Politech mailing list archives

FC: HP uses DMCA club to thwap computer security researchers


From: Declan McCullagh <declan () well com>
Date: Tue, 30 Jul 2002 22:14:20 -0400

HP's DMCA nastygram:
http://www.politechbot.com/docs/hp.dmca.threat.073002.html

---

http://news.com.com/2100-1023-947325.html?tag=politech

   Security warning draws DMCA threat
   By Declan McCullagh
   July 30, 2002, 4:48 PM PT

   WASHINGTON--Hewlett Packard has found a new club to use to pound
   researchers who unearth flaws in the company's software: the Digital
   Millennium Copyright Act.

   Invoking both the controversial 1998 DMCA and computer crime laws, HP
   has threatened to sue a team of researchers who publicized a
   vulnerability in the company's Tru64 Unix operating system.

   In a letter sent on Monday, an HP vice president warned SnoSoft, a
   loosely organized research collective, that it "could be fined up to
   $500,000 and imprisoned for up to five years" for its role in
   publishing information on a bug that lets an intruder take over a
   Tru64 Unix system.

   HP's dramatic warning appears to be the first time the DMCA has been
   invoked to stifle research related to computer security. Until now,
   it's been used by copyright holders to pursue people who distribute
   computer programs that unlock copyrighted content such as DVDs or
   encrypted e-books.

   [...]

---

From: "Richard M. Smith" <rms () computerbytesman com>
To: <declan () well com>, "'Richard M. Smith'" <rms () computerbytesman com>
Subject: It takes two to tango
Date: Tue, 30 Jul 2002 20:59:59 -0400

Hi Declan,

I just read your interesting story at News.com
(http://news.com.com/2100-1023-947325.html?tag=fd_top) about the
controversy between HP and Snosoft.  It seems that HP is upset that
details of a dangerous security hole in the HP Tru64 operating system
were published by "Phased", a security researcher with Snosoft.  I
really feel that HP went way over the line by trying to place all the
blame on Snosoft for HP's security hole by invoking the DMCA and the
Computer Fraud and Abuse Act.

If this particular security hole is ever exploited by the "bad guys",
we'll probably have both HP and Phased to thank.  It really does take
two to tango.  The Phased exploit code would never have been published
if HP programmers didn't mess up in the first place.

So this quote from Kent Ferson of HP in your article was probably a big
mistake:

   Ferson also said that HP reserves
   the right to sue SnoSoft and its members "for monies
   and damages caused by the posting and any use of the
   buffer overflow exploit."

Pretty clearly if there were ever to be any lawsuits over this
particular bug, HP has much deeper pockets which are much easier to get
to.

BTW, I'm neither a fan of the DMCA nor of people publishing exploit code
for security holes:

   Digital Copyright Act Harms Research
   http://www.privacyfoundation.org/commentary/tipsheet.asp?id=47&action=0

   Can we afford full disclosure of security holes?
   http://www.computerbytesman.com/security/fd.htm

Thanks,
Richard M. Smith
http://www.ComputerBytesMan.com




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------
Like Politech? Make a donation here: http://www.politechbot.com/donate/
-------------------------------------------------------------------------

