RE: Cisco IOS Exploit Cover Up

["Buhrmaster, Gary" <gtb () slac stanford edu>]

> -----Original Message-----
> From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On 
> Behalf Of James Baldwin
> Sent: Thursday, July 28, 2005 10:36 AM
> To: swm () emanon com
> Cc: nanog () merit edu
> Subject: Re: Cisco IOS Exploit Cover Up
>
>
>
> Lynn developed this information based on publicly available IOS  
> images. 

Well, there is this long legal license "agreement" you have to
click to agree to before you download the images (and I think
it is included with the hardware you unpack too).  In there
somewhere you do agree not to reverse engineer the images
(I actually read it all once a long time ago).  As to whether
that is enforceable, that is for a court to decide.

> There were no illegal acts committed in gaining this  
> information nor was any proprietary information provided for its  
> development. Reverse engineering, specifically for security testing  
> has an exemption from the DMCA (http://cyber.law.harvard.edu/openlaw/ 
> DVD/1201.html).

As I understand it, it is still unsettled case law as to how that
clause should be interpreted.  It is generally considered a good
idea to avoid being the test case for such lawsuits (unless you
have deep pockets to afford the best lawyers money can buy, or
at least better than what your opposition can buy).
 
> That being said, what information is he not supposed to have? 
> All the  
> information he had is available to anyone with a 
> disassembler, an IOS  
> image, and an understanding of PPC assembly.

Perhaps, as in at least some companies interpretations
of the DMCA, these are software equivalent of the crime of
"Possession of burglary tools"?



The US legal system is not as clean nor clear as one
might like to hope.  But the process will be followed,
and we will see what happens.  And if the result is
"bad", we can change the laws.

Gary