
07/28/2005 Archived Entry: "Cisco tries to hush up vulnerability"

When your watchdog barks, shoot it. That seems to be the attitude of Cisco Systems, maker of much of the Internet's infrastructure. When a researcher for Internet Security Systems, Michael Lynn, found a serious flaw in Cisco routers, and tried to present a paper on it at a computer security conference, Cisco literally ripped his talk out of the conference book, and threatened Lynn and the conference organizer -- and I suspect Lynn's employer as well -- with legal action. To his credit, Lynn quit his job and gave the paper anyway.

It's not uncommon for vendors to try to hush up vulnerabilities. Sometimes it's to give the vendor a chance to fix them, but other times it's so the vendor can ignore them. Microsoft vulnerabilities have been left unpatched for over six months, and Oracle bugs up to two years. When this happens, security pros have little choice but to blow the whistle.

It's discouraging to see Cisco reacting with legal threats and claims that these vulnerabilities are their "intellectual property." For two reasons: first, the chilling effect on other researchers in this field, who are a crucial line of defense against Internet attacks. Second, it suggests that Cisco's attitude is "cover it up" rather than "fix it." If you think Nimda, Slammer, and Code Red messed up your Internet experience, wait until someone successfully invades a Cisco router... and with their attitude, it's only a matter of time.

Unless you're in the networking business, there's nothing you can do to prevent it. My advice: make sure you're not dependent on the Internet for crucial communications. (We still have an ordinary telephone, and a fax machine.)

brad
