nanog mailing list archives
Re: Cisco IOS Exploit Cover Up
From: "Christopher L. Morrow" <christopher.morrow () mci com>
Date: Thu, 28 Jul 2005 16:30:01 +0000 (GMT)
On Thu, 28 Jul 2005, Leo Bicknell wrote:
> In a message written on Thu, Jul 28, 2005 at 08:29:22AM +0100, Neil J. McRae wrote:
> > I couldn't disagree more. Cisco are trying to control the situation as best they can so that they can deploy the needed fixes before the $scriptkiddies start having their fun. It's no different to how any other vendor handles an exploit and I'm surprised to see network operators having such an attitude.
>
> This is not a Cisco specific comment, but it is a network operator comment.
>
> --snip---
>
> but to make that kind of show in public? What is the motivation? If this bug is, as Cisco puts it, "not serious" then they just spent a lot of money on people to go do all of that for nothing. Doesn't seem likely. So what everyone's spidey sense is now telling them is Cisco wouldn't spend thousands of dollars on legal injunctions and armies of razor blade toters for nothing, so there must be something to this paper. Which makes their denial all the more hollow.
There is the possibility that Cisco, in this case, knows that they have a significant base of folks that 'never upgrade' devices. I know of several thousand 2500's with 11.x code on them, which will NEVER be upgraded... So, the potential for Neil's network or Leo's or Martin's to be vulnerable to something patched in 12.0.x.y.z code train 9 months ago isn't there. That's a good thing for them, but it doesn't address the thousands, or hundreds of thousands, of devices which never get upgraded and still connect to Neil/Martin/Leo's networks as CPE or CPE to CPE... These devices could still cause some pain to the networks in question. (All this without seeing the talk of course... perhaps he said: push button yellow and router go boom. I don't know.)