Re: Cisco IOS Exploit Cover Up

[James Baldwin <jbaldwin () antinode net>]

On Jul 28, 2005, at 10:14 AM, Scott Morris wrote:


> While I do think it's obnoxious to try to
> censor someone, on the other hand if they have proprietary internal
> information somehow that they aren't supposed to have to begin  
> with, I don't
> think it is in security's best interested to commit a crime in  
> order to get
> tighter security.

Lynn developed this information based on publicly available IOS  
images. There were no illegal acts committed in gaining this  
information nor was any proprietary information provided for its  
development. Reverse engineering, specifically for security testing  
has an exemption from the DMCA (http://cyber.law.harvard.edu/openlaw/ 
DVD/1201.html).

That being said, what information is he not supposed to have? All the  
information he had is available to anyone with a disassembler, an IOS  
image, and an understanding of PPC assembly.

If anything, the only "crime" he may or may not have committed is  
violation of an NDA with ISS, which should a contractual, civil issue  
not a criminal one.