At the Black Hat security conference in Las Vegas in July 2005, one presentation caused unprecedented excitement. A technical researcher promised to reveal details of a vulnerability in Cisco's Internet Operating System (IOS) – the software that powers most of the Internet's routers. Mike Lynn showed delegates how routers could be vulnerable to attack. It was made more contentious as he had discovered the weakness while working for Internet Security Systems (ISS); his employer had instructed him not to reveal the information.
Lynn had found a way to run ‘attack code' on IOS, which controls millions of Cisco routers across the Internet, using a previously known flaw. Such a technique could have widespread uses, and cause widespread damage.
"I'm probably about to be sued to oblivion, (but) the worst thing is to keep this stuff secret," Lynn told his audience. "I had to quit [my job] to give this presentation because ISS and Cisco would rather the world [was] at risk. They had to do what's right for their shareholders."
Cisco imposed an injunction on Lynn following his presentation, banning him from making any further comment on the flaw, and assured its customers that the flaw was well understood and nothing to worry about. Reaction to Lynn's actions was split between those that think he is helping hackers exploit IOS and those that believed that hackers would already be well aware of the vulnerability and that Lynn was simply informing businesses of a serious flaw.
The commotion that followed quickly blew over, but the episode did raise important questions: What obligation are vendors under to publicise security flaws in their products? Does broadcasting the details of vulnerabilities increase or decrease the chance that someone will abuse them?
Representatives of the industry tend to support the argument that full disclosure of security shortcomings would only make a hacker's work a lot easier. On the side of the customers, though, there is a recognition that the more information they have about security risks, the better equipped they are to tackle them.