Technorati has been a great tool for surfing public opinion over CiscoGate (which I actually prefer to call the Ciscopocalypse...). Here are a few blog posts worth parsing. The best of the crop is from John S. Quarterman, the CEO of InternetPerils, who rounds up a number of articles and comments on them: As for disclosure, not only were the plaintiffs not able to restrain the Internet nor the bloggers nor the press, Michael Lynn didn't even have to quit his job and give the presentation to get his point across. He could have just stood up there and said he couldn't give the presentation, and it's pretty likely a copy of the PDF would have made its way to the Internet within two days anyway.
That part I did not agree with. Integrity is best served real. This isn't really about Cisco; the principles illustrated here are larger than that. Security by obscurity just doesn't work, no matter how big you are, and even if you have the law backing you up. Which would you rather have? A public relations disaster brought on by not disclosing a fixed vulnerability? Or a reputation burnished by assisting security researchers in publishing such a vulnerability?
Bruce Schneier, CTO of Counterpane Internet Security, chimed in very early on: The security implications of this are enormous. If companies have the power to censor information about their products they don't like, then we as consumers have less information with which to make intelligent buying decisions. If companies have the power to squelch vulnerability information about their products, then there's no incentive for them to improve security. (I've written about this in connection to physical keys and locks.) If free speech is subordinate to corporate demands, then we are all much less safe. Full disclosure is good for society. But because it helps the bad guys as well as the good guys (see my essay on secrecy and security for more discussion of the balance), many of us have championed "responsible disclosure" guidelines that give vendors a head start in fixing vulnerabilities before they're announced. The problem is that not all researchers follow these guidelines. And laws limiting free speech do more harm to society than good. (In any case, laws won't completely fix the problem; we can't get laws passed in every possible country security researchers live.) So the only reasonable course of action for a company is to work with researchers who alert them to vulnerabilities, but also assume that vulnerability information will sometimes be released without prior warning. I can't imagine the discussions inside Cisco that led them to act like thugs. I can't figure out why they decided to attack Michael Lynn, BlackHat, and ISS rather than turn the situation into a public-relations success. I can't believe that they thought they could have censored the information by their actions, or even that it was a good idea. And these are the people building the hardware that runs much of our infrastructure? Somehow, I don't feel very secure right now.
And of course, it's been noted that Cisco is going after any place that has posted Mike's presentation...