Folks, we need to be clear about what exposure means. No disrespect to Mr. Lynn but I have zero doubt that people other than Mr. Lynn know exactly what he was talking about and have known for a long time (like way before it was patched by Cisco).

All vulnerabilities exist before they are exposed. I have to stress this a lot with the security students I teach who tend to think vulnerabilites date from when a patch was issued. Vulnerabilities in Cisco IOS (or IIS, or BSD, or whatever) have 'always' been there. They did not come into existence when a talk about exploiting them was given. Hence, keeping quiet about them only helps the people who are already exploiting them. Remember, the 'best' hackers don't leave traces.

E.g. someone who uses a vulnerability to perform stealthy monitoring of Internet traffic without a court order is hardly likely to tell people about it, and frankly they may have limited interest in seeing it fixed.

What you describe in your excellent article is a group of people trying to learn for themselves what others already know but won't share.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/11263/32270#32270