Feeds

Legal disassembly

Black hat, white hat

  • alert
  • submit to reddit

Seven Steps to Software Security

When security researcher and ISS employee Michael Lynn went to give a presentation at the Black Hat conference in Las Vegas, little did he know he would ignite a legal firestorm questioning whether even the act of looking for security vulnerabilities violates the law.

A brief history

Lynn, in his position with ISS, apparently disassembled the source code for a particular type of Cisco router, discovered particular types of potential vulnerabilities, and prepared a PowerPoint presentation not only describing the vulnerabilities (and the potential for exploit) but also containing a small amount of the decompiled code to demonstrate how the vulnerability and potential exploit would work. Pretty standard stuff. What wasn't standard was the reaction of both Cisco and ISS - they went into federal district court in California (where Cisco was located) and asked for an injunction against both Lynn and Black Hat, not only preventing the presentation, but removing all copies of the presentation from the CDs and ripping them out of the presentation binders. Lynn resigned from ISS and gave the speech anyway, before agreeing to the injunction going forward. Copies of the presentation - Cisco code and all - are predictably available at mirror sites on the net.

Is it legal to decompile software?

The question for security researchers going forward is modeled by the Lynn saga. Is it legal to decompile source code to find vulnerabilities? Of course, the answer is mixed. Maybe it is, maybe it's not.

Much of the debate over the Lynn case has arisen in the context of "responsible disclosure," which asks whether Lynn should have told Cisco of the vulnerability, allowed them to fix it, and be done with it. The reports are that he did just that. But according to the terms of the lawsuit, both Cisco and ISS's legal claims against him arose long before the Black Hat conference. It was the very act of decompiling the code - an act Lynn took on as an employee in good standing with ISS - that apparently constituted the violation of the law, although what they sought to enjoin was the disclosure of the decompiled code.

The lawsuit alleges a somewhat convoluted legal theory of liability, and the facts spelled out are particularly turbid. Essentially, Cisco and ISS's claim is as follows: Lynn worked for ISS under a standard "non-disclosure" agreement. His employer ISS presumably bought a Cisco router, which came with software subject to an End User License Agreement (EULA). The EULA stated that the licensee (ISS) specifically agreed not to, "reverse engineer or decompile, decrypt, disassemble or otherwise reduce the Software to human-readable form, except to the extent expressly permitted under applicable law," or to, "disclose... trade secrets contained in the Software or documentation in any form to any third party..."

Cisco's theory, then, was that by decompiling the source code to find the vulnerability, Lynn (and presumably his employer, ISS) violated the terms of the EULA - a contract. This contract violation then meant that the license to acquire or use the software was violated, and Lynn was using a copyrighted work (the software) without the consent of the copyright holder - thus a copyright violation - which gets Cisco into federal court rather than state court. When Lynn and Black Hat sought to publish the bits of source code in the presentation, they were alleged to be distributing the code in violation of the EULA and copyright law, and also violating Cisco's right to protect its trade secrets. Finally, Lynn was alleged to have violated the terms of his ISS non-disclosure agreement by disclosing information at the conference that he learned "in secret" from ISS under the NDA - presumably information that ISS obtained by unlawful reverse engineering!

Michael Lynn settled the case with Cisco and ISS by essentially agreeing not to further distribute, and to destroy retained copies of the disassembled source code. Therefore, this case has little if any actual precedential value. However, Lynn also agreed to be enjoined "from unlawfully disassembling or reverse engineering Cisco code in the future."

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.