http://www.wired.com/news/technology/0,1282,68435,00.html
By Jennifer Granick
Aug. 05, 2005

Attorney Jennifer Granick represented computer security researcher Michael Lynn in his conflict with Cisco and ISS at the Black Hat conference. The following is reprinted from her blog with permission.

What follows is my take on "Ciscogate," the uproar over researcher Michael Lynn's presentation at this year's Black Hat conference, in which he revealed that he was able to remotely execute code on Cisco routers. I have been representing Mike during this crisis, so I'm clearly partisan, and what I can say is limited by attorney-client responsibilities. But while many people are speculating about the facts, there hasn't been much on the law, which turns out to be really interesting.

I arrived in Las Vegas around 1:00 p.m. on Wednesday. My plane had been delayed, and I was anxious to get to Caesar's Palace and get prepared for my presentation, scheduled for 3:15 p.m. My parents and sister also were coming to see me, and I had to get approval for their day passes from the Black Hat powers-that-be.

I had heard that there was a chance of some legal problems with a talk that Mike Lynn had planned to give about Cisco router vulnerability and that the night or so before the conference, Cisco sent temp workers to cut Lynn's slides out of the presentation materials and to seize CDs containing his PowerPoint presentation. But I wasn't involved in the case yet.

When I arrived, someone pointed Lynn out to me. He was wearing a white backward-facing baseball hat with the word "GOOD" on it and chatting animatedly with friends. I introduced myself, and he told me that he'd quit his job and given the talk anyway, and that he expected to be sued.
Lynn knew that Cisco had fixed the problem he found and stopped distributing the vulnerable code, but he was deeply concerned that the company did not do nearly enough to persuade its customers to upgrade promptly, or to explain to them why upgrading was necessary. Based on some web searching, he thought that Chinese hackers were working on breaking routers too, and that people needed to know.

Up until very recently, Mike's employer, ISS, had approved his talk and was happy for him to give it. But very recently, they dramatically changed their minds and forbade him from giving it. They made Mike pick another topic. By the morning of the conference, Mike decided he had to quit his job and give the talk anyway.

(In subsequent conversations with Cisco attorneys, I was assured that Cisco and ISS were working on a presentation that would reveal the flaw without revealing what Cisco and ISS felt was proprietary information or giving bad guys a road map to an exploit. I never saw this presentation, and to the best of my knowledge Mike didn't either. If this is true, I don't know why Lynn, ISS and Cisco were communicating so poorly. Of course, I also don't know what Cisco and ISS were worried about, since Lynn's presentation neither revealed confidential information nor provided much assistance to would-be intruders. Cisco also told me that they offered to give the new joint ISS and Cisco talk, but that Black Hat refused. My understanding of Black Hat's position was that the speaking slot wasn't given to Cisco and ISS but to Mike Lynn, and if he wanted to talk about something else, he could, but they weren't going to give the slot to Cisco just because the originally scheduled talk was about their product.)

I'm generally a believer in the free flow of information. I've written an article on vulnerability disclosure, and generally don't like rules that stop people from telling the truth, for whatever reason.
But I understand that exploit code, while communicative, can also be used as a dangerous tool. Lynn understood this too. His presentation did not give away exploit code, or even enough information for listeners to readily create exploit code. In fact, he said, Cisco employees who had vetted the information were themselves unable to create an exploit from his information. But Mike wanted to show people that (1) he knew what he was talking about and (2) he could do what he said could be done. He included just enough information to make those points. (Following the talk, other researchers who'd seen it agreed that it would take a lot of work to get from Mike's presentation to an exploit.)

After my talk, I caught up with Mike and discussed the possibility that Cisco or ISS would sue him. I told him to call me if he heard anything. Then my family and I went to Shintaro at the Bellagio for dinner.

It was my parents' 37th anniversary. Shintaro has three really beautiful jellyfish tanks in the front of the restaurant, behind the sushi bar. The restaurant is actually kind of large and sits on the Bellagio lagoon. We wanted a table with a window view, but the maitre d' said they were all reserved -- even though we had a reservation, it was 5:45 p.m. and there were very few other people around. No one came to sit at those tables the whole time we were there. We had sushi, which was really fresh and good, and then my sister and I shared the crispy lobster in black bean sauce. As with my father's lamb dish, it was really good, but the sauce was a little overpowering for the delicacy of the meat. The waiter was adept at explaining the sakes, and I ordered a really good one to share with my dad, a junmai ginjo called gissen, I believe. I would definitely go back if it were not for the snootiness of not letting us have a window seat even though no one cool enough to pre-empt us would dream of going to dinner so ungodly early.
By the time dinner was over, Cisco and ISS had filed a lawsuit and served papers requesting a temporary restraining order on Black Hat, but not on Mike. Mike had heard about the lawsuit, though, and called me. I met him at Caesar's Palace, where a reporter gave me a copy of the moving papers. Black Hat's PR person told me that Cisco and ISS were suing Black Hat and Lynn, and that they'd scheduled an ex parte hearing before Judge White in San Francisco for the next morning at 8:30 a.m. to ask for a temporary restraining order.

Now I had to decide whether I was interested in the case. I took the papers back to my room to read, and told Mike not to talk directly to opposing counsel. If they called him, he should tell them to call me. This is just habit that I can't break. As a criminal defense attorney, you never let opposing counsel get anywhere near your client. Even though Mike wasn't my client, and this wasn't my case, and it wasn't criminal, it was reflex to protect him at all costs from the prying questions of an opponent.

Sure enough, the attorney for ISS and Cisco, Andrew Valentine, called Mike, and then called me. Valentine is a pretty pleasant, reasonable person for someone who's sued someone I like very much. We started talking about the case, and I was asking what exactly he was claiming that Lynn had done wrong. It appeared to be three things. First, ISS was claiming copyright in the presentation that Mike had given on Wednesday morning. Second, Cisco was claiming copyright in the decompiled machine code that Mike obtained from the Cisco binaries and had included in his slides. And finally, Cisco was claiming trade secret in the information Mike had obtained by decompiling and studying Cisco source code. The complaint [2] (.pdf) also alleged that Mike had breached his nondisclosure agreement with ISS.

I didn't and don't think much of the legal case, and I'll explain why in the next installment.
But every attorney knows that an opponent's weak legal case is first and foremost an opportunity to get a good settlement. No party wants to litigate against a rich corporation if they don't have to. It's a different story for the lawyers, though. For me, no matter how much I care about the client, it's a job that I enjoy. I like to litigate a case if the issues are interesting and these definitely are. But the client comes first, so I asked Valentine what his clients really wanted out of all of this. We parsed and narrowed, and came to a point where I thought we might be able to cut a deal. I told him I'd talk to Lynn and Black Hat and get back to him one way or another.

When I first talked to Valentine, I wasn't even sure I wanted to be involved in the case, but as I read the temporary restraining order papers, I became really interested in the legal issues that the suit raised.

You'll remember that ISS claimed copyright in the slides Mike used on Wednesday morning. I hadn't seen the original ISS slides, but I imagined that they looked different but had similar bullet points or words. This wasn't very interesting to me. I would argue that the bullet points were unoriginal and not deserving of much copyright protection, or that it was fair use, or that Mike jointly retained the copyright with ISS, but none of this is particularly fun.

The second copyright claim was Cisco's in the decompiled code. Certainly Cisco has copyright in the source code, and I suppose in the binary, too, and therefore it probably has copyright in the machine code as well. But Mike only used little edited snippets of the machine code to illustrate his points about how he found the IOS vulnerability and why it existed. This was classic fair use, something important to defend, but only kind of fun, if only because it was so damn obviously permissible.

The more interesting claim was the trade secret claim. They were suing under California's trade secret law.
California has adopted the Uniform Trade Secrets Act, which is relatively broad. It prohibits the misappropriation of trade secrets. A trade secret is information that:

    (1) derives independent economic value, actual or potential, from not being generally known to the public or to other persons who can obtain economic value from its disclosure or use; and
    (2) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.

So the first question is, what's the secret? The complaint says that Lynn had Cisco source code, but he didn't. He had the binary code. The binary isn't secret, since Cisco sells it. Is the decompiled code secret? Is it the fact that there's a vulnerability? Would the law allow a product flaw to be a protected trade secret? I've had lawyers argue it to me, but I can't believe that any court would think that's a good idea. Imagine if we did that with cars. The fact that it blows up if someone rear ends you is a protected secret, because people wouldn't buy the cars if they had that information? I'm not sure there's anything here of Cisco's that the law would protect.

The second question is, even if there is some kind of trade secret, did Mike misappropriate it. Misappropriation means acquisition by improper means, or disclosure without consent by a person who used improper means to acquire the knowledge. The law specifically says that reverse engineering (decompiling) is proper, not improper, means:

    As used in this title, unless the context requires otherwise: (a) "Improper means" includes theft, bribery, misrepresentation, breach or inducement of a breach of a duty to maintain secrecy, or espionage through electronic or other means. Reverse engineering or independent derivation alone shall not be considered improper means.

So then the question is, did Mike use reverse engineering or independent derivation alone?
It seemed that Cisco was claiming that Mike's actions were improper because he violated the End User License Agreement, which prohibited reverse engineering.

So now I was having fun. I'm totally interested in EULAs and the circumstances under which they take away public rights that are otherwise guaranteed us. Usually, a breach of contract is no big deal. But increasingly in the tech field, we're seeing big penalties for what's essentially a contract violation. Under the Computer Fraud and Abuse Act, if you exceed your authorization to access a computer, you've committed a crime. Cases have said you exceed authorization when you breach a EULA, terms of service or employment contract. Other cases have said that EULAs can waive fair-use rights and other rights guaranteed under copyright law. Lynn's case presented the question of whether EULAs could subvert the legislature's express desire to allow people to reverse-engineer trade secrets.

I decided to get involved in the case.

There were lots of ways to argue the case. I could say that the EULA wasn't enforceable. I could say that if Lynn violated the EULA, it was only at the behest of plaintiff ISS, and I could cross-claim for indemnification. But my best legal argument was that violation of an End User License Agreement is not a trade secret violation. "Improper means" includes a breach of a duty to maintain secrecy. But the EULA did not impose a duty to maintain secrecy. It was merely a promise not to reverse-engineer. A violation of that promise is a violation of contract, but not an improper means of discovering a trade secret.

There was the possibility that Mike had information that was secret as to ISS and that he had promised to keep secret under his employment agreement or NDA. But the complaint didn't identify any ISS trade secrets, and Mike hadn't disclosed any ISS information other than whatever was in the presentation, so this was a great legal argument.
Fortunately for Mike, I never got to make it to a judge, because we were able to settle the case within 24 hours.

A lot of people have asked what the basis was for the injunction that the court entered, or why the court entered an injunction, or why Mike can't give out the slides from his presentation, and the answer to each question is the same. We agreed to an injunction to settle the case, and the reason we settled the case is because all Mike has to do is stuff he's mostly willing to do anyway, and Cisco and ISS will dismiss the lawsuit.

At the point that you get sued, or even charged with a crime, it matters less what actually happened and whether you did something wrong and more what it takes to get out of the case as unscathed as possible. It's sad, but true, that our legal system can often be more strategy than justice. Though I wanted to fight the case, as a good advocate, I had to explore the possibility of settling it as well. (And I definitely didn't want to have to fly back to San Francisco for a court hearing the next morning!)

Valentine, the Cisco/ISS lawyer, was pretty reasonable, and able to clearly state what exactly it was that his clients wanted, at least at that time of day. I went back to Lynn and Black Hat with his proposal and could see that we were close to an agreement. I called Valentine and told him, and he sent me bullet points representing the essence of our agreement. It was 1:30 a.m. I e-mailed back some comments, but we basically had a deal. Then the Black Hat people and I double-checked that the impounded official video of Lynn's presentation was safe and sound, and I went to bed.

I woke up at 5:30 a.m. because the Black Hat lawyer and I were supposed to meet at 6 a.m. to get a copy of the settlement agreement that Valentine had courageously stayed up all night writing. We were hoping to get it signed before the 8:30 a.m. court hearing that day.
Now, Valentine is licensed to practice in California and his bar number is close to mine, so we were admitted about the same year, and I imagine he's about my age, maybe a little older. At our age, staying up all night really sucks. For those of you in your 20s who are reading this, stay up all night now as much as you can before you lose the knack. By the time Valentine sent it to us, he was pretty raw, I'm sure.

Not thinking, I redlined his proposal pretty heavily and sent it back to him with a breezy note. He was getting ready to leave for the court hearing, and I think my redlines might have broken his usually reasonable brain. His position basically went from "we're close to a deal," to "forget this, we have no deal and I've got court to go to."

I was seriously disconcerted. If I was going to have a temporary restraining order hearing, I would have at least written a brief, and maybe even have showed up in San Francisco. I reminded Valentine that we'd agreed that if we were close, we'd postpone the hearing, and we were definitely close. He said he'd have to talk to his clients and he'd get back to me.

So there I was, sitting with Mike on the Black Hat conference floor, unable to check my e-mail because you hackers sniff my password and lock me out of my own account, doing Lexis searches and waiting for word of whether we'd be arguing against a temporary restraining order in 30 minutes, or knocking out a deal. Luckily, there were bagels.

After chilling out during his long drive, Valentine was true to his word, and his clients were willing to talk about a deal. We frantically scrambled to make the speaker phone in the hotel connect audibly to the conference phones in the courtroom, then told the judge that with a little talking, we might be able to settle the case in its entirety. Judges love that.
So the Cisco/ISS team, which was about six people, retired to the attorney conference room in the lounge upstairs in the Federal Building, the Black Hat lawyer, Mike Lynn and I settled into the Black Hat suite at Caesar's Palace, and we got to work.

Our basic agreement was that if Lynn and Black Hat agreed not to disseminate the presentation, the video or the decompiled code any further, and Lynn agreed not to disseminate any of the stuff he worked on while at ISS at all, then Cisco and ISS would drop the case. Everyone was cool with this. But if you've ever negotiated something, you know it is painstaking work. Even if you generally agree, you have to imagine everything that you might want and everything that you want to avoid. Then you have to draft language that describes clearly and precisely exactly that and no more, while still agreeing. We had a couple of bullet points at 1:30 a.m. the night before, but once you got all the lawyers together, everyone was able to think about other terms and conditions that might be nice to have, as well as things that might theoretically happen that should be prohibited.

It's kind of a code among lawyers that what's said in settlement negotiations doesn't get blabbed around. When working things out for our clients, lawyers sometimes take unofficial positions to see how it sounds, or think out loud, or act more rabidly than we really feel, staking out a position from which we can come down. So I'm going to try to keep to the code but still point out a few things about the agreement process.

Overall, the lawyers in the conference were relatively reasonable, under the circumstances, especially since there wasn't inherently a lot of trust between the two sides. If you read the settlement agreement, you can reverse-engineer the issues with which each side was concerned.
For example, ISS and Cisco insisted on stipulating between themselves that they had prepared an alternative presentation "designed to discuss internet security, including the flaw which Lynn had identified, but without revealing Cisco code or pointers which might help enable third parties to exploit the flaw, but were informed they would not be allowed to present that presentation at the conference." We insisted that the agreement specifically state that Lynn was not precluded from lawful discussions of internet security using materials lawfully obtained.

Probably the most hotly debated provision was paragraph 9, where we all agreed that ISS and Cisco should be able to reassure themselves that at the end of this matter, Lynn would not retain any materials to which he wasn't entitled, and we all agreed that Lynn and others had privacy rights that should be honored, so we had to work out a process that would respect both concerns.

We worked almost nonstop from 8:30 a.m. to 2:30 p.m., running on caffeine and cold bagels. Some lawyers were great with punctuation, some with grammar. I personally spent five whole minutes convincing everyone to change a "which" to a "whether." Sigh. At a certain point, you can lose sight of the forest because of all the trees. We had delays exchanging versions of the settlement documents because the Black Hat lawyer didn't have a laptop with him, and I kept getting my password sniffed and locked out of my e-mail account whenever I would use the wireless. (Did I mention how annoying this is? Oh, well. Live by the sword, die by the sword.) But by the afternoon we had something everyone agreed upon.

As we were wrapping up, one of the opposing lawyers asked me if I was happy. "Happiness is a relative term," I responded, "and I'm relatively happy." That afternoon we reconvened in court (the Vegas team by telephone) to file the document with the judge.
The judge entered the stipulated injunction immediately, Cisco and ISS promised to dismiss the case once and for all when we complied with the terms, and Team Vegas breathed a sigh of relief and made a date to drink expensive champagne together that very evening.

Meanwhile, my parents retired to Vegas and I went off to have dinner with my mom and sister, and do some shopping in the Forum Shops. (The Granicks are from New Jersey.) It was Thursday at 6 p.m., and we were sitting at the Chinese place there, and my mother and I had just ordered a gigantic two-person Mai Tai. (Photo to be posted soon. Check back.) I was pix-messaging a phone photo of us drinking it to my father when the phone rang in my hand. The message was that there were two FBI agents looking for me and asking questions about Mike's presentation, that they were wandering around the floor of the Black Hat conference, that they were wearing suits and couldn't be missed, and that they "just wanted to talk."

"Fuck that," I advised.

Always judicious when dealing with law enforcement, I excused myself from my family meal, and ran back to the convention center to see what was going on.

To be continued....

[1] http://www.granick.com/blog/
[2] http://www.granick.com/blog/lynncomplaint.pdf
This archive was generated by hypermail 2.1.3 : Sun Aug 07 2005 - 22:51:50 PDT