Hackers rally behind Cisco flaw finder

Lynn stirred the Black Hat security conference here Wednesday by quitting his job at ISS, a move taken so that he could demonstrate that he could gain control of a Cisco router by exploiting a security flaw. He did so in defiance of Cisco and ISS, which had agreed to cancel the talk. Cisco and ISS subsequently sued Lynn and the Black Hat organizers, charging public disclosure of illegally obtained proprietary information.

While corporate America may frown at Lynn's actions, he is a hero at Defcon, the more informal gathering of security professionals and enthusiasts that follows Black Hat. T-shirts with anti-Cisco prints have been selling well, and hackers have set up a PayPal account to collect money for a legal defense fund. Jennifer Granick, Lynn's lawyer, is being hailed as his savior.

On Saturday, network security specialist Raven Alder gave a presentation on the vulnerability of the Net's infrastructure. She did not repeat Lynn's demonstration, but Alder said Lynn's disclosure was important to the security of the Net. The room was packed and roiled about what some people at Defcon call "Cisco-gate."

"For the first time it looks like you can really remotely own a Cisco box," Alder said. "This is a scary thing if you are a network operator. This is a real threat."

Lynn had said that exploitation of the flaw could bring the Internet to its knees. He also warned that criminal hackers may already be working to exploit it.

In her presentation, Alder gave guidelines on how to test network infrastructure security. She criticized Cisco for not publishing an advisory on the security vulnerability exploited by Lynn until Friday, even though the network giant fixed it in April.

In its advisory, Cisco confirmed that older versions of its Internetwork Operating System are flawed in the way they process IPv6 packets. A specially crafted data packet could let a miscreant gain control over the router, but an attack is possible only from a local network segment and only on systems configured for IPv6, Cisco said.

Alder disputed Cisco's argument that the flaw can be exploited only from the local network, saying it is indeed a remote vulnerability. Others in the audience agreed. "It is possible to escalate an attack and get close enough to the router to attack it," said Robert Hansen a computer security graduate student at the University of Iowa.

Alder then blasted Cisco for going after Lynn.

"Cisco, you are really screwing up," she said, followed by a round of applause. "Suing researchers is not going to make you secure. Alienating the security community is not going to encourage people to come to you and report problems and work with you."

Even federal authorities at Defcon are talking about Lynn and responsible disclosure, if only because everybody is asking them. Jim Christy, director of the U.S. Department of Defense's cybercrime center, had no direct opinion on Lynn's actions. "You have to share information, but you have to share it through the correct channels," he said

Alder was afraid that she too would be sued. "I am being paranoid because being paranoid pays," she said. Representatives from the Electronic Frontier Foundation sat in the front row during her talk. A burly man followed her around the Alexis Park resort for protection--her own "goon," she said. Goons are the security guards at Defcon.

Lynn settled his differences with Cisco and ISS on Thursday in a deal under which he agreed never to repeat the information he gave at Black Hat. He also has to hand over any Cisco source code in his possession.

Lynn has yet to be spotted at Defcon.