[ISN] An Insider's View of 'Ciscogate'
InfoSec News
isn at c4i.org
Mon Aug 8 01:06:41 EDT 2005
http://www.wired.com/news/technology/0,1282,68435,00.html
By Jennifer Granick
Aug. 05, 2005
Attorney Jennifer Granick represented computer security researcher
Michael Lynn in his conflict with Cisco and ISS at the Black Hat
conference. The following is reprinted from her blog with permission.
What follows is my take on "Ciscogate," the uproar over researcher
Michael Lynn's presentation at this year's Black Hat conference, in
which he revealed that he was able to remotely execute code on Cisco
routers. I have been representing Mike during this crisis, so I'm
clearly partisan, and what I can say is limited by attorney-client
responsibilities. But while many people are speculating about the
facts, there hasn't been much on the law, which turns out to be really
interesting.
I arrived in Las Vegas around 1:00 p.m. on Wednesday. My plane had
been delayed, and I was anxious to get to Caesar's Palace and get
prepared for my presentation, scheduled for 3:15 p.m. My parents and
sister also were coming to see me, and I had to get approval for their
day passes from the Black Hat powers-that-be. I had heard that there
was a chance of some legal problems with a talk that Mike Lynn had
planned to give about Cisco router vulnerability and that the night or
so before the conference, Cisco sent temp workers to cut Lynn's slides
out of the presentation materials and to seize CDs containing his
PowerPoint presentation. But I wasn't involved in the case yet.
When I arrived, someone pointed Lynn out to me. He was wearing a white
backward-facing baseball hat with the word "GOOD" on it and chatting
animatedly with friends. I introduced myself, and he told me that he'd
quit his job and given the talk anyway, and that he expected to be
sued. Lynn knew that Cisco had fixed the problem he found and stopped
distributing the vulnerable code, but he was deeply concerned that the
company did not do nearly enough to persuade its customers to upgrade
promptly, or to explain to them why upgrading was necessary. Based on
some web searching, he thought that Chinese hackers were working on
breaking routers too, and that people needed to know. Up until very
recently, Mike's employer, ISS, had approved his talk and was happy
for him to give it. But very recently, they dramatically changed their
minds and forbade him from giving it. They made Mike pick another
topic. By the morning of the conference, Mike decided he had to quit
his job and give the talk anyway.
(In subsequent conversations with Cisco attorneys, I was assured that
Cisco and ISS were working on a presentation that would reveal the
flaw without revealing what Cisco and ISS felt was proprietary
information or giving bad guys a road map to an exploit. I never saw
this presentation, and to the best of my knowledge Mike didn't either.
If this is true, I don't know why Lynn, ISS and Cisco were
communicating so poorly. Of course, I also don't know what Cisco and
ISS were worried about, since Lynn's presentation neither revealed
confidential information nor provided much assistance to would-be
intruders. Cisco also told me that they offered to give the new joint
ISS and Cisco talk, but that Black Hat refused. My understanding of
Black Hat's position was that the speaking slot wasn't given to Cisco
and ISS but to Mike Lynn, and if he wanted to talk about something
else, he could, but they weren't going to give the slot to Cisco just
because the originally scheduled talk was about their product.)
I'm generally a believer in the free flow of information. I've written
an article on vulnerability disclosure, and generally don't like rules
that stop people from telling the truth, for whatever reason. But I
understand that exploit code, while communicative, can also be used as
a dangerous tool. Lynn understood this too. His presentation did not
give away exploit code, or even enough information for listeners to
readily create exploit code. In fact, he said, Cisco employees who had
vetted the information were themselves unable to create an exploit
from his information. But Mike wanted to show people that (1) he knew
what he was talking about and (2) he could do what he said could be
done. He included just enough information to make those points.
(Following the talk, other researchers who'd seen it agreed that it
would take a lot of work to get from Mike's presentation to an
exploit.)
After my talk, I caught up with Mike and discussed the possibility
that Cisco or ISS would sue him. I told him to call me if he heard
anything. Then my family and I went to Shintaro at the Bellagio for
dinner. It was my parents' 37th anniversary.
Shintaro has three really beautiful jellyfish tanks in the front of
the restaurant, behind the sushi bar. The restaurant is actually kind
of large and sits on the Bellagio lagoon. We wanted a table with a
window view, but the maitre d' said they were all reserved -- even
though we had a reservation, it was 5:45 p.m. and there were very few
other people around. No one came to sit at those tables the whole time
we were there. We had sushi, which was really fresh and good, and then
my sister and I shared the crispy lobster in black bean sauce. As with
my father's lamb dish, it was really good, but the sauce was a little
overpowering for the delicacy of the meat. The waiter was adept at
explaining the sakes, and I ordered a really good one to share with my
dad, a junmai ginjo called gissen, I believe. I would definitely go
back if it were not for the snootiness of not letting us have a window
seat even though no one cool enough to pre-empt us would dream of
going to dinner so ungodly early.
By the time dinner was over, Cisco and ISS had filed a lawsuit and
served papers requesting a temporary restraining order on Black Hat,
but not on Mike. Mike had heard about the lawsuit, though, and called
me. I met him at Caesar's Palace, where a reporter gave me a copy of
the moving papers. Black Hat's PR person told me that Cisco and ISS
were suing Black Hat and Lynn, and that they'd scheduled an ex parte
hearing before Judge White in San Francisco for the next morning at
8:30 a.m. to ask for a temporary restraining order.
Now I had to decide whether I was interested in the case. I took the
papers back to my room to read, and told Mike not to talk directly to
opposing counsel. If they called him, he should tell them to call me.
This is just habit that I can't break. As a criminal defense attorney,
you never let opposing counsel get anywhere near your client. Even
though Mike wasn't my client, and this wasn't my case, and it wasn't
criminal, it was reflex to protect him at all costs from the prying
questions of an opponent. Sure enough, the attorney for ISS and Cisco,
Andrew Valentine, called Mike, and then called me.
Valentine is a pretty pleasant, reasonable person for someone who's
sued someone I like very much. We started talking about the case, and
I was asking what exactly he was claiming that Lynn had done wrong. It
appeared to be three things. First, ISS was claiming copyright in the
presentation that Mike had given on Wednesday morning. Second, Cisco
was claiming copyright in the decompiled machine code that Mike
obtained from the Cisco binaries and had included in his slides. And
finally, Cisco was claiming trade secret in the information Mike had
obtained by decompiling and studying Cisco source code. The complaint
[2] (.pdf) also alleged that Mike had breached his nondisclosure
agreement with ISS.
I didn't and don't think much of the legal case, and I'll explain why
in the next installment. But every attorney knows that an opponent's
weak legal case is first and foremost an opportunity to get a good
settlement. No party wants to litigate against a rich corporation if
they don't have to. It's a different story for the lawyers, though.
For me, no matter how much I care about the client, it's a job that I
enjoy. I like to litigate a case if the issues are interesting and
these definitely are. But the client comes first, so I asked Valentine
what his clients really wanted out of all of this. We parsed and
narrowed, and came to a point where I thought we might be able to cut
a deal. I told him I'd talk to Lynn and Black Hat and get back to him
one way or another.
When I first talked to Valentine, I wasn't even sure I wanted to be
involved in the case, but as I read the temporary restraining order
papers, I became really interested in the legal issues that the suit
raised.
You'll remember that ISS claimed copyright in the slides Mike used on
Wednesday morning. I hadn't seen the original ISS slides, but I
imagined that they looked different but had similar bullet points or
words. This wasn't very interesting to me. I would argue that the
bullet points were unoriginal and not deserving of much copyright
protection, or that it was fair use, or that Mike jointly retained the
copyright with ISS, but none of this is particularly fun. The second
copyright claim was Cisco's in the decompiled code. Certainly Cisco
has copyright in the source code, and I suppose in the binary, too,
and therefore it probably has copyright in the machine code as well.
But Mike only used little edited snippets of the machine code to
illustrate his points about how he found the IOS vulnerability and why
it existed. This was classic fair use, something important to defend,
but only kind of fun, if only because it was so damn obviously
permissible.
The more interesting claim was the trade secret claim. They were suing
under California's trade secret law. California has adopted the
Uniform Trade Secrets Act, which is relatively broad. It prohibits the
misappropriation of trade secrets.
A trade secret is information that:
(1) derives independent economic value, actual or potential, from not
being generally known to the public or to other persons who can obtain
economic value from its disclosure or use; and (2) is the subject of
efforts that are reasonable under the circumstances to maintain its
secrecy.
So the first question is, what's the secret? The complaint says that
Lynn had Cisco source code, but he didn't. He had the binary code. The
binary isn't secret, since Cisco sells it. Is the decompiled code
secret? Is it the fact that there's a vulnerability? Would the law
allow a product flaw to be a protected trade secret? I've had lawyers
argue it to me, but I can't believe that any court would think that's
a good idea. Imagine if we did that with cars. The fact that it blows
up if someone rear ends you is a protected secret, because people
wouldn't buy the cars if they had that information? I'm not sure
there's anything here of Cisco's that the law would protect.
The second question is, even if there is some kind of trade secret,
did Mike misappropriate it? Misappropriation means acquisition by
improper means, or disclosure without consent by a person who used
improper means to acquire the knowledge. The law specifically says
that reverse engineering (decompiling) is proper, not improper, means.
As used in this title, unless the context requires otherwise: (a)
"Improper means" includes theft, bribery, misrepresentation, breach or
inducement of a breach of a duty to maintain secrecy, or espionage
through electronic or other means. Reverse engineering or independent
derivation alone shall not be considered improper means.
So then the question is, did Mike use reverse engineering or
independent derivation alone? It seemed that Cisco was claiming that
Mike's actions were improper because he violated the End User License
Agreement, which prohibited reverse engineering. So now I was having
fun. I'm totally interested in EULAs and the circumstances under which
they take away public rights that are otherwise guaranteed us.
Usually, a breach of contract is no big deal. But increasingly in the
tech field, we're seeing big penalties for what's essentially a
contract violation. Under the Computer Fraud and Abuse Act, if you
exceed your authorization to access a computer, you've committed a
crime. Cases have said you exceed authorization when you breach a
EULA, terms of service or employment contract. Other cases have said
that EULAs can waive fair-use rights and other rights guaranteed under
copyright law. Lynn's case presented the question of whether EULAs
could subvert the legislature's express desire to allow people to
reverse-engineer trade secrets.
I decided to get involved in the case. There were lots of ways to
argue the case. I could say that the EULA wasn't enforceable. I could
say that if Lynn violated the EULA, it was only at the behest of
plaintiff ISS, and I could cross-claim for indemnification. But my
best legal argument was that violation of an End User License
Agreement is not a trade secret violation. "Improper means" includes a
breach of a duty to maintain secrecy. But the EULA did not impose a
duty to maintain secrecy. It was merely a promise not to
reverse-engineer. A violation of that promise is a violation of
contract, but not an improper means of discovering a trade secret.
There was the possibility that Mike had information that was secret as
to ISS and that he had promised to keep secret under his employment
agreement or NDA. But the complaint didn't identify any ISS trade
secrets, and Mike hadn't disclosed any ISS information other than
whatever was in the presentation, so this was a great legal argument.
Fortunately for Mike, I never got to make it to a judge, because we
were able to settle the case within 24 hours. A lot of people have
asked what the basis was for the injunction that the court entered, or
why the court entered an injunction, or why Mike can't give out the
slides from his presentation, and the answer to each question is the
same. We agreed to an injunction to settle the case, and the reason we
settled the case is because all Mike has to do is stuff he's mostly
willing to do anyway, and Cisco and ISS will dismiss the lawsuit. At
the point that you get sued, or even charged with a crime, it matters
less what actually happened and whether you did something wrong and
more what it takes to get out of the case as unscathed as possible.
It's sad, but true, that our legal system can often be more strategy
than justice.
Though I wanted to fight the case, as a good advocate, I had to
explore the possibility of settling it as well. (And I definitely
didn't want to have to fly back to San Francisco for a court hearing
the next morning!) Valentine, the Cisco/ISS lawyer, was pretty
reasonable, and able to clearly state what exactly it was that his
clients wanted, at least at that time of day. I went back to Lynn and
Black Hat with his proposal and could see that we were close to an
agreement. I called Valentine and told him, and he sent me bullet
points representing the essence of our agreement. It was 1:30 a.m. I
e-mailed back some comments, but we basically had a deal. Then the
Black Hat people and I double-checked that the impounded official
video of Lynn's presentation was safe and sound, and I went to bed.
I woke up at 5:30 a.m. because the Black Hat lawyer and I were
supposed to meet at 6 a.m. to get a copy of the settlement agreement
that Valentine had courageously stayed up all night writing. We were
hoping to get it signed before the 8:30 a.m. court hearing that day.
Now, Valentine is licensed to practice in California and his bar
number is close to mine, so we were admitted about the same year, and
I imagine he's about my age, maybe a little older. At our age, staying
up all night really sucks. For those of you in your 20s who are
reading this, stay up all night now as much as you can before you lose
the knack.
By the time Valentine sent it to us, he was pretty raw, I'm sure. Not
thinking, I redlined his proposal pretty heavily and sent it back to
him with a breezy note. He was getting ready to leave for the court
hearing, and I think my redlines might have broken his usually
reasonable brain. His position basically went from "we're close to a
deal," to "forget this, we have no deal and I've got court to go to."
I was seriously disconcerted. If I was going to have a temporary
restraining order hearing, I would have at least written a brief, and
maybe even have showed up in San Francisco. I reminded Valentine that
we'd agreed that if we were close, we'd postpone the hearing, and we
were definitely close. He said he'd have to talk to his clients and
he'd get back to me.
So there I was, sitting with Mike on the Black Hat conference floor,
unable to check my e-mail because you hackers sniff my password and
lock me out of my own account, doing Lexis searches and waiting for
word of whether we'd be arguing against a temporary restraining order
in 30 minutes, or knocking out a deal. Luckily, there were bagels.
After chilling out during his long drive, Valentine was true to his
word, and his clients were willing to talk about a deal. We
frantically scrambled to make the speaker phone in the hotel connect
audibly to the conference phones in the courtroom, then told the judge
that with a little talking, we might be able to settle the case in its
entirety. Judges love that. So the Cisco/ISS team, which was about six
people, retired to the attorney conference room in the lounge upstairs
in the Federal Building, the Black Hat lawyer, Mike Lynn and I settled
into the Black Hat suite at Caesar's Palace, and we got to work.
Our basic agreement was that if Lynn and Black Hat agreed not to
disseminate the presentation, the video or the decompiled code any
further, and Lynn agreed not to disseminate any of the stuff he worked
on while at ISS at all, then Cisco and ISS would drop the case.
Everyone was cool with this. But if you've ever negotiated something,
you know it is painstaking work. Even if you generally agree, you have
to imagine everything that you might want and everything that you want
to avoid. Then you have to draft language that describes clearly and
precisely exactly that and no more, while still agreeing.
We had a couple of bullet points at 1:30 a.m. the night before, but
once you got all the lawyers together, everyone was able to think
about other terms and conditions that might be nice to have, as well
as things that might theoretically happen that should be prohibited.
It's kind of a code among lawyers that what's said in settlement
negotiations doesn't get blabbed around. When working things out for
our clients, lawyers sometimes take unofficial positions to see how it
sounds, or think out loud, or act more rabidly than we really feel,
staking out a position from which we can come down.
So I'm going to try to keep to the code but still point out a few
things about the agreement process. Overall, the lawyers in the
conference were relatively reasonable, under the circumstances,
especially since there wasn't inherently a lot of trust between the
two sides. If you read the settlement agreement, you can
reverse-engineer the issues with which each side was concerned.
For example, ISS and Cisco insisted on stipulating between themselves
that they had prepared an alternative presentation "designed to
discuss internet security, including the flaw which Lynn had
identified, but without revealing Cisco code or pointers which might
help enable third parties to exploit the flaw, but were informed they
would not be allowed to present that presentation at the conference."
We insisted that the agreement specifically state that Lynn was not
precluded from lawful discussions of internet security using materials
lawfully obtained. Probably the most hotly debated provision was
paragraph 9, where we all agreed that ISS and Cisco should be able to
reassure themselves that at the end of this matter, Lynn would not
retain any materials to which he wasn't entitled, and we all agreed
that Lynn and others had privacy rights that should be honored, so we
had to work out a process that would respect both concerns.
We worked almost nonstop from 8:30 a.m. to 2:30 p.m., running on
caffeine and cold bagels. Some lawyers were great with punctuation,
some with grammar. I personally spent five whole minutes convincing
everyone to change a "which" to a "whether." Sigh. At a certain point,
you can lose sight of the forest because of all the trees. We had
delays exchanging versions of the settlement documents because the
Black Hat lawyer didn't have a laptop with him, and I kept getting my
password sniffed and locked out of my e-mail account whenever I would
use the wireless. (Did I mention how annoying this is? Oh, well. Live
by the sword, die by the sword.)
But by the afternoon we had something everyone agreed upon. As we were
wrapping up, one of the opposing lawyers asked me if I was happy.
"Happiness is a relative term," I responded, "and I'm relatively
happy." That afternoon we reconvened in court (the Vegas team by
telephone) to file the document with the judge. The judge entered the
stipulated injunction immediately, Cisco and ISS promised to dismiss
the case once and for all when we complied with the terms, and Team
Vegas breathed a sigh of relief and made a date to drink expensive
champagne together that very evening.
Meanwhile, my parents retired to Vegas and I went off to have dinner
with my mom and sister, and do some shopping in the Forum Shops. (The
Granicks are from New Jersey.) It was Thursday at 6 p.m., and we were
sitting at the Chinese place there, and my mother and I had just
ordered a gigantic two-person Mai Tai. (Photo to be posted soon. Check
back.) I was pix-messaging a phone photo of us drinking it to my
father when the phone rang in my hand. The message was that there were
two FBI agents looking for me and asking questions about Mike's
presentation, that they were wandering around the floor of the Black
Hat conference, that they were wearing suits and couldn't be missed,
and that they "just wanted to talk." "Fuck that," I advised. Always
judicious when dealing with law enforcement, I excused myself from my
family meal, and ran back to the convention center to see what was
going on.
To be continued....
[1] http://www.granick.com/blog/
[2] http://www.granick.com/blog/lynncomplaint.pdf