Cisco/ISS gag security whistleblower

Cisco tries to get its secrets locked up again

A California judge has granted a request by Cisco Systems and Internet Security Systems (ISS) to issue a temporary restraining order against security expert Michael Lynn.

The judge's ruling was made on Thursday, and Lynn has since settled the dispute. All parties have made the injunction permanent.

Lynn gave a presentation on Wednesday at the Black Hat security conference in Las Vegas where he showed how to use a known exploit in Cisco's Internet Operating System (IOS) to bring down a router. He alleged that the flaw could cripple the entire internet.

The security hole that Lynn used has already been patched, but not all live systems are believed to have been updated.

The security expert was originally scheduled to give the presentation as an ISS employee. After the security company made a last minute decision to cancel the talk, Lynn quit his job and proceeded to make the presentation.

Conference organisers had removed 31 pages containing Lynn's presentation from the conference manual at the request of ISS.

Cisco and ISS had mutually agreed to cancel the presentation because further research was required, Cisco security spokesman John Noh told vnunet.com. This would have enabled the security researchers to provide more detail.

After Lynn proceeded with his presentation, which demonstrated how to shut down a router running IOS through remote execution, Cisco and ISS took legal action.

"Cisco and ISS jointly filed a motion for a temporary restraining order against Michael Lynn and the Black Hat organisers because we believe that the information Mr Lynn presented yesterday contained intellectual property belonging to Cisco and ISS and that he has illegally obtained it," said the companies in a joint statement.

Cisco did not object to Lynn's identifying a flaw in IOS, but took issue with the fact that his presentation contained information that could have helped third parties to exploit the vulnerability. The vendor argued that this was not in the best interests of the internet.

The injunction bars Lynn and Black Hat conference organisers from disclosing any notes and recordings from the presentation, and blocks Lynn from disclosing any further information about the IOS case that he gathered as an ISS employee.

Cisco also believes that, by decompiling the IOS software, Lynn has violated its copyrights. Decompiling is a form of reverse engineering.

A spokeswoman for ISS confirmed that the company had taken legal steps against its former employee, but could not provide any additional details because she had not seen the legal complaint at the time. Lynn could not be reached for comment.

An employee of security provider F-Secure who was present at the conference said in a blog posting: "Needless to say it's rather serious."

Lynn was aware of the legal consequences as he gave his presentation, but insisted that it was the right thing to do because of the seriousness of the issue.

As IOS is the dominant operating system for the internet, the software is a target for hackers. The flaw gets even more serious because the IOS source code was stolen in 2004, which potentially allows hackers to look for weak spots in the software's security.

• A .doc file with the Cisco and ISS injunction can be downloaded here.