
Cisco v. full disclosure

The story has been sufficiently widely reported that we do not need to go into the details here; see Bruce Schneier's summary if you have some catching up to do. In short: Cisco is going after ex-ISS employee Michael Lynn after he made a presentation in Las Vegas on security vulnerabilities in Cisco's IOS. There is now an FBI investigation in the works, and Mr. Lynn faces the possibility of lawsuits from Cisco or ISS (or both). Meanwhile, copies of his presentation are circulating on the net, closely followed by lawyers with takedown notices. BoingBoing has posted a list of mirrors for those of you who have not yet gotten your copy.

Cisco's argument is that Mr. Lynn's presentation discloses Cisco's trade secrets. By this reasoning, Cisco's customers are not entitled to know about vulnerabilities in the boxes they have used to put their networks together. In fact, it appears that Cisco has known about this vulnerability since April, but did not see fit to tell its customers - or anybody else - about it until after Mr. Lynn's presentation. Cisco's concern for its public image has clearly outweighed its concern for its customers' security. The company has turned against disclosure of security problems, and also seems to have forgotten what the net has taught us over the last twenty years or so: attempting to suppress information which has escaped onto the net is not only futile, but it increases the distribution of that information.

There is another aspect of this situation which is worth looking at, however. It has often been said that users of embedded systems do not care about which operating system is running inside. The system is invisible, and all that matters is that it does its job. Security problems clearly increase the visibility of an embedded system. But so do trade secrets, and in an unpleasant way. If Cisco's routers ran Linux, there would be no question of the company using trade secrets to shut down disclosure of vulnerabilities in the core system. There cannot be trade secrets embedded within GPL-licensed code - at least, any such secrets will not remain secret for long. So an attempt to use trade secrets to block disclosure of a security problem is almost certain to fail.

This is a good thing, and a nice added benefit from the use of free software. People may not care about the code running inside their router, phone, music player, automobile, or Furby, but they may yet learn to care about having vulnerabilities in those devices hidden from them. Among the many promises carried by free software is this one: it does not contain secrets which may be used to censor those who would tell you about a problem with your gadget. That is a worthwhile freedom.



Cisco v. full disclosure

Posted Aug 4, 2005 16:27 UTC (Thu) by stevan (subscriber, #4342)

It may not be much, but with Cisco in the running for supplying switches for an upcoming new build project, it is with glee that I have excluded them from the shortlist, based partly on their irritatingly arrogant sales techniques, but mostly as a result of their approach to this case. Not much, I know, but maybe others will also think again. They have done the wrong thing and shouldn't be rewarded for it, IMHO.

S

Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds