Maybe Cisco should take a clue from Microsoft. Like Cisco, Microsoft back in the '90s tried to put the heat on hackers who released exploits against its products. But now Microsoft sends engineers from its product groups to mingle with the same hackers who spend most of their time beating up on Microsoft software.
In all, Microsoft had more than 80 people at Black Hat, according to a Microsoft spokesperson. Like an IE guy I met at the Venus pool as Black Hat was wrapping up (sorry, can't remember his name, as I didn't have any pockets to carry my notepad in). Microsoft rented a poolside tent, and this IE guy wandered in and out of the pool looking for users to give him their perceptions and concerns. He hit me up in the pool where I was cooling my jets, and I gave him an earful about all the heavy security software running on my XP and the impossible security complexities for the clueless end user. He responded with a historical perspective leading to how he's particularly proud of Microsoft's automatic alerting and updating services, which we all know is the best thing going today to minimize risk to the end user. Then he went away for a minute and found me on my chaise lounge, where he handed me a collector's IE 7 water bottle and tickets to Microsoft's exclusive bash at Vegas' hottest night club, Pure, in Caesar's Palace, a bash only the hacker elite are invited to, and one many others tried to social engineer their way into.
Instead of working with these hacking resources, who are essentially acting as free security researchers, what does Cisco do? It sends reps to literally cut all of Michael Lynn's pages out of the Black Hat proceedings and erase the session from the Black Hat CD. Then it slaps Michael Lynn and conference organizer Jeff Moss with court orders and sends two FBI agents to collect the materials. At this point, Jennifer Granick, a famous hacker attorney and director of the Center for Internet and Society at Stanford Law School, accused the two FBI agents of being "lackeys" for Cisco. The court order, she reminded them, was to turn over the materials to Cisco, not the FBI. The FBI left empty-handed.
Sure, Lynn essentially violated a non-disclosure agreement with his company, ISS, and he gave up his job for it. But the horse was out of the barn, the cat out of the bag, the chicken had flown the coop. And Cisco, which is in the information business, should know that once it's out in the wild, such information can't be reined in.
In the end, Cisco did the right thing by dropping the suits and ultimately posting the vulnerability information. But not without giving itself a big, black eye. So instead of lining up for a Cisco party, the hacking community is up in arms about how Cisco tried to lie to its customers and risk an outage on the Internet the likes of which has never been seen.
If there's one thing I know about hackers, it's that they value freedom of information above all. I also know that when they're pissed off, there's no telling what they'll do. So I wasn't surprised when, at Defcon two days later, I heard talk of releasing a zero day against Cisco IOS and not alerting Cisco in advance about it.
Kind of makes you wonder what the best minds at Cisco were thinking when they pulled this blunder.
Did you accept the IE water bottle? If you did, shame on you...
Posted by: John | August 03, 2005 at 10:34 AM
Right, I accepted the bottle. Must have cost them about $2.50 to produce. A real collector's item! And I went to the parties at Pure and the Tangerine, both hosted by Microsoft. I even ate some of their food and drank three or four of my non-alcoholic beverages consisting of cranberry and grapefruit juice with a splash of soda. Probably worth another $20 or so. So I guess that means I've been bribed for, hmm, about $22.50, eh?
Shame shame shame, huh?
Posted by: Deb Radcliff | August 03, 2005 at 10:40 AM
It looks as though Cisco really did take a page from MS. They just had some kind of security incident - they have had to reset ALL their CCO user login passwords.
Posted by: John | August 03, 2005 at 10:53 AM
Forgive the shameless self-promotion but I had sent emails to Cisco and ISS with a couple of questions. ISS came back today with answers (well, more or less, as much as can be expected under the circumstances, I guess). It makes an interesting read.
Posted by: Axel Eble | August 03, 2005 at 03:18 PM
Not shameless at all. It's the typical party line and says no more than what we already know, but at least they responded to you!
Posted by: Deb Radcliff | August 03, 2005 at 06:18 PM
Indeed. I think they managed to steer clear (but only barely) of the barrage. Which is kinda interesting since they are actively pursuing everyone hosting any document related to Lynn's presentation. Must be the lawyers at it :)
Posted by: Axel Eble | August 03, 2005 at 11:00 PM
CISCO/ISS may have dropped their lawsuits but the FBI is still investigating last I heard. Since when is it the FBI's business to investigate CIVIL lawsuits????? Abuse of something.
Posted by: Anon | August 04, 2005 at 07:50 AM
Anon: they're investigating whether Lynn broke criminal law.
Posted by: Axel Eble | August 05, 2005 at 06:04 AM
I thought CCIEs were like sub-gods. They should have used their powers to know not to "F" with an army of Gray and Black Hats. Bad mojo.
P.s. Linking is not illegal:
www.cryptocrome.org/lynn-cisco.zip
Posted by: rob | August 05, 2005 at 09:30 AM
Did anyone see this coming?
http://australianit.news.com.au/articles/0,7204,16159569%5E15306%5E%5Enbv%5E,00.html
Posted by: rob | August 05, 2005 at 09:58 AM
Hey, Rob. Nice to hear from ya again. Yes, as I said in the first blog post about the Cisco fiasco, the hackers were talking zero day. Then in the next post, we showed hackers hit Cisco on Monday. They had to reset all their Cisco.com passwords. What's next? I think they're going to continue pounding away at Cisco IOS to release a working exploit.
Meanwhile, ISS continues to wage legal wars against document posters, and I am wondering if Cisco's behind this, or if ISS is freaked that Cisco might sue them for breach of contract.
Posted by: Hell yes we saw it coming | August 05, 2005 at 10:14 AM