
Cisco Files Suit to Gag Researcher, Security Conference (eWeek)

eWeek covers a recent lawsuit by Cisco and ISS against Michael Lynn. "Cisco Systems and Internet Security Systems have asked a U.S. District Court to issue a restraining order against a former ISS researcher and Black Hat over the leak of information about security holes in Cisco's Internetwork Operating System. The two companies jointly filed an injunction and temporary restraining order Wednesday against researcher Michael Lynn and the Black Hat Briefings Conference, demanding that Lynn and Black Hat Inc. stop disseminating information on security holes in IOS (Internetwork Operating System) that Cisco Systems Inc. alleges was illegally obtained."

Cisco Files Suit to Gag Researcher, Security Conference (eWeek)

Posted Jul 28, 2005 21:02 UTC (Thu) by dmarti (subscriber, #11625) [Link]

Thanks to Cisco's crack legal team, Cisco IOS now has the same TOTAL SECURITY as the CueCat. Wow!

Denial

Posted Jul 29, 2005 0:32 UTC (Fri) by freeio (guest, #9622) [Link] (8 responses)

Security by obscurity only works as long as no one unobscures it. Much like Medusa's box, once you open it, it is well nigh impossible to get the horrid contents back inside.

Even though Cisco and ISS may sue mightily, and perhaps even successfully, the information is now out in the wild. Destroying every paper and digital copy cannot unerase the information which the conference attendees took away in their heads.

To think otherwise is to be in denial.

Denial

Posted Jul 29, 2005 3:24 UTC (Fri) by jtc (guest, #6246) [Link] (7 responses)

"Security by obscurity only works as long as no one unobscures it. Much like Medusa's box, once you open it, it is well nigh impossible to get the horrid contents back inside."

I think you meant Pandora's box. I don't think Medusa had a box. :-)

Flaw researcher settles dispute with Cisco

Posted Jul 29, 2005 7:28 UTC (Fri) by swamig (guest, #23735) [Link]

Found this on ZDNET: http://news.zdnet.com/2100-1009_22-5809390.html

Also, there is a Medusa's box; you can get one at... http://www.finescrollsaw.com/medusa.htm ...

Mythology correction

Posted Jul 29, 2005 12:45 UTC (Fri) by freeio (guest, #9622) [Link] (5 responses)

Oopsie! I learned just enough of Greek mythology to get myself confused, I guess.

But speaking of Medusa, let's see now, wasn't she the one with the terminal case of ugly, and it would kill anyone just to look at her, unless it was in a mirror? So maybe I was talking about how ugly this exploit is. Yeah! That's the ticket!

No? Oh well...

Mythology correction

Posted Jul 29, 2005 17:23 UTC (Fri) by ncm (guest, #165) [Link] (4 responses)

This isn't slashdot. Please have something to say before you post. Also, wait until you're another five or six decades older before you try to get away with the expression "well-nigh".

Cisco doesn't expect to keep Lynn's paper secret. Most likely their goal is to create a "chilling effect" around IOS security research. They'll succeed in driving it underground. That won't stop exploits, but will make customers feel less exposed.

Mythology correction

Posted Jul 29, 2005 18:23 UTC (Fri) by freeio (guest, #9622) [Link] (1 responses)

"This isn't slashdot. Please have something to say before you post. Also, wait until you're another five or six decades older before you try to get away with the expression 'well-nigh.'"

Other than the incorrect mythology reference, I stand by my original post. I agree that intimidation is part of Cisco's plan, but not the whole of it. If possible, they would also like to have been able to undo the release of the information, which they have failed to do.

As for the use of "well nigh", the term was used quite properly. In contemporary English usage, there is no restriction upon the use of the term to persons of any particular age group.

Contemporary English usage

Posted Aug 1, 2005 1:22 UTC (Mon) by xoddam (subscriber, #2322) [Link]

> As for the use of "well nigh", the term was used quite properly.
> In contemporary English usage, there is no restriction upon the
> use of the term to persons of any particular age group.

Well said, that man!

Mythology correction

Posted Jul 31, 2005 18:26 UTC (Sun) by oloryn (guest, #7408) [Link] (1 responses)

> They'll succeed in driving it underground. That won't stop exploits,
> but will make customers feel less exposed.

They may feel less exposed, but they'll really be more exposed. This may be looked upon as good by Cisco's marketing department, but it's actually bad for the customer.

When public perception is at odds with your experience

Posted Jul 31, 2005 19:29 UTC (Sun) by man_ls (guest, #15091) [Link]

In fact, perception is good until exploits start appearing on the darknet and live routers start being taken over. If that does not happen, the emperor keeps his clothes on for some more time.

Cisco Files Suit to Gag Researcher, Security Conference (eWeek)

Posted Jul 29, 2005 13:26 UTC (Fri) by clugstj (subscriber, #4020) [Link] (3 responses)

What seems strange to me about this is that ISS is asking for the restraining order. I would assume that whatever information was "illegally obtained" was done as part of his job at ISS. So, his former employer is asking the government to shut him up for doing the job they were paying him to do?

This makes it look like ISS is just the marketing arm of Cisco.

Not so strange

Posted Jul 29, 2005 14:32 UTC (Fri) by man_ls (guest, #15091) [Link] (2 responses)

In fact, it might be more strange to see Cisco asking for it, if you see the issue from a cynical and rather twisted point of view.

I think that taking the issues to the courts gives the issue much more publicity than just letting the conference go ahead. And publicity about insecurities in IOS is the last thing that Cisco should want. However, for ISS it is free advertising: "Look how good we are, first we discover the issue and then we protect the guys suffering from it, even if it means going after our own employee."

Again, cynical and twisted but possible.

Not so strange

Posted Jul 29, 2005 17:31 UTC (Fri) by ncm (guest, #165) [Link] (1 responses)

ISS has a legal obligation to pursue Lynn. They signed a non-disclosure agreement, and their employee violated it.

This will be bad for ISS no matter what. Who wants to hire a security firm that can't keep its collective mouth shut? In a perfect world, such a firm would be very popular: "We hired Bigmouth Consulting to study our router, and they haven't made a peep about it." In our world, managers are much too timid, and the credibility of security consultants is too little known and too hard to gauge.

score +4, funny

Posted Aug 1, 2005 1:25 UTC (Mon) by xoddam (subscriber, #2322) [Link]

> In a perfect world, such a firm would be very popular:
> "We hired Bigmouth Consulting to study our router, and
> they haven't made a peep about it."

tee hee hee


Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds