News Ex security researcher agrees to gagging order.

http://www.bit-tech.net/news/2005/07/29/Cisco_Flaw_Hushed_Up/

 

Morally i'm outraged that they've gaged him. But yet i'm glad the internet is going to die because a few kiddies want to show what they can do with another man's research (see blaster etc.).

Toughie isn't it.

For those not in the know, CISCO routers (what the flaw applies too) pretty much run the internet. They have some competition, but few people use anything but cisco gear for all their important connections. Now whilst the internet can coupe with a router going down, and packets will still find a way across, the worry hear is, that too much of the net is effected by the flaw.

 

Id say that people should only reveal flaws in code to the manufacturers themselves, as i fail to see the logic in letting the public know cause all that does it highlight a vulnrability to be attacked. If i was getting paid to discuss security though, that would be a different matter, and Cisco would have to pay me an equal amount to keep quiet because they would therefore be taking away my livelyhood.

 

Good points

Yer it does make a hell of a lot more sense just to tell the manurfacturer, I wonder if theyl actually bother to 'fix' it or just leave as the secrets is under wraps.

Somone will find out eventually and it will be the wrong person... A ransom for the t'interweb turns up on every fat cats desk demanding "$99999999999999999999.01 otherwise we will break the interweb!"

 

The reason people go public with stuff like this is that Microsoft have proven time and again that unless there's public pressure, security bug-fixes take a back seat to pretty much everything. Which is understandable, in some ways. Time == money, but it's not a linear progression. The less time you want something to take, == money squared, or worse, so they work on something slowly unless it becomes a PR fiasco.

Regarding the argument as to whether or not it's best not to go public, I really think it depends on the technical skill it would take to replicate such works. In this case, publishing would be a huge mistake imho, as the internet in its current state could be crippled, and my impression is that replicating the work this person has done would be quite difficult so it's not likely a third party will come up with something independantly any time soon. Problems that are easier to find should be publically disclosed, however, so that they get fixed in a timely manner before third parties begin exploiting the vulnerability maliciously.

 

It's to late... "The presentation showed how attackers could take over Cisco routers, a problem that Lynn said could bring the Internet to its knees" has thousands of would be hackers salavating. Just knowing that there is a security hole is enough for them to find it.

 

is there a video of that presentation available? I want to see what made cisco so worried.


He should have gone to cisco first and then gone public if nothing was done. You can garuntee that these flaw will be fixed asap now. Although he may have already gone to cisco for all we know.

 

That's exactly why, if it had been me, I would have released the information at a similar type of conference. I'd be too worried that the Manuf. would get the info, and go "Ok, we have it now, no-one else knows how to do it" and leave the flaw the way it is. I guess the best way would be tell them, then give them time to fix it, before going public.

I guess the main reason I would want it public knowledge, how is everyone supposed to know to upgrade their routers once it's fixed? One of the biggest problems in IT is people on outdated hardware/software. I'd be worried that the information wouldn't get to enough people, and the problem would still be there.

 

its intresting how people say manifactuers don't care about security, thats simply not true, they fix problems normally within a couple of months of been told, make the update available. The problem is USERS don't update it. Before blaster few home users would consider using windows update.

I mean, upgrading your managed switch scares people, most of these switches are on systems which have no unified at risk period. What i mean by that is most companies will say at 1am the PDC (primary domain controller) goes offline, every tuesday for updates. The BDC (backup ....) goes offline at 5am. This is what most large companies do. The problem is alot of them have the machines physically next to each other. The idea of taking that one switch offline to install an update and patch isn't liked.

I'd say its mostly users fault, and manifacturers for not making things patch happy, windows Vista however changes the software side of that in a quite intresting manner (i hope BSD follow suite, took me 35 mins to patch my mail auth deamon the other month).

 

Yeah, that's very true. It's not as much a fault of companies as it is of people not wanting to (or just forgetting to) update. Updating involves downtime, a cost a lot of places can't necessarily easily afford.

However, the gag order is about useless unless cisco is writing a patch for it this instant. The very fact that this got public attention just made thousands of script kiddies splooge in their shorts, and you can bet it's now a race to see who can figure out the puzzle first. It's one thing to say that you're not sure if there is a vulnerability, but you'll go looking...it's like a needle in a haystack, without knowing there's really even a needle. But to know there IS a big diamond in that haystack...well, you and everyone else who knows will invest plenty of time and energy into dismantling said stack and finding that diamond.

Work fast, Cisco.

 

Indeed. I wonder who's gonna finish first, the fixers, or the breakers?

 

My money is on the breakers. As I mentioned back when they reviewed the alienware computer, patience and intellect will beat lots of money any day. And not that Cisco people aren't intelligent, but they're going to go home at 5pm each day. The individual employees won't have the dedication that a hacker with "something to prove" will.

 

Very true indeed. I imagine someone'd work their arse off to be "the guy that broke the internet."

 

indeed, but lets not confuse that person with a script kiddie.

Cisco have another problem, they have to test their solution properly, and make sure it fixes everything. I find it quite strange how people labast companies for falling into what i call the SSHd version 1 patching trap. That is every patch breaks something, all to often making more holes.

The person making the exploit, hell if it only works on 5% of the gear its still a very damning breach.

 

That’s not entirely true... To "upgrade" a router all you have to do is tftp the new image up... reset your boot session, and reboot. All in all you’re only looking at 3-5min down time. Also any company worth its salt is running a cluster. So upgrading one router won’t effect it at all.. I.e Yahoo and Google come under daily denial or service attacks. It’s not that there immune to it or anything like that. It’s just that when one path starts to take a hit they switch over to a standby…

I work with Cisco products everyday. IMO there is a reason everyone uses Cisco. It's not there hardware; hell half the stuff they sell was acquired. The reason the internet runs on Cisco is there firmware support. You can contact your CCO and tell them hey “I'm having trouble filtering port x when I run this...” and two months later there is an update that solves your problem as well as the others that were submitted during that time period. The main problem with Router security is lazy admins that either don’t bother to protect there domain. Or don’t have the know how to do so. Network security is one of those things that most companies don’t take seriously until they get burned.

I really don’t care if this guy goes public or not... The problem will be fixed shortly. IMO the reason Cisco paid him off was to buy enough time to fix the problem! Assuming that they haven’t already….