"Cisco gate" and "Meet the Fed" at Defcon....

No one ever said the Internet wasn't chock full of contradictions.

On one hand, we have what some are now calling "Cisco gate":

http://news.com.com/Hackers+rally+behind+Cisco+flaw+finder/2100-1002_3-5812044.html

...and on the other hand, we have the DOD Cyber Crime Center folks
at Defcon looking to hire people:

http://news.com.com/2061-10789_3-5812102.html

Wow, what a world, huh? ;)

- ferg

<quote>Alder then blasted Cisco for going after Lynn.
"Cisco, you are really screwing up," she said, followed by a round of
applause. "Suing researchers is not going to make you secure. Alienating
the security community is not going to encourage people to come to you and
report problems and work with you."</quote>

Agreed 100%.

Cisco, are you listening?

By this misbehavior you are seriously discouraging researchers from
releasing info to you. They will suspect you'll sit on the exploit for
months and not tell anyone (as you did with this one). They'll be afraid
you'll try to kill the messenger (as you did with this one).

Instead, they're just going to release exploits into the wild anonymously.
Is this what you want? Then keep it up.

-Dan

Cisco, are you listening?

Cisco is in fact listening. Cisco, like other companies, generally does not release security notices until enough information exists to allow customers to make a reasonable determination as to whether or not they are at risk and how to mitigate possible risk.

The issue underlying the suit wasn't the disclosure of the security issue, although we would have rather worked that according to the usual processes. From what the corporate legal folks tell me, their issue was the disclosure of Cisco intellectual property. Note that it wasn't just Cisco that felt the presentation was out of order; Lynn's employer became "former" because it also felt that way. I'll refer you to the legal brief for anything further on that, but I would really like to see this discussion begin to resemble an informed one.

By this misbehavior you are seriously discouraging researchers from releasing info to you. They will suspect you'll sit on the exploit for months and not tell anyone (as you did with this one). They'll be afraid you'll try to kill the messenger (as you did with this one).

For the record, the vulnerability was first detected by Cisco in internal testing, not by outside researchers, and Cisco's approach to this has been in accordance with the RDF. Part of that process, at Cisco, is to develop work-arounds or updated code that corrects the exploit, testing it, and getting it into the field. Releasing the information on the exploit before that point exposes the ISPs to a vulnerability that they can't fix, or puts them into a scramble to download code that they haven't been able to gain confidence on. I should imagine that the various operators on this list would prefer to get the fix in place before the vulnerability is exposed rather than playing catchup while their pants are around their ankles.

We very much try to work with people that are willing to work with us. We aren't very impressed by people that expose the industry to danger.

Here's the fundamental problem. You guys say that you're willing to work with people. But on the other hand, this weakness has been known for many months, and in fact was supposedly fixed back in April. Michael's paper at Black Hat was known in advance by you and ISS, for months.

  Yet, at the very last possible moment, you guys go all "scorched earth" on him, leaving him no honorable option but to go ahead and do the presentation anyway and suffer the professional consequences that you have caused him.

  That shows how very hypocritical you are, and just how badly you're willing to screw anyone who has tried to work with you, and has successfully done so for years. It's going to be a very long time before you are capable of repairing your reputation in this industry.

  Maybe you need a few hacking attempts that are successful in cracking into virtually every router on the planet, before you will recognize the folly in your action.

  IMO, John Chambers (CEO), Larry Carter (Sr. VP), Dennis Powell (CFO), Randy Pond (Sr. VP), and everyone else working for them that have been involved in this process, have been in direct violation of their fiduciary responsibilities to the shareholders and to the industry as a whole, and you should all be summarily fired.

  You guys seriously need an SEC investigation into this matter. And a hundred billion or so knocked off your market cap. Maybe once all your options are permanently under water you'll get a grasp of the severity of the situation.

Folks, let's end this thread - 'nuff said.

Excuse me, I'm not really fluent in English, so this sentence is not
clear for me:

We aren't very impressed by people that expose the industry to
danger.

Are you sarcastic, talking about the roots of the wonder; people
who write poor software?
Or about thoughtless people acting like kids in a provocative manner
launching a challenge to all the hacker tribes of the world?

From here the case is not obvious. What's the matter? To launch the
internet paralysis contest or to offer to our students a historical
case study of the worst crisis management strategy?

See also: Basic documentation and mainly the item 'Designated
spokesperson'
http://www3.niu.edu/newsplace/crisis.html

Guy Coslado (GC0111) wrote:

Excuse me, I'm not really fluent in English, so this sentence is not clear for me:

We aren't very impressed by people that expose the industry to danger.

It means they give a s**t for us, their customers.

Are you sarcastic, talking about the roots of the wonder; people who write poor software?
Or about thoughtless people acting like kids in a provocative manner launching a challenge to all the hacker tribes of the world?

It is about money:

People who make it sports to find security holes and celebrate parties
in the streets if they find one, are bad. There is no money only noise.
Garbage to clean, ...

People who make profit, selling their bad knowledge secretly to people
making more profit, exploring those security holes are favoured by
them.

From here the case is not obvious. What's the matter? To launch the internet paralysis contest or to offer to our students a historical case study of the worst crisis management strategy?

Tabarnak! Your homepage says they must be camels because they just started
spitting. I don't know who annoyed them but I don't want to be their customer
when they start biting.

See also: Basic documentation and mainly the item 'Designated spokesperson' http://www3.niu.edu/newsplace/crisis.html

Having seen some interesting threads here - or is it threats? Sorry, my English.

What is more dangerous, a soho router in the NIC or some of them big iron?

You know that soho router will come down when you really use it. You don't know
when that big iron will come down but you know for sure, when it comes down
it will bring a lot more damage.

About that spokesperson:

I feel quite comfortable in front of a tv set, as long as it is switched off.

A tv camera behaves somewhat like a tv set that is switched off. At least as
long as that monkey behind it keeps his mouth shut.

I am not afraid of a camera, should that disaster really strike. They will
not find a network to plug their laptop into :)

--
Guy Coslado.

Regards,
Peter and Karin Dambier

fred, seeing as there is not now, and likely never will be fixed
versions for many of our routers (25xx, 17xx, ..., and i can't
find a path up from my 7200 k4p-mz.120-25.4.S on the web site),
your logic tells us that cisco will never announce. i am sure
this is not what you intend.

randy

Randy Bush <randy@psg.com> writes:

fred, seeing as there is not now, and likely never will be fixed
versions for many of our routers (25xx, 17xx, ..., and i can't

No?

Logged in to ftp.cisco.com.
Current remote directory is /cisco.
ncftp /cisco > dir ios/12.3/12.3.15a/2500/
-rw-rw-r-- 1 518 1 11013444 Jul 25 14:50 c2500-c-l.123-15a.bin
-rw-rw-r-- 1 518 1 12303148 Jul 25 15:17 c2500-i-l.123-15a.bin
-rw-rw-r-- 1 518 1 16191744 Jul 25 14:34 c2500-is-l.123-15a.bin
ncftp /cisco > dir ios/12.3/12.3.15a/1700/
-rw-rw-r-- 1 518 1 9779944 Jul 25 15:03 c1700-bnr2sy7-mz.123-15a.bin
-rw-rw-r-- 1 518 1 9186836 Jul 25 14:56 c1700-entbase-mz.123-15a.bin
-rw-rw-r-- 1 518 1 7758064 Jul 25 14:46 c1700-ipbase-mz.123-15a.bin
-rw-rw-r-- 1 518 1 12504136 Jul 25 14:32 c1700-ipvoice-mz.123-15a.bin
-rw-rw-r-- 1 518 1 10068088 Jul 25 15:05 c1700-sv3y-mz.123-15a.bin
-rw-rw-r-- 1 518 1 12826128 Jul 25 15:05 c1700-sv8y7-mz.123-15a.bin
-rw-rw-r-- 1 518 1 8568756 Jul 25 15:06 c1700-sy7-mz.123-15a.bin
-rw-rw-r-- 1 518 1 6992208 Jul 25 15:13 c1700-y7-mz.123-15a.bin
-rw-rw-r-- 1 518 1 5911432 Jul 25 14:49 c1700-y-mz.123-15a.bin

Bjørn

note image size of 11/12/16 mb... note that many (most?) 2500's don't have
16M flash :( many, many referenced before (term servers for instance) are
2mb flash boxes. It's possible that Randy's referring to this sort of
2500. Kindly using himself for a whipping boy instead of the rest of us
with 2500 term servers with 2mb flash :) I suspect the same thing goes for
the 1700's as well in many cases.

note image size of 11/12/16 mb... note that many (most?)
2500's don't have 16M flash :( many, many referenced before
(term servers for instance) are 2mb flash boxes. It's
possible that Randy's referring to this sort of 2500. Kindly
using himself for a whipping boy instead of the rest of us
with 2500 term servers with 2mb flash :) I suspect the same
thing goes for the 1700's as well in many cases.

IIRC the 2500 has an end of support date of 2009 so I expect images
to be available.

Regards,
Neil.

"Christopher L. Morrow" <christopher.morrow@mci.com> writes:

cons uptime is 1 week, 10 hours, 42 minutes
System restarted by power-on
System image file is "flash:igs-i-l.111-9", booted via flash

cisco 2511 (68030) processor (revision D) with 2048K/2048K bytes of
memory.

lather/rinse/repeat... where are the images that fit in my 2501's 2mb
ram/2mbflash? (current, non-vulnerable, ipv6 capable even)

and in order to get 30k devices (more actually) upgraded I'll have to
spend 30k+X dollars? I'm fairly certain that's not going to happen. This
gets back to 2 things:
1) no (practical) upgrade path under security vulnerabilities (hence
reluctance of vendors to release info without fix)
2) possibly unhappy customers and vulnerabilities silently fixed in other
code trains.

Oh well...
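A small upgrade-feasibility checker for the situation described in this part of the thread (Bjørn's ftp.cisco.com listing of 12.3(15a) images and Chris's 2500 with 2MB flash), added here as an example; it is not code from the thread or from Cisco. It parses the two output shapes quoted above, the ncftp `dir` listing and the `with 2048K/2048K bytes of memory` line of `show version`, and reports which images for a platform would fit the box's flash. The format of the flash-size line in `show version`, the platform-prefix filter, and the `c2500-hypothetical-tiny.bin` entry are assumptions or constructed sample data, not anything from the page.

```python
"""Which IOS images from an ftp listing would fit a router's flash?

Added example for this thread, not Cisco's code. Parses the ncftp "dir"
listing and the "show version" memory line quoted in the thread; the
flash line format is assumed, so pass flash_kbytes explicitly when in doubt.
"""
import re

# Columns of the listing quoted in the thread:
# perms links owner group size month day time name
LISTING_RE = re.compile(
    r"^\S+\s+\d+\s+\S+\s+\S+\s+(?P<size>\d+)\s+[A-Za-z]{3}\s+\d{1,2}\s+[\d:]+\s+(?P<name>\S+)\s*$"
)
# "show version" main/shared memory line as quoted in the thread
MEMORY_RE = re.compile(r"with (?P<main>\d+)K/(?P<shared>\d+)K bytes of memory")
# Assumed shape of the flash line ("2048K bytes of processor board System flash")
FLASH_RE = re.compile(r"(?P<flash>\d+)K bytes of .*[Ff]lash")


def parse_listing(text):
    """Return {image_name: size_in_bytes} from ftp 'dir' output; other lines are skipped."""
    images = {}
    for line in text.splitlines():
        m = LISTING_RE.match(line.strip())
        if m:
            images[m.group("name")] = int(m.group("size"))
    return images


def parse_show_version(text, flash_kbytes=None):
    """Extract main/shared DRAM (KB) and flash (bytes). flash_kbytes overrides the parsed flash line."""
    main = shared = flash = None
    for line in text.splitlines():
        m = MEMORY_RE.search(line)
        if m:
            main, shared = int(m.group("main")), int(m.group("shared"))
        f = FLASH_RE.search(line)
        if f:
            flash = int(f.group("flash"))
    if flash_kbytes is not None:
        flash = flash_kbytes
    return {
        "main_kbytes": main,
        "shared_kbytes": shared,
        "flash_bytes": None if flash is None else flash * 1024,
    }


def assess_upgrade(listing_text, show_version_text, platform_prefix, flash_kbytes=None):
    """Split one platform's images into those that fit the box's flash and those that do not."""
    box = parse_show_version(show_version_text, flash_kbytes)
    if box["flash_bytes"] is None:
        raise ValueError("flash size unknown; pass flash_kbytes")
    fits, too_big = [], []
    for name, size in sorted(parse_listing(listing_text).items()):
        if not name.startswith(platform_prefix):
            continue  # images for other platforms are irrelevant to this box
        (fits if size <= box["flash_bytes"] else too_big).append((name, size))
    return {"flash_bytes": box["flash_bytes"], "main_kbytes": box["main_kbytes"],
            "fits": fits, "too_big": too_big}


# Constructed sample input. The three c2500 entries carry the names and sizes quoted
# from ftp.cisco.com in the thread; the "hypothetical-tiny" entry is made up so that
# one candidate fits.
SAMPLE_LISTING = """\
-rw-rw-r-- 1 518 1 11013444 Jul 25 14:50 c2500-c-l.123-15a.bin
-rw-rw-r-- 1 518 1 12303148 Jul 25 15:17 c2500-i-l.123-15a.bin
-rw-rw-r-- 1 518 1 16191744 Jul 25 14:34 c2500-is-l.123-15a.bin
-rw-rw-r-- 1 518 1  1900000 Jul 25 14:00 c2500-hypothetical-tiny.bin
"""

# Constructed "show version" excerpt: memory line as quoted in the thread,
# flash line in the assumed format.
SAMPLE_SHOW_VERSION = """\
cisco 2511 (68030) processor (revision D) with 2048K/2048K bytes of memory.
2048K bytes of processor board System flash (Read ONLY)
"""

if __name__ == "__main__":
    report = assess_upgrade(SAMPLE_LISTING, SAMPLE_SHOW_VERSION, "c2500")
    print(f"flash: {report['flash_bytes']} bytes, main memory: {report['main_kbytes']}K")
    for name, size in report["fits"]:
        print(f"  fits:    {name} ({size} bytes)")
    for name, size in report["too_big"]:
        print(f"  too big: {name} ({size} bytes)")
```

Run across an inventory, the `too_big` list is the population a vulnerability announcement cannot help: those boxes need compensating controls on the management and control plane rather than an image upgrade, which is the operational gap this part of the thread is arguing about.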

cons uptime is 1 week, 10 hours, 42 minutes System restarted
by power-on System image file is "flash:igs-i-l.111-9",
booted via flash

cisco 2511 (68030) processor (revision D) with 2048K/2048K
bytes of memory.

lather/rinse/repeat... where are the images that fit in my
2501's 2mb ram/2mbflash? (current, non-vulnerable, ipv6 capable even)

So are you running IPV6 code on this box now?

no, but I'd like to... since I'm upgrading and all (for security reasons
and ipv6 is so much better for security, right? :) )

no, but I'd like to... since I'm upgrading and all (for
security reasons and ipv6 is so much better for security, right? :) )

ok so your issue is totally irrelevant to the recent "ciscogate"
paranoia?

Neil.

It has quality of service, too! Let's not forget that!

no... not really, not originally, it got morphed into something different
:( So, the ciscogate paranoia, as near as I saw, got down to: "cisco wont
tell people about vulns as soon as they know about them" (or some version
of I don't get to know fast enough about vulns from a vendor, while we
currently bash on cisco)

With that in mind, the example 2500 above is a cisco box, running old code
because it can't be upgraded to current code. Cisco is reluctant to tell
folks in public about vulnerabilities without there being fixes for the
problem in as much running code as possible.

-Chris

ok so your issue is totally irrelevant to the recent "ciscogate"
paranoia?

That would depend on what other exploits cisco has slipstream patched
wouldn't it? (honest question as I don't know but it would be nice if cisco
would clarify the situation)

Geo.

George Roettger
Netlink Services