Schneier on Security: Cisco Harasses Security Researcher

Cisco’s customers want information. They don’t expect perfection, but they want to know the extent of problems and what Cisco is doing about them. They don’t want to know that Cisco tries to stifle the truth:

Joseph Klein, senior security analyst at the aerospace electronic systems division for Honeywell Technology Solutions, said he helped arrange a meeting between government IT professionals and Lynn after the talk. Klein said he was furious that Cisco had been unwilling to disclose the buffer-overflow vulnerability in unpatched routers. “I can see a class-action lawsuit against Cisco coming out of this,” Klein said.

ISS didn’t come out of this looking very good, either:

“A few years ago it was rumored that ISS would hold back on certain things because (they’re in the business of) providing solutions,” [Ali-Reza] Anghaie, [a senior security engineer with an aerospace firm, who was in the audience,] said. “But now you’ve got full public confirmation that they’ll submit to the will of a Cisco or Microsoft, and that’s not fair to their customers…. If they’re willing to back down and leave an employee … out to hang, well what are they going to do for customers?”

Schneier also said he was impressed with Lynn’s personal integrity in the matter.

It really worries me that a company that holds a major share of the security of the very ‘infrastructure’ of the Internet (through their products), which interoperate with servers and users around the world, has such a shoddy attitude.

Instead of wasting money on legal fees, the money would be better spent on fixing the problem, which would give them some free good PR and put them in better standing with those who help keep their software safer.

Instead, they appear to be a company that will make so little of such a very dangerous possible vulnerability, and all they can say is that it may be worse than we thought? Especially since it appears that there are those already working on exploits, and do we really think that terrorists are so inept that they will not figure out how to do this?

A company that will bully and attack a researcher like this!

This is very disheartening.