Short version: I think that Cisco is overreacting and is being a bully.
Long version follows…
Cisco has a press release about the
permanent injunction against M. Lynn. Most of it reads like the usual
PC fluff. However, I take exception to the following:
actions with Mr. Lynn and Black Hat were not based on the fact that a
flaw was identified, rather that they chose to address the issue outside
of established industry practices and procedures for responsible
Based on available information, I feel that those
words are entirely bullshit and ask that someone (at Cisco hopefully)
point me to those “established industry practices and
procedures” (the phrase implies that they’re written down
somewhere). Supposedly Cisco patched the flaw last April, which means
that it was known (or made known) to them before that. If “established
industry procedures” indicates the “Full Disclosure Policy” that was
drafted by Rain Forest
Puppy, then M.L. was well outside of the 5-day waiting period. Or
even the 30-day standard that Microsoft pushed for when that company
last trotted out
responsible disclosure. Or how about eEye’s RDP where specific
information is withheld until the patch is released? Coincidentally,
eEye’s reported process is similar to those of the OIS (Organization for
Internet Safety) (read their PDF for the actual written practices
and procedures) in that specific information is withheld until the patch
So which “established industry practice and procedure”
did M. Lynn violate? Or did Cisco just not like someone airing their
Just so that there’s no confusion about my
“overreacting” opinion, I used that term in referring to the injunction
requirement put forth by Cisco that M. Lynn never speak at Blackhat or
Defcon again, on any topic. I’d understand if the requirement were
limited to this specific vulnerability. In my opinion, anything extra
is malicious and over-the-top.
Neither side has acted with logical
consideration of their actions, both are trying to appear to be “the
victim”, and all involved should “get over it”.
Errr… I missed the announcement of this one too: ShmooCon 2006. Current price $75.
For those that don’t know: the price goes up as it gets closer to con
(from the Register).
My first thought: this will add a whole new side
to the phrase “when hackers attack”.
My second thought: Johnny Long is
going to need a new category on his site.
Networking has a good piece going on the Cisco flop-and-twitch. I
consider the whole incident to be yet another go-round in the religious
war called “responsible disclosure”. You’ve heard the arguments from
both sides. You’ll hear ’em again.
My personal view (at least of this
incident) is that this isn’t something that M. Lynn “invented”, it’s
something that he heard of elsewhere which caused him to do a bit of
research. Some of “the bad guys” already have the info. It’s nice to
know that some of “the good guys” now also have it. However, M. Lynn is
probably going to suffer in multiple ways, and this incident has a strong
possibility of setting a very nasty precedent. Watch for the legal pendulum
to swing very quickly to one side or the other.