Security researcher quits job to defy Cisco

By Derek Sooman on July 28, 2005, 6:38 AM
Michael Lynn, a security researcher at Internet Security Systems (ISS), planned to give a presentation on a now-patched flaw in the Internetwork Operating System (IOS) software used to power Cisco's routers, until Cisco put pressure on ISS to put a stop to it. Following the 2004 theft of Cisco's IOS source code, it was feared that attackers could create a devastating worm attack using Lynn's information and the source code. Lynn, however, felt that it was paramount that security communities gained knowledge of the flaw, since users running older versions of the company's software are at risk. Lynn has therefore quit his position at ISS, and the planned presentation has gone ahead at the Black Hat security conference in Las Vegas.

Lynn said he felt compelled to quit his job so that he could give the talk because the Cisco security issues are of vital importance to the Internet's health. "This is the right thing to do," he said to applauding Black Hat attendees. "When you attack the router, you gain control of the network."

Lynn described a now-patched flaw in the Internetwork Operating System (IOS) software used to power Cisco's routers, and the steps he used to gain control of a router. Although Cisco was informed of the flaw by ISS, and patched its firmware in April, users running older versions of the company's software are at risk, he said.

Cisco and ISS have now filed a restraining order against the management of the Black Hat Conference and Lynn. Cisco cited reasons of protecting intellectual property.




User Comments: 1

Phantasm66 said:
[quote]ISS disavowed any foreknowledge of Lynn's intent to resign and present his findings. Cisco condemned the talk in strong terms that suggested the company may initiate legal action against the researcher and the conference, describing the presentation as the illegal publication of proprietary material. "It is especially regretful, and indefensible, that the Black Hat Conference organizers have given Mr. Lynn a platform to publicly disseminate the information he illegally obtained," the company said in a statement. "We appreciate the cooperation we have received from ISS in this matter. We are working with ISS to continue our joint research in the area of security vulnerabilities."[/quote]