November 23, 2024

Posts Comments

Recommended Reading: Crime-Facilitating Speech

August 27, 2005 by

Eugene Volokh has an interesting new paper about Crime-Facilitating Speech (abridged version): “speech [that] provides information that makes it easier to commit crimes, torts, or other harms”. He argues convincingly that many free-speech cases pertain to crime-facilitating speech. Somebody wants to prevent speech because it may facilitate crime, but others argue that the speech has beneficial effects too. When should such speech be allowed?

The paper is a long and detailed discussion of this issues, with many examples. In the end, he asserts that crime-facilitating speech should be allowed except where (a) “the speech is said to a few people who the speaker knows are likely to use it to commit a crime or to escape punishment”, (b) the speech “has virtually no noncriminal uses”, (c) “the speech facilitates extraordinarily serious harms, such as nuclear or biological attacks”. But don’t just read the end – if you have time it’s well worth the effort to understand how he got there.

What struck me is how many of the examples relate to computer security or copyright enforcement. Many security researchers feel that the applied side of the field has become a legal minefield. Papers like this illustrate how that happened. The paper’s recommendations, if followed, would go a long way toward making legitimate research and publication safer.

Filed Under: Uncategorized Tagged With: , , ,

Cisco Claims Its Product is a Trade Secret

August 4, 2005 by

I wrote Friday about the legal threats by Cisco and ISS against researcher Mike Lynn, relating to Lynn’s presentation at Black Hat about a Cisco security vulnerability. The complaint Cisco and ISS filed is now available online. Jennifer Granick, Lynn’s lawyer, has an interesting narrative of the case (part 1; part 2; part 3; part 4).

The complaint claims that Lynn wronged ISS, by giving a PowerPoint presentation that was copyrighted by ISS (because Lynn allegedly prepared it as a work for hire), and by violating the NDA he signed as a member of ISS’s board of directors. The complaint also claims that Lynn wronged Cisco by including snippets of its copyrighted software code in the presentation, and by presenting Cisco trade secrets that had been misappropriated.

The trade secret misappropriation claim is the most interesting one. Cisco’s argument goes as follows. The executable machine code that ships with Cisco routers is a trade secret of Cisco. Customers agree to a contract in which they promise not to disassemble the code. ISS agreed to that contract. Some unspecified person disassembled the code, in violation of the contract, to get information that was used in Lynn’s presentation. Lynn knew that the information was acquired by breach of contract and therefore was a misappropriated trade secret. Lynn disseminated the information anyway.

[Oddly, the complaint incorrectly refers to the executable machine code that ships on Cisco routers as Cisco’s “source code.” This false characterization looks deliberate – it is made repeatedly in the documents, and even occurs more than once in the two-page declaration signed by Cisco’s Vice President for Customer Support. Lawyers in a hurry might make this mistake in their papers, but it’s hard to come up with a charitable explanation for how this mischaracterization occurred twice in a very short statement under oath by the VP for Customer Support. Does he really not know the difference between machine code and source code? Does he not know which kind of code Cisco ships on its routers? Did he not recognize that the code in the presentation which he claims to have reviewed was not source code? Did he sign the declaration under oath without reading it carefully enough to catch such a simple error, which occurred twice in a document with less than one page of text? Or did he know about the error and sign anyway? He could easily have corrected the error himself by deleting or crossing out the word “source” before signing.]

Any discussion of this argument has to start with the obvious: Cisco is claiming that part of its product is a trade secret. The software is key to the product’s function, and Cisco sells the product to essentially anybody who wants it. It’s hard to think of any reasonable sense in which this can be called a secret. (I know that legal definitions of terms like “trade secret” aren’t always intuitive, but still, this seems a bit much.)

It’s also pretty clear that the alleged harm to Cisco from Lynn’s action was not the kind of harm that trade secret law was meant to prevent. There is no real argument that the brief snippets of code in Lynn’s presentation (2MB PDF) would help Cisco’s competitors improve their products. The reason Cisco wanted to prevent Lynn’s presentation is that it wanted to keep truthful information about flaws in its products out of the hands of the public. Why should information about product flaws be considered a trade secret?

As I argued on Friday, ISS is in a difficult position. The complaint alleges that ISS agreed not to disassemble Cisco’s code. It does not assert that Lynn himself had agreed not to disasssemble the code, and it does not accuse Lynn of directly misappropriating the secrets. It only says that Lynn knew that they had been misappropriated. The complaint essentially accuses ISS of misappropriating the trade secrets. Which is interesting, considering that ISS was one of the parties that filed the complaint.

Jennifer Granick, Lynn’s lawyer, also had her doubts about the trade secret claim. It would have been interesting to see the claim litigated. Instead, Lynn, on Granick’s advice, decided prudently to settle the case. It’s one thing to talk about cases like this in the abstract; it’s another thing entirely to be in the legal meat-grinder yourself.

The only good news here is that Cisco seems to be getting what it deserves after the legal strongarming of Mike Lynn. Cisco’s efforts have only notified more people that its product has a serious security flaw, and that Cisco is afraid to allow independent evaluation of its products’ security.

Filed Under: Uncategorized Tagged With: ,

WiFi Freeloading Now a Crime in U.K.

August 1, 2005 by

A British man has been fined and given a suspended prison sentence for connecting to a stranger’s WiFi access point without permission, according to a BBC story. There is no indication that he did anything improper while connected; all he did was to park his car in front of a stranger’s house and connect his laptop to the stranger’s open WiFi network. He was convicted of “dishonestly obtaining an electronic communications service”.

As the story notes, this case is quite different from previous WiFi-related convictions, in which people were convicted not of connecting to an open network but of committing other crimes, such as swiping financial information, once connected.

Most WiFi equipment operates in an open fashion by default, allowing anybody to connect. It’s well known that few people change their network settings. I used to find quite often that my laptop was connected accidentally to my neighbor’s WiFi network – failing to get a strong enough signal from my own (secured) network, the laptop would connect automatically to any open network it found.

Often the person who set up the network is happy to let strangers use it. Many businesses set up open access points to attract customers. Unfortunately, the technology offers no agreed-upon way for the network owner to say whether he welcomes connections. Taking steps to secure an access point is a clear statement that connections are not welcome; but many people worry that changing security settings will break their network, so the lack of security precautions doesn’t always indicate that the owner welcomes connections.

It would be nice if people used the SSID to indicate their preference. (Joe Gratz says he uses the SSID “PleaseUseSparingly”.) Changing the SSID is easy and is unlikely to break anything that is already working.

Another part of the BBC article is even scarier:

“There have been incidences where paedophiles deliberately leave their wireless networks open so that, if caught, they can say that is wasn’t them that used the network for illegal purposes,” said NetSurity’s Mr Cracknell.

Such a defence would hold little water as the person installing the network, be they a home user or a business, has ultimate responsibility for any criminal activity that takes place on that network, whether it be launching a hack attack or downloading illegal pornography.

I doubt this is true. If it is, everybody who runs a WiFi network is at risk of a long jail sentence.

Filed Under: Uncategorized Tagged With: ,

ISS Caught in the Middle in Cisco Security Flap

July 29, 2005 by

The cybersecurity world is buzzing with news about Cisco’s attempt to silence Michael Lynn’s discussion of a serious security flaw in the company’s product. Here’s the chronology, which I have pieced together from news reports (so the obvious caveats apply):

Michael Lynn worked for ISS, a company that sells security scanning software. In the course of his work, he found a serious security flaw in IOS, the operating system that runs on Cisco’s routers. (Routers are specialized computers that shunt Internet packets from link to link, getting them gradually from source to destination. Cisco is the leading maker of routers.)

It has long been believed that a buffer overflow bug (the most common types of security bug) in IOS could be exploited by a remote party to crash the router, but not to seize control of it. What Lynn discovered is a way for an attacker to leverage a buffer overflow bug in IOS into full control over the router. Buffer overflow bugs are common, and Cisco routers handle nearly all Internet traffic, so this is a big problem.

Lynn was planning to discuss this in a presentation Wednesday at the Black Hat conference. At the last minute Cisco convinced ISS (Lynn’s employer) to cancel the talk. Cisco employees ripped Lynn’s paper out of every copy of the already-printed conference proceedings, and ISS ordered Lynn to talk about another topic during his already-scheduled slot in the Black Hat conference schedule.

Lynn quit his ISS job and gave a presentation about the Cisco flaw.

Cisco ran to court, asking for an injunction barring Lynn from further disclosing the information. They argued that the information was a trade secret and Lynn had obtained it illegally by reverse engineering.

The parties have now agreed that Lynn will destroy any documents or files he has on the topic, and will refrain from disclosing the information to anyone. The Black Hat organizers will destroy their videotape of Lynn’s presentation.

What distinguishes this from the standard “vendor tries to silence security researcher” narrative is the role of ISS. Recall that Lynn did his research as an ISS employee. This kind of research is critical to ISS’s business – it has to know about flaws before it can help protect its customers from them. Which means that ISS can’t be happy with the assertion that the research done in ISS’s lab was illegal.

So it looks like all of the parties lose. Cisco failed to cover up its security vulnerability, and only drew more attention with the legal threats. Lynn is out of a job. And ISS is the big loser, with its research enterprise potentially at risk.

The public, on the other hand, got useful information about the (in)security of the Internet infrastructure. Despite Cisco’s legal action, the information is out there – Lynn’s PowerPoint presentation is already available at Cryptome.

[Updated at 11:10 AM with minor modification to the description of what Lynn discovered, and to add the last sentence about the information reaching the public via Cryptome.]

Update (1:10 PM): The FBI is investigating whether Lynn committed a crime by giving his talk. The possible crime, apparently, was the alleged disclosure of ISS trade secrets.

Filed Under: Uncategorized Tagged With: ,

Who'll Stop the Spam-Bots?

July 20, 2005 by

The FTC has initiated Operation Spam Zombies, a program that asks ISPs to work harder to detect and isolate spam-bots on their customers’ computers. Randy Picker has a good discussion of this.

A bot is a malicious, long-lived software agent that sits on a computer and carries out commands at the behest of a remote badguy. (Bots are sometimes called zombies. This makes for more colorful headlines, but the cognoscenti prefer “bot”.) Bots are surprisingly common; perhaps 1% of computers on the Internet are infected by bots.

Like any successful parasite, a bot tries to limit its impact on its host. A bot that uses too many resources, or that too obviously destabilizes its host system, is more likely to be detected and eradicated by the user. So a clever bot tries to be unobtrusive.

One of the main uses of bots is for sending spam. Bot-initiated spam comes from ordinary users’ machines, with only a modest volume coming from each machine; so it is difficult to stop. Nowadays the majority of spam probably comes from bots.

Spam-bots exhibit the classic economic externality of Internet security. A bot on your machine doesn’t bother you much. It mostly harms other people, most of whom you don’t know; so you lack a sufficient incentive to find and remove bots on your system.

What the FTC hopes is that ISPs will be willing to do what users aren’t. The FTC is urging ISPs to monitor their networks for telltale spam-bot activity, and then to take action, up to and including quarantining infected machines (i.e., cutting off or reducing their network connectivity).

It would be good if ISPs did more about the spam-bot problem. But unfortunately, the same externality applies to ISPs as to users. If an ISP’s customer hosts a spam-bot, most the spam sent by the bot goes to other ISPs, so the harm from that spam-bot falls mostly on others. ISPs will have an insufficient incentive to fight bots, just as users do.

A really clever spam-bot could make this externality worse, by making sure not to direct any spam to the local ISP. That would reduce the local ISP’s incentive to stop the bot to almost zero. Indeed, it would give the ISP a disincentive to remove the bot, since removing the bot would lower costs for the ISP’s competitors, leading to tougher price competition and lower profits for the ISP.

That said, there is some hope for ISP-based steps against bot-spam. There aren’t too many big ISPs, so they may be able to agree to take steps against bot-spam. And voluntary steps may help to stave off unpleasant government regulation, which is also in the interest of the big ISPs.

There are interesting technical issues here too. If ISPs start monitoring aggressively for bots, the bots will get stealthier, kicking off an interesting arms race. But that’s a topic for another day.

Filed Under: Uncategorized Tagged With: , ,