10 years ago I attended my first Black Hat conference. The most memorable moment for me was Michael Lynn’s presentation titled, “The Holy Grail: Cisco IOS Shellcode And Exploitation Techniques”. Lynn had discovered a major exploit in the Internet’s backbone and was ‘warned’ against disclosing it.
I waited anxiously, as did the rest of the audience, for his presentation, holding the book of printed presentations. Lynn's pages had been ripped out, again in an attempt to prevent the vulnerability disclosure.
Lynn was threatened with prosecution against himself, his employer and the whole Black Hat convention, but eventually he broke and talked, and the reason was staggering. He kicked off the event with an alternative, backup presentation, which was greeted by audience heckling and booing. This was all he needed to switch back to his original presentation. The crowd cheered, and he ended the presentation by asking for a job and preparing himself for a major lawsuit.
10 years later, Jennifer Granick, the keynote speaker at Black Hat 2015, talked about her role as his lawyer during that time. Her takeaways from that experience in particular, and from other moments since, were that the Internet as a whole should be a place for sharing and not censorship. As she said, "a library not a monitored TV". Everyone should be able to create content without being subjected to censorship.
Interestingly, Lynn had seen evidence of the vulnerability in Chinese forums; the knowledge was out there already… yet he was not allowed to discuss it.
We rely on the cloud for everything in our modern, technology-driven lives, but as Granick describes, "the cloud is not a collection of water drops"; it is a centralized place controlled by a few large companies. She challenged the audience, asking how many of them blog on their own site versus posting on Facebook.
A Place For The People, By The People
I personally hope that if another Lynn discovers such a significant vulnerability today, the Black Hat community and management will accept its disclosure with open arms. But perhaps there is another middle ground that is more appropriate. Maybe we should have a private place, 'for the people, by the people', where sensitive knowledge can be shared. Not necessarily shared with everyone, but with the relevant parties who can do something to prevent extensive damage, and not subject to a specific entity dictating what can or cannot be shared. A bazaar not a cathedral, a library not a monitored TV.
As Granick summarised: “Start creating the technology for the next cycle of revolution”.
We certainly hope we do our part.
Guy Wertheim, August 7, 2015