The dispute between Cisco, Internet Security Systems, the Black Hat conference and a former ISS security expert - who Wednesday at the show revealed information related to hacking Cisco routers - reached a point of legal settlement Thursday.
Michael Lynn, who had hired high-tech defense lawyer Jennifer Grannick as his attorney as he faced legal action Wednesday from his former employer ISS and Cisco, Thursday agreed to sign a court injunction. The injunction requires him to return any materials or disassembled code related to Cisco and never to discuss the materials related to the presentation he gave at the Black Hat conference on July 27.
That talk, which he gave in spite of a prohibition from ISS, and after a request by Cisco for it to be canceled on Monday, pulled him into a legal whirlwind. Cisco and ISS on Monday decided it was premature to release sensitive information related to how unpatched Cisco routers can be hacked and were furious when the main researcher who had uncovered the exploits defiantly spoke out on the topic.
The agreement, signed by all parties, also requires Black Hat to never disseminate a video made of Lynn’s presentation on July 27 and to deliver to Cisco any video recording made of Lynn.
According to the injunction Lynn is also forbidden from “unlawfully disassembling or reverse engineering Cisco code in the future… [and] using Cisco decompiled code currently in his possession or control for any purpose.”
These restrictions raise the issues of when security research crosses the line from the side of altruistic or responsible hacking to breaking the law, experts say.
“Reverse engineering on its own is legally OK,” says Lee Bromberg, senior partner for Bromberg & Sunstein, a Boston law firm specializing in electronic intellectual property litigation. But there are several exceptions. “If in doing this, you violate a patent, you’re still violating a patent. If you are violating a copyright, you’re violating a copyright,” he says.
Violating “trade secret” agreements can be another sticky area, Bromberg says. Such an agreement could include a non-disclosure agreement, or an employment obligation contract, “or it could be as simple as going on the Internet, clicking ‘yes’ on a piece of software’s licensing terms and conditions before installing.”
In the Cisco case, “ Cisco must have had some basis on which to demonstrate to the court that the defendant had an obligation not to reverse-engineer, whether it was contractual or otherwise, or arising out of trade secret law, “ he says.
Legalese aside, Cisco’s move against ISS’s Lynn sends the wrong message to the security community, some in the industry say.
“Security researchers won’t want to make stuff public if Cisco is just going to come back at them with legal action,” Marc Maiffret, co-founder and chief hacking officer of eEye Digital Security, a vulnerability research and security vendor. “Why should someone report something to Cisco if the company is going to act this way?” he says. “Who would want to work with a company that’s going to do stuff like this?”