[wordup] HP uses DMCA club to thwap computer security researchers
Adam Shand
adam at personaltelco.net
Wed Jul 31 01:26:13 EDT 2002
IMHO, information is incapable of being harmful, thus full disclosure of
security vulnerabilities is *always* a good thing (especially if done
responsibly by notifying people and giving them a chance to fix things
first).
The fact that information can be used to do harm is no more significant
than that a rock can be used to bash someone's head in.
Adam.
Via: politech at politechbot.com
Subject: FC: HP uses DMCA club to thwap computer security researchers
HP's DMCA nastygram:
http://www.politechbot.com/docs/hp.dmca.threat.073002.html
From: http://news.com.com/2100-1023-947325.html?tag=politech
Security warning draws DMCA threat
By Declan McCullagh
July 30, 2002, 4:48 PM PT
WASHINGTON--Hewlett Packard has found a new club to use to pound
researchers who unearth flaws in the company's software: the Digital
Millennium Copyright Act.
Invoking both the controversial 1998 DMCA and computer crime laws, HP
has threatened to sue a team of researchers who publicized a
vulnerability in the company's Tru64 Unix operating system.
In a letter sent on Monday, an HP vice president warned SnoSoft, a
loosely organized research collective, that it "could be fined up to
$500,000 and imprisoned for up to five years" for its role in
publishing information on a bug that lets an intruder take over a
Tru64 Unix system.
HP's dramatic warning appears to be the first time the DMCA has been
invoked to stifle research related to computer security. Until now,
it's been used by copyright holders to pursue people who distribute
computer programs that unlock copyrighted content such as DVDs or
encrypted e-books.
[...]
---
From: "Richard M. Smith" <rms at computerbytesman.com>
To: <declan at well.com>, "'Richard M. Smith'" <rms at computerbytesman.com>
Subject: It takes two to tango
Date: Tue, 30 Jul 2002 20:59:59 -0400
Hi Declan,
I just read your interesting story at News.com
(http://news.com.com/2100-1023-947325.html?tag=fd_top) about the
controversy between HP and Snosoft. It seems that HP is upset that
details of a dangerous security hole in the HP Tru64 operating system
were published by "Phased", a security researcher with Snosoft. I
really feel that HP went way over the line by trying to place all the
blame on Snosoft for HP's security hole by invoking the DMCA and the
Computer Fraud and Abuse Act.
If this particular security hole is ever exploited by the "bad guys",
we'll probably have both HP and Phased to thank. It really does take
two to tango. The Phased exploit code would never have been published
if HP programmers didn't mess up in the first place.
So this quote from Kent Ferson of HP in your article was probably a big
mistake:
"Ferson also said that HP reserves
the right to sue SnoSoft and its members "for monies
and damages caused by the posting and any use of the
buffer overflow exploit."
Pretty clearly if there were ever to be any lawsuits over this
particular bug, HP has much deeper pockets which are much easier to get
to.
BTW, I'm neither a fan of the DMCA nor of people publishing exploit code
for security holes:
Digital Copyright Act Harms Research
http://www.privacyfoundation.org/commentary/tipsheet.asp?id=47&action=0
Can we afford full disclosure of security holes?
http://www.computerbytesman.com/security/fd.htm
Thanks,
Richard M. Smith
http://www.ComputerBytesMan.com
-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------