Cisco crapaganda

They are not "Lynn's exploit techniques". The techniques were
published by someone else in considerably more detail than
Lynn along with source code.

What techniques are you referencing? The technique Lynn demonstrated has not been seen anywhere in the wild, as far as I know. Neither he nor ISS ever made the source code available to anyone outside of Cisco or ISS. What publication are you referring to?

You aren't safe just because your network runs on brand X
boxes. The only way to be safe is for your brand X vendors
to take software security and systemic security much more
seriously. I also believe that there are lessons to be
learned from the open source community's approach to security.
This doesn't mean that Cisco or any other Brand X vendor
should just run out and replace their box's OS with
OpenBSD or NetBSD or Linux. But they need to seriously
ask themselves what advantage they gain from inventing
their own wheel and rejecting the work of thousands of
highly skilled and dedicated people.

Quality control.

The general operating systems are not designed with a specific goal of high availability routing in mind, and while they display and can compete on some levels with specialized operating systems, they will lose out in the end. In this regard it is not open source environments that present the benefit, but as you say "thousands of highly skilled and dedicated people". There are very few of those people who are experienced in the realm of high end routing systems.

The general operating system can garner a large support base due to its broad market appeal, its use in both servers, low end routing hardware, and desktops. However, to develop strong support for a reduced feature set and circumscribed is difficult. The same number of dedicated developers will be reduced and the amount of time highly specialized developers will focus on that code base will be diminished.

You can see examples of similar behavior in the subsets of Linux developed for embedded systems, like the WAP Linksys routers.

That being said, who would continue to buy Cisco equipment if IOS was available elsewhere? The Chinese market is already flooded with Cisco knock-offs, the rest would most certainly follow if it was legal.

Out of curiosity, what, in your opinion, is the open source community's approach to security? I have seen differing approaches from different groups, some which are downright despicable (methods, not people).

There really is no such thing as closed source. The people
building these exploits are fully capable of taking
code from ROM or flash memory and reading what it does.

I've had some experience with reverse engineering and disassembly, and while it is true that you can analyze an image of a running program and find what it does, that is a long, long step from having the kind of understanding of a program you can gain through the actual source code.

It's all fine and well to have layers of security but
hiding your source code really shouldn't be counted
as a security layer.

Obscurity should never be counted on as a sole security layer, but it does add a level of difficulty. One of the major themes in the security industry is mitigation. Obscurity does not add a level of security, but it does reduce the number of people who can easily accomplish a task. It raises the bar and reduces the pool of attackers.

Even if someone managed to eliminate Lynn and all past
and current employees of ISS by exiling them to Cuba,
this would not stop the hackers who are exploiting
network device flaws.

Did anyone ever think that?

Didn't Lynn come out and say flat out that he'd found a lot of information
on a Chinese website (with the implication that the website had even more
information than what he presented)?

No. Not at all. Lynn found information on Chinese websites indicating people were actively working to exploit IOS, not that anyone had actually done so.

> What techniques are you referencing? The technique Lynn demonstrated
> has not been seen anywhere in the wild, as far as I know. Neither he
> nor ISS ever made the source code available to anyone outside of
> Cisco or ISS. What publication are you referring to?

Didn't Lynn come out and say flat out that he'd found a lot of information
on a Chinese website (with the implication that the website had even more
information than what he presented)?

A black hat who is not Chinese has published some slides with
far more explicit step-by-step details of how to crack IOS using
the techniques that Lynn glossed over in his presentation. This
person also claims to have source code available on his website
for download but I didn't look to know for sure.

As for the Chinese connection, there is a fairly long document
circulating on the net from a couple of years back. It is translated
from Chinese and it is about modern techniques of information warfare.
I think a lot of people interested in network security are aware
that lots of Chinese hackers are at work out there and that
they are good at what they do. Since all blackhats tend to
communicate with each other to share ideas and to brag about
their exploits, it is entirely possible that this Cisco
exploit began in China.

It is a nice myth to believe that a company like ISS does all
their own work in-house and that their employees are all super
gurus. But I would hope that most of you realize this is not
true. Companies like ISS leverage the work of blackhats just
like any hacker does. That's why I don't think gagging Lynn or
ISS or the Blackhat conference will have any positive effect
whatsoever. In fact, I would argue that this legal manoeuvring
has had a net negative effect because it has now been widely
published that Cisco exploits are possible. This means that
many more hackers are now trying to craft their own exploits
and own Cisco routers.

Of course, in the end, Juniper is also vulnerable. Nortel is
vulnerable. Every manufacturer of routing/switching equipment
is vulnerable. Modern electronic devices are all built around
embedded computers with complex software running on them. The
root of all these vulnerabilities is our inability to write
complex software that is free of bugs.

Now I believe that Open Source software techniques can solve
this root problem because many eyes can find more bugs.
This doesn't just mean *BSD and Linux. There are also
systems like OSKit (The OSKit Project)
and RTAI http://www.rtai.org/ that are more appropriate
for building things like routers.

--Michael Dillon

What techniques are you referencing? The technique Lynn demonstrated
has not been seen anywhere in the wild, as far as I know. Neither he
nor ISS ever made the source code available to anyone outside of
Cisco or ISS. What publication are you referring to?

Didn't Lynn come out and say flat out that he'd found a lot of information
on a Chinese website (with the implication that the website had even more
information than what he presented)?

A black hat who is not Chinese has published some slides with
far more explicit step-by-step details of how to crack IOS using
the techniques that Lynn glossed over in his presentation. This
person also claims to have source code available on his website
for download but I didn't look to know for sure.

I, desperately, hope you are not referring to Raven Adler's presentation at Defcon following Black Hat. If so, I think "far more explicit step-by-step" is quite an over-characterization of what she presented. If not, once again, I'd ask you to cite sources rather than make broad sweeping statements about what is already available. Appealing to some anonymous authority in order to claim the sky is falling is hardly endearing.

Since all blackhats tend to
communicate with each other to share ideas and to brag about
their exploits, it is entirely possible that this Cisco
exploit began in China.

That's a fairly bold statement. I'd also hesitate to label Lynn as a black hat as his actions, notification of vendor, confirmation of a patch, and release, are not characteristic of a black hat. I'd suggest that generalization is incorrect in any case, researchers of any hat, in my experience, keep their secrets amongst a small group.

It is a nice myth to believe that a company like ISS does all
their own work in-house and that their employees are all super
gurus. But I would hope that most of you realize this is not
true. Companies like ISS leverage the work of blackhats just
like any hacker does. That's why I don't think gagging Lynn or
ISS or the Blackhat conference will have any positive effect
whatsoever. In fact, I would argue that this legal manoeuvring
has had a net negative effect because it has now been widely
published that Cisco exploits are possible. This means that
many more hackers are now trying to craft their own exploits
and own Cisco routers.

I agree that this was a very large public relations blunder on the part of ISS and Cisco. Their actions caused undue attention to be placed on this issue and put both groups on the wrong side of a very public argument. On the other hand, Lynn is exactly the sort of guru you describe. Riley Eller said it best "If you put him and a (Cisco) box in a room, the box breaks."

Having spoken with him throughout development of this technique, I can assure you that it was not developed, and further, not propagated to anyone outside of ISS with Lynn's knowledge. He has taken every care possible to ensure that this did not leak. That's not to say it will not; certain members within ISS were keen on originally releasing this to the public before informing Cisco, which prompted Lynn to resign on the spot before he was talked into returning after they dropped the subject of uninformed public release.

Now I believe that Open Source software techniques can solve
this root problem because many eyes can find more bugs.
This doesn't just mean *BSD and Linux. There are also
systems like OSKit (The OSKit Project)
and RTAI http://www.rtai.org/ that are more appropriate
for building things like routers.

"Many eyes can find more bugs" implies several things. It implies that a large group of people are investigating bugs, and that they are qualified to find bugs of this nature. I would argue that the number that meet both criteria is small in the open source world. That is not to imply that there are untalented people in the FOSS community, only that they are not interested in locating bugs or ensuring security of a specialized routing operating system as their primary function.

It boils down to the following question: Do you think the benefit of releasing the source code for IOS, allowing independent researchers access to the source code in order to locate flaws, outweighs the costs of that release, allowing criminals access to the source code in order to locate flaws and forfeiting trade secrets? In the case of Cisco, I'm sure the latter weighs more heavily in their mind.

If not, once again, I'd ask you to cite sources rather
than make broad sweeping statements about what is already available.
Appealing to some anonymous authority in order to claim the sky is
falling is hardly endearing.

I think that people who specialise in security know what
I am referring to. I won't say any more publicly since
there are black hats reading this list. If they don't already
know about this stuff, I'm not going to help them.

If anyone wants to know what I am talking about, then
go to the security people in your company and ask them.
The company pays them to keep abreast of this stuff.

That's a fairly bold statement. I'd also hesitate to label Lynn as a
black hat

I never labelled Lynn as a blackhat. I said that Lynn and
ISS and all other similar firms and researchers do the
same thing as blackhats. They monitor communications of
blackhats and learn from them. This activity does not make
someone into a blackhat.

researchers of
any hat, in my experience, keep their secrets amongst a small group.

It is human nature to brag about what you have discovered and
for many blackhats, this is the only return they get for their
work. I agree that whitehats like Lynn are generally much more
careful about their secrets which is why Lynn's presentation was
quite vague about many things.

On the other hand, Lynn is exactly the sort of guru
you describe. Riley Eller said it best "If you put him and a (Cisco)
box in a room, the box breaks."

I'm sceptical about such rhetoric.

It boils down to the following question: Do you think the benefit of
releasing the source code for IOS, allowing independent researchers
access to the source code in order to locate flaws, outweighs the
costs of that release, allowing criminals access to the source code
in order to locate flaws and forfeiting trade secrets? In the case of
Cisco, I'm sure the latter weighs more heavily in their mind.

First, I don't think there will be any trade secrets of great value
revealed by the source code. Software and systems have a long history
and people continue to reinvent wheels that were first invented two
or three generations ago. In any case, people looking for trade secrets
simply acquire the boxes and reverse engineer.

Second, I don't suggest that Cisco suddenly release their code. But
I can imagine a phased approach where they release the code to an
ever widening circle of people, and then finally make it completely
open. Or they could phase in a new codebase using Open Source as the
foundation.

--Michael Dillon

I, desperately, hope you are not referring to Raven Adler's
presentation at Defcon following Black Hat.

No, I am referring to something that was published
3 years ago and describes substantially the same
exploits and techniques as Lynn described except the
3 year old document has much more technical detail and
offers a URL where source code for the exploits can
be acquired.

Maybe Lynn rediscovered this independently. Maybe he
heard rumours of an exploit in blackhat communications
and this guided him where to look. But if my memory
serves me correctly, Lynn himself claimed that his work
was based on the work of a blackhat.

--Michael Dillon

Michael.Dillon@btradianz.com writes:

If not, once again, I'd ask you to cite sources rather
than make broad sweeping statements about what is already available.
Appealing to some anonymous authority in order to claim the sky is
falling is hardly endearing.

I think that people who specialise in security know what
I am referring to. I won't say any more publicly since
there are black hats reading this list. If they don't already
know about this stuff, I'm not going to help them.

Get a grip, Michael. Any black hat who reads this list already knows
this information (if indeed it exists; acting mysterious isn't gaining
you any credibility with the cynical among us, and of course you
aren't even providing enough detail for people with clues to discern
what the bloody heck you're referring to). All you're doing is
withholding data from the non-black-hats.

                                        ---rob

Inability? I'd rather say it's an economic question. Would you want to
pay for proven bug-free software? Think twice (and look at some expense
figures for such software first). :-)

Regards,
Daniel

I will say it is also about development time. We are continuously asking for
new features (sometimes somehow artificially generated by the market or the
vendors?), so they need to work faster, test faster ...

Regards,
Jordi

Get a grip, Michael. Any black hat who reads this list already knows
this information (if indeed it exists; acting mysterious isn't gaining
you any credibility with the cynical among us, and of course you
aren't even providing enough detail for people with clues to discern
what the bloody heck you're referring to). All you're doing is
withholding data from the non-black-hats.

*sigh*

I have no special sources of info. One Monday morning
I saw the traffic on this list about Lynn's presentation.
None of the posted URLs worked. One of them led to a legal
document ordering that the slides not be posted. So what
did I do?

That's right, I turned to Google. I found articles written
by people who attended the presentation. One person had
posted a zip file with photos of all of Lynn's slides as
presented at BlackHat. I even managed to find the PDF file
with the edited version of the slides that was the target
of the lawyers.

But I found more. It seems that a guy using the name FX
has been publishing stuff about Cisco heap exploits for
years now. I found his slides from a presentation made
at BlackHat Las Vegas in 2002. Lots of juicy detail. And I
found a long document translated from Chinese about modern
information/economic warfare.

I really didn't think this stuff was all that hard to find
because it took me all of 30 minutes.

The big question in my mind is why did Cisco freak out when
somebody wanted to present an overview of exploits that have
been worked on by hackers for the past 3 years? Especially
when Lynn is giving them some valuable free advice, i.e.
don't make it easier for hackers to use heap exploits.

Thanks to Drew's posting I now know that FX presented
again at BHLV a year later pointing out a UDP exploit that
can be used to facilitate building the correct heap exploit
for a specific IOS release and architecture.

It seems to me that Cisco has a fundamental communications
problem in regards to security. Their actions against Lynn
did not stop people from reading his slides and his slides
were not nearly as informative as the older slides from FX.
Also, Cisco seems stuck in the traditional vendor-customer
communications cycle that causes them to ignore or deprioritize
security related communications unless it comes to them
through a major customer. In fact, the people who REALLY
know this stuff may not work for a major Cisco customer
or if they do, they may not have access to the privileged
communications channels within their company.

--Michael Dillon

Give a man a fish and you feed him for a day, teach him
how to fish and you feed him for a lifetime.