On Aug 10, 2005, at 6:13 AM, [EMAIL PROTECTED] wrote:
What techniques are you referencing? The technique Lynn demonstrated
has not been seen anywhere in the wild, as far as I know. Neither he
nor ISS ever made the source code available to anyone outside of Cisco
or ISS. What publication are you referring to?
Didn't Lynn come out and say flat out that he'd found a lot of
information on a Chinese website (with the implication that the
website had even more information than what he presented)?
A black hat who is not Chinese has published some slides with
far more explicit step-by-step details of how to crack IOS using
the techniques that Lynn glossed over in his presentation. This
person also claims to have source code available on his website
for download but I didn't look to know for sure.
I desperately hope you are not referring to Raven Adler's
presentation at Defcon following Black Hat. If so, I think "far more
explicit step-by-step" is quite an overcharacterization of what she
presented. If not, once again, I'd ask you to cite sources rather
than make broad sweeping statements about what is already available.
Appealing to some anonymous authority in order to claim the sky is
falling is hardly endearing.
Since all blackhats tend to
communicate with each other to share ideas and to brag about
their exploits, it is entirely possible that this Cisco
exploit began in China.
That's a fairly bold statement. I'd also hesitate to label Lynn as a
black hat, as his actions (notification of vendor, confirmation of a
patch, and release) are not characteristic of a black hat. I'd
suggest that generalization is incorrect in any case; researchers of
any hat, in my experience, keep their secrets amongst a small group.
It is a nice myth to believe that a company like ISS does all
their own work in-house and that their employees are all super
gurus. But I would hope that most of you realize this is not
true. Companies like ISS leverage the work of blackhats just
like any hacker does. That's why I don't think gagging Lynn or
ISS or the Blackhat conference will have any positive effect
whatsoever. In fact, I would argue that this legal maneuvering
has had a net negative effect because it has now been widely
published that Cisco exploits are possible. This means that
many more hackers are now trying to craft their own exploits
and own Cisco routers.
I agree that this was a very large public relations blunder on the
part of ISS and Cisco. Their actions caused undue attention to be
placed on this issue and put both groups on the wrong side of a very
public argument. On the other hand, Lynn is exactly the sort of guru
you describe. Riley Eller said it best: "If you put him and a (Cisco)
box in a room, the box breaks."
Having spoken with him throughout development of this technique, I
can assure you that it was not developed, and further, not propagated
to anyone outside of ISS with Lynn's knowledge. He has taken every
care possible to ensure that this did not leak. That's not to say it
will not; certain members within ISS were keen on originally
releasing this to the public before informing Cisco, which prompted
Lynn to resign on the spot before he was talked into returning after
they dropped the subject of uninformed public release.
Now I believe that Open Source software techniques can solve
this root problem because many eyes can find more bugs.
This doesn't just mean *BSD and Linux. There are also
systems like OSKit http://www.cs.utah.edu/flux/oskit/
and RTAI http://www.rtai.org/ that are more appropriate
for building things like routers.
"Many eyes can find more bugs" implies several things. It implies
that a large group of people are investigating bugs, and that they are
qualified to find bugs of this nature. I would argue that the number
that meet both criteria is small in the open source world. That is
not to imply that there are untalented people in the FOSS community,
only that they are not interested in locating bugs or ensuring
security of a specialized routing operating system as their primary
function.
It boils down to the following question: Do you think the benefit of
releasing the source code for IOS, allowing independent researchers
access to the source code in order to locate flaws, outweighs the
costs of that release, allowing criminals access to the source code
in order to locate flaws and forfeiting trade secrets? In the case of
Cisco, I'm sure the latter weighs more heavily in their mind.