Legal disassembly

Black hat, white hat

When security researcher and ISS employee Michael Lynn went to give a presentation at the Black Hat conference in Las Vegas, little did he know he would ignite a legal firestorm questioning whether even the act of looking for security vulnerabilities violates the law.

A brief history

Lynn, in his position with ISS, apparently disassembled the source code for a particular type of Cisco router, discovered particular types of potential vulnerabilities, and prepared a PowerPoint presentation not only describing the vulnerabilities (and the potential for exploit) but also containing a small amount of the decompiled code to demonstrate how the vulnerability and potential exploit would work. Pretty standard stuff. What wasn't standard was the reaction of both Cisco and ISS - they went into federal district court in California (where Cisco was located) and asked for an injunction against both Lynn and Black Hat, not only preventing the presentation, but removing all copies of the presentation from the CDs and ripping them out of the presentation binders. Lynn resigned from ISS and gave the speech anyway, before agreeing to the injunction going forward. Copies of the presentation - Cisco code and all - are predictably available at mirror sites on the net.

Is it legal to decompile software?

The question for security researchers going forward is modeled by the Lynn saga. Is it legal to decompile source code to find vulnerabilities? Of course, the answer is mixed. Maybe it is, maybe it's not.

Much of the debate over the Lynn case has arisen in the context of "responsible disclosure," which asks whether Lynn should have told Cisco of the vulnerability, allowed them to fix it, and be done with it. The reports are that he did just that. But according to the terms of the lawsuit, both Cisco and ISS's legal claims against him arose long before the Black Hat conference. It was the very act of decompiling the code - an act Lynn took on as an employee in good standing with ISS - that apparently constituted the violation of the law, although what they sought to enjoin was the disclosure of the decompiled code.

The lawsuit alleges a somewhat convoluted legal theory of liability, and the facts spelled out are particularly turbid. Essentially, Cisco and ISS's claim is as follows: Lynn worked for ISS under a standard "non-disclosure" agreement. His employer ISS presumably bought a Cisco router, which came with software subject to an End User License Agreement (EULA). The EULA stated that the licensee (ISS) specifically agreed not to, "reverse engineer or decompile, decrypt, disassemble or otherwise reduce the Software to human-readable form, except to the extent expressly permitted under applicable law," or to, "disclose... trade secrets contained in the Software or documentation in any form to any third party..."

Cisco's theory, then, was that by decompiling the source code to find the vulnerability, Lynn (and presumably his employer, ISS) violated the terms of the EULA - a contract. This contract violation then meant that the license to acquire or use the software was violated, and Lynn was using a copyrighted work (the software) without the consent of the copyright holder - thus a copyright violation - which gets Cisco into federal court rather than state court. When Lynn and Black Hat sought to publish the bits of source code in the presentation, they were alleged to be distributing the code in violation of the EULA and copyright law, and also violating Cisco's right to protect its trade secrets. Finally, Lynn was alleged to have violated the terms of his ISS non-disclosure agreement by disclosing information at the conference that he learned "in secret" from ISS under the NDA - presumably information that ISS obtained by unlawful reverse engineering!

Michael Lynn settled the case with Cisco and ISS by essentially agreeing not to further distribute, and to destroy retained copies of the disassembled source code. Therefore, this case has little if any actual precedential value. However, Lynn also agreed to be enjoined "from unlawfully disassembling or reverse engineering Cisco code in the future."

Sponsored: 2015 Cost of Cyber Crime Study: United States