Cisco Systems has settled a longstanding lawsuit in which federal and state agencies alleged a product was badly insecure and that the company knew about it for at least four years before it did anything. Not a good look.
Not only that, but Cisco will compensate a whistleblowing contractor who says he was fired for rocking the boat (although Cisco maintains his job was simply no longer needed).
And the PR statement is, well, let’s just say nuanced. In today’s SB Blogwatch, we unpick corporate wrongthink.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: movie grammar.
PR BS FTW
What’s the craic? Katie Benner and Kate Conger report—“Cisco to Pay $8.6 Million to Settle Government Claims of Flawed Tech”:
Cisco will pay civil damages in connection with software that it sold to various government agencies, including Homeland Security, the Secret Service, the Army, the Navy, the Marines, the Air Force and [FEMA]. Fifteen states, including New York and California, and the District of Columbia joined the Justice Department in the claim [filed] under the False Claims Act.
The government said the video surveillance software it bought from Cisco was “of no value” because it did not “meet its primary purpose: enhancing the security of the agencies that purchase it.”
The software vulnerability was identified in 2008 by … James Glenn … a Cisco subcontractor in Denmark when he discovered that he could hack into the video software and take over the surveillance system. [He] told Cisco that he had discovered a flaw that hackers could use to gain unauthorized access to the video surveillance system, manipulate information and bypass security measures.
[But] Cisco continued to sell the software with the vulnerability until July 2013.
Something smells fishy. Shaun Nichols takes a bath—“Networking giant in hot water”:
Attorneys for whistleblower James Glenn announced that the networking giant’s payout would settle the first ever US False Claims Act case to involve information security. For his trouble, Glenn (and his lawyers) stands to pocket $1.6m from the payout.
[He] filed the whistleblower complaint in 2011, accusing [Cisco] of knowingly selling Uncle Sam … copies of its Video Surveillance Manager (VSM) suite without disclosing a critical design flaw. [He] alleged Cisco knew the hole was present from 2008 to 2011 but did not warn its customers. … A successful exploit would potentially allow for a complete network takeover.
Glenn claimed that not only did Cisco try to keep the VSM vulnerability under wraps, but [Cisco] also fired Glenn … “in retaliation” [when] he tried to warn Cisco.
Ouch. New York AG Letitia James—@NewYorkStateAG—tweets her satisfaction:
We’ve reached a settlement with Cisco over major flaws in their security surveillance system software that they sold to NY & other states.
Upon learning of these flaws, Cisco failed to report or fix the issue for years.
We’re holding Cisco accountable and ensuring that software manufacturers dealing with NY not only have the most secure software possible, but diligently report & repair any flaws they learn about. This is about our security, privacy, and protection.
What has Cisco got to say for itself? CLO Mark Chandler speaks of a “Changed Approach”:
The threat landscape continues to grow exponentially. … The standards by which suppliers are judged are also changing.
What seemed reasonable [in 2008–2013] no longer meets the needs of our stakeholders today. … Evaluating these facts today, we’ve now agreed to make a payment that includes … in effect, a partial refund.
The software … intentionally utilized an open architecture. … Because of the open architecture, video feeds could theoretically have been subject to hacking.
Wait. Pause. Did it seem reasonable 10 years ago to knowingly sell a seriously insecure product? Really? No, me neither.
And so this Anonymous Coward re-interprets Chandler’s statement:
Security researchers are less trusting nowadays, and more vocal, and have ways to … trash brand names riding on a halo.
But what about this idea of openness causing vulnerabilities? Walter Bishop facepalms furiously:
“Because of the open architecture, video feeds could theoretically have been subject to hacking.”
Or theoretically Cisco doesn’t know what it is talking about.
O RLY? Pascal Monett explainifies thuswise:
[Cisco] spouting a variation of “we take our customer’s security very seriously.”
Meanwhile, this Anonymous Coward laughs and laughs and laughs and laughs:
Hahahaha should have gone with Huawei.
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or firstname.lastname@example.org. Ask your doctor before reading. Your mileage may vary. E&OE.