Tuesday, August 02, 2005

Forbidden Knowledge

Last year, the software that runs Cisco Systems’ core routers (laymen can read: ‘the software that makes the Internet work’) was stolen and published on the web. (See here.)

Last month a security researcher was scheduled by his company (ISS) to give a talk at a major Internet security conference about some of the flaws since discovered in that (publicly available) software. At the last moment the company had a change of heart and cancelled the presentation. The researcher felt the flaw was so serious that he resigned his job and gave the presentation anyway, resulting in an injunction being taken out against him to stop him talking about the flaw again. (See here.)

I understand that there are all kinds of legal issues about intellectual property rights and licensing restrictions but I wonder if anyone at Cisco thought about the big picture before calling the lawyers.

First of all, the flaw that the researcher was talking about has already been fixed. Secondly, he didn’t give away any source code or details of how to exploit the flaw. Thirdly, a version of the flawed software is already out there for anyone to examine, so any good hacker or terrorist with a desire to do the Internet harm could do the research on their own.

The only things Cisco has achieved with its lawsuit are to give the flaw some serious publicity and to piss off the people they rely on to point these problems out to them. The security/hacking community are busy doing their own research to find out what Cisco is so paranoid about. You can bet that the criminal/hacking community aren’t sitting on their hands either!

I suppose maybe the publicity will kick-start SysAdmins into applying the fix sooner rather than later, but surely there was a better way of doing that…

EDIT: You can also get an alternative view here. Maybe I am just an 11-year-old who wants cookies!
