Slashdot Mirror


HP Uses DMCA To Quash Vulnerability Publication

Several readers wrote to note the fact that HP has evidently threatened to use the DMCA and computer crime laws against SnoSoft who have found a security flaw in Tru64. The quote from the HP VP is that the accused "could be fined up to $500,000 and imprisoned for up to five years."

48 of 603 comments

  1. Bruce Perens by BoyPlankton · · Score: 5, Insightful

    So this is the real reason HP didn't want Bruce Perens to demonstrate against the DMCA?

    1. Re:Bruce Perens by jc42 · · Score: 4, Insightful

      > People really resist the phone. Lots will reply to me here. A few will email. None will call.

      To a great extent, this is intentional. One of the real benefits of email and posting replies is that you can stare at your text on the screen, rewrite, check facts, reword, and only hit the Send button when you think you've got it right. Granted, not everyone does this, but many (possibly most) of us do.

      Also, a phone call can easily get lost in the shuffle. A text message sits there until someone deletes it. You can come back to it an hour or a year later. You can toss it into bins and count the pro/con messages. You can grep through your messages looking for keywords.

      I can't see any reason for techies to ever use the phone for issues like this. Posted and emailed replies are so superior.

      Phone calls and face time make sense for communicating with suits. They don't make sense in technical discussions. This is a lot of why Open Source development has been so outpacing corporate software lately. The corporate model has people in a room or on the phone. The Open Source model has everyone communicating via email and mailing lists. The latter is orders of magnitude more effective at getting ideas across without loss or misunderstanding.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  2. Apache by vex24 · · Score: 5, Insightful

    Funny how when Apache had a hole released before they had a chance to fix it, they gave off a muted air of annoyance and fur that had been rubbed the wrong way.

    Very mature compared to what big business does. "Wahh wahhh wahh!!! Help us Uncle Sam, we're poor defenseless transnational corporations!" Buncha whiners.

    --

    People shape laws. Not the other way around.

    1. Re:Apache by gmack · · Score: 5, Insightful

      Look at the difference though .. Xforce didn't wait before releasing a patch that failed to fix the problem along with an advisory that didn't grasp the full scope of the bug they found.

      These guys waited a YEAR and HP still hadn't fixed the problem.

  3. I hope by Anonymous Coward · · Score: 1, Insightful

    that someone is writing down all these "infractions" of the DMCA so that regular people can see a) what a pathetic joke this law is and b) that the government is no longer making laws for the people but for the lobbyists instead.

  4. Who's laughing at Alan Cox now? by rodgerd · · Score: 5, Insightful

    When Alan Cox originally discussed the notion that companies would (mis)use the DMCA in the security field, he was widely attacked for being silly.

    Anyone still feel like laughing?

    1. Re:Who's laughing at Alan Cox now? by Rohan427 · · Score: 4, Insightful

      I actually submitted to LKML - on 8/1/2001 - that the DMCA could be used in this manner, and I also submitted several posts regarding other warnings about other laws. I hate to say I told you/them so, but I did:

      [SNIP of e-mail quote I replied to]
      "It's very simple, and something like this is done all the time in the security industry
      by people who not only enjoy it, but who get paid to do it.

      1) Discover an exploit or a new way of using a known exploit.
      2) Write a trojan, virus, worm, etc. that takes advantage of the exploit.
      3)* Report the exploit to the applicable compan(y/ies), Security Focus, etc. and provide
      the BINARY of your trojan, virus, or whatever so they can test the
      exploit and find a fix.

      * Usually people provide the source code as open software. In this case (for this
      argument) we release it as binary only and keep full rights.

      No law was broken when the trojan, virus, etc. was written and no one can (technically)
      seek prosecution. Under DMCA (at least the way the writers of it have
      used it), anyone attempting to reverse engineer your virus (or whatever) and provide an
      antigen, is liable to you and you can sue them.

      To take another angle, those of us who actively look for exploits in software (because
      companies like M$ fail to do so themselves) risk being sued for doing so.
      This makes jobs like mine EXTREMELY difficult because on the one hand I don't want my
      company using software that will allow Joe Cracker to take over our
      machines, and on the other I don't want the company sued just because I did some
      necessary reverse engineering in order to prevent it (again, because the
      software mfg. can't be trusted to do it themselves).

      PGA

      --
      Paul G. Allen
      UNIX Admin II/Programmer
      Akamai Technologies, Inc.
      www.akamai.com
      Work: xxx-xxx-xxxx
      Cell: xxx-xxx-xxxx"

      (Note: I no longer work for the above referenced company as my office was closed late last year. My statements and views are mine alone and do not, nor ever have, represented the views of Akamai Technologies, Inc. or any of its officers and/or representatives.)

      So, what do _I_ get for my warnings to the kernel developers? Blackballed from the list by the maintainer, in a rather rude fashion IMO. (despite the fact that I've received many a thank you for the information I had provided)

      So, to all those who have read, heard, and seen such warnings, wherever you've read, seen, or heard them, and were asked to take action and do not, I say stop whining, shut up, and suffer. The same thing I tell people who don't vote - if you can't do your part to fight the problem, you have no right to bitch and moan about it.

      My solution to many of these issues is not to support the companies promoting them. I no longer buy CDs, DVDs, or go to movies (yes, I will be missing the second in the LotR series - which I have long awaited.) I do not buy Compaq, and will never buy another HP device. I do not buy M$ products or anything that runs on M$ platforms either. I have written letters to congress critters, etc. as well.

      How many others can say they've actually done their part to fight the DMCA, US Patriot Act, CDBTPA, etc. and/or whatever equivalent laws you may have in your own countries?

      I for one wish more folks in Alan's position would speak up. I commend him for doing his part, and he's not even a US citizen, is he?

      I for one never did laugh at him.

      PGA

    2. Re:Who's laughing at Alan Cox now? by Alan+Cox · · Score: 3, Insightful

      > I no longer buy CDs,

      That's a shame. There is a lot of great music on independent labels who have a really good attitude to their fans. They don't hide lyric sheets, they often waive some radio fees and in many cases they work through local recording studios and cd firms helping them to survive and support local music.

      I don't know about the USA but the UK has many relatively independent and completely independent small labels (eg www.showofhands.co.uk - a band whose musicians actually go around teaching people to play their music, www.madrarua.com (ok I'm biased, they are in Swansea)). When I visited St John's, Newfoundland I was amazed at the huge, mostly independent and deeply vibrant music culture there.

  5. FUCK HP by Anonymous Coward · · Score: 2, Insightful

    Here's another fucking BIG CORP trying to strongarm to get their way.

    Fuck HP. It's like Ford trying to get the safety concerns of the Pinto hushed up.

    Consumers are in danger, and WE COME FIRST.

  6. An Excellent Quote by unsinged+int · · Score: 5, Insightful

    Finisterre said that while he wanted to resolve the dispute with HP, he resented receiving DMCA threats. "We are like the guys that found out that Firestone tires have issues on Ford Explorers," he said. "It's not our fault your Explorer has crap tires. We just pointed it out. We should not get attacked for pointing out issues in someone's product nor for proving it is possible."

    When will people learn this is the same thing?

    1. Re:An Excellent Quote by rodgerd · · Score: 3, Insightful

      Why, when the media conglomerates who lobbied for this bill use the newspapers (they own), TV news and documentaries (they own) and radio shows (they own) to explain to people why the DMCA is such a bad idea, and what the negative ramifications of it are.

      I'm sure the congressmen (they own) will also take a responsible line, and won't conflate these kinds of issues with actual breaches of copyright, terrorism, or other acts most people consider unacceptable.

    2. Re:An Excellent Quote by richieb · · Score: 4, Insightful

      Some people might argue that by publicizing a security hole, more people will try to take advantage of that hole, and will compromise security for anyone using the product.

      So, to carry the Ford Explorer analogy, they should've stayed quiet until the manufacturer recalled all the tires?

      HP had a year to deal with this! Why don't they hire some programmers, instead of lawyers?

      --
      ...richie - It is a good day to code.
  7. This is ridiculous! by SunCrushr · · Score: 2, Insightful

    Finding and publishing a security hole in an OS is not a way to circumvent copyright protection.
    If I take over somebody's Tru64 machine via this security hole, I haven't broken copyright at all.
    Now, if I take documents off of the server, then I may be breaking copyright, but I don't think the connection is strong enough to stand up in a court of law.
    I could hold up a book store with a gun and make them give me their books. I've stolen the books and therefore broken copyright. Does that mean we should ban guns since they are a possible copyright protection circumvention device?

  8. Bruce, it's time for you to make a decision by JoeBuck · · Score: 4, Insightful

    It was legitimate for you to cooperate with HP's valid concern that, as a "deep pockets" organization it would be too risky for them to let you challenge the DMCA. I understood that.

    But now it appears that you work for a company that is using the DMCA as a club to suppress discussion of security flaws. It doesn't seem that the two hats you wear (your HP role and your open source leadership role) are compatible unless you can persuade HP to back off.

    It is possible, of course, that the DMCA threat is coming from one manager who is shooting his mouth off. If so, we need a clarification from higher management: is it the policy of HP to use the DMCA to suppress discussion of their security flaws, or not?

    1. Re:Bruce, it's time for you to make a decision by TellarHK · · Score: 3, Insightful

      I suspect Bruce won't be able to reply here for legal reasons (though he may be able, we'll see) but he's definitely reading, I think we can all guess that. HPaq is going to be increasingly difficult to work with in the future, by any guess I think I can make. They're bigger, they're badder, more bloated, and they're aiming at a much more demanding and volatile market so any "advantage" they can use to squash appearance of failure or flaw is going to be rapidly pounced upon before they suffer the fate of any large star that runs out of power. The DMCA is just today's big stick. Will they bring out a bigger one later?

      Does this cause Bruce to reconsider his employer? Only Bruce knows. Does this cause us to want him to make a statement by resigning or taking some other action? I suspect so. But I don't want to see the community pushing him toward a decision that isn't in his best interests. I think we just need to sit back and wait, to see what happens next.

    2. Re:Bruce, it's time for you to make a decision by gilroy · · Score: 5, Insightful

      Blockquoth the poster:

      > I just wish people would stop believing that any company exists for any reason other than to increase the wealth of its shareholders.

      I just wish people would stop believing that any company exists for the sole reason of increasing the wealth of its shareholders. It used to be that people believed in ethics -- that there are societal responsibilities that compete with shareholder equity. Of course it used to be that the primary purpose of a company was to produce something, which something would hopefully allow a profit.

      You know it is possible -- and ethical! -- to not do something because it goes too far. Or is HP obligated to murder someone if it increases shareholder profit? And before you say, "Well, the law imposes too high a cost", answer me this: What if you could prove the legal sanction was less than the profit realized? Should HP kill the person? Must they?

    3. Re:Bruce, it's time for you to make a decision by elmegil · · Score: 5, Insightful

      Bruce,

      I just want to say that I am 100% behind your request for time instead of having to answer to a horde of mad slashdot zealots wielding pitchforks when you've had no time to investigate. Not all of us here are so quick to assume the worst.

      Good luck in your discussions with the PHB's that be.

      --
      7 November 2006: The day Americans realized corruption and incompetence weren't addressing 11 September 2001
    4. Re:Bruce, it's time for you to make a decision by Bruce+Perens · · Score: 4, Insightful

      Well, hopefully I get points for not speaking out of ignorance, which is what I would be doing if I were to air a condemnation before I had first-hand data.

      Thanks

      Bruce

  9. DMCA and research by Col.+Klink+(retired) · · Score: 4, Insightful

    > HP's dramatic warning appears to be the first time the DMCA has been invoked to stifle research related to computer security.

    Um... wasn't that whole Felten/SDMI thing the first time the DMCA was invoked* to stifle research related to computer security?

    * Technically, they only threatened to invoke the DMCA. As of now, HP has also only threatened to invoke it.

    --

    -- Don't Tase me, bro!

    1. Re:DMCA and research by seanadams.com · · Score: 5, Insightful

      > As of now, HP has also only threatened to invoke it.

      Uh, no, "invoking the DMCA" is precisely what HP is doing, though they haven't formally filed a complaint with the feds. How can you possibly defend these unscrupulous fucks? From dictionary.com.

      invoke
      tr.v. invoked, invoking, invokes
      ...
      2. To appeal to or cite in support or justification.
      ...
      5. To resort to; use or apply:
      ...

  10. hp wasting valuable energy by ecalkin · · Score: 4, Insightful

    this is really a shame. hp was one of the technology companies that had a lot going for it.

    when you are fighting in a tough market *and* trying to make a merger happen without too much bad stuff, it seems that it is counter-productive to play this game: you make people mad, you spend resources (money and man-hours that could be easily used elsewhere) and you are *not* going to achieve the immediate goal of suppressing bad stuff (real or imagined).

    so hp gets more points in the bad pr column, they waste money, and the problem doesn't go away. i hope that they spin off the printer division before they crash and burn.

    eric

    p.s. i guess the worst part is that hp *didn't* learn from all the other companies that went down this path.

  11. Very Frustrating by Anonymous Coward · · Score: 2, Insightful

    How are we to feel secure while computing if it is illegal to check up on the companies providing the software/hardware solutions?

    Imagine if you would, a secure piece of software ( or a secure piece of hardware ) is sold to handle monetary transactions, no-one can verify that the software/hardware is in fact secure ... except the criminals who are going to exploit the vulnerability and steal hard earned money.

    Yay for the DMCA for protecting corporations instead of the individual!

    my 2 cents.

  12. Re:Excerpt from the CNet article by m0rph3us0 · · Score: 4, Insightful

    The article says they informed HP about these vulns a year earlier. In reality it is up to the company to secure their products; mistakes happen, but should Ralph Nader be put in jail for telling people that the Pinto's gas tank would explode on impact?

  13. Security through [mrf! Grbbl--!] by KFury · · Score: 3, Insightful

    So is this a sign that Microsoft will once again(?) be a secure platform, because now in addition to:
    • Security through Obscurity
    and
    • Security through Diligence
    we now add the mighty
    • Security through Litigation?

    To be fair, when do the handgun designers go to jail again?
  14. DMCA Violation? by _LFTL_ · · Score: 3, Insightful

    Ok someone fill me in here:

    How on earth does a law pertaining to the circumvention of copyright protection systems apply at all to someone releasing a security flaw in an operating system?

    1. Re:DMCA Violation? by fishbowl · · Score: 4, Insightful

      It does not. And if everyone involved has the guts to go ahead and let a jury decide, we might ALL be better off. Until someone does this, it's an open question whereby the mere threat of anything and everything is enough to control the behavior of individuals.

      --
      -fb Everything not expressly forbidden is now mandatory.
    2. Re:DMCA Violation? by inerte · · Score: 2, Insightful

      > Am I really willing to go to the poor house over this issue? Am I really willing to throw away a fair job, an OK home, and my car?

      Okay, what if you don't? What if we resist peacefully the DMCA?

      What would happen if we allow everyone to be prosecuted? I bet that when the count comes to 150 people prosecuted, it will be over forever.

      I am close to the point of saying, let them come, and I am not even from the USA, but my country does mimic a lot of things that happen there (we also have a corrupt government, who doesn't?)

      While weighing the personal and monetary costs to resist these stupid laws, and letting my own sacrifice, I am slightly leaning to the sacrifice side.

      It looks like it doesn't matter how much we discuss, how much these things look and in effect, are stupid, how much they TRULY hold innovation, information, and ultimately knowledge (Middle Age's church, anyone?), nothing will change.

      It's apathetic to just discuss these things. Damn, if I were full of prejudice I could say that nerds are naturally more headed to talk and understand than most people.

      Imagine you walking to your grandma and saying to her: "Gran, if you look at this recipe, YOU WILL GO TO JAIL. If you decide to change the ingredients, YOU WILL GO TO JAIL. If you distribute the recipe to your friends, YOU WILL GO TO JAIL".

      Ha, the way things are, not even parables will suffice.

      Now, recipes are pretty cheap compared to source code, I know. One has aggregated value, and the other doesn't. But is this the society that we want to live in?

      Hell no! It's not only information that I want, I NEED, and other people NEED too, that should be free.

      I don't know when the ranting will be over, hold on. Anyway, look at the future we are leaving to our children. This isn't good. This is good to a couple executives with their ass already so full of money that they can pretend that they give (or "donate") this money, because it will generate MORE to them! The corporative world is full of "social marketing" these days, and well, D'oh! Who believes that 99% of this crap is because suddenly companies want to go to heaven?

      No. It's acceptable to a point, isn't it? Have we come to the limit? Have we reached the suffering threshold that we allow ourselves to live in? Can we feel more deeply attacked on what we believe?

      Hell yes! We can! And that's the sad part. Slashdotters don't go to the street and make a DMCA riot because they (me too) are sweet little lazy bastards that think, hey, this one here isn't a big deal, this one here too. Oh, that one back in 1998 wasn't too, even if added with this one.

      I mean, we have the EFF to protect us, right? We have the power to decide about what the company we work for will buy, right?

      WRONG! While all these gigantic bastards are spending millions on advertisement to talk about the "Digital Revolution", I say: What?

      Are you coming to tell me, someone who breathes computers 24/7, what is best for me in computer terms?

      Hell! Do the following if you work for a company that you DON'T like: Quit! If the company that you work for makes deals with other companies that you think will compromise your vision of the future, QUIT!

      Do you think that it is so hard to make a personal sacrifice for a better world?

      Blah, now I may resume my normal activities.

  15. Ridiculous by dh003i · · Score: 5, Insightful

    The public has the right to know about these security flaws, just as much as we have the right to know if the tires we buy pass safety standards.

    HP trying to cover this up just proves it's a problem. HP is using the DMCA to prevent people from discussing valid flaws in their OS.

    People have the right to know if the car they're driving -- or are going to buy -- is unsafe. Why? Because their lives depend on it, literally. For the same reason, people have the right to know if the OS they're using is secure. Why? Because their lives depend on it, or at least their careers. Data important to one's career (i.e., scientific experimental data) is stored on one's computer. Private information -- i.e., credit card information -- is stored on a computer. Security holes can literally destroy one's life.

    We have the right to know exactly what problems there are in our software.

  16. Re:Don't blame HP by Quixote · · Score: 3, Insightful

    > Some people seem to forget that the real villain here is the US Government, who made DMCA into law.

    Yep. Murderers don't kill people; guns do! Don't send the murderers to jail; go after the gun manufacturers.

    The USC made a stupid law; just because a stupid law exists it does not mean that it should be used to quash legitimate research. If Carly had half a brain, she would fire the idiot VP and apologize to Snosoft. But don't count on it happening anytime soon.

  17. Leave it to crackers by richieb · · Score: 5, Insightful

    Frankly, I think that all the security experts should stop looking at Tru64 and just publicize the fact that they don't recommend it for uses where security is required.

    Let the crackers have it.

    --
    ...richie - It is a good day to code.
  18. Re:I don't see the problem by richieb · · Score: 3, Insightful

    > As a community, we do ourselves an incredible injustice by lining up to defend everyone who posts an exploit as if they were an associate professor at MIT. And that's exactly the perception that the initial commentary and posting to Slashdot of this article tried to imply.

    So free speech is good for academics, but not for a random hacker?

    What difference does it make who finds and reports a bug? The cool thing about the Internet is that you don't have to be a professor at MIT to publish security exploits. The publication speaks for itself.

    And if I'm running affected software, I don't care who reports the problem - as long as I find out and get a fix.

    Would you still feel the same if your bank kept your accounts on Tru64 HP machines?

    --
    ...richie - It is a good day to code.
  19. Re:Excerpt from the CNet article by Karma+Farmer · · Score: 5, Insightful

    > Call me crazy, but if I were a mega-corporation, I wouldn't want someone releasing "warez" to break into my systems this way.

    No, of course you wouldn't like it. And, if you were an emperor who got suckered into walking around naked, you'd be fairly pissed at the kid who pointed out that you were, in fact, naked.

    But, this story has nothing to do with HP "liking" or "not liking" it when people (rightly) point out that they're walking around naked. The story is about the fact that the DMCA has emboldened HP to the point that they feel it's better to walk around naked and sue anyone who notices, rather than buying some reasonable clothes.

    Etiquette in the security community demands that the discoverers of holes give companies reasonable time to respond to security problems, before publicizing the security problems. But this courtesy is not, in any way, a courtesy towards the company that manufactures the flawed product. That company's opinion in the matter doesn't mean squat. It is a courtesy extended entirely to the users of the product. Users are harmed if they do not know about exploitable flaws in the products they use, but at the same time users are harmed if the exploitable flaws are widely known before patches are available. The only reasonable role for a company with flawed products in the security process is to work diligently to minimize the harm to users, by the only method available to them -- by expediting patches for their products, and thus providing an environment where the user can be informed of security flaws in their product as quickly as possible.

    Unfortunately, what HP has done here is imagine itself to have some other role in the security process -- someone at HP is under the completely mistaken impression that their opinion of the security process matters in any way. It does not. The courtesies of the security process are entirely towards the users of the flawed product. People have a right to know about flawed products. HP has the opportunity to provide patches to their product, so that those users might have some alternative to simply throwing all of their HP equipment in the garbage, but that is entirely HP's opportunity, and really of no concern either to the users or to the security professionals who disclose the hole.

  20. There is a lesson to be learned here by Bob+Loblaw · · Score: 2, Insightful

    Companies that deal with hardware are supportive of the DMCA (makers of DVD drives, CPUs, satellite broadcasters, etc.). The reason being that it is *very* expensive for them to fix a security problem once the hardware is being sold out in the field. It involves costly recalls, shipping and reassembly. Sometimes a "fix" can be handled in firmware but not always.

    Companies that deal with software are less supportive of the DMCA. If they have a bug in their software, they whip out a patch, put it on their webpage and tell people to install it themselves. They have little to lose if someone hacks around their software since they can more cheaply play a game of cat and mouse with the hackers with the full source code at their disposal where the hacker has none of the proprietary code.

    1. Re:There is a lesson to be learned here by NullProg · · Score: 2, Insightful

      In both of your lessons, it all boils down to design. Can you, as a designer, imagine all the flaws in your design? :)

      Enjoy.

      --
      It's just the normal noises in here.
  21. Re:My mail to Carly by JohnA · · Score: 4, Insightful

    Wow... you work for a company that HAS ITS OWN CUSTOMERS ARRESTED and you have the nerve to complain about HP's DMCA threat?

    Talk about the pot calling the kettle black...

  22. This could turn out to be good... by GuNgA-DiN · · Score: 2, Insightful

    If companies start to make it a habit of suing people who tell the truth about them people will stop trusting these companies. Why did they tell HP about it first? They were honest and got bitch slapped. So, next time the researchers will think twice before going to the company. Maybe they will just publish on FreeNet or leak their story on Slashdot first?

  23. A Scenario... by pla · · Score: 2, Insightful

    Imagine...

    You have a brand-new deadbolt lock installed on your front door.

    A month later, a master key for your lock's exact model leaks out.

    Every thief within a hundred miles has a key to your front door, they just have to notice that it fits to rob you blind.

    Fortunately, a neighborhood watch group got wind of the leaked key, and started publicising it heavily, saving countless people from break-ins.

    So who does the lock manufacturer go after, on learning of this problem?

    Not the engineer who stupidly designed a master-keyed lock for the general public...

    Not the thieves who make use of this information...

    Not even the problem itself, which would take only a limited recall and almost no effort to correct...

    Instead, they go after the neighborhood watch group, on some shaky grounds about loss of confidence in the company.

    It strikes me as a *DAMNED* good thing that we only have such f'd up laws relating to computers, rather than physical security. Oh, wait, one *could* read the DMCA as applying to physical security. Oops. Time to go install a 2x4 on a latch-and-hinge across my front door.

  24. That's not a solution by Anonymous Coward · · Score: 4, Insightful

    I don't see the point of taking HP to task for it.
    It's a waste of time. Even if they back off .. whoopdee doo.

    Please .. what we need is a change in the law.

    Hackers can expose findings and report them to companies .. too often a flaw gets found and the company sweeps it under the rug; maybe they'll fix it in the next version but prior versions are vulnerable.

    Given the sad fact that all our politicians (not just in America but worldwide) are elected by money, maybe the following compromise can be reached:

    a) Hackers who find vulnerabilities must email a notice and description to the company. He must try to give at least 24 hours notice before announcing it to the public unless he knows of an imminent exploit in the wild (like an impending mass DDOS attack or something). In that case he should be allowed to announce it to the public immediately.

    b) Companies that take no action (that is, don't make a patch available/requestable) on a vulnerability that was reported to them but not announced to the public, are liable for exploits.

    c) The setup of a third party security company or government department where hackers can email reports of finding vulnerabilities. This is like CERT or bugtraq but the organization must have the funding and capability to pursue inaction on the part of companies that do not fix reported and well documented security flaws.

    Is there any way for you to use your publicity to bring something like this about?

    At least try. I hate the fact that curiosity is now a crime. I am allowed to take apart my car and see how it works .. why can't I do it with the applications I use and store my deeply personal information (from baby pictures to tax and health records) on?

    Thanks,

    Johan

  25. What will it end up to? by jsse · · Score: 3, Insightful

    I can see it here, US Government is progressively inventing laws that ensure:

    Only the Government can investigate crimes.
    Only the Government can test, examine, uncover defects in consumer products.
    Only the Government can perform reverse engineering on anything.
    Only the Government is allowed to use top-grade encryption.
    The scope of Free Speech is defined by senators, and it happens that no constitutional rights are being intruded.

    That's to say, US would become a country where citizens, by laws, SHOULD trust the Government and any questions on the already established laws and regulations are prohibited.

    What's wrong with the picture? I don't know, but I've read a novel about a country whose government has absolute power over its citizens and no citizen is allowed to question the decisions of the government. This government does not use any military power or violence to control its citizens, but laws.

    IIRC at the end of this story all the citizens end up living in an array of big tubes of liquid, and the rest of the rebels are either jailed (brains separated from their bodies) or terminated (become food for others). It's like The Matrix, but this time some humans control everything.

    ....Imagine, no violence, no crime, no hunger...a perfect world!

  26. Won't use HP in my shop by Sean+Clifford · · Score: 3, Insightful
    Well, then. This clearly demonstrates why *not* to use HP's Unix in your shop; I won't use it in mine. Nor will I use their software or services - you can't trust them. This stupid insular policy against public disclosure only ensures that (a) exploits aren't known, and (b) aren't patched, and (c) cannot be defended against.

    Don't say it...don't say it...I'm warning you...

    Use Linux.

    Damn, I said it.

    Why the fuck don't people want exploits fully disclosed? Sure, I don't have a problem with waiting a week or so to give a team/vendor (yes, even Microsoft) a chance to roll out a patch before making it public. It's a courtesy, not a necessity.

    <rant />
    Clearly some sort of political action is required. I suggest:

    1. The DMCA needs to be repealed or ruled unconstitutional. Hopefully the ACLU or the EFF will take a case that'll get us there. Or some rich philanthropist geek could 'violate' it by exercising their constitutional rights. But the best ploy is for every one of *us* to contact (visit,snailmail,fax,call,email) 'our' reps in the House and Senate, rationally outline our objections, and protest like hell if they don't. Civil disobedience, etc.

    2. Abolish corporate personhood (same methods).

    3. Abolish the lobby industry.

    4. Abolish campaign finance. Make it publicly funded, free TV-radio spots (public airwaves) equally distributed among ballot-qualified candidates.

    We've let corporations have far too much swing. I'm all for making a buck, but Jesus F***ing Christ...

  27. My letter to my Representative and Senators by LordNimon · · Score: 5, Insightful
    This is a letter I just sent to my Representative and Senators. Permission is given to anyone who wants to use this text to send a similar letter.

    Today I read an article on news.com (http://news.com.com/2100-1023-947325.html) that Hewlett-Packard intends to use the Digital Millennium Copyright Act (DMCA) to punish a company that has released information about a security vulnerability in an HP product. For quite some time I have been telling you that the DMCA is a bad law that needs to be repealed, and this is just more evidence to that effect. HP has known about this vulnerability for a year, but has chosen to do nothing to fix it.

    HP's action could set a precedent that would stifle technology research. Companies would be free to release broken technologies that would eventually be used in high-security environments. Anyone who attempted to test the strengths of these products would be branded a criminal.

    HP's customers and the American public deserve to know about security issues in HP's products. Withholding such information is just like the accounting scandals that have been rampant in recent times. Insecure technology is a weapon that hackers and terrorists can use against us. So when an American company decides to hide behind an American law rather than fix its products, our politicians need to re-examine that law.

    I urge you to sponsor legislation that will repeal the DMCA. Americans deserve better. Please write back to me and let me know that you support my fair use rights in a digital world, and that you'll be working to repeal the DMCA.

    --
    And the men who hold high places must be the ones who start
    To mold a new reality... closer to the heart
  28. Re:I need your call on this, please, folks. by friedmud · · Score: 5, Insightful

    Bruce,

    I guess I don't understand how full disclosure can equate to a shakedown.

    The company (snosoft) seems like a more or less legit research company, and the fact that they have a full disclosure policy in no way says that they are trying to take out companies. It just says, up front, that they have a policy of disclosing these security breaches that they find.

    On the other hand they have to make money somehow - so they contract out their services to companies who wish to have their software audited.

    I could be wrong, but by looking through their posts on security focus, I don't think they are out to extort money from companies - and this is especially true if they gave HP a year to fix this problem (in fact if that is true then you should REALLY stick it to the top brass).

    It could go either way - but it doesn't look like they are in the business of extortion. And the fact that they have been around for a while, and seem to be respected in the security community says quite a lot....

    ON THE OTHER HAND.... I don't see how it is in any way, shape or form right for HP to sic the DMCA on them, no matter what their business practices are. This is a vulnerability in HPQ's software and should not be treated with such arrogance (don't report it or else!).

    Just my $.02

    Derek

  29. Re:The EU by Lemmy+Caution · · Score: 3, Insightful

    As long as what you say doesn't jeopardize national security, suggest an interest in terrorism, reveal trade secrets, infringe on copyrights, trademarks, or patents, isn't a description of sexual activities involving anyone under the age of majority, isn't disruptive, doesn't explain how to circumvent copyright, doesn't explain how to acquire or use drugs, isn't seditious, doesn't reveal trade secrets, doesn't threaten our vital national unity during this ongoing and arduous war against terrorism, and is otherwise relatively inoffensive, you can say almost anything you like in the US.

  30. HP is wrong; but hacker was irresponsible by matthew_gream · · Score: 3, Insightful

    I think HP is wrong with its DMCA style threats, because they are not appropriate. However, I can sympathise with HP and understand why they may have "lashed out". I think the hacker in question was wrong to irresponsibly post the exploit for script kiddies to start playing with fire. For all the debate about various sorts of disclosure processes, it's quite clear that this approach potentially has a high impact upon any deployed systems and gives no time for either the vendors or the administrators to take action. This is just not a responsible real-world approach to dealing with security issues.

    --
    -- Matthew - matthew.gream@pobox.com, http://matthewgream.net
    1. Re:HP is wrong; but hacker was irresponsible by TeddyR · · Score: 3, Insightful

      The problem is that this gives a rise to the other question... How long to wait before making something public?

      The person that made the information public knew that HP had had the information for SEVERAL MONTHS before making the exploit public.

      It's true that it may have been better to contact CERT first (note: HP already knew); post to bugtraq, but DESCRIBE the issue and not post the exploit... THEN, once the PUBLIC description is made {and still no response from HP} [I say maybe give HP 14 working days], only then post the exploit as was done..

      --
      Time is on my side
  31. Re:I need your call on this, please, folks. by thales · · Score: 3, Insightful
    Bruce,
    Even if it was a company that engaged in outright extortion, i.e. "we just found this hole, pay us $10,000 by Friday or we release it", some advice my Mother gave me comes to mind.

    Two Wrongs Don't Make a Right

    HP's customers are innocent third parties in this matter. Once the exploit was released, no matter how shady the people who released it were, HP should have been trying to notify its customers instead of engaging in a futile attempt to put the cat back in the bag. HP has increased the harm to innocent third parties by not contacting them, and now their actions have ensured that the code for the exploit is more widely distributed than before.

    SnoSoft's actions may have been wrong, but that did not give HP a license to engage in wrong actions of their own.

    --
    Quemadmodum gladius neminem occidit, occidentis telum est
  32. Re:This is a marketing disaster for HP. by Neil+Watson · · Score: 3, Insightful
    Let's not get draconian yes,

    I'm going to wander slightly off topic here but I feel what you are saying is wrong. Today, top company executives seem to be above the law. They can operate their companies however they choose. No one ever seems to hold them accountable. A company goes bankrupt, thousands lose their jobs and top executives are laughing all the way to the bank. In this example an executive acts in an irresponsible manner that could affect many of his customers, and you suggest merely a wrist slap?

  33. Re:I need your call on this, please, folks. by uucp · · Score: 2, Insightful

    No, Bruce, Snosoft saying "Our advisory release policy is full disclosure unless bound by contract" does not seem like a shakedown to me. HP saying "If SnoSoft and its members fail to cooperate with HP, then this will be considered further evidence of SnoSoft's bad faith" seems much closer to the language used by blackmailing thugs. There is no implied threat in the former, because full disclosure is not a threat. The letter from HP to Snosoft, if the news.com report is accurate, is nothing but a threat.

    That is my call on this. I answered, since you asked. And the reason why I'm not calling you on the phone telling you this is because I think (and I suspect there are others as well that feel similarly) that cold-calling someone like that would be rude. So that would explain why you're getting calls from soulless "reporters" instead of maladjusted geeks.

    --
    Sig (appended to the end of comments you post, 120 chars)