North American Network Operators Group


Re: "Cisco gate" and "Meet the Fed" at Defcon....

  • From: Fred Baker
  • Date: Mon Aug 01 05:50:43 2005


> Cisco, are you listening?
Cisco is in fact listening. Cisco, like other companies, generally does not release security notices until enough information exists to allow customers to make a reasonable determination as to whether or not they are at risk and how to mitigate possible risk.

The issue underlying the suit wasn't the disclosure of the security issue, although we would have rather worked that according to the usual processes. From what the corporate legal folks tell me, their issue was the disclosure of Cisco intellectual property. Note that it wasn't just Cisco that felt the presentation was out of order; Lynn's employer became "former" because it also felt that way. I'll refer you to the legal brief for anything further on that, but I would really like to see this discussion begin to resemble an informed one.

> By this misbehavior you are seriously discouraging researchers from releasing info to you. They will suspect you'll sit on the exploit for months and not tell anyone (as you did with this one). They'll be afraid you'll try to kill the messenger (as you did with this one).
For the record, the vulnerability was first detected by Cisco in internal testing, not by outside researchers, and Cisco's approach to this has been in accordance with the RDF. Part of that process, at Cisco, is to develop work-arounds or updated code that corrects the exploit, test it, and get it into the field. Releasing the information on the exploit before that point exposes the ISPs to a vulnerability that they can't fix, or puts them into a scramble to download code that they haven't been able to gain confidence in. I should imagine that the various operators on this list would prefer to get the fix in place before the vulnerability is exposed rather than playing catch-up while their pants are around their ankles.

We very much try to work with people that are willing to work with us. We aren't very impressed by people that expose the industry to danger.