
Thread: How should Cisco have dealt with their security flaw?

  1. #1
    HEXUS webmaster Steve's Avatar
    Join Date
    Nov 2003
    Posts
    14,283
    Thanks
    293
    Thanked
    841 times in 476 posts

    How should Cisco have dealt with their security flaw?

    So what is the best way to deal with security issues? Being open with the problem will increase awareness and (hopefully) result in all customers updating and patching as necessary. For those bugs that nobody but the programmers know about, quietly rolling out a fix in the next update might be wise. So what if a security researcher wants to make a presentation about a security flaw in your routers that you'd rather he didn't make? What Lynn did may have been a little naughty, after all he did quit his job to enable him to make the presentation, but similarly the 'cover up' attempt has resulted in more hackers attempting to map out the exploit. The most dangerous problem here being that the people that know most about the exploit are good at hacking. One bad apple could cause a lot of trouble.
    http://www.hexus.net/content/news/ne...lld19JRD0xNDI5
    Last edited by Steve; 01-08-2005 at 11:58 AM.
    PHP Code:
    $s = new signature();
    $s->sarcasm()->intellect()->font('Courier New')->display(); 

  2. #2
    Hexus.net Troll Dougal's Avatar
    Join Date
    Jun 2005
    Location
    In your eyeball.
    Posts
    2,750
    Thanks
    0
    Thanked
    0 times in 0 posts
    I'd have thought that Cisco would have made their people sign a non-disclosure agreement. Waved that in his face first.

    Normal NDAs give 12 months after the person has left before they can do/say anything.

    Then got the guy to show them it, then fix the ruddy problem. If it's such a big flaw and the net relies on the vulnerable routers then Cisco's rep would have gone higher (if poss) for fixing it!
    Quote Originally Posted by Errr...me
    I MSN offline people
    6014 3DMk 05

  3. #3
    HEXUS webmaster Steve's Avatar
    Indeed as far as I know the flaw remains exploitable only locally, but perhaps Cisco feared somebody would find a way of exploiting it remotely?

  4. #4
    Hexus.net Troll Dougal's Avatar
    But they still have a major security hole to repair, they didn't do themselves any favours by doing all this stuff. They should have stopped it at the source of the problem.

    It may have taken a week or two to repair the exploit and another couple of weeks to deploy it.

    But how much warning did they get? We got a few days (IIRC).

  5. #5
    Hexus.net Troll Dougal's Avatar
    http://www.wired.com/news/privacy/0,...w=wn_tophead_1

    Just read this on Wired.

    Damn good and it looks like the reason it was publicised was because of ISS wanting to get back at Cisco.
