Ciscogate Explained

Ciscogate, also known as the Black Hat Bug, is the name given to a legal incident that occurred at the Black Hat Briefings security conference in Las Vegas, Nevada, on July 27, 2005.[1] [2] [3]

On the morning of the first day of the conference, July 26, 2005, some attendees noticed that 30 pages of text had been physically ripped out of the extensive conference presentation booklet the night before at the request of Cisco Systems and the CD-ROM with presentation slides was not included. It was determined the pages covered a talk to be given by Michael Lynn, a security researcher with Atlanta-based IBM Internet Security Systems (ISS). Instead of the pages with the details, attendees found a photographed copy of a notice from Black Hat saying "Due to some last minute changes beyond Black Hat's control, and at the request of the presenter, the included materials aren't up to the standards Black Hat tries to meet. Black Hat will be the first to apologize. We hope the vendors involved will follow suit."[4] According to Lynn's lawyer, his employer had approved of the talk leading up to the conference but changed their minds two days before the scheduled talk, forbidding him from presenting.[5]

Lynn's original presentation was to cover a vulnerability in Cisco routers. The presentation was one of four scheduled to follow Jeff Moss' keynote address on the first day of the conference, titled "Cisco IOS Security Architecture".[6] After being told by his employer that he could not present on the topic, Lynn chose an alternate topic. Cisco and ISS had offered to give new joint presentation but this was turned down by Black Hat because the original speaking slot was given to Lynn, not Cisco. Lynn's presentation began by covering security issues in services that allow users to make Voice over IP telephone calls. Shortly after beginning the presentation Lynn changed back to his original topic and began disclosing some technical details of the vulnerability he found in Cisco routers stating that he would rather resign from his job at ISS than keep the details private.

Lawsuit

Shortly after Lynn concluded his talk he met Jennifer Granick, who would soon become his lawyer. During their initial meeting Lynn told Granick that he expected to be sued. Later in the evening Lynn had heard that Cisco and ISS had filed a lawsuit and requested a temporary restraining order against Black Hat but not himself. A public relations representative from Black Hat told Granick that the lawsuit was against both Black Hat and Lynn and that the companies had scheduled an Ex parte hearing in San Francisco the next morning to request the restraining order. That night, Andrew Valentine, an attorney for ISS and Cisco called Lynn who directed them to Granick. During the conversation Valentine explained the claims and accusations against Lynn, which included three things: 1) ISS claimed copyright over the presentation that Lynn gave, 2) Cisco claimed copyright over the decompiled machine code obtained from the router which was included in the presentation, and 3) Cisco claimed the presentation contained trade secrets. These complaints were outlined in a civil complaint at the U.S. Northern District of California and filed against both Lynn and Black Hat.[7] According to Granick, she and Valentine were able agree to an injunction to settle the case without court proceedings. This deal was almost called off due to an inadvertent mistake by Black Hat in which they had restored Lynn's presentation on their web server. Black Hat, Granick, and the plaintiff's lawyers were able to resolve this problem and the deal stood.[8]

One condition of the settlement required Lynn to provide an image of all computer data he used in his research to be provided to a third party for forensic analysis before erasing his research and any Cisco data from his systems. The settlement also stipulated that Lynn was prohibited from talking about the vulnerability in the future.[9]

FBI Investigation

Shortly after lawyers for Lynn and ISS / Cisco filed settlement papers, FBI agents from the Las Vegas office arrived at the conference to begin asking questions. According to Granick, they were there at the request of the Atlanta FBI office and Lynn was not of interest. Granick asserted the Fifth and Sixth amendment rights on behalf of her client, Lynn. Granick asserted his rights for the Atlanta office and asked if an arrest warrant had been issued for Lynn. Over the next 24 hours Granick was not able to ascertain the status of a warrant but ultimately determined no warrant was issued.

When the FBI was asked about the case by a journalist, spokesman Paul Bresson declined to discuss the case saying "Our policy is to not make any comment on anything that is ongoing. That's not to confirm that something is, because I really don't know". Granick would only confirm to journalists that the "investigation has to do with the presentation".

Response

Attendees

Attendees of Black Hat Briefings, as well as many that also attended DEF CON, were not happy with vendors threatening legal action over vulnerability disclosure. The term "Ciscogate" was coined quickly by an unknown person, but some attendees were quick to create shirts to commemorate the incident.[10] [11]

Cisco

Mojgan Khalili, a senior manager for corporate PR at Cisco,[12] issued a statement to the press saying "It is important to note that the information Mr. Lynn presented was not a disclosure of a new vulnerability or a flaw with Cisco IOS software. Mr. Lynn's research explores possible ways to expand exploitations of existing security vulnerabilities impacting routers."[13]

ISS

Kim Duffy, managing director of ISS Australia, was asked about ISS's response to the incident. Duffy responded that it was "business as usual" as the company handled the incident "strictly by the book". He gave a brief statement to ZDNet UK saying "ISS has published rules for disclosure and that is what we stick to. We didn't care to publish [the disclosure] because we were not ready. We had not completed the research to our satisfaction so it was not ready to be disclosed".[14] ISS spokesperson Roger Fortier confirmed that Lynn was no longer employed with the company and that ISS was still working with Cisco on the matter. He gave a statement to the Washington Post saying "ISS and Cisco have been working on this in the background and didn't feel at this time that the material was ready for publication. The decision was made on Monday to pull the presentation because we wanted to make sure the research was fully baked."

Notes and References

  1. Book: Whitbeck, Caroline. Ethics in Engineering Practice and Research. 2011-08-15. Cambridge University Press. 978-1-139-49885-2. 114, 205–206. en.
  2. Book: Cardwell, Kevin. Building Virtual Pentesting Labs for Advanced Penetration Testing. 2016-08-30. Packt Publishing Ltd. 978-1-78588-495-5. 91. en.
  3. Web site: Leyden. John. Cisco protects routers against 'Black Hat' bug. live. https://web.archive.org/web/20210211051453/https://www.theregister.com/2005/11/03/cisco_black_hat_bug/ . 2021-02-11 . 2020-12-02. The Register. en.
  4. Web site: 2005-07-29. Security Fix. 2020-08-21. https://web.archive.org/web/20050729012025/http://blogs.washingtonpost.com/securityfix/2005/07/mending_a_hole_.html. 2005-07-29.
  5. Granick. Jennifer. 2005-08-05. An Insider's View of 'Ciscogate'. Wired. 2020-08-21. 1059-1028.
  6. Web site: Black Hat Briefings and Training USA 2005. 2020-08-21. www.blackhat.com.
  7. Web site: 2005-09-10. http://www.granick.com/blog/lynncomplaint.pdf. 2020-08-22. https://web.archive.org/web/20050910144104/http://www.granick.com/blog/lynncomplaint.pdf. 2005-09-10.
  8. Granick. Jennifer. 2005-08-08. More Tales From 'Ciscogate'. Wired. 2020-08-22. 1059-1028.
  9. Web site: 2005-12-16. Wired News: Whistle-Blower Faces FBI Probe. 2020-08-22. https://web.archive.org/web/20051216132326/https://www.wired.com/news/politics/0,1283,68356,00.html. 2005-12-16.
  10. X . scooterthetroll . 1153448278811467776 . 2019-07-22 . Going through the t-shirts. Does anyone know where this came from? https://t.co/oOEHT62f1L . en . 2021-02-13.
  11. Laurie . Adam . rfidiot . 1153632739012333570 . 2019-07-23 . @scooterthetroll This was my version... :) https://t.co/uhEiyJL7Ll . en . 2021-02-13.
  12. Web site: Mojgan Khalili LinkedIn Profile. live. https://archive.today/20200821052236/https://www.linkedin.com/in/mojgan-khalili-11b32b4/%23. August 21, 2020. August 20, 2020.
  13. Web site: Security Fix - Black Hat Day 1: Update on Cisco-gate. 2020-08-22. voices.washingtonpost.com.
  14. Web site: 2005-12-05. ISS defends itself over Cisco flaw - ZDNet UK News. 2020-08-22. https://web.archive.org/web/20051205141940/http://news.zdnet.co.uk/internet/security/0,39020375,39212014,00.htm. 2005-12-05.