from security professionals such as Bruce Schneier, who could be expected to defend Lynn, to the Wall Street Journal (WSJ).

Update: that link now displays a cease-and-desist letter and a copy of the injunction; a copy of the slides has turned up in Germany.

The WSJ, usually known as a supporter of big business, headlined its story with

Cisco Tries to Squelch Claim About a Flaw In Its Internet Routers

and referred to Cisco’s actions with the restraining order as "threatening".

Now, this all could have turned out differently. The vulnerability had already been fixed months before, so public disclosure would have seemed the normal course. In his presentation, Lynn didn’t even reveal any known unfixed vulnerabilities. He went so far as to say:

Keep your firmware images up to date and you will probably be fine

Given that every real black hat miscreant has access to the same debugger and disassembler that Lynn used, it’s safe to assume that crackers already knew about this vulnerability, and that publication could have encouraged anyone who hadn’t patched their firmware to do so, especially since Cisco already had three months to encourage their customers through private channels to do that.

Why did Cisco and ISS instead go for a restraining order?

"We don’t want them to further discuss it," said Cisco spokesman John Noh. "This is about protecting our intellectual property."

Elsewhere, how intellectual property comes into it was explained as:

Cisco maintains Mr. Lynn found the flaw by reverse-engineering its product, which the San Jose, Calif., company said violates the law.

An ISS spokesman, on the other hand, said the presentation shouldn’t have been given because it was incomplete.

Update: Cisco has published a press release and a security advisory, both on 29 July, two days after the conference talk.

Whatever the reason for the restraining order, this probably won’t be the last time companies have to decide how to balance intellectual property, fixing bugs, informing customers, getting customers to deploy the fixes, and the vendor’s own reputation. The bigger the company, the higher the stakes, not only for the company, but also for its customers and those affected by its software.

Miscreants will still have motivation to crack code and security professionals and vendors will still need to find ways to deal with it. Lynn’s slides spell out why such vulnerabilities could be important, including wide deployment. It is well known that many ISPs pick a single router vendor, so within a given ISP that vendor’s routers could be a monoculture. The slides go on to list some motivations that people might have for taking advantage of such lack of diversity:

Keys To The Kingdom (MITM)

  • Control the network traffic
  • Packet sniff in far off lands
  • Modify traffic
  • Break weakly authenticated encryption (passwords, etc)

Routers in major ISPs would be optimal places for Man in the Middle (MITM) attacks. That point about packet sniffing in far off lands could be a coy reference to widespread allegations that Cisco has provided hooks in its routers for the Chinese government to use for packet sniffing. Lest anyone think I’m picking on Cisco, similar allegations of modifying software to the specifications of the Chinese government have been heard about many other companies, including Symantec, Yahoo!, and Google. If such router hooks really exist, they would be a gold mine for miscreants, who could sniff packets not only in far off lands, but perhaps also in nearby lands, if the same software turns out to exist on routers in countries other than China. Even if those hooks don’t exist, gaining access to a router could enable sniffing anyway, plus the other things Michael Lynn mentioned.

In fact miscreants are motivated and active:

"The vulnerabilities are out there on the Net in full broadcast mode," said Gilman Louie, a tech-industry veteran who heads In-Q-Tel, a venture-capital firm backed by the Central Intelligence Agency. "The bad guys get to it faster than everybody else. I’d rather have disclosure and let everybody respond."

As for disclosure, not only were the plaintiffs not able to restrain the Internet nor the bloggers nor the press, Michael Lynn didn’t even have to quit his job and give the presentation to get his point across. He could have just stood up there and said he couldn’t give the presentation, and it’s pretty likely a copy of the PDF would have made its way to the Internet within two days anyway.

This isn’t really about Cisco; the principles illustrated here are larger than that. Security by obscurity just doesn’t work, no matter how big you are, and even if you have the law backing you up.

Which would you rather have? A public relations disaster brought on by not disclosing a fixed vulnerability? Or a reputation burnished by assisting security researchers in publishing such a vulnerability?

-jsq

1 thought on “Vulnerability Restraints or Reputation Suicide?”

  1. The Quiet Earth

    Waterloo in Vegas

    The Story So Far
    By now you all have read about Michael Lynn’s presentation at Black Hat 2005. Let’s, nevertheless, recap: ISS X-Force did contract for Cisco to check IOS for (possible) security vulnerabilities. It comes as no surprise that they found…