Maybe Cisco should take a clue from Microsoft. Like Cisco, Microsoft back in the 90's tried to put the heat on hackers who released exploits against its products. But now Microsoft sends engineers from its product groups to mingle with the same hackers who spend most of their time beating up on Microsoft software.
In all, Microsoft had more than 80 people at Black Hat, according to a Microsoft spokesperson. Like an IE guy I met at the Venus pool as Black Hat was wrapping up (sorry, can't remember his name, as I didn't have any pockets to carry my notepad in). Microsoft rented a poolside tent, and this IE guy wandered in and out of the pool looking for users to give him their perceptions and concerns. He hit me up in the pool where I was cooling my jets, and I gave him an earful about all the heavy security software running on my XP and the impossible security complexities for the clueless end user. He responded with a historical perspective leading to how he's particularly proud of Microsoft's automatic alerting and updating services, which we all know is the best thing going today to minimize risk to the end user. Then he went away for a minute and found me on my chaise lounge, where he handed me a collector's IE 7 water bottle and tickets to Microsoft's exclusive bash at Vegas' hottest night club, Pure, in Caesar's Palace – a bash only the hacker elite are invited to, and many others tried to social engineer their way into.
Instead of working with these hacking resources, essentially acting as free security researchers, what does Cisco do? It sends reps to literally cut all of Michael Lynn's pages out of the Black Hat proceedings and erase the session from the Black Hat CD. Then it slaps Michael Lynn and conference organizer, Jeff Moss, with court orders and sends two FBI agents to collect the materials. At this point, Jennifer Granick, a famous hacker attorney and director of Internet and Society at Stanford Law School, accused the two FBI agents of being "lackeys" for Cisco. The court order, she reminded them, was to turn over the materials to Cisco, not the FBI. The FBI left empty handed.
Sure, Lynn essentially violated a non-disclosure agreement with his company, ISS, and he gave up his job for it. But the horse was out of the barn, the cat out of the bag, the chicken had flown the coop. And Cisco, which is in the information business, should know that once it's out in the wild, such information can't be reined in.
In the end, Cisco did the right thing by dropping the suits and ultimately posting the vulnerability information. But not without giving itself a big, black eye. So instead of lining up for a Cisco party, the hacking community is up in arms about how Cisco tried to lie to its customers and risk an outage on the Internet the likes of which has never been seen.
If there's one thing I know about hackers, it's that they value freedom of information above all. I also know that when they're pissed off, there's no telling what they'll do. So I wasn't surprised when, at Defcon two days later, I heard talk of releasing a zero day against Cisco IOS and not alerting Cisco in advance about it.
Kind of makes you wonder what the best minds at Cisco were thinking when they pulled this blunder.