Thursday, July 28, 2005

Cover ups and civic responsibility

OK, moral dilemma time. I've got a situation for you to ponder and I'd love to hear your thoughts.

Imagine that a researcher discovers a way to send a signal to the computers installed in the engines of all models of a specific manufacturer's cars. (Doesn't matter which one, just that it's a specific car company with a lot of cars out there on the road.) In sending this signal, he instructs the computer to take actions that result in a lot more electrical current being applied to components of the fuel management system than should be. The result is a 90% probability that the car will immediately catch fire and the gas tank will explode. He has the opportunity to disclose that information to the car maker so they can produce a fix for the problem. He also has the opportunity to present the information in a conference comprised of people some of whom have anarchist ties, some histories of illegal activity, and some who are outspoken critics of corporations and law enforcement. In short, a conference of people some of whom will absolutely make use of his information to perform the action this researcher has discovered is possible.

Should he disclose the information to the company or present the information at the conference? If he chooses to present the information at the conference, is he in any way responsible when one of the attendees uses his technique against some 3rd party's car?

Think about it. Leave a comment and let us all know how you feel on the matter.

As you've likely guessed, this is not a completely hypothetical exercise. I note a situation going on that's very near and dear to my techie heart. A researcher named Michael Lynn, until recently an employee at ISS in their "X-Force" research team, has apparently discovered a method of using a previously detected vulnerability in Cisco's IOS, the operating system on Cisco routers. Lynn's technique allows an authorized user to gain access to the router's operating system and configuration. (Please note that this isn't a new "hole" but a different use for one that had already been reported. The security problem has been fixed in recent versions of the code, but not all of Cisco's customers had been advised of the particulars yet, nor had they had the chance to update all their routers.) When the details of Lynn's presentation were made known to Cisco and ISS, Cisco asked that the details of how to perform this exploit be withheld from the audience of the Black Hat Briefings conference going on in Las Vegas until they had the chance to disclose the exploit to their customer base using their procedures for this task. ISS agreed and removed the material from the binder being given out at the conference. Lynn resigned his position in protest and presented the information anyway. As of yesterday afternoon, Vegas time, an unknown number of technically very clever people were given detailed instructions on exactly how to gain access to the routers that comprise a huge majority of the Internet's infrastructure and provide the internal networks of the vast majority of America's corporations. I can absolutely guarantee that there will be companies, agencies, and public entities taken off-line as a result of this technique. The mass of groups using Cisco's routers is simply too large to perform updates fast enough to stop it.

Cisco has initiated a lawsuit against Lynn to get a restraining order on his further divulgence of this data.

Some members of the techie community are calling that action a "cover up" with Cisco trying to "silence" this researcher. The various technical reporting outlets are painting this fight as a valiant member of the research community desperately trying to expose a corporation deliberately putting out a defective product and the faceless, monolithic corporation trying just as hard to keep us all in the dark. Allow me to put this into a different light.

Picture this: a member of your family has just fallen very ill with a heart arrhythmia and is having trouble breathing. On his way in from the patio out back, staggering in to attempt to call 911, his drug allergy bracelet catches on the doorjamb and breaks off. He manages to dial 911 before he collapses, and the paramedics find him on the floor when they arrive. On the way to the hospital, your family member starts going into cardiac arrest. The paramedics have 2 medications they can treat him with, 1 of which he's lethally allergic to. They radio in to the hospital asking if he's got a known allergy. The nurse at the hospital goes to check the database - and can't. That database is on the other side of a Cisco router that some script kiddie in South Korea just took down on a lark using Lynn's technique. So sorry to inform you that these caring, professional medical people just pumped 10 cc's of what might as well have been ricin poison into your family member, and he died.

I will be keeping an eye on this situation to see if there was some kind of mitigating circumstance in Lynn's disclosure. Right now, it just looks like a case where some researcher thinks his right to recognition for his work outweighs the public good of maintaining our information systems' integrity. Cisco has, by all accounts, already dealt with the problem and is advising its customers to apply the fix as fast as they can. It seems to me that Lynn just didn't want to miss the chance to play to an audience at Black Hat and decided to quit his job rather than give Cisco the time to disperse the fix. And this guy was a member of a team supposedly dedicated to helping us all stay safe in cyberspace. Nice. Real nice.