
Vulnerability Restraints or Reputation Suicide?

Doubtless anyone who follows Internet security has heard by now of the case of Michael Lynn, currently under a restraining order by Cisco and Internet Security Systems (ISS). While working for ISS, Lynn discovered a vulnerability in Cisco router code and told Cisco about it in April. Apparently the flaw was fixed shortly afterwards. Lynn was scheduled to give a presentation on the flaw at the Black Hat Conference in Las Vegas this week, with the cooperation of Cisco and ISS. However, Cisco decided not to permit that, and went so far as to have its employees physically remove the ten-page presentation from the already-printed conference proceedings.

Nonetheless, within two hours of the scheduled presentation time, Lynn quit his job with ISS and proceeded to give the presentation anyway, wearing a white hat labelled Good. Shortly afterwards, Cisco and ISS slapped a restraining order on Lynn and the conference to stop them from distributing the presentation or discussing it.

The rest of the chattering classes were not under restraining order, however, and within two days of the presentation a PDF of Michael Lynn's slides was available on the Internet, and discussions were rampant everywhere from security professionals such as Bruce Schneier, who could be expected to defend Lynn, to the Wall Street Journal (WSJ).

Update: that link now displays a cease-and-desist letter and a copy of the injunction; a copy of the slides has turned up in Germany.
