| |
Mike Lynn is a Whistleblower, he should be protected
by Rattle at 8:11 pm EDT, Jul 28, 2005 |
The EFF should support Mike Lynn in his defense against ISS and Cisco. If security researchers are not protected as Whistleblowers when they uncover major flaws, our critical communication infrastructure will be at serious risk. These are the Good Guys. Mike has taken on enormous personal risk to do the right thing. So far, the general impression in the blogs is that he is doing the right thing. The mainstream media coverage has been good as well. This is a departure from the past, and a good one at that. The headlines contain words like "Whistleblower" and "Coverup".. It is quite ironic that Cisco & ISS are taking the "Intellectual Property" tactic. Just to add some irony to it, here is a a post of Mike Lynn here on MemeStreams proving CherryOS stole OSS code from the PearPC project: just incase anyone didn't believe them already here goes the analysis (I do this sort of thing for a living) first off CherryOS.exe is what we call in the security industry "packed", that means that they have taken a compiled binary and run it through an obfuscator to make it hard to reverse engineer (or at least with hard if all you're doing is strings)...this is common for virus writers, worm writers, 31337 bot net kiddies, and on the legitimate side, game developers do this a lot...its not very common among the commercial (or free) legitimate software market (mostly because it doesn't work and doesn't do any good) so, the easiest way to defeat the packing is simply to let it start up (this one has several annoying checks for debuggers so its easiest to just attach after its loaded)... the eula for this thing says its a violation to reverse engineer it, but if you do disassemble it you find they never had the rights to license it in the first place, so I don't feel worried to put this here... I think I have made it clear beyond a shadow of a doubt that CherryOS.exe, shipped as the core of cherryos is nothing but a recompiled version of PearPC...it has at most minor changes, most to strip attribution, hide the theft, or remove debugging output...
The only way we can fault Mike's research is with petty things like not consistently using upper case letters in his posts. The technical end of his work is flawless. Both Cisco and ISS are attempting to spin Mike's research and make it look incomplete, but the truth of the matter is he demo'ed his technique in front of a room of people, and no one has found fault with it. If this tactic continues, it will approach a very transparent form of character assassination. It will backfire on Cisco. In the field of Security Research, Whistleblowing has always been a controversial issue. It is not a black and white thing. This article at CNET covers a number of the issues with disclosure of security problems that often come up. If you compare the ideas expressed in the article with what Mike actually did, you should come away thinking that Mike handled this ethically. |
| |
RE: Mike Lynn is a Whistleblower, he should be protected
by dc0de at 10:14 pm EDT, Jul 28, 2005 |
Rattle has hit the nail on the head. Mike has done the ethical ("right") thing. He's handled it well, and now is coming under fire. Why doesn't Cisco simply say, "Yes, it's a flaw, and we dragged our feet on it..."? Why doesn't ISS admit that they simply wanted to keep the exploit to themselves to further their consulting practice? (sarcasm) Who would be harmed anyway? We're ISS, the most ethical hacking company on the planet, we wouldn't harm anyone, right? (/sarcasm) Rattle wrote:
The EFF should support Mike Lynn in his defense against ISS and Cisco. If security researchers are not protected as Whistleblowers when they uncover major flaws, our critical communication infrastructure will be at serious risk. These are the Good Guys. Mike has taken on enormous personal risk to do the right thing. So far, the general impression in the blogs is that he is doing the right thing. The mainstream media coverage has been good as well. This is a departure from the past, and a good one at that. The headlines contain words like "Whistleblower" and "Coverup".. It is quite ironic that Cisco & ISS are taking the "Intellectual Property" tactic. Just to add some irony to it, here is a a post of Mike Lynn here on MemeStreams proving CherryOS stole OSS code from the PearPC project: just incase anyone didn't believe them already here goes the analysis (I do this sort of thing for a living) first off CherryOS.exe is what we call in the security industry "packed", that means that they have taken a compiled binary and run it through an obfuscator to make it hard to reverse engineer (or at least with hard if all you're doing is strings)...this is common for virus writers, worm writers, 31337 bot net kiddies, and on the legitimate side, game developers do this a lot...its not very common among the commercial (or free) legitimate software market (mostly because it doesn't work and doesn't do any good) so, the easiest way to defeat the packing is simply to let it start up (this one has several annoying checks for debuggers so its easiest to just attach after its loaded)... the eula for this thing says its a violation to reverse engineer it, but if you do disassemble it you find they never had the rights to license it in the first place, so I don't feel worried to put this here... I think I have made it clear beyond a shadow of a doubt that CherryOS.exe, shipped as the core of cherryos is nothing but a recompiled version of PearPC...it has at most minor changes, most to strip attribution, hide the theft, or remove debugging output...
The only way we can f... [ Read More (0.1k in body) ]
|
|
| | |
RE: Mike Lynn is a Whistleblower, he should be protected
by Dagmar at 7:48 am EDT, Jul 29, 2005 |
dc0de wrote:
Rattle has hit the nail on the head. Mike has done the ethical ("right") thing. He's handled it well, and now is coming under fire. Why doesn't Cisco simply say, "Yes, it's a flaw, and we dragged our feet on it..."? Why doesn't ISS admit that they simply wanted to keep the exploit to themselves to further their consulting practice? (sarcasm) Who would be harmed anyway? We're ISS, the most ethical hacking company on the planet, we wouldn't harm anyone, right? (/sarcasm)
I'm going to make a post to my blog later today about this, but yeah, Mike definitely did the right thing. We've got a perfect example of what happens when things like this are allowed to be swept under the rug, and it's called "Blaster". Microsoft denied there was a problem with DCOM for months and months and months until finally script kiddies had enough time to figure out how to exploit the issue and someone loosed a worm that brought us The Day The Internet Clogged Up. Cisco is definitely trying to sweep this issue under the rug because it threatens their "IOS Everywhere" agenda--however if they're allowed to just sweep it under the rug, and some script kiddie finally figures out how to defeat the thing that Mike figured out how to defeat, then we're going to have The Day Criminals Got Control of Every Bank's ATM Network or The Day The Internet Crashed. |
|
| | |
RE: Mike Lynn is a Whistleblower, he should be protected
by Jamie at 1:08 pm EDT, Jul 29, 2005 |
dc0de wrote:
Rattle has hit the nail on the head. Mike has done the ethical ("right") thing. He's handled it well, and now is coming under fire. Why doesn't Cisco simply say, "Yes, it's a flaw, and we dragged our feet on it..."? Why doesn't ISS admit that they simply wanted to keep the exploit to themselves to further their consulting practice? (sarcasm) Who would be harmed anyway? We're ISS, the most ethical hacking company on the planet, we wouldn't harm anyone, right? (/sarcasm) Rattle wrote:
The EFF should support Mike Lynn in his defense against ISS and Cisco. If security researchers are not protected as Whistleblowers when they uncover major flaws, our critical communication infrastructure will be at serious risk. These are the Good Guys. Mike has taken on enormous personal risk to do the right thing. So far, the general impression in the blogs is that he is doing the right thing. The mainstream media coverage has been good as well. This is a departure from the past, and a good one at that. The headlines contain words like "Whistleblower" and "Coverup".. It is quite ironic that Cisco & ISS are taking the "Intellectual Property" tactic. Just to add some irony to it, here is a a post of Mike Lynn here on MemeStreams proving CherryOS stole OSS code from the PearPC project: just incase anyone didn't believe them already here goes the analysis (I do this sort of thing for a living) first off CherryOS.exe is what we call in the security industry "packed", that means that they have taken a compiled binary and run it through an obfuscator to make it hard to reverse engineer (or at least with hard if all you're doing is strings)...this is common for virus writers, worm writers, 31337 bot net kiddies, and on the legitimate side, game developers do this a lot...its not very common among the commercial (or free) legitimate software market (mostly because it doesn't work and doesn't do any good) so, the easiest way to defeat the packing is simply to let it start up (this one has several annoying checks for debuggers so its easiest to just attach after its loaded)... the eula for this thing says its a violation to reverse engineer it, but if you do disassemble it you find they never had the rights to license it in the first place, so I don't feel worried to put this here... I think I have made it clear beyond a shadow of a doubt that CherryOS.exe, shipped as the core of cherryos is nothing but a recompiled version of PearPC...it has at most minor changes, most to strip attribution, hide the theft, or remove debugging output... ... [ Read More (0.2k in body) ]
|
|
There are redundant posts not displayed in this view from the following users: Palindrome, Dagmar, Neoteric, skullaria.
|
|
