July 30, 2005 10:15 PM PDT

Hackers rally behind Cisco flaw finder

LAS VEGAS--Attendees at the Defcon security event denounced the way Cisco Systems and Internet Security Systems dealt with Michael Lynn after he showed that it is possible to hack Cisco routers.

Lynn stirred the Black Hat security conference here Wednesday by quitting his job at ISS, a move taken so that he could demonstrate that he could gain control of a Cisco router by exploiting a security flaw. He did so in defiance of Cisco and ISS, which had agreed to cancel the talk. Cisco and ISS subsequently sued Lynn and the Black Hat organizers, charging public disclosure of illegally obtained proprietary information.

While corporate America may frown at Lynn's actions, he is a hero at Defcon, the more informal gathering of security professionals and enthusiasts that follows Black Hat. T-shirts with anti-Cisco prints have been selling well, and hackers have set up a PayPal account to collect money for a legal defense fund. Jennifer Granick, Lynn's lawyer, is being hailed as his savior.

On Saturday, network security specialist Raven Alder gave a presentation on the vulnerability of the Net's infrastructure. She did not repeat Lynn's demonstration, but Alder said Lynn's disclosure was important to the security of the Net. The room was packed and roiled about what some people at Defcon call "Cisco-gate."

"For the first time it looks like you can really remotely own a Cisco box," Alder said. "This is a scary thing if you are a network operator. This is a real threat."

Lynn had said that exploitation of the flaw could bring the Internet to its knees. He also warned that criminal hackers may already be working to exploit it.

In her presentation, Alder gave guidelines on how to test network infrastructure security. She criticized Cisco for not publishing an advisory on the security vulnerability exploited by Lynn until Friday, even though the network giant fixed it in April.

In its advisory, Cisco confirmed that older versions of its Internetwork Operating System are flawed in the way they process IPv6 packets. A specially crafted data packet could let a miscreant gain control over the router, but an attack is possible only from a local network segment and only on systems configured for IPv6, Cisco said.

Alder disputed Cisco's argument that the flaw can be exploited only from the local network, saying it is indeed a remote vulnerability. Others in the audience agreed. "It is possible to escalate an attack and get close enough to the router to attack it," said Robert Hansen, a computer security graduate student at the University of Iowa.

Alder then blasted Cisco for going after Lynn.

"Cisco, you are really screwing up," she said, followed by a round of applause. "Suing researchers is not going to make you secure. Alienating the security community is not going to encourage people to come to you and report problems and work with you."

Even federal authorities at Defcon are talking about Lynn and responsible disclosure, if only because everybody is asking them. Jim Christy, director of the U.S. Department of Defense's cybercrime center, had no direct opinion on Lynn's actions. "You have to share information, but you have to share it through the correct channels," he said.

Alder was afraid that she too would be sued. "I am being paranoid because being paranoid pays," she said. Representatives from the Electronic Frontier Foundation sat in the front row during her talk. A burly man followed her around the Alexis Park resort for protection--her own "goon," she said. Goons are the security guards at Defcon.

Lynn settled his differences with Cisco and ISS on Thursday in a deal under which he agreed never to repeat the information he gave at Black Hat. He also has to hand over any Cisco source code in his possession.

Lynn has yet to be spotted at Defcon.

20 comments

world-famous
No too long ago, skilled hackers were rewarded with fat salaries and fancy titles after being busted for their shenanigans. Now, Max Vision -- a world-famous incarcerated hacker-turned-security-expert once making $250 an hour -- is happy to be getting minimum wage.

Davis,
http://www.my-loan-insurance.co.uk/
Posted by ip_fresh (59 comments)
Big IT versus small consumers is no brainer for US
Mr. AT Alishtari, Founder and POA, EDI Secure LLLP, says the new megalith is big IT, an impossible idea ten years ago. The big IT companies want no criticism of the way they do business as if the creativity that built big IT is somehow negative when it is focused on their flaws to protect public and private ID.

Well folks, this is cyclical. In the old days, IBM and ATT were giants and people even indicated in movies like Soylent Green they might take over the world. That is fanciful but today the big IT basically is leaning on the White House not to make the now official NIST level 4 authentication using two factor authentication with offline devices mandatory although all the other G8 nations have done it or are making it law too.

Big IT, lobbied the U.S. administration politically, copying the old boy's network. Everyone now sees the White House put into effect a global plan to do two factor authentication with an offline device, as US Commerce Dept NIST level 4, since the cyber treaty, US allies and mostly knowledgeable consumers demand it. In this case, the White House is to be congratulated.
Posted by (66 comments)
My ThinkPad is....People!
sorry, couldn't resist.
Posted by (402 comments)
To update my earlier comments in context, I include the below...
A year ago, January 2006, EDI Secure LLLP was purchased by IDPixie LLC which owns the patent US 6,598,031 B1 granted on July 22, 2003 for APPARATUS AND METHOD FOR ROUTING ENCRYPTED TRANSACTION CARD IDENTIFYING DATA THROUGH A PUBLIC TELEPHONE NETWORK from inventor Mr. Jeffrey Ice. So to update EDI Secure LLLP's place in the marketplace, I add the above and below data.

My Pledge

I, Mr. Abdul Tawala Ibn Ali Alishtari, pledge my Foundation to halt child slavery activities including his Global Peace Film Festival, Inc., at www.peacefilmfest.org. I pledge moral support of legal, peaceful activities and my non-profit gifts offshore, onshore and globally, primarily with philanthropy from my personal investment to help halt all fraud, violence and scams hurting innocent children, women and families so help me God.
Posted by Abdul Tawala Ibn Ali Ali (53 comments)
Your site is getting more annoying day by day
I do not want to fill out your questionnaire. I come here for news, not your annoying popups.
Posted by Harfeld Bilgewing (60 comments)
I've never ever ever
gotten a pop-up on cnet
Posted by volterwd (466 comments)
Adware/Spyware...
You need to clean out your adware and spyware programs, they are making your life hell...
Posted by zaznet (1138 comments)
backdoors for the people
that jpeg bug sure took a long time to fix... I experienced it in 1998!! in a fractal image off a news group... dang thing installed a trojan.. stop fooling yourselves folks.. your subconscious fears are real. and even you if you try to make your way around the invisible beast... even acting like an angel.. your insight and predictable behavior will nail you.. and if you silently and invisibly protest.. even gentilally... you will get harassed... especially during times like these... Cisco's behavior should be expected.. research cray dudes...

virtualization works... I am no rich engineer or even a hacker.. but if you control the environment around something it can minimize the amount of uncontrolled variables in an equation. security experts call this stuff buffer zones..

why don't you people get off your high horses and talk about what does work rather than what does not... and what happened to those linux boxes with all those nic cards and bus extenders? those things still around? Hey ISCSI is the future you know.. some of those nics or host bus adapters I should say are worth drooling over...

Ok I will shut up now... as soon as my openwrt compiles.....
Posted by (187 comments)
Losing battle.
He worked for ISS, the researcher was part of a team, not some lone ranger. The work he did while at ISS belongs to ISS and is thus illegal for him to disclose without their direct permission. As a responsible release of information ISS postponed its demonstration in coordination with Cisco. This shows cooperation between the researchers and the company.

In a 5 year old fit one worker for ISS quit and ran to tell mommy. I'm sorry, but I just don't see why everyone is going to "rally" behind this guy for being so stupid.

If he really just wanted to ensure the information got out, all he had to do was a "hand off" to someone else, or to dozens of others in a way that wouldn't be easily tracked back to him. At that point ISS and Cisco would need to prove it reasonable that a crime was committed in such information transfer while not knowing who provided the info in order to subpoena anyone about it.

I seriously doubt this guy is going to have an easy time of finding a new job, especially where any kind of trust is an issue.
Posted by zaznet (1138 comments)
should be sneaky
So the best critic here can say is he should have been more sneaky, what a lame excuse for good security, it is sad that that's the only way to do it in the US nowadays, but hey, whoever said Greed was a bad thing, sorry to see he is not making any money off this.
Posted by (35 comments)