Apparently this exploit was found from the stolen source code from a while back, so if he was reverse engineering that proprietary code, it would be illegal on his part without authorization from Cisco. Michael Lynn did not work for Cisco while he was researching this vulnerability; he was working for ISS, which in turn was working with Cisco in researching the vulnerability.
I believe closed source software is getting to the point where automobiles were in the 1960s, IMHO. Not very well designed for consumers' safety. Unfortunately, you can't just look at closed source software for problems like you could pop the hood of a car. At what point should companies like Cisco and Microsoft be held responsible for such undesirable effects as theft, loss, etc.? If the consumers of a product cannot protect themselves, then who is going to do it?
Re: Cisco IOS Exploit Fiasco
13 years 3 weeks ago #9414
Well, if he already had the code, then there was nothing to reverse engineer. It could be that he just went for a piece of fame, abusing access to information that was provided to him for his research purposes directly through Cisco and ISS. But I don't like to make speculations on the case since I really don't know the facts.
However, and outside of that case, someone who discovered something on his own through detailed auditing and experimentation (it does sound less harsh and nasty than the term "reverse-engineering", right? Still, it is the most common method for it!) seems to me to have every right to make his findings public. This is his fundamental liberty. If he is nice enough to inform the author first and wait for the patch, then he is cool by any means. Even otherwise, nobody can take away from him the right to do anything he wants with the results of his research (well, apart from using them for unlawful activities, of course). So I am more concerned, as I said before, about how easily a large corporation can manipulate the legal system to have things done its way. If it was just the Michael Lynn case then ok, but there are many cases involving many companies all the time. And perhaps in the field of security things are just annoying but have less severe direct consequences in practice. Through patent and intellectual property laws, though, manipulating the legal system can severely hinder technological progress, competition and ultimately, our freedom of choice.
This is one of the reasons that I prefer to deal with open-source software, because things are crystal clear: nobody has any reason or way to place obstacles in others' way; instead his work unavoidably benefits the rest. Nothing goes under the carpet. So in the end everything's moving in the same direction. Sounds ideal, huh?