Opinion: Thanks, Mike Lynn -- Thanks for Nothing

Mike Lynn is being hailed in some quarters as a hero, but I don't buy it. I'm sure his heart was in the right place when he discussed a serious vulnerability in Cisco routers at the recent Black Hat USA conference, and his courage in quitting his job, rather than be censored by Cisco and his own employer, is admirable.

But that still doesn't make what he did right. My main concern is that now, hackers are working overtime to figure out how to break into these routers and wreak their havoc. Here's what Brian Krebs, the Washington Post's excellent computer security reporter, said in a blog from the conference:

"One DefCon attendee who asked not to be named told me today that an international consortium of hackers is now working around the clock to write software code that could be used to exploit the flaw Lynn uncovered."

These hackers did not have this target before; if Lynn hadn't presented his findings, many, or most of them would likely not even know about it. (All indications are that it will be an exceptionally difficult flaw to exploit, and took Lynn years of research to find. On the other hand, a large group of hackers working in concert could substantially reduce that time). But now that Lynn's blown the lid off of it, every hacker from Boise to Shanghai knows about it. That's simply not smart.

There's a scene in Steven Spielberg's movie "Saving Private Ryan" where a soldier warns a new member of his team not to salute the team's captain. "Every time you salute him, you make him a target, so don't do it; especially when he's next to me" says the soldier. What Lynn's done here is salute the captain, letting everyone know where to train their guns.

It's a shame that all parties involved have reached a legal settlement to not discuss the case, apparently forever. I'd like to hear what Cisco has to say (its response to the situation has been called thuggish by security guru Bruce Schneier, among others), and Lynn's rationale as well. I'm also not against announcing vulnerabilities; I strongly favor it, when researchers and vendors work together. Maybe Lynn tried to work with Cisco, and the company ignored him; unfortunately, it looks like we won't know. Krebs, in the blog, quoted an ISS spokesman as saying that the companies are working together to develop a solution to the problem, and a Cisco press release implied that Lynn didn't follow industry-standard processes for releasing information on vulnerabilities.

However it happened, the end result is this: the bad guys have now turned their attention to the backbone of the Internet. Let's hope it's made of strong stuff.

Keith Ward is editor of the Security Watch newsletter and managing editor of Redmond magazine.

About the Author

Keith Ward is the editor in chief of Virtualization & Cloud Review. Follow him on Twitter @VirtReviewKeith.


  • The 2020 Microsoft Product Roadmap

    From the next major update to Windows 10 to the next generations of .NET and PowerShell, here's what's on tap from Microsoft this year.

  • 2020 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss. (Now updated with COVID-19-related event changes.)

  • Microsoft Closing Most of Its Retail Stores

    Microsoft on Friday announced a major shift in its retail operations, with plans to close most of its physical Microsoft Store outlets in favor of online sales.

  • Matrix

    Microsoft, Harvard Describe Joint Privacy Initiative

    To facilitate data sharing while still preserving data privacy, Microsoft and Harvard have embarked on a set of open source tool called the "OpenDP Initiative."

RCP Update

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.