Information Security News mailing list archives

[infowarrior] - Comment on DMCA, Security, and Vuln Reporting


From: InfoSec News <isn () c4i org>
Date: Thu, 1 Aug 2002 05:38:32 -0500 (CDT)

---------- Forwarded message ----------
Date: Wed, 31 Jul 2002 09:37:50 -0400
From: Richard Forno <rforno () infowarrior org>
To: infowarrior () g2-forward org
Subject: [infowarrior] - Comment on DMCA, Security, and Vuln Reporting

Given the recent news about HP using DMCA to shutter a Bugtraq disclosure of
a Tru64 vulnerability, I felt it appropriate to chime in. I hope you find my
comments of value and worthy of relaying onto the list.

The News.Com story with more details is at:
http://news.com.com/2100-1023-947325.html?tag=fd_lede

----------RFF Comments
I find it sadly amusing that technology companies see "security
debate" on the same level as "piracy" or "copyright controls." What it
really serves as is a corporate secrecy tool and (as was said) cudgel
against any and all potential enemies.

HP, in its infinite corporate and legal wisdom - the same wisdom
shared by Ken Lay, Jeff Skilling, Fritz "Hollywood" Hollings, and
Bernie Ebbers - has opened a Pandora's Box here. Next you'll see folks
saying that public disclosure of the generic password on the default
Unix "guest" account will be prosecutable under DMCA, or that a given
exploit uses a "buffer overflow" to cause its damage is likewise
criminal to speak of. It's bad enough that black markers might become
illegal, isn't it? But the madness continues.

While I disagree with Adobe's use of DMCA last year against Dmitry, at
least their claim was somehow - admittedly tangentially - related to
copyright protection. HP's case is just absurd and has nothing to do
with copyrights and everything to do with avoiding embarrassment and
taking responsibility for their product's shortcomings.

I believe system-level security is MUTUALLY-EXCLUSIVE from copyright
protection -- or more accurately, the 'economic security' of the
vendors. Taking reasonable steps - including public disclosure of
exploits and their code - to protect a user's system from unauthorized
compromise IN NO WAY impacts the copyright rights of HP, unless HP
wrote the exploit code that's being publicly shared w/o
permission....in which case it's truly their fault then. Regardless,
either way you look at it, they're using DMCA to conceal their
embarrassment and duck responsibility.

The way we're going, thanks to HP's legal geniuses, we may as well
call NIST, NSA, SANS, and IETF to rewrite a new 'industry standard'
definition for 'computer security' that places the vendor's profit and
public image above the confidentiality, integrity, and availability of
end-user data and systems. For all intents and purposes, Congress has
already done that with DMCA and Berman's proposed "Hollywood Hacking"
Bill -- they just forgot to inform (or seek counsel from) those of us
working in the real information security community.

Bleeping idiots. Congress and Corporate America. When it comes to
technology policy, neither has the first clue. No wonder we're in the
state we're in.

rick 
infowarrior.org



--
You are a subscribed member of the infowarrior list. Visit 
www.infowarrior.org/lists for list information or to unsubscribe. This 
message may be redistributed freely in its entirety. 



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

