News

Opinion: Thanks, Mike Lynn -- Thanks for Nothing

Mike Lynn is being hailed in some quarters as a hero, but I don't buy it. I'm sure his heart was in the right place when he discussed a serious vulnerability in Cisco routers at the recent Black Hat USA conference, and his courage in quitting his job, rather than be censored by Cisco and his own employer, is admirable.

But that still doesn't make what he did right. My main concern is that now, hackers are working overtime to figure out how to break into these routers and wreak their havoc. Here's what Brian Krebs, the Washington Post's excellent computer security reporter, said in a blog from the conference:

"One DefCon attendee who asked not to be named told me today that an international consortium of hackers is now working around the clock to write software code that could be used to exploit the flaw Lynn uncovered."

These hackers did not have this target before; if Lynn hadn't presented his findings, many, or most of them would likely not even know about it. (All indications are that it will be an exceptionally difficult flaw to exploit, and took Lynn years of research to find. On the other hand, a large group of hackers working in concert could substantially reduce that time). But now that Lynn's blown the lid off of it, every hacker from Boise to Shanghai knows about it. That's simply not smart.

There's a scene in Steven Spielberg's movie "Saving Private Ryan" where a soldier warns a new member of his team not to salute the team's captain. "Every time you salute him, you make him a target, so don't do it; especially when he's next to me" says the soldier. What Lynn's done here is salute the captain, letting everyone know where to train their guns.

It's a shame that all parties involved have reached a legal settlement to not discuss the case, apparently forever. I'd like to hear what Cisco has to say (its response to the situation has been called thuggish by security guru Bruce Schneier, among others), and Lynn's rationale as well. I'm also not against announcing vulnerabilities; I strongly favor it, when researchers and vendors work together. Maybe Lynn tried to work with Cisco, and the company ignored him; unfortunately, it looks like we won't know. Krebs, in the blog, quoted an ISS spokesman as saying that the companies are working together to develop a solution to the problem, and a Cisco press release implied that Lynn didn't follow industry-standard processes for releasing information on vulnerabilities.

However it happened, the end result is this: the bad guys have now turned their attention to the backbone of the Internet. Let's hope it's made of strong stuff.

Keith Ward is editor of the Security Watch newsletter and managing editor of Redmond magazine.

About the Author

Keith Ward is the editor in chief of Virtualization & Cloud Review. Follow him on Twitter @VirtReviewKeith.