Users in an uproar over Cisco/ISS suit

A Cisco IOS flaw patched three months ago becomes the catalyst for litigation against a security researcher. Black Hat attendees cry foul and say Cisco is in the wrong.

LAS VEGAS -- Attendees at The Black Hat Security Conference had plenty to say yesterday in the wake of Cisco Systems' announcement that it issued cease and desist orders to conference organizers and the security researcher who presented his findings on a serious Cisco IOS flaw patched months ago.

"The speaker worked with Cisco for the last six months on this and Cisco has had the patch for quite a while," said Wally Strzelec, an IT manager at Texas A&M. "I don't know what their beef is."

Security researcher Michael Lynn stated in his presentation that he quit his job as a researcher at Internet Security Systems [ISS] two hours before his discussion because of the controversy and now faces litigation from both his former employer and Cisco for divulging information on an IOS flaw patched in April. Sources say the two companies filed a joint lawsuit in the U.S. District Court for the Northern District of California.

"Seems like Cisco's trying to cover its butt," said Tom DeSmidt, a senior security engineer for satellite TV provider Echostar. "All software has flaws you can exploit. They should embrace it rather than act this way."

And Cisco may pay for the lawsuit, in more ways than one. Ken Pfeil, CSO for Capital IQ in New York, said something like this may turn clients away. "Cisco is going about this entirely the wrong way -- they're alienating their own customers," Pfeil said. "Walking around for six months with their fly hanging open and now saying 'you didn't see anything' is a bad business practice."

Sources close to the controversy say that ISS had at least four opportunities to modify the contents of the Black Hat presentation, but waited until only a few days prior to the show to request changes that would require a reprint of the Black Hat conference proceedings to the tune of nearly $20,000. ISS allegedly decided the cost wasn't worthwhile. Cisco claims it wasn't given the option of making the changes if it was concerned.

As far as the lawsuit goes, Black Hat President Jeff Moss remains unconcerned and has no intention of remaining mum as the cease and desist order demands. "Apparently Cisco is going to send us a really scary letter tomorrow," he said. "I don't like scary letters so when I get it, I'll let everyone know what's going on." Depending on the outcome, a press conference is tentatively planned for Thursday morning.

Associate Editor Amber Plante contributed to this report
