Cisco IOS Exploit Cover Up

Leo Bicknell bicknell at ufp.org
Thu Jul 28 13:03:56 UTC 2005


In a message written on Thu, Jul 28, 2005 at 08:29:22AM +0100, Neil J. McRae wrote:
> I couldn't disagree more. Cisco are trying to control the
> situation as best they can so that they can deploy the needed
> fixes before the $scriptkiddies start having their fun. It's
> no different to how any other vendor handles an exploit and
> I'm surprised to see network operators having such an attitude.

This is not a Cisco specific comment, but it is a network operator
comment.

You change your mind when you get hit by a network wide bug taking
out all your customers, and then spend six months beating up the
gear in your own lab to reproduce the problem, and when you do the
vendor finally admits "well, we've known about the bug for 4 years,
but we were pretty sure it couldn't happen in your network so we
didn't tell you."

I'm sure the vendors find bugs, quietly fix them, the code is
naturally upgraded and nothing ever happens.  Which is a good thing.
The problem is, most of the major operators have been hit by a bug
where the vendor knew, did nothing, or at least not enough, the
operator was hit and then the vendor continued to not want to admit
the problem because of course now they look even worse for sitting
on it.

For better or for worse, right now the only check and balance to
the vendors is conferences like the Black Hat forum.  For Cisco to
send an army of razor blade toting employees to such a conference
is chilling.  I can see them working with the parties beforehand,
but to make that kind of show in public?  What is the motivation?
If this bug is, as Cisco puts it, "not serious" then they just spent
a lot of money on people to go do all of that for nothing.  Doesn't
seem likely.  So what everyone's spidey sense is now telling them
is Cisco wouldn't spend thousands of dollars on legal injunctions
and armies of razor blade toters for nothing, so there must be
something to this paper.  Which makes their denial all the more
hollow.

This isn't an endorsement of the pro-disclosure crowd.  Telling
these things to the world at large in a forum like this gives the
script kiddies a leg up, as they are almost always faster than the
vendors.  These things should happen at a more measured pace, inside
normal support channels.  That said, no one likes a coverup.  Once
it's public in any form, don't try to sweep it under the rug. Doesn't
work in politics, doesn't work for vendors.  Sometimes you can get
away with it once or twice, but in the end it costs credibility,
which is something that is extremely hard and costly to earn back.

If Cisco wanted to make me feel better right now they could contact
my company via normal support channels and have a frank and open
discussion about what this paper/presentation means, and what action,
if any, they are taking as a result.  Somehow, for what the boxes and
support cost, that doesn't seem like too much to ask.  The presentation
is out there, we will get it and read it, don't pretend like we
won't.

-- 
       Leo Bicknell - bicknell at ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - tmbg-list-request at tmbg.org, www.tmbg.org