Payback for Ciscogate – new trend?

on the surface it seems like in recent weeks people started going full-disclosure on cisco, surprising them with vulnerabilities reports on bugtraq and friends. i may be wrong and they knew of these ahead of time… if i am forgive me. it seems like “payback time” or “loss of faith” after “ciscogate”.

this possible trend is more than just disturbing, it’s dangerous to us all when it comes to a company like cisco… whether they “deserve” it or not is irrelevant. they represent most of the internet’s infrastructure and that by itself is a problem.

today when microsoft truly /wants/ to work with researchers (even if sometimes they don’t act it), the main problem they face is that researchers simply don’t believe in them. they are used to hearing things like:
“this is not a vulnerability”
“yes, we are already aware of that” (=and that is why you won’t get credit)
and many other responses, although sometimes people don’t even get a response.

myself, i never had such problems with microsoft and found them very responsive and serious in their replies, at least in recent years. but that’s just my personal experience and that doesn’t count. :)

with cisco, it can get worse. researchers may fear that if they do get a response (or work with psirt) it will be with some sort of legal document or a search warrant. still, cisco is responsive, and i don’t much like full disclosure against companies that actually handle reports and give due credit to researchers.

i suppose only time will tell where this will end, but it seems that, much as predicted by mike lynn, raven alder and myself, cisco exploits are going to become a very serious concern for the infrastructure in the near future.

i believe people should give cisco psirt a *chance* before going public with vulnerabilities… but if they don’t i suppose cisco and everyone else learned a valuable lesson.

what that lesson may be is a whole different blog entry. not many had a grudge against cisco before ciscogate… and lost faith is very difficult to recover.

gadi evron,
ge@beyondsecurity.com.

  • jsk

    I agree and personally think that Cisco’s best bet would be to formally state that the way they dealt with Lynn was wrong. They need to somehow get people to work with them, otherwise I agree with others’ predictions that this is just the beginning of the flood.

  • http://www.tuxq.com/ Steven

    I noticed this a few months ago after DEFCON in August when Cisco had that fine fellow gagged. It seems they struck a chord in the security world, one that shouldn’t have been struck so hard. Ever since those last days of August, Cisco vulnerabilities have been popping up like erectile dysfunction medication advertisements.

  • sunshine

    I think that is more due to people realizing they CAN hack IOS than anything else really.