Former ISS employee Michael Lynn has agreed to terms with Cisco that will end its suit against him.
Mr. Lynn defied requests from Cisco and Internet Security Systems regarding his talk on Cisco IOS software and the potential harm that could come from exploits. Instead of discussing a different topic at the Black Hat conference in Las Vegas, Mr. Lynn gave his original talk and demonstrated how, if a flaw were present, an attacker could gain control of a Cisco router.
Cisco filed a complaint claiming that Mr. Lynn’s reverse engineering of the IOS code infringed on its intellectual property. A court agreed and issued the requested injunction against Mr. Lynn. He will be required to give back any related materials to Cisco, and is barred from discussing the problem cited in his talk.
Conference organizers, who claimed they did not know Mr. Lynn was going to defy Cisco’s request and discuss the IOS problem anyway, will have to hand over a video tape of Mr. Lynn’s talk, according to TechWorld.
The injunction was “probably good for their bottom line – and bad for the country,” Mr. Lynn said in the Los Angeles Times. For its part, Cisco claims it needed more time to understand “the broader scope and impact” of the flaw, to better serve its customers.
The type of action Cisco took generally happens when someone takes a newly discovered flaw public. But that wasn’t the case here. In his talk, Mr. Lynn showed how, if a flaw were present, that flaw could be exploited. He used a router running a version of IOS that contained a flaw Cisco patched in April.
That patch came as a result of research Mr. Lynn and ISS provided to Cisco earlier this year. Until last week, Cisco apparently was supporting Mr. Lynn’s proposed talk, and even planned to be part of it, again according to the Times.
A greater problem comes from how Cisco, which has its routers and other hardware devices in countless parts of the globe, will now be perceived by security researchers. Instead of sharing flaws with the company, those researchers may be tempted to keep quiet and avoid incurring Cisco’s legal wrath.
That would be a disastrous scenario if another researcher found the same flaw and, instead of reporting it or keeping silent, disclosed its presence to malicious attackers. Perhaps Cisco should better clarify its practices regarding security disclosures going forward.
David Utter is a staff writer for Murdok covering technology and business.