News
Opinion: Thanks, Mike Lynn -- Thanks for Nothing
Mike Lynn is being hailed in some quarters as a hero, but I don't buy
it. I'm sure his heart was in the right place when he discussed a serious
vulnerability in Cisco routers at the recent Black Hat USA conference, and his
courage in quitting his job, rather than be censored by Cisco and his
own employer, is admirable.
But that still doesn't make what he did right. My main concern is that
now, hackers are working overtime to figure out how to break into these
routers and wreak their havoc. Here's what Brian Krebs, the Washington
Post's excellent computer security reporter, said in a blog from the
conference:
"One DefCon attendee who asked not to be named told me today that an
international consortium of hackers is now working around the clock to
write software code that could be used to exploit the flaw Lynn
uncovered."
These hackers did not have this target before; if Lynn hadn't
presented his findings, many, or most of them would likely not even
know about it. (All indications are that it will be an exceptionally
difficult flaw to exploit, and took Lynn years of research to find. On
the other hand, a large group of hackers working in concert could
substantially reduce that time). But now that Lynn's blown the lid off
of it, every hacker from Boise to Shanghai knows about it. That's
simply not smart.
There's a scene in Steven Spielberg's movie "Saving Private Ryan" where
a soldier warns a new member of his team not to salute the team's
captain. "Every time you salute him, you make him a target, so don't do
it; especially when he's next to me" says the soldier. What Lynn's done
here is salute the captain, letting everyone know where to train their
guns.
It's a shame that all parties involved have reached a legal settlement
to not discuss the case, apparently forever. I'd like to hear what
Cisco has to say (its response to the situation has been called
thuggish by security guru Bruce Schneier, among others), and Lynn's
rationale as well. I'm also not against announcing vulnerabilities; I
strongly favor it, when researchers and vendors work together. Maybe
Lynn tried to work with Cisco, and the company ignored him;
unfortunately, it looks like we won't know. Krebs, in the blog, quoted
an ISS spokesman as saying that the companies are working together to
develop a solution to the problem, and a Cisco press release implied
that Lynn didn't follow industry-standard processes for releasing
information on vulnerabilities.
However it happened, the end result is this: the bad guys have now
turned their attention to the backbone of the Internet. Let's hope it's
made of strong stuff.
Keith Ward is editor of the Security Watch newsletter and managing editor of Redmond magazine.
About the Author
Keith Ward is the editor in chief of Virtualization & Cloud Review. Follow him on Twitter @VirtReviewKeith.