The dispute between Cisco, Internet Security Systems, the Black Hat conference and a former ISS security expert — who revealed information related to hacking Cisco routers at the show on Wednesday — has reached a point of legal settlement.
Michael Lynn, who had hired high-tech defense lawyer Jennifer Grannick as his attorney as he faced legal action by his former employer ISS and Cisco, agreed on Thursday to sign a court injunction. The injunction requires him to return any materials or disassembled code related to Cisco and never to discuss the materials related to the presentation he gave at the Black Hat conference on July 27.
That talk, which he gave in spite of a prohibition from ISS and after a request by Cisco for it to be cancelled on Monday, pulled him into a legal whirlwind. Cisco and ISS on Monday decided it was premature to release sensitive information related to how unpatched Cisco routers can be hacked and were furious when the main researcher who had uncovered the exploits, defiantly spoke out on the topic.
The agreement, signed by all the parties, also requires Black Hat to never disseminate a video made of Lynn's presentation on July 27, and to deliver to Cisco any video recording made of Lynn.
According to the, injunction Lynn is also forbidden from "unlawfully disassembling or reverse engineering Cisco code in the future [and] using Cisco decompiled code currently in his possession or control for any purpose."
These restrictions raise the issues of when security research crosses the line from the side of altruistic or responsible hacking to breaking the law, experts say.
"Reverse engineering on its own is legally okay," says Lee Bromberg, senior partner for Bromberg & Sunstein, a law firm specialising in electronic intellectual property litigation. But there are several exceptions: "If in doing this, you violate a patent, you're still violating a patent. If in you are violating a copyright, you're violating a copyright," he says.
Violating "trade secret" agreements can be another sticky area, Bromberg says. Such an agreement could include a non-disclosure agreement or an employment obligation contract, "or it could be as simple as going on the internet, clicking 'yes' on a piece of software's licensing terms and conditions before installing", he says.
In the Cisco case, "Cisco must have had some basis on which to demonstrate to the court that the defendant had an obligation not to reverse engineer, whether it was contractual or other wise, or arising out of trade secret law," he says.
Legalese aside, Cisco's move against ISS' Lynn sends the wrong message to the security community, some in the industry say.
"Security researchers won't want to make stuff public if Cisco is just going to come back at them with legal action," says Marc Maiffret, co-founder and chief hacking officer of eEye Digital Security, a vulnerability research and security vendor.
"Why should someone report something to Cisco if the company is going to act this way?" he says. "Who would want to work with a company that's going to do stuff like this?"