Exposer of Cisco Flaws to Go Silent

Times Staff Writer

Cisco Systems Inc. on Thursday won a legal battle to silence a researcher who had publicly demonstrated he could hijack machines that power much of the Internet.

Cisco sued Michael Lynn shortly after he presented his findings Wednesday at the annual Black Hat computer security conference in Las Vegas. Despite its name, the gathering mostly draws not bad guys but experts who help defend companies against Internet attacks.

Lynn went to the conference to present research he conducted as an employee of Atlanta-based Internet Security Systems Inc., which advises companies on protection measures. Since January he has been studying how hackers could seize control of routers made by Cisco -- devices that are used around the world to direct Internet traffic.

The research showed that a series of previously disclosed flaws were far more critical than had been believed, jeopardizing computers that had not received recent software updates, Lynn told attendees Wednesday.

“You could own portions of the Internet. It’s pretty scary,” said Ero Carrera, a researcher with the Finnish security software company F-Secure Corp. who attended the talk.

Lynn had shared his findings with Cisco months ago, Lynn and Chris Rouland, Internet Security Systems’ chief technology officer, said. Cisco had cooperated with him and even wanted to share the stage.

For reasons that have not been made public, however, Cisco changed its mind last week. After the company complained to Internet Security Systems, Rouland told Lynn he couldn’t give the lecture, Lynn said.

Lynn agreed -- but on Wednesday he abruptly resigned and delivered the talk anyway.

The vulnerabilities are too important for the matter to be kept quiet, he said Thursday.

“Nobody really considered until Wednesday that it was possible, so nobody has had a plan” to protect the system, Lynn said.

In the lawsuit, which sought a court order prohibiting Lynn from publicizing his work, Cisco and Internet Security Systems accused Lynn of stealing trade secrets and breaking copyright law.

“Both Cisco and ISS felt that it would not be in the best interest of customers and partners to disclose the findings until the broader scope and impact is understood,” said Cisco spokeswoman Mojgan Khalili, declining to elaborate.

On Thursday, Lynn settled the case by agreeing to give up all copies of his presentation and return his raw materials.

Some called Cisco’s suit an overreaction. Many technology companies are overly worried about losing face in such cases, said Carrera, the researcher with F-Secure.

“I don’t see what you win by trying to sue these people,” he said. “It’s embarrassing for them, of course, but they should just admit [the security problem] and fix it.”

The incident reflects a natural tension between Internet security firms, which say they want to publicize findings to aid customers, and technology firms whose products are identified as flawed. Often those companies would prefer to fix things quietly.

Disputes over similar disclosures end in court perhaps once or twice a year, said Jennifer Granick, a Stanford University Law School lecturer who represented Lynn in his brief courtroom battle.

Legal scuffles usually result when researchers release news of a security hole before the responsible company has had time to fix it, or when they release computer code that would allow hackers to exploit the vulnerability.

In this case, Lynn did neither. Cisco objected mainly to the release of portions of its own code, which it said were illegally obtained. The company said it would release its own security advisory to customers by the end of today.

Lynn said he acted responsibly.

“I gave maybe about 5% of the information required to actually do what I did,” Lynn said. “I didn’t want to help anybody write anything malicious.”

Still, Lynn said he understood why Cisco and Internet Security Systems, which wants to maintain good relations with the biggest companies, acted as they did.

The attempt to stop his talk was “probably good for their bottom line -- and bad for the country,” Lynn said. Cisco shares rose 12 cents Thursday to close at $19.30.