Wednesday, August 03, 2005

Security Research Ethics

Jeff and I had an interesting conversation over lunch regarding a recent disclosure about a flaw in Cisco's IOS operating system by security researcher Michael Lynn (Wired Article). Cisco tried very hard to make sure the presentation never happened, and it's obvious to everyone, in retrospect, that the attempted cover-up did far more damage than the original disclosure. From the Wired article:

[Michael Lynn] said he conducted the reverse-engineering at the request of his company, which was concerned that Cisco wasn't being forthright about a recent fix it had made to its operating system.

Jeff's position (and Cisco's position) was that the original disclosure of the information by Lynn was unethical, and that he should have given the company more time to respond to the information and tell users to upgrade their firmware. My position was that if a firmware update already exists (it does) to cover the vulnerability, then disclosure is acceptable.

Further complicating the issue, Cisco's Press Release implies that Lynn revealed Cisco-proprietary code in his presentation:
... ISS and Cisco had prepared an alternative presentation designed to discuss Internet security, including the flaw which Lynn had identified, but without revealing Cisco code or pointers ...

I downloaded the presentation (available from cryptome.org, among other places) to see what information he actually revealed. He outlines the general procedure one would follow to create a remote-code exploit on IOS. He includes some code examples, but they are all listings of disassembled MIPS assembler code. One can argue about whether disassembled code is Cisco property, but it's clearly code he produced himself and not code that Cisco provided to Lynn. A few C function prototypes also appear in the presentation, but only the most wildly paranoid would call a function prototype a code disclosure.

Finally, Bruce Schneier came down firmly on the side of disclosure.

I tend to think that Lynn got a raw deal for basically doing his job, and when told to present an alternative (read: sanitized) presentation instead of the one he originally created, he opted for disclosure instead of job security. The real question in my mind is why Cisco went ballistic over it.
