For Real Things I Know: 07/01/2005 - 08/01/2005

For Real Things I Know

Fine-art digital photography, liberal hard left-leaning politics, and personal mindspace of Solomon

Location: Ann Arbor, Michigan, United States

Saturday, July 30, 2005

Cisco Harasses Security Researcher

Because I believe in full disclosure as well, I'm posting this in its entirety in the hope that this sort of thing can't be hidden from people in this blogging age.

Schneier on Security: Cisco Harasses Security Researcher
Cisco Harasses Security Researcher

I've written about full disclosure, and how disclosing security vulnerabilities is our best mechanism for improving security -- especially in a free-market system. (That essay is also worth reading for a general discussion of the security trade-offs.) I've also written about how security companies treat vulnerabilities as public-relations problems first and technical problems second. This week at BlackHat, security researcher Michael Lynn and Cisco demonstrated both points.

Lynn was going to present security flaws in Cisco's IOS, and Cisco went to inordinate lengths to make sure that information never got into the hands of their consumers, the press, or the public.

Cisco threatened legal action to stop the conference's organizers from allowing a 24-year-old researcher for a rival tech firm to discuss how he says hackers could seize control of Cisco's Internet routers, which dominate the market. Cisco also instructed workers to tear 20 pages outlining the presentation from the conference program and ordered 2,000 CDs containing the presentation destroyed.

In the end, the researcher, Michael Lynn, went ahead with a presentation, describing flaws in Cisco's software that he said could allow hackers to take over corporate and government networks and the Internet, intercepting and misdirecting data communications. Mr. Lynn, wearing a white hat emblazoned with the word "Good," spoke after quitting his job at Internet Security Systems Inc. Wednesday. Mr. Lynn said he resigned because ISS executives had insisted he strike key portions of his presentation.

Not being able to censor the information, Cisco decided to act as if it were no big deal:

In a release shortly after the presentation, Cisco stated, "It is important to note that the information Lynn presented was not a disclosure of a new vulnerability or a flaw with Cisco IOS software. Lynn's research explores possible ways to expand exploitations of known security vulnerabilities impacting routers." And went on to state "Cisco believes that the information Lynn presented at the Blackhat conference today contained proprietary information and was illegally obtained." The statement also refers to the fact that Lynn stated in his presentation that he used a popular file decompressor to 'unzip' the Cisco image before reverse engineering it and finding the flaw, which is against Cisco's use agreement.

The Cisco propaganda machine is certainly working overtime this week.

The security implications of this are enormous. If companies have the power to censor information about their products they don't like, then we as consumers have less information with which to make intelligent buying decisions. If companies have the power to squelch vulnerability information about their products, then there's no incentive for them to improve security. (I've written about this in connection to physical keys and locks.) If free speech is subordinate to corporate demands, then we are all much less safe.

Full disclosure is good for society. But because it helps the bad guys as well as the good guys (see my essay on secrecy and security for more discussion of the balance), many of us have championed "responsible disclosure" guidelines that give vendors a head start in fixing vulnerabilities before they're announced.

The problem is that not all researchers follow these guidelines. And laws limiting free speech do more harm to society than good. (In any case, laws won't completely fix the problem; we can't get laws passed in every possible country security researchers live.) So the only reasonable course of action for a company is to work with researchers who alert them to vulnerabilities, but also assume that vulnerability information will sometimes be released without prior warning.

I can't imagine the discussions inside Cisco that led them to act like thugs. I can't figure out why they decided to attack Michael Lynn, BlackHat, and ISS rather than turn the situation into a public-relations success. I can't believe that they thought they could have censored the information by their actions, or even that it was a good idea.

Cisco's customers want information. They don't expect perfection, but they want to know the extent of problems and what Cisco is doing about them. They don't want to know that Cisco tries to stifle the truth:

Joseph Klein, senior security analyst at the aerospace electronic systems division for Honeywell Technology Solutions, said he helped arrange a meeting between government IT professionals and Lynn after the talk. Klein said he was furious that Cisco had been unwilling to disclose the buffer-overflow vulnerability in unpatched routers. "I can see a class-action lawsuit against Cisco coming out of this," Klein said.

ISS didn't come out of this looking very good, either:

"A few years ago it was rumored that ISS would hold back on certain things because (they're in the business of) providing solutions," [Ali-Reza] Anghaie, [a senior security engineer with an aerospace firm, who was in the audience,] said. "But now you've got full public confirmation that they'll submit to the will of a Cisco or Microsoft, and that's not fair to their customers.... If they're willing to back down and leave an employee ... out to hang, well what are they going to do for customers?"

Despite their thuggish behavior, this has been a public-relations disaster for Cisco. Now it doesn't matter what they say -- we won't believe them. We know that the public-relations department handles their security vulnerabilities, and not the engineering department. We know that they think squelching information and muzzling researchers is more important than informing the public. They could have shown that they put their customers first, but instead they demonstrated that short-sighted corporate interests are more important than being a responsible corporate citizen.

And these are the people building the hardware that runs much of our infrastructure? Somehow, I don't feel very secure right now.

EDITED TO ADD: I am impressed with Lynn's personal integrity in this matter:

When Mr. Lynn took the stage yesterday, he was introduced as speaking on a different topic, eliciting boos. But those turned to cheers when he asked, "Who wants to hear about Cisco?" As he got started, Mr. Lynn said, "What I just did means I'm about to get sued by Cisco and ISS. Not to put too fine a point on it, but bring it on."

And this:

Lynn closed his talk by directing the audience to his resume and asking if anyone could give him a job.

"In large part I had to quit to give this presentation because ISS and Cisco would rather the world be at risk, I guess," Lynn said. "They had to do what's right for their shareholders; I understand that. But I figured I needed to do what's right for the country and for the national critical infrastructure."

There's a lawsuit against him. I'll let you know if there's a legal defense fund.

EDITED TO ADD: The lawsuit has been settled. Some details:

Michael Lynn, a former ISS researcher, and the Black Hat organisers agreed to a permanent injunction barring them from further discussing the presentation Lynn gave on Wednesday. The presentation showed how attackers could take over Cisco routers, a problem that Lynn said could bring the Internet to its knees.

The injunction also requires Lynn to return any materials and disassembled code related to Cisco, according to a copy of the injunction, which was filed in US District Court for the District of Northern California. The injunction was agreed on by attorneys for Lynn, Black Hat, ISS and Cisco.

Lynn is also forbidden to make any further presentations at the Black Hat event, which ended on Thursday, or the following Defcon event. Additionally, Lynn and Black Hat have agreed never to disseminate a video made of Lynn's presentation and to deliver to Cisco any video recording made of Lynn.

My hope is that Cisco realized that continuing with this would be a public-relations disaster.

EDITED TO ADD: Lynn's BlackHat presentation is on line.

EDITED TO ADD: The FBI is getting involved.

EDITED TO ADD: The link to the presentation, above, has been replaced with a cease-and-desist letter. A copy of the presentation is now here.

Posted on July 29, 2005 at 04:35 AM

Ice lake found on the Red Planet

BBC NEWS | Science/Nature | Ice lake found on the Red Planet:
A giant patch of frozen water has been pictured nestled within an unnamed impact crater on Mars.

The photographs were taken by the High Resolution Stereo Camera on board Mars Express, the European Space Agency probe which is exploring the planet.

The ice disc is located on Vastitas Borealis, a broad plain that covers much of Mars' far northern latitudes.

Thursday, July 28, 2005

The Christian Paradox (Harpers.org)

The Christian Paradox (Harpers.org):
Only 40 percent of Americans can name more than four of the Ten Commandments, and a scant half can cite any of the four authors of the Gospels. Twelve percent believe Joan of Arc was Noah’s wife. This failure to recall the specifics of our Christian heritage may be further evidence of our nation’s educational decline, but it probably doesn’t matter all that much in spiritual or political terms. Here is a statistic that does matter: Three quarters of Americans believe the Bible teaches that “God helps those who help themselves.” That is, three out of four Americans believe that this uber-American idea, a notion at the core of our current individualist politics and culture, which was in fact uttered by Ben Franklin, actually appears in Holy Scripture. The thing is, not only is Franklin’s wisdom not biblical; it’s counter-biblical. Few ideas could be further from the gospel message, with its radical summons to love of neighbor. On this essential matter, most Americans—most American Christians—are simply wrong, as if 75 percent of American scientists believed that Newton proved gravity causes apples to fly up.
And therein is the paradox. America is simultaneously the most professedly Christian of the developed nations and the least Christian in its behavior. That paradox—more important, perhaps, than the much touted ability of French women to stay thin on a diet of chocolate and cheese—illuminates the hollow at the core of our boastful, careening culture.

Here's why you can't buy the News Journal at Wal-Mart

The Pensacola News Journal:
Some managers at Wal-Mart didn't appreciate a column Mark O'Brien wrote last month about the downside of the cheap prices that Sam Walton's empire has brought to America. We all pay a little less, and sometimes a lot less, at the grocery store and department store because of Mr. Walton, the founder of Wal-Mart.
...
Mr. Hart, however, said he and his stores couldn't tolerate a newspaper that would print the opinions of someone who was as mean and negative as Mark O'Brien. But, you know, Mark's not nearly as ornery as that left-wing rabble-rouser Molly Ivins, whose column the newspaper also publishes. At any rate, Mr. Hart said he wanted the newspaper to get its racks off his lots. But he also said that if I fired Mark, we could talk about continuing to sell the newspaper at his stores.

Wal-Mart is a company that wraps itself in red, white and blue.

I might understand it if Wal-Mart said I ought to fire Mark because what he said wasn't accurate. But that isn't the case. Mark accurately reported that there are 10,000 children of Wal-Mart employees in a health-care program that is costing Georgia taxpayers nearly $10 million a year.

Shouldn't we talk about that?

Tuesday, July 26, 2005

Wow! Origami dishware

My mouth hung open for several seconds marvelling at the beauty of this idea. Combining origami with functionality in a flat piece of polypropylene that folds into a shallow dish, a deep dish, a cutting board, a funnel, all sorts of things. What a camping item!

Flatworld Orikaso Dish from REI.com

Thursday, July 21, 2005

The 1984ness is creepy

The amazing doublespeak in this statement by Mayor Bloomberg astonishes me. Does he actually smell the crap he's shoveling, trying to elicit pride in our freedoms while sawing those freedoms to dust?

New York Starts to Inspect Bags on the Subways - New York Times: Mr. Bloomberg acknowledged that passengers might be inconvenienced. 'It's a complex world where, sadly, there are a lot of bad people,' he said. 'We know that our freedoms are threatening to certain individuals, and there's no reason for us to let our guard down.'

New York City Starts to Inspect Bags on the Subways

New York Starts to Inspect Bags on the Subways - New York Times:
The story even has accompanying pictures of the NEW random bag searching of everyone who uses the subway in New York City. What the FUCK! Nicole, this is what you're coming back to, I'm so sorry. Civil liberties have been mowed under by the constant sale of fear by the government and the media in this country. Woe be us.

Monday, July 18, 2005

People's Food Cooperative

This, a blog about how my local food co-op needs to be fixed, is what I've been up to and what I will be up to for a while. I wasn't comfortable being as public about this while I was an employee and working within the system to change things. Now, identifying myself only as a member-owner of the co-op and a member of the Ann Arbor community, I'm willing to try to make this a public discussion.

Hip Hip Hooray

I now work at Zingerman's, the most fantabulous specialty grocery store I've ever encountered, as well as the business I've seen that best marries its need for profit and good business with ethics and community building.

Sunday, July 17, 2005

Criticism: A query

Unless the folks over at FILM ROTATION mind, I'm just going to quote their entire entry here because I think it's such an interesting question in regard to film critics vs. book critics vs. music critics vs., say, a technology critic. How much of a deciding factor do critics of various fields have on the general consumer?

FILM ROTATION : V4 - A Blog for Film-Geeks!: Regardless of being universally panned by US critics - with UK critics seemingly following suit - as we're all aware Fantastic Four shot to the top of the US box office in its opening weekend with $56m making it the third biggest opening of the year after Revenge Of The Sith and War Of The Worlds.

Fox Studios executive Hutch Parker says, 'When you have a weekend like this, you've got to question, what is the relevance of reviewers to viewers at large?'

So this is a question I want to open up in the ol' ATB area... Really, how relevant are the critics these days? Ebert savaged both War of the Worlds and Wedding Crashers only for both to blossom fantastically. At the opposite end of the scale, the critics both in America [and at present internationally] raved about Cinderella Man, some calling it the movie of the year, only for it to flop quite severely.

Do reviews matter? With Fantastic Four as an example, does bad word of mouth even matter either? If it had just been FF then I'd have blamed the good box office on people turning out to see a car-wreck (but then they didn't do it with Gigli did they?), but this is steadily turning into a more and more regular occurrence... critics speak out, the paying public act the opposite.

What do you guys think? My personal example would be the rather forgettable Ladder 49 - aside from Ebert, I have not found a single positive review of this film but at the same time I've never spoken to anyone who didn't enjoy it. Are the critics sitting too way up on the old high horse? Have they lost touch with the general viewing public?