Subject: Re: another backupexec exploit
From: "Geo"
"Frank Haber" wrote in message
news:43590192{at}w3.nls.net...
> This is not Rich's blackmail; it's creative pressure - a nice balance. Of
> course, if you didn't get results....(g).
I learned from the NT team that I *can* make a small but significant (at
least to me) difference.
Wanna hear about my new project to make a difference? Know how obnoxious it
is to patch cisco routers because they do the upgrade thing instead of the
patch thing and they are very tight with handing out free updates to anyone
who doesn't have a maintenance contract? Well I aim to be creative and put
some pressure on them.
I started off the same way, on the security lists I questioned why cisco
can't issue patches as freely as Microsoft does. That led to a writer who
is doing an article on securing cisco routers wanting to talk to me.
During the 45-minute phone interview he asked a very important question:
what could you do if you rooted a router? I explained BGP and how
corrupting the BGP table on a trusted router could take down a large
section of the internet, and even gave him a reference to the Mai Internet
services incident which took out the whole east coast by accident due to a
bad route being entered. I guess none of the other people he had talked to
explained how widespread this could be because he seemed really interested
in it.
I also mentioned Michael Lynn and how he proved at blackhat that it's
possible to root a router instead of just crash it so that he understood
the connection between that and the Mai Incident.
Anyway, that was a couple days ago, then last night Level 3 goes down (and
takes verio with them) because of something very similar and so I emailed
this writer that here was a good example of how access to one router could
wipe out a huge section of the net which led to this
http://www.internetweek.com/news/172303311 article today.
I can't wait to see how he puts this all together for the securing cisco
routers article but my main point to him was that cisco needs to address
the issue of making patches instead of upgrades in order to make the
security fixes freely available to everyone even if they don't have a
maintenance contract. Something cisco should easily be able to do when
their new IOS comes out rsn since it's going to be modular. I'm hoping the
pressure convinces cisco to make that upgrade free as a security
fix/improvement.
It's all in the timing.
Geo.
--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SOURCE: echomail via fidonet.ozzmosis.com