Lynn Settles With Cisco, Investigated By FBI 357
Following up on yesterday's story, daria42 writes "Security researcher Michael Lynn has settled a dispute with Cisco over his presentation on hacking the company's routers, which was given at the Black Hat security conference in Las Vegas this week. The two parties and Black Hat organisers have agreed not to further discuss the presentation, which contained techniques Lynn said could bring the Internet to its knees." Not all is good news, though. jzeejunk writes "The FBI is investigating computer security researcher Michael Lynn for criminal conduct after he revealed that critical routers supporting the internet and many networks have a serious software flaw that could allow someone to crash or take control of them."
No good deed goes unpunished. (Score:3, Insightful)
What a load of horseshit. Lynn follows his conscience and speaks up about Cisco's security vulnerabilities, and not only is he severely slapped down by this permanent injunction (which I don't consider 'good news' in any sense), but now the FBI has decided to get involved. It'll be chilling to watch them pull his life apart and examine each bit under a microscope over months or years.
Lynn exposed a serious security flaw that could have been used to compromise networks throughout the nation. Cisco should be rewarding him for protecting them against losses they would no doubt have experienced in the future if this flaw went unreported. As for the government, they should be pinning a medal on Lynn, not investigating him.
Re:No good deed goes unpunished. (Score:5, Insightful)
Re:No good deed goes unpunished. (Score:5, Interesting)
Yes, and this is exactly why the FBI should get involved! The army has stringent oversight procedures for this sort of thing, and to reveal flaws in top-secret installations without even going up the chain of command is tantamount to treason!
Oh wait. The dude isn't in the army. Or in government. Actually, his former employer settled the case. So the overriding federal government interest in this is...? Why, you might be forgiven to think "nothing at all, in fact, this sort of thing is precisely why such liberties as freedom of the press exist; even though this is a lone individual, surely some type of whistle-blower protection would exist that covers this, otherwise the public would never be made aware of critical flaws in the nation's privately-owned infrastructur until it was too late!"
But apparently, you'd be wrong. You see, by merely mentioning, without even going in to much specifics, that it might be possible for some-one else to exploit a flaw in Cisco's equipment, this guy has clearly commited a thought-crime. That's because warning people about security flaws is exactly the same as instructing people in cyberwarfare, and issueing commands to them to act on your behalve to bring down Western Civilization as we know it. You see, no difference there at all.
Of course, this is also why trains never run on time. If the published time tables were accurate, the railways would get prosecuted by the FBI for inviting people to commit suicide by throwing themselves in front of the 18:02 train.. Bet you didn't know that!
Re:No good deed goes unpunished. (Score:5, Insightful)
Nice strawman, but that of course isn't what the (predictably modded-down) parent said.
All he's saying is that you shouldn't be surprised when the FBI investigates you after you tell a whole conference of interested parties how to take down a critical infrastructure.
Re:No good deed goes unpunished. (Score:2, Informative)
Re:No good deed goes unpunished. (Score:4, Insightful)
I guess I'm at a loss here....how is this not protected under free speech, and therefore not subject to start an investigation into some illegality. He wasn't inciting people to do anything wrong (rioting, etc)...he merely gave a presentation stating facts as his research had shown him...
Re:No good deed goes unpunished. (Score:2)
Bullshit. Cisco has just as much interest in ensuring their kit is safe from insider attacks as the government. If they wanted to prevent loose lips from sinking ships, they wouldn't have settled.
Did this guy publish an exploit? No. Any details not know already? No.
From TFA:
Although Lynn demonstrated for the audience what hackers could do to a router if they expl
Re:No good deed goes unpunished. (Score:4, Insightful)
Exactly what law did he break? He reversed engineered as part of research Cisco routers. He gave a presentation that is clearly protected free speech. Just because you give information, that if used wrong, would harm something, as long as you're not inciting or telling people to cause harm to others....you've broken no law.
There's tons of books out there that tell you how to make an atomic bomb...perfectly legal. You can describe pressure points on the human, that can kill, etc. Information is free to dissiminate. It is a tough part of free speech, but, really who are YOU going to trust to limit it, and say what information can and cannot be released?
Re:No good deed goes unpunished. (Score:3, Interesting)
You can't bring up the injunction. That means nothing since the suit was settled. Mr. Lynn did not have to make any admission of wrong-doing nor pay restitution. More than likely Lynn's lawyer brought up how much it would cost to defend himself and Mr. Lynn decided that it would be better to keep making car and house payments than fight in the courts.
And it does
Re:No good deed goes unpunished. (Score:5, Insightful)
Further, Lynn himself admitted that the vulnerability had already been patched by a Cisco update. Lynn's issue is that he didn't believe Cisco presented the vulnerability (or its patch) in an urgent enough fashion.
And "the government" isn't doing anything save for investigating an allegation of a crime, as it is charged with doing when it receives a complaint. Should the police no longer respond when 911 is dialed unless it's absolutely certain a crime is being committed? Is this not what "investigation" is for? Sorry, I don't buy into the conspiracies.
Re:No good deed goes unpunished. (Score:5, Informative)
One specific buffer overflow vulnerability was patched. But Lynn's presentation was a general approach to exploit any buffer overflow, with dire consequences. There is likely more exploitable code inside those routers; it's just a matter of time before some is found. At that point Lynn's attack could be executed.
Re:No good deed goes unpunished. (Score:2, Insightful)
I think the question isn't whether the government should investigate an allegation of a crime, but what is the crime being committed? What law with a criminal penalty may have been broken?
Without knowing a great deal about this case, the only laws even remotely relevant to this would seem to be trade secret law. Even that, I would think, would not apply
Comment removed (Score:4, Insightful)
Re:No good deed goes unpunished. (Score:4, Insightful)
Second, it's Cisco's right to do what they want with his research, since he did *break the law* in order to release it ( decompiling code + license agreement -> ?=( ).
I'm not a lawyer of course, but a license agreement is essentially a contract, right? Aren't you implying that he committed a crime, when this is perhaps a breach of contract? I could be mistaken.
Even if it was a crime, does that really give Cisco any rights to his work at all?
Re:No good deed goes unpunished. (Score:3, Insightful)
For crying out loud people, just because you voted for Bush doesn't mean you owe him your undying support. Oust the bastard. This shit makes Watergate look like a college prank.
Re:No good deed goes unpunished. (Score:4, Interesting)
Actually, what Sandy Burger did [washingtonpost.com] makes Watergate AND this Plame nonsense look like a college prank. But I don't see any outrage in Mediaville over that.
I'm sorry, was that off-topic? Well, since the parent was modded "interesting" I guess it isn't.
Be mroe afraid of what is left gaged (Score:3, Interesting)
The real issue is... (Score:5, Informative)
The reality of it is that Cisco fixed the exploit last April with a patch and no longer offers the vulnerable IOS for download on their site. The problem with that though is that they did not inform anyone what the patch fixed and who needed to download it. Most people who are vulnerable to this attack are those who have not updated to Cisco's version as of April (which are a few I'm sure. No point on upgrading a working system with a patch that could break you.)
The real problem is Cisco and their disregard to release information over a severe vulnerability in order to press forward their new OS next year.
There is a range... (Score:4, Insightful)
Both are harmful, and neither benefit security optimally.
As with most things, the most beneficial position is usually a balance between extremes.
Re:The real issue is... (Score:3, Insightful)
Free speech is now a crime. If Cisco released the same information that Lynn did, they will have the FBI after them as well.
WTF is going on in this country?
Cisco issues advisory (Score:3, Informative)
Cisco Internetwork Operating System (IOS®) Software is vulnerable to a Denial of Service (DoS) and potentially an arbitrary code execution attack from a specifically crafted IPv6 packet. The packet must be sent from a local network segment. Only devices that have been explicitly configured to process IPv6 traffic are affected. Upon successful exploitation, the device may reload or be open to further exploitation.
Bummer (Score:2, Insightful)
BS (Score:5, Insightful)
It may or may not be illegal (Score:3, Interesting)
The FBI is most likely investigating to determine whether there is a case against Lynn. If they find something in the DMCA [wikipedia.org] that he has run afoul of, most likely they'll prosecute.
I've been writing letters to my Congressman and Senators about the DMCA for some time, but they're not listening. Until we can get legislators in office who actually understand how the DMCA casts a chill on issues like the Lynn fiasco, this sort of thing will continue.
My feeling is that unfortu
Re:It may or may not be illegal (Score:3, Informative)
One day people in this country will realize that congresscritters and senators don't listen to their constituents anymore, and they haven't done so for a very long time. Mostly they listen to corporations and their lobbies.
I'm glad you still have the proper democratic reflex a citizen should have when confronted with issues, but really you should realize "writing to your congressman" nowadays amo
Re:It may or may not be illegal (Score:4, Insightful)
It may not look like it from the outside, but I would suspect that the majority of lawmakers still attempt to cling to the ideals they started with and, when given the opportunity, will attempt to act according to them.
Don't limit your options just because cynicism dicates that they're pointless. You might be right and it's a wasted effort, but if you're wrong, you've voluntarily missed an opportunity.
Re:It may or may not be illegal (Score:3, Interesting)
The powerful have always had more influence on elected officials than average Joes. No doubt about it. But particularly on issues that are not on the top of your representative's agenda, a concise and well-articulated opinion can matter. The most successful politicians are those who
Re:BS (Score:2)
Re:BS (Score:3, Insightful)
In Soviet Russia ... (Score:2, Funny)
Re:In Soviet Russia ... (Score:3, Insightful)
Since when is it evil for a law enforcement agency to follow up on a complaint, even if the complaint is later found to be invalid? Or should law enforcement agencies be able to predict the future, and just skip the investigative step, and automatically know whether a crime has been committed? It might have been absurd or vindictive for ISS and/or Cisco to approach the FBI, but when someone approaches the FBI and claims a crime has been committed, would you prefer that the FBI
Re:In Soviet Russia ... (Score:2, Funny)
Goodness... (Score:5, Funny)
Can you imagine the chaos?
I bet some people would even end up going outside.
I would probably crawl up into a ball and cry until it was fixed; with my girlfriend consoling me.
I suppose I could look through my old cached history of webpages and pretend that I was online!
Re:Goodness... (Score:2)
Woah, they can talk now?
Looks like I need an upgrade...;)
Re:Goodness... (Score:3, Funny)
1984 Called... (Score:5, Insightful)
Regardless of what you think about Lynn's tactics, or Cisco's, or ISS's, or Blackhat's, the bottom line is that the FBI is now investigating. The government is going after a private citizen for releasing information about routers, because it's "critical to the national ingfrastructure". How long before pinging a router is an "investigable offence" for causing a drop in router resources?
Re:1984 Called... (Score:3, Insightful)
This IS the point here. Although and investigation is not an arrest - it will still disrupt his life is massive ways.
Re:1984 Called... (Score:4, Funny)
Relax (Score:2)
Re:1984 Called... (Score:2)
Re:1984 Called... (Score:2, Insightful)
I think you need to read the article more carefully. The FBI started investigating before the agreement was reached because someone had come to them complaining that a crime has been committed. Like an earlier poster said, it's their job to investigate when people claim a crime has been committed, if only to determine whether or not a crime has actually been committed. For all we know (and from the sounds of it), one hasn't, the investigation is going to be (possibly already) dropped, and that's all that
What was the suit about? (Score:3, Insightful)
Was his disclosure good for the internet in the short term? Probably not. However, unless there is some law that I'm missing, describing how to use a bomb is not the same as advocating that it be used.
Please, don't overreact. (Score:2, Insightful)
In other words, give Cisco the opportunity to explain that patching vulnerabilities in major commercial vendor-supported code isn't just something that happens instantaneously. I'm not saying Cisco is completely in the clear here, but no everything shouldn't be open source, and patching shouldn't/can't happen like it does in the open source community. Some people will no doubt fundamentally or p
Re:Please, don't overreact. (Score:3, Insightful)
You're sort of straw-manning here. The problem isn't that Cisco didn't fix the vulnerability in time, the problem is that they didn't tell anyone it was a critical update. That's a far cry
Re:Please, don't overreact. (Score:2)
The problem here is that Lynn is claiming this was some kind of end-times doomsday vulnerability, and Cisco claiming it wasn't a big deal.
I'm frankly not inclined to believe either one of them.
We still don't know the EXACT nature of the vul
Or let's put it another way (Score:2)
We want the police (the FBI is just the federal police) to investigate repo
Lawyer's quotes (Score:2)
You are making a *LARGE* assumption... (Score:4, Informative)
He gave Cisco *FOUR MONTHS* to fix it, which is hardly "instantaneous".
PDF of the Presentation (Score:5, Informative)
TFA (Score:4, Informative)
In other words, probably not really in trouble with the FBI.
Let's cut the tinfoil a bit (Score:3, Insightful)
Always shoot the messenger (Score:2)
Everyone together now:Meanwhile, back at the ranch, some Eastern European "security expert" is busy cheerfully 0wn1ng j00 when you order that book from Amazon. Checked your credit card statement lately?
Free speech (Score:4, Insightful)
"The FBI is investigating computer security researcher Michael Lynn for criminal conduct after he revealed that critical routers supporting the internet and many networks have a serious software flaw that could allow someone to crash or take control of them."
The FBI is investigating Michael Lynn... after he revealed ...
Congress shall make no law ... abridging the freedom of speech, or of the press.
He's being investigated for what, now? Talking?
Re:Free speech (Score:2)
In this particular case, and IANAL, they could be seeing whether his actions might be inciteful to others. The reality, however, is that they will quietly look at this and decide that no crime was committed.
Re:Free speech (Score:2)
Re:Free speech (Score:3, Insightful)
Welcome to nine-headed Pope land! It is far easier to argue that the 1st Amendment has no limits on it whatsoever than to accept that life is not composed of absolutes. If you believe that any manner of speech is fine, you are more than welcome to your views (and kudos to your tenacity). However, you should also note that the language of the
Re:Free speech (Score:2)
yes, but what he is talking about isnt exactly his opinions on politics or what have you
Congress shall make no law ... abridging the freedom of speech, or of the press about politics.
No, I don't see those words in my Constitution.
if I worked at a company, and decided to 'practice free speech' by harping all of my employers trade secrets, i would no doubt be fired for screwing over the company
Exactly. You would be punished by the company, not by the government, because what you had done would n
Wait, let me get this right? (Score:2)
I may be just a simple caveman, but this sounds like a tremendously bad idea... someone would take advantage of it sooner or later...
The Internet dropping, even for a few hours, would have a profoundly negative impact on the world economy...
I mean, geez, just think about it...
Re:Wait, let me get this right? (Score:2)
On the other hand, knowing about the problem I can now take steps to mitigate it by, for example, making sure my back-up routers are not made by Cisco, or by replacing vulnerable equipment with other types that aren't vulnerable. Of course this would hurt Cisco, which is the reason IMHO they tried to shut the guy up.
Re:Wait, let me get this right? (Score:2)
Cisco would be hurt, no secrets would be divulged, and Cisco would still try to fix the problem before it was discovered...
Of course, without the specifics, the information may be seen as less valid, but if they investigate the source, and the source is a trusted expert (as in this case)
Re:Wait, let me get this right? (Score:2)
I need specific details for a couple of things. Firstly is to evaluate whether this is a real problem. A lot of problems are highly configuration-specific, and I need to test not just whether it's a problem in the general case but also whether it's a problem that I can be bit by given the configuration of my particular network. In addition, I need to be able to test any fixes Cisco might put out. Vendors have had histories of putting out "fixes" just to say they have, but the fix only deals with the one par
Re:Wait, let me get this right? (Score:2)
So what you are saying is that it's a really bad thing for Cisco to cover up a problem that can cause that instead of fixing the problem?
If only companies weren't allowed to cover up something like that. Oh wait, employees with consciences could blow the whistle. Oh wait, one did, and then he was threatened with a lawsuit and investigated by the FBI.
Anyone reminded of Adobe vs Skylarov? As soon as he was arrested, Adobe changed their mind and avoided bad publicity by backing off. Now that the FBI
Re:Wait, let me get this right? (Score:2)
No, covering up a wide-affecting vulnerability should ALSO have consequences.
However, spreading the vulnerability is ALSO just inviting someone to use it.
Sure, Cisco would have to fix it then, but the damage would already be done...
You think too much in blacks and whites, saying 'spreading that information is not a good idea' does not mean that Cisco is doing right, there is a possible conclusion that can be drawn (that I have drawn)
Re:Wait, let me get this right? (Score:2)
Get it right: Cisco is mad because it was exposed (Score:2)
Re:Wait, let me get this right? (Score:2)
A lot of companies use E-mail to arrange things, do online ordering (could mean millions in losses for online only companies)
Such an "attack" would destabalize faith in tech stocks and businesses... prices drop, the companies make adjustments to try and cover these losses... this can cause loss of jobs, revenue, etc...
It'd be a sharp blow... not as bad as blowing up a building, but it'd be a low point for the year, probably...
This doesn't pass the "fire in theater" test (Score:3, Insightful)
Someone should challenge the trade-secret-protection criminal laws on 1st ammendment grounds - yes, there is tort, and yes, restraining orders may be appropriate in rare circumstances, but a criminal conviction, I think not. It's time to give the local jury pool a lesson on free speech and jury nullification.
I hope they drop this ASAP, and if they don't, the ACLU should get involved. This is America, not Soviet Russia.
Re:This doesn't pass the "fire in theater" test (Score:2)
On the other hand, I think this is a case of someone making an ethical decision to violate an NDA because, by his lights, the risk he faces is not as bad as Cisco continuing to have
Re:This doesn't pass the "fire in theater" test (Score:2)
Re:This doesn't pass the "fire in theater" test (Score:2)
The mere existence of the vulnerability on such a popular piece of routing hardware likely would result in someone, somewhere, knowing about it and biding his/her time for the right opportunity to exploit it. The odds are pretty good....
Someone shouting and scaring peo
No fires, nothing to see here.... (Score:2)
Hmm (Score:2, Interesting)
Toms Hardware Pics of Slides (Score:2)
http://www.tomsnetworking.com/Sections-article131
Wile E. Coyote school of security (Score:5, Insightful)
Wile E. Coyote can walk off a cliff and doesn't fall - until the Roadrunner points out there's no ground under his feet.
Apparently the FBI thinks computer security works the same way.
Use a brain, go to jail. (Score:2, Funny)
I don't see why they should care (Score:2)
Cisco is quoted as saying:
Cisco denied that the flaw was as critical as Lynn said it was
Then what really is the problem?
I wonder what would happen... (Score:3, Interesting)
I wonder what would happen if a large user of network equipment, who depends on that equipment operating properly to stay in business, filed against Cisco on this? After all, they know how dependent others are on their equipment, they knew their errors in coding had put those other people at risk, and they not only didn't do anything about the situation they actively tried to block information from the people who'd be harmed. Seems to me that if a dangerous situation existed and the person responsible for it actively tried to keep the people endangered from finding out about it, that's usually grounds for additional penalties against the responsible party.
Cisco discloses actual vulnerability (Score:4, Informative)
http://www.cisco.com/warp/public/707/cisco-sa-200
http://www.eweek.com/article2/0,1759,1841669,00.a
Upshot is that if you aren't running IPv6 on the router, this doesn't affect you.
anonymity (Score:2, Insightful)
The lesson to be learned here is that full, immediate and anonymous disclosure is the best way to publish vulnerabilities. It's too bad that vendors and law enforcement have scared the shit out of such that this is necessary, but they too have to live with the consequences of their actions.
God Bless America(TM) (Score:2)
Big mistake - wrong conference (Score:4, Funny)
Details of Cisco security hole (Score:2, Informative)
Cisco Internetwork Operating System (IOS®) Software is vulnerable to a Denial of Service (DoS) and potentially an arbitrary code execution attack from a specifically crafted IPv6 packet. The packet must be sent from a local network segment. Only devices that have been explicitly configured to process IPv6 traffic are affected. Upon successful exploitation, th
Re:Details of Cisco security hole (Score:2)
That's because it's not the right vulnerability.
Helevius
Wow my Hats off to you Americans (Score:4, Insightful)
The bottom line is that Lynn is a whistle blower, and the FBI should be investigating Cisco for innappropiate conduct by trying to hide (not fix) a serious vunrability that could effect the entire country.
The whole thing sickens me.
Moral of the story (Score:2)
Use a fake name. Wear some kind of disguise to the Black Hat conference (or wherever you're doing your presentation), do your security-flaw-revealing presentation in the disguise and then quickly run off stage and change.
This is no longer the home of the free and I haven't noticed a lot of bravery lately...
The internet has knees? (Score:2)
So you didn't go through proper channels... (Score:3, Informative)
In the mean time, time to do a Freenet search for his paper. I can't believe all of the copies were destroyed.
I looked at the presentation! (Score:5, Interesting)
Lynn shows how to do a remote exploit on Cisco's firmware. This is impressive because the router runs software that attempts to detect inconsistencies. It will reset itself and start up afresh. The big deal is that Lynn shows how an exploit can fix things up and avoid those measures. Basically, his technique is like a ninja, that breaks into a building through a window, but then immediately reassembles the window before the security guard making his rounds can notice that the window got destroyed. That's it!
There's no indication Lynn stole ANYTHING from Cisco, or broke any law.
Lynn apparently "reverse engineered" the OS in order to do this. That's usually fine; it is his right to do that.
Considering this, I'm pretty pissed that Cisco's spokeswoman, Mojdan Khalili, said that Lynn broke the law [slashdot.org] (without saying what law it was). I think that could be libel (or slander -- I'm not a lawyer) -- in any case, Mojdan Khalili, working for Cisco, just ruined this guys rep, and sicced the FBI on his ass.
Perhaps if you write her, she will get Cisco to ask the FBI to lay off the good researcher (ask her to have Cisco "take it all back"). From yesterday, here's her contact info:
978-936-1297 mkhalili@cisco.com
Also, some total jerk looked up her address and posted it (here [slashdot.org]). I think that's totally inappropriate; if you show up on her doorstep and bother her, I hope she calls the FBI on you, you freak!
Companies should offer rewards for patching (Score:3, Interesting)
This might hurt business less in the long run than a widespread, debilitating breakdown. It will be expensive, probably ~$120 a pop in the end, considering payout, as well as the cost of verification hardware/software devlopment and production, but they'll reduce the destruction for their customer's businesses and to their own image.
I don't know just how much this would cut into Cisco's revenues, which would of course reduce short term profits and thus investment interest. Someone up there should be weighing something like this though, however painful it sounds. It would also set Cisco apart in market where cheaper competitors are taking away Cisco's profits. How many of them would go to such lengths in the event of a vulnerability? Companies love insuring themselves against everything.
Re:I hope they nail him to the wall! (Score:2, Insightful)
Re:I hope they nail him to the wall! (Score:3, Interesting)
Re:I hope they nail him to the wall! (Score:5, Insightful)
Two things:
First, Cisco was already aware of the problem and had released a patch for it last April.
Second, Blackhat is not about blackhats. It is about security and is visited by some of the most renown security professionals including ranking officials in the CIA, NSA, and other 3 letter acronyms.
Re:I hope they nail him to the wall! (Score:5, Insightful)
The hole exists. Sometimes it takes shouting about it to get it fixed. He gave them time. If you think 3+ months is enough time or not is a debatable point. But he DID notify them through channels.
Re:I hope they nail him to the wall! (Score:2)
I'll vote for whatever congressdroid steps up with a "Software Infrastructure accountability act of 2005" that actually codifies the "right" sequence/timetable for this sort of thing.
Re:I hope they nail him to the wall! (Score:5, Insightful)
before everybody starts yelling about the need for these things to be reported, there are channels he could have gone through that would have made Cisco aware of the problem
Cisco was aware, in fact they were originally supposed to be co-presenting with him. Lynn contacted them four months ago. The problem is many of their customers were not aware of the problem, and despite reports to the contrary, while the exploit used to get onto the system has been fixed for a while, the ability to run arbitrary code has not. Now Cisco is working to abstract their hardware layer. Put these two items together and you get new routers, with a flaw, where a single, generic exploit can take them all out.
I know a lot less about networking and networking security than Mr. Lynn. I am willing to believe, however, that he would not give up a good, paying job and risk his future employment prospects unless he felt that this was a real and serious risk. Whistleblowers need to be protected and companies that willfully disregard warnings that their incompetence is threatening vital business and communications infrastructure around the world are the ones who should be investigated, not Mr. Lynn.
Re:I hope they nail him to the wall! (Score:2)
How do you know this? That seems to be what everyone is basing their assumptions on the seriousness of the vulnerability on. I'm sorry, but people quit and resign over petty conflicts all the time. Just because this person is a security researcher doesn't make him a martyr, and doesn't necessitate that his resignation was some noble act
Re:I hope they nail him to the wall! (Score:2)
There is no specific outstanding vulnerability. Merely an assertion that Cisco didn't handle a previous vulnerability...
Actually, if you look at the presentation you'll see he presented a walkthrough of exploiting the shellcode which Cisco has done nothing (yet) to mitigate. The (fixed) exploit he mentions was merely an example of how to get on the box, but there are obviously going to be more ways to do that and quite likely someone already knows some of them. He also explains that while this is not th
Re:I hope they nail him to the wall! (Score:3, Informative)
Why didn't he blow the whistle to the US-CERT, then? Yeah, this is a good idea, let's present it at a Black Hat convention. Jeez
Do you have any idea who is at Black Hat these days? It is a huge security convention sponsored by hundreds of major computer and security vendors, even Microsoft is a sponsor. Heck the Department of Defense, the Army, West Point, Stanford Law School, etc. all had people giving presentations. If you want to get the word out when a major threat is being ignored, blackhat is a pr
Re:I hope they nail him to the wall! (Score:2)
More information here [blackhat.com]. Blowing the whistle here is roughly equivalent to sending the info to US-CERT except that US-CERT probably doesn't allow whistle-blowing against a vendor....
Re:How long... (Score:2)
http://www.antiserver.it.nyud.net:8090/Cisco-Expl