Cisco: Dare To Be StupidCisco: Dare To Be Stupid

First things first: There is now a legal defense fund accepting contributions on behalf of ex-ISS researcher Mike Lynn, who now faces a possible FBI criminal investigation. You can PayPal donations to [email protected]. EFF will get any leftover funds.If you're just tuning in to this freak show here's a quick summary:

Over the past four days, Cisco's management turned a molehill into Mount Everest, and they're still shoveling furiously. I admit I'm a fan of hyperbole, but stupidity on this scale defies exaggeration.

Lynne's presentation was an unlikely candidate for a Wall Street Journal feature until Cisco squeezed its "deal" out of the invertebrates who pass for executives at Internet Security Systems. Then, with each subsequent move -- harassing and threatening both Lynn and the Black Hat organizers; alleging that Lynn broke the law by following wiely accepted responsible disclosure procedures; and finally, slapping restraining orders on him and on several sites mirroring his presentation materials -- Cisco turned up the media spotlight again and again, systematically achieving the exact opposite of what it wanted.

You'd expect this kind of behavior from a record-industry executive, bless its shriveled little heart. You're getting it, unfortunately, from the executives at a company whose hardware touches most of the planet's Internet traffic.

Cisco's management may or may not care about the PR fallout -- that will pass in time, anyway. They certainly care, however, that hundreds of sites are mirroring Lynn's presentation by now, including many in jurisdictions where a U.S. court order is gonna leave 'em laughing until they wet their pants.

Or if a Web mirror is just too twentieth-century for you, there's always BitTorrent or anonymity-shielding equivalents such as I2P and TOR: all open-source, and all decentralized, headless, and utterly impossible to cleanse by court order.

Incidentally, Lynn settled Cisco's lawsuit against him late last week by agreeing not to comment any further and to return any related information to ISS. That was good news: Lynn followed his conscience well past the point where his own sense of self-preservation should have stopped him, and of course he's now unemployed (one of his slides during the Black Hat talk was apparently a copy of his resume)

Lynn accomplished his goal: Cisco won't have the luxury of sweeping a major security problem under the rug or playing it off as old news. The material in Lynn's presentation and his comments before settling with Cisco are enough to ensure that the company works with customers to patch the vulnerabilities and that its customers have the information they need to keep Cisco honest.

As for those vicious attack chickens at ISS, the future is likely to be short and ugly:

At this point, it's safe to say that ISS and its remaining customers, if there are any, deserve one another.

Finally: Will Cisco manage to change the subject before its customers think too long and hard about the implications of Lynn's research? I doubt it, although the payback is likely to be a far more drawn-out affair than Lynn's weekend trip to hell. Litigation is never a good thing, but in this case, a shareholder lawsuit might work wonders on the quality of Cisco's decision-making processes.