Interesting People mailing list archives

IP: HP uses DMCA club to thwap computer security researchers


From: Dave Farber <dave () farber net>
Date: Wed, 31 Jul 2002 04:25:59 -0400


------ Forwarded Message
From: Declan McCullagh <declan () well com>

HP's DMCA nastygram:
http://www.politechbot.com/docs/hp.dmca.threat.073002.html

---

http://news.com.com/2100-1023-947325.html?tag=politech

    Security warning draws DMCA threat
    By Declan McCullagh
    July 30, 2002, 4:48 PM PT

    WASHINGTON--Hewlett Packard has found a new club to use to pound
    researchers who unearth flaws in the company's software: the Digital
    Millennium Copyright Act.

    Invoking both the controversial 1998 DMCA and computer crime laws, HP
    has threatened to sue a team of researchers who publicized a
    vulnerability in the company's Tru64 Unix operating system.

    In a letter sent on Monday, an HP vice president warned SnoSoft, a
    loosely organized research collective, that it "could be fined up to
    $500,000 and imprisoned for up to five years" for its role in
    publishing information on a bug that lets an intruder take over a
    Tru64 Unix system.

    HP's dramatic warning appears to be the first time the DMCA has been
    invoked to stifle research related to computer security. Until now,
    it's been used by copyright holders to pursue people who distribute
    computer programs that unlock copyrighted content such as DVDs or
    encrypted e-books.

    [...]

---

From: "Richard M. Smith" <rms () computerbytesman com>
To: <declan () well com>, "'Richard M. Smith'" <rms () computerbytesman com>
Subject: It takes two to tango
Date: Tue, 30 Jul 2002 20:59:59 -0400

Hi Declan,

I just read your interesting story at News.com
(http://news.com.com/2100-1023-947325.html?tag=fd_top) about the
controversy between HP and Snosoft.  It seems that HP is upset that
details of a dangerous security hole in the HP Tru64 operating system
were published by "Phased", a security researcher with Snosoft.  I
really feel that HP went way over the line by trying to place all the
blame on Snosoft for HP's security hole by invoking the DMCA and the
Computer Fraud and Abuse Act.

If this particular security hole is ever exploited by the "bad guys",
we'll probably have both HP and Phased to thank.  It really does take
two to tango.  The Phased exploit code would never have been published
if HP programmers didn't mess up in the first place.

So this quote from Kent Ferson of HP in your article was probably a big
mistake:

    "Ferson also said that HP reserves
    the right to sue SnoSoft and its members "for monies
    and damages caused by the posting and any use of the
    buffer overflow exploit."

Pretty clearly if there were ever to be any lawsuits over this
particular bug, HP has much deeper pockets which are much easier to get
to.

BTW, I'm neither a fan of the DMCA nor of people publishing exploit code
for security holes:

    Digital Copyright Act Harms Research
    http://www.privacyfoundation.org/commentary/tipsheet.asp?id=47&action=0

    Can we afford full disclosure of security holes?
    http://www.computerbytesman.com/security/fd.htm

Thanks,
Richard M. Smith
http://www.ComputerBytesMan.com




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------
Like Politech? Make a donation here: http://www.politechbot.com/donate/
-------------------------------------------------------------------------


------ End of Forwarded Message

For archives see:
http://www.interesting-people.org/archives/interesting-people/

