Create an Account
username: password:
 
  MemeStreams Logo

RE: Mike Lynn is a Whistleblower, he should be protected

search

dc0de
Picture of dc0de
dc0de's Pics
My Blog
My Profile
My Audience
My Sources
Send Me a Message

sponsored links

dc0de's topics
Arts
Business
Games
Health and Wellness
Home and Garden
Miscellaneous
Current Events
  War on Terrorism
Recreation
Local Information
Science
Society
  Politics and Law
   Surveillance
  Media
   Blogging
  Security
Sports
Technology
  Biotechnology
  Computers
   Computer Networking
   Computing Platforms
    Linux
    Microsoft Windows
  Military Technology
  High Tech Developments

support us

Get MemeStreams Stuff!


 
RE: Mike Lynn is a Whistleblower, he should be protected
Topic: Technology 10:14 pm EDT, Jul 28, 2005

Rattle has hit the nail on the head. Mike has done the ethical ("right") thing. He's handled it well, and now is coming under fire.

Why doesn't Cisco simply say, "Yes, it's a flaw, and we dragged our feet on it..."?

Why doesn't ISS admit that they simply wanted to keep the exploit to themselves to further their consulting practice? (sarcasm) Who would be harmed anyway? We're ISS, the most ethical hacking company on the planet, we wouldn't harm anyone, right? (/sarcasm)

Rattle wrote:
The EFF should support Mike Lynn in his defense against ISS and Cisco. If security researchers are not protected as Whistleblowers when they uncover major flaws, our critical communication infrastructure will be at serious risk. These are the Good Guys.

Mike has taken on enormous personal risk to do the right thing. So far, the general impression in the blogs is that he is doing the right thing. The mainstream media coverage has been good as well. This is a departure from the past, and a good one at that. The headlines contain words like "Whistleblower" and "Coverup"..

It is quite ironic that Cisco & ISS are taking the "Intellectual Property" tactic. Just to add some irony to it, here is a a post of Mike Lynn here on MemeStreams proving CherryOS stole OSS code from the PearPC project:

just incase anyone didn't believe them already here goes the analysis (I do this sort of thing for a living) first off CherryOS.exe is what we call in the security industry "packed", that means that they have taken a compiled binary and run it through an obfuscator to make it hard to reverse engineer (or at least with hard if all you're doing is strings)...this is common for virus writers, worm writers, 31337 bot net kiddies, and on the legitimate side, game developers do this a lot...its not very common among the commercial (or free) legitimate software market (mostly because it doesn't work and doesn't do any good) so, the easiest way to defeat the packing is simply to let it start up (this one has several annoying checks for debuggers so its easiest to just attach after its loaded)...

the eula for this thing says its a violation to reverse engineer it, but if you do disassemble it you find they never had the rights to license it in the first place, so I don't feel worried to put this here...

I think I have made it clear beyond a shadow of a doubt that CherryOS.exe, shipped as the core of cherryos is nothing but a recompiled version of PearPC...it has at most minor changes, most to strip attribution, hide the theft, or remove debugging output...

The only way we can fault Mike's research is with petty things like not consistently using upper case letters in his posts. The technical end of his work is flawless.

Both Cisco and ISS are attempting to spin Mike's research and make it look incomplete, but the truth of the matter is he demo'ed his technique in front of a room of people, and no one has found fault with it.

If this tactic continues, it will approach a very transparent form of character assassination. It will backfire on Cisco.

In the field of Security Research, Whistleblowing has always been a controversial issue. It is not a black and white thing. This article at CNET covers a number of the issues with disclosure of security problems that often come up. If you compare the ideas expressed in the article with what Mike actually did, you should come away thinking that Mike handled this ethically.

RE: Mike Lynn is a Whistleblower, he should be protected



 
 
Powered By Industrial Memetics
RSS2.0