Television and Radio:
Recent Articles or Interviews:
Local Archives of Newspaper and Online Reporting:

11 August 2005: I was asked by a reporter today to comment on my experience in dealing with Cisco regarding security issues and vulnerability reporting. Here is my response for those interested:

When I worked with Cisco on the TCP Reset issue, I quickly noticed the problems that many researchers have in talking with large companies. I initially emailed two of Cisco's engineers, who responded promptly. They were extremely helpful and even contributed some thoughts and ideas for my research. However, once the issue was identified as a serious security risk by the legal team at Cisco, the tone of the communication changed immediately. I was advised by my contacts at Cisco that they wanted me to continue providing them more information and answering their questions, but they could not respond with anything in return. I had provided them with several possible methods to correct the problem, but they refused to answer when I asked what the progress on the issue and the fixes was. One engineer advised me he was not even allowed to acknowledge that a problem existed, because their legal department restricted anyone in the company from providing anyone information on the issue. This was clearly absurd, since I was the person who notified them of the issue.

When Cisco later announced that they had patented a fix for the issue, I was shocked. Their fix was clever, but it really broke my trust in them. Software vendors (like Cisco) want security researchers to notify them about vulnerabilities before announcing them to the general public, and I believe that is a good idea. But Cisco took advantage of this 'quiet' period and decided to issue a patent. It is almost like insider trading on Wall Street, and it has bugged me more and more as time goes on. The security problem affected almost every vendor of networking equipment, and the fix should be freely available to everyone without the fear of patent infringement.

Cisco claims they issued the patent for defensive purposes only, but simply announcing their solution in an open forum would have placed it in the public domain, which would have prevented anyone else from patenting the fix since prior art would have existed. Stifled by the lack of communication with Cisco, I advised them that I would be presenting my research in 45 days at the CanSecWest Security Conference in April of 2004. The conference organizer, Dragos Ruiu, notified me a short time later that Cisco and the U.S. Department of Homeland Security had asked him to pull my talk and prevent me from speaking. CanSecWest refused their request and allowed me to present my research as scheduled. The deadline succeeded in spurring action, as the fixes were implemented just a few days before my presentation at the conference.
All Rights Reserved 2004. Paul (Tony) Watson