Cisco issuing Gag Orders?
As if it weren't enough that someone found an embarrassing flaw in Cisco's IOS software, they compound the issue by trying to get the presentation at the Black Hat Security conference thrown out. Cisco should, if they were smarter, take Michael Lynn out and buy him a 6-pack. I can understand Cisco's concern over this, and I can also understand why they would not want their dirty laundry aired in front of the entire security community, but strong-arming and basically trying to gag the whistleblower is not the way to gain your customers' trust.
Public disclosure of major security flaws should be welcomed because it allows IT and IT security managers to make proper decisions regarding the products they purchase. This makes for a more robust computing environment in government and in the public sector. If a company can't develop good products, then it shouldn't succeed, period. Cisco should patch its IOS software for free, and they should have come out with the issue themselves when they noticed it. This move actually has government written all over it. What probably went down, and this is all speculation, is that Cisco's engineers discovered the bug a while ago but were prevented from disclosing it because of the danger to "National Security." Cisco can't come out and say this, but I have the feeling that they were compelled to keep this information from the community because of the potentially destructive situation it could cause. If this is the case, then I do feel for Cisco, because revealing critical flaws in the infrastructure that almost all businesses use, in the wrong way, is really pretty awful. Still, once the cat's out of the bag, it's out. You can't stuff it back in with threats; you only make a bad situation worse. Bad Cisco!