Understand the legal ramifications of vulnerability testing and disclosure
Takeaway: Recent weeks have provided a great deal of coverage about Michael Lynn's now-infamous presentation of Cisco IOS vulnerabilities at the Black Hat conference and the legal spectacle that followed. However, while these vulnerabilities are important, we can't overlook the legal ramifications of this case. Jonathan Yarden weighs in on what vulnerability testing and disclosure have to do with the law.
If you follow IT security news at all, you've more than likely heard about Michael Lynn. He's the security researcher who recently disclosed Internet security vulnerabilities in Cisco's Internetwork Operating System (IOS) during his presentation at the 2005 Black Hat security conference in Las Vegas last month. He's also the man Cisco took to court.
While it's certainly nothing new for a security researcher to make such a presentation, the details of his disclosure were so troubling to Cisco that Lynn had to resign from his employer, Internet Security Systems (ISS), in order to give the talk. That didn't stop Cisco and ISS from taking legal action to suppress the presented information, including taking steps to prevent the distribution of the presentation and all materials associated with it.
The legal spectacle culminated in a three-way agreement to cease any further discussion of the presentation or dissemination of any information or recordings. The settlement requires the surrender of all copies of Lynn's research, presentation, and videos of the presentation, which Lynn titled "The Holy Grail: Cisco IOS Shellcode and Remote Execution."
In other words, the flaws are apparently so bad that Cisco and ISS would prefer they never see the light of day—and were willing to endure the media attention to ensure it. However, while Cisco's actions were arguably suspect, the fact is if Lynn performed the research while employed by ISS (which was under contract with Cisco), there's a legitimate legal issue as to who actually owns the results of that research.
Of course, this isn't the first time that the disclosure of a vulnerability has resulted in a massive legal response. It's also not the first time an Internet security researcher deliberately ignored the legal restrictions of his employment and went public with his findings. And while the bigger issue is the actual list of vulnerabilities, we can't overlook the legal ramifications.
While I agree with full disclosure, I also respect that companies have a legal right to the research conducted by employees of the company or other companies under contract. Regardless of whether Lynn believed the information was important enough to quit his job, ISS paid him to conduct the research—and it therefore owns the results.
Cisco paid ISS to hunt for flaws, and Lynn surely found them. But that doesn't mean he has the right to do what he chooses with the information. Had Lynn been an independent security researcher, not under any contract when discovering this information, he would have had every right to do whatever he pleased with his findings. It likely could have resulted in some manner of legal action against him regardless, but we can only speculate.
Lynn merely presented a new way to attack already existing problems in Cisco IOS. Cisco had already fixed some of these problems in newer IOS releases, but, as we all know, not everyone stays on top of the latest updates and releases.
So yes, the new exploits do pose a threat to the Internet as a whole—Cisco routers make up a large part of the Internet. But Lynn apparently forgot that ISS legally owned his research since he completed it while employed there. Cisco and ISS have deep pockets, and he should have known better.
But even if he had been an independent researcher, looking for flaws in compiled software by disassembly is itself a clear violation of the terms of use of a software product. Real hackers don't bother themselves with such details, but those of us who choose to live within the confines of the legal system must respect them.
Internet security researchers should be paying careful attention to the fallout from this incident—and it's only a matter of time before it occurs again. Software companies will continue to use the legal system both to deny liability for software defects and pursue those who find them at the same time.
Regardless of what any of us think, the issue is really moot: The cat's out of the bag, and you can find Lynn's presentation on the Internet. In fact, it took me less than five minutes to find a copy. The PDF version of his presentation is fairly bland, but after an additional 10 minutes, I also managed to find a video copy floating around the Internet.
However, I decided not to review either the presentation or the video because I'm not sure it's a good idea. Cisco and ISS have mountains of financial and legal resources that I do not, and I certainly don't want to expose myself to potential legal action.
And despite my ability to understand assembly language, the presentation is highly technical. And even after understanding the vulnerability, I doubt I'd even be remotely interested in doing anything with it. Of course, while most of us are discussing the legal ramifications of this incident, the hacker community is already laughing and plotting.
Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.