-
July 29th, 2005, 10:09 PM
#11
Senior Member
Would it be safe to put this IOS Patching off until Monday?
There are many rewarding opportunities awaiting composure from like minds and great ideas. It is my objective to interconnect great things.
-
July 30th, 2005, 03:08 AM
#12
I was at the presentation, and applaud Mike for what he did.
He also pointed out that anyone who has kept their systems up to date with patches is not at risk. However Cisco have some stuff in the pipeline that may make the attack vectors for Cisco a little different (i.e. rather than having to recompile a worm for each version of IOS, one worm will work for all).
Quis custodiet ipsos custodes
-
July 31st, 2005, 12:41 AM
#13
Senior Member
A Patch was issued in April that fixed the Vulnerability, but they were just going to keep it to themselves that it fixes a major bung hole? Am I understanding this correctly?
There are many rewarding opportunities awaiting composure from like minds and great ideas. It is my objective to interconnect great things.
-
July 31st, 2005, 04:32 AM
#14
Well, the other issue seems to be that, while this specific vulnerability has been patched, the underlying deficient code development processes may have created vulnerabilities in other portions of the IOS code.
And as said, other product offerings and changes might be vulnerable.
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
-
July 31st, 2005, 04:55 AM
#15
Hi zencoder,
Looks like he buckled under the pressure...
" Cisco, security researcher settle dispute "
Michael Lynn, who left his job at Internet Security Systems Inc. hours before his speech, agreed never to repeat the information he gave at the Black Hat conference in Las Vegas on Wednesday.
He also must return any proprietary Cisco source code in his possession.
http://www.sanluisobispo.com/mld/san...s/12248404.htm
AP Wire | 07/28/2005 | Cisco, security researcher settle dispute
as you said...
That flaw was patched in April, but it's possible that the same technique could be used to exploit other vulnerabilities in Cisco routers. Lynn said the technique also could lead to the creation of a worm that targets routers, particularly when coupled with an upcoming version of Cisco's operating system.
Eg
-
July 31st, 2005, 05:05 AM
#16
Well, you could say buckled. I like to think more optimistically and say he chose to agree to their terms, rather than face a lengthy and/or expensive legal proceeding. Besides, it doesn't really matter to him now...he's already made his point and shared the information. He can easily say "I won't repeat it again" with complete satisfaction that his point has been shared and will be repeated by others now.
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
-
July 31st, 2005, 08:53 PM
#17
Junior Member
Cisco security hole...
If anyone has seen and reviewed his (Lynn's) information - what impact does/would this have on the Cisco security products such as the PIX? I can only guess that the underlying IOS is similar in some respects and therefore vulnerable as well.
Shame, I would have liked to read his report and seen this for myself.
-
August 1st, 2005, 03:36 AM
#18
"Shame, I would have liked to read his report and seen this for myself."
www.cryptome.org will help you
Do unto others as you would have them do unto you.
The international ban against torturing prisoners of war does not necessarily apply to suspects detained in America's war on terror, Attorney General John Ashcroft told a Senate oversight committee
-- true colors revealed, a brown shirt and jackboots
-
August 1st, 2005, 05:24 AM
#19
Mike did raise the point that for the hole to be used for a worm in the current environment would require a worm to be about 40mb in size...so don't be too concerned just yet. Cisco are looking at using virtual processes which is going to drastically alter this and a generic worm could be developed.
The hole affects the Cisco IOS in general, so anything using it is at risk.
And I don't think he buckled, it was either that or be sued by ISS and Cisco.
Quis custodiet ipsos custodes
-
August 1st, 2005, 05:52 AM
#20
Hi R0n1n,
"And I don't think he buckled, it was either that or be sued by ISS and Cisco."
Isn't that the very definition of buckling? Folding under pressure? He was under the heat and he took the easy way out....I'm not faulting him for that...no sense fighting a war you can't win...still...he caved under the pressure...under the circumstances it was probably the smart thing to do...but the result is the same.
Eg