Friday, July 29, 2005

Cisco Reaches Accord With Security Researcher

Former ISS employee Michael Lynn has agreed to terms with Cisco that will end its suit against him.

Mr. Lynn defied requests from Cisco and Internet Security Systems regarding his talk on Cisco IOS software and the potential harm that could come from exploits. Instead of discussing a different topic at the Black Hat conference in Las Vegas, Mr. Lynn gave his original talk and demonstrated how, if a flaw were present, an attacker could gain control of a Cisco router.

Cisco filed a complaint claiming that Mr. Lynn's reverse engineering of the IOS code infringed on its intellectual property. A court agreed and issued the requested injunction against Mr. Lynn. He will be required to give back any related materials to Cisco, and is barred from discussing the problem cited in his talk.

Conference organizers, who claimed they did not know Mr. Lynn was going to defy Cisco's request and discuss the IOS problem anyway, will have to hand over a video tape of Mr. Lynn's talk, according to TechWorld.

The injunction was "probably good for their bottom line - and bad for the country," Mr. Lynn said in the Los Angeles Times. For its part, Cisco claims it needed more time to understand "the broader scope and impact" of the flaw, to better serve its customers.

The type of action Cisco took generally happens when someone takes a newly-discovered flaw public. But that wasn't the case here. In his talk, Mr. Lynn showed how a flaw, if present, could be exploited. He used a router running a version of IOS that contained a flaw Cisco patched in April.

That patch came as a result of research Mr. Lynn and ISS provided to Cisco earlier this year. Until last week, Cisco apparently was supporting Mr. Lynn's proposed talk, and even planned to be part of it, again according to the Times.

A greater problem comes from how Cisco, which has its routers and other hardware devices in countless parts of the globe, will now be perceived by security researchers. Instead of sharing flaws with the company, those researchers may be tempted to keep quiet and avoid incurring Cisco's legal wrath.

That would be a disastrous scenario if another researcher found the same flaw and, instead of reporting it or keeping silent, disclosed its presence to malicious attackers. Perhaps Cisco should better clarify its practices regarding security disclosures going forward.

David Utter is a staff writer for WebProNews covering technology and business.

News Tags: Security, Cisco
