Titles suck

skullaria
 
Current Topic: Computer Security

Redmond, Thanks for Nothing...
Topic: Computer Security 12:37 am EDT, Aug 12, 2005

I have reason to believe that at least one person already has this exploit, and it isn't just Mike Lynn. :)

Anyway, I have about as much faith in this guy's opinion as I do that this chick's boobs are real.


Jennifer Granick | The Shout | Reverse Engineering Lawyer Code
Topic: Computer Security 11:47 am EDT, Aug  7, 2005

The next installment of Jennifer's story about representing Mike is up.

This post has one key piece of information that explains definitively why Jennifer kicks so much ass. She is a Jersey Girl!

I also find it somewhat intriguing that both her cat and dog look very serious.

Update: The last installment is up now as well. Wired has picked up the story from Jennifer's blog and is running it.


Non-Technical Explanation of Mike Lynn's Disclosure
Topic: Computer Security 5:12 pm EDT, Aug  4, 2005

Kudos to MemeStreams user Dagmar for putting together a post which breaks the technical aspects of Lynn's disclosure down in a way that non-technical people can understand. Be sure to click through and read his entire post.

Someone who takes the time to tie a few existing exploits together and utilize a technique similar to what Lynn discovered to make a worm that infects equipment, spends a small amount of time trying to infect other equipment, and then viciously puts the equipment out of commission in the aforementioned fashion, could in a very real sense turn off large chunks of the Internet.

No, I was not joking about the last sentence. If you work in an IT (Information Technology) shop, take a moment to look around your office at all the very important equipment you have that just happens to have the Cisco logo on it. (I say "just happens to have the Cisco logo" because the root problem here has nothing to do with Cisco in particular, they're just the first company who have had this weakness uncovered--and as I said earlier, they were already in better shape than most.) Now imagine what would happen if all that equipment just shut off, and you couldn't get it back up and running any time in the next twelve hours or so. You might think, "well, I will just go to their website and get the updates" but no, no... the Internet connection ran through one of the pieces of equipment that is now down so you can't do that. ...and even if it's not, there's a good chance that the people who your company connects to in order to reach the Internet have equipment that has been affected, so you still can't get to the website with the updates you need. So you pick up the phone and call the manufacturer, and get to wait on hold for a very long time indeed, because many thousands of other people are just as stuck as you are. FedEx can get things out fast, but they're not nearly instantaneous, and hundreds of thousands of packages all marked "Red Tag, Highest Priority" at once are going to give them fits. Unless you know someone with magic powers of teleportation, you're looking at a very long wait for a package to be delivered by a truck that can fix your problem, and you're going to have to deal with all the upper-management types freaking out in the meantime. (Mind you, if you're lucky, your inter-office email system will also have been shut down by this, so they can only get to you through your cell phone and pager, which limits the number of panicked managers who can get to you at once.)

One message that Dagmar tries to get across in this, that should be spread and embraced, is that equipment (and software) mono-cultures are inherently dangerous. A post on the blog Art Of Noh...


Router Flaw Is a Ticking Bomb | Mike Lynn Has Integrity^3
Topic: Computer Security 12:39 pm EDT, Aug  3, 2005

Wired has done a great interview with Mike. It should clear up a number of the questions people have had with recent events.

I would like to specifically point out one part of this interview:

WN: So ISS knew the seriousness of the bug.

Lynn: Yes, they did. In fact, at one point ... they apparently didn't get it, and they actually wanted to distribute the full working exploit very widely inside the company.... I was told ... "Give this to all the sales engineers and to all the pen testers."

WN: Why would they want you to do that?

Lynn: Well, because it bruises Cisco, remember? Mind you, this was something that Cisco hadn’t gone public with yet and that's not useful to pen testers because what do they advise their customers to do (to protect themselves if no information about the vulnerability has been released yet)?

I told them, "You do realize if you do that, it's going to leak?" And (one of the ISS guys) says, "That's Cisco's problem." And then (another ISS guy) turns to me and says that they need to understand this could be their Witty worm. I was like, Whoa, what meeting did I walk into?

(The Witty worm was a particularly aggressive and destructive code released by someone last year that targeted computer systems running a security program made by Internet Security Systems and even more specifically targeted military bases using the software. It infected more than 12,000 servers and computer systems in about an hour. Because of the worm's speed in spreading and its creators' apparent knowledge of who ISS' customers were, some security experts speculated that someone working for or connected to ISS might have been responsible for writing and releasing it.)

At that point, I told them all no, and they fought it and I resigned right there on the spot. And this was about a month ago.

I thought they were handling this in a non-ethical manner. Because it was just way too fast and loose with who can see this.... I mean, I don't even want people to see it now. (ISS talked him out of the resignation by agreeing to give him control over who could see or have the exploit.)

All I can say is WOW. A big "wow". Caps, bold, and feeling.

Anyone who says that Mike is not on the level needs to reference this. This says truly horrible things about ISS. This should cost them some serious reputation capital.

One thing that Mike did a great job of in this interview is getting the idea out that in order to defeat the "bad guys", you must run faster than them. It is the only option.

Case in point, via the Wall Street Journal:

"The vulnerabilities are out there on the Net in full broadcast mode," said Gilman Louie, a tech-industry veteran who heads In-Q-Tel, a venture-capital firm backed by the Central Intelligence Agency. "The bad guys get to it faster than everybody else. I'd rather have disclosure and let everybody respond."

Disclosure is a great thing, but it must be done properly. I would argue that Mike did it properly. I would argue that he has displayed the best kind of ethics through this entire mess. Given the content of this Wired interview, I would argue that ISS has its head up its ass.


Mike Lynn's Presentation in PDF format
Topic: Computer Security 12:24 am EDT, Jul 30, 2005

This is also mirrored on cryptome for now. They are sending out cease and desist letters it seems everywhere. I ran into several trying to find this.

Having been legally made to shut up myself this week about something, I guess this hit a nerve. I hate it when companies tell people that they have to shut up and sit down.

What the hell use is free speech if the corporations who have you at their mercy can MAKE you shut up?


Lynn Presentation Leaks onto the Net
Topic: Computer Security 11:18 pm EDT, Jul 29, 2005

Lynn presentation leaks onto the net, as it should.


Boing Boing: Security researcher quits job and blows whistle on Cisco's fatal flaws
Topic: Computer Security 11:09 pm EDT, Jul 29, 2005

I think he's a hero. If people don't realize that, it's because they are idiots.


Mike Lynn is a Whistleblower, he should be protected
Topic: Computer Security 10:57 pm EDT, Jul 29, 2005

The EFF should support Mike Lynn in his defense against ISS and Cisco. If security researchers are not protected as Whistleblowers when they uncover major flaws, our critical communication infrastructure will be at serious risk. These are the Good Guys.

Mike has taken on enormous personal risk to do the right thing. So far, the general impression in the blogs is that he is doing the right thing. The mainstream media coverage has been good as well. This is a departure from the past, and a good one at that. The headlines contain words like "Whistleblower" and "Coverup".

It is quite ironic that Cisco & ISS are taking the "Intellectual Property" tactic. Just to add some irony to it, here is a post of Mike Lynn here on MemeStreams proving CherryOS stole OSS code from the PearPC project:

just in case anyone didn't believe them already here goes the analysis (I do this sort of thing for a living) first off CherryOS.exe is what we call in the security industry "packed", that means that they have taken a compiled binary and run it through an obfuscator to make it hard to reverse engineer (or at least with hard if all you're doing is strings)...this is common for virus writers, worm writers, 31337 bot net kiddies, and on the legitimate side, game developers do this a lot...it's not very common among the commercial (or free) legitimate software market (mostly because it doesn't work and doesn't do any good) so, the easiest way to defeat the packing is simply to let it start up (this one has several annoying checks for debuggers so it's easiest to just attach after it's loaded)...

the eula for this thing says its a violation to reverse engineer it, but if you do disassemble it you find they never had the rights to license it in the first place, so I don't feel worried to put this here...

I think I have made it clear beyond a shadow of a doubt that CherryOS.exe, shipped as the core of cherryos is nothing but a recompiled version of PearPC...it has at most minor changes, most to strip attribution, hide the theft, or remove debugging output...

The only way we can fault Mike's research is with petty things like not consistently using upper case letters in his posts. The technical end of his work is flawless.

Both Cisco and ISS are attempting to spin Mike's research and make it look incomplete, but the truth of the matter is he demo'ed his technique in front of a room of people, and no one has found fault with it.

If this tactic continues, it will approach a very transparent form of character assassination. It will backfire on Cisco.

In the field of Security Research, Whistleblowing has always been a controversial issue. It is not a black and white thing. This article at CNET covers a number of the issues with disclosure of security problems that often come up. If you compare the ideas expressed in the article with what Mike actually did, you should come away thinking that Mike handled this ethically.


Wired News: Cisco Security Hole a Whopper
Topic: Computer Security 10:14 pm EDT, Jul 27, 2005

Wired just posted the best article so far. Here are some of the highlights:

Lynn likened IOS to Windows XP, for its ubiquity.

"But when there is a Windows XP bug, it's not really a big deal," Lynn said. "You can still ship (data through a network) because the routers will transmit (it). How do you ship (data) when the routers are dead?"

"Can anyone think why you would steal (the source code) if not to hack it?" Lynn asked the audience, noting that it took him six months to develop an attack to exploit the bug. "I'm probably about to be sued to oblivion. (But) the worst thing is to keep this stuff secret."

"There are people out there looking for it, there are people who have probably found it who could be using it against either national infrastructure or any enterprise," said Ali-Reza Anghaie, a senior security engineer with an aerospace firm, who was in the audience.

During his talk, Lynn demonstrated an attack in real time using his own router, but did not allow the audience to see the steps. The attack took less than a minute to execute.

"In large part I had to quit to give this presentation because ISS and Cisco would rather the world be at risk, I guess," Lynn said. "They had to do what's right for their shareholders; I understand that. But I figured I needed to do what's right for the country and for the national critical infrastructure."

lolol@ the name recognition. :) I've seen one of those dudes running around here on memestreams somewhere....now, where'd he go?


MD5 collision method published
Topic: Computer Security 2:10 am EST, Mar 15, 2005

] At last, the secret of how to make MD5 collisions is out!
