Black Hat Organizer Unbowed
Black Hat Organizer Unbowed - As Ciscogate closes, the man behind the Black Hat security conference reflects on the impact of the controversy on computer security research and network safety across the globe. Wired News interview by Kim Zetter. [Security Blanket]
Recently, Cisco Systems released its patch for what is known as the “Black Hat Bug,” a fatal flaw that can disrupt the operating system running on Cisco routers. Cisco routers are devices that move traffic through much of the internet and are used in many corporate networks. The controversy surrounding the Black Hat bug stems essentially from the way in which Cisco handled the publicity regarding the incident and dealt with the researchers who uncovered the flaw. In addition, Cisco and the Black Hat bug have ignited a debate on full disclosure and company privacy in the internet age.
Mike Lynn, a computer security researcher, is at the center of the controversy. He and his team found the problem with the Cisco routers, and were immediately praised for their efforts to disclose and share the problem with various corporate IT departments. Last July, Lynn was a speaker at a security conference held in Las Vegas regarding the Black Hat bug and other unrelated security glitches. He demonstrated how the bug worked and the havoc it could wreak on the routing system.
As a companion to the talk at the conference, Internet Security Solutions and Mike Lynn and his team had put together a security booklet in which Cisco had included reading material regarding their routers and CD-ROMs with information about product security. However, just a day before the conference, Cisco representatives did an about-face and pulled all the material out of the books and CD-ROMs, claiming that the material contained proprietary source code that could essentially drive the company to ruin. People working the conference then spent hours removing all the CD-ROMs from the booklets, and everything seemed to be fixed. The founder of the Black Hat conference, Jeff Moss, states in his interview with Wired Magazine, “The (revised) CDs were starting to show up, and it looked like everything was fine. Cisco was happy, ISS was happy, and it looked like we dodged that bullet.”
However, much to Lynn and Moss’s surprise, almost immediately following the conference, FBI agents began investigating Lynn for “theft of trade secrets.” ISS was responsible for opening the investigation, and the accusations stemmed from the inclusion of the source code on the CD-ROMs and the disclosure of the bug in the first place. The legal investigation and wrangling finally came to a close a few weeks ago, and the FBI case is now officially closed.
From reading about and researching this case, I wholeheartedly believe that Cisco’s altering of the CD-ROMs, ISS’s charge of “trade secret theft,” and all the legal wrangling that ensued really had nothing to do with “proprietary information,” and had everything to do with trying to quiet criticism of their product. It seems like more and more companies are trying to cover up fatal flaws in their systems or trying to offer quick fixes for bugs in an effort to quietly brush things under the rug and avoid a public uproar. We saw it just recently with the Sony rootkit case. In this case, Cisco wanted to avoid loss of profit and respect in the tech world, so when someone blew the whistle on the flaws in their routers, they immediately tried to silence and punish the research team that found the problems. Such practices by big corporations threaten the advancement of innovation and consumer confidence. Moss states in the article that this can happen to anyone who blows the whistle on a big company and “it’s just going to be a big stifling of innovation, and it’s going to drive researchers underground.” Technology corporations should either build perfect devices, or be prepared to be honest with the public when they are not perfect.
