[ISN] More Tales From 'Ciscogate'
isn at c4i.org
Tue Aug 9 04:48:16 EDT 2005
By Jennifer Granick
Aug. 08, 2005
Attorney Jennifer Granick represented computer security researcher
Michael Lynn in his conflict with Cisco and ISS at the Black Hat
conference. The following is reprinted from her blog  with
The story so far :
Cisco and Internet Security Systems sued Mike Lynn and Black Hat
immediately following Mike's speech on vulnerabilities in Cisco's
widely used internet routers. The lawyers scrambled, and we were able
to settle the case cheaply and expeditiously within 24 hours. We had
plans to drink expensive champagne. But then, mere hours after we
filed the settlement papers, FBI agents showed up on the conference
floor and started asking questions.
I hurried away from my mother and our giant mai tai to the Black Hat
area, where I found two men, obviously FBI agents, talking with the
Black Hat lawyer. The agents told us that they were from the Las Vegas
office, that they were visiting at the request of the Atlanta office
(close to where both Lynn and ISS are located) and that they weren't
currently interested in talking with Mike.
One of the very next things I did was call Andrew Valentine, the
Cisco/ISS lawyer. After spending hours working together, settling this
case, after the bonhomie and the virtual handshakes, they'd still have
a federal investigation hanging over our heads? I was really mad.
Unfortunately, Valentine didn't answer the phone. If he had, I would
have learned that he didn't know about the federal investigation.
Instead, I left him a voicemail in which I definitely used the word
"sleazy" more than once.
I then turned on the general counsel for Cisco and the outside lawyer
for ISS. Both calmly informed me that they hadn't known about the
federal investigation before my call. Valentine got one more call from
me, apologizing for assuming he'd screwed us over.
The next step was to find out the extent of the federal interest in
this matter and what they were investigating. I'm limited about what I
can say on this point, as it is rarely a good idea to talk about the
details of an ongoing federal investigation. I will say that there are
currently no criminal charges, and I'm confident that there won't ever
be, that the investigation soon will end, and that Mike will be able
to go on with his life.
I can talk about the work I did and everything that unraveled next,
however. This should give you some idea of what a lawyer's job entails
when she's not in court.
The first thing I did was go back to my room and call the Las Vegas
FBI office. I notified the agent in charge that I represented Mike
Lynn and that he was asserting his Fifth and Sixth Amendment rights
not to be questioned outside my presence. (Tip: Always assert both
your right to remain silent and your right to have an attorney
present.) I asked to confirm that there was no arrest warrant, and the
person answering the phone said she'd leave a message for the lead
I then did the same for the Atlanta office. I asserted Mike's
constitutional rights on his behalf, and asked for confirmation that
there was no arrest warrant. I also wanted to learn who the assistant
U.S. attorney on the case was. Every federal investigation has a
prosecutor assigned to it, even before charges are filed. The
prosecutor is the person to convince of your client's innocence, or at
the very least, that your client should be allowed to self-surrender
on a warrant rather than getting nabbed in front of his children or at
work. (Another tip: Don't try to convince law enforcement of your own
innocence. Get a lawyer. Really.)
The agent who answered at the Atlanta office told me he'd leave a
message and get back to me. It was 9 p.m. Vegas time and midnight on
the East Coast. I figured everything probably would be all right, at
least until the morning, and I could go to the Microsoft party at
Pure, the new nightclub in Caesar's Palace. I left a message for Mike
on his friend's phone, since his own mobile phone had spitefully
decided to die.
Pure was a little cavernous for the size of our crowd, but it looks
great: a dark dance floor framed by white gauzy private tables. They
didn't have Rumplemintz, now my new favorite drink, but they did have
a full bar, and I was up for a drink. I hadn't been to any talks or
chatted with anyone at the conference, so this was my first chance to
talk to other attendees. And great people were at this party. I met
the unindicted co-conspirator of one of my past clients as well as an
old hacker friend turned spook turned respectable private citizen who
I hadn't seen in several years.
Then my cell phone began to ring.
I want to give a little background before I chronicle the hysteria of
the next three hours. First, everyone at the conference knew
immediately that FBI agents had come by asking questions about Mike
and the Cisco IOS presentation. The agents stuck out in the crowd
because of their business suits. Though both lacked the tell-tale
facial hair that often characterizes county officials, they were
clearly law enforcement.
Second, the Black Hat/DefCon crowd is filled with both conspiracy
theorists and reporters, and sometimes the two types overlap. So all
the hens were clucking, passing stories to each other and distorting
the information between tellings.
When my phone started to ring, it was friends of mine, friends of
Mike's and various reporters calling. I received about five calls, all
with rumors that Mike was in the process of getting arrested, in
custody, that his house in Atlanta had been raided, or that agents
were swarming the hotel looking for him. I tried but couldn't reach
Worried, I gathered my stuff and left the party, returning to my room
to call the government, just as Pure was shooing all the hackers out
to make room for the beautiful people of Vegas. It was 11:30 p.m.
I called the Las Vegas FBI office. The agent told me he couldn't check
on arrest warrant information without Mike's date of birth. I
estimated the year, but that wasn't good enough. I had to talk to
Mike, but his cell phone was dead. Again, I left a message with
Then I called the Atlanta office. The night agent was extremely
helpful, but it was 3 a.m. there, the office was closed and the agents
had all gone home. The night person gave me the name of the Atlanta
agent and said she would have him call me first thing the next day.
She had no other information for me.
My phone rang and it was Mike, not yet arrested after all, calling
with his birth date. Relieved, I called the Las Vegas office. But
between now and my last call, the only agent on duty had gone home.
The woman answering the phone was just a clerk and said she couldn't
give me any information until the office reopened the next morning.
Just because he wasn't arrested didn't mean he wouldn't be, so I had
to know about the arrest warrant. But this clerk wasn't talking.
One of the things they don't tell you in law school is how much
schmoozing the job requires. They also don't train you how to
calculate whether being sweet, being annoying or being self-righteous
will best help you get your way. Only experience can really teach
this. I opted for a combination of all three.
I explained how worried I was, how my client was a nice young man,
more than willing to turn himself over and save everyone a lot of
trouble if only she could help me. Then I suggested it was their fault
we were all in this situation. After all, I called just a half hour
ago. No one told me that the office would close. If I had known, I
would have done things differently. I need this information. If you
want this guy, I have him right here, I said. I kept asking the same
questions different ways. The agent became a little annoyed with me,
but then promised to call the Las Vegas agent I'd met and leave him a
message. "Will he call me back tonight?" I asked. "Maybe," she said.
And we hung up the phone.
Amazingly, he did call me back that night. Groggy from sleep, the
agent called me from his cell phone at 12:30 a.m. He told me there was
no arrest warrant and no agents from his office looking for Mike. I
was surprised and grateful for the call, and very impressed with the
So I called Mike again, and told him to come meet me at the Caesar's
Palace bar. I bought him and his friend a drink, and reassured him
that arrest was not imminent. Our work was done until tomorrow
morning. Some shmoo friends joined us and we all headed to Tangerine
at Treasure Island, where the Microsoft party crowd had gone, to try
to salvage the rest of the night.
At Tangerine, there was a long line waiting to get in. My schmoozing
abilities were already warmed up, so I walked up to the bouncer at the
VIP door and simply asked to be let in. The bouncer agreed and I was
escorted inside. I waited for Mike and his friends, but as far as I
know, they didn't make it in after me. I thought about going back to
the bouncer to advocate for them, but decided against it. "I can only
do so much," I told myself. "I'm just a lawyer."
In one of the more intelligent moves of the day, I left Tangerine at
the reasonable hour of 3 a.m. and headed home for some sleep,
confident that Mike was definitely not in jail.
My phone rang the next morning at 5 a.m. It was the Atlanta FBI agent,
responsibly returning my call first thing in the morning, exactly as
I'd asked him to do. It had seemed like a good idea to be called at
first light when I hadn't known whether my client was in jail. We had
a conversation, and I think it went well. That's all I can tell you. A
reporter's call woke me next at 7 a.m. Sleepily, I decided that I
should confirm the existence of a federal investigation, but assure
people that the rumors of incarceration and computer seizures were
I was pretty awake after that call, or at least I wasn't about to go
back to sleep, and apparently I'd received the name and number of the
assistant U.S. attorney when the Atlanta agent called earlier, so I
called him. I then called Mike to meet me so I could update him on
On the way to talk to Mike, I got a text message from the Cisco
general counsel, returning my call from the night before, stating he
had information for me and asking me to call him. I almost didn't
call, because by now I'd already talked to the government and knew
what was happening. But since he was nice enough to get back to me, I
dialed him on my way out the door. He informed me that, in direct
violation of the court-ordered settlement injunction filed just the
day before, someone had failed to take Mike Lynn's presentation off of
the Black Hat web server. He told me to prepare to go back to court
for a possible contempt hearing later that day.
A little frazzled, I hurried down to the Caesar's coffee shop to meet
Mike. But I'd forgotten to put in my contact lenses, and didn't
realize until I got off the elevator. I couldn't even see if Mike was
waiting for me or not. It was going to be another long day.
The Black Hat lawyer scrambled to undo the damage. Mike wasn't
responsible for the Black Hat server, but this was a serious gaffe
that could scuttle the whole settlement we'd worked so hard to obtain.
Eventually, through an excess of diplomacy, Black Hat was able to
convince the plaintiffs' lawyers that the error was inadvertent and
that the settlement should go forward. No one was having an easy week.
Meanwhile, people were still calling me with arrest rumors and tales
of Atlanta search-warrant executions. I was pulled out of one DefCon
talk three separate times to confront rumors that Mike hadn't made it
through security at the airport. One caller told me he had received
that bad news directly from Mike. But upon further questioning, I
learned that they had last talked an hour earlier than when I last
talked with my client and everything had been fine. Everyone means
well, but when dealing with something like a federal investigation
that they don't understand and don't trust, the truth is hard to find.
Today, Mike's responsibilities under the settlement agreement are
almost complete, and I expect the civil case to be dismissed very
soon. As for the federal investigation, there was only so much more I
could do for Mike in Las Vegas. He would return to Atlanta and I to
San Francisco. An Atlanta lawyer who was familiar with the U.S.
attorney's office there would be in a better location to monitor the
situation on the ground. When Mike returned to Atlanta, he hired a
great lawyer there. I'm optimistic about the outcome and looking
forward to the day when Mike and I get to have that glass of
champagne. Mike quit his job to give a presentation his employer
didn't want him to give. But he did so out of a sense of
responsibility to internet security. I'm proud that my employment 
doesn't make me choose between the two.
More information about the ISN