Who threw the stone? Lynn Vs. Cisco case.

In the book Security, Ethics & Electronic Commerce Systems – ECOM20002 compiled from Principles and Practice of Information Security by Volonino and Robinson, chapter 3, the common sources of risks are user ignorance, lack of enforceable policy, social engineering, excessive sharing, and revealing candor. How does the software company is not included as a source of risk for having a bad security design? Don’t they liable for the causes of security breaches?

That was the question I asked in class Security, Ethics & Electronic Commerce Systems – ECOM20002 few weeks ago. A bit f surprise as I was seeing people was laughing at my question and wonder why would we blame (for example) M$ for their responsibility(ies) to provide safe software and should protect the customer. Why people blame System Administrator, Cracker, or even the company (in this case is the customer) who bought M$ product? Why should the customer by liable for these producer’s problem?

Another case just came up to the surface about a hacker named Mike Lynn, a former researcher at Internet Security System, who blew the whistle about Cisco IOS software flaw. Basically, Cisco did repaired this problem in April yet Cisco was not giving any information about why the IOS was patched. Recently, and just recently, Cisco did announce Cisco Security Advisory: IPv6 Crafted Packet Vulnerability dated 2005 July 29 1630 UTC.

Now, why would Mike be liable for this? because he got this information using ‘inappropriate way’ like using reverse engineering? why the hell did Cisco close the source and don’t want anybody know about the inside and do everything they can to find and sue a hacker (cracker, ehm) who steal the source code?

Remember Fernando Gont with the story revealing ICMP Attacks against TCP? Cisco was there.

Back to the question, why don’t the software producer, in this case, Cisco, be liable for this flaw? Why don’t there any lawsuit against the negligence of providing appropriate information, support, and preventive action to avoid company or user lost due to their product problem?

Let me trying to explain this in simpler way. Just say that you need a software that your company can’t make. You outsource to the company XYZ. I believe you have more incisiveness to ask the XYZ to provide you the source code and warranty. Now, If you’re smart, probably you would ask too what will happen if the software did a failure and cost you your head?. Would you like to be called stupid or you would just really want to make sure that this XYZ will “takin’ care of this” (Yeah, like the Itallian mafia “takin’ care of this”)?

Well, this is one of the reason I don’t like Closed Source!

“A few years ago it was rumored that ISS would hold back on certain things because (they’re in the business of) providing solutions,” Anghaie said. “But now you’ve got full public confirmation that they’ll submit to the will of a Cisco or Microsoft, and that’s not fair to their customers…. If they’re willing to back down and leave an employee … out to hang, well what are they going to do for customers?”
Cisco Security Hole a Whopper

Collection of this story can be found on the list below:
Whistleblower Faces FBI Probe
Cisco Files Suit to Gag Researcher, Security Conference
Cisco Security Hole a Whopper
Flaw researcher settles dispute with Cisco
Researcher Defends Decision to Spill Beans on IOS Flaw
Cisco Is Shooting Itself in the Foot

Leave a Reply