
Cisco IOS Exploit Fiasco

18 years 8 months ago #9398 by jwj
Cisco IOS Exploit Fiasco was created by jwj
I'm just wondering what people's opinion is of this:

Cisco IOS Exploit Revealed

What I am trying to understand is how this really affects anything. From my experience, when a new version of IOS comes out that fixes a security vulnerability, it is tested immediately to ensure that it works correctly, then deployed as soon as possible. The guy didn't actually show the specifics of how such an attack could be done; he just showed it could be done. This issue affects only IOS routers that have not been patched recently, so what's the harm? If anything, this reaffirms to us that we cannot take our routers for granted when it comes to malicious code.

-Jeremy-
18 years 8 months ago #9400 by cybersorcerer
The problem is that he really ticked off the big networking giant by basically breaching contract. He was originally paid by Cisco to research security flaws in its IOS. He was supposed to contact Cisco if he found a flaw; they would fix it, then release the details soon thereafter. He didn't follow this and released a general idea of how the IOS could be exploited. He backstabbed Cisco... what did he expect? Praise? I think not.

"He who breaks something to find out what it is, has left the path of wisdom."

Gandalf the Grey
18 years 8 months ago #9403 by nske
Replied by nske on topic Re: Cisco IOS Exploit Fiasco
I'm not surprised about the lawsuits. Obviously it is something that CISCO wouldn't like to be discussed at a public conference. Even if that vulnerability affects only an older version of IOS, it is a fact that a surprisingly large number of clients actually never concern themselves with updating, and it is common for even more to update with a delay. It may be a big mistake on the part of the administrator, just like leaving the default administration passwords on a router, but they both happen all the time!

Michael Lynn may not have published any exploitation code for that vulnerability, but that does not mean that by providing specific technical information on the vulnerability he didn't make it easy for others to create and distribute such code. After all, the most difficult part is to discover and sufficiently document the nature of a vulnerability; afterwards the creation of a program to exploit it is less of a challenge.

Personally I don't like such actions against the free flow of information, and the "security through obscurity" tactic is just not something to brag about; it is exactly the opposite of how open source works. Well, take the example of the OpenBSD project: if you have done everything right, then you have nothing to hide. And even if you have made a mistake somewhere and someone finds it before you do, you should concentrate all of your resources on making sure all of your users update, and on triple-checking your software to avoid such situations in the future, instead of blaming the person that simply uncovered it. I am not talking specifically about that occasion; in this case it could indeed have been unethical on the part of Michael Lynn to release such information, especially if it was discovered through classified data that CISCO provided him with (like the IOS source code). Or perhaps not; one would need to know the details to judge. Besides, justified or not, a similar reaction from CISCO would be imminent in whatever direction possible, judging from past occasions.

However, regardless of that, there is another side, less romantic but more valid from the perspective of strategy. This perspective commands that you, as CISCO, need to do what you can to protect your customers from both your mistakes and theirs. And the truth is that if exploitation code for your products becomes too common out on the internet, then many more systems will be compromised by more numerous and less technically capable attackers, and obviously nobody wants that. So you try to freeze the flow of any information that could prove harmful in that direction, by all means (lawsuits, threats, etc.), and hope the vulnerability remains undisclosed long enough to affect a minor number of clients when it comes to light: a less than ideal solution for a less than ideal situation. So in that case, the fact that Michael Lynn originally worked for Cisco only made it easier to base a lawsuit against him. Strategically the only point that mattered is that he released information potentially harmful to CISCO, and that had to be disallowed by any means.
18 years 8 months ago #9405 by cybersorcerer
I agree with most of what you say, but I don't feel that Cisco utilizes the "security through obscurity" philosophy. They do put an emphasis on security, and even though they have the pockets and the brains to strengthen it, exploits are bound to be found. The problem here was that Lynn had access to information no normal hacker would have. Therefore, he breached the trust that Cisco placed in him and deserves exactly what he is getting.

But I'm curious as to why you mentioned OpenBSD and compared them to Cisco. Open source threatens Cisco's stronghold on the networking world, so they are doing what any corporation would do: protect their assets. (And unlike Microsoft, I believe Cisco deserves the large market share they have.) OpenBSD is well known for security, but are they making the profit Cisco pulls in, employing thousands of American employees, or supporting certifications that have advanced careers for thousands around the world? Don't get me wrong, I believe in open source, but I tend to lean more towards the importance of a good company like Cisco making profits and continuing to produce good networking devices rather than risking it by going open source.

18 years 8 months ago #9410 by nske
Replied by nske on topic Re: Cisco IOS Exploit Fiasco
Certainly CISCO is a great company which makes quality products, the best in its field (well, if there were a competitive firm to challenge that, chances are it would be bought anyway ;)). And undoubtedly, Cisco has developed many technologies that provide solutions to difficult problems, and along with efficient marketing, this is how it came to be the No. 1 in sales.

However, as an open source enthusiast I have a small complaint about how Cisco and other large companies protect their interests and what effect this often has on the "overall good". More specifically, it is quite common for Cisco and other companies to throw legal threats or lawsuits in cases which, in my opinion as a user, is not fair. These cases are mostly related either to reactions to the release of information potentially harmful to them, usually by independent researchers (Mr. Lynn now might have been the exception), or to the good old topic of patents. I mentioned the OpenBSD project for two reasons: firstly because it is the living proof that high quality software of commercial standards need not necessarily be commercial, and secondly because in the past it has been the victim in a typical example of the second case (ridiculously abusive use of patents): the issue about Cisco's VRRP and the IETF. If you have not read about it, it is something worthwhile to check!

Now, I don't flame Cisco or anything for protecting its interests; I just try to do the same as a user of free software (which relies on the community instead of expensive lawyers) and as someone who wants information to be able to flow freely. I might go as far as saying that I don't care about "the importance of a good company like Cisco making profits and continuing to produce good networking devices" if things that I consider more fundamental are at stake.

PS. While perhaps not relying on it, almost all companies, including Cisco, utilize the "security through obscurity" philosophy to some degree IMHO.

PS2. I went out of topic I guess, I just seized the opportunity to speak my mind :)
18 years 8 months ago #9412 by cybersorcerer
Ahh, good rebuttal :-). Anyways, thanks for clearing up the mention of OpenBSD because I was quite confused. Even after a good argument like that, I still agree with Cisco's lawsuit tactics against Lynn because what he did was in fact illegal.

But you also mentioned that you disagree with these lawsuits because they tend to go against your philosophies. I try to put it in perspective. Open source battlefields are the forums, that is, the community (unless the corporations bring them to court), whereas corporations tend to battle in terms of legality in the courtroom. The latter tends to be more public than the former, but both can be equally absurd. How else is a corporation going to get what it wants? The good old days of cradle robbing have somewhat halted, so they are left with few valid choices :twisted:. Just like men tend to protect their homes with guns, corporations protect their assets with the constitution because they have already exhausted every other immoral method.

I might also chip in that many companies, as of late, are going open source, Sun and Novell to name a few. I'm hoping that other companies follow their lead, but I think most of them are waiting to see if these companies turn a profit as a direct result of going open source. But to make the money Microsoft and Cisco make, you can probably go open source to a point, but you still need bloodthirsty capitalist tactics to keep the positive profit flow going (probably more so, since open source would create more competition). Communities like OpenBSD take your philosophy head on, but they aren't in it for the money (at least I think so..). If they were indeed in it for the money, their philosophy and tactics would have to shift. But you have to agree that money makes the world go round, and that without the deep pockets of corporations (and governments), we would never have advanced this far in terms of technology.
