I wrote Friday about the legal threats by Cisco and ISS against researcher Mike Lynn, relating to Lynn’s presentation at Black Hat about a Cisco security vulnerability. The complaint Cisco and ISS filed is now available online. Jennifer Granick, Lynn’s lawyer, has an interesting narrative of the case (part 1; part 2; part 3; part 4).
The complaint claims that Lynn wronged ISS, by giving a PowerPoint presentation that was copyrighted by ISS (because Lynn allegedly prepared it as a work for hire), and by violating the NDA he signed as a member of ISS’s board of directors. The complaint also claims that Lynn wronged Cisco by including snippets of its copyrighted software code in the presentation, and by presenting Cisco trade secrets that had been misappropriated.
The trade secret misappropriation claim is the most interesting one. Cisco’s argument goes as follows. The executable machine code that ships with Cisco routers is a trade secret of Cisco. Customers agree to a contract in which they promise not to disassemble the code. ISS agreed to that contract. Some unspecified person disassembled the code, in violation of the contract, to get information that was used in Lynn’s presentation. Lynn knew that the information was acquired by breach of contract and therefore was a misappropriated trade secret. Lynn disseminated the information anyway.
[Oddly, the complaint incorrectly refers to the executable machine code that ships on Cisco routers as Cisco’s “source code.” This false characterization looks deliberate – it is made repeatedly in the documents, and even occurs more than once in the two-page declaration signed by Cisco’s Vice President for Customer Support. Lawyers in a hurry might make this mistake in their papers, but it’s hard to come up with a charitable explanation for how this mischaracterization occurred twice in a very short statement under oath by the VP for Customer Support. Does he really not know the difference between machine code and source code? Does he not know which kind of code Cisco ships on its routers? Did he not recognize that the code in the presentation which he claims to have reviewed was not source code? Did he sign the declaration under oath without reading it carefully enough to catch such a simple error, which occurred twice in a document with less than one page of text? Or did he know about the error and sign anyway? He could easily have corrected the error himself by deleting or crossing out the word “source” before signing.]
Any discussion of this argument has to start with the obvious: Cisco is claiming that part of its product is a trade secret. The software is key to the product’s function, and Cisco sells the product to essentially anybody who wants it. It’s hard to think of any reasonable sense in which this can be called a secret. (I know that legal definitions of terms like “trade secret” aren’t always intuitive, but still, this seems a bit much.)
It’s also pretty clear that the alleged harm to Cisco from Lynn’s action was not the kind of harm that trade secret law was meant to prevent. There is no real argument that the brief snippets of code in Lynn’s presentation (2MB PDF) would help Cisco’s competitors improve their products. The reason Cisco wanted to prevent Lynn’s presentation is that it wanted to keep truthful information about flaws in its products out of the hands of the public. Why should information about product flaws be considered a trade secret?
As I argued on Friday, ISS is in a difficult position. The complaint alleges that ISS agreed not to disassemble Cisco’s code. It does not assert that Lynn himself had agreed not to disassemble the code, and it does not accuse Lynn of directly misappropriating the secrets. It only says that Lynn knew that they had been misappropriated. The complaint essentially accuses ISS of misappropriating the trade secrets, which is interesting, considering that ISS was one of the parties that filed the complaint.
Jennifer Granick, Lynn’s lawyer, also had her doubts about the trade secret claim. It would have been interesting to see the claim litigated. Instead, Lynn, on Granick’s advice, decided prudently to settle the case. It’s one thing to talk about cases like this in the abstract; it’s another thing entirely to be in the legal meat-grinder yourself.
The only good news here is that Cisco seems to be getting what it deserves after the legal strongarming of Mike Lynn. Cisco’s efforts have only notified more people that its product has a serious security flaw, and that Cisco is afraid to allow independent evaluation of its products’ security.
You can check out http://www.usedcisco.org for more used cisco products that are indeed cheap and already tested
I will definitely understand if this will be the decision of CISCO with their products. Everyone needs to be very keen and very protective with their products.
With the amount of money invested I can understand why Cisco would want to protect their source. However I don’t feel that this was the best way to go about it.
Paul,
Regardless, the claims about “source code” in Cisco’s complaint and other legal documents are bogus. They claim that they ship “source code” with all of their routers, that Lynn ran a disassembler on “source code” to get the assembly code snippets included in his presentation, that Lynn revealed “source code” in his presentation, and so on.
The complaint does not say that Cisco gave Lynn any special access to its code, beyond what all customers get. If they gave him any special access to code, they would surely have said so in their legal papers. They also don’t claim that Lynn or ISS had any confidentiality agreement with Cisco, beyond the standard EULA that comes with every router. Again, one would have expected a source code disclosure to come with some kind of NDA; and Cisco would surely have mentioned the additional NDA in the legal papers, if it existed.
In the Wired interview, Lynn said that he “worked on the reverse engineering with cooperation from Cisco”. With no more detail than that, I would *not* assume that Cisco did not show him some source code. They could have helped him in some other way, but giving him some source code (or pointers to structures, and so on) would certainly be logical cooperation after seeing him get to the command line remotely.
It’s tangential, but I thought you might find this post of mine worth reading:
http://www.livejournal.com/users/polyergic/55109.html
(most of mine aren’t near so worthwhile)
Perhaps ISS had a confidential relationship with Cisco, I don’t know the details, but for the code included in Cisco routers to be secret it would mean every buyer of Cisco routers had to have a confidential relationship with Cisco and an obligation to keep Cisco’s secrets. Enter super EULA stage right.
I’m waiting to see gumballs come wrapped in license agreements. If you don’t agree to this contract you must return the enclosed gumball. Failure to include a postage-paid envelope indicates your waiver of refund.
The “trade secret” issue was also brought up by AT&T in the infamous BSD lawsuit. The judge in that case gave the opinion that if you are selling the code to everyone willing (and able) to pay for it, that counts as publication. Publication nullifies the trade secret. The snippets of Cisco code I’ve seen in the presentation fall IMO (IANAL) under fair use.
I think that Lynn made a sensible decision to settle, because ISS had some serious contract issues that they could bring to court. Cisco can cry that it was hurt, but has little legal leverage.
Looks like Cisco has taken a page out of the DVD CCA’s playbook.
“We’ve distributed our secret to millions of people, but it’s still a secret!”
I don’t know much about trade secrets, but it seems to me that if they are claiming to provide the _source_ code on every router sold, then it is very hard to call it a secret — that’d be like Coca-Cola putting their recipe on every bottle of Coke.
Instead, we have the machine code — and, comparing it to coke again, it isn’t even like having a list of ingredients. You would have to be a chemist and analyze coke’s liquid to “reverse engineer” it. Software reverse-engineering is conceptually the same (although the tools are much more readily available). It seems to me that you can’t call a finished good a secret; certainly, you can keep the process of making it a secret, but once you’ve sold it, you can legislate all you like, but you can’t stop a determined individual from figuring out how it works, or how to exploit it in new ways.