Juniper defends hiring Cisco flaw researcher

Just a short time after leaving ISS in order to publicly expose security holes in Cisco's router software, Michael Lynn has found a new home with Juniper.

Juniper said on Wednesday it is standing by its decision to employ a security consultant who revealed "great holes" in the security of Cisco routers.

A spokeswoman for Juniper confirmed on Wednesday that it had hired Michael Lynn as a full-time employee but released no further details other than to state it was not the policy of the company to comment on the circumstances of an individual employee.

Juniper did comment on the subject of whether someone who had blown the whistle on Cisco's alleged cover-up of a security problem was a suitable employee for a network security company.

"Juniper takes its responsibilities as a member of the global IT community very seriously," the spokeswoman said in a statement, "and as a company always operates within a very strict code of ethics. We are confident that all our employees will do the same."

Lynn was a security analyst with ISS until he resigned suddenly in July to give a security briefing at a Black Hat conference in Las Vegas, where he disclosed the existence of a flaw within Cisco's Internetwork Operating System.

It was reported at the time that Lynn had outlined a method of attacking Cisco's Internetwork Operating System (IOS) to gain control over Cisco routers, which make up much of the infrastructure of the Internet. A widespread attack could badly impair the Internet's functioning, according to experts attending Black Hat.

When Lynn went public about the flaw, Cisco and ISS both sued him, although the parties have now settled.

Lynn told Wired that he had gone public because "the worst thing is to keep this stuff secret".

The tale took another twist last week when Cisco finally released details of, and patched, a second flaw identified by Lynn.

The scope of the second flaw explains why Cisco went to great lengths to keep it under wraps, said Johannes Ullrich, chief research officer at the SANS Institute Internet Storm Center, last week.