BusinessWeek blows the Michael Lynn story

BusinessWeek’s Steve Hamm completely blows the Michael Lynn/Cisco IOS vulnerability story in his “Tech Beat” blog entry, which he titled, “The Black Hats must be gloating”:

The Black Hat conference blow-up is really disturbing. According to published reports, what happened was Michael Lynn, who started off the week as a security researcher at Internet Security Systems, defied ISS and Cisco by putting on a presentation at the conference that exposed a flaw in older versions of Cisco’s Internet Operating System. He was fired. Cisco sued him and the conference organizers. The matter was settled out of court Thursday when Lynn agreed never to repeat the information he imparted in his Black Hat presentation and handed over any Cisco software code he had.

Hey, it’s good to expose flaws in software so they can be fixed. But, typically you tell the software maker about them first, and give them plenty of time to fix them, so their products can be patched before much harm is done. Then it’s okay for you to publicize the flaw to show how smart you are and get good press for the security firm you work for. I don’t know all the details behind the story, so I may be all wet. But, based on what has been published so far, I’d say Lynn crossed way over the line.

[Emphasis added.] All the reports I’ve read, including this one from security expert Bruce Schneier — which Hamm linked to in his post — say that Lynn resigned in protest, not that he was fired. Steve, did you even read Bruce’s piece? They also say that he gave Cisco exactly the notice for which Hamm asks.

Shame on Hamm and BusinessWeek for amplifying the corporate perspective on this story without first checking the facts. From all that I’ve read, Michael Lynn is protecting the Internet, and deserves our praise, not this. Steve, you are indeed all wet. Cisco must be gloating, too, for having BusinessWeek buy their spin so completely.

Update: here are some more links that dispute Hamm’s factual errors.