[ISN] Dark Cloud Hovers Over Black Hat

[InfoSec News]

http://www.wired.com/news/privacy/0,1848,69655,00.html

By Jennifer Granick
Nov. 23, 2005

Last week Black Hat, the Vegas security conference that was at the 
center of the Ciscogate controversy last summer, was purchased by CMP 
Media. The sale has the internet hens clucking about whether ownership 
by a larger, wealthier corporation will protect Black Hat from future 
legal challenges, or make it more susceptible to pressure from 
companies wanting to control vulnerability disclosures. 

The more worrisome question is why Black Hat and other purveyors of 
security information must worry so much about what they disclose. For 
better or worse, the settlement I negotiated with Cisco in its case 
against researcher Michael Lynn kept some important legal issues from 
reaching a courtroom, and these unsettled questions cast a long shadow 
over security research today. 

As a brief background, Michael, my client, worked for ISS, a company 
that provides security products and services. While there, Michael's 
job was to study Cisco products, to figure out how they worked and to 
analyze them for security flaws. Cisco did not give ISS or its 
employees Cisco source code and ISS had no nondisclosure agreement, or 
NDA, with Cisco. Michael had the typical NDA with ISS that he would 
not reveal confidential information obtained during the course of his 
employment there. 

When Michael discovered the now-famous Cisco flaw, ISS initially was 
pleased to have Michael tout the success at Black Hat. Michael's 
presentation demonstrated for the first time that it was possible to 
execute remote code on Cisco routers, and encouraged systems 
administrators running vulnerable versions to upgrade fast. 

But in the weeks leading up to the conference, Cisco and ISS butted 
heads over what information Michael would reveal about the router 
code. The day before the conference, Cisco and ISS cut a deal and 
informed Black Hat that it had to cut Michael's presentation out of 
the conference materials. Michael, concerned that important 
information was being suppressed, gave an edited version of his talk 
anyway, and by that afternoon, Cisco and ISS had jointly filed a 
federal lawsuit against Michael and Black Hat. 

Among other claims, the lawsuit alleged that Michael and Black Hat 
misappropriated trade secrets by revealing Cisco code in his 
presentation. 

In California, where Cisco is located and the lawsuit was filed, 
misappropriation means "acquisition by improper means, or disclosure 
without consent by a person who used improper means to acquire the 
knowledge." Improper means "includes theft, bribery, 
misrepresentation, breach or inducement of a breach of a duty to 
maintain secrecy, or espionage through electronic or other means." 

Importantly, "Reverse engineering or independent derivation alone 
shall not be considered improper means" under the law. 

Michael didn't steal anything, and he never had access to confidential 
Cisco source code. He took the binary distributed with every Cisco 
router, decompiled it into machine code and used some pointers to the 
machine code to illustrate the claims made in his presentation. 
Machine code is probably copyright-protected, but copyright's fair-use 
doctrine allows some copying for the purpose of critique and study. 

California law makes it clear that people are allowed to study 
products on the market, and that a trade secret loses its special 
status when a company sells it to the public. When a company 
distributes confidential information to insiders, it can assure that 
that information remains protected by requiring the employee or 
contractor to sign an NDA. 

Since Michael was not under an NDA with Cisco, he and Black Hat should 
have been in the clear. (At some point, Cisco and ISS lawyers claimed 
that Michael's NDA with ISS prevented him from reporting information 
he learned on the job about Cisco products, but arguing that Cisco 
flaws are ISS confidential information is a real stretch.) 

But what about the Cisco End User License Agreement that ships with 
the router code? That's where things get interesting, and troubling 
for Black Hat's future. 

Almost every piece of software today comes with a click-through EULA 
that purports to regulate how customers can use the product, including 
a limitation on reverse engineering. Companies have argued that the 
EULA has the exact same effect as an NDA -- essentially letting every 
single customer in on a "secret" that they're legally obliged to 
protect. 

If courts adopt this view, instead of keeping insiders loyal, 
trade-secret law can help companies force the public not to discuss 
published information. 

And if EULAs do confer trade-secret protection, that might mean 
magazines, newspapers and conferences have a duty to screen 
information to make sure it wasn't obtained by prohibited reverse 
engineering. 

In a variety of cases, courts have held that the press has a right to 
disseminate information of a public concern even if it was illegally 
obtained. In the Pentagon Papers case, The New York Times battled the 
Nixon White House over its right to publish a secret Department of 
Defense report on U.S. involvement in Vietnam that had been leaked by 
DOD employee Daniel Ellsberg. The Times won and the documents were 
published, calling the government version of the nation's decision to 
go to war into question. 

In Barnicki v. Vopper, the Supreme Court said that a radio station 
could not be sued for playing a tape of an illegally intercepted 
telephone call between two union leaders involved in a matter of 
public interest, even though it knew that the person who recorded the 
call did so illegally, in violation of the Wiretap Act. 

Those are good decisions. But one of the only cases that addressed the 
issue of trade-secret publishers went the other way. 

In a lawsuit filed by the DVD Copy Control Association against a 
California man who posted the DeCSS DVD-decryption code on his 
website, the California Supreme Court held that the First Amendment 
doesn't mean courts can't stop people from publishing trade secrets 
when the publisher knows or has reason to know that the information 
was acquired by improper means. 

That case is different from the Pentagon Papers case and Barnicki 
because the court found that DeCSS wasn't a matter of public interest. 
Of course, most security vulnerabilities are, especially those that 
affect the machines that form the backbone of the internet. 

Today, it's unclear how a court would rule in a trade-secret case 
where Cisco sued ISS for violating the prohibition against reverse 
engineering. 

The rule should be that EULAs don't make published information secret, 
under any circumstance. The contrary would be dangerous for Black Hat, 
Michael, future bug finders and computer security. 

And while trade-secret law can prohibit accomplices and 
co-conspirators from publishing stolen data, reporters who merely know 
that information was improperly obtained should have a free-speech 
right to publish -- especially if the information reaches a matter of 
public interest, like the safety and security of the foundation of the 
internet. 

- - - 

Jennifer Granick is executive director of the Stanford Law School 
Center for Internet and Society, and teaches the Cyberlaw Clinic.