OK - I was patient at first; I was even interested for a day or so in this whole debacle. But now, 600+ news stories later (626 as of the current count), I am officially sick of seeing either the name "Lynn" or the word "Cisco" in the security media. I don't include ISS in the list, because I was already sick of them before this whole mess started.
My question is: why do we keep talking about this? I mean, what's new here? Is it that Cisco is more interested in their PR than the security of IOS? Oooooo... the shock value! (Not.) Is it the staggering revelation that ISS cares more about catching the crumbs from Cisco's plate than about courting hacker cred? Well, kiss my grits!
The bottom line is that both Cisco and ISS are publicly-traded *for profit* corporations. Meaning, their goal is to make money. And, the unfortunate truth is: without the debacle, Cisco would have made more money if Mike's message was stifled. Period. If they could have gotten away with it, that is. This is a lesson from the history books - it's why we have full disclosure in the first place. What makes this story new?
What about ISS? Again, we've already learned that lesson too. Specifically, when it's profit vs. one employee (or ex-employee), the employee loses. Seriously - how much business do you suppose having a relationship with Cisco brings them? Weigh that against the amount of dollars brought in by the hacking community. On the one hand you have a multi-billion dollar corporation and on the other hand you have the legion of the vinyl-clad disenfranchised. If @stake (ISS's evil twin) is willing to fire Dan Geer because Microsoft dislikes the nature of his research, why do we think ISS would "kid glove" Mike Lynn when Cisco is out for blood? Nope, not a surprise.
So why does the festival continue? I do think there is one thing that we can learn - that the bad PR associated with trying to "gag" vulnerability research is worse than the bad PR associated with having a vulnerability (in "for-profit" terms: it costs more money to stifle than to fix). That's a useful lesson.
Posted by Ed at August 15, 2005 10:21 AM