nanog mailing list archives

Re: Cisco crapaganda


From: James Baldwin <jbaldwin () antinode net>
Date: Wed, 10 Aug 2005 08:53:05 -0400


On Aug 10, 2005, at 6:13 AM, Michael.Dillon () btradianz com wrote:

What techniques are you referencing? The technique Lynn demonstrated
has not been seen anywhere in the wild, as far as I know. He, nor
ISS, ever made the source code available to anyone outside of Cisco,
or ISS. What publication are you referring to?


Didn't Lynn come out and say flat out that he'd found a lot of information on a Chinese website (with the implication that the website had even more
information than what he presented)?


A black hat who is not Chinese has published some slides with
far more explicit step-by-step details of how to crack IOS using
the techniques that Lynn glossed over in his presentation. This
person also claims to have source code available on his website
for download but I didn't look to know for sure.

I desperately hope you are not referring to Raven Adler's presentation at Defcon following Black Hat. If so, I think "far more explicit step-by-step" is quite an overcharacterization of what she presented. If not, once again, I'd ask you to cite sources rather than make broad sweeping statements about what is already available. Appealing to some anonymous authority in order to claim the sky is falling is hardly endearing.

Since all blackhats tend to
communicate with each other to share ideas and to brag about
their exploits, it is entirely possible that this Cisco
exploit began in China.

That's a fairly bold statement. I'd also hesitate to label Lynn as a black hat, as his actions (notification of vendor, confirmation of a patch, and release) are not characteristic of a black hat. I'd suggest that generalization is incorrect in any case; researchers of any hat, in my experience, keep their secrets amongst a small group.

It is a nice myth to believe that a company like ISS does all
their own work in-house and that their employees are all super
gurus. But I would hope that most of you realize this is not
true. Companies like ISS leverage the work of blackhats just
like any hacker does. That's why I don't think gagging Lynn or
ISS or the Blackhat conference will have any positive effect
whatsoever. In fact, I would argue that this legal manoeuvring
has had a net negative effect because it has now been widely
published that Cisco exploits are possible. This means that
many more hackers are now trying to craft their own exploits
and own Cisco routers.

I agree that this was a very large public relations blunder on the part of ISS and Cisco. Their actions caused undue attention to be placed on this issue and put both groups on the wrong side of a very public argument. On the other hand, Lynn is exactly the sort of guru you describe. Riley Eller said it best: "If you put him and a (Cisco) box in a room, the box breaks."

Having spoken with him throughout development of this technique, I can assure you that it was not developed, and further, not propagated to anyone outside of ISS with Lynn's knowledge. He has taken every care possible to ensure that this did not leak. That's not to say it will not; certain members within ISS were keen on originally releasing this to the public before informing Cisco, which prompted Lynn to resign on the spot before he was talked into returning after they dropped the subject of uninformed public release.

Now I believe that Open Source software techniques can solve
this root problem because many eyes can find more bugs.
This doesn't just mean *BSD and Linux. There are also
systems like OSKit http://www.cs.utah.edu/flux/oskit/
and RTAI http://www.rtai.org/ that are more appropriate
for building things like routers.

"Many eyes can find more bugs" implies several things. It implies that a large group of people are investigating bugs, and that they are qualified to find bugs of this nature. I would argue that the number that meet both criteria is small in the open source world. That is not to imply that there are untalented people in the FOSS community, only that they are not interested in locating bugs or ensuring security of a specialized routing operating system as their primary function.

It boils down to the following question: Do you think the benefit of releasing the source code for IOS, allowing independent researchers access to the source code in order to locate flaws, outweighs the costs of that release, allowing criminals access to the source code in order to locate flaws and forfeiting trade secrets? In the case of Cisco, I'm sure the latter weighs more heavily in their mind.
