[82725] in North American Network Operators' Group


Re: Cisco IOS Exploit Cover Up

daemon@ATHENA.MIT.EDU (Jared Mauch)
Thu Jul 28 13:50:32 2005

Date: Thu, 28 Jul 2005 13:48:57 -0400
From: Jared Mauch <jared@puck.nether.net>
To: James Baldwin <jbaldwin@antinode.net>
Cc: swm@emanon.com, nanog@merit.edu
In-Reply-To: <6F73D804-17FC-492A-AE93-C9867B2CA679@antinode.net>
Errors-To: owner-nanog@merit.edu


On Thu, Jul 28, 2005 at 01:36:01PM -0400, James Baldwin wrote:
> On Jul 28, 2005, at 10:14 AM, Scott Morris wrote:
> >While I do think it's obnoxious to try to censor someone, on the other
> >hand if they have proprietary internal information somehow that they
> >aren't supposed to have to begin with, I don't think it is in
> >security's best interest to commit a crime in order to get tighter
> >security.
> >
> 
> Lynn developed this information based on publicly available IOS  
> images. There were no illegal acts committed in gaining this  
> information nor was any proprietary information provided for its  
> development. Reverse engineering, specifically for security testing
> has an exemption from the DMCA
> (http://cyber.law.harvard.edu/openlaw/DVD/1201.html).
> 
> That being said, what information is he not supposed to have? All the  
> information he had is available to anyone with a disassembler, an IOS  
> image, and an understanding of PPC assembly.
> 
> If anything, the only "crime" he may or may not have committed is  
> violation of an NDA with ISS, which should be a contractual, civil issue
> not a criminal one.

	I think that's why it was a restraining order and not
damages in the amounts of billions, but IANAL.

	Same way people were asked to not disclose who the half-blooded
prince was.  I'm not saying it's right, but that's up for the
judge(s) involved to decide.

	As far as Cisco goes, I know it takes them some time to fix
bugs, but generally speaking they need to "fix them faster".  But this
can be said for most vendors.

	- jared

-- 
Jared Mauch  | pgp key available via finger from jared@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
