Jennifer Granick Speaks
Jennifer Granick is the executive director of the Stanford Law School Center for Internet and Society. I saw her work as counsel for the defense at the Hacker Court at Black Hat 2003. She is now Mike Lynn's attorney, and she is posting her side of the story at her blog, The Shout. As of this morning there are three parts available. Here are interesting excerpts from each.
2 August 2005:
"His presentation did not give away exploit code, or even enough information for listeners to readily create exploit code. In fact, he said, Cisco employees who had vetted the information were themselves unable to create an exploit from his information. But Mike wanted to show people that (1) he knew what he was talking about and (2) he could do what he said could be done. He included just enough information to make those points. (Following the talk, other researchers who’d seen it agreed that it would take a lot of work to get from Mike’s presentation to an exploit.)"
"I was asking what exactly he was claiming that Lynn had done wrong. It appeared to be three things. First, ISS was claiming copyright in the presentation that Mike had given on Wednesday morning (Wednesday presentation). Second, Cisco was claiming copyright in the decompiled machine code that Mike obtained from the Cisco binaries and had included in his slides. And finally, Cisco was claiming trade secret in the information Mike had obtained by decompiling and studying Cisco source code."
3 August 2005:
"The more interesting claim was the trade secret claim. They were suing under California’s trade secret law. California has adopted the Uniform Trade Secrets Act, which is relatively broad. It prohibits the misappropriation of trade secrets...
So the first question is, “what’s the secret?” The complaint says that Lynn had Cisco source code, but he didn’t. He had the binary code. The binary isn’t secret, since Cisco sells it. Is the decompiled code secret? Is it the fact that there’s a vulnerability? Would the law allow a product flaw to be a protected trade secret? ...
I’m not sure there’s anything here of Cisco’s that the law would protect.
The second question is, even if there is some kind of trade secret, did Mike misappropriate it. Misappropriation means acquisition by improper means, or disclosure without consent by a person who used improper means to acquire the knowledge. The law specifically says that reverse engineering (decompiling) is proper, not improper, means...
It seemed that Cisco was claiming that Mike’s actions were improper because he violated the End User License Agreement (EULAs), which prohibited reverse engineering...
Lynn’s case presented the question of whether EULAs could subvert the legislature’s express desire to allow people to reverse engineer trade secrets...
[M]y best legal argument was that violation of an End User License Agreement is not a trade secret violation. Improper means includes a breach of a duty to maintain secrecy. But the EULA did not impose a duty to maintain secrecy. It was merely a promise not to reverse engineer. A violation of that promise is a violation of contract, but not an improper means of discovering a trade secret.
There was the possibility that Mike had information that was secret as to ISS and that he had promised to keep secret under his employment agreement or NDA. But the complaint didn’t identify any ISS trade secrets and Mike hadn’t disclosed any ISS information other than whatever was in the presentation, so this was a great legal argument."
4 August 2005:
"A friend told me that there were two FBI agents looking for me and asking questions about Mike’s presentation. They were wandering around the floor of the Black Hat conference, wearing suits and couldn’t be missed. He told me that the agents said they “just wanted to talk” to people. “Talk? F*ck that,” I advised. Always judicious when dealing with law enforcement, I excused myself from my family meal, and ran back to the convention center to see what was going on.
To be continued..."
Update: Here is the final installment.
Comments
I think that the most telling item I took away from reviewing Jennifer's blog (other than the fact that she's a lawyer, blogging!) was Mike's "true motivation" for what he did.
One thing that's been missed in the media flurry that came on as a result of these issues at Blackhat, as well as in the resulting storm of comments, is *why* he did what he did. "Responsible disclosure" is still an issue, it seems, if Mike felt that Cisco wasn't doing enough to inform their customers of the situation. I have to wonder what led him to this? I know folks who work at Cisco, and I haven't asked them yet, but were they going to their customers and informing them? Was Mike basing his opinion on what he was seeing simply on the web?
Could it be that Cisco was informing their customers, quietly, through their channel reps, and Mike wasn't seeing this?
H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com