MIchael Lynn's Black Hat presentation: What's the big deal?
In case you haven't heard, there's a big controversy over one of yesterday's Black Hat presentations. I frankly don't see what all the fuss is about.
According to Cisco, Lynn reverse engineered parts of IOS while working for ISS. This allowed him to discover methods to make use of existing vulnerabilities to gain shell access or execute arbitrary code on a Cisco router.
People, this is a big technical step forward, but it's just not news. First, Mr. Lynn has not created or publicized new Cisco vulnerabilities, he's merely come up with some more creative ways to make use of existing vulnerabilities. Second, I don't think any security professional should be surprised that it's possible to use a stack or heap vulnerability to execute code. It's been done to death on every other platform, why not IOS too? My hat's off to Mr. Lynn for what is definitely some masterful coding on his part, but we've seen this before elsewhere.
What really puzzles me, though, is why anyone is surprised that he's apparently going to be sued by both Cisco and ISS. I'm not privy to the agreements he may have signed with ISS when he was employed there, nor do I know any details about any NDAs that might be in place between ISS and Cisco. However, if he was paid by ISS to work on this project, the work belongs to ISS and not to Mr. Lynn. That alone could be sufficient grounds for ISS to complain, especially because by outing the work, he has also probably opened ISS itself to lawsuits from Cisco.
So please everyone, let's get over this teacup imbroglio. This just isn't the story everyone thinks it is.
