RE: Comment on DMCA, Security, and Vuln Reporting

["Keith T. Morgan" <keith.morgan () terradon com>]

HP seems to have forgotten, that if they distributed ONE COPY of the exploit code, and / or the email that contained 
it, they're subject to us copyright law and damages surrounding it.  Just releasing your code or copywrite protected 
material (yes, this very email qualifies under US Law) to a public forum doesn't void your copyright.

So, at least the exploit authors likely have some civil recourse.  Statutory damages are only $15000 at the maximum, 
but hey... take that thought and run with it.


> -----Original Message-----
> From: Richard Forno [mailto:rforno () infowarrior org]
> Sent: Wednesday, July 31, 2002 9:28 AM
> To: bugtraq () securityfocus com
> Cc: vuln-dev () securityfocus com; johnmacsgroup () yahoogroups com
> Subject: Comment on DMCA, Security, and Vuln Reporting
>
>
> Given the recent news about HP using DMCA to shutter a 
> Bugtraq disclosure of
> Tru64 vulnerability, I felt it appropriate to chime in. I 
> hope you find my
> comments of-value and worthy of relaying onto the list.
>
> The News.Com story with more details is at :
> http://news.com.com/2100-1023-947325.html?tag=fd_lede
>
> ----------RFF Comments
> I find it sadly amusing that technology companies see 
> "security debate" on
> the same level as "piracy" or "copyright controls." What it 
> really serves as
> is a corporate secrecy tool and (as was said) cudgel against 
> any and all
> potential enemies.
>
> HP, in its infinite corporate and legal wisdom  - the same 
> wisdom shared by
> Ken Lay, Jeff Skilling, Fritz "Hollywood" Holings, and Bernie 
> Ebbers - has
> opened a Pandora's Box here. Next you'll see folks saying that public
> disclosure of the generic password on the default Unix 
> "guest" account will
> be prosecutable under DMCA, or that a given exploit uses a 
> "buffer overflow"
> to cause its damage is likewise criminal to speak of. It's 
> bad enough that
> black markers might become illegal, isn't it? But the madness 
> continues.
>
> While I disagree with Adobe's use of DMCA last year against 
> Dmitry, at least
> their claim was somehow - admitted tangentally - related to copyright
> protection. HP's case is just absurd and has nothing to do 
> with copyrights
> and everything to do with avoiding embarassment and taking 
> responsibility
> for their product's shortcomings.
>
> I believe system-level security is MUTUALLY-EXCLUSIVE from copyright
> protection  -- or more accurately, the 'economic security' of 
> the vendors.
> Taking reasonable steps - including public disclosure of 
> exploits and their
> code - to protect a user's system from unauthorized 
> compromise IN NO WAY
> impacts the copyright rights of HP, unless HP wrote the 
> exploit code that's
> being publicly shared w/o permission....in which case it's 
> truly their fault
> then. Regardless, either way you look at it, they're using 
> DMCA to conceal
> their embarassment and duck responsibility.
>
> The way we're going, thanks to HP's legal geniuses, we may as 
> well call
> NIST, NSA, SANS, and IETF to rewrite a new 'industry 
> standard' definition
> for 'computer security' that places the vendor's profit and 
> public image
> above the confidentiality, integrity, and availability of 
> end-user data and
> systems. For all intents and purposes, Congress has already 
> done that with
> DMCA and Berman's proposed "Hollywood Hacking" Bill -- they 
> just forgot to
> inform (or seek counsel from) those of us working in the real 
> information
> security community.
>
> Bleeping idiots. Congress and Corporate America. When it 
> comes to technology
> policy, neither has the first clue . No wonder we're in the 
> state we're in.
>
> rick
> infowarrior.org