Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: "Cisco gate" and "Meet the Fed" at Defcon....

  • From: Fred Baker
  • Date: Mon Aug 01 05:50:43 2005
  • Authentication-results: imail.cisco.com; header.From=fred@cisco.com; dkim=pass (message from cisco.com verified; );
  • Dkim-signature: a=rsa-sha1; q=dns; l=1648; t=1122889522; x=1123321722;c=nowsp; s=nebraska; h=Subject:From:Sender:Date:Content-Type:Content-Transfer-Encoding;d=cisco.com; i=fred@cisco.com; z=Subject:Re=3A=20=22Cisco=20gate=22=20and=20=22Meet=20the=20Fed=22=20at=20Defcon....|From:Fred=20Baker=20<fred@cisco.com>|Date:Mon,=201=20Aug=202005=2011=3A47=3A49=20+0200|Content-Type:text/plain=3B=20charset=3DUS-ASCII=3B=20delsp=3Dyes=3B=20format=3Dflowed|Content-Transfer-Encoding:7bit;b=LyP1Njp1mQeVRw5gyUGKsIPbQKjPN9JBpg5Ra1Tt//HJHmCZra4fiDpyqDH/w9HnSjPpWwFb5GwTYy+vgNE4B2sOCog2G0tNkoJ53D1DhXm/TxDsTbS+emsJqQEAQaD1ZD94eZberBjR4Bil82xwBfz0KlInaOIND9RylYDJ6sE=


Cisco, are you listening?
Cisco is in fact listening. Cisco, like other companies, generally does not release security notices until enough information exists to allow customers to make a reasonable determination as to whether or not they are at risk and how to mitigate possible risk.

The issue underlying the suit wasn't the disclosure of the security issue, although we would have rather worked that according to the usual processes. From what the corporate legal folks tell me, their issue was the disclosure of Cisco intellectual property. Note that it wasn't just Cisco that felt the presentation was out of order; Lynn's employer became "former" because it also felt that way. I'll refer you to the legal brief for anything further on that, but I would really like to see this discussion begin to resemble an informed one.

By this misbehavior you are seriously discouraging researchers from releasing info to you. They will suspect you'll sit on the exploit for months and not tell anyone (as you did with this one). They'll be afraid you'll try to kill the messenger (as you did with this one).
For the record, the vulnerability was first detected by Cisco in internal testing, not by outside researchers, and Cisco's approach to this has been in accordance with the RDF. Part of that process, at Cisco, is to develop work-arounds or updated code that corrects the exploit, testing it, and getting it into the field. Releasing the information on the exploit before that point exposes the ISPs to a vulnerability that they can't fix, or puts them into a scramble to download code that they haven't been able to gain confidence on. I should imagine that the various operators on this list would prefer to get the fix in place before the vulnerability is exposed rather than playing catchup while their pants are around their ankles.

We very much try to work with people that are willing to work with us. We aren't very impressed by people that expose the industry to danger.




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.