[ISN] More Tales From 'Ciscogate'
InfoSec News
isn at c4i.org
Tue Aug 9 04:48:16 EDT 2005
http://www.wired.com/news/technology/0,1282,68466,00.html
By Jennifer Granick
Aug. 08, 2005
Attorney Jennifer Granick represented computer security researcher
Michael Lynn in his conflict with Cisco and ISS at the Black Hat
conference. The following is reprinted from her blog [1] with
permission.
The story so far [2]:
Cisco and Internet Security Systems sued Mike Lynn and Black Hat
immediately following Mike's speech on vulnerabilities in Cisco's
widely used internet routers. The lawyers scrambled, and we were able
to settle the case cheaply and expeditiously within 24 hours. We had
plans to drink expensive champagne. But then, mere hours after we
filed the settlement papers, FBI agents showed up on the conference
floor and started asking questions.
I hurried away from my mother and our giant mai tai to the Black Hat
area, where I found two men, obviously FBI agents, talking with the
Black Hat lawyer. The agents told us that they were from the Las Vegas
office, that they were visiting at the request of the Atlanta office
(close to where both Lynn and ISS are located) and that they weren't
currently interested in talking with Mike.
One of the very next things I did was call Andrew Valentine, the
Cisco/ISS lawyer. After spending hours working together, settling this
case, after the bonhomie and the virtual handshakes, they'd still have
a federal investigation hanging over our heads? I was really mad.
Unfortunately, Valentine didn't answer the phone. If he had, I would
have learned that he didn't know about the federal investigation.
Instead, I left him a voicemail in which I definitely used the word
"sleazy" more than once.
I then turned on the general counsel for Cisco and the outside lawyer
for ISS. Both calmly informed me that they hadn't known about the
federal investigation before my call. Valentine got one more call from
me, apologizing for assuming he'd screwed us over.
The next step was to find out the extent of the federal interest in
this matter and what they were investigating. I'm limited about what I
can say on this point, as it is rarely a good idea to talk about the
details of an ongoing federal investigation. I will say that there are
currently no criminal charges, and I'm confident that there won't ever
be, that the investigation soon will end, and that Mike will be able
to go on with his life.
I can talk about the work I did and everything that unraveled next,
however. This should give you some idea of what a lawyer's job entails
when she's not in court.
The first thing I did was go back to my room and call the Las Vegas
FBI office. I notified the agent in charge that I represented Mike
Lynn and that he was asserting his Fifth and Sixth Amendment rights
not to be questioned outside my presence. (Tip: Always assert both
your right to remain silent and your right to have an attorney
present.) I asked to confirm that there was no arrest warrant, and the
person answering the phone said she'd leave a message for the lead
agent.
I then did the same for the Atlanta office. I asserted Mike's
constitutional rights on his behalf, and asked for confirmation that
there was no arrest warrant. I also wanted to learn who the assistant
U.S. attorney on the case was. Every federal investigation has a
prosecutor assigned to it, even before charges are filed. The
prosecutor is the person to convince of your client's innocence, or at
the very least, that your client should be allowed to self-surrender
on a warrant rather than getting nabbed in front of his children or at
work. (Another tip: Don't try to convince law enforcement of your own
innocence. Get a lawyer. Really.)
The agent who answered at the Atlanta office told me he'd leave a
message and get back to me. It was 9 p.m. Vegas time and midnight on
the East Coast. I figured everything probably would be all right, at
least until the morning, and I could go to the Microsoft party at
Pure, the new nightclub in Caesar's Palace. I left a message for Mike
on his friend's phone, since his own mobile phone had spitefully
decided to die.
Pure was a little cavernous for the size of our crowd, but it looks
great: a dark dance floor framed by white gauzy private tables. They
didn't have Rumplemintz, now my new favorite drink, but they did have
a full bar, and I was up for a drink. I hadn't been to any talks or
chatted with anyone at the conference, so this was my first chance to
talk to other attendees. And great people were at this party. I met
the unindicted co-conspirator of one of my past clients as well as an
old hacker friend turned spook turned respectable private citizen who
I hadn't seen in several years.
Then my cell phone began to ring.
I want to give a little background before I chronicle the hysteria of
the next three hours. First, everyone at the conference knew
immediately that FBI agents had come by asking questions about Mike
and the Cisco IOS presentation. The agents stuck out in the crowd
because of their business suits. Though both lacked the tell-tale
facial hair that often characterizes county officials, they were
clearly law enforcement.
Second, the Black Hat/DefCon crowd is filled with both conspiracy
theorists and reporters, and sometimes the two types overlap. So all
the hens were clucking, passing stories to each other and distorting
the information between tellings.
When my phone started to ring, it was friends of mine, friends of
Mike's and various reporters calling. I received about five calls, all
with rumors that Mike was in the process of getting arrested, in
custody, that his house in Atlanta had been raided, or that agents
were swarming the hotel looking for him. I tried but couldn't reach
Mike.
Worried, I gathered my stuff and left the party, returning to my room
to call the government, just as Pure was shooing all the hackers out
to make room for the beautiful people of Vegas. It was 11:30 p.m.
I called the Las Vegas FBI office. The agent told me he couldn't check
on arrest warrant information without Mike's date of birth. I
estimated the year, but that wasn't good enough. I had to talk to
Mike, but his cell phone was dead. Again, I left a message with
friends.
Then I called the Atlanta office. The night agent was extremely
helpful, but it was 3 a.m. there, the office was closed and the agents
had all gone home. The night person gave me the name of the Atlanta
agent and said she would have him call me first thing the next day.
She had no other information for me.
My phone rang and it was Mike, not yet arrested after all, calling
with his birth date. Relieved, I called the Las Vegas office. But
between now and my last call, the only agent on duty had gone home.
The woman answering the phone was just a clerk and said she couldn't
give me any information until the office reopened the next morning.
Just because he wasn't arrested didn't mean he wouldn't be, so I had
to know about the arrest warrant. But this clerk wasn't talking.
One of the things they don't tell you in law school is how much
schmoozing the job requires. They also don't train you how to
calculate whether being sweet, being annoying or being self-righteous
will best help you get your way. Only experience can really teach
this. I opted for a combination of all three.
I explained how worried I was, how my client was a nice young man,
more than willing to turn himself over and save everyone a lot of
trouble if only she could help me. Then I suggested it was their fault
we were all in this situation. After all, I called just a half hour
ago. No one told me that the office would close. If I had known, I
would have done things differently. I need this information. If you
want this guy, I have him right here, I said. I kept asking the same
questions different ways. The agent became a little annoyed with me,
but then promised to call the Las Vegas agent I'd met and leave him a
message. "Will he call me back tonight?" I asked. "Maybe," she said.
And we hung up the phone.
Amazingly, he did call me back that night. Groggy from sleep, the
agent called me from his cell phone at 12:30 a.m. He told me there was
no arrest warrant and no agents from his office looking for Mike. I
was surprised and grateful for the call, and very impressed with the
agent's consideration.
So I called Mike again, and told him to come meet me at the Caesar's
Palace bar. I bought him and his friend a drink, and reassured him
that arrest was not imminent. Our work was done until tomorrow
morning. Some shmoo friends joined us and we all headed to Tangerine
at Treasure Island, where the Microsoft party crowd had gone, to try
to salvage the rest of the night.
At Tangerine, there was a long line waiting to get in. My schmoozing
abilities were already warmed up, so I walked up to the bouncer at the
VIP door and simply asked to be let in. The bouncer agreed and I was
escorted inside. I waited for Mike and his friends, but as far as I
know, they didn't make it in after me. I thought about going back to
the bouncer to advocate for them, but decided against it. "I can only
do so much," I told myself. "I'm just a lawyer."
In one of the more intelligent moves of the day, I left Tangerine at
the reasonable hour of 3 a.m. and headed home for some sleep,
confident that Mike was definitely not in jail.
My phone rang the next morning at 5 a.m. It was the Atlanta FBI agent,
responsibly returning my call first thing in the morning, exactly as
I'd asked him to do. It had seemed like a good idea to be called at
first light when I hadn't known whether my client was in jail. We had
a conversation, and I think it went well. That's all I can tell you. A
reporter's call woke me next at 7 a.m. Sleepily, I decided that I
should confirm the existence of a federal investigation, but assure
people that the rumors of incarceration and computer seizures were
false.
I was pretty awake after that call, or at least I wasn't about to go
back to sleep, and apparently I'd received the name and number of the
assistant U.S. attorney when the Atlanta agent called earlier, so I
called him. I then called Mike to meet me so I could update him on
that conversation.
On the way to talk to Mike, I got a text message from the Cisco
general counsel, returning my call from the night before, stating he
had information for me and asking me to call him. I almost didn't
call, because by now I'd already talked to the government and knew
what was happening. But since he was nice enough to get back to me, I
dialed him on my way out the door. He informed me that, in direct
violation of the court-ordered settlement injunction filed just the
day before, someone had failed to take Mike Lynn's presentation off of
the Black Hat web server. He told me to prepare to go back to court
for a possible contempt hearing later that day.
A little frazzled, I hurried down to the Caesar's coffee shop to meet
Mike. But I'd forgotten to put in my contact lenses, and didn't
realize until I got off the elevator. I couldn't even see if Mike was
waiting for me or not. It was going to be another long day.
The Black Hat lawyer scrambled to undo the damage. Mike wasn't
responsible for the Black Hat server, but this was a serious gaffe
that could scuttle the whole settlement we'd worked so hard to obtain.
Eventually, through an excess of diplomacy, Black Hat was able to
convince the plaintiffs' lawyers that the error was inadvertent and
that the settlement should go forward. No one was having an easy week.
Meanwhile, people were still calling me with arrest rumors and tales
of Atlanta search-warrant executions. I was pulled out of one DefCon
talk three separate times to confront rumors that Mike hadn't made it
through security at the airport. One caller told me he had received
that bad news directly from Mike. But upon further questioning, I
learned that they had last talked an hour earlier than when I last
talked with my client and everything had been fine. Everyone means
well, but when dealing with something like a federal investigation
that they don't understand and don't trust, the truth is hard to find.
Today, Mike's responsibilities under the settlement agreement are
almost complete, and I expect the civil case to be dismissed very
soon. As for the federal investigation, there was only so much more I
could do for Mike in Las Vegas. He would return to Atlanta and I to
San Francisco. An Atlanta lawyer who was familiar with the U.S.
attorney's office there would be in a better location to monitor the
situation on the ground. When Mike returned to Atlanta, he hired a
great lawyer there. I'm optimistic about the outcome and looking
forward to the day when Mike and I get to have that glass of
champagne. Mike quit his job to give a presentation his employer
didn't want him to give. But he did so out of a sense of
responsibility to internet security. I'm proud that my employment [3]
doesn't make me choose between the two.
-=-
[1] http://www.granick.com/blog/
[2] http://www.wired.com/news/technology/0,1282,68435,00.html
[3] http://cyberlaw.stanford.edu/