What has this case done for full disclosure advocates? It's one of those situations that has gotten people talking about it. My view is skewed because it happened at Black Hat, where most are advocates of disclosure. Most in the security community feel the amount of information Mike disclosed was completely responsible. In fact, some would say it was not full disclosure; it would have been if he had released exploit code. He explained...
the problem. I think in some ways, this has been good for advocates and bad for opponents because it suggests companies are overprotective of information since everybody I've spoken with believes Mike's information didn't put people in danger.
With the ubiquity of the product, Cisco's easygoingness about encouraging people to patch, the seriousness of the flaw, the ease of fixing it and the fact that the amount of information he put out there would not allow people to readily replicate it -- put all those factors together, I think most people would agree the way he handled it was responsible.
Yet Cisco didn't like it. I think it becomes a battle of perception; what one person thinks is useful information may be too useful to another.
Cisco charged that Mike had crossed the line and provided too much information, including trade secrets. What does the law say about trade secrets in this regard?
There were no trade secrets at stake here. Mike didn't have the source code, he had the binaries, the product that they distribute. Trade-secret laws are about protecting people in a fiduciary relationship of trust from disclosing private information that is economically valuable. The idea is if an insider gets information, they must keep it secret. It's about misappropriation of trade secrets.
This is not something that is supposed to stop the public from tinkering with products that are publicly available. It's like saying you can't look at the motor of your car and figure out how it works because the fuel-injection system is proprietary. It would be an issue if an insider from GM was talking to a competitor about a trade secret. The same responsibility does not bind the general public. Think about the limitation on people's liberties or on the economy if we could not figure out how to make machines work better or interoperate with each other.
Trade secret law says targets insider and people who misappropriate.
Would this case have made the same splash if Mike was an independent researcher and not employed by ISS prior to his presentation?
It definitely would have had the same splash if he were independent. Independent researchers are always making presentations of this kind at shows like Black Hat or CANSEC West. This made a bigger splash because the lawsuit involved Cisco. I think they mishandled their PR.
One of the things about the substance of his presentation: You can't depend on a title to give you credibility. The credibility of your hypothesis is based on the quality of your work. You have to show enough quality of work to get people to believe what you're talking about. I think he succeeded in convincing people he was not kidding; this is real.
As an advocate of full disclosure, what do you believe is a proper means of disclosing information?
It really depends; it really is in the eye of the beholder. There are a number of factors that must be considered: Are there patches available? How long have they been out? What kind of information are you disclosing? Is there proof-of-concept code? Are you describing the problem in English?
The point is, in a computer context, there is no security through secrecy about flaws. If one person has found it, chances are others have as well. With computers, it's cheap and easy to keep trying to find a flaw until you do. It's expensive and difficult to attack a castle. You may attack a castle 10 or 100 times to find a weakness, but there's a cost in lives. With computers, it may take 1,000 attacks to find a weakness, but you can keep it a secret. It's costless to keep it a secret. I agree that I'm an advocate of full disclosure, but I don't think there should be exploit code thrown left and right, but to keep it secret does not make it valuable.
Full disclosure debates do stir some emotions.
It does stir passions, but to some extent, the debate is settled. Most are in favor of responsible disclosure, where no exploit code is released, but perhaps enough details are provided that others may be able to replicate it themselves.
Mike disclosed less than that level of information. It's not easy (to develop an exploit from his presentation) unless you're an expert in routers. People generally believe this works and that it's for the greater good. The economics of this may eventually change. Companies that are no good with security problems may be better at it. In the end, it's a matter of customer awareness. Again with cars, don't tell me there's a problem with my car, tell me a tire might blow out. We need to know consequences.
In the end, is Ciscogate going to be a good or bad thing for security?
For Mike, it's a bad thing. It's very stressful, expensive and painful to be sued. I don't know, maybe the community is demonstrating its frustration with ISS's and Cisco's approach and this may show that this isn't the way to appear like a responsible vendor to purchasers of their products. It may be valuable in that next time, people don't shoot the messenger. Personally, for Mike it's not good. Overall, it's good for the security. Cisco routers have a problem and they can be fixed with a patch. People know a lot more about router security.
What issues has Ciscogate raised for the future?
This case raises a lot of issues that we'll see again in cyberlaw. It will be interesting to see if EULAs deprive someone of the right to reverse engineer a patch? It will call into question what is a legitimate trade secret. What amount of disclosure is responsible and the audience to which disclosures are made will be a real issue; whether it helps good guys or bad guys and the fragmentation of the security community in terms of which parts are trustworthy with this kind of information. This is the tip of the iceberg.
A shorter version of this interview appears in the October 2005 issue of Information Security magazine.