November 9, 2005 - Implications of the Lynn Cisco Research, and Moving Forward

by Jeff Moss

Did you notice that the original issue of the Black Page is missing? I removed it at the request of Mike Lynn and ISS when they were sorting out what Mike's presentation was going to include. It was getting close to the show, and I was getting conflicting signals from ISS. A common theme we will see in this saga.

In general, though, our security community is very good at sharing information, maybe the very best. This is an important skill, especially in today's times. It was like trying to put a genie back in the bottle. Pandora's box was open, and everyone wanted a look.

This update to the BlackPage will catch us up with what has happened in the ISS and Cisco vs. Mike Lynn and Black Hat case, and I hope to set the record straight. I have also asked for comment from other security experts, and that will be included as separate BlackPage entries.

First off it is important to understand that the mission of the Black Hat Briefings is to provide the most up-to-date and vendor neutral information needed to improve security of our applications and networks. If content is neutered, how can we make informed decisions on what the risks are? Unbiased information is the most valuable and I believe that is one reason why Mike ultimately dropped his back-up speech on VoIP security issues and gave his presentation, despite all odds.

"If content is neutered, how can we make informed decisions on what the risks are? "

I have been dealing with lawyers for over three months since the stipulated permanent injunction was filed hours before the conference started. Now the legal battles have come to an end for Black Hat, Cisco and ISS. After acquiring and forensically wiping all information from Black Hat regarding Michael Lynn and his presentation as required by Judge White, Cisco and ISS have finally dismissed its lawsuit against Black Hat. Mike is at an end of the civil matters as well. I think the song Attorney Kurt Opsahl from the EFF wrote must have worked!

The legal landmines have been deactivated, and the money purge has stopped. While Black Hat is still under a Permanent Restraining Order to not disseminate video of Mike's presentation or to spread his presentation material containing proprietary Cisco source, I can live with that because we no longer have any copies. I couldn't violate the terms if I tried. Looking on the bright side, if that is possible, it was a very interesting learning experience for all involved. The Cisco lawyers were very professional and all about getting down to business. If lawyers are a form of the modern day warrior, then my Cisco opponents behaved honorably. I plan to write about some of the business lessons learned in a future BlackPage entry.

Black Hat has and always will bring new research to those defending digital information. The security community won’t be easily intimidated, and Black Hat will continue to act as a platform for the security community for years to come.

However, the larger issue of this episode is not about Black Hat. It is about the industry and the state of the global infrastructure. The actions of the ISS and Cisco lawyers has had a profound impact on the security research community. Their actions reverberate beyond that of Black Hat and Michael Lynn, and impact security researchers worldwide, and more importantly, the security surrounding the infrastructure and the customers of insecure technology worldwide.

What happens next? It is important to start with the correct facts, then move forward. The security community can always look to Black Hat for straight information, and here are some important facts:

1. The Lynn-Cisco disclosure procedures, in accordance with numerous standards. Lynn did not disclose a new vulnerability; his research demonstrated remote exploitation of a known vulnerability.
2. Lynn exposed architectural weaknesses in IOS that provided the necessary functionality needed to reliably implement remote code execution of certain classes of vulnerabilities. Before Lynn's presentation, no one proved it was possible to reliably gain remote shell access to IOS routers by exploiting buffer overflows.
3. Thousands of Cisco routers have been patched since Lynn’s presentation, improving the global security posture. Without his presentation, these machines would be unpatched to this day. However, many more still need to be patched.
4. The Lynn Cisco disclosure timing was necessary. Lynn and FX agree Cisco's new architecture that is currently in beta makes a Cisco router worm possible for the first time.
5. Michael Lynn did not illegally reverse engineer Cisco's intellectual property. If there was illegal reverse engineering, it would have been ISS that had done so (Lynn was working for them). Cisco has never made such a claim against ISS.
6. Michael Lynn did not violate ISS's NDA when giving his speech. Michael Lynn, on behalf of ISS, granted the copyright of all information submitted to Black Hat two months prior to the event. His presentation even passed internal ISS marketing review three different times. On the other hand, when Mike, ISS, and Cisco all wanted the materials removed we tried to accommodate them. I couldn't fully evaluate their legal claims while in the middle of running the largest Black Hat conference to date.
7. Cisco marketing people are not sources for unbiased information, they generally are trying to spin things too much. On the other hand you can generally trust Cisco security people.

Now that we are all on the same page, let's move forward and try to fix the larger issue surrounding security research. The security research disclosure loop is broken, and has been for years. Security researchers and corporations need to work together better or this story will happen over and over. Here are a few ideas on how to make this happen:

1. Corporations actively encourage security research through research programs and by responding to legitimate concerns in a timely manner. The more this can be structured and documented, the more the researchers will know what to expect when dealing with the particular company. Currently Oracle would be an example of how NOT to do this correctly, and Microsoft would be an example of HOW TO do this correctly.
2. Corporations standardize, publish, and adhere to a security research and disclosure process with clearly defined points of contact. Shooting the messenger forces the messenger into the underground or to publish without notification.
3. Legal clarification on the status of reverse engineering for security purposes under the DMCA. This would help provide some legal stability for the bug finders and discourage malicious legal attacks designed to shut people up. The alternative is underground research and anonymous bug postings. I don't like to advocate more and more laws, but what I do want is some clarity from the courts and direction from the law makers.

I've been asked if Black Hat plans to do anything differently in the future because of this episode. My answer is an absolute no. It will be business as usual for Black Hat and the way we select speakers. I see no viable alternative. Am I to have people waiting at the edge of each stage with a hook to snag a presenter off stage the second they deviate from their printed materials? What if they dodge?

Look to upcoming issues of the Black Page to further discuss this topic. I am inviting experts I respect to contribute, including Michael Lynn, Linton Wells, Raven Alder, Jennifer Granick, Paul Proctor, and others.