Feeds

Legal disassembly

Black hat, white hat

  • alert
  • submit to reddit

The Power of One eBook: Top reasons to choose HP BladeSystem

When security researcher and ISS employee Michael Lynn went to give a presentation at the Black Hat conference in Las Vegas, little did he know he would ignite a legal firestorm questioning whether even the act of looking for security vulnerabilities violates the law.

A brief history

Lynn, in his position with ISS, apparently disassembled the source code for a particular type of Cisco router, discovered particular types of potential vulnerabilities, and prepared a PowerPoint presentation not only describing the vulnerabilities (and the potential for exploit) but also containing a small amount of the decompiled code to demonstrate how the vulnerability and potential exploit would work. Pretty standard stuff. What wasn't standard was the reaction of both Cisco and ISS - they went into federal district court in California (where Cisco was located) and asked for an injunction against both Lynn and Black Hat, not only preventing the presentation, but removing all copies of the presentation from the CDs and ripping them out of the presentation binders. Lynn resigned from ISS and gave the speech anyway, before agreeing to the injunction going forward. Copies of the presentation - Cisco code and all - are predictably available at mirror sites on the net.

Is it legal to decompile software?

The question for security researchers going forward is modeled by the Lynn saga. Is it legal to decompile source code to find vulnerabilities? Of course, the answer is mixed. Maybe it is, maybe it's not.

Much of the debate over the Lynn case has arisen in the context of "responsible disclosure," which asks whether Lynn should have told Cisco of the vulnerability, allowed them to fix it, and be done with it. The reports are that he did just that. But according to the terms of the lawsuit, both Cisco and ISS's legal claims against him arose long before the Black Hat conference. It was the very act of decompiling the code - an act Lynn took on as an employee in good standing with ISS - that apparently constituted the violation of the law, although what they sought to enjoin was the disclosure of the decompiled code.

The lawsuit alleges a somewhat convoluted legal theory of liability, and the facts spelled out are particularly turbid. Essentially, Cisco and ISS's claim is as follows: Lynn worked for ISS under a standard "non-disclosure" agreement. His employer ISS presumably bought a Cisco router, which came with software subject to an End User License Agreement (EULA). The EULA stated that the licensee (ISS) specifically agreed not to, "reverse engineer or decompile, decrypt, disassemble or otherwise reduce the Software to human-readable form, except to the extent expressly permitted under applicable law," or to, "disclose... trade secrets contained in the Software or documentation in any form to any third party..."

Cisco's theory, then, was that by decompiling the source code to find the vulnerability, Lynn (and presumably his employer, ISS) violated the terms of the EULA - a contract. This contract violation then meant that the license to acquire or use the software was violated, and Lynn was using a copyrighted work (the software) without the consent of the copyright holder - thus a copyright violation - which gets Cisco into federal court rather than state court. When Lynn and Black Hat sought to publish the bits of source code in the presentation, they were alleged to be distributing the code in violation of the EULA and copyright law, and also violating Cisco's right to protect its trade secrets. Finally, Lynn was alleged to have violated the terms of his ISS non-disclosure agreement by disclosing information at the conference that he learned "in secret" from ISS under the NDA - presumably information that ISS obtained by unlawful reverse engineering!

Michael Lynn settled the case with Cisco and ISS by essentially agreeing not to further distribute, and to destroy retained copies of the disassembled source code. Therefore, this case has little if any actual precedential value. However, Lynn also agreed to be enjoined "from unlawfully disassembling or reverse engineering Cisco code in the future."

Designing a Defense for Mobile Applications

More from The Register

next story
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.