What a miserable week for software security! First, on Wednesday, a smartass researcher outed a problem in Cisco router software at the Black Hat security confab in Las Vegas--potentially exposing the Internet to massive attacks and outages. Then, on Friday, just five days after Microsoft launched its new anti-counterfeiting software, hackers publicized a way to bypass the stuff. They call software security a cat and mouse game. This week, the mice won.
The Black Hat conference blow-up is really disturbing. According to published reports, what happened was Michael Lynn, who started off the week as a security researcher at Internet Security Systems, defied ISS and Cisco by putting on a presentation at the conference that exposed a flaw in older versions of Cisco's Internet Operating System. He apparently quit. Cisco sued him and the conference organizers. The matter was settled out of court Thursday when Lynn agreed never to repeat the information he imparted in his Black Hat presentation and handed over any Cisco software code he had.
Hey, it's good to expose flaws in software so they can be fixed. But, typically you tell the software maker about them first, and give them plenty of time to fix them, so their products can be patched before much harm is done. Then it's okay for you to publicize the flaw to show how smart you are and get good press for the security firm you work for. I don't know all the details behind the story, so I may be all wet. But, based on what has been published so far, I'd say Lynn crossed way over the line.
Some in the blogosphere have hammered Cisco for suing. They call the company heavy-handed. I think not. By the time Cisco sued, it was probably too late to put the genie back into the bottle. But now, at least, anybody who plans this sort of caper in the future might think better of it.
Re Microsoft's latest glitch. All I can say is, with $1 billion or so in profits flowing in per month, you'd think Microsoft would be able to get its software right more often, and avoid looking foolish.