Cisco, ISS, Michael Lynn and Black Hat sign legal accord
http://www.networkworld.com/news/2005/072805-cisco-settlement.html
By Ellen Messmer, NetworkWorld.com, 07/28/05

The dispute between Cisco, Internet Security Systems, the Black Hat
conference and a former ISS security expert - who Wednesday at the show
revealed information related to hacking Cisco routers - reached a point of
legal settlement Thursday.

Michael Lynn, who had hired high-tech defense lawyer Jennifer Granick as his
attorney as he faced legal action Wednesday by his former employer ISS and
Cisco, Thursday agreed to sign a court injunction. The injunction requires
him to return any materials or disassembled code related to Cisco and never
to discuss the materials related to the presentation he gave at the Black
Hat conference on July 27.

That talk, which he gave in spite of a prohibition from ISS, and after a
request by Cisco for it to be cancelled on Monday, pulled him into a legal
whirlwind. Cisco and ISS on Monday decided it was premature to release
sensitive information related to how unpatched Cisco routers can be hacked
and were furious when the main researcher who had uncovered the exploits
defiantly spoke out on the topic.

The agreement, signed by all the parties, also requires Black Hat to never
disseminate a video made of Lynn's presentation on July 27, and to deliver
to Cisco any video recording made of Lynn.

According to the injunction, Lynn is also forbidden from "unlawfully
disassembling or reverse engineering Cisco code in the future ... [and] using
Cisco decompiled code currently in his possession or control for any
purpose."

These restrictions raise the issue of when security research crosses the
line from altruistic, or responsible, hacking to breaking the law, experts
say.

"Reverse engineering on its own is legally OK," says Lee Bromberg, senior
partner at Bromberg & Sunstein, a Boston-based law firm
specializing in electronic intellectual property litigation. But there are
several exceptions. "If in doing this, you violate a patent, you're still
violating a patent. If you are violating a copyright, you're violating a
copyright," he says.

Violating "trade secret" agreements can be another sticky area, Bromberg
says. Such an agreement could include a non-disclosure agreement, or an
employment obligation contract, "or it could be as simple as going on the
Internet, clicking 'yes' on a piece of software's licensing terms and
conditions before installing."

In the Cisco case, "Cisco must have had some basis on which to demonstrate
to the court that the defendant had an obligation not to reverse engineer,
whether it was contractual or otherwise, or arising out of trade secret
law," he says.

Legalese aside, Cisco's move against ISS' Lynn sends the wrong message to
the security community, some in the industry say.

"Security researchers won't want to make stuff public if Cisco is just going
to come back at them with legal action," says Marc Maiffret, co-founder and chief
hacking officer of eEye Digital Security, a vulnerability research and
security vendor. "Why should someone report something to Cisco if the
company is going to act this way?" he says. "Who would want to work with a
company that's going to do stuff like this?"


