28 Jul 05. DAVID BANK, Staff Reporter of THE WALL STREET JOURNAL, reported that the annual Black Hat computer-security conference has become a forum for experts to disclose vulnerabilities in tech products, often rankling the products’ makers. But few companies go to the lengths that Cisco Systems Inc. did this week to suppress information about a flaw in its software that directs Internet traffic.
Cisco threatened legal action to stop the conference’s organizers from allowing a 24-year-old researcher for a rival tech firm to discuss how he says hackers could seize control of Cisco’s Internet routers, which dominate the market. Cisco also instructed workers to tear 20 pages outlining the presentation from the conference program and ordered 2,000 CDs containing the presentation destroyed.
In the end, the researcher, Michael Lynn, went ahead with a presentation, describing flaws in Cisco’s software that he said could allow hackers to take over corporate and government networks and the Internet, intercepting and misdirecting data communications. Mr. Lynn, wearing a white hat emblazoned with the word “Good,” spoke after quitting his job at Internet Security Systems Inc. Wednesday. Mr. Lynn said he resigned because ISS executives had insisted he strike key portions of his presentation.
Cisco said the presentation didn’t identify any flaws not previously disclosed, but did explore new methods for exploiting flaws in the software that runs its routers. The company said it isn’t sure whether the flaws could allow a hacker to take control of a router, which is a specialized computer.
The company said it acted to protect its customers and the Internet from what it called “premature” disclosure of a potential security flaw. Cisco said it had been working to document the extent of the vulnerability and to develop remedies. “It is especially regretful, and indefensible, that the Black Hat Conference organizers have given Mr. Lynn a platform to publicly disseminate the information he illegally obtained,” Cisco added.
Cisco maintains Mr. Lynn found the flaw by reverse-engineering its product, which the San Jose, Calif., company said violates the law. Yesterday afternoon, Cisco and ISS together sought a federal court order barring Mr. Lynn and Black Hat from any further dissemination of what the companies said was their proprietary information.
The incident marks a new chapter in the argument over appropriate disclosure of security risks. Technology companies generally seek to control information about vulnerabilities in their products, for both security and marketing reasons. But many security researchers say disclosure spurs both vendors and customers to take security more seriously.
“The vulnerabilities are out there on the Net in full broadcast mode,” said Gilman Louie, a tech-industry veteran who heads In-Q-Tel, a venture-capital firm backed by the Central Intelligence Agency. “The bad guys get to it faster than everybody else. I’d rather have disclosure and let everybody respond.”
Mr. Lynn said he wanted to prod Cisco customers to install the latest version of the company’s software, which remedies nearly all of the bugs that Mr. Lynn identified. Cisco acknowledged that many customers haven’t installed the software fix, but said it didn’t know the precise number.
“It’s not a secret anymore that I can take control of Cisco routers,” said Mr. Lynn, who claims to have written his first software at age 4. “What they’re trying to get rid of is the proof.”
The eight-year-old Black Hat conference attracts both tech vendors and security researchers who specialize in finding flaws in computer products. Jeff Moss, president of Black Hat, said he reluctantly agreed to alter the conference materials. “With Cisco’s attorneys breathing down my neck, it was a no-brainer,” he said.
The high drama reflected the high stakes. Cisco regularly discloses bugs, or software flaws, that can allow hackers to force its routers to