Please support Mike Lynn by contributing to his defense fund! Currently this fund exists in the form of sending funds directly to Mike via Paypal. Mike Lynn's Paypal ID is "Abaddon@IO.com". A form to submit funds to this account can also be found at: http://www.memestreams.net/lynndefense.html A dangerous culture regarding hardware based network devices as impervious to remote compromise has been allowed to exist. Mike has taken on enormous personal risk to do the right thing for the security research community by coming forward with his research and bringing this problem into focus. Cisco has consistently been on the forefront of this dangerous culture. They exercise a strategy of walling off updates and information only to those with support contracts. In many areas of critical infrastructure, engineers are often limited in their ability to utilize the latest security updates due to their IOS feature train. For years, attempting to adopt SSH as the primary method of administration for Cisco hardware has provided a perfect example of Cisco's broken security culture. Their handling of this situation is putting icing on the cake. We must encourage change in Cisco's security culture. ISS's actions to date have shown an effect of this broken security culture. ISS's handling of this critical security threat and the researcher that found it have been less then desirable. We are confident our free-market business and media environment will result in both ISS and Cisco learning lessons from this event. We expect the FBI to be both diligent and respectful in its handling of the investigation against Lynn. The security reality of our critical infrastructure demands such a response. In this big picture, the civil and government security communities are on the same team, and should be viewed as such. If our whistleblowers are not protected, we will eventually find we have no whistles available to us to blow. This would be a disaster for both America and the globalized world. If we are to protect our critical infrastructure, we too must be protected. The most important thing we the security research community can do in regard to this event is support Mike Lynn, and encourage positive change to broken security culture wherever it exists. Right now, by supporting Mike Lynn, you support the entire community. |