Lynn stirred the
While corporate America may frown at Lynn's actions, he is a hero at Defcon, the more informal gathering of security professionals and enthusiasts that follows Black Hat. T-shirts with anti-Cisco prints have been selling well, and hackers have set up a PayPal account to collect money for a legal defense fund. Jennifer Granick, Lynn's lawyer, is being hailed as his savior.
On Saturday, network security specialist
"For the first time it looks like you can really remotely own a Cisco box," Alder said. "This is a scary thing if you are a network operator. This is a real threat."
Lynn had said that exploitation of the flaw could bring the Internet to its knees. He also warned that criminal hackers may already be working to exploit it.
In her presentation, Alder gave guidelines on how to test network infrastructure security. She criticized Cisco for not publishing an advisory on the security vulnerability exploited by Lynn until Friday, even though the network giant fixed it in April.
In its advisory, Cisco confirmed that older versions of its Internetwork Operating System are flawed in the way they process IPv6 packets. A specially crafted data packet could let a miscreant gain control over the router, but an attack is possible only from a local network segment and only on systems configured for IPv6, Cisco said.
Alder disputed Cisco's argument that the flaw can be exploited only from the local network, saying it is indeed a remote vulnerability. Others in the audience agreed. "It is possible to escalate an attack and get close enough to the router to attack it," said Robert Hansen, a computer security graduate student at the University of Iowa.
Alder then blasted Cisco for going after Lynn.
"Cisco, you are really screwing up," she said, followed by a round of applause. "Suing researchers is not going to make you secure. Alienating the security community is not going to encourage people to come to you and report problems and work with you."
Even federal authorities at Defcon are talking about Lynn and responsible disclosure, if only because everybody is asking them. Jim Christy, director of the U.S. Department of Defense's cybercrime center, had no direct opinion on Lynn's actions. "You have to share information, but you have to share it through the correct channels," he said.
Alder was afraid that she too would be sued. "I am being paranoid because being paranoid pays," she said. Representatives from the Electronic Frontier Foundation sat in the front row during her talk. A burly man followed her around the Alexis Park resort for protection, her own "goon," she said. Goons are the security guards at Defcon.
Lynn
Lynn has yet to be spotted at Defcon.
Well folks, this is cyclical. In the old days, IBM and ATT were giants and people even indicated in movies like Soylent Green they might take over the world. That is fanciful, but today big IT basically is leaning on the White House not to make the now official NIST level 4 authentication using two factor authentication with offline devices mandatory, although all the other G8 nations have done it or are making it law too.
Big IT lobbied the U.S. administration politically, copying the old boys' network. Everyone now sees the White House put into effect a global plan to do two factor authentication with an offline device, as US Commerce Dept NIST level 4, since the cyber treaty, US allies and mostly knowledgeable consumers demand it. In this case, the White House is to be congratulated.
My Pledge
I, Mr. Abdul Tawala Ibn Ali Alishtari, pledge my Foundation to halt child slavery activities including his Global Peace Film Festival, Inc., at www.peacefilmfest.org. I pledge moral support of legal, peaceful activities and my non-profit gifts offshore, onshore and globally, primarily with philanthropy from my personal investment to help halt all fraud, violence and scams hurting innocent children, women and families so help me God.
I experienced it in 1998!! in a fractal image off a news group... dang thing installed a trojan.. stop fooling yourselves folks.. your subconscious fears are real. and even if you try to make your way around the invisible beast... even acting like an angel.. your insight and predictable behavior will nail you.. and if you silently and invisibly protest.. even gentilally... you will get harassed... especially during times like these... Cisco's behavior should be expected.. research cray dudes...
virtualization works... I am no rich engineer or even a hacker.. but if you control the environment around something it can minimize the amount of uncontrolled variables in an equation. security experts call this stuff buffer zones.. why don't you people get off your high horses and talk about what does work rather than what does not... and what happened to those linux boxes with all those nic cards and bus extenders? those things still around? Hey iSCSI is the future you know.. some of those nics, or host bus adapters I should say, are worth drooling over...
Ok I will shut up now... as soon as my openwrt compiles.....
In a 5-year-old's fit, one worker for ISS quit and ran to tell mommy. I'm sorry, but I just don't see why everyone is going to "rally" behind this guy for being so stupid.
If he really just wanted to ensure the information got out, all he had to do was a "hand off" to someone else, or to dozens of others, in a way that wouldn't be easily tracked back to him. At that point ISS and Cisco would need to prove it reasonable that a crime was committed in such information transfer, while not knowing who provided the info, in order to subpoena anyone about it.
I seriously doubt this guy is going to have an easy time of finding a new job, especially where any kind of trust is an issue.
What a lame excuse for good security. It is sad that that's the only way to do it in the US nowadays, but hey, whoever said Greed was a bad thing? Sorry to see he is not making any money off this.