Create an Account
username: password:
 
  MemeStreams Logo

Mike Lynn is a Whistleblower, he should be protected

search

Dagmar
My Blog
My Profile
My Audience
My Sources
Send Me a Message

sponsored links

Dagmar's topics
Arts
  Sci-Fi/Fantasy Literature
Business
Games
  Role Playing Games
  Video Games
   PC Video Games
   Console Video Games
   Multiplayer Online Games
Health and Wellness
Miscellaneous
Current Events
Recreation
Local Information
Science
Society
  Activism
  Futurism
  Politics and Law
   Internet Civil Liberties
   Surveillance
   Intellectual Property
  Media
  Philosophy
  Religion
  Security
Technology
  Computers
   Computer Security
   PC Hardware
   Computer Networking
   Computing Platforms
    Linux
   Software Development
    Open Source Development
    Perl Programming

support us

Get MemeStreams Stuff!


 
Mike Lynn is a Whistleblower, he should be protected
Topic: Computer Security 10:10 pm EDT, Jul 28, 2005

The EFF should support Mike Lynn in his defense against ISS and Cisco. If security researchers are not protected as Whistleblowers when they uncover major flaws, our critical communication infrastructure will be at serious risk. These are the Good Guys.

Mike has taken on enormous personal risk to do the right thing. So far, the general impression in the blogs is that he is doing the right thing. The mainstream media coverage has been good as well. This is a departure from the past, and a good one at that. The headlines contain words like "Whistleblower" and "Coverup"..

It is quite ironic that Cisco & ISS are taking the "Intellectual Property" tactic. Just to add some irony to it, here is a a post of Mike Lynn here on MemeStreams proving CherryOS stole OSS code from the PearPC project:

just incase anyone didn't believe them already here goes the analysis (I do this sort of thing for a living) first off CherryOS.exe is what we call in the security industry "packed", that means that they have taken a compiled binary and run it through an obfuscator to make it hard to reverse engineer (or at least with hard if all you're doing is strings)...this is common for virus writers, worm writers, 31337 bot net kiddies, and on the legitimate side, game developers do this a lot...its not very common among the commercial (or free) legitimate software market (mostly because it doesn't work and doesn't do any good) so, the easiest way to defeat the packing is simply to let it start up (this one has several annoying checks for debuggers so its easiest to just attach after its loaded)...

the eula for this thing says its a violation to reverse engineer it, but if you do disassemble it you find they never had the rights to license it in the first place, so I don't feel worried to put this here...

I think I have made it clear beyond a shadow of a doubt that CherryOS.exe, shipped as the core of cherryos is nothing but a recompiled version of PearPC...it has at most minor changes, most to strip attribution, hide the theft, or remove debugging output...

The only way we can fault Mike's research is with petty things like not consistently using upper case letters in his posts. The technical end of his work is flawless.

Both Cisco and ISS are attempting to spin Mike's research and make it look incomplete, but the truth of the matter is he demo'ed his technique in front of a room of people, and no one has found fault with it.

If this tactic continues, it will approach a very transparent form of character assassination. It will backfire on Cisco.

In the field of Security Research, Whistleblowing has always been a controversial issue. It is not a black and white thing. This article at CNET covers a number of the issues with disclosure of security problems that often come up. If you compare the ideas expressed in the article with what Mike actually did, you should come away thinking that Mike handled this ethically.

Mike Lynn is a Whistleblower, he should be protected



 
 
Powered By Industrial Memetics
RSS2.0