As many of you know, Mike Lynn has been vaulted into the spotlight by exposing a known vulnerability in the Cisco IOS router code. This vulnerability enables a nefarious person to gain privileged access to the router, and provides full control of all traffic that the router sees.
Needless to say, this is bad.
Mike had worked with ISS and Cisco to publish the findings... and Cisco wimped out at the end of the day. I won't go into details, as there are enough sites with their take on the issue; however, I truly hope that the public sees Cisco and ISS's actions for what they are.
Both of these corporations have asked Mike to perform unethical and immoral actions to prevent this well-known issue from being made "more" public.
The actions of these large organizations are truly that of money mongering, as it has been suggested that ISS actually wanted to obtain the exploit code to provide to its auditing teams, so they could MAKE MORE MONEY!!!... does it get any more UNETHICAL?
Cisco tried to downplay the vulnerability, stating:
In Response To Mike Lynn's Presentation at Black Hat
* Cisco respects and encourages the work of independent research scientists; however, we follow an industry established disclosure process for communicating to our customers and partners.
* It is important to note that the information presented at the Black Hat Conference yesterday was not a disclosure of a new vulnerability or a flaw with Cisco IOS software. The research presented explores possible ways to expand exploitations of known security vulnerabilities impacting routers.
* As per Cisco's best practices guidelines, we recommend customers upgrade their software to the latest available versions.
* Customers should contact their account managers and sales engineers with questions and request for more information.
one word - BULLSHIT.
If those cowards at Cisco were even half-truthful in their statements, they would own up to the fact that their shit is flawed, that they WERE notified of the flaw, and that they didn't do their own due diligence to identify the depth and scope of the flaw.
So, instead of being honest, forthright and admitting their mistakes, they are targeting a friend, who, with the best of intentions, raised the awareness of the issue to the world at BlackHat, due to the fact that Cisco sat on their hands when they should have been fixing their code.
Now, one has to ask themselves the following questions:
1. Why would Cisco put out such a blatant statement, and then focus on discrediting someone in the Information Security Field who has produced valuable products and solutions his entire career?
2. Why would Cisco NOT fix the flaws found in their code properly?
3. Why didn't Cisco alert all of its users of the REAL threat of the flaw?
4. Why has ISS brought the FBI into the investigation?
5. Why did ISS try to keep the exploit code for their own auditors, and want to keep that information from Cisco?
6. Do Cisco and ISS think that we are all so stupid as to agree with their public press and statements? We know Mike personally; we know what motivates him, and he DID NOT DO THIS FOR PROFIT. Can Cisco and ISS say the same?
Well, I could rant for hours... but personally, I use Foundry Routers and Switches, and I won't ever own an ISS product. So I just hope that those of you who read this convince those who make the decisions to dump Cisco and ISS... before they cover up another one of these flaws that costs YOU money...
That's my 2¢, YMMV.