Saturday, July 30, 2005

ISS Pursues Lynn Presentation Copies

It looks like I spoke too soon about the Lynn affair being closed. ISS is now pursuing Web sites posting Mike Lynn's presentation. For example, Rick Forno has removed his copy of the Lynn slides after receiving a cease-and-desist letter from lawyers representing ISS. The document (.pdf), by DLA Piper Rudnick Gray Cary US LLP attorney Andrew P. Valentine, features this piece of exceptional grammar:

"The posting is located on your [Forno's] website... and relates to a presentation that ISS decided not go give [sic] at the Black Hat 2005 USA Conference in Las Vegas, Nevada."

The letter also states:

"On Wednesday, ISS and Cisco sued Mr. Lynn and Black Hat for claims of copyright infringement, misappropriation of trade secrets, and breach of employment agreement in connection with improper distribution of the material. On Thursday, Judge Jeffrey White of the United States District Court for the Northern District of California issued a permanent injunction preventing further distribution of the material...

We also understand that the unlawful distribution of this information is the subject of a federal investigation."

I wonder how ISS and Cisco will handle Web sites located outside of the US, like the disLEXia 3000 blog? Maximillian Dornseif makes several good points in his blog, including asking whether the slides Lynn showed at Black Hat are the same as those now circulating on the Web.

The "stipulated permanent injunction" faxed to Rick Forno contains an interesting paragraph:

"Lynn... acknowledges that ISS did not authorize him to present [his talk] and which he had notified ISS he would not present. In particular, ISS had directed no presentation or live demonstration would be made which included disassembled Cisco code and the 'pointers'. (ISS and Cisco stipulate that they had prepared an alternative presentation designed to discuss Internet security, including the flaw which Lynn had identified, but without revealing Cisco code or pointers which might help enable third parties to exploit the flaw, but were informed they would not be allowed to present that presentation at the conference)."

I assume Jeff Moss was the party that would not allow ISS and Cisco to present at Black Hat.

It looks like Cisco employee John Noh wrote the injunction?

Update: Check out the photographs of slides from Mike's talk posted at Tom's Networking.


Anonymous said...

So, can everyone who downloaded a copy of the pdf expect a friendly visit or letter soon?

Michael Boman said...

Richard, your link to "Tom's Networking" points to your UNIX $HOME directory and nowhere else, which means that only you can see the stuff.

If you want I can host it on my box located in Sweden, no pesky DMCA and what-not over there...

Richard Bejtlich said...

Fixed, thanks Mike.

Hendrik Scholz said...

I managed to get hold of a copy of the PDF (MD5 559942447c88086fa1304c38f9d0242c) and compared it to the slides available on Tom's Networking.
Content-wise they are the same but missing the right-hand side pictures. Tom's Networking seems to try to stay on the safe side by not posting pictures of key slides.
for my comparison.

Anonymous said...

I was actually at the talk at Black Hat and saw the original slides. The ones circulating on the Internet I have seen have the addresses and offsets filled in whereas the ones Lynn presented had them blacked out. I would be skeptical as to the validity of the offsets in the one on the Internet.