[Dailydave] Cisco's chickens come home to roost
Dave Aitel
dave at immunityinc.com
Mon May 19 11:31:03 EDT 2014
Cisco's executive team posted a blog and went on record to the news last
week about being annoyed that the USG installed backdoors in routers as
they were shipped.
http://blogs.cisco.com/news/internet-security-necessary-for-global-technology-economy/
So I wanted to point out that there's a difference between whining about
how your government does something, and building a secure ecosystem. For
example, from the blog post:
"When we learn of a security vulnerability, we respond by validating it,
informing our customers, and fixing it."
On the contrary, Cisco is notorious for posting vague and misleading
advisories. Likewise, a modern secure device needs to be transparent:
you need to allow your customers the correct tools to validate both your
hardware and software. Cisco is nowhere on this, as far as I can tell.
Perhaps Marty can educate us on how this is working better since his
arrival (which I would expect), but nobody having read a Cisco advisory
for the past ten years thinks they have a leg to stand on. Every RCE
issue is "potential DoS", and it's either duplicitous (towards their
customer set and the public both) or incompetent (which is probably
worse). Compare that to the work Microsoft does with explaining, rating,
and cataloging their vulnerabilities. Those two pictures are a world apart.
Cisco even coming out to talk about this stuff is silly, since the US
Govt is hardly the last word in supply side interdiction for any real
company. Are there tools available that help a company validate that
the router they configured in the home office in Dallas and then
shipped to Hong Kong for deployment was not modified in Hong Kong? No,
there are not. And that's a much more likely scenario.
The blog has some additional naive suggestions:
"* Governments should have policies requiring that product security
vulnerabilities that are detected be reported promptly to
manufacturers for remediation, unless a court finds a compelling
reason for a temporary delay. By the same token, governments should
not block third parties from reporting such vulnerabilities to
manufacturers."
Remember when Cisco sued Michael Lynn and Blackhat and ISS all at once
about releasing security issues in their routers? Well, this is those
particular chickens coming home to roost.
http://www.infoworld.com/d/security-central/black-hat-leaked-cisco-slides-pulled-after-legal-threats-156
Dave Aitel
Immunity, Inc.