Over at Memestreams there's a post explaining the technical aspects of this non-technically - why the exploit was already known and why all of this is actually not about the exploit per se, but about something much deeper than that.

Memestreams on Cryptome today.

Cryptome pciks up Memestreams/Lynn link

A COMPARISON OF
MICROSOFT'S C# PROGRAMMING LANGUAGE
TO SUN MICROSYSTEMS' JAVA PROGRAMMING LANGUAGE

I am having to write some Web apps for work, both for us to attack, and to assist internal development and testing. I did some ASP Back In The Day, and found it clusmy at best.

I am pretty impressed with writting ASP .NET pages with C#. Impressed only because MS finally caught up to Java/JSP 8 years late after a little stop to try and kill it along the way. Sure there are some features of .NET that I am not even touching, but for 90% of what I am doing, its a clean rip of Java.

And forget this is ".NET is available for multiple languages." That like saying you can compile Perl to Java byte code. Sure, but you will make your Perl so nasty in the process, why bother. If you code.NET, you pretty much have to code in Microsoft Java ... I mean C#.

C# From a Java Developer's Perspective

During a round-table interview with reporters from five Texas newspapers, Bush declined to go into detail on his personal views of the origin of life. But he said students should learn about both theories, Knight Ridder Newspapers reported.

"I think that part of education is to expose people to different schools of thought," Bush said. "You're asking me whether or not people ought to be exposed to different ideas, the answer is yes."

This whole "we should teach different ideas" is retarded. There are ideas that life spawns from rotten meat. There are ideas that the US forced Japan to attack Pearl Harbor because of an oil embargo. There are ideas that the earth is hollow.

The point is there are ideas for everything, and we don't teach them all. We have some criteria that concepts have to meet to be taught. In science classes, that criteria is the scientific method.

I quote the Intelligent Design article on Wikipedia:

Critics call ID religious dogma repackaged in an effort to return creationism into public school science classrooms and note that ID features notably as part of the campaign known as Teach the Controversy. The National Academy of Sciences and the National Center for Science Education assert that ID is not science, but creationism. While the scientific theory of evolution by natural selection has observable and repeatable facts to support it such as the process of mutations, gene flow, genetic drift, adaptation and speciation through natural selection, the "Intelligent Designer" in ID is neither observable nor repeatable. This violates the scientific requirement of falsifiability. ID violates Occam's Razor by postulating an entity or entities to explain something that may have a simpler and scientifically supportable explanation not involving unobservable help.

ID is *not* science. It should not be taught in a *science* class. Doing so undermines the entire point of science. Bush's complete misunderstanding of this is beyond excuse.

CNN.com - Bush: Schools should teach 'intelligent design' - Aug 2, 2005

Nice little site that generates the urpmi commands needed to add and support source mirrors, update rpms, devel stuff. Very handy!

Mandrake : Easy Urpmi

Some giant tab delimited lists of all types of browser and robot user agent strings. Useful if you happen to be writting evil crawler/attack tools.

Agent String Switchboard.

Security focus has the best summary of the actions before during and after the conference taken by ISS/Cisco/Mike/the conference.

The pisser is 3 weeks ago ISS approached Blackhat about removing the talk, but waited until last Friday to tell Mike he was pulling the talk.

Best Summary of Mike's Plight.

FrSIRT Advisory : FrSIRT/ADV-2005-1248
CVE Reference : GENERIC-MAP-NOMATCH
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2005-07-27

* Technical Description *

A vulnerability was identified in Cisco Internet Operating System (IOS), which could be exploited by remote attackers to execute arbitrary commands. This flaw is due to a heap overflow error when processing specially crafted packets, which could be exploited by an unauthenticated attacker to execute arbitrary code and compromise a vulnerable device.

Nice to see the industry recognizing the seriousness of it all.

FrSIRT Advisories - Cisco IOS Unspecified Remote Heap Overflow Vulnerability / Exploit

Lynn closed his talk by directing the audience to his resume and asking if anyone could give him a job.

"In large part I had to quit to give this presentation because ISS and Cisco would rather the world be at risk, I guess," Lynn said. "They had to do what's right for their shareholders; I understand that. But I figured I needed to do what's right for the country and for the national critical infrastructure."

Wired News: Cisco Security Hole a Whopper

"But when there is a Windows XP bug, it's not really a big deal," Lynn said. "You can still ship (data through a network) because the routers will transmit (it). How do you ship (data) when the routers are dead?"

Lynn decided to speak now, he said, because the source code for Cisco IOS was recently stolen for the second time, and he felt he could no longer remain silent.

"Can anyone think why you would steal (the source code) if not to hack it?" Lynn asked the audience, noting that it took him six months to develop an attack to exploit the bug. "I'm probably about to be sued to oblivion. (But) the worst thing is to keep this stuff secret."

Mike Lynn telling it how it is

Even more of Abaddon being up to no good.

Ok, A couple of things

-Fuck Cisco for buying off ISS to cancel the production.

-Fuck ISS for short changing one of there top researchers.

-Mike followed the "respected disclosure procedures." Cisco has known about this for months, and has been notifying top clients about on the down low.

-This is a full compromise of the IOS. Not simply a DoS.

-Fuck this "Illegally obtained information." IOS isn't encrypted. There was no DMCA violation. Its a closed proprietary system. Its a trade secret. Mike figured it out.

Abaddon, still up to no good.