[ISN] Legal threats continue over Lynn presentation slides
isn at c4i.org
Wed Aug 3 06:06:24 EDT 2005
By Robert McMillan
IDG News Service &
02 August 2005
The leak of the controversial Cisco IOS security presentation is
continuing to draw legal threats on those hosting a pdf copy on their
Security research company Internet Security Systems (ISS), the company
at the centre of the saga, has sent a cease-and-desist letter to
Richard Forno, a security researcher who just hours earlier had posted
the presentation slides to his InfoWarrior.org site.
The letter from ISS' lawyers, believed to be but one of many, accused
Forno of publishing stolen proprietary information and threatened
legal action if he did not remove the ISS material.
Forno said in a letter on the site that he decided to pull the slides
but added angrily: "Had the two companies involved said nothing about
this briefing, it's quite likely that few if any people or news
outlets would've given it more than a passing thought. But as a result
of their heavy-handed tactics this week, both Cisco and ISS have ended
up publicising a serious vulnerability quite significantly and thusly
re-ignited the discussion over how the Internet security community
handles vulnerability disclosure and product updates."
A Cisco spokesman downplayed his company's involvement. "We're not
sending out those letters. ISS is doing that through their law firms,"
he said. ISS declined to comment for this story.
The legal threats are unlikely to have much of an impact however. The
material is already available on a string of other websites and the
ongoing controversy has drawn more and more people to the case. Two
versions of the presentation have since appeared, as well as
photographs of the actual presentation at the Red Hat conference in
Las Vegas. Anyone likely to understand the full import of the slides
will easily locate the presentation.
Cisco has since produced an advisory on the holes in its IOS software
- patched back in April, following wider awareness of the situation.
One of the other high-profile hosters of material surrounding the
case, Cryptome, was unable to say whether it had received similar
legal threats but its administrator, John Young, said it was Cryptome
policy to ignore any such threats. The site has since added a page
covering discussions of the Lynn presentations.
The controversy has ignited debate within the security community about
the limits of responsible disclosure and whether companies such as
Cisco are helping hackers or users through the public discussion of
security flaws. To most Black Hat attendees interviewed last week,
Cisco and ISS's actions clearly went too far.
One attendee said that companies such as Cisco should embrace this
type of disclosure. "I look at it this way: It's free research," said
Robert Gregory, an Information Assurance Engineer with Northrop
Grumman's TASC division. "You've got the entire IT community doing
research for you, and it's not costing you a dime."
More information about the ISN