The leak of the controversial Cisco IOS security presentation is continuing to draw legal threats on those hosting a pdf copy on their servers.
Security research company Internet Security Systems (ISS), the company at the centre of the saga, has sent a cease-and-desist letter to Richard Forno, a security researcher who just hours earlier had posted the presentation slides to his InfoWarrior.org site.
The letter from ISS' lawyers, believed to be but one of many, accused Forno of publishing stolen proprietary information and threatened legal action if he did not remove the ISS material.
Forno said in a letter on the site that he decided to pull the slides but added angrily: "Had the two companies involved said nothing about this briefing, it's quite likely that few if any people or news outlets would've given it more than a passing thought. But as a result of their heavy-handed tactics this week, both Cisco and ISS have ended up publicising a serious vulnerability quite significantly and thusly re-ignited the discussion over how the Internet security community handles vulnerability disclosure and product updates."
A Cisco spokesman downplayed his company's involvement. "We're not sending out those letters. ISS is doing that through their law firms," he said. ISS declined to comment for this story.
The legal threats are unlikely to have much of an impact however. The material is already available on a string of other websites and the ongoing controversy has drawn more and more people to the case. Two versions of the presentation have since appeared, as well as photographs of the actual presentation at the Red Hat conference in Las Vegas. Anyone likely to understand the full import of the slides will easily locate the presentation.
Cisco has since produced an advisory on the holes in its IOS software - patched back in April, following wider awareness of the situation.
One of the other high-profile hosters of material surrounding the case, Cryptome, was unable to say whether it had received similar legal threats but its administrator, John Young, said it was Cryptome policy to ignore any such threats. The site has since added a page covering discussions of the Lynn presentations.
The controversy has ignited debate within the security community about the limits of responsible disclosure and whether companies such as Cisco are helping hackers or users through the public discussion of security flaws. To most Black Hat attendees interviewed last week, Cisco and ISS's actions clearly went too far.
One attendee said that companies such as Cisco should embrace this type of disclosure. "I look at it this way: It's free research," said Robert Gregory, an Information Assurance Engineer with Northrop Grumman's TASC division. "You've got the entire IT community doing research for you, and it's not costing you a dime."