<html>
<head>
<meta http-equiv="content-type" content="text/html;
charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Cisco's executive team posted a blog and went on record to the news
last week about being annoyed that the USG installed backdoors in
routers as they were shipped. <a
href="http://blogs.cisco.com/news/internet-security-necessary-for-global-technology-economy/">http://blogs.cisco.com/news/internet-security-necessary-for-global-technology-economy/
<br>
</a><br>
So I wanted to point out that there's a difference between whining
about how your government does something, and building a secure
ecosystem. For example, from the blog post:<br>
"<span>When we learn of a security vulnerability, we
respond by validating it, informing our customers, and fixing it."<br>
<br>
</span>On the contrary, Cisco is notorious for posting vague and
misleading advisories. Likewise, a modern secure device needs to be
transparent: you need to allow your customers the correct tools to
validate both your hardware and software. Cisco is nowhere on this,
as far as I can tell. Perhaps Marty can educate us on how this is
working better since his arrival (which I would expect), but nobody
having read a Cisco advisory for the past ten years thinks they have
a leg to stand on. Every RCE issue is "potential DoS", and it's
either duplicitous (towards their customer set and the public both)
or incompetent (which is probably worse). Compare that to the work
Microsoft does with explaining, rating, and cataloging their
vulnerabilities. Those two pictures are a world apart.<br>
<br>
Cisco even coming out to talk about this stuff is silly, since the
US Govt is hardly the last word in supply side interdiction for any
real company. Are there tools available that help a company validate
that the router they configured in the home office in Dallas and
then shipped to Hong Kong for deployment was not modified in Hong
Kong? No there are not. And that's a much more likely scenario.<br>
<br>
The blog has some additional naive suggestions:<br>
"<br>
<ul>
<li>Governments should have
policies requiring that product security vulnerabilities that
are detected be reported promptly to manufacturers for
remediation, unless a court finds a compelling reason for a
temporary delay. By the same token, governments should not
block third parties from reporting such vulnerabilities to
manufacturers.</li>
</ul>
<p>"<br>
</p>
Remember when Cisco sued Michael Lynn and Blackhat and ISS all at
once about releasing security issues in their routers? Well, this is
those particular chickens coming home to roost. <a
href="http://www.infoworld.com/d/security-central/black-hat-leaked-cisco-slides-pulled-after-legal-threats-156">http://www.infoworld.com/d/security-central/black-hat-leaked-cisco-slides-pulled-after-legal-threats-156
</a><br>
<br>
<br>
Dave Aitel<br>
Immunity, Inc.<br>
<br>
<br>
</body>
</html>