Reflecting on Cisco's flaws


The incident highlights the thorny issue of when to go public with a
security problem. Security firms and computer vendors generally agree to
do so when there's a patch - or fix - available.

Cisco said it encourages independent security research but said in a
statement that it felt Lynn's presentation "was presented prematurely and
did not follow proper industry disclosure rules." [footnote a]


Worms - malicious programs that spread automatically - are less likely in
today's version of Cisco's operating system because the underlying
software is different enough for each device. That will change in the next
release, making it possible to attack a wide swath of routers without
adjusting the malware for each unique configuration.

Such attacks, Lynn said, could modify routers en masse so that they cannot
receive updates so they are always infected. Worse, attackers could erase
instructions that tell the machine how to turn on.

"The purpose of doing this presentation was to prevent a worm from being
made," he said.

His Las Vegas demonstration was stripped of any information that would
lead anyone to figure out how the technique works, Lynn said.

He also said he decided to defy his employer because Cisco's operating
system source code had been stolen and posted on a hacker Web site.
Additionally, Lynn said, he has seen discussions of Cisco vulnerabilities
posted on Web sites for Chinese hackers.

"Cisco has never told anybody that it was possible to take over one of
their routers," Lynn said. "They fought that argument for a long time. You
can see how far they're willing to go. I demonstrated it live on stage.
That debate is over now."


That changed when Cisco and ISS hired a team of temporary workers to yank
about 20 pages from thousands of conference binders and replace compact
discs with presentation materials. [footnote b]



(a) What are these "industry disclosure rules" and who made them?
(b) Cisco Rent A Cops: "You have the right to unset alias echo, any
echoing will be used against you in a GPL, OpenSource, XML, RPC,
INSERT_LICENSE_HERE court of law."

To reflect on earlier incorrect statements from some here, it is now clear
that some of the presentation was perhaps based on code that was stolen
earlier this year. Secondly, for those who think some April fix worked, you
must have fallen for those patches that came out on April 1st. Good old
Fools' Day.