I'm sure that most regular readers are very familiar with the prevailing opinion of Forbes' reporter Dan Lyons in the Domino community. Today I stumbled on a doozy of a blog thread over on the Business Week site, courtesy of their reporter Steve Hamm.
The post is about the widely reported disclosure of the fact that a previously known Cisco IOS bug has potentially far more serious consequences than Cisco had previously admitted. The best source of independent info about this, IMHO, is in the blog threads over at Bruce Schneier's site.
Ethical disclosure is a tough problem. Mr. Hamm clearly sides with Cisco, who brought in their attorneys in an attempt to stop researcher Michael Lynn from doing his presentation at Black Hat. Lynn did the presentation anyhow, but Hamm thinks that Cisco did right.
Some in the blogosphere have hammered Cisco for suing. They call the company heavy-handed. I think not. By the time Cisco sued, it was probably too late to put the genie back into the bottle. But now, at least, anybody who plans this sort of caper in the future might think better of it.
Hamm is hammered in his blog comments, not just for siding with Cisco, but for getting numerous facts wrong. He replied with this gem:
Yikes! I reread a bunch of the news stories about this incident, and the blogs. Seems to me there are precious few "facts" that have been firmly established. I'm trying to get Cisco to help clarify things. If you know how I can get in touch with Michael Lynn to get his side of the story, tell me.
I just couldn't hold back on this. I had to put in a comment.
You're trying to get Cisco to help clarify things? Cisco!?? Talk about a "Yikes!"
They're the ones trying to keep things from being clarified! Why else would they force Lynn to stop speaking about it publicly!? Come on... use some common sense here. Get some independent experts in the field of computer security, with no connection to Cisco, ISS, or Mr. Lynn, to clarify things. Preferably, get someone who was there to give you an accurate report on the facts.
The computer industry has no agreed-upon standards for disclosure of security risks. All that we can rely on is the integrity of corporations and individuals in weighing the consequences of their actions. Unfortunately, the proprietary interests of even the most reputable corporations are guarded closely (and misguidedly in some cases) by their attorneys, so the integrity of individuals is of primary importance. Now, the fact that Cisco brought in the lawyers in this case shouldn't be considered damning, but it does have to be considered significant -- at least in terms of what you are going to get from them when you go to them for "clarification". All you will get from them is their attorney-approved statements intended to protect their own best interests.
In considering disclosure issues, reputable professionals will consider the likelihood that the "bad guys" already know as much or more than the "good guys", and whether or not innocent users can be provided with ways to cope with the vulnerabilities once they are exposed. Furthermore, they will provide only as much information as is necessary to convince the innocent users to implement the patches that are available as soon as possible. Lacking any accepted standard, it must be the majority opinion of the computer security community that serves as judge of whether Mr. Lynn balanced the issues and the consequences of his actions properly.
What you will find if you talk to some independent experts who were there, I believe, is that while a few who attended the conference believe that Mr. Lynn may have "crossed the line", the vast majority believe he very deliberately and expertly did not cross the line, and that he proved beyond a shadow of a doubt that the previously known vulnerability in Cisco's product is worse than anyone -- especially Cisco -- had publicly acknowledged.
I then went in and added another comment:
I should have added: Lynn isn't likely to talk with you. He's been forced to settle with Cisco and ISS, and I doubt that he'll be able to present his side without serious risk of running afoul of his agreement not to talk about the vulnerability. At least not without an attorney present.
Neither of my comments has appeared in the thread yet. Perhaps they're just delayed. But if not, at least they're here.
1. Michelle, 08/05/2005 12:55:56 AM
Tech companies like Cisco need to have a policy in place for public disclosure or non-disclosure of product flaws and have employees agree to adhere to this policy as a condition of employment. On the flip side, tech companies like Cisco need to adhere to a public integrity commitment where they commit to disclose any information that puts their customers or the general public at risk. Does Sarbanes-Oxley cover this?