So.. Where do we go from here?
Topic: Computer Security 9:14 pm EDT, Aug  4, 2005

I guess that's the big question.

Cisco can best be considered "high risk, high return". Let's hope they adjust their security culture and we see those returns. Even the media following the financial markets has noted Cisco is taking a vacation at Club Microsoft. I don't think anyone even had to connect the dots for them. There have been some changes in Cisco's Chinese management, which I'm sure have nothing to do with this.. No dots here. No sir. Just things that look like nodes, and a general neglect for all things American that are not American Business. At least they are not Enron.

As the days roll on, Mike will not be sitting in the hot seat any longer. I expect ISS to take his place, and rightfully so; they deserve every black eye they get. Right now the Cisco legal team is doing the equivalent of a pre-fight pump-up. I'm sure of it.

Ed Felten has a good post over at the Freedom To Tinker blog that goes into a number of the legal issues this presents:

Any discussion of this argument has to start with the obvious: Cisco is claiming that part of its product is a trade secret. The software is key to the product’s function, and Cisco sells the product to essentially anybody who wants it. It’s hard to think of any reasonable sense in which this can be called a secret. (I know that legal definitions of terms like “trade secret” aren’t always intuitive, but still, this seems a bit much.)

Clearly an issue we are concerned with. The most stressful parts of the coming Cisco vs. ISS battle are going to surround this. Many bullets will fly. Some might strike the innocent, but they will fly for awhile and strike them far off in the distant future. We will be listening for the fire and keeping our heads down.

So what about Mike? Ira Winkler at the IT Defense Patrol blog offers this:

Let's stop chastising Michael Lynn. He may have violated his employee agreement, but that is not really an issue for us. He may have technically violated Cisco licensing, and that is the whole point - any bad guy would probably do the same. However, he did it within a regulated environment, which is where it should happen. And where it happens all the time. And the result is often publication of a security alert. Lynn's actions are no different.

Sure. Too bad it wasn't a well regulated environment, although it's not like we have a good definition for what that would be. It's not exactly like anyone is actually chastising him.. The bulk of the comments I've seen have been very supportive. There have been some exceptions, but they all seem to come off as shallow spin. Someone has to play the loyal opposition, and it might as well be Steve Hamm. Frankly, I think that going after Bruce Schneier the way he did looks like trying to pick a weak target. Classifying him as part of the "blogosphere" rather than the security community is insulting, but not because there is anything wrong with blogs. The bulk will read right past that. When it comes to Mike, most would agree that it's the Cisco and ISS part which keeps the word "integrity" out of this list.

The thing that's ironic, given the big picture, is best said by some fellow named antonin:

In the meantime, though, Michael Lynn's good name is all messed up. We digerati know that Lynn is a brave digital samurai, but what will his next prospective boss think? If Business Week carries its line through to its multi-million-selling paper publication, the guy in the corner office will be saying to himself 'Lynn? Isn't he the guy who caused all that trouble at Cisco?'

My current "office" is at a most wonderful Bongo Java. I'm currently sitting in the corner. From here, I see a solid future for Mike. If he winds up working at a place where the guy in the corner office has that attitude, the only mistake he could make is by not going somewhere else that can see the big picture.

As for the hacker community at large, I'll head back over to the IT Defense Patrol again:

We should likewise not begin publishing exploit code (Michael Lynn didn't). The Black Hat/Defcon threats should temper their actions. They should follow the good example set by security practitioners and follow proper processes for publication of exploit code. I hope that once they get past their anger over Cisco's ludicrous actions, they will see that publishing exploit code would contradict all the gains that came from Black Hat/Defcon. At least, give everyone time to get the patches in place. Those silly threats demean us all. And especially, it would prove the pundits right, that responsible release of vulnerability and exploitability are bad. I, for one, believe that release of vulnerability and exploitability should be done. It should be done with controls and regulation. But it should not be stifled, such as Cisco attempted last week.

Let's make it damn clear that the logical conclusion to Mike giving his presentation isn't a live working exploit making it into the wild. That would be the illogical conclusion, and the wrong thing to put energy into. The integrity Mike has shown should inspire you to do something else, like put in a wake-up call to another vendor.

Switches can be taken over too...