[ISN] An Insider's View of 'Ciscogate'

From: InfoSec News (isn@private)
Date: Sun Aug 07 2005 - 22:06:41 PDT


http://www.wired.com/news/technology/0,1282,68435,00.html

By Jennifer Granick
Aug. 05, 2005 

Attorney Jennifer Granick represented computer security researcher 
Michael Lynn in his conflict with Cisco and ISS at the Black Hat 
conference. The following is reprinted from her blog with permission. 

What follows is my take on "Ciscogate," the uproar over researcher 
Michael Lynn's presentation at this year's Black Hat conference, in 
which he revealed that he was able to remotely execute code on Cisco 
routers. I have been representing Mike during this crisis, so I'm 
clearly partisan, and what I can say is limited by attorney-client 
responsibilities. But while many people are speculating about the 
facts, there hasn't been much on the law, which turns out to be really 
interesting. 

I arrived in Las Vegas around 1:00 p.m. on Wednesday. My plane had 
been delayed, and I was anxious to get to Caesar's Palace and get 
prepared for my presentation, scheduled for 3:15 p.m. My parents and 
sister also were coming to see me, and I had to get approval for their 
day passes from the Black Hat powers-that-be. I had heard that there 
was a chance of some legal problems with a talk that Mike Lynn had 
planned to give about Cisco router vulnerability and that the night or 
so before the conference, Cisco sent temp workers to cut Lynn's slides 
out of the presentation materials and to seize CDs containing his 
PowerPoint presentation. But I wasn't involved in the case yet. 

When I arrived, someone pointed Lynn out to me. He was wearing a white 
backward-facing baseball hat with the word "GOOD" on it and chatting 
animatedly with friends. I introduced myself, and he told me that he'd 
quit his job and given the talk anyway, and that he expected to be 
sued. Lynn knew that Cisco had fixed the problem he found and stopped 
distributing the vulnerable code, but he was deeply concerned that the 
company did not do nearly enough to persuade its customers to upgrade 
promptly, or to explain to them why upgrading was necessary. Based on 
some web searching, he thought that Chinese hackers were working on 
breaking routers too, and that people needed to know. Up until very 
recently, Mike's employer, ISS, had approved his talk and was happy 
for him to give it. But very recently, they dramatically changed their 
minds and forbade him from giving it. They made Mike pick another 
topic. By the morning of the conference, Mike decided he had to quit 
his job and give the talk anyway. 

(In subsequent conversations with Cisco attorneys, I was assured that 
Cisco and ISS were working on a presentation that would reveal the 
flaw without revealing what Cisco and ISS felt was proprietary 
information or giving bad guys a road map to an exploit. I never saw 
this presentation, and to the best of my knowledge Mike didn't either. 
If this is true, I don't know why Lynn, ISS and Cisco were 
communicating so poorly. Of course, I also don't know what Cisco and 
ISS were worried about, since Lynn's presentation neither revealed 
confidential information nor provided much assistance to would-be 
intruders. Cisco also told me that they offered to give the new joint 
ISS and Cisco talk, but that Black Hat refused. My understanding of 
Black Hat's position was that the speaking slot wasn't given to Cisco 
and ISS but to Mike Lynn, and if he wanted to talk about something 
else, he could, but they weren't going to give the slot to Cisco just 
because the originally scheduled talk was about their product.) 

I'm generally a believer in the free flow of information. I've written 
an article on vulnerability disclosure, and generally don't like rules 
that stop people from telling the truth, for whatever reason. But I 
understand that exploit code, while communicative, can also be used as 
a dangerous tool. Lynn understood this too. His presentation did not 
give away exploit code, or even enough information for listeners to 
readily create exploit code. In fact, he said, Cisco employees who had 
vetted the information were themselves unable to create an exploit 
from his information. But Mike wanted to show people that (1) he knew 
what he was talking about and (2) he could do what he said could be 
done. He included just enough information to make those points. 
(Following the talk, other researchers who'd seen it agreed that it 
would take a lot of work to get from Mike's presentation to an 
exploit.) 

After my talk, I caught up with Mike and discussed the possibility 
that Cisco or ISS would sue him. I told him to call me if he heard 
anything. Then my family and I went to Shintaro at the Bellagio for 
dinner. It was my parents' 37th anniversary. 

Shintaro has three really beautiful jellyfish tanks in the front of 
the restaurant, behind the sushi bar. The restaurant is actually kind 
of large and sits on the Bellagio lagoon. We wanted a table with a 
window view, but the maitre d' said they were all reserved -- even 
though we had a reservation, it was 5:45 p.m. and there were very few 
other people around. No one came to sit at those tables the whole time 
we were there. We had sushi, which was really fresh and good, and then 
my sister and I shared the crispy lobster in black bean sauce. As with 
my father's lamb dish, it was really good, but the sauce was a little 
overpowering for the delicacy of the meat. The waiter was adept at 
explaining the sakes, and I ordered a really good one to share with my 
dad, a junmai ginjo called gissen, I believe. I would definitely go 
back if it were not for the snootiness of not letting us have a window 
seat even though no one cool enough to pre-empt us would dream of 
going to dinner so ungodly early. 

By the time dinner was over, Cisco and ISS had filed a lawsuit and 
served papers requesting a temporary restraining order on Black Hat, 
but not on Mike. Mike had heard about the lawsuit, though, and called 
me. I met him at Caesar's Palace, where a reporter gave me a copy of 
the moving papers. Black Hat's PR person told me that Cisco and ISS 
were suing Black Hat and Lynn, and that they'd scheduled an ex parte 
hearing before Judge White in San Francisco for the next morning at 
8:30 a.m. to ask for a temporary restraining order. 

Now I had to decide whether I was interested in the case. I took the 
papers back to my room to read, and told Mike not to talk directly to 
opposing counsel. If they called him, he should tell them to call me. 
This is just a habit that I can't break. As a criminal defense attorney, 
you never let opposing counsel get anywhere near your client. Even 
though Mike wasn't my client, and this wasn't my case, and it wasn't 
criminal, it was reflex to protect him at all costs from the prying 
questions of an opponent. Sure enough, the attorney for ISS and Cisco, 
Andrew Valentine, called Mike, and then called me. 

Valentine is a pretty pleasant, reasonable person for someone who's
sued someone I like very much. We started talking about the case, and
I was asking what exactly he was claiming that Lynn had done wrong. It
appeared to be three things. First, ISS was claiming copyright in the
presentation that Mike had given on Wednesday morning. Second, Cisco
was claiming copyright in the decompiled machine code that Mike
obtained from the Cisco binaries and had included in his slides. And
finally, Cisco was claiming trade secret in the information Mike had
obtained by decompiling and studying Cisco source code. The complaint
[2] (.pdf) also alleged that Mike had breached his nondisclosure
agreement with ISS.

I didn't and don't think much of the legal case, and I'll explain why 
in the next installment. But every attorney knows that an opponent's 
weak legal case is first and foremost an opportunity to get a good 
settlement. No party wants to litigate against a rich corporation if 
they don't have to. It's a different story for the lawyers, though. 
For me, no matter how much I care about the client, it's a job that I 
enjoy. I like to litigate a case if the issues are interesting and 
these definitely are. But the client comes first, so I asked Valentine 
what his clients really wanted out of all of this. We parsed and 
narrowed, and came to a point where I thought we might be able to cut 
a deal. I told him I'd talk to Lynn and Black Hat and get back to him 
one way or another. 

When I first talked to Valentine, I wasn't even sure I wanted to be 
involved in the case, but as I read the temporary restraining order 
papers, I became really interested in the legal issues that the suit 
raised. 

You'll remember that ISS claimed copyright in the slides Mike used on 
Wednesday morning. I hadn't seen the original ISS slides, but I 
imagined that they looked different but had similar bullet points or 
words. This wasn't very interesting to me. I would argue that the 
bullet points were unoriginal and not deserving of much copyright 
protection, or that it was fair use, or that Mike jointly retained the 
copyright with ISS, but none of this is particularly fun. The second 
copyright claim was Cisco's in the decompiled code. Certainly Cisco 
has copyright in the source code, and I suppose in the binary, too, 
and therefore it probably has copyright in the machine code as well. 
But Mike only used little edited snippets of the machine code to 
illustrate his points about how he found the IOS vulnerability and why 
it existed. This was classic fair use, something important to defend, 
but only kind of fun, if only because it was so damn obviously 
permissible. 

The more interesting claim was the trade secret claim. They were suing 
under California's trade secret law. California has adopted the 
Uniform Trade Secrets Act, which is relatively broad. It prohibits the 
misappropriation of trade secrets. 

A trade secret is information that: 

(1) derives independent economic value, actual or potential, from not 
being generally known to the public or to other persons who can obtain 
economic value from its disclosure or use; and (2) is the subject of 
efforts that are reasonable under the circumstances to maintain its 
secrecy. 

So the first question is, what's the secret? The complaint says that 
Lynn had Cisco source code, but he didn't. He had the binary code. The 
binary isn't secret, since Cisco sells it. Is the decompiled code 
secret? Is it the fact that there's a vulnerability? Would the law 
allow a product flaw to be a protected trade secret? I've had lawyers 
argue it to me, but I can't believe that any court would think that's 
a good idea. Imagine if we did that with cars. The fact that it blows 
up if someone rear ends you is a protected secret, because people 
wouldn't buy the cars if they had that information? I'm not sure 
there's anything here of Cisco's that the law would protect. 

The second question is, even if there is some kind of trade secret, 
did Mike misappropriate it? Misappropriation means acquisition by 
improper means, or disclosure without consent by a person who used 
improper means to acquire the knowledge. The law specifically says 
that reverse engineering (decompiling) is proper, not improper, means. 

As used in this title, unless the context requires otherwise: (a) 
"Improper means" includes theft, bribery, misrepresentation, breach or 
inducement of a breach of a duty to maintain secrecy, or espionage 
through electronic or other means. Reverse engineering or independent 
derivation alone shall not be considered improper means. 

So then the question is, did Mike use reverse engineering or 
independent derivation alone? It seemed that Cisco was claiming that 
Mike's actions were improper because he violated the End User License 
Agreement, which prohibited reverse engineering. So now I was having 
fun. I'm totally interested in EULAs and the circumstances under which 
they take away public rights that are otherwise guaranteed us. 
Usually, a breach of contract is no big deal. But increasingly in the 
tech field, we're seeing big penalties for what's essentially a 
contract violation. Under the Computer Fraud and Abuse Act, if you 
exceed your authorization to access a computer, you've committed a 
crime. Cases have said you exceed authorization when you breach a 
EULA, terms of service or employment contract. Other cases have said 
that EULAs can waive fair-use rights and other rights guaranteed under 
copyright law. Lynn's case presented the question of whether EULAs 
could subvert the legislature's express desire to allow people to 
reverse-engineer trade secrets. 

I decided to get involved in the case. There were lots of ways to 
argue the case. I could say that the EULA wasn't enforceable. I could 
say that if Lynn violated the EULA, it was only at the behest of 
plaintiff ISS, and I could cross-claim for indemnification. But my 
best legal argument was that violation of an End User License 
Agreement is not a trade secret violation. "Improper means" includes a 
breach of a duty to maintain secrecy. But the EULA did not impose a 
duty to maintain secrecy. It was merely a promise not to 
reverse-engineer. A violation of that promise is a violation of 
contract, but not an improper means of discovering a trade secret. 

There was the possibility that Mike had information that was secret as 
to ISS and that he had promised to keep secret under his employment 
agreement or NDA. But the complaint didn't identify any ISS trade 
secrets, and Mike hadn't disclosed any ISS information other than 
whatever was in the presentation, so this was a great legal argument. 

Fortunately for Mike, I never got to make it to a judge, because we 
were able to settle the case within 24 hours. A lot of people have 
asked what the basis was for the injunction that the court entered, or 
why the court entered an injunction, or why Mike can't give out the 
slides from his presentation, and the answer to each question is the 
same. We agreed to an injunction to settle the case, and the reason we 
settled the case is because all Mike has to do is stuff he's mostly 
willing to do anyway, and Cisco and ISS will dismiss the lawsuit. At 
the point that you get sued, or even charged with a crime, it matters 
less what actually happened and whether you did something wrong and 
more what it takes to get out of the case as unscathed as possible. 
It's sad, but true, that our legal system can often be more strategy 
than justice. 

Though I wanted to fight the case, as a good advocate, I had to 
explore the possibility of settling it as well. (And I definitely 
didn't want to have to fly back to San Francisco for a court hearing 
the next morning!) Valentine, the Cisco/ISS lawyer, was pretty 
reasonable, and able to clearly state what exactly it was that his 
clients wanted, at least at that time of day. I went back to Lynn and 
Black Hat with his proposal and could see that we were close to an 
agreement. I called Valentine and told him, and he sent me bullet 
points representing the essence of our agreement. It was 1:30 a.m. I 
e-mailed back some comments, but we basically had a deal. Then the 
Black Hat people and I double-checked that the impounded official 
video of Lynn's presentation was safe and sound, and I went to bed. 

I woke up at 5:30 a.m. because the Black Hat lawyer and I were 
supposed to meet at 6 a.m. to get a copy of the settlement agreement 
that Valentine had courageously stayed up all night writing. We were 
hoping to get it signed before the 8:30 a.m. court hearing that day. 
Now, Valentine is licensed to practice in California and his bar 
number is close to mine, so we were admitted about the same year, and 
I imagine he's about my age, maybe a little older. At our age, staying 
up all night really sucks. For those of you in your 20s who are 
reading this, stay up all night now as much as you can before you lose 
the knack. 

By the time Valentine sent it to us, he was pretty raw, I'm sure. Not 
thinking, I redlined his proposal pretty heavily and sent it back to 
him with a breezy note. He was getting ready to leave for the court 
hearing, and I think my redlines might have broken his usually 
reasonable brain. His position basically went from "we're close to a 
deal," to "forget this, we have no deal and I've got court to go to." 
I was seriously disconcerted. If I was going to have a temporary 
restraining order hearing, I would have at least written a brief, and 
maybe even have showed up in San Francisco. I reminded Valentine that 
we'd agreed that if we were close, we'd postpone the hearing, and we 
were definitely close. He said he'd have to talk to his clients and 
he'd get back to me. 

So there I was, sitting with Mike on the Black Hat conference floor, 
unable to check my e-mail because you hackers sniff my password and 
lock me out of my own account, doing Lexis searches and waiting for 
word of whether we'd be arguing against a temporary restraining order 
in 30 minutes, or knocking out a deal. Luckily, there were bagels. 

After chilling out during his long drive, Valentine was true to his 
word, and his clients were willing to talk about a deal. We 
frantically scrambled to make the speaker phone in the hotel connect 
audibly to the conference phones in the courtroom, then told the judge 
that with a little talking, we might be able to settle the case in its 
entirety. Judges love that. So the Cisco/ISS team, which was about six 
people, retired to the attorney conference room in the lounge upstairs 
in the Federal Building, the Black Hat lawyer, Mike Lynn and I settled 
into the Black Hat suite at Caesar's Palace, and we got to work. 

Our basic agreement was that if Lynn and Black Hat agreed not to 
disseminate the presentation, the video or the decompiled code any 
further, and Lynn agreed not to disseminate any of the stuff he worked 
on while at ISS at all, then Cisco and ISS would drop the case. 
Everyone was cool with this. But if you've ever negotiated something, 
you know it is painstaking work. Even if you generally agree, you have 
to imagine everything that you might want and everything that you want 
to avoid. Then you have to draft language that describes clearly and 
precisely exactly that and no more, while still agreeing. 

We had a couple of bullet points at 1:30 a.m. the night before, but 
once you got all the lawyers together, everyone was able to think 
about other terms and conditions that might be nice to have, as well 
as things that might theoretically happen that should be prohibited. 
It's kind of a code among lawyers that what's said in settlement 
negotiations doesn't get blabbed around. When working things out for 
our clients, lawyers sometimes take unofficial positions to see how it 
sounds, or think out loud, or act more rabidly than we really feel, 
staking out a position from which we can come down. 

So I'm going to try to keep to the code but still point out a few 
things about the agreement process. Overall, the lawyers in the 
conference were relatively reasonable, under the circumstances, 
especially since there wasn't inherently a lot of trust between the 
two sides. If you read the settlement agreement, you can 
reverse-engineer the issues with which each side was concerned. 

For example, ISS and Cisco insisted on stipulating between themselves 
that they had prepared an alternative presentation "designed to 
discuss internet security, including the flaw which Lynn had 
identified, but without revealing Cisco code or pointers which might 
help enable third parties to exploit the flaw, but were informed they 
would not be allowed to present that presentation at the conference." 
We insisted that the agreement specifically state that Lynn was not 
precluded from lawful discussions of internet security using materials 
lawfully obtained. Probably the most hotly debated provision was 
paragraph 9, where we all agreed that ISS and Cisco should be able to 
reassure themselves that at the end of this matter, Lynn would not 
retain any materials to which he wasn't entitled, and we all agreed 
that Lynn and others had privacy rights that should be honored, so we 
had to work out a process that would respect both concerns. 

We worked almost nonstop from 8:30 a.m. to 2:30 p.m., running on 
caffeine and cold bagels. Some lawyers were great with punctuation, 
some with grammar. I personally spent five whole minutes convincing 
everyone to change a "which" to a "whether." Sigh. At a certain point, 
you can lose sight of the forest because of all the trees. We had 
delays exchanging versions of the settlement documents because the 
Black Hat lawyer didn't have a laptop with him, and I kept getting my 
password sniffed and locked out of my e-mail account whenever I would 
use the wireless. (Did I mention how annoying this is? Oh, well. Live 
by the sword, die by the sword.) 

But by the afternoon we had something everyone agreed upon. As we were 
wrapping up, one of the opposing lawyers asked me if I was happy. 
"Happiness is a relative term," I responded, "and I'm relatively 
happy." That afternoon we reconvened in court (the Vegas team by 
telephone) to file the document with the judge. The judge entered the 
stipulated injunction immediately, Cisco and ISS promised to dismiss 
the case once and for all when we complied with the terms, and Team 
Vegas breathed a sigh of relief and made a date to drink expensive 
champagne together that very evening. 

Meanwhile, my parents retired to Vegas and I went off to have dinner 
with my mom and sister, and do some shopping in the Forum Shops. (The 
Granicks are from New Jersey.) It was Thursday at 6 p.m., and we were 
sitting at the Chinese place there, and my mother and I had just 
ordered a gigantic two-person Mai Tai. (Photo to be posted soon. Check 
back.) I was pix-messaging a phone photo of us drinking it to my 
father when the phone rang in my hand. The message was that there were 
two FBI agents looking for me and asking questions about Mike's 
presentation, that they were wandering around the floor of the Black 
Hat conference, that they were wearing suits and couldn't be missed, 
and that they "just wanted to talk." "Fuck that," I advised. Always 
judicious when dealing with law enforcement, I excused myself from my 
family meal, and ran back to the convention center to see what was 
going on. 

To be continued.... 

[1] http://www.granick.com/blog/
[2] http://www.granick.com/blog/lynncomplaint.pdf






This archive was generated by hypermail 2.1.3 : Sun Aug 07 2005 - 22:51:50 PDT