"Cisco Gate" at DEFCON and Black Hat - Page 3

Buck Fush · 08-02-2005, 10:14 PM

Quote:

Originally Posted by leejo

I don't read this as any vindication for Mr. Lynn, so the "wrong again" remark seems a little cute.

You’re right. That was just me lashing out because I didn’t appreciate you misquoting me.

Quote:

Originally Posted by Apophis

If I made the assumption that he was working on ISS's dime under an NDA then I would agree with you. But as I have previously stated, I have reason to believe this was NOT the case and this was his own research.

This shouldn’t matter since, if he was under an NDA, he almost assuredly was also under an Intellectual Property Rights Agreement which basically means that anything he developed while employed by the company which is consistent with what the company does automatically belongs to the company.

**Apophis** · 08-02-2005, 10:19 PM

Quote:

Originally Posted by Buck Fush

This shouldn’t matter since, if he was under an NDA, he almost assuredly was also under an Intellectual Property Rights Agreement which basically means that anything he developed while employed by the company which is consistent with what the company does automatically belongs to the company.

That's pretty crazy. I have an NDA with my company but anything I develop using my own resources is my own property. I'm not obligated to turn over any research materials to my employer that I develop in my home. Not unless I'm on the clock while i'm doing it.

**Apophis** · 08-02-2005, 10:31 PM

Quote:

Originally Posted by rs_al

The presentation being step by step may be a matter of opinion how much is too much information. What is not a matter of opinion is that it violated both ISS and Cisco's intellectual property rights.

Can you take this presentation and deliver me a functional exploit for this code within the next 6 hours? If it works I'll give you $250. If your opinion is that this document is a step by step process on how to recreate this exploit, you should have no problem in that recreation. If you can't recreate it, then you should reconsider your opinion that it's a "basic" step by step guide.

Quote:

The slideshow contains (as the injunction also notes) the decompiled source code from Cisco's IOS. I'm no fan of closed source, but it is illegal to do this. The slideshow that the lawsuit was filed against contains roughly 8 pages consisting only of source code. The distribution of this slideshow was halted by the injunction, so distributing it is illegal.

I would try and be fair here and call it ~91 lines of code rather than 8 pages. The chunks of code may span 8 pages, but we're only talking about a few lines of code in various snippits throughout the presentation. I guess it can be sensationalized and called "8 pages consisting only of source code", but that would require ignoring the ISS logo, page title and PowerPoint background graphics.

I do believe that releasing this code is against Cisco's TOS. But I also believe that fairness is in order when describing what was actually released.

Quote:

Additionally, he describes how to obtain decompiled code, with steps that directly contradict the Cisco EULA. This is what Cisco sued for- he was breaking the law. They weren't trying to cover up public knowledge of the flaw, they were trying to protect their intellectual property.

I'm not sure what the legal status is on this, I'm sure someone else here might know a little better. But is it illegal to tell someone how to do something that violates another company's TOS? If I were to post instructions on how to rip some CDs into MP3s that you could put up for download, am I breaking the law?

The only thing similar to this that I can think of was the whole Elcomsoft/Adobe issue when the FBI arrested Dmitry Sklyarov for distributing code that allowed people to freely copy Adobe eBooks. I believe that case was eventually dismissed and there was no successful prosecution in that case.

I do not believe that Cisco was simply trying to protect their intellectual property. I do believe they were trying to cover up as much public knowledge of the flaw as possible. But, you know what they say, if you read on the Internet that they were only trying to protect themselves then it MUST be true.

rs_al · 08-02-2005, 11:35 PM

Quote:

Originally Posted by Apophis

Can you take this presentation and deliver me a functional exploit for this code within the next 6 hours? If it works I'll give you $250. If your opinion is that this document is a step by step process on how to recreate this exploit, you should have no problem in that recreation. If you can't recreate it, then you should reconsider your opinion that it's a "basic" step by step guide.

That is not what I meant by opinion. The general misinformation in the news articles going around the net is that there were very few details, that it was mostly just a demo. I was saying that there were details, and there are some very detailed steps- they appear in numbered lists.
1.) do this
2.) do that
3.) do the other thing
Step... by... step.

Quote:

I would try and be fair here and call it ~91 lines of code rather than 8 pages. The chunks of code may span 8 pages, but we're only talking about a few lines of code in various snippits throughout the presentation. I guess it can be sensationalized and called "8 pages consisting only of source code", but that would require ignoring the ISS logo, page title and PowerPoint background graphics.

I do believe that releasing this code is against Cisco's TOS. But I also believe that fairness is in order when describing what was actually released.

I used 8 pages not to describe the amount of source but the amount of the slideshow dedicated to source code. Let's just say my number was a lot more fair than yours:

Quote:

I also have a copy of the full presentation and I don't see any actual source code or specifics on how to perform the attack.

Quote:

I'm not sure what the legal status is on this, I'm sure someone else here might know a little better. But is it illegal to tell someone how to do something that violates another company's TOS? If I were to post instructions on how to rip some CDs into MP3s that you could put up for download, am I breaking the law?

Probably not, but it does prove that the information in the slideshow was obtained illegally, which was part of Cisco's suit.

Quote:

The only thing similar to this that I can think of was the whole Elcomsoft/Adobe issue when the FBI arrested Dmitry Sklyarov for distributing code that allowed people to freely copy Adobe eBooks. I believe that case was eventually dismissed and there was no successful prosecution in that case.

It is similar in that it's a high profile case, yes. Dmitry broke Adobe's encryption scheme, which was not too different from ROT13. The case was complicated by international laws (he was Russian), the fact that the encoding scheme was pretty trivial, and that his software had legitimate business uses (he was using it to allow for DRM-controlled PDFs to be read on Russian platforms unsupported by Adobe).
What Dmitry did not do was decompile the Adobe Acrobat source code, add some comments, and start handing it out. Cisco did not sue because Lynn circumvented their software, they sued because he illegally distributed their source code - the DMCA was not involved.

Quote:

I do not believe that Cisco was simply trying to protect their intellectual property. I do believe they were trying to cover up as much public knowledge of the flaw as possible. But, you know what they say, if you read on the Internet that they were only trying to protect themselves then it MUST be true.

Well it's the exact opposite of what I've read. In between all the sensational "Cisco Gags Security Whistleblower" with little details on what has actually happened, I thought I'd show that he did, in fact, publish their source code illegally, that ISS did have a good reason to pull the presentation (they realized the code was illegal, and was pulling it at Cisco's request to prevent a lawsuit), and that Lynn did violate his employment contract with ISS by showing their presentation.

I did a little fact checking and came to a different conclusion than the rest of the internet, and shared those facts which have been overlooked on a lot of these news stories with you. Don't try to insult my intelligence. If anyone's riding the bandwagon here, it certainly isn't me.

**TheFeniX** · 08-03-2005, 12:57 AM

Quote:

Originally Posted by Apophis

Can you take this presentation and deliver me a functional exploit for this code within the next 6 hours? If it works I'll give you $250. If your opinion is that this document is a step by step process on how to recreate this exploit, you should have no problem in that recreation. If you can't recreate it, then you should reconsider your opinion that it's a "basic" step by step guide.

That's not a very fair bet. I could take "step-by-step" instructions on how to configure say... well, WPA + RADIUS wireless encryption and make it work. Could the average person with no knowledge of networking or wireless? Depends on how well they laid the plans out.

Since I'm in that particular field, I can make leaps in logic based upon my own experiences to fill in any "gaps" in the information. But even if I didn't have that ability, you couldn't argue that no one had it because the average user lacked it.

Does that make sense? I'm not sure either.

**Apophis** · 08-03-2005, 09:33 AM

Quote:

Originally Posted by TheFeniX

That's not a very fair bet. I could take "step-by-step" instructions on how to configure say... well, WPA + RADIUS wireless encryption and make it work. Could the average person with no knowledge of networking or wireless? Depends on how well they laid the plans out.

Since I'm in that particular field, I can make leaps in logic based upon my own experiences to fill in any "gaps" in the information. But even if I didn't have that ability, you couldn't argue that no one had it because the average user lacked it.

Does that make sense? I'm not sure either.

You make a big part of my point though. If you're going to call something a basic step-by-step guide and make it sound as though a particular document makes accomplishing the task easy for just anyone, you really should have the understanding and education behind your statement to be able to pull it off.

It's like me saying it's just a basic procedure to go fix the space shuttle while in orbit. I have not the education or experience to make that statement, and it's possible only 50 people on the face of the planet could do it.

I'm not saying that no-one can re-create the exploit based on the presentation, but that it's not some easy fly-by-night thing to accomplish and would take an enormous amount of R&D time of your own to be able to do anything with the work that Lynn did.

**Apophis** · 08-03-2005, 09:46 AM

Quote:

Originally Posted by rs_al

That is not what I meant by opinion. The general misinformation in the news articles going around the net is that there were very few details, that it was mostly just a demo. I was saying that there were details, and there are some very detailed steps- they appear in numbered lists.
1.) do this
2.) do that
3.) do the other thing
Step... by... step.

You must be speaking of the Shellcode Check List. And they are NOT very detailed. Let me quote those steps here for all to see and determine if they feel they are "detailed" steps.

1. Get Execution
2. Clean Up What We Broke
3. Spawn Process
4. Allocate and Setup TTY
5. Make Connect-Back TCB
6. Start Shell
7. Kill Logger Process
8. Exit Initial Process
9. World Domination

They are rather vague and do no include instructions as how to accomplish all these steps. This is also the ONLY numbered list in the presentation.

Quote:

I used 8 pages not to describe the amount of source but the amount of the slideshow dedicated to source code. Let's just say my number was a lot more fair than yours:

How was a number such as 8 pages more "fair" than 91 lines? A page of paper can print ~66 lines per page with normal type. 8 pages a potential of 528 lines. I counted the lines of code and they added to 91. I don't see how producing a vague number that implies there could be a lot more code there than there really is vs. an actual hard count of the number of lines of code is more "fair".

Quote:

It is similar in that it's a high profile case, yes. Dmitry broke Adobe's encryption scheme, which was not too different from ROT13. The case was complicated by international laws (he was Russian), the fact that the encoding scheme was pretty trivial, and that his software had legitimate business uses (he was using it to allow for DRM-controlled PDFs to be read on Russian platforms unsupported by Adobe).
What Dmitry did not do was decompile the Adobe Acrobat source code, add some comments, and start handing it out. Cisco did not sue because Lynn circumvented their software, they sued because he illegally distributed their source code - the DMCA was not involved.

Ahh, so Lynn is facing a civil suit, being sued by Cisco for violating their TOS whereas Dmitry was actually arrested by the FBI and was facing federal criminal charges. I see the difference. Dmitry committed a far worse crime indeed. ;-)

Quote:

I did a little fact checking and came to a different conclusion than the rest of the internet, and shared those facts which have been overlooked on a lot of these news stories with you. Don't try to insult my intelligence. If anyone's riding the bandwagon here, it certainly isn't me.

I'm not riding any bandwagon. But I am insisting that these "facts" that are presented remain accurate and fair to all parties. I don't agree with sensationalism and making things sound a whole lot worse than they are for the sake of winning an argument. It's a big part of why I stay out of this forum to begin with. But since this WAS my thread, I stayed involved. If you're going to try and take the high road and do this Internet based "fact checking" you need to be able to come back with facts. When you come back with half-facts, you're doing no one any good. Don't insult your own intelligence.

**Apophis** · 08-03-2005, 09:47 AM

Quote:

Originally Posted by rs_al

That is not what I meant by opinion. The general misinformation in the news articles going around the net is that there were very few details, that it was mostly just a demo. I was saying that there were details, and there are some very detailed steps- they appear in numbered lists.

There ARE very few real details. My point in asking you to reproduce the exploit is to prove that to you. If all the details are there, why not make a quick $250?

**Apophis** · 08-03-2005, 10:35 AM

Quote:

Originally Posted by rs_al

It is similar in that it's a high profile case, yes. Dmitry broke Adobe's encryption scheme, which was not too different from ROT13. The case was complicated by international laws (he was Russian), the fact that the encoding scheme was pretty trivial, and that his software had legitimate business uses (he was using it to allow for DRM-controlled PDFs to be read on Russian platforms unsupported by Adobe).

Do you have a source for the ROT13 comment? I've done some research on this particular vulnerability and found that eBooks are actually encrypted using an RC4 key 128 bits long. That seems to be a little harder than "ROT13".

**SephirothValentine** · 08-03-2005, 01:01 PM

Company greed at its finest

rs_al · 08-03-2005, 01:15 PM

Quote:

Originally Posted by Apophis

Do you have a source for the ROT13 comment? I've done some research on this particular vulnerability and found that eBooks are actually encrypted using an RC4 key 128 bits long. That seems to be a little harder than "ROT13".

Looks like the eBooks are encrypted however the user wants to do it, and some users didn't know a lot about encrypting. NPRG group in particular.

From
http://techupdate.zdnet.com/techupda...1118-2,00.html

Quote:

In slide 11, Sklyarov goes on to expose an encryption method used by New Paradigm Research Group, who use it to encode documents that they sell for approximately $3000 per copy. NPRG doesn't appear to be deceiving anyone, because they encrypt only their own documents. Since there isn't much potential for bootlegging of the industrial reports they sell, they probably don't lose anything from the fact that their encryption is laughably weak. It uses a cypher called rot13 that, for each letter, substitutes the letter that comes 13 places after it in the alphabet, looping from Z, back to A. Thus, A becomes N, and N becomes A. The Cryptoquote puzzles in newspapers use stronger code than this. Adobe ships a rot13 decoder as a toy example of how to encode e-books. I wonder if someone at NPRG didn't realize that the example was a toy.

Dmitry's actual slideshow can be found in different places on the net. http://anti-dmca.org/docs.html has it in original .ppt format.

So you are correct, this is not the Adobe eBookReader format, but was used by some companies to encrypt .pdf files.

rs_al · 08-03-2005, 01:30 PM

Quote:

Originally Posted by Apophis

Ahh, so Lynn is facing a civil suit, being sued by Cisco for violating their TOS whereas Dmitry was actually arrested by the FBI and was facing federal criminal charges. I see the difference. Dmitry committed a far worse crime indeed. ;-)

Lynn isn't facing any suit anymore, the lawsuit is over. Cisco and ISS just wanted an injunction to stop Lynn from distributing the slideshow containing IOS source code, and that's exactly what they got, in addition to prohibiting Lynn from using further decompiled source from Cisco.
http://news.google.com/news?hl=en&ne...=Cisco+settles

The federal investigation is ongoing of course- No one seems to know exactly what they are investigating (feds included :P).

As far as Dmitry's crime goes - well, lets just say I lovingly refer to my screwdrivers as "Circumvention Devices" in his memory.

Buck Fush · 08-03-2005, 01:49 PM

Quote:

Originally Posted by rs_al

Cisco and ISS just wanted an injunction to stop Lynn from distributing the slideshow containing IOS source code, and that's exactly what they got, in addition to prohibiting Lynn from using further decompiled source from Cisco.

The injunction also includes a gag order barring Lynn from ever again discussing his findings which all Cisco ever wanted: For Lynn to keep quiet.

**Apophis** · 08-03-2005, 03:33 PM

Quote:

Originally Posted by rs_al

Looks like the eBooks are encrypted however the user wants to do it, and some users didn't know a lot about encrypting. NPRG group in particular.

From
http://techupdate.zdnet.com/techupda...1118-2,00.html

Dmitry's actual slideshow can be found in different places on the net. http://anti-dmca.org/docs.html has it in original .ppt format.

So you are correct, this is not the Adobe eBookReader format, but was used by some companies to encrypt .pdf files.

I shutter to think that someone would actually use ROT13 to protect ANYTHING they wanted to secure. I use it on occasion as a joke, but certainly not on anything I would want to keep from prying eyes.

**Apophis** · 08-03-2005, 03:34 PM

Quote:

Originally Posted by rs_al

Lynn isn't facing any suit anymore, the lawsuit is over. Cisco and ISS just wanted an injunction to stop Lynn from distributing the slideshow containing IOS source code, and that's exactly what they got, in addition to prohibiting Lynn from using further decompiled source from Cisco.
http://news.google.com/news?hl=en&ne...=Cisco+settles

The federal investigation is ongoing of course- No one seems to know exactly what they are investigating (feds included :P).

As far as Dmitry's crime goes - well, lets just say I lovingly refer to my screwdrivers as "Circumvention Devices" in his memory.

My point was that Lynn's actions were a violation of corporate policy, Dmitry's actions were a violation of federal law.

08-03-2005, 01:01 PM	#40 (permalink)
SephirothValentine Join Date: Apr 2005 Location: VA Age: 21 Posts: 316	Re: "Cisco Gate" at DEFCON and Black Hat Company greed at its finest __________________ - "Children in the back seat cause accidents, accidents in the back seat cause children." - "All that is necessary for the triumph of evil is that good men do nothing." ~ SephVal <--> TG-303rd Master Sergeant (MSG) <--> Distinguished Sniper - Class I ~ COD4 Sniper <--> Owner of the Golden Dragunov

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Sponsored links

Sponsored links