encoded arbitrary binary sequences
dc0de
RE: Mike Lynn is a Whistleblower, he should be protected
Topic: Technology 10:14 pm EDT, Jul 28, 2005

Rattle has hit the nail on the head. Mike has done the ethical ("right") thing. He's handled it well, and now is coming under fire.

Why doesn't Cisco simply say, "Yes, it's a flaw, and we dragged our feet on it..."?

Why doesn't ISS admit that they simply wanted to keep the exploit to themselves to further their consulting practice? (sarcasm) Who would be harmed anyway? We're ISS, the most ethical hacking company on the planet, we wouldn't harm anyone, right? (/sarcasm)

Rattle wrote:
The EFF should support Mike Lynn in his defense against ISS and Cisco. If security researchers are not protected as Whistleblowers when they uncover major flaws, our critical communication infrastructure will be at serious risk. These are the Good Guys.

Mike has taken on enormous personal risk to do the right thing. So far, the general impression in the blogs is that he is doing the right thing. The mainstream media coverage has been good as well. This is a departure from the past, and a good one at that. The headlines contain words like "Whistleblower" and "Coverup"..

It is quite ironic that Cisco & ISS are taking the "Intellectual Property" tactic. Just to add some irony to it, here is a post of Mike Lynn here on MemeStreams proving CherryOS stole OSS code from the PearPC project:

just in case anyone didn't believe them already, here goes the analysis (I do this sort of thing for a living). first off, CherryOS.exe is what we call in the security industry "packed", that means that they have taken a compiled binary and run it through an obfuscator to make it hard to reverse engineer (or at least hard if all you're doing is strings)...this is common for virus writers, worm writers, 31337 bot net kiddies, and on the legitimate side, game developers do this a lot...it's not very common among the commercial (or free) legitimate software market (mostly because it doesn't work and doesn't do any good) so, the easiest way to defeat the packing is simply to let it start up (this one has several annoying checks for debuggers so it's easiest to just attach after it's loaded)...

the eula for this thing says its a violation to reverse engineer it, but if you do disassemble it you find they never had the rights to license it in the first place, so I don't feel worried to put this here...

I think I have made it clear beyond a shadow of a doubt that CherryOS.exe, shipped as the core of cherryos is nothing but a recompiled version of PearPC...it has at most minor changes, most to strip attribution, hide the theft, or remove debugging output...

The only way we can f... [ Read More (0.1k in body) ]



Mike Lynn's Glorious Escapades
Topic: Technology 9:46 pm EDT, Jul 28, 2005

As many of you know, Mike Lynn has been vaulted into the spotlight by exposing a known vulnerability in the Cisco IOS router code. This vulnerability enables a nefarious person to gain privileged access to the router, and provides full control of all traffic that the router sees.

Needless to say, this is bad.

Mike had worked with ISS and Cisco to publish the findings... and Cisco wimped at the end of the day. I won't go into details, as there are enough sites with their take on the issue, however, I truly hope that the public sees Cisco and ISS's actions for what they are.

Both of these corporations have asked Mike to perform unethical and immoral actions to prevent this well known issue from being made "more" public.

The actions of these large organizations are truly that of money mongering, as it has been suggested that ISS actually wanted to obtain the exploit code to provide to its auditing teams, so they could MAKE MORE MONEY!!!... does it get any more UNETHICAL?

Cisco tried to downplay the vulnerability, stating

In Response To Mike Lynn's Presentation at Black Hat

* Cisco respects and encourages the work of independent research scientists; however, we follow an industry established disclosure process for communicating to our customers and partners.

* It is important to note that the information presented at the Black Hat Conference yesterday was not a disclosure of a new vulnerability or a flaw with Cisco IOS software. The research presented explores possible ways to expand exploitations of known security vulnerabilities impacting routers.

* As per Cisco's best practices guidelines, we recommend customers upgrade their software to the latest available versions.

* Customers should contact their account managers and sales engineers with questions and request for more information.

one word - BULLSHIT.

If those cowards at Cisco were even half-true with their statements, they would own up to the fact that their shit is flawed, and that they WERE notified of the flaw, and didn't do their own due-diligence to identify the depth and scope of the flaw.

So, instead of being honest, forthright and admitting their mistakes, they are targeting a friend, who with the best of intentions, raised the awareness of the issue to the world at BlackHat, due to the fact that Cisco sat on their hands when they should have been fixing their code.

Now, one has to ask themselves the following questions;

1. Why would Cisco put out such a blatant statement, and then focus on discrediting someone in the Information Security Field that has produced valuable products and solutions his entire career?

2. Why would Cisco NOT fix the flaws found in their code properly?

3. Why didn't Cisco alert all of its users of the REAL threat of the flaw?

4. Why has ISS brought the FBI into the investigation?

5. Why did ISS try to keep the exploit code for their own auditors, and want to keep that information from Cisco?

6. Do Cisco and ISS think that we are all that stupid to agree with their public press and statements? We know Mike, personally, we know what motivates him, and he DID NOT DO THIS FOR PROFIT. Can Cisco and ISS say the same?

Well, I could rant for hours... but personally, I use Foundry Routers and Switches, and I won't ever own an ISS product. So I just hope that those of you who read this, convince those who make the decisions to dump Cisco and ISS... before they cover up another one of these flaws, that costs YOU money...

That's my 2¢, YMMV.

dc0de.
