Cisco v. full disclosure
[Posted August 3, 2005 by corbet]
The story has been sufficiently widely reported that we do not need to go
into the details here; see Bruce Schneier's summary if you have some
catching up to do. In short: Cisco is going after ex-ISS employee Michael
Lynn after he made a presentation in Las Vegas on security vulnerabilities
in Cisco's IOS. There is now an FBI investigation in the works, and Mr. Lynn
faces the possibility of lawsuits from Cisco or ISS (or both). Meanwhile,
copies of his presentation are circulating on the net, closely followed by
lawyers with takedown notices. BoingBoing has posted a list of mirrors for
those of you who have not yet gotten your copy.
Cisco's argument is that Mr. Lynn's presentation discloses Cisco's trade
secrets. By this reasoning, Cisco's customers are not entitled to know
about vulnerabilities in the boxes they have used to put their networks
together. In fact, it appears that Cisco has known about this
vulnerability since April, but did not see fit to tell its customers - or
anybody else - about it until after Mr. Lynn's presentation.
Cisco's concern for its public image has clearly outweighed its
concern for its customers' security. The company has turned against
disclosure of security problems, and also seems to have forgotten what the
net has taught us over the last twenty years or so: attempting to suppress
information which has escaped onto the net is not only futile, but it
increases the distribution of that information.
There is another aspect of this situation which is worth looking at,
however. It has often been said that users of embedded systems do not care
about which operating system is running inside. The system is invisible,
and all that matters is that it does its job.
Security problems clearly increase the visibility of an embedded system.
But so do trade secrets, and in an unpleasant way. If Cisco's routers ran
Linux, there would be no question of the company using trade secrets to
shut down disclosure of vulnerabilities in the core system. There cannot
be trade secrets embedded within GPL-licensed code - at least, any such
secrets will not remain secret for long. So an attempt to use trade
secrets to block disclosure of a security problem is almost certain to
fail.
This is a good thing, and a nice added benefit from the use of free
software. People may not care about the code running inside their router,
phone, music player, automobile, or Furby, but they may yet learn to care
about having vulnerabilities in those devices hidden from them. Among the
many promises carried by free software is this one: it does not contain
secrets which may be used to censor those who would tell you
about a problem with your gadget.
That is a worthwhile freedom.