Cisco IOS Exploit Cover Up

Jared Mauch jared at puck.nether.net
Thu Jul 28 17:48:57 UTC 2005


On Thu, Jul 28, 2005 at 01:36:01PM -0400, James Baldwin wrote:
> On Jul 28, 2005, at 10:14 AM, Scott Morris wrote:
> >While I do think it's obnoxious to try to
> >censor someone, on the other hand if they have proprietary internal
> >information somehow that they aren't supposed to have to begin with,
> >I don't think it is in security's best interest to commit a crime in
> >order to get tighter security.
> >
> 
> Lynn developed this information based on publicly available IOS
> images. There were no illegal acts committed in gaining this
> information nor was any proprietary information provided for its
> development. Reverse engineering, specifically for security testing,
> has an exemption from the DMCA
> (http://cyber.law.harvard.edu/openlaw/DVD/1201.html).
> 
> That being said, what information is he not supposed to have? All the  
> information he had is available to anyone with a disassembler, an IOS  
> image, and an understanding of PPC assembly.
> 
> If anything, the only "crime" he may or may not have committed is
> violation of an NDA with ISS, which should be a contractual, civil issue
> not a criminal one.

	I think that's why it was a restraining order and not
damages in the amounts of billions, but IANAL.

	Same way people were asked to not disclose who the half-blooded
prince was.  I'm not saying it's right, but that's up for the
judge(s) involved to decide.

	As far as Cisco goes, I know it takes them some time to fix
bugs, but generally speaking they need to "fix them faster".  But this
can be said for most vendors.

	- jared

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.


