lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <42EA758F.4000504@science.org>
Date: Fri Jul 29 19:28:59 2005
From: jasonc at science.org (Jason Coombs)
Subject: Cisco IOS Shellcode Presentation

Frank Knobbe wrote:
> What he has done is not say "Here's a bug that I can exploit". He has
> said "This IOS is capable of exploitation beyond current belief". And it
> will be for the foreseeable future.


Precisely. And Lynn pointed out that Cisco routers use general purpose 
CPUs -- therefore Cisco's own engineers chose purposefully to build a 
vulnerable device.

Cisco is responsible for this entire mess. Had they engineered a secure 
product around a CPU that was not general purpose, none of this would be 
happening now.

No company that intentionally engineers a computing device around a 
general purpose programmable CPU should have the ability to press 
charges against security researchers who disclose security flaws in 
those devices.

Cisco is wrong to conclude that they can engineer a defective product 
and then allow the criminal prosecution of a person who simply asks the 
pointed question "Why did Cisco do this? It renders their product 
permanently defective, and here's the proof."

Somebody needs to explain this clearly to the FBI.

Cisco should be criminally prosecuted for telling lies to their 
customers and for abuse of process.

Regards,

Jason Coombs
jasonc@...ence.org

Powered by blists - more mailing lists