Cisco security fiasco ends with legal agreement

Rogue security researcher signs gag order.

Cisco and Internet Security Systems (ISS) have reached a legal agreement with former ISS employee Michael Lynn following this week's debacle at the Black Hat security conference.

The agreement, signed by all the parties, requires the Black Hat management to hand over a video of the presentation Lynn gave regarding security holes in Cisco's router software.

According to the injunction, Lynn is also forbidden from "unlawfully disassembling or reverse engineering Cisco code in the future ... [and] using Cisco decompiled code currently in his possession or control for any purpose."

Lynn hired high-tech defence lawyer Jennifer Granick after Cisco and ISS took legal action against him for discussing the known holes in Cisco's router software. Lynn was due to give the presentation as a representative of ISS alongside Cisco, but at the last minute Cisco pressured ISS to pull it and had the 31 pages referring to the presentation pulled out of every conference guide.

Lynn quit ISS in response and proceeded with the presentation anyway, saying that he "had to do what was right for the country and the national infrastructure".

The injunction requires him to return any materials or disassembled code related to Cisco and never to discuss the materials related to the presentation he gave at the Black Hat conference.

Cisco and ISS decided it was premature to release sensitive information related to how unpatched Cisco routers can be hacked and were furious when Lynn defiantly spoke out.

The restrictions raise the issue of when security research crosses the line from altruistic, or responsible, hacking to breaking the law, experts say.

"Reverse engineering on its own is legally OK," says Lee Bromberg, senior partner at Bromberg & Sunstein, a law firm specialising in electronic intellectual property litigation. But there are several exceptions. "If in doing this, you violate a patent, you're still violating a patent. If you are violating a copyright, you're violating a copyright," he says.

Violating "trade secret" agreements can be another sticky area, Bromberg says. Such an agreement could include a non-disclosure agreement, or an employment obligation contract, "or it could be as simple as going on the Internet, clicking 'yes' on a piece of software's licensing terms and conditions before installing."

In the Cisco case: "Cisco must have had some basis on which to demonstrate to the court that the defendant had an obligation not to reverse engineer, whether it was contractual or otherwise, or arising out of trade secret law."

Legalese aside, Cisco's move against ISS' Lynn sends the wrong message to the security community, some in the industry say. "Security researchers won't want to make stuff public if Cisco is just going to come back at them with legal action," says Marc Maiffret, co-founder and chief hacking officer of eEye Digital Security, a vulnerability research and security vendor.
"Why should someone report something to Cisco if the company is going to act this way?" he says. "Who would want to work with a company that's going to do stuff like this?"






