http://www.wired.com/news/technology/0,1282,68466,00.html By Jennifer Granick Aug. 08, 2005 Attorney Jennifer Granick represented computer security researcher Michael Lynn in his conflict with Cisco and ISS at the Black Hat conference. The following is reprinted from her blog [1] with permission. The story so far [2]: Cisco and Internet Security Systems sued Mike Lynn and Black Hat immediately following Mike's speech on vulnerabilities in Cisco's widely used internet routers. The lawyers scrambled, and we were able to settle the case cheaply and expeditiously within 24 hours. We had plans to drink expensive champagne. But then, mere hours after we filed the settlement papers, FBI agents showed up on the conference floor and started asking questions. I hurried away from my mother and our giant mai tai to the Black Hat area, where I found two men, obviously FBI agents, talking with the Black Hat lawyer. The agents told us that they were from the Las Vegas office, that they were visiting at the request of the Atlanta office (close to where both Lynn and ISS are located) and that they weren't currently interested in talking with Mike. One of the very next things I did was call Andrew Valentine, the Cisco/ISS lawyer. After spending hours working together, settling this case, after the bonhomie and the virtual handshakes, they'd still have a federal investigation hanging over our heads? I was really mad. Unfortunately, Valentine didn't answer the phone. If he had, I would have learned that he didn't know about the federal investigation. Instead, I left him a voicemail in which I definitely used the word "sleazy" more than once. I then turned on the general counsel for Cisco and the outside lawyer for ISS. Both calmly informed me that they hadn't known about the federal investigation before my call. Valentine got one more call from me, apologizing for assuming he'd screwed us over. The next step was to find out the extent of the federal interest in this matter and what they were investigating. I'm limited about what I can say on this point, as it is rarely a good idea to talk about the details of an ongoing federal investigation. I will say that there are currently no criminal charges, and I'm confident that there won't ever be, that the investigation soon will end, and that Mike will be able to go on with his life. I can talk about the work I did and everything that unraveled next, however. This should give you some idea of what a lawyer's job entails when she's not in court. The first thing I did was go back to my room and call the Las Vegas FBI office. I notified the agent in charge that I represented Mike Lynn and that he was asserting his Fifth and Sixth Amendment rights not to be questioned outside my presence. (Tip: Always assert both your right to remain silent and your right to have an attorney present.) I asked to confirm that there was no arrest warrant, and the person answering the phone said she'd leave a message for the lead agent. I then did the same for the Atlanta office. I asserted Mike's constitutional rights on his behalf, and asked for confirmation that there was no arrest warrant. I also wanted to learn who the assistant U.S. attorney on the case was. Every federal investigation has a prosecutor assigned to it, even before charges are filed. The prosecutor is the person to convince of your client's innocence, or at the very least, that your client should be allowed to self-surrender on a warrant rather than getting nabbed in front of his children or at work. (Another tip: Don't try to convince law enforcement of your own innocence. Get a lawyer. Really.) The agent who answered at the Atlanta office told me he'd leave a message and get back to me. It was 9 p.m. Vegas time and midnight on the East Coast. I figured everything probably would be all right, at least until the morning, and I could go to the Microsoft party at Pure, the new nightclub in Caesar's Palace. I left a message for Mike on his friend's phone, since his own mobile phone had spitefully decided to die. Pure was a little cavernous for the size of our crowd, but it looks great: a dark dance floor framed by white gauzy private tables. They didn't have Rumplemintz, now my new favorite drink, but they did have a full bar, and I was up for a drink. I hadn't been to any talks or chatted with anyone at the conference, so this was my first chance to talk to other attendees. And great people were at this party. I met the unindicted co-conspirator of one of my past clients as well as an old hacker friend turned spook turned respectable private citizen who I hadn't seen in several years. Then my cell phone began to ring. I want to give a little background before I chronicle the hysteria of the next three hours. First, everyone at the conference knew immediately that FBI agents had come by asking questions about Mike and the Cisco IOS presentation. The agents stuck out in the crowd because of their business suits. Though both lacked the tell-tale facial hair that often characterizes county officials, they were clearly law enforcement. Second, the Black Hat/DefCon crowd is filled with both conspiracy theorists and reporters, and sometimes the two types overlap. So all the hens were clucking, passing stories to each other and distorting the information between tellings. When my phone started to ring, it was friends of mine, friends of Mike's and various reporters calling. I received about five calls, all with rumors that Mike was in the process of getting arrested, in custody, that his house in Atlanta had been raided, or that agents were swarming the hotel looking for him. I tried but couldn't reach Mike. Worried, I gathered my stuff and left the party, returning to my room to call the government, just as Pure was shooing all the hackers out to make room for the beautiful people of Vegas. It was 11:30 p.m. I called the Las Vegas FBI office. The agent told me he couldn't check on arrest warrant information without Mike's date of birth. I estimated the year, but that wasn't good enough. I had to talk to Mike, but his cell phone was dead. Again, I left a message with friends. Then I called the Atlanta office. The night agent was extremely helpful, but it was 3 a.m. there, the office was closed and the agents had all gone home. The night person gave me the name of the Atlanta agent and said she would have him call me first thing the next day. She had no other information for me. My phone rang and it was Mike, not yet arrested after all, calling with his birth date. Relieved, I called the Las Vegas office. But between now and my last call, the only agent on duty had gone home. The woman answering the phone was just a clerk and said she couldn't give me any information until the office reopened the next morning. Just because he wasn't arrested didn't mean he wouldn't be, so I had to know about the arrest warrant. But this clerk wasn't talking. One of the things they don't tell you in law school is how much schmoozing the job requires. They also don't train you how to calculate whether being sweet, being annoying or being self-righteous will best help you get your way. Only experience can really teach this. I opted for a combination of all three. I explained how worried I was, how my client was a nice young man, more than willing to turn himself over and save everyone a lot of trouble if only she could help me. Then I suggested it was their fault we were all in this situation. After all, I called just a half hour ago. No one told me that the office would close. If I had known, I would have done things differently. I need this information. If you want this guy, I have him right here, I said. I kept asking the same questions different ways. The agent became a little annoyed with me, but then promised to call the Las Vegas agent I'd met and leave him a message. "Will he call me back tonight?" I asked. "Maybe," she said. And we hung up the phone. Amazingly, he did call me back that night. Groggy from sleep, the agent called me from his cell phone at 12:30 a.m. He told me there was no arrest warrant and no agents from his office looking for Mike. I was surprised and grateful for the call, and very impressed with the agent's consideration. So I called Mike again, and told him to come meet me at the Caesar's Palace bar. I bought him and his friend a drink, and reassured him that arrest was not imminent. Our work was done until tomorrow morning. Some shmoo friends joined us and we all headed to Tangerine at Treasure Island, where the Microsoft party crowd had gone, to try to salvage the rest of the night. At Tangerine, there was a long line waiting to get in. My schmoozing abilities were already warmed up, so I walked up to the bouncer at the VIP door and simply asked to be let in. The bouncer agreed and I was escorted inside. I waited for Mike and his friends, but as far as I know, they didn't make it in after me. I thought about going back to the bouncer to advocate for them, but decided against it. "I can only do so much," I told myself. "I'm just a lawyer." In one of the more intelligent moves of the day, I left Tangerine at the reasonable hour of 3 a.m. and headed home for some sleep, confident that Mike was definitely not in jail. My phone rang the next morning at 5 a.m. It was the Atlanta FBI agent, responsibly returning my call first thing in the morning, exactly as I'd asked him to do. It had seemed like a good idea to be called at first light when I hadn't known whether my client was in jail. We had a conversation, and I think it went well. That's all I can tell you. A reporter's call woke me next at 7 a.m. Sleepily, I decided that I should confirm the existence of a federal investigation, but assure people that the rumors of incarceration and computer seizures were false. I was pretty awake after that call, or at least I wasn't about to go back to sleep, and apparently I'd received the name and number of the assistant U.S. attorney when the Atlanta agent called earlier, so I called him. I then called Mike to meet me so I could update him on that conversation. On the way to talk to Mike, I got a text message from the Cisco general counsel, returning my call from the night before, stating he had information for me and asking me to call him. I almost didn't call, because by now I'd already talked to the government and knew what was happening. But since he was nice enough to get back to me, I dialed him on my way out the door. He informed me that, in direct violation of the court-ordered settlement injunction filed just the day before, someone had failed to take Mike Lynn's presentation off of the Black Hat web server. He told me to prepare to go back to court for a possible contempt hearing later that day. A little frazzled, I hurried down to the Caesar's coffee shop to meet Mike. But I'd forgotten to put in my contact lenses, and didn't realize until I got off the elevator. I couldn't even see if Mike was waiting for me or not. It was going to be another long day. The Black Hat lawyer scrambled to undo the damage. Mike wasn't responsible for the Black Hat server, but this was a serious gaffe that could scuttle the whole settlement we'd worked so hard to obtain. Eventually, through an excess of diplomacy, Black Hat was able to convince the plaintiffs' lawyers that the error was inadvertent and that the settlement should go forward. No one was having an easy week. Meanwhile, people were still calling me with arrest rumors and tales of Atlanta search-warrant executions. I was pulled out of one DefCon talk three separate times to confront rumors that Mike hadn't made it through security at the airport. One caller told me he had received that bad news directly from Mike. But upon further questioning, I learned that they had last talked an hour earlier than when I last talked with my client and everything had been fine. Everyone means well, but when dealing with something like a federal investigation that they don't understand and don't trust, the truth is hard to find. Today, Mike's responsibilities under the settlement agreement are almost complete, and I expect the civil case to be dismissed very soon. As for the federal investigation, there was only so much more I could do for Mike in Las Vegas. He would return to Atlanta and I to San Francisco. An Atlanta lawyer who was familiar with the U.S. attorney's office there would be in a better location to monitor the situation on the ground. When Mike returned to Atlanta, he hired a great lawyer there. I'm optimistic about the outcome and looking forward to the day when Mike and I get to have that glass of champagne. Mike quit his job to give a presentation his employer didn't want him to give. But he did so out of a sense of responsibility to internet security. I'm proud that my employment [3] doesn't make me choose between the two. -=- [1] http://www.granick.com/blog/ [2] http://www.wired.com/news/technology/0,1282,68435,00.html [3] http://cyberlaw.stanford.edu/ _________________________________________ Attend ToorCon Sept 16-18th, 2005 Convention Center San Diego, California www.toorcon.org
This archive was generated by hypermail 2.1.3 : Tue Aug 09 2005 - 02:15:43 PDT