November 26, 2024

Posts Comments

Cisco Claims Its Product is a Trade Secret

August 4, 2005 by

I wrote Friday about the legal threats by Cisco and ISS against researcher Mike Lynn, relating to Lynn’s presentation at Black Hat about a Cisco security vulnerability. The complaint Cisco and ISS filed is now available online. Jennifer Granick, Lynn’s lawyer, has an interesting narrative of the case (part 1; part 2; part 3; part 4).

The complaint claims that Lynn wronged ISS, by giving a PowerPoint presentation that was copyrighted by ISS (because Lynn allegedly prepared it as a work for hire), and by violating the NDA he signed as a member of ISS’s board of directors. The complaint also claims that Lynn wronged Cisco by including snippets of its copyrighted software code in the presentation, and by presenting Cisco trade secrets that had been misappropriated.

The trade secret misappropriation claim is the most interesting one. Cisco’s argument goes as follows. The executable machine code that ships with Cisco routers is a trade secret of Cisco. Customers agree to a contract in which they promise not to disassemble the code. ISS agreed to that contract. Some unspecified person disassembled the code, in violation of the contract, to get information that was used in Lynn’s presentation. Lynn knew that the information was acquired by breach of contract and therefore was a misappropriated trade secret. Lynn disseminated the information anyway.

[Oddly, the complaint incorrectly refers to the executable machine code that ships on Cisco routers as Cisco’s “source code.” This false characterization looks deliberate – it is made repeatedly in the documents, and even occurs more than once in the two-page declaration signed by Cisco’s Vice President for Customer Support. Lawyers in a hurry might make this mistake in their papers, but it’s hard to come up with a charitable explanation for how this mischaracterization occurred twice in a very short statement under oath by the VP for Customer Support. Does he really not know the difference between machine code and source code? Does he not know which kind of code Cisco ships on its routers? Did he not recognize that the code in the presentation which he claims to have reviewed was not source code? Did he sign the declaration under oath without reading it carefully enough to catch such a simple error, which occurred twice in a document with less than one page of text? Or did he know about the error and sign anyway? He could easily have corrected the error himself by deleting or crossing out the word “source” before signing.]

Any discussion of this argument has to start with the obvious: Cisco is claiming that part of its product is a trade secret. The software is key to the product’s function, and Cisco sells the product to essentially anybody who wants it. It’s hard to think of any reasonable sense in which this can be called a secret. (I know that legal definitions of terms like “trade secret” aren’t always intuitive, but still, this seems a bit much.)

It’s also pretty clear that the alleged harm to Cisco from Lynn’s action was not the kind of harm that trade secret law was meant to prevent. There is no real argument that the brief snippets of code in Lynn’s presentation (2MB PDF) would help Cisco’s competitors improve their products. The reason Cisco wanted to prevent Lynn’s presentation is that it wanted to keep truthful information about flaws in its products out of the hands of the public. Why should information about product flaws be considered a trade secret?

As I argued on Friday, ISS is in a difficult position. The complaint alleges that ISS agreed not to disassemble Cisco’s code. It does not assert that Lynn himself had agreed not to disasssemble the code, and it does not accuse Lynn of directly misappropriating the secrets. It only says that Lynn knew that they had been misappropriated. The complaint essentially accuses ISS of misappropriating the trade secrets. Which is interesting, considering that ISS was one of the parties that filed the complaint.

Jennifer Granick, Lynn’s lawyer, also had her doubts about the trade secret claim. It would have been interesting to see the claim litigated. Instead, Lynn, on Granick’s advice, decided prudently to settle the case. It’s one thing to talk about cases like this in the abstract; it’s another thing entirely to be in the legal meat-grinder yourself.

The only good news here is that Cisco seems to be getting what it deserves after the legal strongarming of Mike Lynn. Cisco’s efforts have only notified more people that its product has a serious security flaw, and that Cisco is afraid to allow independent evaluation of its products’ security.

Filed Under: Uncategorized Tagged With: ,

Entertainment Industry Pretending to Have Won Grokster Case

August 3, 2005 by

Most independent analysts agree that the entertainment industry didn’t get what it wanted from the Supreme Court’s Grokster ruling. Things look grim for the Grokster defendants themselves; but what the industry really wanted from the Court was a ruling that a communication technologies that are widely used to infringe should not be allowed to exist, regardless of the behavior and intentions of the technologies’ creators. The Court rejected this theory.

Last week the Senate Commerce Committee held a hearing (a video stream is available) on the Grokster aftermath. This was a chance for witnesses representing various interests to put their official spin on the Grokster ruling. All of the witnesses praised the ruling and asked Congress to wait and see what develops, rather than legislating right away. But different witnesses put different spins on the ruling.

The entertainment industry line was presented by Mitch Bainwol of the RIAA, Fritz Attaway of the MPAA, and Gregory Kerber of Wurld Media (a music distribution service). Their strategy was essentially to pretend that the Court did give the industry what it wanted, and that P2P technologies were now presumptively illegal unless they had cut licensing deals with the industry. They didn’t argue this directly, but the message was clear. For example, they tried to draw a line between “legitimate” P2P technologies and others, where legitimacy was apparently achieved by signing a licensing deal with major recording or movie companies.

For example, in response to concerns from Mark Heesen of the National Venture Capital Association about venture capitalists’ fears of financial ruin from investing in even well-intentioned communication technology companies, Mr. Kerber said this:

It’s very clear how you get investment. The rules are there. We’re a P2P – we’re a real peer-to-peer – it’s centrally controlled, we can control that … we can respect the copyright holder’s wants during – through a contractual process.

And the way that investors realize that is when we go out and get deals with the record labels, movie studios; and … the venture capitalists do their due diligence, they call and they find out that … the content owner of these assets [says] yes, we will allow this to be transferred and distributed and sold … within – on the network.

So … it’s very, very clear. If you have a contract with a major label, indy label, movie studio, publisher, what they have said is, we will allow the content to be sold in this manner across our network. So I’m a little confused by – there’s an absolute clear path for an investor to understand what’s right and wrong in the process.

It’s a simple message. Investing in technologies that have been blessed by the entertainment industry: right; investing in other technologies: wrong.

But it’s not what the Court said. The Court rejected the proposition that P2P or other communication technologies can exist only at the pleasure of the entertainment industry.

Despite this, we can expect to hear more of this rhetoric of “legitimacy”. And when P2P technologies continue to exist and be popular, we can expect calls for legislation to control the scourge of “illegitimacy”.

Filed Under: Uncategorized Tagged With: , ,

WiFi Freeloading Now a Crime in U.K.

August 1, 2005 by

A British man has been fined and given a suspended prison sentence for connecting to a stranger’s WiFi access point without permission, according to a BBC story. There is no indication that he did anything improper while connected; all he did was to park his car in front of a stranger’s house and connect his laptop to the stranger’s open WiFi network. He was convicted of “dishonestly obtaining an electronic communications service”.

As the story notes, this case is quite different from previous WiFi-related convictions, in which people were convicted not of connecting to an open network but of committing other crimes, such as swiping financial information, once connected.

Most WiFi equipment operates in an open fashion by default, allowing anybody to connect. It’s well known that few people change their network settings. I used to find quite often that my laptop was connected accidentally to my neighbor’s WiFi network – failing to get a strong enough signal from my own (secured) network, the laptop would connect automatically to any open network it found.

Often the person who set up the network is happy to let strangers use it. Many businesses set up open access points to attract customers. Unfortunately, the technology offers no agreed-upon way for the network owner to say whether he welcomes connections. Taking steps to secure an access point is a clear statement that connections are not welcome; but many people worry that changing security settings will break their network, so the lack of security precautions doesn’t always indicate that the owner welcomes connections.

It would be nice if people used the SSID to indicate their preference. (Joe Gratz says he uses the SSID “PleaseUseSparingly”.) Changing the SSID is easy and is unlikely to break anything that is already working.

Another part of the BBC article is even scarier:

“There have been incidences where paedophiles deliberately leave their wireless networks open so that, if caught, they can say that is wasn’t them that used the network for illegal purposes,” said NetSurity’s Mr Cracknell.

Such a defence would hold little water as the person installing the network, be they a home user or a business, has ultimate responsibility for any criminal activity that takes place on that network, whether it be launching a hack attack or downloading illegal pornography.

I doubt this is true. If it is, everybody who runs a WiFi network is at risk of a long jail sentence.

Filed Under: Uncategorized Tagged With: ,

ISS Caught in the Middle in Cisco Security Flap

July 29, 2005 by

The cybersecurity world is buzzing with news about Cisco’s attempt to silence Michael Lynn’s discussion of a serious security flaw in the company’s product. Here’s the chronology, which I have pieced together from news reports (so the obvious caveats apply):

Michael Lynn worked for ISS, a company that sells security scanning software. In the course of his work, he found a serious security flaw in IOS, the operating system that runs on Cisco’s routers. (Routers are specialized computers that shunt Internet packets from link to link, getting them gradually from source to destination. Cisco is the leading maker of routers.)

It has long been believed that a buffer overflow bug (the most common types of security bug) in IOS could be exploited by a remote party to crash the router, but not to seize control of it. What Lynn discovered is a way for an attacker to leverage a buffer overflow bug in IOS into full control over the router. Buffer overflow bugs are common, and Cisco routers handle nearly all Internet traffic, so this is a big problem.

Lynn was planning to discuss this in a presentation Wednesday at the Black Hat conference. At the last minute Cisco convinced ISS (Lynn’s employer) to cancel the talk. Cisco employees ripped Lynn’s paper out of every copy of the already-printed conference proceedings, and ISS ordered Lynn to talk about another topic during his already-scheduled slot in the Black Hat conference schedule.

Lynn quit his ISS job and gave a presentation about the Cisco flaw.

Cisco ran to court, asking for an injunction barring Lynn from further disclosing the information. They argued that the information was a trade secret and Lynn had obtained it illegally by reverse engineering.

The parties have now agreed that Lynn will destroy any documents or files he has on the topic, and will refrain from disclosing the information to anyone. The Black Hat organizers will destroy their videotape of Lynn’s presentation.

What distinguishes this from the standard “vendor tries to silence security researcher” narrative is the role of ISS. Recall that Lynn did his research as an ISS employee. This kind of research is critical to ISS’s business – it has to know about flaws before it can help protect its customers from them. Which means that ISS can’t be happy with the assertion that the research done in ISS’s lab was illegal.

So it looks like all of the parties lose. Cisco failed to cover up its security vulnerability, and only drew more attention with the legal threats. Lynn is out of a job. And ISS is the big loser, with its research enterprise potentially at risk.

The public, on the other hand, got useful information about the (in)security of the Internet infrastructure. Despite Cisco’s legal action, the information is out there – Lynn’s PowerPoint presentation is already available at Cryptome.

[Updated at 11:10 AM with minor modification to the description of what Lynn discovered, and to add the last sentence about the information reaching the public via Cryptome.]

Update (1:10 PM): The FBI is investigating whether Lynn committed a crime by giving his talk. The possible crime, apparently, was the alleged disclosure of ISS trade secrets.

Filed Under: Uncategorized Tagged With: ,

U.S. Computer Science Malaise

July 27, 2005 by

There’s a debate going on now among U.S. computer science researchers and educators, about whether the U.S. as a nation is serious about maintaining its lead in computer science. We have been the envy of the world, drawing most of the worlds’ best and brightest in the field to our country, and laying the foundations of a huge industry that has fostered wealth and national power. But there is a growing sense within the field that all of this may be changing. This sense of malaise is a common topic around faculty water coolers across the country, and in speeches by industry figures like Bill Gates and Vint Cerf.

Whatever the cause – and more on that below – there two main symptoms. First is a sharp decrease in funding for computer science research, especially in strategic areas such as cybersecurity. For example, DARPA, the Defense Department research agency that funded the early Internet and other breakthroughs, has cut its support for university computer science research by more than 40% in the last three years, and has redirected the remaining funding toward short-term advanced development efforts. Corporate research is not picking up the slack.

The second symptom, which in my view is more worrisome, is the sharp decrease in the number of students majoring in computer science. One reputable survey found a 60% drop in the last four years. One would have expected a drop after the dotcom crash – computer science enrollments have historically tracked industry business cycles – but this is a big drop! (At Princeton, we’ve been working hard to make our program more compelling, so we have seen a much smaller decrease.)

All this despite fundamentals that seem sound. Our research ideas seem as strong as ever (though research is inherently a hit-and-miss affair), and the job market for our graduates is still very strong, though not as overheated as a few years ago. Our curricula aren’t perfect but are better than ever. So what’s the problem?

The consensus seems to be that computer science has gotten a bad rap as a haven for antisocial, twinkie-fed nerds who spend their nights alone in cubicles wordlessly writing code, and their days snoring and drooling on office couches. Who would want to be one of them? Those of us in the field know that this stereotype is silly; that computer scientists do many things beyond coding; that we work in groups and like to have fun; and that nowadays computer science plays a role in almost every field of human endeavor.

Proposed remedies abound, most of them attempts to show people who computer scientists really are and what we really do. Stereotypes take a long time to overcome, but there’s no better time than the present to get started.

UPDATE (July 28): My colleagues Sanjeev Arora and Bernard Chazelle have a thoughtful essay on this issue in the August issue of Communications of the ACM.

Filed Under: Uncategorized