Old 08-02-2005, 06:14 PM   #16 (permalink)
 
leejo's Avatar
 
Join Date: Sep 2003
Age: 39
Posts: 7,839
Re: "Cisco Gate" at DEFCON and Black Hat

Uh no I bet it was ISS's research and Lynn was the employee tasked with executing it.
leejo is offline   Reply With Quote
Old 08-02-2005, 06:24 PM   #17 (permalink)
 
Join Date: Feb 2005
Location: Littleton, CO
Posts: 608
Re: "Cisco Gate" at DEFCON and Black Hat

Quote:
Originally Posted by rs_al
What he's discovered? He was an employee of Internet Security Systems. What he presented was THEIR work, not his.

It's like if I send you the source code for a class I wrote at work last week. Is there a reason why I shouldn't be able to talk about what I wrote? Yes. It's called an NDA, a legally binding contract I signed when I was hired stating that I would not do that.
What you’re talking about is a trade secret. What we’re talking about here is information that the company was ready to release and only decided not to because a rich giant threatened to sue them to keep it quiet. Also, ISS may own the intellectual rights, but ultimately the work is his. I can’t tell you how I wrote the software that communicates with closed captioning encoders, but I can tell you THAT I wrote the software that communicates with closed captioning encoders.

I can see why ISS would have a problem with this, but the problem here is that Cisco threatened to sue ISS and that is the only reason they forbid Lynn from talking about this. Cisco is saying that it was illegal for ISS to reverse engineer their software. Although Cisco patched the flaw, they still refused to acknowledge that an attacker could do anything more than reboot an afflicted router. Lynn's research proved that this vulnerability could be exploited to gain root access to the router. Cisco still has not acknowledged that this is possible, so NO, they have not done the responsible thing. They are trying to hide a flaw by suing it out of existence. As a user of Cisco products, I applaud Lynn for doing the right thing. Yes, he violated any NDA he may have signed, but in this case I think it was necessary. This is something that hackers trying to get into my network already know. Why am I not entitled to the information?
Buck Fush is offline   Reply With Quote
Old 08-02-2005, 06:30 PM   #18 (permalink)
 
leejo's Avatar
 
Join Date: Sep 2003
Age: 39
Posts: 7,839
Re: "Cisco Gate" at DEFCON and Black Hat

Quote:
Yes, he violated any NDA he may have signed, but in this case I think it was necessary.

So...an NDA in your mind is null and void if one of the signatories decides it is? Now if I can work a clause like that into my mortgage...

In any case, I have a feeling a judge 'n jury will have to decide this one. Mr. Lynn is about to find out about the white man from town's magic.
leejo is offline   Reply With Quote
Old 08-02-2005, 06:48 PM   #19 (permalink)
 
Join Date: Feb 2005
Location: Littleton, CO
Posts: 608
Re: "Cisco Gate" at DEFCON and Black Hat

Quote:
Originally Posted by leejo
So...an NDA in your mind is null and void if one of the signatories decides it is? Now if I can work a clause like that into my mortgage...
Quote:
Originally Posted by Buck Fush
..... As a user of Cisco products, I applaud Lynn for doing the right thing. Yes, he violated any NDA he may have signed, but in this case I think it was necessary.......
Nope. Not what I said. If this matter was taken to court, Lynn would almost definitely lose. I didn't say that the contract was null and void. Matter of fact, I specifically acknowledged that Lynn did violate his NDA but I felt he was right in doing so and I applaud the fact that he did what was right, not necessarily what was right for his pocketbook.

Quote:
Originally Posted by leejo
In any case, I have a feeling a judge 'n jury will have to decide this one. Mr. Lynn is about to find out about the white man from town's magic.
Wrong again.
Cisco, ISS, Michael Lynn and Black Hat sign legal accord
Buck Fush is offline   Reply With Quote
Old 08-02-2005, 07:00 PM   #20 (permalink)



 
Apophis's Avatar
 
Join Date: Oct 2001
Location: Rhode Island, USA
Age: 36
Posts: 8,974
Re: "Cisco Gate" at DEFCON and Black Hat

Quote:
Originally Posted by leejo
Uh no I bet it was ISS's research and Lynn was the employee tasked with executing it.
I'm trying to obtain secondary confirmation, but conversations with presenters at DEFCON and Black Hat lead me to believe this was independent research and not research performed while on the ISS clock. The agreement initially was that Lynn was going to present it as ISS work when it was indeed his own.
__________________
Diplomacy is the art of saying "good doggie" while looking for a bigger stick.
Apophis is offline   Reply With Quote
Old 08-02-2005, 07:04 PM   #21 (permalink)
 
leejo's Avatar
 
Join Date: Sep 2003
Age: 39
Posts: 7,839
Re: "Cisco Gate" at DEFCON and Black Hat

I don't read this as any vindication for Mr. Lynn, so the "wrong again" remark seems a little cute. His high-powered attorney got everyone to agree that he will never talk about this again, that he will return all materials associated with his presentation, that Black Hat will turn over all videos of his presentation, all materials related to it, etc.

Looks like he gave them everything they could possibly want. And he's out of a job.

I also find your attitude about reneging on your word, and a contract is your word, curious. "What is right" to me means doing what you say you will do. A marriage vow isn't "until I decide you're a bitch", it's for life, and an NDA isn't "until I decide my company is wrong" it's PERIOD.

Anyway. Some of you clearly see this guy as some sort of hero. He's just another dime a dozen who thinks he's above the rules the rest of us have to live by to me.
leejo is offline   Reply With Quote
Old 08-02-2005, 07:09 PM   #22 (permalink)



 
Apophis's Avatar
 
Join Date: Oct 2001
Location: Rhode Island, USA
Age: 36
Posts: 8,974
Re: "Cisco Gate" at DEFCON and Black Hat

Quote:
Originally Posted by leejo
Anyway. Some of you clearly see this guy as some sort of hero. He's just another dime a dozen who thinks he's above the rules the rest of us have to live by to me.
If I made the assumption that he was working on ISS's dime under an NDA then I would agree with you. But as I have previously stated, I have reason to believe this was NOT the case and this was his own research.
__________________
Diplomacy is the art of saying "good doggie" while looking for a bigger stick.
Apophis is offline   Reply With Quote
Old 08-02-2005, 07:51 PM   #23 (permalink)
 
rs_al's Avatar
 
Join Date: Oct 2004
Posts: 499
Re: "Cisco Gate" at DEFCON and Black Hat

Here's some more info.

There's a possible FBI investigation into an NDA violation:
http://www.wired.com/news/politics/0...w=wn_tophead_3

The flaw was patched in April. Cisco didn't announce it with a security bulletin until after Black Hat though:
http://www.cisco.com/warp/public/707...729-ipv6.shtml
It is a buffer overrun in the IPv6 code, and can only be executed locally (it involves making a bad packet, so it cannot go beyond your local router). A bad flaw, to be sure. But could this "bring the Internet to its knees" as Lynn claimed? Was this worthy of the title "The Holy Grail: Cisco IOS Shellcode and Remote Execution"? Note the word "remote".

Quote:
Originally Posted by wired article
"The company said the vulnerability was not new and that it had already patched the problem in April and sent revised software to customers. Lynn said, however, that Cisco did not tell customers exactly why the software was revised or indicate that the update was a critical patch."
It is also entirely possible that Lynn himself only found the flaw after it had been patched, and only by decompiling the code, possibly analyzing the patch itself.

Sounds like he was bored at his job and wanted to quit in a way that was sure to piss off his boss.
rs_al is offline   Reply With Quote
Old 08-02-2005, 07:51 PM   #24 (permalink)
 
leejo's Avatar
 
Join Date: Sep 2003
Age: 39
Posts: 7,839
Re: "Cisco Gate" at DEFCON and Black Hat

Yes of course you're right Apo. I'm assuming that an NDA was in force based on Cisco and ISS's quick legal action and the quick capitulation/settlement.
leejo is offline   Reply With Quote
Old 08-02-2005, 07:57 PM   #25 (permalink)



 
Apophis's Avatar
 
Join Date: Oct 2001
Location: Rhode Island, USA
Age: 36
Posts: 8,974
Re: "Cisco Gate" at DEFCON and Black Hat

Quote:
Originally Posted by rs_al
It is a buffer overrun in the IPv6 code, and can only be executed locally (it involves making a bad packet, so it cannot go beyond your local router). A bad flaw, to be sure. But could this "bring the Internet to its knees" as Lynn claimed? Was this worthy of the title "The Holy Grail: Cisco IOS Shellcode and Remote Execution"? Note the word "remote".
The presentation given at DEFCON by Raven discussed the remote vs. local debate. She fiercely went after Cisco for munging the whole concept of local vs. remote exploits.

The exploit CAN be performed on a machine other than the router, which is generally referred to as a remote exploit. Local exploits require access to the machine being exploited. In most cases, these are things such as privilege escalation hacks and the like.

Regardless of what Cisco says, this is indeed a REMOTE exploit.
__________________
Diplomacy is the art of saying "good doggie" while looking for a bigger stick.
Apophis is offline   Reply With Quote
Old 08-02-2005, 08:00 PM   #26 (permalink)



 
Apophis's Avatar
 
Join Date: Oct 2001
Location: Rhode Island, USA
Age: 36
Posts: 8,974
Re: "Cisco Gate" at DEFCON and Black Hat

Quote:
Originally Posted by leejo
Yes of course you're right Apo. I'm assuming that an NDA was in force based on Cisco and ISS's quick legal action and the quick capitulation/settlement.
I attributed the quick action to a DMCA violation rather than an NDA violation.
__________________
Diplomacy is the art of saying "good doggie" while looking for a bigger stick.
Apophis is offline   Reply With Quote
Old 08-02-2005, 09:13 PM   #27 (permalink)
 
rs_al's Avatar
 
Join Date: Oct 2004
Posts: 499
Re: "Cisco Gate" at DEFCON and Black Hat

If you're interested in learning more, there's a link to the injunction that was filed so you can see the actual reasons why the injunction was sought.
http://riskman.typepad.com/perilocit...ability_r.html

There's also a link to the actual presentation below the link that goes to the injunction document. This is the kind of stuff I like, that doesn't show up on the news sites: actual facts.

Fact is, he had actual source code and a lengthy description of how to do the exploit in his presentation, hardly the "demo" without any info implied by some stories.
Also, if I understand the presentation correctly, the source provided has been decompiled from Cisco's IOS.

We're talking just plain illegal, not necessarily under the DMCA, as Cisco explicitly prohibits decompiling their source code (or even unzipping the IOS image) in their EULA, which Lynn violated.

Cisco messed up by not publishing a security advisory when they patched the flaw. The public had a right to be informed about it. But Lynn is no hero. He violated his NDA, he tried to publish actual code saying that it was in the name of informing the public of the flaw - when he was basically giving a step by step guide to exploiting it.

Informing the public of a vulnerability should not require disclosing decompiled source of the vulnerable product nor a step-by-step guide to how to exploit it. Lynn is just a 24 year old who's a little too full of himself.
rs_al is offline   Reply With Quote
Old 08-02-2005, 09:28 PM   #28 (permalink)



 
Apophis's Avatar
 
Join Date: Oct 2001
Location: Rhode Island, USA
Age: 36
Posts: 8,974
Re: "Cisco Gate" at DEFCON and Black Hat

Quote:
Originally Posted by rs_al
If you're interested in learning more, there's a link to the injunction that was filed so you can see the actual reasons why the injunction was sought.
http://riskman.typepad.com/perilocit...ability_r.html

There's also a link to the actual presentation below the link that goes to the injunction document. This is the kind of stuff I like, that doesn't show up on the news sites: actual facts.

Fact is, he had actual source code and a lengthy description of how to do the exploit in his presentation, hardly the "demo" without any info implied by some stories.
Also, if I understand the presentation correctly, the source provided has been decompiled from Cisco's IOS.

We're talking just plain illegal, not necessarily under the DMCA, as Cisco explicitly prohibits decompiling their source code (or even unzipping the IOS image) in their EULA, which Lynn violated.

Cisco messed up by not publishing a security advisory when they patched the flaw. The public had a right to be informed about it. But Lynn is no hero. He violated his NDA, he tried to publish actual code saying that it was in the name of informing the public of the flaw - when he was basically giving a step by step guide to exploiting it.

Informing the public of a vulnerability should not require disclosing decompiled source of the vulnerable product nor a step-by-step guide to how to exploit it. Lynn is just a 24 year old who's a little too full of himself.
I didn't get any of my information from news sites. I only posted references to them so others could read. I got my information from Black Hat and DEFCON. (That's where I disappeared to last week and over the weekend).

I also have a copy of the full presentation and I don't see any actual source code or specifics on how to perform the attack. There's a lot of reference information in the presentation slides that show what portions of the code were vulnerable, but nothing in here that can be simply used to recreate the exploit without a **LOT** more independent research and development.

If you want to stick to what you call "actual facts", please also be reminded that the FBI is currently investigating a POSSIBLE breach of his NDA and that the possibility of charges being filed to that end is unknown.

As for his method of disclosure, please also be reminded that events such as Black Hat and DEFCON are not the same as your run of the mill Symantec updates. People attending these events expect to get much more in-depth as to the nature of the vulnerabilities and the attack vectors used to exploit them. These presentations are geared to hardcore security professionals, not average home Linux/UNIX/Cisco hobbyists.

Calling his presentation a "step by step" guide to exploiting the Cisco vulnerability is stretching it quite a lot.
__________________
Diplomacy is the art of saying "good doggie" while looking for a bigger stick.
Apophis is offline   Reply With Quote
Old 08-02-2005, 09:35 PM   #29 (permalink)



 
Apophis's Avatar
 
Join Date: Oct 2001
Location: Rhode Island, USA
Age: 36
Posts: 8,974
Re: "Cisco Gate" at DEFCON and Black Hat

On a very similar note, read about the recently disclosed vulnerabilities in Oracle and what security researchers ended up doing after Oracle failed to patch the vulnerability after TWO YEARS.

http://www.securityfocus.com/news/11252

This particular vulnerability allowed for the disclosure of the admin password hash allowing an attacker the ability to ultimately gain access to an Oracle database with escalated privileges.

This was also presented at Black Hat this year.
__________________
Diplomacy is the art of saying "good doggie" while looking for a bigger stick.
Apophis is offline   Reply With Quote
Old 08-02-2005, 10:13 PM   #30 (permalink)
 
rs_al's Avatar
 
Join Date: Oct 2004
Posts: 499
Re: "Cisco Gate" at DEFCON and Black Hat

The presentation being step by step may be a matter of opinion how much is too much information. What is not a matter of opinion is that it violated both ISS and Cisco's intellectual property rights.

Quote:
Originally Posted by Injunction
Defendant Michael Lynn is hereby permanently enjoined as follows:
1. From disclosing or disseminating the ISS Presentation... which he acknowledges are required to be returned to ISS under the terms of his employment agreement with ISS
Signed by Lynn's attorney. He acknowledges he violated his employment contract by showing the presentation.

The slideshow contains (as the injunction also notes) the decompiled source code from Cisco's IOS. I'm no fan of closed source, but it is illegal to do this. The slideshow that the lawsuit was filed against contains roughly 8 pages consisting only of source code. The distribution of this slideshow was halted by the injunction, so distributing it is illegal.
Additionally, he describes how to obtain decompiled code, with steps that directly contradict the Cisco EULA. This is what Cisco sued for - he was breaking the law. They weren't trying to cover up public knowledge of the flaw, they were trying to protect their intellectual property.
Quote:
ISS and Cisco stipulate that they had prepared an alternative presentation designed to discuss Internet security, including the flaw which Lynn had identified, but without revealing Cisco code or pointers which might help enable third parties to exploit the flaw, but were informed that they would not be allowed to present that presentation at the conference
The FBI's investigation is entirely separate. In their cease and desist letter, ISS notes: "We also understand that the unlawful distribution of this information is the subject of a federal investigation". The "unlawful" part was established in the original lawsuit.

The flaw could have been disclosed, along with a lengthy description of the hows and the whats and the wheres, without breaking the law. But that's not how Lynn did it.
rs_al is offline   Reply With Quote