Re: Cisco IOS Exploit Cover Up

[Jared Mauch <jared () puck nether net>]

On Thu, Jul 28, 2005 at 01:36:01PM -0400, James Baldwin wrote:
> On Jul 28, 2005, at 10:14 AM, Scott Morris wrote:
> > While I do think it's obnoxious to try to
> > censor someone, on the other hand if they have proprietary internal
> > information somehow that they aren't supposed to have to begin  
> > with, I don't
> > think it is in security's best interested to commit a crime in  
> > order to get
> > tighter security.
>
> Lynn developed this information based on publicly available IOS  
> images. There were no illegal acts committed in gaining this  
> information nor was any proprietary information provided for its  
> development. Reverse engineering, specifically for security testing  
> has an exemption from the DMCA (http://cyber.law.harvard.edu/openlaw/ 
> DVD/1201.html).
>
> That being said, what information is he not supposed to have? All the  
> information he had is available to anyone with a disassembler, an IOS  
> image, and an understanding of PPC assembly.
>
> If anything, the only "crime" he may or may not have committed is  
> violation of an NDA with ISS, which should a contractual, civil issue  
> not a criminal one.

        I think that's why it was a restraining order and not
damanges in the amounts of billions, but IANAL.

        Same way people were asked to not disclose who the half-blooded
prince was.  I'm not saying it's right, but that's up for the
judge(s) involved to decide.

        As far as Cisco goes, I know it takes them some time to fix
bugs, but generally speaking they need to "fix them faster".  But this
can be said for most vendors.

        - jared

-- 
Jared Mauch  | pgp key available via finger from jared () puck nether net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.