Cisco Systems’ response to the Federal District Court’s issuance of a permanent injunction against Michael Lynn and Black Hat, Inc. from further disclosure of code and code pointers that could aid in the development of an exploitation of a network infrastructure:
We are gratified with the court’s actions.
Cisco and ISS took action only as a last resort, to stop continued irresponsible public disclosure of illegally obtained proprietary information.
Cisco’s actions with Mr. Lynn and Black Hat were not based on the fact that a flaw was identified, rather that they chose to address the issue outside of established industry practices and procedures for responsible disclosure. It is Cisco’s opinion that the method Mr. Lynn and Black Hat chose to disseminate this information was not in the best interest of protecting the Internet.
The court’s order includes reference to the fact that ISS and Cisco had prepared an alternative presentation designed to discuss Internet security, including the flaw which Lynn had identified, but without revealing Cisco code or pointers which might help enable third parties to exploit the flaw, but were informed they would not be allowed to present that presentation at the conference. Once the stipulated permanent injunction is entered by the Court, Cisco and ISS will execute and file a dismissal of the Action against Michael Lynn and Black Hat, Inc.
In accordance with industry guidelines, Cisco, like other companies, generally does not release security notices until enough information exists to allow customers to make a reasonable determination as to whether or not they are at risk and how to mitigate possible risk. To clarify confusion caused by Lynn’s irresponsible disclosure and resulting customer concerns, the company is following its standard process for disclosing security concerns. Cisco plans to communicate with its customers and partners by issuing a security advisory within the next day.