Michael Lynn
Michael Thomas Lynn is an American computer security expert currently employed by Juniper Networks and known for his presentation on vulnerabilities in Cisco IOS at Black Hat and the controversy with Cisco Systems that followed. He was formerly an employee of Internet Security Systems (ISS).
Education
Lynn attended Trinity High School in Euless, Texas, and then attended the University of Texas at Austin, majoring in mathematics. As of 2009, he attends the University of Illinois Urbana-Champaign working on a degree in computer science.
Cisco controversy
Lynn came to widespread attention in July 2005 following a controversy, informally known as "Ciscogate", that resulted from his research into a major security vulnerability of Cisco IOS, the operating system used on Cisco Systems routers and other networking equipment. The vulnerability concerned IOS' handling of IPv6 packets and whether or not the problem could allow the routers to be exploited remotely. Although Cisco had originally discovered and fixed the flaw in April 2005, they did not inform their users of the true nature or severity of the problem.
Lynn was originally scheduled to present his findings at the Black Hat conference on July 27, 2005. The presentation had been originally approved by his employer ISS, and did not mention details of any vulnerability. It instead focused on the fact that vulnerabilities in IOS could be exploited, similar to other computer systems.
Although Lynn had taken considerable care to remove as much technical detail as possible from his presentation, in order to make it more difficult for criminals to duplicate his work, Cisco and then later ISS objected to the talk and threatened legal action just hours before the conference. The Black Hat organizers therefore allowed a team hired by Cisco to remove the relevant sections from all conference materials; a short video of the removal was soon circulated on the internet.
Lynn was warned by Black Hat not to give his speech and promised the organizers not to. He ostensibly started an alternative talk on VoIP, which was met by booing from the audience. Lynn delivered his previously scheduled presentation despite the implications, bringing him international media attention. Though there have been conflicting reports over the timing and nature of Lynn's departure from his employer ISS, Lynn was told by ISS that he would be fired if he made his original presentation. Lynn then resigned voluntarily approximately one hour prior to delivering the original presentation as he had intended. Lynn ended the talk by asking about possibilities for new employment from the audience. He was hired by Juniper Networks a few months later.
Lynn was initially represented at the conference by noted cyber law attorney Jennifer Granick. The lawsuit filed by Cisco and ISS was settled with a permanent injunction upon both Lynn and Black Hat against further disclosure of information on the exploit.
At the 2006 Black Hat event, Mike Lynn was invited by Cisco to attend the after-Black Hat party at PURE, located inside Caesars Palace. Media reports that Mike "crashed" the party by social engineering the host are in dispute.
External links
- Cisco acts to silence researcher - BBC News story (July 28, 2005)
- Researcher Resigns Over New Cisco Router Flaw - Slashdot story (July 28, 2005)
- Lynn Settles With Cisco, Investigated By FBI - Slashdot story (July 29, 2005)
- Router Flaw Is a Ticking Bomb - interviewed by Kim Zetter for Wired News (August 1, 2005)
- An Insider's View of 'Ciscogate' - Jennifer Granick on the Cisco controversy (August 5, 2005)
- Exploiting Cisco with FX - technical interview about Lynn's exploit and what can be done when attacking IOS (August 31, 2005)
- Abaddon's blog at MemeStreams
- http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml Cisco announcement of vulnerability that Lynn discovered