We’ve had our own journalistic fracas here at Tom’s Hardware this week, and no, it didn’t involve Karl Rove or any leaks about covert ops. At least, not yet. But when we arranged to send one of our reporters to the Black Hat and Defcon shows in Vegas last week, we stepped into a messy situation involving Cisco, ISS, and divulging information about Cisco’s IOS router operating system.
For those of you who haven’t been following the issue, a security researcher by the name of Mike Lynn was scheduled to give a talk at the hacker conference about how he could take control of an arbitrary Cisco router by exploiting a buffer overflow in IOS. Lynn figured this out several months ago, and tried but failed to gain the support of both his now-former employer, ISS, and Cisco. He quit ISS moments before going on stage and presenting how he did it, to a packed audience that included our reporter, along with reporters from several other sites and news organizations.
We posted a story on our sister Tom’s Networking site on Thursday, the day after Lynn gave his talk. The story included photographs of Lynn giving his talk along with photos we took during the talk of several of his presentation slides. In the meantime, down in Vegas the printed copies of his presentation were torn out of the show proceedings and new CDs were pressed that didn’t include the electronic copy. Lynn also negotiated an agreement with Cisco and ISS to no longer disseminate this information. And a day after Lynn gave his talk, Cisco announced a fix for the underlying vulnerability.
Over the weekend we received a letter from a lawyer representing ISS asking us to remove the article. Based on the advice of our own counsel, we left the article on our site, and removed the photos from the article and from our web servers.
This is clearly a case of shutting the barn door after the horses have left, and while I agreed to remove our content (the first time in my journalistic career that I have done so), I am not happy about it. Especially since copies of Lynn’s presentation (and our photos too) can be found in many places around the Internet with just a few minutes of searching. I guess the ISS lawyers will be working overtime to try to get rid of those copies as well.
The whole episode recalls a situation when I was in high school and our public school began using a new health textbook. Someone objected to a couple of chapters in the book regarding sex ed, and before you could say X-Acto the school board had approved cutting the offending chapters out of the books and blacking out the table of contents entries referring to them. Any kid with a modicum of research talent (and this was way before Google) could stop at the local library and read the excised chapters at will. The action was noteworthy enough to make it to the New York Times’ editorial pages.
Removing this content (the Cisco content, not our sex-ed chapters) doesn’t make the Internet safer, doesn’t make our routers more secure, doesn’t encourage IT managers to upgrade their routers, and doesn’t make it any more difficult to work out the eventual exploit. It just makes us, ISS and Cisco spend more money lawyering around the problem. All that time, energy and money could be better spent educating the right people: the people who should be making their routers more secure and who need to understand how and why they are vulnerable.
Most certainly, people can figure out what Lynn did and reproduce his attack without his slides. His talk wasn’t all that prescriptive, and pointedly so; Lynn wasn’t interested in spawning a new series of attacks. At Defcon, a room full of hackers spent the weekend trying their best to replicate it and didn’t succeed, not for lack of trying but for lack of time.
It is only a matter of time before someone else figures this out and posts the steps or writes some code. So take some time, if you are running a Cisco shop, to make sure you have upgraded your IOS as instructed here and that you understand the vulnerability. And check this page often; it has already been revised several times in the past week. It’s about time Cisco acknowledged this flaw, and it is unfortunate that it took the circumstances at Black Hat to bring it to light. I realize that security researchers (the legitimate ones, such as those who still work at ISS and elsewhere) have a tough dance to do with the vendors whose products they research, but the events of last week and this week aren’t the best way to go about business. And cutting pages out of books and trimming images off Web sites is just plain stupid, as much now as it was when I was in high school health class.