Bruce Schneier has an almost blow-by-blow account of the Cisco IOS security issue that has surfaced of late.
The researcher, Michael Lynn, was going to present his findings on the vulnerability at the BlackHat conference last week; however, Cisco and even his own employer, ISS, went to great lengths to prevent him from doing so.
In the end, after resigning from ISS, Lynn went ahead and presented his research in the name of full disclosure. The presentation is currently available from his website and is linked from Schneier's post above.
In my opinion, full disclosure is really important for secure systems. In the past, some people have claimed that full disclosure actually harms security, because the general public is given access to information that could be used maliciously.
Personally, I find this view invalid, as it assumes that those who would use the information maliciously don't already have access to it. In the pedantic world of security, we're better off assuming the "bad" guys already know.
Also, as we've seen in the past, vendors often move more quickly to fix things when vulnerabilities are made public, rather than treating them as a marketing issue. That reminds me of the scene in Fight Club where Edward Norton's character explains to a fellow passenger on a plane what his job entails: investigating accidents in the auto industry that could potentially have been caused by a manufacturing fault. :)
Posted by crafterm at July 31, 2005 10:00 PM