Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Cisco crapaganda

  • From: James Baldwin
  • Date: Wed Aug 10 08:56:20 2005

On Aug 10, 2005, at 6:13 AM, Michael.Dillon@btradianz.com wrote:

What techniques are you referencing? The technique Lynn demonstrated
has not been seen anywhere in the wild, as far as I know. He, nor
ISS, ever made the source code available to anyone outside of Cisco,
or ISS. What publication are you referring to?

Didn't Lynn come out and say flat out that he'd found a lot of information
on a Chinese website (with the implication that the website had even more
information than what he presented)?

A black hat who is not Chinese has published some slides with
far more explicit step-by-step details of how to crack IOS using
the techniques that Lynn glossed over in his presentation. This
person also claims to have source code available on his website
for download but I didn't look to know for sure.
I, desperately, hope you are not referring to Raven Adler's presentation at Defcon following Black Hat. If so, I think "far more explicit step-by-step" is quite an over characterization of what she presented. If not, once again, I'd ask you to cite sources rather than make broad sweeping statements about what is already available. Appealing to some anonymous authority in order to claim the sky is falling is hardly endearing.

Since all blackhats tend to
communicate with each other to share ideas and to brag about
their exploits, it is entirely possible that this Cisco
exploit began in China.
That's a fairly bold statement. I'd also hesitate to label Lynn as a black hat as his actions, notification of vendor, confirmation of a patch, and release, are not characteristic of a black hat. I'd suggest that generalization is incorrect in any case, researchers of any hat, in my experience, keep their secrets amongst a small group.

It is a nice myth to believe that a company like ISS does all
their own work in-house and that their employees are all super
gurus. But I would hope that most of you realize this is not
true. Companies like ISS leverage the work of blackhats just
like any hacker does. That's why I don't think gagging Lynn or
ISS or the Blackhat conference will have any positive effect
whatsoever. In fact, I would argue that this legal manouevering
has had a net negative effect because it has now been widely
published that Cisco exploits are possible. This means that
many more hackers are now trying to craft their own exploits
and own Cisco routers.
I agree that this was a very large public relations blunder on the part of ISS and Cisco. Their actions caused undue attention to be placed on this issue and put both groups on the wrong side of a very public argument. On the other hand, Lynn is exactly the sort of guru you describe. Riley Eller said it best "If you put him and a (Cisco) box in a room, the box breaks."

Having spoken with him throughout development of this technique, I can assure you that it was not developed, and further, not propagated to anyone outside of ISS with Lynn's knowledge. He has taken every care possible to ensure that this did not leak. That's not to say it will not, certain members within ISS were keen on originally releasing this to the public before informing Cisco which prompted Lynn to resign on the spot before he was talked into returning after they dropping the subject of uninformed public release.

Now I believe that Open Source software techniques can solve
this root problem because many eyes can find more bugs.
This doesn't just mean *BSD and Linux. There are also
systems like OSKit http://www.cs.utah.edu/flux/oskit/
and RTAI http://www.rtai.org/ that are more appropriate
for building things like routers.
"Many eyes can find more bugs" implies several things. It implies that a large group of people are investigating bugs, and that the are qualified to find bugs of this nature. I would argue that the number that meet both criteria is small in the open source world. That is not to imply that there are untalented people in the FOSS community, only that they are not interested in locating bugs or ensuring security of a specialized routing operating system as their primary function.

It boils down to the following question: Do you think benefit or releasing the source code for IOS, allowing independent researchers access to the source code in order to locate flaws, outweighs the costs of that release, allowing criminals access to the source code in order to locate flaws and forfeiting trade secrets? In the case of Cisco, I'm sure the latter weighs more heavily in their mind.




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.