Southern Louisiana, it's been nice knowing you!

Topic: Current Events
1:09 am EDT, Aug 29, 2005

One thing first... For any of you who might be down there in the delta area thinking you're going to post weather updates and pictures of the effects of Hurricane Katrina and such to Memestreams--GET OUT AND HEAD NORTH NOW. When I went to bed this morning, the thing was expected to be a category 2 storm. Now, suddenly, in the course of six or so hours, it's gone straight to category five with a bullet, and large portions of the coast are predicted to become completely underwater for this one. What this means is that if you're thinking you're going to hole up on the second floor of something and wait for it to pass, you're still going to drown, and if the rushing water and winds don't get you, the fire ants will. If you insist on staying down there, well, it's clear you're no longer fit to stay in the gene pool.

'Intelligent Falling' challenges Theory of Gravity

Topic: Science
2:57 am EDT, Aug 26, 2005

TOPEKA, KS—As the debate over the teaching of evolution in public schools continues, a new controversy over the science curriculum arose Monday in this embattled Midwestern state. Scientists from the Evangelical Center For Faith-Based Reasoning are now asserting that the long-held "theory of gravity" is flawed, and they have responded to it with a new theory of Intelligent Falling.

I heart The Onion.

Walmart Kills Houston Man for Shoplifting

Topic: Current Events
2:56 am EDT, Aug 26, 2005

Wal-Mart LP's Kill Suspected Shoplifter
Man held down on burning pavement until he died

Wal-Mart loss prevention workers tackled a man suspected of stealing diapers - a new father with a two month old child - holding him down with a choke hold and knee to the back while he was shirtless on the scalding pavement of a Wal-Mart parking lot in Texas. The incident was witnessed by dozens of shoppers, including a prominent Texas attorney, Charles Portz:

Charles Portz said he was getting out of his car when he saw a heavy blonde haired man being chased by five people who appeared to be security or store employees. He said he saw them wrestling the man to the ground.

"The blacktop was extremely hot," said Portz. "He had no shirt on and they wouldn't let him up off the blacktop."

He said one of the men had Driver in a chokehold and had his knee in the back of his neck as the men tried to subdue him.

"He kept trying to get up and they kept pushing him back down," Portz said.

According to Portz, Driver began to plead with the men. "He's begging, 'Please call an ambulance, let me up, do something, I'm gonna die,'" said Portz.

He said the loss prevention employees called the police more than once, but another bystander called for an ambulance after realizing Driver was in trouble.

Portz said he eventually began to plead with the Walmart employees. "I told them, this guy doesn't look like he's breathing," Portz said. "They said, 'He's all right.'"

He says he continued to plead with the men, pointing out that the man's fingernails were turning gray. "They said he's just high on something," adding, "They just kept him pinned down for twenty minutes or more until the ambulance came."

He said he believed Driver was dead when the ambulance left with him, but he was not certain.

The store employees could not have known that the witness who was pleading with them to let Driver get up from the hot pavement was a high profile Houston attorney, from the Portz and Portz law firm.

He said after the man was handcuffed he continued trying in vain to persuade the Walmart employees to allow him to get up, even pointing out that a second pair of cuffs could be used to attach the ones already on Driver to a nearby truck trailer.

"The problem is they kept him down on the blistering concrete with no shirt on," Portz reiterated. He said law enforcement arrived at about the same time as the ambulance.

* * *

Very sad. I believe people who practice frontier justice should receive it as well. I know the death of this piece of shit employee won't bring the guy back to life, but he definitely deserves a similar fate. At least have him held down in a choke hold on hot pavement for about half an hour, let him see how he fares.

Christopher Walken in 2008!

Topic: Politics and Law
2:00 am EDT, Aug 15, 2005

Okay, I'll admit I have my doubts as to whether or not this is serious, but if it is, well... I'd sooner vote for Walken than practically anyone else who would run.

Router Flaw Is a Ticking Bomb | Mike Lynn Has Integrity^3

Topic: Computer Security
9:28 pm EDT, Aug 2, 2005

Wired has done a great interview with Mike. It should clear up a number of the questions people have had with recent events. I would like to specifically point out one part of this interview:

WN: So ISS knew the seriousness of the bug.

Lynn: Yes, they did. In fact, at one point ... they apparently didn't get it, and they actually wanted to distribute the full working exploit very widely inside the company.... I was told ... "Give this to all the sales engineers and to all the pen testers."

WN: Why would they want you to do that?

Lynn: Well, because it bruises Cisco, remember? Mind you, this was something that Cisco hadn't gone public with yet and that's not useful to pen testers because what do they advise their customers to do (to protect themselves if no information about the vulnerability has been released yet)? I told them, "You do realize if you do that, it's going to leak?" And (one of the ISS guys) says, "That's Cisco's problem." And then (another ISS guy) turns to me and says that they need to understand this could be their Witty worm. I was like, Whoa, what meeting did I walk into?

(The Witty worm was a particularly aggressive and destructive code released by someone last year that targeted computer systems running a security program made by Internet Security Systems and even more specifically targeted military bases using the software. It infected more than 12,000 servers and computer systems in about an hour. Because of the worm's speed in spreading and its creators' apparent knowledge of who ISS' customers were, some security experts speculated that someone working for or connected to ISS might have been responsible for writing and releasing it.)

At that point, I told them all no, and they fought it and I resigned right there on the spot. And this was about a month ago. I thought they were handling this in a non-ethical manner. Because it was just way too fast and loose with who can see this.... I mean, I don't even want people to see it now.

(ISS talked him out of the resignation by agreeing to give him control over who could see or have the exploit.)

All I can say is WOW. A big "wow". Caps, bold, and feeling. Anyone who says that Mike is not on the level needs to reference this. This says truly horrible things about ISS. This should cost them some serious reputation capital. One thing that Mike did a great job of in this interview is getting the idea out that in order to defeat the "bad guys", you must run faster than them. It is the only option. Case in point, via the Wall Street Journal:

"The vulnerabilities are out there on the Net in full broadcast mode," said Gilman Louie, a tech-industry veteran who heads In-Q-Tel, a venture-capital firm backed by the Central Intelligence Agency. "The bad guys get to it faster than everybody else. I'd rather have disclosure and let everybody respond."

Disclosure is a great thing, but it must be done properly. I would argue that Mike did it properly. I would argue that he has displayed the best kind of ethics through this entire mess. Given the content of this Wired interview, I would argue that ISS has its head up its ass.

Mike Lynn's 'exploit', in plain (non-technical) English

Topic: Technology
12:11 am EDT, Aug 2, 2005

There has been an almost unbelievable amount of hubbub lately about the research that Mike Lynn gave a demonstration of at the BlackHat conference last week, and there's been a positively dizzying amount of "spin" applied to the media. Let me say one thing to everyone reading this, right up front. What Lynn uncovered is a serious issue, probably actually more serious than what the media is making it out to be. While coverage of the issue is good (and useful to both "sides"), the lack of actual accurate reporting on the issue isn't helpful to anyone. Part of the problem is that apparently, outside of the list of BlackHat attendees, there are not that many people running around who truly understand what Lynn's research uncovered.

Lynn did not reveal an "exploit" in the usual sense. In fact, Lynn of his own volition has been playing his cards fairly close to his chest on this, and omitted most of the technical details of the problem from his presentation in order to assure that no one would be able to easily "follow in his footsteps". Lynn, it can safely be said, was scared by what he discovered--scared enough that he has risked his livelihood not once but twice in order to be sure that, should the technical aspects of what he's found not be resolved before someone with less respect for the continuation of the Internet figures it out for themselves, the network and security administrators of the world will have had time to take some steps to reduce the amount of damage done.

It can no longer be thought of as a sure thing that just because a particular vulnerability could "break the Internet", no one's going to try it just to see if it's really true. We have a rather excellent example in recent history that pretty much everyone is aware of by now... the MS Blaster worm, which raged around the Internet wreaking rather unprecedented havoc. Pretty much everyone on the Internet was either personally affected by this, or knows someone who was.

Blaster made use of a vulnerability that had become rather common knowledge by the time it was released, but had already been known to many security professionals for months. The real problem that made things so painful and propagation of Blaster so widespread was that for those months, Microsoft had been actively denying that there was ever a problem until Blaster forced them to admit it. Had system administrators been made aware of the issue and the meager steps needed to impede the spread of Blaster (which everyone implemented in a white-hot hurry once their networks were figuratively ablaze), the damage could have been much less indeed.

Cisco is not helping the issue, or I should say, Cisco's lawyers are not helping the issue. Cisco makes some really awesome products, and their technical people can't really be faulted for this one technical flaw. The problem is that Cisco's lawyers are convinced that public knowledge of a serious issue ...

Cisco's poetic comeuppance begins

Topic: Activism
10:37 pm EDT, Aug 1, 2005

SecurityFocus has some coverage about what the other hackers who are not Mike Lynn are doing about the Cisco campaign to keep people in the dark. They're trying to figure out what Mike Lynn figured out, if for no other reason than to spite Cisco. Let's hope this ends well. Lynn is a level-headed guy who knew the seriousness of what he'd discovered. The issue demanded attention, but attention of a responsible sort (which is why Lynn didn't just publish a proof-of-concept exploit some months ago, and why you're still able to read this right now). Cisco has drawn *huge* amounts of attention to a problem they haven't addressed yet, and given people plenty of incentive to do something rash just to prove a point. Part of the problem is summed up in the quoted text below, and it's going to hurt Cisco like their lawyers would never have thought possible.

"By serving takedown notices in response to such situations, a company demonstrates clearly that it is more concerned with preserving its commercial interest in intellectual property than fostering community awareness and knowledge pertaining to critical Internet security issues," Forno said in an e-mail statement.

Of course, what their lawyers are probably banking on is being able to say "It wasn't *us* that did it" after the Internet burns to the ground, but I strongly suspect it wouldn't come to that if lawyers weren't so interested in myopically "protecting the interests of shareholders" to the exclusion of what makes sense for keeping the Internet as a whole safe. Had Cisco's lawyers not decided to intervene so heavy-handedly, this would have probably blown over, gotten patched, and become just another milestone event in security research--and basically Cisco would have come out of it smelling like roses. Stockholders don't care whether or not an incident or two occurs, and only slightly less so the equipment purchasers, who are the people Cisco should be truly concerned about. The way things stand now, there are thousands of hackers out there who are extremely incensed and motivated to do something to demonstrate their displeasure with the situation. Here's to hoping that won't involve a Blaster-like event.

Mike Lynn is a Whistleblower, he should be protected

Topic: Computer Security
10:10 pm EDT, Jul 28, 2005

The EFF should support Mike Lynn in his defense against ISS and Cisco. If security researchers are not protected as Whistleblowers when they uncover major flaws, our critical communication infrastructure will be at serious risk. These are the Good Guys. Mike has taken on enormous personal risk to do the right thing.

So far, the general impression in the blogs is that he is doing the right thing. The mainstream media coverage has been good as well. This is a departure from the past, and a good one at that. The headlines contain words like "Whistleblower" and "Coverup".

It is quite ironic that Cisco & ISS are taking the "Intellectual Property" tactic. Just to add some irony to it, here is a post of Mike Lynn here on MemeStreams proving CherryOS stole OSS code from the PearPC project:

just in case anyone didn't believe them already here goes the analysis (I do this sort of thing for a living)

first off CherryOS.exe is what we call in the security industry "packed", that means that they have taken a compiled binary and run it through an obfuscator to make it hard to reverse engineer (or at least hard if all you're doing is strings)...this is common for virus writers, worm writers, 31337 bot net kiddies, and on the legitimate side, game developers do this a lot...it's not very common among the commercial (or free) legitimate software market (mostly because it doesn't work and doesn't do any good)

so, the easiest way to defeat the packing is simply to let it start up (this one has several annoying checks for debuggers so it's easiest to just attach after it's loaded)...

the eula for this thing says it's a violation to reverse engineer it, but if you do disassemble it you find they never had the rights to license it in the first place, so I don't feel worried to put this here...

I think I have made it clear beyond a shadow of a doubt that CherryOS.exe, shipped as the core of cherryos is nothing but a recompiled version of PearPC...it has at most minor changes, most to strip attribution, hide the theft, or remove debugging output...

The only way we can fault Mike's research is with petty things like not consistently using upper case letters in his posts. The technical end of his work is flawless. Both Cisco and ISS are attempting to spin Mike's research and make it look incomplete, but the truth of the matter is he demo'ed his technique in front of a room of people, and no one has found fault with it. If this tactic continues, it will approach a very transparent form of character assassination. It will backfire on Cisco.

In the field of Security Research, Whistleblowing has always been a controversial issue. It is not a black and white thing. This article at CNET covers a number of the issues with disclosure of security problems that often come up. If you compare the ideas expressed in the article with what Mike actually did, you should come away thinking that Mike handled this ethically.
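
The quoted analysis above turns on one observation: a packed binary gives `strings` nothing useful, so the analyst lets the program unpack itself in memory and only then attaches. The following Python script is an added illustration of that triage step; it is not code from Lynn's post and has nothing to do with the CherryOS binary. It uses a constructed sample "image" with made-up strings and a toy keyed-XOR "packer" standing in for a real one (real packers usually compress rather than XOR, but the effect on `strings` output and on byte entropy is the same). Every name and value in it is an assumption made for the example.

```python
import hashlib
import math
import string
from typing import List

# Constructed sample "program image" (not a real binary): a few strings a
# reviewer would expect to find, embedded in filler that imitates code bytes.
CODE_LIKE = bytes(range(0, 256, 4)) * 64          # 64 distinct byte values, ~6 bits/byte
UNPACKED_IMAGE = (
    b"\x00" * 16
    + b"PearPC-style emulator core\x00"            # hypothetical attribution string
    + b"Copyright notice goes here\x00"
    + b"\x90" * 64
    + b"Usage: emulator.exe <diskimage>\x00"       # hypothetical usage string
    + CODE_LIKE
)

def _keystream(length: int, key: bytes = b"demo-packer-key") -> bytes:
    """Deterministic pseudo-random bytes: SHA-256 in counter mode (toy, not a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def pack(image: bytes) -> bytes:
    """Toy packer: a tiny stub marker followed by the image XORed with a keystream."""
    ks = _keystream(len(image))
    return b"STUB" + bytes(a ^ b for a, b in zip(image, ks))

def unpack(packed: bytes) -> bytes:
    """What the packer's stub does at start-up: restore the original image in memory."""
    if not packed.startswith(b"STUB"):
        raise ValueError("not a STUB-packed image")
    body = packed[4:]
    ks = _keystream(len(body))
    return bytes(a ^ b for a, b in zip(body, ks))

def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Minimal `strings`: runs of printable ASCII at least min_len bytes long."""
    printable = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    found, run = [], bytearray()
    for b in data:
        if b in printable:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: packed/encrypted regions sit near 8, code and text well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Triage heuristic: near-maximal entropy is a strong hint of packing or encryption."""
    return shannon_entropy(data) > threshold

if __name__ == "__main__":
    packed = pack(UNPACKED_IMAGE)
    print("on disk  :", round(shannon_entropy(packed), 2), "bits/byte,",
          "usage string visible:", any("Usage:" in s for s in extract_strings(packed)))
    dumped = unpack(packed)   # what a memory dump after the stub has run looks like
    print("in memory:", round(shannon_entropy(dumped), 2), "bits/byte,",
          "usage string visible:", any("Usage:" in s for s in extract_strings(dumped)))
```

Run stand-alone it reports the on-disk image at nearly 8 bits per byte with the usage string absent, and the "dumped" image at around 6 bits per byte with the string back. That is the whole reason for the order of operations in the quoted post: `strings` on the file is wasted effort, a high-entropy section is the cue, and the meaningful artifacts only appear once the stub has restored the image in memory. Note that `extract_strings` also returns junk runs from both images, exactly as the real `strings` does, so presence of the expected marker strings, not the raw count, is the useful signal.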
Wired News: Cisco Security Hole a Whopper

Topic: Computer Security
9:42 pm EDT, Jul 28, 2005

Wired just posted the best article so far. Here are some of the highlights:

Lynn likened IOS to Windows XP, for its ubiquity. "But when there is a Windows XP bug, it's not really a big deal," Lynn said. "You can still ship (data through a network) because the routers will transmit (it). How do you ship (data) when the routers are dead?"

"Can anyone think why you would steal (the source code) if not to hack it?" Lynn asked the audience, noting that it took him six months to develop an attack to exploit the bug. "I'm probably about to be sued to oblivion. (But) the worst thing is to keep this stuff secret."

"There are people out there looking for it, there are people who have probably found it who could be using it against either national infrastructure or any enterprise," said Ali-Reza Anghaie, a senior security engineer with an aerospace firm, who was in the audience.

During his talk, Lynn demonstrated an attack in real time using his own router, but did not allow the audience to see the steps. The attack took less than a minute to execute.

"In large part I had to quit to give this presentation because ISS and Cisco would rather the world be at risk, I guess," Lynn said. "They had to do what's right for their shareholders; I understand that. But I figured I needed to do what's right for the country and for the national critical infrastructure."

Cisco hits back at flaw researcher

Topic: Technology
9:41 pm EDT, Jul 28, 2005

The networking giant and Internet Security Systems jointly filed a request Wednesday for a temporary restraining order against Michael Lynn and the organizers of the Black Hat security conference.

We may need to start a legal defense fund for Michael. The thing that really gets me about these occurrences is: how is this not equivalent to whistleblowing? I mean, if this were a disease or a terrorist threat that you had discovered and you published it or exposed it, you'd be lauded as a hero. But because there's technology involved, you're a target and a criminal.