Cisco, Black Hat litigation comes to a close

LAS VEGAS -- A litigation nightmare that began Wednesday for security researcher Michael Lynn and Black Hat Briefings organizers came to an end one day later when an agreement was reached Thursday afternoon with Cisco Systems and Internet Security Systems.

Lynn quit his job as a security researcher at ISS just two hours before his presentation began, then came the announcement from Cisco and ISS that a cease and desist order was on its way, as well as criminal charges.

"I think I did the right thing, it was worth what I was going to go through" Lynn said of his presentation. "There was the potential of a serious problem coming in the future, and I didn't think the nation's best interests were served by waiting. We pretty much averted a disaster."

That "disaster" was a remote root flaw Lynn said could destroy the Internet. But, he added, if companies are up to date on patches, they're probably fine.

Lynn and conference organizer Jeff Moss signed a permanent injunction forbidding them from disclosing or disseminating in any way the presentation Lynn gave at Black Hat Briefings on Tuesday morning that revealed details of a Cisco IOS flaw patched in April. Lynn is also barred from making further presentations at Black Hat or DefCon, which is held this weekend. Other stipulations prevent Lynn from decompiling Cisco code currently in his possession, identifying anyone to whom he provided either the presentation or exploit code, and returning all ISS-owned materials to the company.

A remaining bone of contention with many conference attendees is Cisco labeling the ordeal a case of "irresponsible disclosure." As Lynn noted, Cisco's release issued Wednesday said no new flaw was reported, but also stated that he failed to follow responsible disclosure guidelines. A Cisco spokesman said that referred to "code and pointers -- materials he had agreed he wouldn't present."

Other Black Hat coverage Should Michael Lynn have shut his mouth? Security researcher causes furor over Cisco IOS exploit Users in uproar over Cisco/ISS legal action VeriSign raises stakes in threat intelligence battle Beefed up OWASP 2.0 introduced at Black Hat VoIP to have 'Pretty Good Privacy'

Depending on whom you ask, a miscommunication arose between any number of the parties involved, but resulted in Cisco attempting to pull "sensitive" information from the session only a day before it was to be unveiled. ISS had vetted the presentation more than three months prior, Moss said Thursday at a press conference, and had several opportunities to request modifications. Cisco apparently wasn't in the loop early on and believed the details of the flaw would be limited to a short abstract and some information on the Black Hat Web site. Moss said Cisco was a good sport about much of the situation and offered to pay for new conference proceedings on CDs, which it distributed at the conference.

Lynn said he was expecting the worst by continuing with his presentation, but was still shocked by what happened when he finished speaking. "Right after my talk, a big guy comes up to me, pulls out a badge and says, 'We need to talk…now,'" said Lynn. "He pulls me into a maintenance hallway with a bunch of other law enforcement guys and asks where the van is. I start to freak and he says, 'Just kidding, man, you rock. Thanks for letting us know what's going on.'"

"It was nice to see that much support from the government," he added.

Though he lost sleep over the issue this week, Black Hat's Moss doesn't really plan to treat his presenters any different in the future. "The thing that scared me," Moss said, "is that this could have killed my entire show. But I can't use a hook to pull someone from the stage the minute they deviate from a slide."