Lynn's actions at Black Hat weren't noble
It was a case of stolen intellectual property
August 31, 2005 12:00 PM ET - Computerworld
I read the latest Security Manager's Journal, "Peers Say Cisco Ended Up Wearing the Black Hat," written by C.J. Kelly, and I was somewhat surprised by the gist of the comments. But I guess I shouldn't be. It's another case where the details of a situation take a back seat to the hype surrounding it.
The controversy surrounding Michael Lynn making a presentation at the Black Hat event has given most people the impression that the events involve someone who is trying to let the world know about some critical vulnerability that Cisco Systems Inc. was hiding from the world. The details aren't as noble as the reality.
According to published reports, Lynn, during the course of his work at Internet Security Systems Inc., discovered a vulnerability in the Internetworking Operating System from Cisco. The exploitation of the vulnerability would result in control of the router. Cisco created a fix for the problem and released it without describing the details. At the same time, Lynn submitted a presentation about the vulnerability to the Black Hat conference, which was reviewed internally at ISS and disclosed to Cisco. At some point prior to the presentation, after the approvals were given out, ISS and/or Cisco changed its mind and wanted Lynn to edit the presentation. Lynn didn't want to and resigned his position. Despite warnings, Lynn still made his presentation at Black Hat.
Immediately prior to Lynn giving the presentation, he stated that he would be "sued into oblivion." I can only assume that this was in reference to the fact that he was warned that, since he created the presentation during his employment at ISS, the presentation was the property of ISS. That didn't change when he resigned. As a matter of fact, it likely made it worse, since he didn't have any legal right to access the materials after he left.
The fact is that the Lynn incident became an issue primarily involving the protection of intellectual property and consistent application of human resource guidelines. The question of proper disclosure is secondary. Lynn wanted to make the point that Cisco wasn't telling how critical the new vulnerability could be and that similar vulnerabilities could exist in the system. There were other ways he could have done that.
I agree that Cisco and ISS giving approval for the presentation and then withdrawing it is bad. I would also give a person credit for quitting because of a personal belief. However, what Lynn did after that is what created all the problems.
It's
