Cisco and Internet Security Systems (ISS) have filed a lawsuit against Michael Lynn and the Black Hat security conference. The two companies claim that information disclosed in a talk about a Cisco vulnerability is proprietary: http://news.com.com/2100-1002_3-5807551.html Now they appear (see below) to be sending nastygrams to conference attendees who posted information about Lynn's presentation to their own web sites. Right now they're attacking a mirror of the PDF, but why not a summary of the information in the PDF? Or a news article with technical information about the vulnerability? This slope is quite slippery. -Declan -------- Original Message -------- Subject: ISS serves takedown notice for Cisco briefing Date: Fri, 29 Jul 2005 22:59:45 -0400 From: Richard Forno <rforno@private> To: Infowarrior List <infowarrior@g2-forward.org> CC: Dave Farber <dave@private>, Bruce Schneier <schneier@private>, Declan McCullagh <declan@private> This evening, I received a cease-and-desist (e.g., takedown) notice from attorneys representing Internet Security Systems (ISS). Having received and reviewed their letter, I have removed the file containing Michael Lynn's controversial Blackhat presentation. A copy of the notice can be found at: http://www.infowarrior.org/users/rforno/lynn-cisco.pdf Looking back at this week's events, my sense is that had the two companies involved (Cisco and ISS) said nothing about this briefing, it's quite likely that few if any people or news outlets would've given it more than a passing thought like so many other vulnerabilities being reported this week in Vegas -- after which, it likely would have gotten caught up in the "noise" of regular security community chatter. But as a result of their heavy-handed tactics this week, both Cisco and ISS have ended up publicizing a serious vulnerability quite significantly and thusly re-ignited the discussion over how the Internet security community handles vulnerability disclosure and product updates. By serving takedown notices in response to such situations, a company demonstrates clearly that it is more concerned with preserving its commercial interest in intellectual property than fostering community awareness and knowledge pertaining to critical internet security issues. Improvements to internet security will NOT become a reality as the result of questionable secrecy or from commercial lawsuits that serve to mask the more substantial and fundamental problems within the information security industry and Internet community at large. Security through obscurity doesn't work, and neither does security through lawyering. These practices make the Internet more, not less, vulnerable. I will close with a note of appreciation to my web hosting provider for their understanding and assistance in resolving this situation promptly and satisfactorily for all concerned tonight. As for me, it's now time to enjoy the weekend. -Rick Infowarrior.org _______________________________________________ Politech mailing list Archived at http://www.politechbot.com/ Moderated by Declan McCullagh (http://www.mccullagh.org/)
This archive was generated by hypermail 2.1.3 : Mon Aug 01 2005 - 17:25:25 PDT