From the little bit of information I have seen on this I believe the vuln only impacts routers configured for IPv6 and requires access to the local network segment to exploit.
Let us see here, what CISCO is trying to do. It is trying to prevent freedom of speech. All in the name of IP rights. I am waiting for someone to sue their A** when a hacker misuses the flaw. Rather than being grateful that someone is helping them make them secure they have chosen the other route.
It might not be that simple though. Lynn had actual Cisco IOS code and was likely under and NDA when either Cisco or ISS decided to give him it. I am presuming ISS is likely paid by Cisco to perform audits. If you or I found this vuln and decided to go public with it we would likely be under a different set of circumstances.
Lynn didn’t have source code, he had to reverse the binaries. Cisco was cranky because it affected every verson of IOS except for the latest version and the bug is sevre.
Quote: “It is trying to prevent freedom of speech. All in the name of IP rights.”
Yup. That’s the way that the world is going. The lil guy has fuck all rights, the big corporate bastards have all of the rights and can tell you what to do. The law and governments are siding with the large corporations because of greed and money.
This just proves that the open source development model is the way to go. As far as I’m aware, it’s not illegal to repeat the src code for patented stuff. It’s illegal for you to use it. If it’s a trade secret, then it’s been revealed, tough shit Cisco. They can sue the ass off the person that revealed it, but do jack shit to anyone else. If it’s copyrighted, then they might have a chance, but since the problem part of the src code is =< 5%, then it’s legal to repeat it under the copyright. The only thing that Cisco might have in it’s favour is the DMCA which makes it illegal to reverse engineer things. Might as well throw the copyright out act, since all of the rights that the copyright act gives the end user have been taken away by the DMCA.
Special staff tearing presentaion pages sounds ominous… Democracy is really such a nuisance, such a hindrance for corporations these days, I’m sure they’ll ban it really soon. Everyone’s gotta be silenced and worship the Stuff that comes from the omniglorious Corporation, regardless of its quality or content of course.
when cisco went corporate is the day cisco statred downhill…. I am kind of surprised the poeple that started cisco didnt start another company once the suits booted them out… instead of a grunge fingernail polish company… oh well…
i am sure there are plenty of flaws in IOS and security dealing with routers is limited at best… hopefully you have a good featureset and multi-layered protections in place to protect your network….
Well, in the time when a government sustained from our own money treat his citizens without regard to the basic rights why not such a nazi practice private company.
You may ask my why “nazi” – because that is what it is comming into my mind when I hear about people ripping books, presentaions and threatening researchers. That is.
I watched the story and I suppose (maybe I am not right) that Mr. Lynn obtained part of his informations by reverse engineering. I don’t have knwledge about legal details but could be good posible that his acction were not fair. But hey, sue him Cisco if you don’t like! Don’t rip papers, exchange CDs etc.
What is really scary is that companies act in such a way like middle age kings. Fortunatly they don’t have armies… yet.
Also this class of companies do not comprehend that obfuscation doesn’t lead to security. Suppose that Mr. Lynn as evil minded hacker who doesn’t write papers or attend conferences. Just write a worm and >click< >enter<. That was with the Internet for today. Would it be better, Cisco?
Fortunattly maybe bacause a PR desaster also Cisco backd off. Tumb up Mr. Lynn and good luck finding a new job…
Well, in the time when a government sustained from our own money treat his citizens without regard to the basic rights why not such a nazi practice private company.
Just knowing the flaws are there is enough to spur some on to greater efforts at hacking Cisco, it doesn’t matter if any info is availible or not. Unfortunately, many of those that this will encourage are also the type that do it with little or no good will intended.
Quagga is a routing software suite, providing implementations of OSPFv2, OSPFv3, RIP v1 and v2, RIPv3 and BGPv4 for Unix platforms, particularly FreeBSD, Linux, Solaris and NetBSD.
OpenBGPD is a FREE implementation of the Border Gateway Protocol, Version 4. It allows ordinary machines to be used as routers exchanging routes with other systems speaking the BGP protocol.
Rather interesting and frankly disappointing behavior by Cisco. IMHO, very dumb move, all they’ve done is attract a lot of attention from the bad guys (whom, let’s face it, probably have copies of cisco’s source code anyways) and likely will now be pooring over it. Minor details are sure to continue to leak out, giving the bad guys more ammo to find the flaws and begin exploiting them. If a 0-day exploit hits, Cisco will have no one but themselves to blame.
Now in fairness, maybe they tried to work with Mr. Lynn on proper timing of the release, maybe Lynn is under a NDA, who knows, but all they’ve done here is create more confusion among the white hats and paint a big fat bullseye on IOS for the bad guys.
More I think about it, wow…incredibly dumb move by Cisco.
Cisco has had 4 months to fix the bugs. They decided to use a general purpose CPU for IOS (MIPS) knowing the consecuences of doing this. And now they want to pretend the problem doesn’t exist by means of security through obscurity and legal threats. Information in itself is not bad. It’s irresponsible vendors like Cisco and the proprietary Microseft with de facto monopolies that are harmful. Once a bug is discovered a large percentage of critical systems can be pwn3d before you can say Microseft. And that is why software/hardware monocultures are so bad.
it is programmers who write crappy programs and other windows and who create bugs.
actually I cannot name another engineering profession where shoddy work considered to be norm, bugs are ok (“every program has bugs, he-he”). and it is always dumb users, managers and other billy gates to blame for bugs, and for everything.
professional “standards” of programming community is a shame, not a joke.
I am an engineer, software engineer. In my entire study time I was amazed to see the other engineers having norms, clear rules and strict regulations etc.
You just have to understand that software engineering is still in its infancy and there is a long way to go. Software development is still more creativity than engineering. In REAL engineering you have tolerances but in an if-statement you must have true or false… there is nothing in between…
So, just wait some years… and meantime in this story Cisco deserves the blame for their behavior.
In a way Lynn is right and in another way Cisco is right too. There are two sides of the coin.
Would you not appreciate a person telling a problem in your ford which can cause a fatal accident? Would you punish that person, No? Hell No, he will be a hero. So if you look from that angle, Lynn is hero.
On the other hand, Would you appreciate the same person telling in public a fatal problem in our border security, which can lead to terrorists attacking us? Nah, so if you look from this angle, Lynn is the bad guy. He should tell our border security people about the problem and not to every damn person out there.
I think if you find a problem which is not known or hard to exploit, you should inform the vendor with full details and let people know that there are exploitable vulnerabilities so please patch your systems.
The only problem is that by doing this you don’t get well-deserved attention and credibility since people can say he is bluffing. The only way things will be better is, if companies starts rewarding and acknowledging people who find security holes in software and let vendor know in private manner.
In fact many security companies do that and Microsoft has even embraced that many times.
No. It’s the secrecy behaviour that causes all of the problems. If we lived in a totally *open* society, the trust levels would be a lot higher, and I suspect that there’d be a lot less trouble, and a lot less terrorism to boot. You have violence and terrorism in reaction to dictatorships like George W Bush jr.’s government, and the behaviour of the US government in shoving it’s viewpoints down any other countries throats. I really hate to break this news to you, but the US is no longer a democratic country, and hasn’t been one for quite some time. It’s now owned by the large corporation, they are the ones that dictate what happens.
Sorry dude, i disagree. Leaking an important information about a security hole which can cause compromise of many machines is as good as writing blaster. He should have gone to correct medium.
And by the way, the first line of your comments made you lose all credibility. You are a lame zealot and nothing else. You are like that small dog on the street barking on an elephant and elephant is not even looking at you If you think you are good, then make other OS better instead of barking here.
…. i am not a bush supporter.. but holy crap…. he’s just doing his job….. he does what he needs to do and i would be willing to bet that just about anyone else put in his position would make similar decisions.
do i agree with some of those decisions, no…. but….. would i make the same decisions put in his shoes….. i might
Again i disagree, telling that there is a security problem is different than giving exact details such that others can exploit it. The exact details should only be given to the vendor.
The security exploit got fixed a while ago, it is cisco fault not to publish the exploit before, so the networking guys could get their routers upgraded and the information given by Lynn were irrelevant now.
From my point of view all of this is the cisco’s fault. Lynn just published information about a security problem that is already fixed. Why there is a lot of routers affected by this??… because of cisco “secrets”.
It appears none of you who posts on this thread has actually understood what this is about.
It’s not about publicizing details on flaws nor is it about a particular flaw that affects IPv6. The big thing in Lynn’s talk is to refute something that Cisco (and others) has stated for ages namely that it’s not possible to execute shellcode remotely on Cisco equipment. Currently it so happen that it can, apparently, be done by exploiting a bug in the Cisco IPv6 implementation but the important point is that it can be done AT ALL and that in the future it could be accomplished by exploiting ohter bugs.
Cisco has NO BUSINESS WHATSOEVER trying to silence these results since they do not detail exactly HOW it can be done only THAT it can be done. And lets not even mention the horribly behaviour of ISS…
That microsoft partnership seems to be coming along nicely
Idiot.
Typical of OSAlert articles. An article about Cisco and the first troll blames Microsoft.
Agree.
It is becoming more and more difficult to find an Microsoft bashing-free comment on OSAlert.
Sometimes I would like it woule be called LinOSAlert or GentoOSAlert …
Typical of OSAlert articles. An article about Cisco and the first troll blames Microsoft.
And you walked right into commenting on it.
Don’t feed the trolls.
From the little bit of information I have seen on this I believe the vuln only impacts routers configured for IPv6 and requires access to the local network segment to exploit.
Let us see here, what CISCO is trying to do. It is trying to prevent freedom of speech. All in the name of IP rights. I am waiting for someone to sue their A** when a hacker misuses the flaw. Rather than being grateful that someone is helping them make them secure they have chosen the other route.
It might not be that simple though. Lynn had actual Cisco IOS code and was likely under and NDA when either Cisco or ISS decided to give him it. I am presuming ISS is likely paid by Cisco to perform audits. If you or I found this vuln and decided to go public with it we would likely be under a different set of circumstances.
Lynn didn’t have source code, he had to reverse the binaries. Cisco was cranky because it affected every verson of IOS except for the latest version and the bug is sevre.
Wasn’t the IOS source code stolen by hackers a couple years back? Lynn might’ve gotten hold of a copy.
Paul G
Well the article does seem to imply that he does/did have IOS source code:
From the article:
“Mr Lynn also has to return any Cisco source code he owns.
Sorry, this is not a freedom of speech issue whatsoever.
Quote: “It is trying to prevent freedom of speech. All in the name of IP rights.”
Yup. That’s the way that the world is going. The lil guy has fuck all rights, the big corporate bastards have all of the rights and can tell you what to do. The law and governments are siding with the large corporations because of greed and money.
This just proves that the open source development model is the way to go. As far as I’m aware, it’s not illegal to repeat the src code for patented stuff. It’s illegal for you to use it. If it’s a trade secret, then it’s been revealed, tough shit Cisco. They can sue the ass off the person that revealed it, but do jack shit to anyone else. If it’s copyrighted, then they might have a chance, but since the problem part of the src code is =< 5%, then it’s legal to repeat it under the copyright. The only thing that Cisco might have in it’s favour is the DMCA which makes it illegal to reverse engineer things. Might as well throw the copyright out act, since all of the rights that the copyright act gives the end user have been taken away by the DMCA.
Just my 2.2c (inc GST) worth!
Dave
Special staff tearing presentaion pages sounds ominous… Democracy is really such a nuisance, such a hindrance for corporations these days, I’m sure they’ll ban it really soon. Everyone’s gotta be silenced and worship the Stuff that comes from the omniglorious Corporation, regardless of its quality or content of course.
when cisco went corporate is the day cisco statred downhill…. I am kind of surprised the poeple that started cisco didnt start another company once the suits booted them out… instead of a grunge fingernail polish company… oh well…
i am sure there are plenty of flaws in IOS and security dealing with routers is limited at best… hopefully you have a good featureset and multi-layered protections in place to protect your network….
Well, in the time when a government sustained from our own money treat his citizens without regard to the basic rights why not such a nazi practice private company.
You may ask my why “nazi” – because that is what it is comming into my mind when I hear about people ripping books, presentaions and threatening researchers. That is.
I watched the story and I suppose (maybe I am not right) that Mr. Lynn obtained part of his informations by reverse engineering. I don’t have knwledge about legal details but could be good posible that his acction were not fair. But hey, sue him Cisco if you don’t like! Don’t rip papers, exchange CDs etc.
What is really scary is that companies act in such a way like middle age kings. Fortunatly they don’t have armies… yet.
Also this class of companies do not comprehend that obfuscation doesn’t lead to security. Suppose that Mr. Lynn as evil minded hacker who doesn’t write papers or attend conferences. Just write a worm and >click< >enter<. That was with the Internet for today. Would it be better, Cisco?
Fortunattly maybe bacause a PR desaster also Cisco backd off. Tumb up Mr. Lynn and good luck finding a new job…
Well, in the time when a government sustained from our own money treat his citizens without regard to the basic rights why not such a nazi practice private company.
Do you know about this?
http://en.wikipedia.org/wiki/Godwin‘s_law
Just knowing the flaws are there is enough to spur some on to greater efforts at hacking Cisco, it doesn’t matter if any info is availible or not. Unfortunately, many of those that this will encourage are also the type that do it with little or no good will intended.
Quagga is a routing software suite, providing implementations of OSPFv2, OSPFv3, RIP v1 and v2, RIPv3 and BGPv4 for Unix platforms, particularly FreeBSD, Linux, Solaris and NetBSD.
http://quagga.net/
OpenBGPD is a FREE implementation of the Border Gateway Protocol, Version 4. It allows ordinary machines to be used as routers exchanging routes with other systems speaking the BGP protocol.
http://www.openbgpd.org/
Rather interesting and frankly disappointing behavior by Cisco. IMHO, very dumb move, all they’ve done is attract a lot of attention from the bad guys (whom, let’s face it, probably have copies of cisco’s source code anyways) and likely will now be pooring over it. Minor details are sure to continue to leak out, giving the bad guys more ammo to find the flaws and begin exploiting them. If a 0-day exploit hits, Cisco will have no one but themselves to blame.
Now in fairness, maybe they tried to work with Mr. Lynn on proper timing of the release, maybe Lynn is under a NDA, who knows, but all they’ve done here is create more confusion among the white hats and paint a big fat bullseye on IOS for the bad guys.
More I think about it, wow…incredibly dumb move by Cisco.
JT
Cisco has had 4 months to fix the bugs. They decided to use a general purpose CPU for IOS (MIPS) knowing the consecuences of doing this. And now they want to pretend the problem doesn’t exist by means of security through obscurity and legal threats. Information in itself is not bad. It’s irresponsible vendors like Cisco and the proprietary Microseft with de facto monopolies that are harmful. Once a bug is discovered a large percentage of critical systems can be pwn3d before you can say Microseft. And that is why software/hardware monocultures are so bad.
The bug was fixed… four months ago. Although the tecnique used to inject the shell code could be used with future exploits.
I am sure Cisco isn’t “pretending” that the problem doesn’t exist.
Hey looks like someone finally brought his head back out of his ass…but yikes he is spreading foul smell everywhere
Some insightful comments on slashdot..anyone intrested in the topic should read..
http://it.slashdot.org/comments.pl?sid=157444&cid=13197446
… and they _are_ a greedy selfish lot, no doubt.
BUT
it is programmers who write crappy programs and other windows and who create bugs.
actually I cannot name another engineering profession where shoddy work considered to be norm, bugs are ok (“every program has bugs, he-he”). and it is always dumb users, managers and other billy gates to blame for bugs, and for everything.
professional “standards” of programming community is a shame, not a joke.
Ola ssme,
are you manager or what?
I am an engineer, software engineer. In my entire study time I was amazed to see the other engineers having norms, clear rules and strict regulations etc.
You just have to understand that software engineering is still in its infancy and there is a long way to go. Software development is still more creativity than engineering. In REAL engineering you have tolerances but in an if-statement you must have true or false… there is nothing in between…
So, just wait some years… and meantime in this story Cisco deserves the blame for their behavior.
Shame to them!
In a way Lynn is right and in another way Cisco is right too. There are two sides of the coin.
Would you not appreciate a person telling a problem in your ford which can cause a fatal accident? Would you punish that person, No? Hell No, he will be a hero. So if you look from that angle, Lynn is hero.
On the other hand, Would you appreciate the same person telling in public a fatal problem in our border security, which can lead to terrorists attacking us? Nah, so if you look from this angle, Lynn is the bad guy. He should tell our border security people about the problem and not to every damn person out there.
I think if you find a problem which is not known or hard to exploit, you should inform the vendor with full details and let people know that there are exploitable vulnerabilities so please patch your systems.
The only problem is that by doing this you don’t get well-deserved attention and credibility since people can say he is bluffing. The only way things will be better is, if companies starts rewarding and acknowledging people who find security holes in software and let vendor know in private manner.
In fact many security companies do that and Microsoft has even embraced that many times.
No. It’s the secrecy behaviour that causes all of the problems. If we lived in a totally *open* society, the trust levels would be a lot higher, and I suspect that there’d be a lot less trouble, and a lot less terrorism to boot. You have violence and terrorism in reaction to dictatorships like George W Bush jr.’s government, and the behaviour of the US government in shoving it’s viewpoints down any other countries throats. I really hate to break this news to you, but the US is no longer a democratic country, and hasn’t been one for quite some time. It’s now owned by the large corporation, they are the ones that dictate what happens.
Dave
Goodbye democracy hello fascist state. I wonder if George W. would look good with small mustache and a swastika on his arm?
Remember, boys and girls, that fascism is merely a flavor of socialism.
You will have to search a little bit harder to find the masters. George W. Bush is merely fulfilling the duties of his staff position.
Just like Microsoft “It’s not a flaw, it’s a feature“
It’s a feature that we are not supposed to know about, that’s all.
It’s a feature for a very few select agencies to utilize.
Why the FBI investigation of this guy? To scare this guy to shut up.
He played ball, prison is no place for a geek.
Sorry dude, i disagree. Leaking an important information about a security hole which can cause compromise of many machines is as good as writing blaster. He should have gone to correct medium.
And by the way, the first line of your comments made you lose all credibility. You are a lame zealot and nothing else. You are like that small dog on the street barking on an elephant and elephant is not even looking at you If you think you are good, then make other OS better instead of barking here.
ok….. how did politics get brought into this
…. i am not a bush supporter.. but holy crap…. he’s just doing his job….. he does what he needs to do and i would be willing to bet that just about anyone else put in his position would make similar decisions.
do i agree with some of those decisions, no…. but….. would i make the same decisions put in his shoes….. i might
i am not a bush supporter.. but holy crap…. he’s just doing his job
And what job is that? If every major decision he makes is anti-American, anti-freedom and anti-capitalism, who does he work for?
Open your mind a bit and think about it.
…….. perhaps leaking this information will prompt them to patch it…
…. if this was opensource it would have probably been patched within a day.
either way… i think this information should be released anyway… otherwise that security hole will sit open for ages
Again i disagree, telling that there is a security problem is different than giving exact details such that others can exploit it. The exact details should only be given to the vendor.
The security exploit got fixed a while ago, it is cisco fault not to publish the exploit before, so the networking guys could get their routers upgraded and the information given by Lynn were irrelevant now.
From my point of view all of this is the cisco’s fault. Lynn just published information about a security problem that is already fixed. Why there is a lot of routers affected by this??… because of cisco “secrets”.
Slashdot discussion has already pointed to links to the PDF presentation hosted on cryptome.org, attrition.org and others.
Oh well, as least a few people got some work and some lawyers got paid.
It appears none of you who posts on this thread has actually understood what this is about.
It’s not about publicizing details on flaws nor is it about a particular flaw that affects IPv6. The big thing in Lynn’s talk is to refute something that Cisco (and others) has stated for ages namely that it’s not possible to execute shellcode remotely on Cisco equipment. Currently it so happen that it can, apparently, be done by exploiting a bug in the Cisco IPv6 implementation but the important point is that it can be done AT ALL and that in the future it could be accomplished by exploiting ohter bugs.
Cisco has NO BUSINESS WHATSOEVER trying to silence these results since they do not detail exactly HOW it can be done only THAT it can be done. And lets not even mention the horribly behaviour of ISS…