7 August 2005. See ISS demand letter to Cryptome and information on Cisco and ISS officers:
3 August 2005 Updated.
Over at Memestreams there's a post explaining the technical aspects of this non-technically - why the exploit was already known and why all of this is actually not about the exploit per se, but about something much deeper than that.
From the post:
http://www.memestreams.net/users/dagmar/blogid5665679

"[...]Cisco had gone one step farther [...] in their equipment design and had incorporated software that acts as a kind of watchdog, that once it sees something going on that shouldn't be happening, it puts a stop to it. So, under ordinary circumstances, when someone finds an overflow glitch in Cisco equipment and tries to exploit it, the worst that can happen is the part of the equipment that was attacked gets killed by the watchdog routine.[...]
Mike Lynn, in short, figured out how to make the watchdog believe that nothing is actually wrong, so that the attacker's own code gets executed and isn't stopped."
Don't see people discussing this anywhere else so with your coverage of the situation I think this article would really be useful.
2 August 2005 Updated.
Video of Lynn's presentation being ripped out of the Black Hat compendium and CDs being removed from attendee packets:
Photos of Lynn in-person presentation at Black Hat:
31 July 2005.
ISS advisory on Cisco IOS exploit:
Responses welcomed; send to: jya[at]pipeline.com (PGP PK)
If the Lynn presentation is pulled from here, Google the newsgroups or send us an email for where to get it. There are at least a dozen places it's available in- and outside the US.
A reader writes:
So looking at your web site, it seems like there was some info that was blacked out in Lynn's presentation, but not in your slides. Is that correct?
Also wondering if you've received a letter from the ISS lawyers?
Apparently so on the redactions, but we're asking around for whatever BH attendees recorded or can recall of Lynn's in-person presentation -- for publication on Cryptome, including pointers to the "Chinese" IOS hacks Lynn credited for aiding his research.
One attendee reports that Lynn's presentation slides had removed the ISS logo. Another reports that quite a number of BH's printed compendium and conference CDs were obtained before Cisco/ISS raided and ripped and rejiggered the disappearance of the July 1, 2005, presentation on Cryptome.
ISS obviously intended to present its findings based on the slides we're offering. It remains to be revealed what pressures led to the withdrawal during the three weeks plus from time of preparing the Powerpoint to the abrupt cancellation.
We'd like to help reveal that change of mind by keeping the material out in the open, despite whatever measures Cisco and ISS take to prevent that. I can't answer your question about a cease and desist due to our heavy-handed spam filter. No matter, I never comply with emailed demands like that based on legal advice that most emailed demands are bluffs, and they do come in about once a month. A blurb on Cryptome:
Documents are removed from this site only by order served directly by a US court having jurisdiction. No court order has ever been served; any order served will be published here -- or elsewhere if gagged by order. Bluffs will be published if comical but otherwise ignored.
More interestingly, based on similar abrupt withdrawals of sensitive security information, there are likely dark hands behind the scenes, say one or more TLAs, who demanded the IOS exploits be suppressed and slapped a national security NDA on the principals, maybe even got an in camera hearing with a federal judge. That would not be the first time. Nor the first time "Chinese" or foreign threats have been alleged, to wit, recent reports coming out of DoD/Intel and the media to warn of PRC spying and unconventional warmaking.
There has been an upsurge in accesses to a 1999 file on Cryptome about Chinese unconventional warfare:
There appears to be an increasing drumbeat about the Internet being a target, and corporations associated with its hardware and operation are deeply involved with the homeland security industrial complex.
Cisco, in particular, likes to brag of its national security role, and is susceptible to the disease of secrecy to cover its lucrative ineptness.
ISS got squeezed, it seems to me, as many small infosec sub-contractors do. Cryptome got started revealing this infosec coercion back in 1996. Looking forward to more to come.
Cryptome wrote on Bruce Schneier's blog:
Posted by: John Young at July 30, 2005 10:09 AM
The Lynn presentation on Cryptome was last modified on 1 July 2005 (last modification date on the original file received), thus is the one assisted by Cisco and ISS before mindchange and then ripped from the Black Hat compendium of presentations. Lynn presented a redacted version of this document at Black Hat. Compare a redacted slide from his Black Hat show with one unredacted in the PDF now on Cryptome.
Cryptome cracked the light security to remove the author's name (not Lynn) which set the last mod as July 29, 2005. And changed the filename from that used by Black Hat to "lynn-cisco.pdf."
What happened at the last minute to mindchange Cisco/ISS remains to be revealed but it is likely to do with risk of liability for the weakness which was sure to cause customer backlash when it was made public.
Could be this teacup tempest is an orchestrated "leak" of the weakness while pretending to fight release and gain a legal defense against pissed customers, a practice long-used in the fork-tongued world of national security.
If Lynn was duped by peddlers and sharks into being a suicide leaker, it wouldn't be a first time.
Posted by: John Young at July 31, 2005 07:44 AM
Cryptome has two versions of the Lynn pre-Black Hat presentation, the second derived from the first by Cryptome's cracking of light security to remove the PDF author's name and change of filename from that apparently used by Black Hat to lynn-cisco.pdf. This was done to muddy the doc source (we get attempted document stings now and then, and some appear to have covertly planted trackers).
The slide from Lynn's Black Hat presentation is from a tomsnetworking.com posting by H. Cheung, a BH attendee who took photos of some of Lynn's slides. See the URL cited above:
Cryptome has on its home page a composite of a Cheung photo of a redacted slide and the same slide unredacted in the PDF.
The Cryptome PDF file size is 1.9MB not 5.9MB as a person has claimed of one version. If there is a 5.9MB version we'd like to have a copy of it for comparison. Send to jya[at]pipeline.com
We are not aware of a 3rd version of Lynn's presentation but there could be a third or more as the doc went through stages of preparation, editing, censoring, obfuscating, even being rigged for disinformation.
A full account -- video, audio, notes, recollections, whatever -- of Lynn's in-person redacted presentation would be informative. He is apparently legally prohibited from providing that so it's up to BH attendees to piecemeal the account. If these are sent to us, Cryptome will make a package of the fragments for publication unless it has been done elsewhere. If it has been done we'd appreciate pointer(s).
Posted by: John Young at July 31, 2005 12:37 PM
Cryptome got the Lynn/Cisco PDF after posting a call for any information about his BH presentation. It arrived overnight July 28/29. At the time Cryptome posted the file around 5AM EST the 29th we had not been able to locate a version of his in-person presentation. And still have not seen much of it.
We'd like to see more information about his in-person presentation. And especially the "Chinese" hacks he refers to.
The ISS PDF version is way too corporate, too slick, too controlled, too promotional, slathered with an obnoxious logo and wee copyright hokum.
Probably a good thing Lynn dissociated himself from the over-doctored crapola which is likely to have hidden more than it revealed like Cisco's pussified security advisory.
A. writes 7/31/05:
I wanted to pass along a small piece of information shared at the Michael Lynn talk. Slide #27 of the lynn-cisco.pdf file on your site refers to TCB's and says, "I don't know what this stands for, and neither did the people at Cisco I spoke with". Someone in the audience claimed that it stands for "Transmission Control Blocks".
A2 writes 7/31/05:
I was at Lynn's talk at Black Hat, and I can tell you that some of the slides you have there are the same as the ones he showed, but there are some differences too. His slides did not include the ISS logo, and they had a fair number of redacted parts.
During the talk he said that ISS had received a call from John Chambers [Cisco chief] telling them to pull the presentation. Cisco never confirmed this, but that's what Lynn said.
Seeing what ISS is going through, however, it makes me wonder about the credibility of these independent security research firms. Is it possible for them to remain neutral reporters of security problems, when they sometimes have business relationships with the companies whose products they report on (hmm. wait a second, this kind of sounds like the press, doesn't it? :-)) Remember what happened to Dan Geer? [Geer was fired from @Stake, a Microsoft sub-contractor, for reporting Microsoft weaknesses.]
If Chambers abruptly ordered the presentation pulled that would fit how the TLAs get their way: calling the CEO and threatening to cancel government contracts and banishment from government/industry confabs. A Cisco insider might (anonymously) tell more about this if Chambers doesn't have the balls to do it. During the fight over encryption regulation in the early and mid-1990s there was a lot of government hammering of the crypto industry as it struggled to get out from under government control and reach the broader public. Dan Bernstein, Phil Zimmermann, and others were indicted and sued and threatened by the authorities, as others leaked information about the infosec technology and what was happening inside the industry. Cryptome was set up at that time to aid those who believed information security should be available to everyone not just those who benefit from CEO-grade secrecy.
Bear in mind that a fair amount of information security technology is rigged to allow government spying, and when these deliberate holes are revealed they are called faults not features. Some are deliberately revealed to divert attention from those more deeply hidden, which could be the case with those Lynn found in IOS. Cisco routers are surely rigged for government spying, not only by the US. Google the tale of Swiss-based Crypto AG which tells of a decades-long arrangement to keep those trusted crypto products accessible to NSA.
Wired News has an informative interview with Michael Lynn, who says at one point:
Wired News: You met with the feds after your talk, and someone gave you a challenge coin (a special coin created for members of the military to commemorate challenging missions)?
Lynn: Yes, they did, actually. And I didn't know what it was, so I didn't thank him properly.... This was a really funny story. (Right after my talk, this) guy walks up with a very, very impressive badge ... and says, "I need to speak with you. Now."
WN: What agency was it?
Lynn: Air Force (Office of Special Investigations). NSA, is what I'm told, but he wouldn't show me his credentials. There were a lot of flashy badges around from lots of three-letter agencies. So they take me to a maintenance area and I'm surrounded by people ... and one of them says (to another guy), "You've got the van ready?" I'm going, "Oh my god." And they go, "Just kidding!... Oh, man, you rock! We can't thank you enough." And I'm just sitting there, like still pale white. They all shook my hand.
I get the feeling that they were in the audience because they were told that there was a good chance that I was about to do something that would cause a serious problem. And when they realized that I was actually there to pretty much clue them in on ... the storm that's coming ... they just couldn't say enough nice things about me.... Also, US-CERT (Computer Emergency Response Team) asked me if I would come up to D.C. in a week or two and help them formulate the nation's strategy for cybersecurity.
A4 writes 1 August 2005:
FYI Abaddon is Mike Lynn's nick. He built heavily upon the research of a hacker named FX. Specifics on which Abaddon built are at http://www.phenoelit.de/ultimaratio/ - complete with tutorial, defcon slides, blackhat slides, and software downloads.
L. writes 1 August 2005:
Raven Alder's presentation from DEFCON about the Lynn attacks is available here:
A5 writes 1 August 2005:
Mike told me he originally found the Chinese documents at xfocus.org, although I'm not exactly sure what he found there.
Second, ISS is behind a lot of the legal action, actually more than Cisco. Note that many of the legal documents are drafted by ISS lawyers.
Third, Mike told me the reason he quit ISS is because they basically asked him to lie in his presentation. They wanted him to say he didn't find what he found. Which questions the credibility of the various ISS and Cisco press releases.
Finally, although ISS wants to suppress the information about the exploit, they have eagerly integrated this information into their products:
Apparently, their motivation is not so much protecting Cisco and its customers as it is using this knowledge to gain a competitive advantage.
I heard from a couple reliable sources that the exploit (or something similar) has been known for at least a couple years. Since I cannot reveal these sources, for now it will have to just be a rumor that certain govt-connected groups have known about this and kept it quiet.