Sunday, July 31, 2005

Weasel-wording

Short version: I think that Cisco is overreacting and is being a bully.
Long version follows...

Cisco has a press release about the
permanent injunction against M. Lynn. Most of it reads like the usual
PC fluff. However, I take exception to the following:

Cisco's
actions with Mr. Lynn and Black Hat were not based on the fact that a
flaw was identified, rather that they chose to address the issue outside
of established industry practices and procedures for responsible
disclosure.

Based on available information, I feel that those
words are entirely bullshit and ask that someone (at Cisco hopefully)
point me to those "established industry practices and
procedures
" (the phrase implies that they're written down
somewhere). Supposedly Cisco patched the flaw last April, which means
that it was known (or made known) to them before that. If "established
industry procedures" indicates the "Full Disclosure Policy" that was
drafted by Rain Forest
Puppy
, then M.L. was well outside of the 5-day waiting period. Or
even the 30-day standard that Microsoft pushed for when that company
last trotted out
responsible disclosure
. Or how about eEye's RDP where specific
information is withheld until the patch is realeased? Coincidentally,
eEye's reported process is similar to those of the OIS (Organization for
Internet Safety
) (read their PDF for the actual written practices
and procedures) in that specific information is withheld until the patch
is released.

So which "established industry practice and procedure"
did M. Lynn violate? Or did Cisco just not like someone airing their
dirty laundry?

Just so that there's no confusion about my
"overreacting" opinion, I used that term in referring to the injunction
requirement put forth by Cisco, where M. Lynn never speak at Blackhat or
Defcon again, on any topic. I'd understand if the requirement was
limited to this specific vulnerability. In my opinion, anything extra
is malicious and over-the-top.

Neither side has acted with logical
consideration to their actions, both are trying to appear to be "the
victim", and all involved should "get over it".