What was Cisco thinking?
Author(s) - Held Gilbert
Publication year - 2006
Publication title - International Journal of Network Management
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.373
H-Index - 28
eISSN - 1099-1190
pISSN - 1055-7148
DOI - 10.1002/nem.595
Every once in a while a communications organization initiates an action that is not only apparently a bit awkward, but more than likely against the best interest of its customers. During the summer of 2005 Cisco Systems initiated such an action, which makes one ask, ‘What were they thinking?’ Let me explain. For as long as I can remember the annual Black Hat computer security conference has been recognized as a forum for experts, and those who think they are, to discuss vulnerabilities in hardware and software. At the 2005 Black Hat conference held in Las Vegas, Michael Lynn, a security researcher, was scheduled to give a presentation describing flaws in Cisco’s software that, according to the presenter, could enable hackers to take control of networks using Cisco equipment, enabling unauthorized persons to intercept and even misdirect data. Instead of welcoming an investigation of software flaws and spending its energy on correcting the problems enumerated in the planned presentation, Cisco took what I consider a rather strange approach. First, Cisco threatened legal action to stop the conference organizers from allowing the presentation to occur. Then, in what many persons could categorize as an affront to freedom of the press, Cisco’s attorneys convinced the Black Hat conference organizers to remove 20 pages outlining the information about security flaws from the conference program, as well as having approximately 2000 CDs containing the presentation destroyed. According to Cisco, the rationale for its action was to protect its customers and the Internet community from the ‘premature’ disclosure of a potential security flaw. Cisco further maintained that the person who was to give the presentation at the conference found the flaw by reverse-engineering its product, which the company claims violated the law.
Instead of flooding communications managers’ and LAN administrators’ email and voice mail with the need to install a revised IOS that closed the hole exploited by the flaw, Cisco Systems publicized the fact that non-updated routers have a key buffer overflow vulnerability. Thus, the weirdos, crazies and countless wannabe hackers were made aware of vulnerabilities that were easily exploitable. At the same time the researcher who discovered the flaw went ahead and revealed information that to some degree was already on Chinese bulletin boards. While Cisco correctly used the legal system to obtain a court injunction against both the Black Hat conference and the presenter, in all probability the court knew nothing about reverse engineering. From auto manufacturers to router makers, it’s common for companies to purchase competitor products to see how they operate and examine how they are fabricated. As long as reverse engineering is used for research, it’s a commonly accepted practice that the legal system tolerates. Legal issues aside, the reaction of Cisco is a bit bizarre and certainly conveys the wrong message to the security community. After all, if Cisco appears as an attack dog, do you think the next researcher who finds a flaw in its product line will go public? Or, more likely, to avoid the potential wrath of Cisco the researcher might simply fix his own organization’s equipment. Then the end result is that other users, as well as Cisco, will become aware of the problem only when the dastardly deed is done and the new hack makes page one in the national news. If this author were in Mr Lynn’s shoes he would more than likely have sought a negotiated resolution with Cisco that publicized the vulnerability but enabled the company to notify its customers in advance

INTERNATIONAL JOURNAL OF NETWORK MANAGEMENT Int. J. Network Mgmt 2006; 16: 157–158 Published online in Wiley InterScience (www.interscience.wiley.com) DOI: 10.1002/nem.595
