Michael Lynn, who brought a big flaw in Cisco’s software and bug-fixing procedures to light, just got whacked by Cisco’s PR machine. Lots of people in the blogosphere (for example, Mark Hedlund, Bernie) and online are saying that he’s a good guy, but that doesn’t matter a damn when Business Week, one of the most widely read magazines in America, leaves the impression that this guy was just a loose cannon.
It would be naive to think that Steve Hamm of Business Week came to his conclusion based completely on what he read in press releases or on the Internet.
The reality is that there are people out there whose job it is to protect the reputations of big organizations, to ‘spin’ bad stories in a way that will at least make them seem less bad. This happens in the local media, it happens in politics, it happens in business and we are beginning to see it online in the blogosphere.
In this case they succeeded very well. They understood that it didn’t really matter what was said in the fringe media, like weblogs. What matters is what is said in the technology press (which thrives on advertising from companies like Cisco) and the business press, like Business Week, which is what higher-level decision-makers are likely to read.
Professional public relations isn’t a bad thing, any more than professional journalism is a bad thing. Well-managed communications should be good for all concerned.
However, as readers, we have to make an effort to keep track of what’s going on, and what interests are involved in reporting a particular issue.
In the meantime, though, Michael Lynn’s good name is all messed up. We digerati know that Lynn is a brave digital samurai, but what will his next prospective boss think? If Business Week carries its line through to its multi-million-selling paper publication, the guy in the corner office will be saying to himself ‘Lynn? Isn’t he the guy who caused all that trouble at Cisco?’
I think you’re overestimating the effects of BusinessWeek on prospective employers; IMO, Lynn won’t be dealing with the kind of company where someone who gets all their tech news from BusinessWeek without questioning it, gets a look in on hiring decisions like that. He’s already made his name as a great security researcher — especially since all the facts seem to indicate that Cisco are doing this in an attempt at spin control, the bug has been fixed in packages released 3 months ago, and the vulnerability deserves exposure now.
BTW, I find it interesting to see the “full disclosure” argument playing out again, more than ten years since it cropped up first with the creation of the bugtraq mailing list. That happened in response to CERT’s secrecy in the face of active use of undisclosed holes by black-hats, iirc.
You mean … if he’s recruited by a blackhat operation …!
Maybe it’s not his next employing manager, but what happens when anybody runs a security check on him? This dumb stuff will be what comes up. He’ll have to explain the whole story again and again forever.
The ol’ ‘full disclosure’ issue is certainly like an old friend.