nanog mailing list archives

Re: Cisco and the tobacco industry


From: Jared Mauch <jared () puck nether net>
Date: Thu, 28 Jul 2005 15:08:27 -0400


On Thu, Jul 28, 2005 at 02:17:46PM -0400, J. Oquendo wrote:

> Subject : RE: Cisco IOS Exploit Cover Up
>
> On Thu, 28 Jul 2005, Geo. wrote:
>
> > I think there is also a LOT of concern about all the unpatched routers that
> > remain unpatched simply because the admins don't feel like spending a week
> > running the Cisco gauntlet to get patches when you don't have a support
> > contract with Cisco. It's like Cisco doesn't want you to patch or they would
> > make it easy.
> >
> > Geo.
>
> This is oh so true - contracts in order to patch your equipment. Normally
> I would never mention the need for an authority to intervene on things
> related to the Internet, but how long will it be before the term "Digital
> Pearl Harbor" is a reality?
>
> Maybe it is time an authority figure steps in and makes some form of rules
> for vendors to distribute fixes under some form of law. If this flaw of
> Cisco's could lead to the kind of severe damage Mr. Lynn claims,
> shouldn't it fall on the shoulders of Cisco to get their act together and
> provide a fix as opposed to sending in the hounds (legal shmoes via
> Cisco) to avoid coming clean on this issue?

        Cisco always has provided free upgrades to non-contract holders
for security bugs.

        eg:

http://www.cisco.com/en/US/products/products_security_advisory09186a008042d51b.shtml

-- snip --
 Please have your product serial number available and give the URL of this notice as evidence of your entitlement to a 
free upgrade. Free upgrades for non-contract customers must be requested through the TAC.
-- snip --

        Now the fact that there has been no advisory (yet) means
no free upgrade (yet?).

        This is much kinder than other companies have done where you
can't get squat.

        Now, for the doomsdayers, yes, it's likely we'll have something
nasty happen to the internet at some point.  Yes, it'll disrupt 911 and
other critical services (finance, health care, etc.), but without people
taking active responsibility for the equipment they own and operate, the
question is who will get hurt and how bad.

        We do security testing on our IOS images and have found
bugs that have been reported to PSIRT and fixed "quietly".  They've
been fairly good at solving the issues.  I think, as with any time I deal
with a vendor, promptness is always an issue; I'd always like a fix in a
few days, and they never seem to move as fast as one would want.

        If you don't do testing of your images, I suggest you create
a plan and add it to your qualification procedures.  Even if you don't
have a current contract, you can get free upgrades if you find a PSIRT
bug, perhaps that should make everyone *want* to help Cisco.

        Then again, there have been issues for years where this happens.
I encourage everyone to beat on their routers (in the lab) and work with
your vendors to solve the problems, and not run around creating massive
amounts of chaos; we've all seen what that does.

        - jared

-- 
Jared Mauch  | pgp key available via finger from jared () puck nether net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
