rense.com



Whistleblower Faces
FBI Probe

By Kim Zetter
Wired.com
7-29-5
 
The FBI is investigating a computer security researcher for criminal conduct after he revealed that critical routers supporting the internet and many networks have a serious software flaw that could allow someone to crash or take control of them.
 
Mike Lynn, a former researcher at Internet Security Systems, said he was tipped off late Thursday night that the FBI was investigating him for violating trade secrets belonging to his former employer, ISS.
 
Lynn resigned from ISS Wednesday morning after his company and Cisco threatened to sue him if he spoke at the Black Hat security conference in Las Vegas about a serious vulnerability that he found while reverse-engineering the operating system in Cisco routers. He said he conducted the reverse-engineering at the request of his company, which was concerned that Cisco wasn't being forthright about a fix it had recently made to its operating system.
 
Lynn spoke anyway, discussing the flaw in Cisco IOS, the operating system that runs on Cisco routers, which are responsible for transferring data over much of the internet and private networks.
 
Although Lynn demonstrated for the audience what hackers could do to a router if they exploited the flaw, he did not reveal technical details that would allow anyone to exploit the bug without doing the same research he did to discover it.
 
Both companies knew about Lynn's plan to talk for a while and originally supported it. But at the last minute the companies tried to halt the presentation or force Lynn to allow Cisco representatives to speak as well. They threatened Lynn with a lawsuit if he talked and made good on that threat after his appearance, when they filed a restraining order to prevent him from saying anything else about the flaw.
 
The company said the vulnerability was not new and that it had already patched the problem in April and sent revised software to customers. Lynn said, however, that Cisco did not tell customers exactly why the software was revised or indicate that the update was a critical patch. As a result, he said, system administrators didn't understand the urgency for patching their system. Cisco denied that the flaw was as critical as Lynn said it was.
 
Prior to the talk Cisco, with agreement from the conference organizers, hired temporary workers to rip out pages from a conference book that contained images of the slides from Lynn's presentation. They also replaced the conference CD-rom with a new disc that was absent the presentation. This hasn't stopped people from obtaining the presentation, however. A site on the internet has posted it for people to download.
 
The news came just hours after Lynn signed a settlement with Cisco and ISS releasing him from civil liability in exchange for several conditions. Lynn was to provide a mirror image of all computer data he has and give it to a third party for forensic analysis. This was likely to determine if he had stolen proprietary information from ISS or Cisco or broken any other laws. His research material on the vulnerability would then have to be erased. Lynn also was prohibited from discussing any information about the bug in the future.
 
"I was really mad at ISS before and now I'm extremely disappointed," Lynn told Wired News. "At this point, they're just trying to milk it for punitive damages. We already had a standing agreement, and now they're trying to attack me in some other way."
 
The FBI declined to discuss the case.
 
"Our policy is to not make any comment on anything that is ongoing. That's not to confirm that something is, because I really don't know," said FBI spokesman Paul Bresson.
 
But Lynn's lawyer, Jennifer Granick, confirmed that the FBI told her it was investigating her client.
 
Granick said, however, that she thought the agency was simply following through on a complaint it received when Cisco and ISS filed their lawsuit against Lynn and that it didn't come after her client reached his settlement. She didn't know the nature of the complaint but said it was probably something to do with intellectual property and that it most likely came from Cisco or ISS.
 
"The investigation has to do with the presentation," she said, "but what crime that could possibly be is unknown because they haven,t found any (evidence against him)."
 
She hadn't spoken with the U.S. attorney in charge of the investigation but said she thought it was possible that the investigation would wind down soon for lack of evidence, now that Lynn had reached an agreement with Cisco and ISS.
 
"There's no arrest warrant for (Lynn) and there are no charges filed and no case pending," Granick said. "There may never be. But they got a complaint and as a result they were doing some investigation."
 
Black Hat ended Thursday afternoon, but it's being followed by the hacker conference, DefCon, which runs in Las Vegas Friday through Sunday and is organized by the same person, security professional Jeff Moss. Many of the same people who attended Lynn's talk, including FBI and other government agents who regularly attend the security conferences, will be at the second conference as well.
 
Lynn said that if the case was not dropped, he thought it unlikely that the FBI would try to arrest him this weekend.
 
"I think they got burned with the Dmitry Sklyarov case," he said.
 
Sklyarov was a Russian programmer who, in 2001, reverse-engineered the software in Adobe's e-book and handed out CD-roms at DefCon containing a program that would allow people to circumvent the copy protection in Adobe's digital books to download and read the books without restriction.
 
The FBI, at Adobe's urging, arrested Sklyarov the morning after the conference ended before he returned home on charges that he violated the Digital Millennium Copyright Act for reverse-engineering its system. The move launched protests against Adobe, which resulted in a lot of bad publicity for the company. The government ultimately dropped its case against Sklyarov.
 
Granick said she did not think the FBI would arrest Lynn.
 
"Definitely not," she said. "I don't have any sense at all that that's where they're going. I don't know what the circumstances are under which anyone contacted the FBI. It may very well be that given that we settled the civil case yesterday, this is over. I'm hoping that's the case but if it's not, there's a lot of opportunity for people to be very concerned about it."
 
© Copyright 2005, Lycos, Inc. All Rights Reserved.
 
http://wired.com/news/politics/0,1283,68356,00.html?tw=wn_tophead_3
 

Disclaimer






MainPage
http://www.rense.com


This Site Served by TheHostPros