Sunday, July 31, 2005

HACKERS RACE TO RIP CISCO

By Elaine Meinel Supkis

This was so predictable. The minute Cisco dumped on Mr. Lynn for lecturing about flaws in their router systems, the sharp ears and eyes of every hacker and computer maven were suddenly fixed on this very thing. As my previous article, Black Hat Spat, noted, the data and the lecture that Cisco and ISS tried to suppress ended up on the web. I saw all of it while researching a story that was somewhat off to one side, but I changed direction and focused on the Lynn "Holy Grail" lecture, the one that went ahead despite the attempts to stop it.

The website that posted the lecture, Infowarrior, put the data out where all could see it, and even I saw it all. When the lawyers' letters arrived, Forno, the well-known computer security expert who runs the site, posted the threatening letters, which I read and linked. Then, today, he got another threatening letter ordering him to remove the first threatening letter, or else.

So charming.

Of course, this only riled the computer world further. This is stepping directly on the toes of programmers who are already very unhappy about outsourcing and the collapse of their value and incomes. So the story continues to grow and evolve...not in Cisco's favor at all.

From Reuters:
Computer hackers worked through the weekend to expose a flaw that could allow an attacker to take control of the Cisco Systems routers that direct traffic across much of the Internet.

Angered and inspired by Cisco's attempts to suppress news of the flaw earlier in the week, several computer security experts at the Defcon computer-security conference worked past midnight Saturday to discover and map out the vulnerability.

"The reason we're doing this is because someone said you can't," said one hacker, who like the others spoke to Reuters on condition of anonymity.

Cisco's routers direct traffic across at least 60 percent of the Internet and the security hole has dominated a pair of conferences that draw thousands of security researchers, U.S. government employees and teenage troublemakers to Las Vegas each summer.

The hackers said they had no intention of hijacking e-commerce payments, reading private e-mail, or launching any of the other malicious attacks that could be possible by exploiting the flaw.

Rather, they said they wanted to illustrate the need for Cisco customers to update their software to defend against such possibilities. Many Cisco customers have postponed the difficult process because it could require them to unplug entirely from the Internet.
If this spontaneous demonstration fails to move Cisco in the right direction, it won't matter, because the nastier quarter of Hackerdom will rise up to exploit the weaknesses just for the sheer hell of it, so I do hope that Cisco and ISS are devoting all their energy, money and time to dealing with this.

And Lynn is in hot water, too. If hackers destroy the routers and bring down parts of the net, he will be held liable.

One of the people presenting material at today's Defcon convention had her own problems:
In her presentation, Alder gave guidelines on how to test network infrastructure security. She criticized Cisco for not publishing an advisory on the security vulnerability exploited by Lynn until Friday even though the network giant fixed it in April.

In its advisory, Cisco confirmed that older versions of its Internetwork Operating System are flawed in the way they process IPv6 packets. A specially crafted data packet could let a miscreant gain control over the router, but an attack is possible only from a local network segment and only on systems configured for IPv6, Cisco said.

Alder said that while Cisco says the flaw can be exploited only from the local network, it is indeed a remote vulnerability. Others in the audience agreed. "It is possible to escalate an attack and get close enough to the router to attack it," said Robert Hansen, a computer security graduate student at the University of Iowa.

Alder then blasted Cisco for going after Lynn.

"Cisco, you are really screwing up," she said, followed by a round of applause. "Suing researchers is not going to make you secure. Alienating the security community is not going to encourage people to come to you and report problems and work with you."

Even federal authorities at Defcon are talking about Lynn and responsible disclosure, if only because everybody is asking them. Jim Christy, director of the U.S. Department of Defense's cybercrime center, had no direct opinion on Lynn's actions. "You have to share information, but you have to share it through the correct channels," he said.

Alder was afraid that she too would be sued. "I am being paranoid because being paranoid pays," she said. Representatives from the Electronic Frontier Foundation sat in the front row during her talk. A burly guy followed her around the Alexis Park.
Seems there is a parade of people warning Cisco about excessive lawyer use. Microsoft became a behemoth mainly because of clever use of lawyers, since Bill Gates' dad is a top lawyer and knew all the tricks, but do note that the enthusiasm for working for Microsoft is falling rapidly.

Just this week in China, Microsoft is suing a Chinese top computer expert because he left for greener pastures at Google!

So even their outsourced work has to be kept on a very short leash. The Wild West culture of the computer community hasn't died. It is very much alive and not very happy about things. I remember when the whole subculture began and everyone wanted to be an innovator and inventor and to morph the systems to suit themselves and to be free to roam all over the place doing whatever one wanted.

Instead, fences are going up. Barriers are being erected. People are being punished for saying too much, for doing things out of the box. Here is an older article about this. From The Register, UK:
When Bill Gates last week urged businesses to have their lawyers read the GPL before using open source software, it turns out he was speaking from a position of knowledge. Knowledge of having lots of lawyers, anyway, because Microsoft's legal team have clearly given themselves the most awful fright by reading the blessed thing.

Evidence of their trauma was unearthed late last week by Linuxtoday, which found that the new licence agreement for the beta of Microsoft's Mobile Internet Toolkit has a whole section devoted to Open Source, which it describes as "Potentially Viral Software." Naturally you're not allowed to have this kind of stuff (there's a pretty comprehensive list of what this kind of stuff is) anywhere near stuff you're developing with pure, Microsoft tools - oh, no sir.
Linux has been a huge thorn under Bill's saddle.
It's a delicious thought, but it's a little unfair. Microsoft would not be required to open the source of code derived from BSD code, because that's not what the Ts & Cs say. Which is why BSD isn't on the death list.* We've also been contacted by a former Softway staffer who says he ported BSD programs to NT for Softway, but the same goes for that; not, however, for Softway's Interix.

Interix, now owned by Microsoft, includes a GPL'd copy of GCC, so Microsoft is obliged to make the source available, for free. Which it does - enough of you have told me you can download it to convince me, I don't know why I couldn't, but the hell with it, why would I want it anyway?

Microsoft is discharging its obligations, as it should do. But why is it ranting on at imaginary monsters, telling developers they can't do what they'd never dream of doing anyway, and rejecting responsibility for a bunch of stuff that nobody would ever dream of holding it responsible for? Maybe the monsters aren't so imaginary, and a lot closer to home than you might think.
Microsoft and Cisco and all the computer corporate giants desperately need and want to tell computer programmers what to do. Exerting control over this beast is their prime directive. They also want to make money, heaps of money, money as fast as possible, money that passes as little as possible through the hands of the computer programmers and others involved in actually designing these systems.

Money in, and money staying where they want it: with themselves. They hire, at great expense, a stable of lawyers to ensure that they get their money and keep their money, and this includes an army of lobbyists in our government servicing their desire for more money.

That story is from nearly five years ago. So what is going on today? From Network World:
"Discovery is different in the open source and closed source approach," Jollans says. "Because source code is visible to lots of people, if there is a security issue, it tends to be spotted earlier. The open source community isn't shy about criticizing bad code." He added that a version of Linux, SuSE Enterprise Server 9, in March became the first to earn the government-approved International Common Criteria certification for security level 4, comparable to what Microsoft achieved with Windows Server 2000 in security test reviews three years ago.
Tim Clarke, IT director at Manifest, a maker of electronic voting and research tools for investment firms in England, feels much the same way about open source security. He says open source developers are "more agile and feel more exposed on a personal level to criticism at whatever level that might be aimed at their products."

Buying into the philosophy

Thus, open source developers are "more able to respond quickly and to use new and more secure techniques. Because they perform for peers' kudos, this, too, behooves them to perform well," Clarke says.

"Open source development is centered around operating systems designed many years ago with security and Internet connectivity as a base requirement," he adds.

Open source is foremost an "ethos" that "is precisely the best social environment for the best development of anything," Clarke maintains. "By contrast, the principal culprit of poor security, Microsoft, has several major issues with producing secure code."
To put this in a nutshell: Linux and other open-code people always have to be on their toes to fix coding problems, because they want their code to work. And they are a real community, a very strong community, I might add. One that is rather riled today, Cisco. Anyway, the reason Gates doesn't move as fast to fix anything is simple.

He wants his lawyers to fix it for him. Fuck the people doing the actual computer programming work.

This fight isn't over. It has just begun.
