optionsScalper

Security: Uncovering deficiencies

Bruce Schneier has a great post about Michael Lynn here with a load of great comments. While I'm not qualified to comment on this issue and I don't have nearly the information that many who provide commentary there have, it is nonetheless interesting. For those unaware, Michael Lynn is a security researcher who presented at the BlackHat Conference in Las Vegas, NV on Thursday. He had uncovered a security flaw in the Cisco IOS while doing the research as an employee of ISS. His presentation was initially to be on the flaw, which appears to have been patched by Cisco in April 2005. Cisco and ISS, his employer at the time, approved the talk, then chose to ask him to provide an alternate talk as the show approached. He resigned from ISS, some reports state 2 hours prior to his talk. After he gave his talk on the original flaw under threat of lawsuit, Cisco and ISS filed a civil lawsuit claiming some breach of NDA and possession of illegal reversed code (or something to that effect). The civil lawsuit was settled under what appears to be a gag order on public disclosure of the material and return of the reversed source. The FBI was called in to investigate criminal charges filed presumably by ISS.

I urge you to visit Mr. Schneier's site for more details as I cannot do this story justice.  But what strikes me is the measure by which each viewpoint in this matter progresses.

I am a proponent of full-disclosure security in the public forum.  Unfortunately, there are a great many facts in this situation that are not yet clear.  My attempt here is to raise awareness, not further muddy the situation.

posted on Friday, July 29, 2005 8:34 PM by optionsScalper
