-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of James Baldwin
Sent: Thursday, July 28, 2005 10:36 AM
To: swm@emanon.com
Cc: nanog@merit.edu
Subject: Re: Cisco IOS Exploit Cover Up

> Lynn developed this information based on publicly available IOS images.

Well, there is this long legal license "agreement" you have to click to agree to before you download the images (and I think it is included with the hardware you unpack too). In there somewhere you do agree not to reverse engineer the images (I actually read it all once a long time ago). As to whether that is enforceable, that is for a court to decide.

> There were no illegal acts committed in gaining this information, nor was any proprietary information provided for its development. Reverse engineering, specifically for security testing, has an exemption from the DMCA (http://cyber.law.harvard.edu/openlaw/DVD/1201.html).

As I understand it, it is still unsettled case law as to how that clause should be interpreted. It is generally considered a good idea to avoid being the test case for such lawsuits (unless you have deep pockets to afford the best lawyers money can buy, or at least better than what your opposition can buy).

> That being said, what information is he not supposed to have? All the information he had is available to anyone with a disassembler, an IOS image, and an understanding of PPC assembly.

Perhaps, as in at least some companies' interpretations of the DMCA, these are the software equivalent of the crime of "Possession of burglary tools"? The US legal system is not as clean nor as clear as one might like to hope. But the process will be followed, and we will see what happens. And if the result is "bad", we can change the laws.

Gary
I'm wondering whether Cisco released a security advisory for this fix or not. According to several articles, Cisco implemented the fix around April. But I don't recall seeing any security advisory for Cisco users recommending an IOS upgrade. Between April and July, Cisco may have had enough time for their account team to contact the customers and do something about it, other than sending people to tear off the conference material. I don't know what happened between ISS, Black Hat, and Cisco, and I don't know how long Cisco knew about this before the Black Hat conference. But tearing one session's material out of the conference material is not common, and it already caught a lot of public attention, which may not have been needed. From some of the articles, this guy got the clue from a Chinese website, so it may already be known to the underground community.

Buhrmaster, Gary wrote:
> -----Original Message-----
> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of James Baldwin
> Sent: Thursday, July 28, 2005 10:36 AM
> To: swm@emanon.com
> Cc: nanog@merit.edu
> Subject: Re: Cisco IOS Exploit Cover Up
>
> > Lynn developed this information based on publicly available IOS images.
>
> Well, there is this long legal license "agreement" you have to click to agree to before you download the images (and I think it is included with the hardware you unpack too). In there somewhere you do agree not to reverse engineer the images (I actually read it all once a long time ago). As to whether that is enforceable, that is for a court to decide.
>
> > There were no illegal acts committed in gaining this information, nor was any proprietary information provided for its development. Reverse engineering, specifically for security testing, has an exemption from the DMCA (http://cyber.law.harvard.edu/openlaw/DVD/1201.html).
>
> As I understand it, it is still unsettled case law as to how that clause should be interpreted. It is generally considered a good idea to avoid being the test case for such lawsuits (unless you have deep pockets to afford the best lawyers money can buy, or at least better than what your opposition can buy).
>
> > That being said, what information is he not supposed to have? All the information he had is available to anyone with a disassembler, an IOS image, and an understanding of PPC assembly.
>
> Perhaps, as in at least some companies' interpretations of the DMCA, these are the software equivalent of the crime of "Possession of burglary tools"?
> The US legal system is not as clean nor as clear as one might like to hope. But the process will be followed, and we will see what happens. And if the result is "bad", we can change the laws.
>
> Gary
participants (2)
- Buhrmaster, Gary
- Hyunseog Ryu