dc0de wrote:
Rattle has hit the nail on the head. Mike has done the ethical ("right") thing. He's handled it well, and now is coming under fire. Why doesn't Cisco simply say, "Yes, it's a flaw, and we dragged our feet on it..."? Why doesn't ISS admit that they simply wanted to keep the exploit to themselves to further their consulting practice? (sarcasm) Who would be harmed anyway? We're ISS, the most ethical hacking company on the planet, we wouldn't harm anyone, right? (/sarcasm)
I'm going to make a post to my blog later today about this, but yeah, Mike definitely did the right thing. We've got a perfect example of what happens when things like this are allowed to be swept under the rug, and it's called "Blaster". Microsoft denied there was a problem with DCOM for months and months and months until finally script kiddies had enough time to figure out how to exploit the issue and someone loosed a worm that brought us The Day The Internet Clogged Up. Cisco is definitely trying to sweep this issue under the rug because it threatens their "IOS Everywhere" agenda--however if they're allowed to just sweep it under the rug, and some script kiddie finally figures out how to defeat the thing that Mike figured out how to defeat, then we're going to have The Day Criminals Got Control of Every Bank's ATM Network or The Day The Internet Crashed. RE: Mike Lynn is a Whistleblower, he should be protected | 
