Linked by Andrew Youll on Sat 30th Jul 2005 14:44 UTC, submitted by phaceton
Privacy, Security, Encryption A security expert has agreed never to repeat what he knows about various flaws in Software from networking giant Cisco.
Order by: Score:
scum
by Anonymous on Sat 30th Jul 2005 15:00 UTC
Anonymous
Member since:
---

That microsoft partnership seems to be coming along nicely

Reply Score: 1

v RE: scum
by Anonymous on Sun 31st Jul 2005 05:20 UTC in reply to "scum"
RE[2]: scum
by Anonymous on Sun 31st Jul 2005 13:29 UTC in reply to "RE: scum"
Anonymous Member since:
---

Agree.

It is becoming more and more difficult to find an Microsoft bashing-free comment on OSNews.

Sometimes I would like it woule be called LinOSNews or GentoOSNews ...

Reply Score: 1

RE[2]: scum
by Anonymous on Sun 31st Jul 2005 13:59 UTC in reply to "RE: scum"
Anonymous Member since:
---

Typical of OSNews articles. An article about Cisco and the first troll blames Microsoft.

And you walked right into commenting on it.

Don't feed the trolls.

Reply Score: 0

About the vulnerability
by Jody on Sat 30th Jul 2005 15:07 UTC
Jody
Member since:
2005-06-30

From the little bit of information I have seen on this I believe the vuln only impacts routers configured for IPv6 and requires access to the local network segment to exploit.

Reply Score: 2

Sad to say the least
by anand78 on Sat 30th Jul 2005 15:10 UTC
anand78
Member since:
2005-07-07

Let us see here, what CISCO is trying to do. It is trying to prevent freedom of speech. All in the name of IP rights. I am waiting for someone to sue their A** when a hacker misuses the flaw. Rather than being grateful that someone is helping them make them secure they have chosen the other route.

Reply Score: 3

RE: Sad to say the least
by Jody on Sat 30th Jul 2005 15:26 UTC in reply to "Sad to say the least"
Jody Member since:
2005-06-30

It might not be that simple though. Lynn had actual Cisco IOS code and was likely under and NDA when either Cisco or ISS decided to give him it. I am presuming ISS is likely paid by Cisco to perform audits. If you or I found this vuln and decided to go public with it we would likely be under a different set of circumstances.

Reply Score: 2

RE[2]: Sad to say the least
by Anonymous on Sat 30th Jul 2005 15:54 UTC in reply to "RE: Sad to say the least"
Anonymous Member since:
---

Lynn didn't have source code, he had to reverse the binaries. Cisco was cranky because it affected every verson of IOS except for the latest version and the bug is sevre.

Reply Score: 0

RE[3]: Sad to say the least
by Anonymous on Sat 30th Jul 2005 16:47 UTC in reply to "RE[2]: Sad to say the least"
Anonymous Member since:
---

Wasn't the IOS source code stolen by hackers a couple years back? Lynn might've gotten hold of a copy.

Paul G

Reply Score: 1

RE[3]: Sad to say the least
by Jody on Sat 30th Jul 2005 20:57 UTC in reply to "RE[2]: Sad to say the least"
Jody Member since:
2005-06-30

Well the article does seem to imply that he does/did have IOS source code:
From the article:
"Mr Lynn also has to return any Cisco source code he owns.

Reply Score: 1

RE: Sad to say the least
by Anonymous on Sat 30th Jul 2005 23:28 UTC in reply to "Sad to say the least"
Anonymous Member since:
---

Sorry, this is not a freedom of speech issue whatsoever.

Reply Score: 0

RE: Sad to say the least
by morgoth on Sun 31st Jul 2005 00:58 UTC in reply to "Sad to say the least"
morgoth Member since:
2005-07-08

Quote: "It is trying to prevent freedom of speech. All in the name of IP rights."

Yup. That's the way that the world is going. The lil guy has fuck all rights, the big corporate bastards have all of the rights and can tell you what to do. The law and governments are siding with the large corporations because of greed and money.

This just proves that the open source development model is the way to go. As far as I'm aware, it's not illegal to repeat the src code for patented stuff. It's illegal for you to use it. If it's a trade secret, then it's been revealed, tough shit Cisco. They can sue the ass off the person that revealed it, but do jack shit to anyone else. If it's copyrighted, then they might have a chance, but since the problem part of the src code is =< 5%, then it's legal to repeat it under the copyright. The only thing that Cisco might have in it's favour is the DMCA which makes it illegal to reverse engineer things. Might as well throw the copyright out act, since all of the rights that the copyright act gives the end user have been taken away by the DMCA.

Just my 2.2c (inc GST) worth!

Dave

Reply Score: 2

Buck
by Buck on Sat 30th Jul 2005 16:39 UTC
Buck
Member since:
2005-06-29

Special staff tearing presentaion pages sounds ominous... Democracy is really such a nuisance, such a hindrance for corporations these days, I'm sure they'll ban it really soon. Everyone's gotta be silenced and worship the Stuff that comes from the omniglorious Corporation, regardless of its quality or content of course.

Reply Score: 3

well
by Anonymous on Sat 30th Jul 2005 16:57 UTC
Anonymous
Member since:
---

when cisco went corporate is the day cisco statred downhill.... I am kind of surprised the poeple that started cisco didnt start another company once the suits booted them out... instead of a grunge fingernail polish company... oh well...

i am sure there are plenty of flaws in IOS and security dealing with routers is limited at best... hopefully you have a good featureset and multi-layered protections in place to protect your network....

Reply Score: 0

cisco's patriot act
by Anonymous on Sat 30th Jul 2005 17:18 UTC
Anonymous
Member since:
---

Well, in the time when a government sustained from our own money treat his citizens without regard to the basic rights why not such a nazi practice private company.

You may ask my why "nazi" - because that is what it is comming into my mind when I hear about people ripping books, presentaions and threatening researchers. That is.

I watched the story and I suppose (maybe I am not right) that Mr. Lynn obtained part of his informations by reverse engineering. I don't have knwledge about legal details but could be good posible that his acction were not fair. But hey, sue him Cisco if you don't like! Don't rip papers, exchange CDs etc.

What is really scary is that companies act in such a way like middle age kings. Fortunatly they don't have armies... yet.

Also this class of companies do not comprehend that obfuscation doesn't lead to security. Suppose that Mr. Lynn as evil minded hacker who doesn't write papers or attend conferences. Just write a worm and >click< >enter<. That was with the Internet for today. Would it be better, Cisco?

Fortunattly maybe bacause a PR desaster also Cisco backd off. Tumb up Mr. Lynn and good luck finding a new job...

Reply Score: 1

RE: cisco's patriot act
by Anonymous on Sun 31st Jul 2005 12:50 UTC in reply to "cisco's patriot act"
Anonymous Member since:
---

Well, in the time when a government sustained from our own money treat his citizens without regard to the basic rights why not such a nazi practice private company.

Do you know about this?

http://en.wikipedia.org/wiki/Godwin's_law

Reply Score: 0

extra effort incentive
by DLazlo on Sat 30th Jul 2005 17:48 UTC
DLazlo
Member since:
2005-07-06

Just knowing the flaws are there is enough to spur some on to greater efforts at hacking Cisco, it doesn't matter if any info is availible or not. Unfortunately, many of those that this will encourage are also the type that do it with little or no good will intended.

Reply Score: 1

The competition gets bether.
by Anonymous on Sat 30th Jul 2005 18:21 UTC
Anonymous
Member since:
---

Quagga is a routing software suite, providing implementations of OSPFv2, OSPFv3, RIP v1 and v2, RIPv3 and BGPv4 for Unix platforms, particularly FreeBSD, Linux, Solaris and NetBSD.
http://quagga.net/

OpenBGPD is a FREE implementation of the Border Gateway Protocol, Version 4. It allows ordinary machines to be used as routers exchanging routes with other systems speaking the BGP protocol.
http://www.openbgpd.org/

Reply Score: 0

JT
by Anonymous on Sat 30th Jul 2005 18:24 UTC
Anonymous
Member since:
---

Rather interesting and frankly disappointing behavior by Cisco. IMHO, very dumb move, all they've done is attract a lot of attention from the bad guys (whom, let's face it, probably have copies of cisco's source code anyways) and likely will now be pooring over it. Minor details are sure to continue to leak out, giving the bad guys more ammo to find the flaws and begin exploiting them. If a 0-day exploit hits, Cisco will have no one but themselves to blame.

Now in fairness, maybe they tried to work with Mr. Lynn on proper timing of the release, maybe Lynn is under a NDA, who knows, but all they've done here is create more confusion among the white hats and paint a big fat bullseye on IOS for the bad guys.

More I think about it, wow...incredibly dumb move by Cisco.

JT

Reply Score: 1

Let me get this straight
by Anonymous on Sat 30th Jul 2005 18:41 UTC
Anonymous
Member since:
---

Cisco has had 4 months to fix the bugs. They decided to use a general purpose CPU for IOS (MIPS) knowing the consecuences of doing this. And now they want to pretend the problem doesn't exist by means of security through obscurity and legal threats. Information in itself is not bad. It's irresponsible vendors like Cisco and the proprietary Microseft with de facto monopolies that are harmful. Once a bug is discovered a large percentage of critical systems can be pwn3d before you can say Microseft. And that is why software/hardware monocultures are so bad.

Reply Score: 0

RE: Let me get this straight
by nemith on Sun 31st Jul 2005 15:34 UTC in reply to "Let me get this straight"
nemith Member since:
2005-07-28

The bug was fixed... four months ago. Although the tecnique used to inject the shell code could be used with future exploits.

I am sure Cisco isn't "pretending" that the problem doesn't exist.

Reply Score: 1

Re: By Anonymous (IP: 150.101.114.---)
by CrazyDude0 on Sat 30th Jul 2005 19:14 UTC
CrazyDude0
Member since:
2005-07-10

Hey looks like someone finally brought his head back out of his ass...but yikes he is spreading foul smell everywhere

Reply Score: 1

Further Insight into the Presentation
by Anonymous on Sat 30th Jul 2005 19:16 UTC
Anonymous
Member since:
---

Some insightful comments on slashdot..anyone intrested in the topic should read..

http://it.slashdot.org/comments.pl?sid=157444&cid=13197446

Reply Score: 1

ssme
Member since:
2005-07-06

... and they _are_ a greedy selfish lot, no doubt.

BUT

it is programmers who write crappy programs and other windows and who create bugs.

actually I cannot name another engineering profession where shoddy work considered to be norm, bugs are ok ("every program has bugs, he-he"). and it is always dumb users, managers and other billy gates to blame for bugs, and for everything.

professional "standards" of programming community is a shame, not a joke.

Reply Score: 3

Anonymous Member since:
---

Ola ssme,

are you manager or what? ;-)

I am an engineer, software engineer. In my entire study time I was amazed to see the other engineers having norms, clear rules and strict regulations etc.

You just have to understand that software engineering is still in its infancy and there is a long way to go. Software development is still more creativity than engineering. In REAL engineering you have tolerances but in an if-statement you must have true or false... there is nothing in between...

So, just wait some years... and meantime in this story Cisco deserves the blame for their behavior.
Shame to them!

Reply Score: 0

Wrong/right/right/wrong?
by CrazyDude0 on Sat 30th Jul 2005 23:46 UTC
CrazyDude0
Member since:
2005-07-10

In a way Lynn is right and in another way Cisco is right too. There are two sides of the coin.

Would you not appreciate a person telling a problem in your ford which can cause a fatal accident? Would you punish that person, No? Hell No, he will be a hero. So if you look from that angle, Lynn is hero.

On the other hand, Would you appreciate the same person telling in public a fatal problem in our border security, which can lead to terrorists attacking us? Nah, so if you look from this angle, Lynn is the bad guy. He should tell our border security people about the problem and not to every damn person out there.

I think if you find a problem which is not known or hard to exploit, you should inform the vendor with full details and let people know that there are exploitable vulnerabilities so please patch your systems.

The only problem is that by doing this you don't get well-deserved attention and credibility since people can say he is bluffing. The only way things will be better is, if companies starts rewarding and acknowledging people who find security holes in software and let vendor know in private manner.

In fact many security companies do that and Microsoft has even embraced that many times.

Reply Score: 2

RE: Wrong/right/right/wrong?
by morgoth on Sun 31st Jul 2005 01:04 UTC in reply to "Wrong/right/right/wrong?"
morgoth Member since:
2005-07-08

No. It's the secrecy behaviour that causes all of the problems. If we lived in a totally *open* society, the trust levels would be a lot higher, and I suspect that there'd be a lot less trouble, and a lot less terrorism to boot. You have violence and terrorism in reaction to dictatorships like George W Bush jr.'s government, and the behaviour of the US government in shoving it's viewpoints down any other countries throats. I really hate to break this news to you, but the US is no longer a democratic country, and hasn't been one for quite some time. It's now owned by the large corporation, they are the ones that dictate what happens.

Dave

Reply Score: 3

Fascism Rules!
by Anonymous on Sun 31st Jul 2005 02:07 UTC in reply to "RE: Wrong/right/right/wrong?"
Anonymous Member since:
---

Goodbye democracy hello fascist state. I wonder if George W. would look good with small mustache and a swastika on his arm?

Reply Score: 1

v RE: Fascism Rules!
by pravda on Sun 31st Jul 2005 02:39 UTC in reply to "Fascism Rules!"
Tinfoil hatman
by Anonymous on Sun 31st Jul 2005 02:47 UTC
Anonymous
Member since:
---

Just like Microsoft "It's not a flaw, it's a feature"

It's a feature that we are not supposed to know about, that's all.

It's a feature for a very few select agencies to utilize.

Why the FBI investigation of this guy? To scare this guy to shut up.

He played ball, prison is no place for a geek.

Reply Score: 0

CuriosityKills
Member since:
2005-07-10

Sorry dude, i disagree. Leaking an important information about a security hole which can cause compromise of many machines is as good as writing blaster. He should have gone to correct medium.

And by the way, the first line of your comments made you lose all credibility. You are a lame zealot and nothing else. You are like that small dog on the street barking on an elephant and elephant is not even looking at you ;) If you think you are good, then make other OS better instead of barking here.

Reply Score: 1

v what the hell
by re_re on Sun 31st Jul 2005 05:11 UTC
v RE: what the hell
by pravda on Sun 31st Jul 2005 07:56 UTC in reply to "what the hell"
re: CuriosityKills
by re_re on Sun 31st Jul 2005 05:15 UTC
re_re
Member since:
2005-07-06

........ perhaps leaking this information will prompt them to patch it...

.... if this was opensource it would have probably been patched within a day.

either way... i think this information should be released anyway... otherwise that security hole will sit open for ages

Reply Score: 1

CuriosityKills
Member since:
2005-07-10

Again i disagree, telling that there is a security problem is different than giving exact details such that others can exploit it. The exact details should only be given to the vendor.

Reply Score: 1

this is so simple
by Anonymous on Sun 31st Jul 2005 07:04 UTC
Anonymous
Member since:
---

The security exploit got fixed a while ago, it is cisco fault not to publish the exploit before, so the networking guys could get their routers upgraded and the information given by Lynn were irrelevant now.

From my point of view all of this is the cisco's fault. Lynn just published information about a security problem that is already fixed. Why there is a lot of routers affected by this??... because of cisco "secrets".

Reply Score: 0

Too little, too late, Cisco
by Anonymous on Mon 1st Aug 2005 06:22 UTC
Anonymous
Member since:
---

Slashdot discussion has already pointed to links to the PDF presentation hosted on cryptome.org, attrition.org and others.
Oh well, as least a few people got some work and some lawyers got paid.

Reply Score: 0

Read the talk
by Anonymous on Mon 1st Aug 2005 06:22 UTC
Anonymous
Member since:
---

It appears none of you who posts on this thread has actually understood what this is about.
It's not about publicizing details on flaws nor is it about a particular flaw that affects IPv6. The big thing in Lynn's talk is to refute something that Cisco (and others) has stated for ages namely that it's not possible to execute shellcode remotely on Cisco equipment. Currently it so happen that it can, apparently, be done by exploiting a bug in the Cisco IPv6 implementation but the important point is that it can be done AT ALL and that in the future it could be accomplished by exploiting ohter bugs.
Cisco has NO BUSINESS WHATSOEVER trying to silence these results since they do not detail exactly HOW it can be done only THAT it can be done. And lets not even mention the horribly behaviour of ISS...

Reply Score: 0