"The future masters of technology will have to be lighthearted and intelligent. The machine easily masters the grim and the dumb." -- Marshall McLuhan, 1969

Cisco and the Serpent’s Broken Tooth (Response)
|
|
Topic: Computer Security |
2:47 pm EDT, Aug 2, 2005 |
Part of what boggles my mind at the idea of any of the hacker community championing Lynn’s actions is that he broke a legal agreement for the management of intellectual property. And, hello!, such an agreement is of the same nature and function as all of the open source licensing practices currently in use. How would most hackers react if I grabbed a big blob of GPL’d source code, stripped out all the attributions, used it to shore up my own weak proprietary code, and started selling it as closed source? I don’t know who would get me first, the blogosphere or the army of lawyers that would surely descend upon me. But I can almost guarantee that you wouldn’t see the hacker community rallying around me in support of my free speech rights under the first amendment. The fact that there are hackers coming out in support of Lynn when he has effectively trod upon all the legally essential principles of the GPL is downright shocking to me. Either I don’t understand the hacker community as well as I like to think I do, or these individuals are in serious need of upgrades to their memetic firewall code.
This is the first comment in the blogosphere about this situation I've seen that's been truly misguided. I would like to respond to the two sections of this quote I've put in bold face. First, it would be Mike Lynn who would catch you, or someone like him. As proof of this, I offer the recent situation where Mike Lynn did the analysis that proved CherryOS stole the code for its emulator product from the PearPC open source project. I pointed this out earlier. Here are a few quotes from his article:

just in case anyone didn't believe them already here goes the analysis (I do this sort of thing for a living) first off CherryOS.exe is what we call in the security industry "packed", that means that they have taken a compiled binary and run it through an obfuscator to make it hard to reverse engineer (or at least hard if all you're doing is strings)...this is common for virus writers, worm writers, 31337 bot net kiddies, and on the legitimate side, game developers do this a lot...it's not very common among the commercial (or free) legitimate software market (mostly because it doesn't work and doesn't do any good) so, the easiest way to defeat the packing is simply to let it start up (this one has several annoying checks for debuggers so it's easiest to just attach after it's loaded)... the eula for this thing says it's a violation to reverse engineer it, but if you do disassemble it you find they never had the rights to license it in the first place, so I don't feel worried to put this here... I think I have made it clear beyond a shadow of a doubt that CherryOS.exe, shipped as the core of cherryos is nothing but a recompiled version of PearPC...it has at most minor changes, most to strip attribution, hide the theft, or remove debugging output...
As far as our memetic firewalls go, we are working on that, and have been for quite a while. Mike's analysis of the CherryOS situation was posted here on MemeStreams.
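Lynn's quote above makes a point practitioners still rely on: a packed binary defeats a plain strings pass because the real code and message strings only exist in memory once the unpacker has run, which is why he let it start and attached a debugger afterwards. The script below is an added example, not code from Lynn's article, from PearPC, or from this page; it shows the two cheap static tells a reverser checks before reaching for a debugger (byte entropy near 8 bits, and a collapse in printable-string density) over constructed sample data. The samples are stand-ins: a block of repeated program messages plays the unpacked data section, and seeded pseudo-random bytes play a compressed or encrypted payload; neither is taken from any real executable.

```python
"""Added example: static tells of a "packed" executable image.

The sample blobs are constructed stand-ins, not bytes from any real program.
"""
import math
import random
import re
from collections import Counter


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 maximum).

    Compressed or encrypted payloads sit close to 8.0; ordinary code and
    text sections sit well below it.
    """
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def extract_strings(data, min_len=6):
    """Runs of printable ASCII at least min_len bytes long, like `strings -n`."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def string_density(data, min_len=6):
    """Printable strings found per KiB of input."""
    if not data:
        return 0.0
    return len(extract_strings(data, min_len)) / (len(data) / 1024.0)


def looks_packed(data, entropy_threshold=7.0, min_strings_per_kib=8.0):
    """Heuristic verdict: near-random bytes, or almost no strings, means the
    interesting content is probably only reachable after the image unpacks
    itself at runtime (hence: run it, then attach)."""
    return (shannon_entropy(data) > entropy_threshold
            or string_density(data) < min_strings_per_kib)


def triage(data):
    """The numbers a reverser checks first, plus the heuristic verdict."""
    return {
        "entropy": round(shannon_entropy(data), 2),
        "strings_per_kib": round(string_density(data), 1),
        "packed": looks_packed(data),
    }


# Constructed sample 1: an "unpacked" data section full of program messages
# (hypothetical strings, not from any real emulator).
_MESSAGES = [
    b"Usage: emulator [options] <disk image>",
    b"Cannot open configuration file: %s",
    b"Loading firmware from %s",
    b"PCI bus: attaching device at slot %d",
    b"Unsupported CPU feature, halting",
    b"Debug: TLB miss at 0x%08x",
]
UNPACKED_SAMPLE = b"\x00".join(_MESSAGES * 60)

# Constructed sample 2: seeded pseudo-random bytes stand in for a packed
# section whose strings only appear in memory after the unpacker runs.
_rng = random.Random(1337)
PACKED_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(8192))


if __name__ == "__main__":
    for name, blob in (("unpacked", UNPACKED_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(name, triage(blob))
```

Thresholds are deliberately loose; on a real PE or ELF you would run these per section (a packer typically leaves one small low-entropy stub and one large high-entropy blob), and a high-entropy section that is also marked executable is the strongest single tell.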

The Public Opinion on Lynn's Disclosure
|
|
Topic: Computer Security |
11:32 pm EDT, Aug 1, 2005 |
Technorati has been a great tool for surfing public opinion over CiscoGate (which I actually prefer to call the Ciscopocalypse..). Here are a few blog posts worth parsing. The best of the crop is from John S. Quarterman, the CEO of InternetPerils, who rounds up a number of articles and comments on them:

As for disclosure, not only were the plaintiffs not able to restrain the Internet nor the bloggers nor the press, Michael Lynn didn't even have to quit his job and give the presentation to get his point across. He could have just stood up there and said he couldn't give the presentation, and it's pretty likely a copy of the PDF would have made its way to the Internet within two days anyway.
That part I did not agree with. Integrity is best served real. This isn't really about Cisco; the principles illustrated here are larger than that. Security by obscurity just doesn't work, no matter how big you are, and even if you have the law backing you up. Which would you rather have? A public relations disaster brought on by not disclosing a fixed vulnerability? Or a reputation burnished by assisting security researchers in publishing such a vulnerability?
Bruce Schneier, CTO of Counterpane Internet Security, chimed in very early on: The security implications of this are enormous. If companies have the power to censor information about their products they don't like, then we as consumers have less information with which to make intelligent buying decisions. If companies have the power to squelch vulnerability information about their products, then there's no incentive for them to improve security. (I've written about this in connection to physical keys and locks.) If free speech is subordinate to corporate demands, then we are all much less safe. Full disclosure is good for society. But because it helps the bad guys as well as the good guys (see my essay on secrecy and security for more discussion of the balance), many of us have championed "responsible disclosure" guidelines that give vendors a head start in fixing vulnerabilities before they're announced. The problem is that not all researchers follow these guidelines. And laws limiting free speech do more harm to society than good. (In any case, laws won't completely fix the problem; we can't get laws passed in every possible country security researchers live.) So the only reasonable course of action for a company is to work with researchers who alert them to vulnerabilities, but also assume that vulnerability information will sometimes be released without prior warning. I can't imagine the discussions inside Cisco that led them to act like thugs. I can't figure out why they decided to attack Michael Lynn, BlackHat, and ISS rather than turn the situation into a public-relations success. I can't believe that they thought they could have censored the information by their actions, or even that it was a good idea. And these are the people building the hardware that runs much of our infrastructure? Somehow, I don't feel very secure right now.
And of course, it's been noted that Cisco is going after any place that has posted Mike's presentation...

Router Flaw Is a Ticking Bomb | Mike Lynn Has Integrity^3
|
|
Topic: Computer Security |
11:13 pm EDT, Aug 1, 2005 |
Wired has done a great interview with Mike. It should clear up a number of the questions people have had with recent events. I would like to specifically point out one part of this interview:

WN: So ISS knew the seriousness of the bug. Lynn: Yes, they did. In fact, at one point ... they apparently didn't get it, and they actually wanted to distribute the full working exploit very widely inside the company.... I was told ... "Give this to all the sales engineers and to all the pen testers." WN: Why would they want you to do that? Lynn: Well, because it bruises Cisco, remember? Mind you, this was something that Cisco hadn’t gone public with yet and that's not useful to pen testers because what do they advise their customers to do (to protect themselves if no information about the vulnerability has been released yet)? I told them, "You do realize if you do that, it's going to leak?" And (one of the ISS guys) says, "That's Cisco's problem." And then (another ISS guy) turns to me and says that they need to understand this could be their Witty worm. I was like, Whoa, what meeting did I walk into? (The Witty worm was a particularly aggressive and destructive code released by someone last year that targeted computer systems running a security program made by Internet Security Systems and even more specifically targeted military bases using the software. It infected more than 12,000 servers and computer systems in about an hour. Because of the worm's speed in spreading and its creators' apparent knowledge of who ISS' customers were, some security experts speculated that someone working for or connected to ISS might have been responsible for writing and releasing it.) At that point, I told them all no, and they fought it and I resigned right there on the spot. And this was about a month ago. I thought they were handling this in a non-ethical manner. Because it was just way too fast and loose with who can see this.... I mean, I don't even want people to see it now.
(ISS talked him out of the resignation by agreeing to give him control over who could see or have the exploit.)
All I can say is WOW. A big "wow". Caps, bold, and feeling. Anyone who says that Mike is not on the level needs to reference this. This says truly horrible things about ISS. This should cost them some serious reputation capital. One thing that Mike did a great job of in this interview is getting the idea out that in order to defeat the "bad guys", you must run faster than them. It is the only option. Case in point, via the Wall Street Journal: "The vulnerabilities are out there on the Net in full broadcast mode," said Gilman Louie, a tech-industry veteran who heads In-Q-Tel, a venture-capital firm backed by the Central Intelligence Agency. "The bad guys get to it faster than everybody else. I'd rather have disclosure and let everybody respond."
Disclosure is a great thing, but it must be done properly. I would argue that Mike did it properly. I would argue that he has displayed the best kind of ethics through this entire mess. Given the content of this Wired interview, I would argue that ISS has its head up its ass.

The Shout | Jennifer Granick | Supporting Mike Lynn
|
|
Topic: Computer Security |
10:14 pm EDT, Aug 1, 2005 |
First, Mike gave his talk. Then he got sued. Then I decided to represent him.
I just noticed that Jennifer Granick has a blog. Please shower this woman with comments thanking her for helping/representing Mike.

Press Release 7/31/2005 - Industrial Memetics Circles the Wagons
|
|
Topic: MemeStreams |
10:29 pm EDT, Jul 31, 2005 |
From the desk of the Acting CEO:

It's been a hectic few days here. Due to having to juggle several balls at once, I have not commented on this situation as much as I would like to. Due to how it could affect others, and the gravity of the situation, it is also necessary that I be careful with what I say. Due to time constraints, I have not been able to put together a formal press announcement as I would have liked. In fact, this might not be the worst of times to mention two positions Industrial Memetics would like to fill:

CFO - We need someone to secure funding and manage our finances. Do not attempt to contact us unless you are serious about and capable of doing both. Experience working with technology companies and an understanding of the internet media and internet security space is required.

Corporate Communications / Business Development - Handle PR functions. Be able to take, arrange, and express information such as that in this message and turn it into press releases, and communicate it to interested parties and the press. Responsible for maintaining relationships with vendors and partners. Must be able to author basic HTML, be skilled at document creation, and have experience with negotiation teams as both a member and a leader.

Both positions have a starting pay rate of zero. I can be contacted by email at nick @at@ nicklevay.net.

Ciscopocalypse Press Release Notes - Industrial Memetics Circles The Wagons

* Events
--- Tom Cross has stepped down as the CEO of Industrial Memetics in order to avoid any conflicts of interest surrounding the Cisco/ISS/Lynn situation.
--- Nick Levay has taken over management of Industrial Memetics as the Acting CEO.
--- A number of Industrial Memetics projects have been put on hold.
* Positions
--- Industrial Memetics strongly supports Mike Lynn.
--- Industrial Memetics has no desire to become involved in litigation.
* Disclosure
--- Industrial Memetics offered Mike Lynn a position on July 4, 2005.
---- Mike Lynn to date has not accepted.
---- While Industrial Memetics was aware of Mike's research, no information or details were ever shared.
--- Industrial Memetics is in severe need of a round of funding.
---- Baseline is two million dollars.
--- Industrial Memetics' financial situation will in no way impact MemeStreams website operations, unless we experience a traffic increase of several orders of magnitude.
* Talking Points
- The great battles at the dawn of this millennium center around culture.
--- In the global struggle against violent extremism, we must defeat the dangerous fundamentalist elements of middle-eastern culture.
--- In the global struggle for security, we must defeat the dangerous and broken elements of our own security cu...

I assume the helm. Stay the course..
|
|
Topic: MemeStreams |
5:35 pm EDT, Jul 30, 2005 |
Decius wrote: You may have noticed that I haven't been posting much. I don't plan to post for a while. I am hereby turning over all responsibility for administration of this site to Nick Levay (Rattle). I am not managing MemeStreams or Industrial Memetics for the time being. All queries should be sent to Nick. I think it's appropriate for this community to be able to express its views without implicating any conflicts of interest that I may have, so I am stepping back for now. The perspective of this community belongs to the community and not to me or Nick or anyone else. Furthermore, to avoid any rumors, there has been absolutely nothing from any of the parties involved in this dispute that has prompted this action, nor do I really believe that any of the parties involved in this dispute would have a problem with what this site consists of, presuming they understood what it is. This is simply a precautionary measure that I am taking to avoid any potential problems and to ensure the freedom of the people in this community to express their views. It is my sincere hope that all of this drama dies down as quickly as it began.
I officially acknowledge receipt of this message, and assume control of The Industrial Memetics Institute as the Acting CEO. In light of the situation, and full recognition of your importance to Industrial Memetics and The MemeStreams Community, your status will be classified as "on sabbatical". Industrial Memetics will make a formal press announcement sometime within the next 24 hours. We fully expect that your sabbatical will be short yet fruitful. It should be noted that in your entire service since our great company's founding in September of 2001, you have not taken a vacation. I look forward to seeing if what happens in Vegas truly stays in Vegas.

Nick Levay, Acting CEO, Industrial Memetics Institute

Mike Lynn Legal Defense Fund
|
|
Topic: Computer Security |
12:07 am EDT, Jul 30, 2005 |
Please support Mike Lynn by contributing to his defense fund! Currently this fund exists in the form of sending funds directly to Mike via PayPal. Mike Lynn's PayPal ID is "Abaddon@IO.com". A form to submit funds to this account can also be found at: http://www.memestreams.net/lynndefense.html

A dangerous culture regarding hardware based network devices as impervious to remote compromise has been allowed to exist. Mike has taken on enormous personal risk to do the right thing for the security research community by coming forward with his research and bringing this problem into focus. Cisco has consistently been on the forefront of this dangerous culture. They exercise a strategy of walling off updates and information only to those with support contracts. In many areas of critical infrastructure, engineers are often limited in their ability to utilize the latest security updates due to their IOS feature train. For years, attempting to adopt SSH as the primary method of administration for Cisco hardware has provided a perfect example of Cisco's broken security culture. Their handling of this situation is putting icing on the cake. We must encourage change in Cisco's security culture.

ISS's actions to date have shown an effect of this broken security culture. ISS's handling of this critical security threat and the researcher that found it have been less than desirable. We are confident our free-market business and media environment will result in both ISS and Cisco learning lessons from this event.

We expect the FBI to be both diligent and respectful in its handling of the investigation against Lynn. The security reality of our critical infrastructure demands such a response. In this big picture, the civil and government security communities are on the same team, and should be viewed as such. If our whistleblowers are not protected, we will eventually find we have no whistles available to us to blow. This would be a disaster for both America and the globalized world.
If we are to protect our critical infrastructure, we too must be protected. The most important thing we the security research community can do in regard to this event is support Mike Lynn, and encourage positive change to broken security culture wherever it exists. Right now, by supporting Mike Lynn, you support the entire community.

FBI Looking for Lynn & Settlement Details
|
|
Topic: Computer Security |
10:06 pm EDT, Jul 28, 2005 |
According to a copy of the injunction obtained by washingtonpost.com, the settlement also requires Lynn to "prepare complete mirror images of all computer data in his possession or control. ISS and Lynn shall appoint a third party forensic expert to verify, in the presence of ISS and Lynn (or his representative), on the mirror image, that Lynn has provided to ISS and/or Cisco any ISS- or Cisco-owned materials."
The latest word out of Vegas is that the FBI is looking for Lynn. It's unclear if they are the ones going to play the role of third party, but it would make logical sense.

Cisco gives in to Mike Lynn
|
|
Topic: Computer Security |
8:16 pm EDT, Jul 28, 2005 |
Cisco Systems Inc. and a network security firm reached a settlement Thursday with a researcher who quit his job so he could deliver a speech on a serious flaw in Cisco software that routes data over the Internet. He also must return any proprietary Cisco source code in his possession. "The purpose of doing this presentation was to prevent a worm from being made," he said. He also said he decided to defy his employer because Cisco's operating system source code had been stolen and posted on a hacker Web site. Additionally, Lynn said, he has seen discussions of Cisco vulnerabilities posted on Web sites for Chinese hackers. "Cisco has never told anybody that it was possible to take over one of their routers," Lynn said. "They fought that argument for a long time. You can see how far they're willing to go. I demonstrated it live on stage. That debate is over now."