News

Opinion: Thanks, Mike Lynn -- Thanks for Nothing

Mike Lynn is being hailed in some quarters as a hero, but I don't buy it. I'm sure his heart was in the right place when he discussed a serious vulnerability in Cisco routers at the recent Black Hat USA conference, and his courage in quitting his job, rather than be censored by Cisco and his own employer, is admirable.

But that still doesn't make what he did right. My main concern is that now, hackers are working overtime to figure out how to break into these routers and wreak their havoc. Here's what Brian Krebs, the Washington Post's excellent computer security reporter, said in a blog from the conference:

"One DefCon attendee who asked not to be named told me today that an international consortium of hackers is now working around the clock to write software code that could be used to exploit the flaw Lynn uncovered."

These hackers did not have this target before; if Lynn hadn't presented his findings, many, or most of them would likely not even know about it. (All indications are that it will be an exceptionally difficult flaw to exploit, and took Lynn years of research to find. On the other hand, a large group of hackers working in concert could substantially reduce that time). But now that Lynn's blown the lid off of it, every hacker from Boise to Shanghai knows about it. That's simply not smart.

There's a scene in Steven Spielberg's movie "Saving Private Ryan" where a soldier warns a new member of his team not to salute the team's captain. "Every time you salute him, you make him a target, so don't do it; especially when he's next to me" says the soldier. What Lynn's done here is salute the captain, letting everyone know where to train their guns.

It's a shame that all parties involved have reached a legal settlement to not discuss the case, apparently forever. I'd like to hear what Cisco has to say (its response to the situation has been called thuggish by security guru Bruce Schneier, among others), and Lynn's rationale as well. I'm also not against announcing vulnerabilities; I strongly favor it, when researchers and vendors work together. Maybe Lynn tried to work with Cisco, and the company ignored him; unfortunately, it looks like we won't know. Krebs, in the blog, quoted an ISS spokesman as saying that the companies are working together to develop a solution to the problem, and a Cisco press release implied that Lynn didn't follow industry-standard processes for releasing information on vulnerabilities.

However it happened, the end result is this: the bad guys have now turned their attention to the backbone of the Internet. Let's hope it's made of strong stuff.

Keith Ward is editor of the Security Watch newsletter and managing editor of Redmond magazine.

About the Author

Keith Ward is the editor in chief of Virtualization & Cloud Review. Follow him on Twitter @VirtReviewKeith.

Featured

  • The 2021 Microsoft Product Roadmap

    From Windows 10X to the next generation of Microsoft's application server products, here are the product milestones coming down the pipeline in 2021.

  • After High-Profile Attacks, Biden Calls for Better Software Security

    Recent high-profile security attacks have prompted the Biden administration to issue an executive order aiming to tighten software security practices across the board.

  • With Hybrid Networks on Rise, Microsoft Touts Zero Trust Security

    Hybrid networks, which combine use of cloud services with on-premises software, require a "zero trust" security approach, Microsoft said this week.

  • Feds Advise Orgs on How To Block Ransomware Amid Colonial Pipeline Attack

    A recent ransomware attack on a U.S. fuel pipeline company has put a spotlight on how "critical infrastructure" organizations can prevent similar attacks.