There has been an almost unbelievable amount of hubbub lately about the research that Mike Lynn gave a demonstration of at the BlackHat conference last week, and there's been a positively dizzying amount of "spin" applied to the media. Let me say one thing to everyone reading this, right up front. What Lynn uncovered is a serious issue, probably actually more serious than what the media is making it out to be. While coverage on the issue is good (and useful to both "sides") the lack of actual accurate reporting on the issue isn't helpful to anyone.

Part of the problem is that apparently, outside of the list of BlackHat attendees, there's not that many people running around who truly understand what Lynn's research uncovered. Lynn did not reveal an "exploit" in the usual sense. In fact, Lynn of his own volition has been playing his cards fairly close to his chest on this, and omitted most of the technical details of the problem from his presentation in order to assure that no one would be able to easily "follow in his footsteps". Lynn, it can safely be said, was scared by what he discovered--scared enough that he has risked his livelihood not once but twice in order to be sure that should the technical aspects of what he's found not be resolved before someone with less respect for the continuation of the Internet figures it out for themselves, the network and security administrators of the world will have had time to take some steps to reduce the amount of damage done. It can no longer be thought of as a sure thing that just because a particular vulnerability could "break the Internet" that no one's going to try it just to see if it's really true. We have a rather excellent example in recent history that pretty much everyone is aware of by now... the MS Blaster worm which raged around the Internet wreaking rather unprecedented havok. Pretty much everyone on the Internet was either personally affected by this, or knows someone who was. Blaster made use of a vulnerability that had become rather common knowledge by the time it was released, but had already been known to many security professionals for months. The real problem that made things so painful and propagation of Blaster so widespread, was that for those months, Microsoft had been actively denying that there was ever a problem until Blaster forced them to admit it. Had system administrators been made aware of the issue and the meager steps needed to impede the spread of Blaster (which everyone implemented in a white-hot hurry once their networks were figuratively ablaze) the damage could have been much less indeed.

Cisco is not helping the issue, or I should say, Cisco's lawyers are not helping the issue. Cisco makes some really awesome products, and their technical people can't really be faulted for this one technical flaw. The problem is that Cisco's lawyers are convinced that public knowledge of a serious issue ... [ Read More (1.3k in body) ]

Mike Lynn's 'exploit', in plain (non-technical) English

“I have challenged regulators, business professionals and utility companies in Iowa to work toward achieving 1,000 megawatts of renewable energy by 2010, which will require the addition of more than 500 megawatts of renewable energy facilities,” Vilsack said. “I am pleased that MidAmerican is taking a leadership role in that effort.”

Now that just plain rocks. It's nice to see some good news these days.

MidAmerican to build Largest Wind Farm in the World

] The US Air Force is examining the feasibility of a
] nuclear-powered version of an unmanned aircraft. The USAF
] hopes that such a vehicle will be able to "loiter" in the
] air for months without refuelling, striking at will when
] a target comes into its sights.
]
]
] With a nuclear drive a Global Hawk could fly for months
] without landing (Image: GETTY NEWSERVICE)]
] But the idea is bound to raise serious concerns about the
] wisdom of flying radioactive material in a combat
] aircraft. If shot down, for instance, would an
] anti-aircraft gunner in effect be detonating a dirty bomb

New Scientist