Jul 29

Marc Hedlund

Marc Hedlund

BusinessWeek blows the Michael Lynn story

BusinessWeek's Steve Hamm completely blows the Michael Lynn/Cisco IOS vulnerability story in his "Tech Beat" blog entry, which he titled, "The Black Hats must be gloating":

The Black Hat conference blow-up is really disturbing. According to published reports, what happened was Michael Lynn, who started off the week as a security researcher at Internet Security Systems, defied ISS and Cisco by putting on a presentation at the conference that explosed a flaw in older versions of Cisco's Internet Operating System. He was fired. Cisco sued him and the conference organizers.The matter was settled out of court Thursday when Lynn agreed never to repeat the information he imparted in his Black Hat presentation and handed over any Cisco software code he had.
Hey, it's good to expose flaws in software so they can be fixed. But, typically you tell the software maker about them first, and give them plenty of time to fix them, so their products can be patched before much harm is done. Then it's okay for you to publicize the flaw to show how smart you are and get good press for the security firm you work for. I don't know all the details behind the story, so I may be all wet. But, based on what has been published so far, I'd say Lynn crossed way over the line.

[Emphasis added.] All the reports I've read, including this one from security expert Bruce Schneier -- which Hamm linked to in his post -- say that Lynn resigned in protest, not that he was fired. Steve, did you even read Bruce's piece? They also say that he gave Cisco exactly the notice for which Hamm asks.

Shame on Hamm and BusinessWeek for amplifying the corporate perspective on this story without first checking the facts. From all that I've read, Michael Lynn is protecting the Internet, and deserves our praise, not this. Steve, you are indeed all wet. Cisco must be gloating, too, for having BusinessWeek buy their spin so completely.

Update: here are some more links that dispute Hamm's factual errors.

tags:   | comments: 2   | Sphere It

Previous  |  Next

0 TrackBacks

TrackBack URL for this entry:

Comments: 2

  Warguppy [08.02.05 12:50 AM]

Abaddon absolutely did the right thing. Cisco's position that this is fixed is absolutely incorrect. What they have done is made sure that new systems are not vulnerable from the XML vector for any new equipment. They have severely underplayed the potential for disaster here and made no active effort at all to strongly encourage their federal customers fix this immediately. Shame on them for letting it get this far. I am not sure what the basis of ISS's claim that they have a fix for this is based on. Are they going to put a Proventia box in front of the router? Shame on ISS for letting a vendor sweep this under. While Cisco has a big problem with its gear and IOS, ISS has a far bigger problem in that the trust level they have developed over the years is absolutely gone. Matters of national security cannot be driven by corporate greed. It was bad enough when Enron destroyed the peoples ability to retire. Mike has made the single strongest case for open source and full disclosure. I too have known Mike for years and I am immensely proud of him. People are not harping on the real problem, that being that once virtual processes are an integral part of IOS this will be easy to script and worm.

  Ejovi [09.28.05 02:20 PM]

Whenever a writer states "I don't know all the details behind the story, so I may be all wet." disregard everything they say. In writer speak that means "i didn't actually research this piece, but decided its hot enough to write about"

Post A Comment:

 (please be patient, comments may take awhile to post)

Type the characters you see in the picture above.