"The future masters of technology will have to be lighthearted and intelligent. The machine easily masters the grim and the dumb." -- Marshall McLuhan, 1969

Mike Lynn is a Whistleblower, he should be protected
Topic: Computer Security
8:11 pm EDT, Jul 28, 2005
The EFF should support Mike Lynn in his defense against ISS and Cisco. If security researchers are not protected as Whistleblowers when they uncover major flaws, our critical communication infrastructure will be at serious risk. These are the Good Guys. Mike has taken on enormous personal risk to do the right thing. So far, the general impression in the blogs is that he is doing the right thing. The mainstream media coverage has been good as well. This is a departure from the past, and a good one at that. The headlines contain words like "Whistleblower" and "Coverup".

It is quite ironic that Cisco & ISS are taking the "Intellectual Property" tactic. Just to add some irony to it, here is a post of Mike Lynn here on MemeStreams proving CherryOS stole OSS code from the PearPC project:

just in case anyone didn't believe them already here goes the analysis (I do this sort of thing for a living)

first off CherryOS.exe is what we call in the security industry "packed", that means that they have taken a compiled binary and run it through an obfuscator to make it hard to reverse engineer (or at least hard if all you're doing is strings)...this is common for virus writers, worm writers, 31337 bot net kiddies, and on the legitimate side, game developers do this a lot...it's not very common among the commercial (or free) legitimate software market (mostly because it doesn't work and doesn't do any good)

so, the easiest way to defeat the packing is simply to let it start up (this one has several annoying checks for debuggers so it's easiest to just attach after it's loaded)...

the eula for this thing says it's a violation to reverse engineer it, but if you do disassemble it you find they never had the rights to license it in the first place, so I don't feel worried to put this here...
I think I have made it clear beyond a shadow of a doubt that CherryOS.exe, shipped as the core of cherryos is nothing but a recompiled version of PearPC...it has at most minor changes, most to strip attribution, hide the theft, or remove debugging output...
The only way we can fault Mike's research is with petty things like not consistently using upper case letters in his posts. The technical end of his work is flawless. Both Cisco and ISS are attempting to spin Mike's research and make it look incomplete, but the truth of the matter is he demo'ed his technique in front of a room of people, and no one has found fault with it. If this tactic continues, it will approach a very transparent form of character assassination. It will backfire on Cisco.

In the field of Security Research, Whistleblowing has always been a controversial issue. It is not a black and white thing. This article at CNET covers a number of the issues with disclosure of security problems that often come up. If you compare the ideas expressed in the article with what Mike actually did, you should come away thinking that Mike handled this ethically.

Mike Lynn: 'People who know me will tell you I have a long history of not being afraid of people I should.'
Topic: Computer Security
7:40 pm EDT, Jul 28, 2005
Lynn said he quit his job at ISS and went ahead with his presentation because he felt that the Cisco flaw is extremely serious. He said he intends to take a stand in court so that other security researchers aren't bullied into burying their findings when the companies they're researching decide not to publicly address serious security flaws in their products. "They're trying to intimidate and scare me, and I'll be honest it's working a little bit, but not enough. People who know me will tell you I have a long history of not being afraid of people I should."

Users in an uproar over Cisco/ISS suit
Topic: Computer Security
6:37 am EDT, Jul 28, 2005
This is not going to go the way Cisco wants it to. It's going to blow up in their face. The general opinion that seems to be around in the blogs is clearly leaning toward Mike. None of the mainstream press has yet cast Mike's actions in an overly negative light.

"The speaker worked with Cisco for the last six months on this and Cisco has had the patch for quite a while," said Wally Strzelec, an IT manager at Texas A&M. "I don't know what their beef is."

"Seems like Cisco's trying to cover its butt," said Tom DeSmidt, a senior security engineer for satellite TV provider Echostar. "All software has flaws you can exploit. They should embrace it rather than act this way."

And Cisco may pay for the lawsuit, in more ways than one. Ken Pfeir, CSO for Capital IQ in New York, said something like this may turn clients away. "Cisco is going about this entirely the wrong way -- they're alienating their own customers," Pfeir said. "Walking around for six months with their fly hanging open and now saying 'you didn't see anything' is a bad business practice."

As far as the lawsuit goes, Black Hat President Jeff Moss remains unconcerned and has no intention of remaining mum as the cease and desist order demands. "Apparently Cisco is going to send us a really scary letter tomorrow," he said. "I don't like scary letters so when I get it, I'll let everyone know what's going on." Depending on the outcome, a press conference is tentatively planned for Thursday morning.
The EFF should support Lynn.

ComputerWire - More Abaddon Cisco IOS Talk Details
Topic: Computer Security
5:14 am EDT, Jul 28, 2005
“By and large the whole thing is software, it’s just a computer,” he said of his demo Cisco router. “They do have a memory architecture that is kinda weird, but it’s not alien. They have buffers, if you copy more to that buffer than you should, it will overflow.”

Lynn gave much kudos to IOS’s programmers, saying it was “not easy” to hack around its countermeasures. The software almost never uses the “stack” part of memory that is the target of many overflow attacks against other products. He said instead that attacks against IOS will almost always be against the “heap” part of memory. But this requires the attacker to forcibly terminate an IOS routine he called “check heap”, which he said is designed to prevent such attacks. Lynn apparently did this by convincing “check heap” that it was already crashing and getting it into an infinite loop that caused other parts of the software to close it down, giving a window of a few minutes for the real attack to be executed.

“People weren’t doing this [kind of research], it wasn’t supposed to be possible, so there are still a lot of bugs in there to find,” he said. “That digital Pearl Harbor that politicians talking about, I don’t know if it will happen but I know what it will look like if we don’t change the way we look at IOS.”
It will be called the Ciscopocalypse.

Cisco hits back at flaw researcher | CNET News.com
Topic: Computer Security
10:18 pm EDT, Jul 27, 2005
The networking giant and Internet Security Systems jointly filed a request Wednesday for a temporary restraining order against Michael Lynn and the organizers of the Black Hat security conference. The motion came after Lynn showed in a presentation how attackers could take over Cisco routers--a problem that he said could bring the Internet to its knees. The filing in U.S. District Court for the Northern District of California asks the court to prevent Lynn and Black Hat from "further disclosing proprietary information belonging to Cisco and ISS," John Noh, a Cisco spokesman, said. "It is our belief that the information that Lynn presented at Black Hat this morning is information that was illegally obtained and violated our intellectual property rights," Noh added.
The other shoe dropped. At this point, the restraining order doesn't matter. He gave the talk. I know Mike has no intention of letting enough information get out for someone to actually exploit the flaws in the wild. Let's just hope for Mike's sake they decide this is futile and drop it. I just heard that Mike is going to be on CNN tomorrow. Anderson Cooper's show.

Wired News: Cisco Security Hole a Whopper
Topic: Computer Security
7:13 pm EDT, Jul 27, 2005
Wired just posted the best article so far. Here are some of the highlights:

Lynn likened IOS to Windows XP, for its ubiquity. "But when there is a Windows XP bug, it's not really a big deal," Lynn said. "You can still ship (data through a network) because the routers will transmit (it). How do you ship (data) when the routers are dead?"

"Can anyone think why you would steal (the source code) if not to hack it?" Lynn asked the audience, noting that it took him six months to develop an attack to exploit the bug. "I'm probably about to be sued to oblivion. (But) the worst thing is to keep this stuff secret."

"There are people out there looking for it, there are people who have probably found it who could be using it against either national infrastructure or any enterprise," said Ali-Reza Anghaie, a senior security engineer with an aerospace firm, who was in the audience.

During his talk, Lynn demonstrated an attack in real time using his own router, but did not allow the audience to see the steps. The attack took less than a minute to execute.

"In large part I had to quit to give this presentation because ISS and Cisco would rather the world be at risk, I guess," Lynn said. "They had to do what's right for their shareholders; I understand that. But I figured I needed to do what's right for the country and for the national critical infrastructure."

SecurityFocus | Researcher breaks ranks to out Cisco router weakness
Topic: Computer Security
6:47 pm EDT, Jul 27, 2005
Brushing off threats of legal action and a broad effort to delete his presentation from conference materials, a security expert told Black Hat attendees on Wednesday that attackers can broadly compromise Cisco routers.
Mike has a number of good quotes in this story:

"I feel I had to do what's right for the country and the national infrastructure," he said. "It has been confirmed that bad people are working on this (compromising IOS). The right thing to do here is to make sure that everyone knows that it's vulnerable."

Lynn outlined a way to take control of an IOS-based router, using a buffer overflow or a heap overflow, two types of memory vulnerabilities. He demonstrated the attack using a vulnerability that Cisco fixed in April. While that flaw is patched, he stressed that the attack can be used with any new buffer overrun or heap overflow, adding that running code on a router is a serious threat. "When you attack a host machine, you gain control of that machine--when you control a router, you gain control of the network," Lynn said.

During his presentation, Lynn outlined an eight step process using any known, but unpatched flaw, to compromise a Cisco IOS-based router. While he did not publish any vulnerabilities, Lynn said that finding new flaws would not be hard. "People aren't looking at this because they don't think gaining control of a router is doable, but there are a lot of bugs to find," he said.

In a presentation that had all the hallmarks of good theater, Lynn stated several times that the information that he was presenting would likely result in legal action against him. "What I just did means that I'm about to get sued by Cisco and ISS," Lynn said, joking later that he may be "in Guantanamo" by the end of the week. However, Lynn argued that the seriousness of the attack left him no choice but to let people know the existence of the weakness in the software.

Cisco plans in the future to abstract the architecture of the router operating system in the future, which could have a side effect of making a single attack work against all routers. Rather than knowing the various memory addresses, or offsets, needed to compromise systems, a single offset could work, Lynn said.
"What politicians are talking about when they talk about the Digital Pearl Harbor is a network worm," he said. "That's what we could see in the future, if this isn't fixed."

FrSIRT Advisories - Cisco IOS Unspecified Remote Heap Overflow Vulnerability / Exploit
Topic: Computer Security
6:24 pm EDT, Jul 27, 2005
A vulnerability was identified in Cisco IOS, which could be exploited by remote attackers to execute arbitrary commands. This flaw is due to a heap overflow error when processing specially crafted packets, which could be exploited by an unauthenticated attacker to execute arbitrary code and compromise a vulnerable system. No further details have been disclosed.

Network World | Cisco nixes conference session on hacking IOS router code
Topic: Computer Security
6:08 pm EDT, Jul 27, 2005
A presentation called “The Holy Grail: Cisco IOS Shellcode Remote Execution” was slated to run at the Black Hat conference in Las Vegas this week. But Internet Information Systems and Cisco, the companies presenting the segment, decided to pull the presentation after discussions between the two firms.
As noted in my previous meme, Lynn did wind up giving his talk, although he had to resign from ISS to do so.

According to Jeff Moss, CEO of the Black Hat Conference, Cisco on Monday said it would go to court for a restraining order to stop Black Hat from distributing materials on the IOS presentation already submitted by ISS and Cisco and published in the 1,000-page conference program. Moss said that Cisco supplied personnel, with razorblades in hand, to cut out 15 pages of material from 2,500 Black Hat conference show guides that detailed the company’s research.
No word if Cisco or ISS is going to attempt any legal action against Lynn. According to a rumor circulating at the conference this week, the U.S. Department of Homeland Security was involved in asking Cisco and ISS to change its findings for security reasons. Cisco and ISS deny DHS involvement.
"Several agencies" have been in contact with Lynn regarding his research.