Media did a poor job writing that article.
It suggested Cisco was putting the clamps down on anyone discussing router bugs, which is not true.
What the article doesn't say (but should) is that this guy is feeding router bugs into a bad community that he shouldn't and potentially benefiting from it by doing so. I think that deserves FBI investigation.
Industry standard (that everyone practises) is you notify Cisco/ITAdmins about a router bug 30 days before discussing it, so that everyone can fix the bug before crooks get into everyone's systems.
This was a poorly written article. I had (incorrectly) assumed Michael Lynn had already done industry norm reporting to Cisco etc. When in fact, he had not. What a horrible thing. FBI should throw the book at him for possibly giving this information to crooks. There's no reason to give this information to crooks, unless you are a crook. Quite possible this guy is trying to set up a business that sells bug info prior to the 30day window so crooks can exploit bugs. Or, maybe he's just a horribly irresponsible person, though he's certainly intelligent enough to know that he is assisting a bad community by spreading the info to crooks first.
I think Cisco and FBI should get aggressive with this guy (but they should better educate the media so people don't think Cisco was putting the clamps down on anyone discussing router bugs, which is not true.)
Haven't thought this through, but maybe Cisco's legal department should ensure all licensing requires 30 day notification of bugs. I've never read a Cisco licensing agreement so don't know what it says. But what is commonly accepted industry practise, should be written legal jargon in their licensing agreements. This way, any consultant studying or working on routers that finds a bug, is obligated to inform Cisco first, rather than crooks. Since industry NDA's for consultants require consultants to perform legally according to a company's policy, that also would tie any consultant to legally obeying licensing agreements to any company that owns routers.
Regards,
Amy J |
