Viewable With ANY Browser

Note: My Web pages are best viewed with style sheets enabled.


Shoot the Messenger

or Why Internet Security Eludes Us

Copyright © 2005, 2006, 2011 by David E. Ross

An ongoing debate rages among computer security professionals. This debate is best described by giving an example of a recent incident.

Routers are the devices that connect the Internet together. Routers direct messages from one place to another, not merely E-mail messages from you to me but also the packets of data sent from a Web server to your browser to create this Web page.

Michael Lynn (a former employee of Internet Security Systems, Inc. [ISS]) discovered a security vulnerability in the router hardware built by Cisco Systems, Inc., the largest manufacturer of routers. Lynn and ISS notified Cisco of the vulnerability, which could result in hackers taking control of the routers and thus seizing control of large segments of the Internet.

Although Cisco developed a software patch to make this flaw unusable by hackers, the company apparently did not aggressively promote the use of the patch. Having determined that the Internet was at a severe risk, Lynn decided to go public with his discovery by presenting a paper at the 2005 Black Hat conference in Las Vegas. At first, Cisco accepted Lynn's decision; but, at the last minute, demanded that ISS halt its employee from speaking. ISS tried to comply, but Lynn abruptly resigned from ISS and presented his paper anyway on 27 July.

Lynn's paper lacked sufficient details that would have enabled a hacker to use the vulnerability. Nevertheless, Cisco immediately sued Lynn, demanding that he deliver all his raw data, notes, and undistributed copies of his paper to Cisco. Just as quickly, Lynn capitulated and settled the lawsuit.

While Cisco claimed that its lawsuit was to prevent disclosure of proprietary software code, the real reason seems to be that Cisco was trying avoid being embarrassed by its weak response to Lynn's original notification to the company. This is quite typical of how most computer companies respond to publicity about security vulnerabilities in their products.

In any case, the cat was out of the bag.

Source: Los Angeles Times, 29 July 2005

The question being debated is:

If someone discovers a security vulnerability in a computer system and notifies the company that developed the system, how long should he or she wait for the vulnerability to be fixed before going public?

If you don't go public at all, the company has little incentive to place a priority on fixing the problem. If you go public too soon (before a fix could be possible), you create a risk that some hacker will use the information to cause severe damage.

*** Begin Left Sidebar ***

Suddenly, this issue became very real to me. I discovered a serious security vulnerability in the Web access to my account at my bank, which I characterized as
the backdoor is double locked while the front door is standing wide open.

*** End Left Sidebar ***

Contrary to a commentary by Steve Hamm in Business Week, Lynn waited several months before appearing at the Black Hat conference. To some, he was wrong to wait so long; hackers could have independently discovered the problem and damaged the Internet. To others, Lynn is a hero for alerting us to Cisco's apathetic response to the problem. Only to Cisco was Lynn a demon worthy of suing.

Remember, Lynn did not create the security vulnerability. The problem was inherent in Cisco's product. The vulnerability was created by Cisco. Cisco shot the messenger.

While rumors circulated that Lynn was under investigation by the FBI and might be arrested, the US-CERT (Computer Emergency Response Team, an agency of the Department of Homeland Security) released a public bulletin on the vulnerability. Near the end of the bulletin, the following statement appears.

Information regarding this vulnerability was primarily provided by Cisco Systems, who in turn acknowledge the disclosure of this vulnerability at Black Hat USA 2005.
Without Lynn's paper, we would still be in the dark about this. The FBI should be investigating why Cisco suppressed this information for several months.

The debate continues. The question of how long to wait remains unanswered.

We all see the consequences of speaking out: Lynn is now unemployed. The Internet remains quite vulnerable, not because of Cisco's defective routers but because of the general way such problems are handled. Those companies whose products contain flaws shoot the messenger when the flaws are revealed. Instead, people like Lynn should be rewarded by those companies for performing work that the companies themselves should have done originally. Until this situation changes, Internet security will remain impossible.

30 July 2005

CNET published an article on this subject on 6 September 2005. The article begins describing how Tom Ferris reported a user vulnerability bug in Internet Explorer to Micro$oft. It then goes into an extensive discussion of the broader issue of prompt versus delayed disclosure of such bugs.

On that same date, Ferris submitted a confidential bug report to the Mozilla Foundation about a similar bug in browsers based on Mozilla. Bug #307259 reported that a hostile Web page can cause the computer of anyone who views that page to execute arbitrary and possibly quite harmful code. Three days later (9 September), Ferris went public with his discovery, causing Mozilla to remove the confidentiality flag from the bug report. By that time, work was well underway to correct the problem. Later that same day, an interim fix was publicly released to disable the feature that contained the bug. A more permanent fix — without disabling that feature — was also developed for implementation in the next versions of Mozilla products.

An outside news report indicates that Ferris went public with his discovery after only three days because of a dispute with the Mozilla Foundation. The Foundation has not commented on this. Speculative comments on that news report suggest that Ferris went public too quickly in order to garner publicity for himself.

10 September 2005
Updated 29 October 2006

On occasion, the messenger can be targeted with severe penalties. On 22 October 2011, Patrick Webster notified Pillar Administration — the administrator and trustee of several Australian pension plans — that their software contained a security vulnerability that allowed him to access the accounts of other members of his pension plan. Webster — a security consultant in Australia — provided Pillar Administration with data from some 500 accounts. Webster did not go public with the vulnerability. He did not publish his data or make any use of it other than to prove his assertion. He disseminated the data only to Pillar Administration.

Instead of thanking Webster for finding a flaw in their software, Webster's own pension plan — First State Superannuation Scheme (superannuation scheme being an Australian term for retirement pension plan) — filed a criminal complaint against Webster for accessing the other accounts. First State Super's attorneys also sent Webster a letter, demanding that he purge his computer of any data and software related to his discovery and warned him that they might seek reimbursement from Webster for the cost of fixing the security flaw.

Webster had accessed retirement accounts only at First State Super although it turns out that other pension plans administered by Pillar Administration have the same security flaw. First State Super sent letters to other account holders, implying that Webster caused the security vulnerability. Apparently in response to public outrage over news accounts of what really happened, First State Super then withdrew any claims against Webster. It is not yet known whether the criminal complaint against Webster has been dropped.

Here we have a case of a whistle-blower facing both criminal prosecution and a civil claim for damages for privately reporting a security flaw. Truly, First State Super tried to shoot the messenger.

Sources: Slashdot, SC Magazine, Financial Standard Online, Technology Spectator

14 October 2011
Updated 20 October 2011

Link to David Ross's home page
David Ross home

Valid HTML 4.01