[ISN] Legal threats continue over Lynn presentation slides

InfoSec News isn at c4i.org
Wed Aug 3 06:06:24 EDT 2005 

http://www.techworld.com/security/news/index.cfm?NewsID=4139

By Robert McMillan
IDG News Service &
Kieren McCarthy
Techworld
02 August 2005

The leak of the controversial Cisco IOS security presentation is 
continuing to draw legal threats on those hosting a pdf copy on their 
servers.

Security research company Internet Security Systems (ISS), the company 
at the centre of the saga, has sent a cease-and-desist letter to 
Richard Forno, a security researcher who just hours earlier had posted 
the presentation slides to his InfoWarrior.org site.

The letter from ISS' lawyers, believed to be but one of many, accused 
Forno of publishing stolen proprietary information and threatened 
legal action if he did not remove the ISS material. 

Forno said in a letter on the site that he decided to pull the slides 
but added angrily: "Had the two companies involved said nothing about 
this briefing, it's quite likely that few if any people or news 
outlets would've given it more than a passing thought. But as a result 
of their heavy-handed tactics this week, both Cisco and ISS have ended 
up publicising a serious vulnerability quite significantly and thusly 
re-ignited the discussion over how the Internet security community 
handles vulnerability disclosure and product updates."

A Cisco spokesman downplayed his company's involvement. "We're not 
sending out those letters. ISS is doing that through their law firms," 
he said. ISS declined to comment for this story.

The legal threats are unlikely to have much of an impact however. The 
material is already available on a string of other websites and the 
ongoing controversy has drawn more and more people to the case. Two 
versions of the presentation have since appeared, as well as 
photographs of the actual presentation at the Red Hat conference in 
Las Vegas. Anyone likely to understand the full import of the slides 
will easily locate the presentation. 

Cisco has since produced an advisory on the holes in its IOS software 
- patched back in April, following wider awareness of the situation.

One of the other high-profile hosters of material surrounding the 
case, Cryptome, was unable to say whether it had received similar 
legal threats but its administrator, John Young, said it was Cryptome 
policy to ignore any such threats. The site has since added a page 
covering discussions of the Lynn presentations.

The controversy has ignited debate within the security community about 
the limits of responsible disclosure and whether companies such as 
Cisco are helping hackers or users through the public discussion of 
security flaws. To most Black Hat attendees interviewed last week, 
Cisco and ISS's actions clearly went too far.

One attendee said that companies such as Cisco should embrace this 
type of disclosure. "I look at it this way: It's free research," said 
Robert Gregory, an Information Assurance Engineer with Northrop 
Grumman's TASC division. "You've got the entire IT community doing 
research for you, and it's not costing you a dime."

More information about the ISN mailing list