Black Hat 2015: Could There Be Another CISCO,  Michael Lynn Holy Grail Vulnerability Disclosure?

Guy Wertheim Events

10 years ago I attended my first Black Hat conference. The most memorable moment for me was Michael Lynn’s presentation titled, “The Holy Grail: Cisco IOS Shellcode And Exploitation Techniques”.  Lynn had discovered a major exploit in the Internet’s backbone and was ‘warned’ against disclosing it.

I waited anxiously as  did the rest of the  audience for his presentation, holding the book of the printed presentations. Lynn’s pages were ripped out, again, in an attempt to prevent the vulnerability disclosure.

Lynn was threatened with prosecution against himself, his employer and the whole Black Hat  convention, but eventually he broke and talked and the reason was staggering. He kicked off the event with an alternative, backup presentation, which was greeted by audience heckling and booing.  This was all he needed to switch back to his original presentation. The crowd cheered and he ended the presentation by asking for a job and prepared himself for a major lawsuit.

10 years later, Jennifer Granick, the key note speaker at Black Hat 2015, talked about her role as his lawyer during that time.  Her takeaways from that experience in particular and other moments since, was that the Internet as a whole should be a place for sharing and not censorship.  As she said, “a library not a monitored TV”.  Everyone should be able to create content and not be subjected to censorship.

Interestingly, Lynn had seen evidence of the vulnerability in Chinese forums, the knowledge was out there already… yet he was not allowed to discuss it.

We rely on the cloud for everything in our modern, technology-driven lives, but as Granick describes, “the cloud is not a collection of water drops”, it is a centralized place controlled by a few large companies. She challenged the audience, asking how many are blogging on their own blog versus posting on Facebook?

A Place For The People, By The People

I personally hope that if some other Lynn will discover such a significant vulnerability today, that the Black Hat community and management will accept its disclosure with open arms.  But perhaps there is another middle ground that is more appropriate. Maybe we should have a private place, ‘for the people by the people’, where sensitive knowledge can be shared.  Not shared necessarily with everyone, but with the relevant parties who can do something to prevent extensive damage. Not subjected to a specific entity dictating what can or cannot be shared.  A bazaar not a cathedral, a library not a monitored tv.

As Granick summarised: “Start creating the technology for the next cycle of revolution”.

We certainly hope we do our part.

The following two tabs change content below.
Guy Wertheim

Guy Wertheim

Founder & CTO at Comilion
Guy is Co-founder and CTO of Comilion. Prior to that he was a consultant with McKinsey. His passion for cyber security was ignited in an elite intelligence unit of the Israeli army. Distributed networks are a particular pet love as the implementation challenges and subsequent efficiency derived are second to none. He believes that tight collaboration on security will significantly limit the longevity and scale of damage caused by cyber attacks. Once dragged away from his screen, Guy loves dancing Salsa and playing basketball