- The FBI is investigating a computer security researcher
for criminal conduct after he revealed that critical routers supporting
the internet and many networks have a serious software flaw that could
allow someone to crash or take control of them.
- Mike Lynn, a former researcher at Internet Security Systems,
said he was tipped off late Thursday night that the FBI was investigating
him for violating trade secrets belonging to his former employer, ISS.
- Lynn resigned from ISS Wednesday morning after his company
and Cisco threatened to sue him if he spoke at the Black Hat security conference
in Las Vegas about a serious vulnerability that he found while reverse-engineering
the operating system in Cisco routers. He said he conducted the reverse-engineering
at the request of his company, which was concerned that Cisco wasn't being
forthright about a fix it had recently made to its operating system.
- Lynn spoke anyway, discussing the flaw in Cisco IOS,
the operating system that runs on Cisco routers, which are responsible
for transferring data over much of the internet and private networks.
- Although Lynn demonstrated for the audience what hackers
could do to a router if they exploited the flaw, he did not reveal technical
details that would allow anyone to exploit the bug without doing the same
research he did to discover it.
- Both companies knew about Lynn's plan to talk for a while
and originally supported it. But at the last minute the companies tried
to halt the presentation or force Lynn to allow Cisco representatives to
speak as well. They threatened Lynn with a lawsuit if he talked and made
good on that threat after his appearance, when they filed a restraining
order to prevent him from saying anything else about the flaw.
- The company said the vulnerability was not new and that
it had already patched the problem in April and sent revised software to
customers. Lynn said, however, that Cisco did not tell customers exactly
why the software was revised or indicate that the update was a critical
patch. As a result, he said, system administrators didn't understand the
urgency of patching their systems. Cisco denied that the flaw was as critical
as Lynn said it was.
- Prior to the talk, Cisco, with agreement from the conference
organizers, hired temporary workers to rip out pages from a conference
book that contained images of the slides from Lynn's presentation. They
also replaced the conference CD-ROM with a new disc that omitted the
presentation. This hasn't stopped people from obtaining the presentation,
however. A site on the internet has posted it for people to download.
- The news came just hours after Lynn signed a settlement
with Cisco and ISS releasing him from civil liability in exchange for several
conditions. Lynn was to provide a mirror image of all computer data he
has and give it to a third party for forensic analysis. This was likely
to determine if he had stolen proprietary information from ISS or Cisco
or broken any other laws. His research material on the vulnerability would
then have to be erased. Lynn also was prohibited from discussing any information
about the bug in the future.
- "I was really mad at ISS before and now I'm extremely
disappointed," Lynn told Wired News. "At this point, they're
just trying to milk it for punitive damages. We already had a standing
agreement, and now they're trying to attack me in some other way."
- The FBI declined to discuss the case.
- "Our policy is to not make any comment on anything
that is ongoing. That's not to confirm that something is, because I really
don't know," said FBI spokesman Paul Bresson.
- But Lynn's lawyer, Jennifer Granick, confirmed that the
FBI told her it was investigating her client.
- Granick said, however, that she thought the agency was
simply following through on a complaint it received when Cisco and ISS
filed their lawsuit against Lynn and that it didn't come after her client
reached his settlement. She didn't know the nature of the complaint but
said it was probably something to do with intellectual property and that
it most likely came from Cisco or ISS.
- "The investigation has to do with the presentation,"
she said, "but what crime that could possibly be is unknown because
they haven't found any (evidence against him)."
- She hadn't spoken with the U.S. attorney in charge of
the investigation but said she thought it was possible that the investigation
would wind down soon for lack of evidence, now that Lynn had reached an
agreement with Cisco and ISS.
- "There's no arrest warrant for (Lynn) and there
are no charges filed and no case pending," Granick said. "There
may never be. But they got a complaint and as a result they were doing
- Black Hat ended Thursday afternoon, but it's being followed
by the hacker conference, DefCon, which runs in Las Vegas Friday through
Sunday and is organized by the same person, security professional Jeff
Moss. Many of the same people who attended Lynn's talk, including FBI and
other government agents who regularly attend the security conferences,
will be at the second conference as well.
- Lynn said that if the case was not dropped, he thought
it unlikely that the FBI would try to arrest him this weekend.
- "I think they got burned with the Dmitry Sklyarov
case," he said.
- Sklyarov was a Russian programmer who, in 2001, reverse-engineered
the software in Adobe's e-book reader and handed out CD-ROMs at DefCon containing
a program that would allow people to circumvent the copy protection in
Adobe's digital books to download and read the books without restriction.
- The FBI, at Adobe's urging, arrested Sklyarov the morning
after the conference ended before he returned home on charges that he violated
the Digital Millennium Copyright Act for reverse-engineering its system.
The move launched protests against Adobe, which resulted in a lot of bad
publicity for the company. The government ultimately dropped its case against
- Granick said she did not think the FBI would arrest Lynn.
- "Definitely not," she said. "I don't have
any sense at all that that's where they're going. I don't know what the
circumstances are under which anyone contacted the FBI. It may very well
be that given that we settled the civil case yesterday, this is over. I'm
hoping that's the case but if it's not, there's a lot of opportunity for
people to be very concerned about it."
- © Copyright 2005, Lycos, Inc. All Rights Reserved.