An editorial on the recent "Ciscogate" Black Hat convention
If you are a computer geek, you may have heard of the Black Hat convention held last month. I was not there, so I can only go on reports of Michael Lynn's presentation. Let's assume that some of you don't know how this story goes; I'll tell you what I know. Lynn was an employee of Internet Security Systems Inc (ISS), an Atlanta-based company, and he was a member of its X-Force Research team. Through ISS, Lynn was involved in security-related work for Cisco. Lynn is said to have reverse engineered some of Cisco's IOS (Internetwork Operating System) code. He, or his company, found big problems which could be exploited by the bad guys. Glossing over the details, Cisco went ballistic; by all accounts they went over the edge. I have provided some links to sites if you are interested in the convention fiasco. Back to the story: Lynn was invited to be a guest speaker at the Black Hat convention. Cisco freaked as the convention neared, and got ISS to pull Lynn's presentation, but he quit (by some accounts he was fired) and insisted on going ahead with the presentation. Lawyers came out for Cisco, like flashing lights and blazing sirens; Cisco confiscated convention CDs and handouts, and proper “Cisco-edited” materials were substituted. The result was that Lynn hosted his presentation, titled “The Holy Grail: Cisco IOS Shell Code and Exploitation Techniques.”
This is where I ask: what is wrong with this picture? I understand that the patch to fix the vulnerabilities had been around for three months before the convention. Yet consider this: we have a security company knowingly presenting information to the biggest source of security threats around on an issue that has reportedly been fixed. Moreover, the broad use of Cisco's routers in the infrastructure of the internet makes this a very serious matter.
I have been trained to forget passwords given to me for support purposes, to triple guard my client's files, and to consider email that is not mine as invisible. That's what I want and expect from other technicians and professionals in this industry. I may be alone in this thinking, but isn't this wrong? Don't these people consider anything besides what they can gain?
I don't know about Lynn's intentions, or any of the background facts in this nonsense; I really don't care. In my own way, I refuse to give him the celebrity status he obviously sought. I consider a hacker to be a lot like a terrorist bomber. Today, we are all under attack by an opportunistic enemy, who uses the internet and may be more of a black hatter than any conventioneer. What I mean is, they are brave, cunning, rebellious, and cursed to be in a dead-end project. I have heard all the arguments on white and black hats; it's rubbish. If someone disrespects you in this fashion, you don't want to thank them. Who out there would say ‘thank you for saving me from a bigger, badder intruder’?
Most associations or professional groups have Codes of Ethics, which they usually start by affirming that people should be treated with respect, and looked at as an end, not a means. The better thought-out ones warn that ethical behavior is more than avoiding committing questionable acts; it is a way of acting for the good of society. The Geographic Information System (GIS) professional code of ethics points out some simple but powerful reasoning below:
1. Do the Best Work Possible
• Be objective, use due care, and make full use of education and skills.
• Practice integrity and not be unduly swayed by the demands of others.
• Provide full, clear, and accurate information.
• Be aware of consequences, good and bad.
• Strive to do what is right, not just what is legal.
2. Contribute to the Community to the Extent Possible, Feasible, and Advisable
• Make data and findings widely available.
• Strive for broad citizen involvement in problem definition, data identification, analysis, and decision-making.
• Donate services to the community.
3. Speak Out About Issues
• Call attention to emerging public issues and identify appropriate responses based on personal expertise.
• Call attention to the unprofessional work of others. First take concerns to those persons; if satisfaction is not gained and the problems warrant, then additional people and organizations should be notified.
• Admit when a mistake has been made and make corrections where possible.
There are codes of ethics, and codes of conduct; maybe these should be more important than being a ranking member of the rowdy boys. Unfortunately, the people that quit their job on moral grounds usually do it professionally and without media coverage.
For further reading, check out these links:
Association for Computing Machinery. 1992. ACM Code of Ethics and Professional Conduct, http://www.acm.org/constitution/code.html
American Institute of Certified Planners. 1991. AICP Code of Ethics and Professional Conduct, http://www.planning.org/ethics/conduct.html
Craig, William J. 1993. A GIS Code of Ethics: What Can We Learn from Other Organizations? Journal of the Urban and Regional Information Systems Association, 5(2): 13-16. See http://www.urisa.org/certification/craigeth.pdf
On the convention
http://blogs.washingtonpost.com/securityfix/2005/07/mending_a_hole_.html
http://rootprompt.org/article.php3?article=8967