HP Backs Off DMCA Threat
Bruce Perens wrote with this interesting reversal: "News.com reports HP has backed off of its DMCA threat." Which makes SNOsoft's official response thankfully beside the point now. Update: 08/02 05:37 GMT by T: Declan McCullagh points out this CNET story, which includes words from HP, Snosoft, and Bruce Perens. Writes Declan: "HP blames the snafu on... their lawyers!"
A company with some fucking common sense.
Uh....Good?
Really though, what sort of conversation could possibly come of this? Maybe we can debate whether cable is better than DSL. Cable r00lz beyotchis!
Glad to see that they came to their senses. Suing people who let you know you have a problem instead of rewarding them is all wrong.
"Common Sense Ain't" -Unknown
Did you get rough with them Bruce?
you said that you would look into it, and you followed through like we all knew you would...
:-)
just goes to show how much power the OSS universe has now....that is what they get for employing us
True capitalism = lots of similar companies = jobs for everyone who wants one.
The link is over here
Actually, it looks like this whole thing was a misunderstanding, and involved screw-ups by people on both sides. And believe me, I'm the first one who'll go on about how awful the DMCA is, but I think this was just overreaction on one side and misbehavior on the other. But... well, we'll never know the real story.
See? Not everyone horribly abuses the DMCA. I don't think it was a good idea, but it's nice to see that not everyone is using it like a club.
Good going HP - my next printer will be from you.
-Erwos
Plausible conjecture should not be misrepresented as proof positive.
Bruce,
Anything else you can tell us about this fortunate reversal? Were you involved in knocking some reason into those responsible? How did the people in power originally decide that it would be strategic to wield the DMCA as a weapon against disclosure?
... the good guys win. I'm pretty sure it was my strongly-worded email to the CEO that turned the tide. :) Seriously, I think the outcry in the tech community made them beat this retreat. Whenever you're feeling overwhelmed by the latest corporate atrocity, remember: numbers can still make a difference. Write, call, or scream, but don't let your outrage dribble away.
The Mongrel Dogs Who Teach
"The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
let's see here:
Vivendi sues bnet.d, originally was under DMCA, but filed under traditional copyright;
HP threatens under DMCA, but backs down.
i think companies *know* that if the DMCA gets taken to court, it will die and we will all live free, so they don't want to risk it. which, incidentally, means that we should try to as much as possible (within reason)
My life in the land of the rising sun.
Still, I'd rather just get the stupid DMCA repealed by the legislature, if we can only get enough of them in who have a clue (and boot the clueless ones out).
And kudos to Bruce, who I'm sure had something to do with the quick turnaround. You da man!
While I have no desire to see SnoSoft get... uh, "Snowed", this would have been a landmark DMCA case. It would have been nice to see SnoSoft win, and set a precedent to other companies who'd like to wield this myopic piece of litterbox-lining legislation as a flaw shield.
Perhaps they think they can cover the blemishes of their software with the blood of the people who point them out.
"People will pay big bucks for the luxury of ignorance."
I think I would have rather it had been tested in court.
...great. I get to rely on their self-restraint in not abusing the law, rather than striking down an eminently abusable law.
"We can say emphatically that HP will not use the DMCA to stifle research or impede the flow of information that would benefit our customers and improve their system security."
As long as the only test cases are against individuals and groups the public perceives as "black hats" (e.g. 2600), this damnable law will never be changed.
-- Terry
(i'm going to go a little bit further from the HP/Snosoft case, so don't be surprised if some of the statements below do not fit 100% in that case)
All these problems will vanish if people will choose to disclose vulnerabilities in a responsible way. Sure, HP's response has been harsh. But every security problem (especially when it's accompanied by an exploit) should be reported first to the vendor! There should be no exception from this rule. The person doing the reporting should give the vendor a reasonable period of time to fix it; say, a few weeks or so.
Only if the vendor does nothing in these weeks, only then the report/exploit/whatever should be made public.
If hacker H writes a comment on Slashdot, making public an exploit against some software made by vendor V, and does not notify V in advance (say, 2...4 weeks in advance), and then V sues H, then who's right?
H is right, because (s)he disclosed a vulnerability, and disclosing is good. V is right, because not being warned in advance, their customers are left to the mercy of script kiddies. H is wrong, because (s)he's obviously looking for cheap publicity (i published a zero-day exploit; mine is bigger), not for improving security. V is wrong, because they are filing a lawsuit against open disclosure, which is not a good thing.
See?
And the solution is so simple: DO NOT publish "zero-day exploits". Give the damn vendors an early warning. Only if they are lazy and do nothing within a reasonable time (2...4 weeks), only then you are entitled to go slashdot-happy.
I'm a big fan of open disclosure, freedom of speech, etc. But people who look for cheap publicity are not my favourites. If H is going to publish the exploit without early warning, i'll say V has all the rights in the world to sue the crap out of H, and put him(her) in jail for one thousand years, and i'll applaud that. However, if there was an early warning, within a reasonable time, like one month or so (unlike some popular security companies did recently), and the vendor did nothing and didn't provide a good reason for the delay (because such reasons could exist, if you think of it), then H is 100% entitled to publish whatever exploit he likes.
It's all about timing. It's all about being reasonable.
BRUCE: I'm going to violate the DMCA on stage
:)
HP: Please don't. It would sortof reflect badly on us, and could cause trouble.
BRUCE: Well... OK.
HP: We're going to sue the pants off of anyone who reveals Tru64 vulnerabilities using the DMCA!
BRUCE: Please don't. This reflects badly on us, and could cause all sorts of trouble.
HP: Well... OK.
Good to know everyone's getting along.
Libertarianism is rich wolves and poor sheep playing gambler's ruin for dinner.
1) HP is committed to protecting our customer's security environments.
2) We have verified that there is a security vulnerability with Tru64 UNIX, the details of which were brought to our attention July 18. The problem has now been isolated and HP has been preparing a fix, which will be available within the next 48 hours.
3) We won't comment on the specifics of our discussions with SnoSoft. However, we take our customers' security requirements very seriously and have a strong track record following industry-standard security practices.
4) Where and how the DMCA should be applied is a matter of great controversy. The reported letter to SnoSoft was not consistent or indicative of HP's policy. We can say emphatically that HP will not use the DMCA to stifle research or impede the flow of information that would benefit our customers and improve their system security.
note: emphasis mine
Okay, so "conspiracy theory" isn't only a sign of paranoia, it's also a fun "home game!"
...anyone with any ideas along those lines? I would, for once, like to see the DMCA put into a situation where it's clearly and publically shown for what it is so it can finally be repealed... (and then replaced with something else.)
But it seems to me that every time the DMCA has been used as a threat against 'research/hacktivism' there is an eventual back-down. Okay, I say "every time" as if this has happened a lot. I can think of only two times and it hardly defines a pattern.
But I wonder what the motivation was to back down from their position? Was it unfavorable press such as in the case of Adobe? Was it various lawyers and corporate organizations fearing that a loss would impair the effectiveness of the DMCA or even get it repealed? I have to wonder about that...
So, on my list of laws and things that should change:
1. Child support - Child support should only be applicable in the case where the child was conceived within a legal marriage. Any other situation leaves enough doubt that the man was not a willing participant unless he's willing to admit to it or assume responsibility on his own. Repealing child support law as it is would result in a great decrease in single-parent children.
2. Software patents - Gotta go! It's bad enough that Copyrights are an issue with software, but PATENTS too? That impairs the right to make compatible and competing products. Patents gotta go.
3. Copyright law - It has its place, but the way it's being extended to infinity is ludicrous. It doesn't serve public interests well enough and tips the balance too much in favor of the rights holders or controllers.
4. Fair Use law - It should be formalized as a guarantee to the American people. We have spent so much time trying to prevent and repeal bad law that we forget that we can write up and recommend good law to counter the bad in many cases. Is there anyone out there drafting "Fair Use" law and submitting it to their congressman or senator? Why not?
I can't remember where the original link was (so this is from memory) but didn't the US government want to have hackers help with regard to security concerns... rather than go down the 'all hackers are bad' notion.
HP have done the right thing, but was their threat a bit of sabre rattling... or an attempt to test the waters?
Either way, HP have enough on their plate with the HPaq dealings... they couldn't really have enjoyed the idea of the bad PR as well as the backlash that would have been created by following through.
Just my 2cents.
Are you local? There's nothing for you here!
If this particular security hole is ever exploited by the "bad guys", we'll probably have both HP and Phased to thank. It really does take two to tango. The Phased exploit code would never have been published if HP programmers didn't mess up in the first place.
So this quote from Kent Ferson of HP in the News.com article was probably a big mistake:
Pretty clearly if there were ever to be any lawsuits over this particular bug, HP has much deeper pockets which are much easier to get to.
They're presumably backing down because it would be a terrible PR move. "We're neglecting our customers and suing people to try to cover this fact up" just doesn't go over well.
The question is what they were thinking in the first place; it's not like you can actually a company and have nobody know. Possibly they just wanted a bit more time in preparing patches before SNOsoft released details. I think it's most likely that they think that people won't remember who this incident involved, and will just think "Some big computer company tried suing someone who found a vulnerability in their product. I'd better avoid that big company. Now, was it MicroSoft or Sun?" Of course, as nothing is coming of it, there won't be much in the way of records on the subject. Or maybe HP's lawyers have been spending too much time in Germany and think they should threaten/sue people in HP's name without HP's permission.
... but as the DMCA is a statute, isn't it up to the FBI or some such to actually `use' it?
Adobe brought a `DMCA violation' to the attention of the FBI to prompt the Sklyarov / Elcomsoft affair. When they backed down, the FBI did not follow suit. Is it not the case that all a person or company can do is bring a `violation' to the attention of the FBI, and let them take it from there?
If this is the case, would not HP's original statement in regards to the researchers violating the DMCA be enough to set the ball in motion? If the FBI were to agree that the event in question is a DMCA violation, would their backing down be enough to prevent further action from being taken?
IANAL and I'm not even from the US, so maybe I've completely misunderstood how this works. But isn't there more to it than HP just deciding to stop waving the DMCA stick?
- SMJ - (It's not just a name: it's a bad aftertaste.)
Most corporations are very responsive to bad press from their customers though not necessarily the public at large. In the case of HP the Slashdot crowd are their customers (or at least future customers). It's likely that say 1/2 of Slashdot's readers will influence or control $1m+ in hardware / software purchases over the next 20 years. And as the Slashdot effect shows there are lots of Slashdot readers.
OTOH I'm not sure the MPAA sees the Slashdot crowd as particularly important now if MTVdot got mad about something...
I am referring to his offer, which he predicted that he would get no calls.
:-)
I know he lost that prediction because I called. (Only got an answering machine though.) Would be curious if this is enough information for him to figure out who wrote this post.
(Incidentally he may be contributing to people resisting phoning him. His answering machine tells you that he goes on a lot of trips and doesn't check voicemail, so email is preferred. What do you think that Joe random geek will do then?)
I fired off an e-mail to my HP support rep yesterday morning, and am awaiting his response. (He's out of office until next week.) Basically I told him that as a customer, I resent this behavior toward those who would offer us information about the security of the products we're using.
My support rep does an awesome job for us, and is our "foot in the door" to HP. That's why I felt it necessary to get the message to him quickly. Now I'll have a good opportunity to follow-up with him regarding HP's response. They've typically done a good job for us, but we've been curious as to how the post-merger HP would behave. I hope this isn't an indication.
They only backed down because continuing on this path would have convinced all the conspiracy theorists that they have something to hide. Doing something stupid made them look bad, therefore they quit. Nothing to see here.
This is bad. So far the DMCA hasn't been challenged. Adobe asked the government to drop charges; now HP has backed off. The problem with this is that this law has not had its day in court.
... or denounce it.
I'm sure any judge will realise how broad the DMCA is and as a result how damaging it can be to a person's rights as well as to a community of developers, not to mention privacy advocates.
Unfortunately we have lost another great opportunity. HP, like all the others, wants this law to remain. Only when the stakes are really high will they seek to enforce it.
So... someone fill me in here. Is it normal for organizations to ask companies for money before they'll share info about exploits? After reading the note from SNOsoft, it seems clear that they must have asked for money. How else do you explain them trying "to build a working relationship with HP" and HP (mis?)perceiving their actions as extortion.
Don't get me wrong, as far as I'm concerned, it sounds like HP needs to spend more money on developers and less on lawyers. I'm not trying to defend their actions at all. But, it seems to me that if SNOsoft was merely acting altruistically, they shouldn't need to "build a relationship" in order to "transfer the information privately."
-- dR.fuZZo
So snosoft are a security research company? Then how come they haven't bothered updating their web server to fix the security flaw mentioned over a month ago?
According to Netcraft, they're still running Apache 2.0.35...
Code, Hardware, stuff like that.
I can't think of any large entity that takes security more seriously than the military (including the banks I've worked for). They may have flaws but they are without question the toughest target.
One can only hope that vigorous outcry from vigilant people can convince corporations that they don't always have to do what their lawyer says. Lawyers don't have consciences. At least, they don't have independent ones. A lawyer believes whatever he is paid to believe. And so they are incapable of looking at any situation from a non-opportunistic/exploitative point of view. Only when their paymasters say, wait a minute, this policy doesn't work, I'm not going to just send that cease-and-desist or SLAPP or call the FBI or whatever, do these corporations do something in the public interest.
"Why should we leave America to go to America Junior?" - H. Simpson, on visiting Canada
i think companies *know* that if the DMCA gets taken to court, it will die and we will all live free, so they don't want to risk it. which, incidentally, means that we should try to as much as possible (within reason)
On the contrary, I think that if corporations were under the impression that this "tool" would soon disappear from their arsenal, they would have incentive to make use of it ASAP and "get while the getting is good". It's like when retailers make sure to stress that an offer is for a limited time only to try to get people to half-panic and hurry in to the store. More likely, corporations that try to make use of the DMCA are encountering some seriously bad backlash from the community that makes them think twice about using the DMCA. I would suspect that they would only resort to the DMCA when no other weapons are available. That's sort of a good thing, I guess, but it suggests that the DMCA will be the corporate legal equivalent of the H-bomb -- the "no more Mr. Nice Guy" gun that's used more as a scare tactic than an actual weapon.
Tastes like burning! - Ralph Wiggum
They knew they would have their posterior kicked black and blue which would eliminate the DMCA threat power.
Fight Spammers!
Exactly.
We have zero evidence that HP will stop trying to hide the failures in its products.
If Carly Fiorina knew about this, then she also thought it was okay to try to use aggressive tactics to hide severe failures in an HP product. In that case, Carly should be replaced by the HP board of directors.
If Carly Fiorina didn't know about this, a major act by a vice president, then she is clearly not in control of HP. In that case, Carly should be replaced by the HP board of directors.
more and more we are seeing serious backlash against the DMCA and at least, it seems, some companies are listening. I am a firm believer that us "10%ers" drive the tech industry. Possibly now, the "10%ers" are asserting real force on the market. It's nice to see a "grass-roots" movement be, at least somewhat, successful.
Work is punishment for failing to procrastinate effectively.
i agree with this post
That seems right to me. HP has set the prosecution in motion. It doesn't matter what they say for public relations. PR has no effect whatsoever.
So, my question is why don't they bring charges against HP for knowingly forcing people to use software that does not do what they claim (unless being broken into is on the features list) as well as claim damages for the couple days their DMCA invocation caused by making us all run their vulnerable software?
Also, I can't remember the name, but if you threaten someone with a lawsuit and have no intentions of following through with it, that is a crime as well.
Ah well, that's the joy of the USA.. everything is a crime now
Appreciate your note and concern. Let me just start by saying, "don't believe everything you read in the press :-)". I can assure you that my primary interest and concern is for the Tru64 customers and that the Tru64 engineering team is committed to finding and fixing any security problem in the product and getting these fixes/notifications out to customers ASAP. Trying to do everything possible for Tru64 customers is what motivates and brings me to work every day (and night :-). We also encourage our customers and 3rd parties that find security issues in the product to coordinate through the CERT process, which has been set up to support both product vendors and customers. Again, I appreciate your concern and feedback.
Kent
-----Original Message-----
From: XXXXXXX
[mailto:teaser@XXXX.com]
Sent: Tuesday, July 30, 2002 10:56 PM
To: Ferson, Kent
Subject: Rethink this approach.
Concerning this Zdnet article: http://news.com.com/2100-1023-947325.html
HP is going about this all wrong. You have managed to alert many more people of the mentioned exploit (by making legal threats) than would otherwise have ever noticed the Bugtraq post. That genie is way too far out of the bottle to be put back now and the poster will just comply with any cease and desist requests. Besides, there are plenty of buffer overflows in Tru64 according to the Bugtraq poster Phased.
My suggestion to you and your colleagues would be that you quietly fix the code, in a timely fashion, and avoid both the bad publicity and potential liability.
Thank you.
We really need your help
http://www.gofundme.com/help-sherry
I think this is too early to tell. Since they already did say they could use the DMCA, some damage is done. This obviously came through lawyers, so someone somewhere DID make that decision, regardless of who they blame. Now, even though they said they wouldn't, there is doubt in a researcher's mind if anything might happen. You can not just release a program without "following standard procedures" any more (that's what I got from CNet's article). Following such procedures is a good thing, but it should NOT be a requirement to free speech.
Let's wait for actions from HP; who knows what they'll do a year from now on some other bug. This also opens the door for MS or Oracle or whoever to do this, without being first, and citing HP, regardless of what HP said today. Can you really open your toaster now and see what's inside? This threat, even though withdrawn, has done what it was supposed to do.
It is what they call the slippery slope.
just a few days ago, Bruce gave his contact phone number in case anyone wanted to call him and talk about HP. his phone number is 510/526-1165.
Cretin - a powerful and flexible CD reencoder
We're all glad HP backed down, but what scares me is that the "Responsible Disclosure" FUD continues. On Bugtraq people write that CERT and SecurityFocus are "established parties" and everyone who does not give them their so-called "0days" is irresponsible (at least CERT is known to sell 0days). I personally won't give them my 0days early.
The "Responsible Disclosure" draft continues to get advertised, though it was not approved by the IETF.
Why do people think about giving away the right of free speech just because of some FUD?
Even in the unlikely case that this bad RFC passes, does it mean that people are safer when they disclose problems? I definitely don't think so personally.
So the facts are: some companies can't write secure code, and it is more expensive to write code securely.
Just check "Help -> About" on Windows before using the word "responsibility".
The easiest solution is to shoot the messenger and to outlaw saying the emperor has no clothes. But this won't fix the problem in the real world. Such regulations will only alienate a lot of people and will make things worse.
All this was quoted verbatim from the mailing list.
Karma whoring, anyone?
I disagree..
I believe that companies would rather keep the DMCA as a scare tactic. A law doesn't expire per se; it has to be taken to court to be overturned. If this goes to court, corporations fear it will be overturned and they'd have no more scare tactic.
So, does anyone know where we can find the voting record for the DMCA?
Some laws do expire, via "sunset clauses". This has become increasingly popular in the last few decades. I dunno about the DMCA, though.
Last night, when I read about HP swinging the DMCA club I sent their CEO "intelligent feedback". It was polite and used words like "extremely disappointed" and accused HP of shooting the messenger instead of fixing the problem. Additionally, I told her that I wish I had discovered the flaw and had to defend this action and faced a jury.
I imagined the cross examination as follows with HP on the hotseat:
1. Isn't it true that HP learned of this exploit nearly a year ago and has done nothing except try to "silence" someone sounding a critical warning?
2. Can you explain to us what type control a person could have gained over an HP server using this security flaw?
3. Isn't it true that HP servers are used in key government installations, biomedical research labs, and fortune 500 companies and this flaw could have been used to compromise national security and commit corporate espionage?
4. Why would HP delay acting on this information for so long when so much was at risk?
Oh, this would have been soooo much fun to watch on Court TV!
Anyway, I was just curious how many slashdotters fired off a "polite" feedback.
What a lame answer. What's preventing him from coming on /. and posting his side of the story? Did he, or did he not, threaten to sic the DMCA on SnoSoft?
I posted my message on the last story (but it was never modded up, i guess the other letters were more worthy). So i can say "I fed-back to carly-&-crew". And i was fairly polite, and used similar wording as you described above.
Power to the people!
Appreciate your note and concern... committed to finding and fixing any security ...appreciate your concern and
feedback..
Did anyone else feel that that was a contentless form letter? I don't think it says anything at all.
Oh, this would have been soooo much fun to watch on Court TV!
Too bad it would be torn to shreds in a real court. There would be all sorts of inadmissible evidence.
This *was* a form reply. I had further discussion with both him and a couple other guys at HP. Anybody who pushed farther than the original form-response from Mr. Ferson is probably a big cause for the reversal.
---- Please flame below this line ----
I am sorry, I do not see the point of this.
The DMCA still stands, it stifles research. Alan Cox is still afraid to step on US soil for fear of being arrested for doing moral and ethical work.
How is this any sort of victory? HP wussied out. Snosoft wussied out. And maybe Bruce Perens wussied out too.
Where were the necessary changes to the law? Hackers need some sort of protection from this crap.
Imagine if GM said you could open the hood of a car? Would the American public stand for that?
If you found a fault in a Ford, would the American public want Ford to have 30 days to figure out if they want to deal with the problem?
Corps are getting to manhandle us because the public doesn't understand the issues and we're a powerless minority.
Does the auto insurance institute which does crash testing need to inform the car companies thirty days in advance prior to disclosing bugs?
We need a secure receipt mechanism when reporting bugs.
We need full disclosure.
We need full authorization to learn from each other, this means sharing how buffer exploit vulnerabilities are found and how they can be exploited.
Simply reporting vulnerabilities to companies is irresponsible in the public scheme of things. If coders don't know how these exploits occur it prevents them from writing secure code.
We need the ability to learn from each other.
DMCA needs SERIOUS changes.
Bruce has done a lot more for hacker freedoms than many of us here, but I'm sorry, it hasn't been enough (not necessarily his fault).
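The "secure receipt mechanism" asked for in the post above is realisable today with ordinary hash commitments: the reporter publishes only a salted SHA-256 of the report in some dated public place (a mailing-list post, for instance), sends the report privately, and gets back an acknowledgment bound to that commitment and a received-date. When the report is revealed later, anyone can check that exactly this text existed on the commitment date, which settles "July 18" versus "a year ago" disputes of the kind argued elsewhere in this thread. This is an added example, not code from the original thread or from SNOsoft, HP or Bruce Perens; the function names, the sample report text and the use of an HMAC under a vendor-held key in place of a real digital signature on the acknowledgment are all assumptions.

```python
"""Hash-commitment receipt for a private vulnerability report.

Added example (not from the original thread). Assumptions: function names,
the constructed sample report, and the vendor acknowledgment using an HMAC
with a vendor-held key. A real deployment would sign the acknowledgment with
a public-key signature so third parties can verify it without the key.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Domain separator so a commitment cannot be confused with some other SHA-256
# the reporter happens to publish.
COMMIT_DOMAIN = b"vuln-report-commitment-v1\n"


def make_commitment(report: bytes, nonce: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Return (hex commitment, nonce).

    The random nonce keeps a short or guessable report from being brute-forced
    out of the published hash; the length prefix makes nonce||report unambiguous.
    """
    if nonce is None:
        nonce = secrets.token_bytes(32)
    if len(nonce) < 16:
        raise ValueError("nonce too short")
    h = hashlib.sha256()
    h.update(COMMIT_DOMAIN)
    h.update(len(nonce).to_bytes(2, "big"))
    h.update(nonce)
    h.update(report)
    return h.hexdigest(), nonce


def verify_commitment(commitment_hex: str, nonce: bytes, report: bytes) -> bool:
    """True iff the revealed (nonce, report) pair matches the published commitment."""
    expected, _ = make_commitment(report, nonce)
    return hmac.compare_digest(expected, commitment_hex)


def vendor_acknowledge(vendor_key: bytes, commitment_hex: str, received_at_iso: str) -> dict:
    """Vendor-side receipt: MAC over the commitment and the receipt date.

    Stand-in for a digital signature (assumption); the vendor cannot later
    claim a different date without producing a different tag.
    """
    msg = f"{commitment_hex}|{received_at_iso}".encode()
    tag = hmac.new(vendor_key, msg, hashlib.sha256).hexdigest()
    return {"commitment": commitment_hex, "received_at": received_at_iso, "tag": tag}


def verify_acknowledgment(vendor_key: bytes, ack: dict) -> bool:
    """True iff the acknowledgment's tag matches its commitment and date."""
    msg = f"{ack['commitment']}|{ack['received_at']}".encode()
    expected = hmac.new(vendor_key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, ack["tag"])


# Constructed sample report; not a real advisory.
SAMPLE_REPORT = b"Product: ExampleOS 1.0\nIssue: stack overflow in exampled -f argument\n"


def demo() -> bool:
    """End-to-end run: commit, acknowledge, reveal, and detect a tampered reveal."""
    commitment, nonce = make_commitment(SAMPLE_REPORT)
    vendor_key = secrets.token_bytes(32)  # assumed vendor-held key
    ack = vendor_acknowledge(vendor_key, commitment, "2002-07-18T00:00:00+00:00")
    ok = verify_commitment(commitment, nonce, SAMPLE_REPORT) and verify_acknowledgment(vendor_key, ack)
    tampered = verify_commitment(commitment, nonce, SAMPLE_REPORT + b"(edited later)\n")
    return ok and not tampered


if __name__ == "__main__":
    print("receipt chain verifies:", demo())
```

The commitment can be posted openly before any private contact with the vendor, so the reporter needs no cooperation from anyone to establish the date; the vendor acknowledgment adds the receipt date on their side.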
It's also an effective summary of the follow up article. 'Zactly what I expected. I was hoping to see a few examples from others that may have felt like hara^H^H^H^H^H offering Ferson some constructive criticism.
why do you spam-proof your email addy in the name field, but have it in your sig?
is it just me, or does this defeat the purpose?
If its any consolation its been down before. I imagine Christmas Island does not have the most reliable electrical and internet infrastructure in the world.
If you had anything to do with the reconsideration, we appreciate it.
You see? You see? Your stupid minds! Stupid! Stupid!
SNOSoft makes a business out of uncovering exploits, and if you don't agree to their "service contract" they will have one of their "security experts" publish the flaw along with example exploit code.
/.'ers can't seem to get past.
/.
The way that I see it is that these guys are nothing more than a group of crackers who would rather have the money instead of fame/notoriety.
Worthless thugs.
And I don't blame HP whatsoever for wanting to bitch-slap these sorry bastards, but using the DMCA to do so was a mistake. A mistake that
And I've read comments supposing that these guys just wanted HP to provide a contact for SNOsoft to explain the exploit to. Bullshit, this was extortion plain and simple. I'm surprised that the twirps didn't file their IPO while they were at it.
And the rank and file here defend them. Nobody said that you had to be smart to post here, and I guess that includes me too, but if you believe that these guys are anything more than second rate thieves, then you need some serious slap time with the cluebat.
Oh well, another day at
Should now email them to express thanks that they have reversed the decision. I had emailed them to state my displeasure and to vow never to buy another HP product again (which would be tough, as my Pavilion continues to surprise me in quality).
Now that they have reversed it, I sent a follow up thanking them and stating that I again looked forward to purchasing from them in the future. The rest of you should do the same- Express displeasure when they fuck up like this, but also express appreciation when they fix it as they have.
After reading SNOSoft's response, I've gotta say it looks like they were trying to drum up business and it backfired big time.
I'm not supporting HP in any way and personally I think the DMCA is the greatest piece of loo paper I've ever seen, but if you go to someone and say "I know how to break into your house and steal all your hidden money and I'm not going to tell you unless you pay me" you gotta expect to get burnt.
It does look like he is trying to be "cool". Too bad we can't make fun of him and take his lunch money :-D.
Why should you be pissed off at HP? I see it one of two ways:
1) If HP's statement is correct that details of the hole were brought to their attention July 18 then this guy is an A**hole for not giving HP time to fix it before going public.
2) If the rumors are true that the Tru64 team was notified a year ago then that was on Compaq's watch and not HP's. I can understand being mad that it wasn't fixed in a year (if this is truly the case) but you should be mad at Compaq and not HP. (And the premerger HP folks should admonish the premerger Compaq team!)
The DMCA did get taken to court, and the judge told us to FOAD.
Right. And I won't buy anything from Adobe, either. And I won't recommend any Adobe products. And I will truthfully disparage Adobe products when reasonably appropriate.
I don't like companies that invoke vile laws. And the DMCA is one of the viler ones.
I think we've pushed this "anyone can grow up to be president" thing too far.
Oh yeah, and keep in mind that the VeeP that sent the nasty-gram was a Compaq guy. Perhaps he's just not quite acclimated to the HP way yet (or at least what is left of it if the press stories over the last 6 months are to be believed.)
Wouldn't matter. For HP to even have a case, they'd have to say enough that they'd hang themselves in the process. Only scientologists are good enough to keep ALL the relevant facts out of the case.
It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
According to the C|Net article, the manager who made the threat (Kent Ferson) came from the Compaq side of the HP/Compaq merger. So I guess you can blame that loser Fiorina for bringing clueless bozos to dilute the HP way...
IANAL either, but I am in the US and this is how I understand the situation:
It is correct that a company cannot bring criminal charges against a person or another company. When an individual sues another individual, it must be for a violation of civil law. The DMCA is a federal criminal law, so it is up to the US Justice Dept to per^H^Hrosecute victims. The FBI is like a police department; they do not engage in prosecutions, but they have the power to make arrests, conduct investigations with court orders, etc.
One of the many problems with the DMCA is that the line between civil and criminal prosecution is blurring. With Dmitry Sklyarov, he was effectively arrested and prosecuted by Adobe; the FBI and the Justice Dept were willing participants, but I don't think there's much doubt that Adobe was calling the shots.
HP backing down from the DMCA threat is not enough to directly prevent a lawsuit. However, if HP will not cooperate in the prosecution (providing witnesses etc) due to public outcry, it is no longer worthwhile for the Justice Dept to prosecute, because they basically have no case. So again, it is not a question of actual policy but the effects of policy.
Hope this clears things up...
The FBI didn't follow suit ... at least based on what Adobe publicly said. But how much would you wager that Adobe told the FBI in private to stick it to Sklyarov? That's where my money is...
Remember: we have the best government money can buy. And Adobe has a lot of money...
Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
The power of the DMCA is not necessarily in court. The threat of a long drawn-out legal battle is usually enough to get what the large corps want, sort of a reverse "O.J." strategy, if you will. The DMCA can be milked by RIAA and others for many years without actually having to be tested. That won't lessen either its application or damage to the IT sector.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Due to its protections, the DMCA enables companies to not care a damn if there are vulnerabilities in their products. DMCA allows companies to get away with buggy software and no negative publicity. If only God had blessed Firestone, GM, or Tobacco companies with this fortune.
With its fostering and active encouragement of the creation of flawed software, I think the DMCA acronym should be changed to Dangerous Machine Crashes Act.
>I was just curious how many slashdotters fired off a "polite" feedback.
Not to Carly. But I did email HP citing the news item, asking them to contact me if it was in error. And telling them that HP printers had been removed from my company's "recommended" list pending such a reply. Haven't heard from them yet.
....has HP fired those lawyers or their firm?
I doubt it.
If only more lawyers would get fired. There are far too many upright-walking cockroaches in that profession. There are good lawyers too of course, just look at the ACLU, but there are also plenty of the worst type of scum known to man.
I guess if you're an amoral sociopath, career choices that match your temperament are few and far between. Your choices are basically car salesman, CEO, or legalistic henchman/mercenary.
Lee
Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
Both Snosoft and Phased mentioned that the vulnerability in question is only one of many they know of.
HP stated that they would fix THIS vuln in 48 hrs, but how many more are they sitting on? And given HP's response, how long will it be until anyone hears about them?
I think this issue is far from over, if there is any truth to Snosoft's and Phased's claims.
Quote: "At the high point there was an e-mail to (HP CEO Carly Fiorina) every 90 seconds."
It looks like there are quite a lot of HP workers who know what a bad thing the DMCA is. Thanks for reacting!
A lot of people are worried that Symantec will influence how Bugtraq is moderated and operated, and here we have a case where the deal isn't even closed yet, and already "things are different" down at ole Bugtraq...
Coincidence? Methinks not.
Sigh, moderate parent down, although the influence concern is still valid, the claim may not be.
"SecurityFocus.com, which is in the process of being acquired by Symantec, said it had already deleted a copy of the C source code from its Web site at the request of SnoSoft."
I knew I wasn't smoking crack yesterday. However, they allegedly pulled it at the request of snosoft, not HP.
I will remember.
Besides, - one year, multiple issues, not just this one, plus my memory of late W2K drivers.
HP will have to surprise and amaze me, otherwise I have now switched to white boxes.
"Of course, you've already joined the EFF [eff.org] and sent them at least $100 ........ haven't you?"
I would have.
Only they wouldn't promise to use the money ONLY on worthy causes, like fighting the DMCA, instead of defending Kevin Mitnick, should he go phreaking again.
The problem with giving money to radical organizations is that they will sometimes spend it on radical causes which you don't agree with.
Unfortunately, there's not an ACLU SIG on Intellectual Property yet, so once you give the nut-jobs your money, you lose control of it, and if one of their causes is to fight deer tick eradications, Murphy's Law says that's where your donation will be spent instead of on the cause you originally donated to support.
-- Terry
So what's keeping some small company that hates the DMCA from somehow taking a DMCA case to court? Okay, there's probably something illegal about manufacturing your own DMCA violation in order to take it to court in order to get the DMCA overthrown, but could it be done?
Kierthos
Mr. Hu is not a ninja.
Has everyone forgotten what Adobe did to Sklyarov? Adobe screamed "DMCA VIOLATION!" at the top of their lungs, got Dmitry arrested and then BACKED OFF.
Why?
They don't want the DMCA to see any kind of trial before a judge.
Now HP is doing the same. Soon, the next big company will do the exact same thing. The DMCA is a THREAT and will be used as a THREAT...but the last thing the big corps want is for the DMCA to see actual court time.
The Digital Millennium Copyright Act was passed by voice vote in one House of Congress, by Unanimous Consent in the other. Not one senator or representative is on record voting against the DMCA. Thus, your vote for any member of the Congress of 1998 signifies your approval of the DMCA.
Ed Craig "Who cares what you think?" George W. Bush, 4th of July 2001
The original source code was never posted on Bugtraq. What went up, and was then removed at Snosoft's request, was a post by Phased containing a link to the code. In the same article Dave Ahmad goes on to say that pulling it at the request of the originating team was normal procedure but that it would remain in the archives until a further decision was made.
From the Apache.org advisory:
"While testing for Oracle vulnerabilities, Mark Litchfield discovered a denial of service attack for Apache on Windows. Investigation by the Apache Software Foundation showed that this issue has a wider scope, which on some platforms results in a denial of service vulnerability, while on some other platforms presents a potential remote exploit vulnerability."
So, while the problem was initially detected on the Windows platform, it has been found to affect other platforms. In fact at the very top of the advisory we see this:
"Versions: Apache 1.3 all versions including 1.3.24; Apache 2.0 all versions up to 2.0.36; Apache 1.2 all versions."
Now I'm not sure what "all versions" means to you, but to me it doesn't mean "Windows only"...
Code, Hardware, stuff like that.
I know you were trying to say something else, but take a look at this line and consider:
>2) The thing that scares me about the DMCA is that, in this narrow sense, it is ILLEGAL to bitch about faulty hardware. The problem is that under the
>law, HP DOES have a case against SNOsoft. Just because they're not pressing it doesn't mean that the law is fundamentally broken. Note that the
>UCITA's shrink-wrap enforcement codicils could be used similarly.
The "Free Market" that so many seem to worship is based on an informed consumer able to make choices, to vote with his/her money. We really stink in the tech sector. First we have Microsoft dedicated to becoming the only choice. Now we have the DMCA removing the "informed" from what choices we have left.
Perhaps it's time to bill the UCITA and portions of the DMCA as being anti-free-market.
The living have better things to do than to continue hating the dead.
No way, the USERS / CUSTOMERS should be the first to know, that the product they bought is defective and/or dangerous.
That's the whole point of full disclosure. Why should the vendor and the bad guys be the only ones to know about security holes for a month? So that the bad guys have a month to root all the systems in the world, and nobody to stop them? Why even notify the vendor, they don't start fixing the problem until their customers know about it anyway.
As a user, I want to be the first to know about holes in any product I use, so that *I* can make the decision about whether to take the system offline, or use another workaround. (in this case (bug in su): chmod 0000 /bin/su).
And no, I didn't like not knowing what was going on with ssh either, but at least I knew that there was a problem, and could take the service offline until disclosure. Not knowing what the problem was, I didn't have any other possibilities.
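The workaround mentioned in the comment above (neutralizing a vulnerable setuid binary until the vendor ships a fix) is the kind of stop-gap an administrator reaches for when a hole is disclosed before a patch exists. The following shell script is an added example, not code from the thread or from any of the parties discussed; it generalizes the one-line `chmod 0000` into a small, reversible procedure: it records the binary's original mode before disabling it so the change can be undone, and it lists the other setuid binaries on the system so the admin knows what else is exposed. It assumes GNU coreutils `stat` (the `-c '%a'` form) and a POSIX `find`; the demo paths under `$TMPDIR` are constructed for illustration, and a real run would target the affected path (for instance `/bin/su`) as root.

```shell
#!/bin/sh
# Added example: reversible emergency mitigation for a setuid binary with a
# known-but-unpatched hole. Not from the original thread. Assumes GNU stat.

# Octal permission mode of a file, including the setuid/setgid bits
# (GNU stat prints e.g. 4755 for a setuid-root binary, 0 after chmod 0000).
file_mode() {
    stat -c '%a' "$1"
}

# Disable a binary: append "<path> <original mode>" to a record file, then
# set mode 0000 so no user can execute it (a setuid bit is only dangerous
# if the file is executable). Fails without touching anything if stat fails.
disable_binary() {
    bin="$1"; record="$2"
    mode=$(file_mode "$bin") || return 1
    printf '%s %s\n' "$bin" "$mode" >> "$record"
    chmod 0000 "$bin"
}

# Restore a binary from the record once the vendor fix is installed.
# The last recorded entry for the path wins.
restore_binary() {
    bin="$1"; record="$2"
    mode=$(awk -v b="$bin" '$1 == b { m = $2 } END { print m }' "$record")
    [ -n "$mode" ] || return 1
    chmod "$mode" "$bin"
}

# Audit helper: list regular files under a tree that carry the setuid bit,
# so the admin can see what else is in scope for a similar decision.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Self-contained demo on a constructed fake binary (run with RUN_DEMO=1).
if [ "${RUN_DEMO:-0}" = 1 ]; then
    d=$(mktemp -d)
    printf '#!/bin/sh\necho fake su\n' > "$d/fake_su"
    chmod 4755 "$d/fake_su"            # constructed stand-in for /bin/su
    echo "before: $(file_mode "$d/fake_su")"
    disable_binary "$d/fake_su" "$d/modes.txt"
    echo "disabled: $(file_mode "$d/fake_su")"
    restore_binary "$d/fake_su" "$d/modes.txt"
    echo "restored: $(file_mode "$d/fake_su")"
    rm -rf "$d"
fi
```

Recording the mode matters because `chmod 0000` destroys the information needed to put the binary back exactly as the vendor shipped it; writing it to a record file also leaves an audit trail of what was disabled and when. The audit function is the defender's counterpart to the comment's point about disclosure: knowing which setuid binaries exist is what lets you decide quickly when the next report arrives.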
Very interesting, and encouraging.
/me sets mode -shitlist HP
Thank you HP, I think we all knew you had more common sense than met the eye.
Some places make it sound like there is some miscommunication going on between the legal department and other departments at HP. I'm sure this will be fixed now, if it's true heh.
-- Note: If you don't agree with me, don't bother replying. I won't read it.
I disagree as well. The concept of using it as much as possible without creating a formal challenge is not unusual. A great example is the War Powers Act. Congress passed the law to impose limits on what the President can do as Commander in Chief. No President has liked the law. Congress doesn't always like the way Presidents have interpreted the law. Neither side wants a court battle because no one can be sure which way the court would go. They're both willing to accept getting less than what they would really like rather than taking the risk of losing everything to get even more.
... but i think i could do a better job representing HP in the public eye with 2 ozs of propriety and a sense of humor. sometimes it is truly amazing how much happens in a company's name before they are even aware of it - and even more amazing is the fact that they continue to let it happen over and over again simply because they don't understand the negative side of having lawyers and PR types aware of each other at all. lock 'em away in different boxes, folks, and we'll all get along better.
when it rains, it gets real soggy. when it pours, i'm under the tap just _waiting_ for the joy
How in the fuck is this modded a 4? The mods are on the pipe...the mods are on the pipe. He is just asking questions and trying to grandstand for his boy Bruce.
In another BBS I go to, when I posted about Palladium and the DMCA, all I got in reply were fiery defenses of corporate intellectual property. You can't disclose specifics of design flaws in proprietary works since it violates the copyrights and trade secrets of the IP owner. Microsoft can impose Palladium, since you don't have an inherent right to choose which software you run on your computer, since Windows is the property of M$ and the processor is the property of Intel. You don't have an inherent right to transfer your data out of a proprietary format, since the format is IP and if the vendor doesn't want you to have the ability to convert to other formats, then they have the right to say you can't because it's intellectual property. So on and so forth. Note that IP law doesn't give corporations the right to do any of those things. And in cases where IP does apply, those rights are overridden by anti-trust laws, monopoly laws, and restraint of trade laws. (I would argue that M$ using closed file formats in order to lock you in could be legitimately considered to be a restraint of trade.) But it seems that outside communities such as /. corporate IP takes precedence over anything, and to restrict companies like Microsoft is a violation of corporate constitutional rights by a tyrannical government!
"At the high point there was an e-mail to (HP CEO Carly Fiorina) every 90 seconds."
Sounds like a cron job to me hehe.
"...today consumers have been conditioned to think of beer when they see a bullfrog..."
But it goes even further than "cyberwar". If we don't have talented computer professionals in this country, the CIA, NSA, FBI, Armed Forces are all going to suffer disastrously. What are we gonna do, hire foreigners to protect our national security? ;-)
And then there's long term economic problems we'll run into as well. Corporations won't be able to hire security experts with enough talent and experience to protect them from corporate espionage, script kiddies, disgruntled employees, etc.
Our "leaders" are going to bring about our own demise. Stupid bastards...
Sticking feathers up your butt does not make you a chicken - Tyler Durden
Geek A creates a company that creates a program that "encrypts" (rot13, he) documents.
Geek B, friend of Geek A, breaks the encryption scheme, violating all the articles of the DMCA.
Geek A sues Geek B and they fight the case all the way to the Supreme Court.
Once the monstrosity is declared unconstitutional everybody is happy.
If it is not, Geek B is pardoned by Geek A and we go and hide in the mountains.
IANAL but write like a drunk one.
OpenSSH has a security problem:
HP has a security problem:
Kudos to HP for backing down, but this should lend some perspective on the viability of open source software.
HP blames the snafu on... their lawyers!
This is wrong, legally and morally. HP is a corporation; their lawyers are a part of them. The non-corporate analogy would be a little like punching someone in the nose and then saying "I didn't do it! It was my hands!" Someone who honestly presented this as a defense would be encouraged to undergo a psychiatric evaluation. I see NO difference in HP's behavior. Their attorneys, BY LAW, represent HP. Attorneys are not allowed to do things their clients don't want. Any action an attorney takes is legally the action of the client; that's what the word "attorney" means. When your attorney threatens legal action, YOU are threatening legal action; the attorney was hired by YOU to take actions YOU want by using the tool of the American legal system. The attorney may suggest courses of action; YOU decide what your legal representative will do.
The ONLY time I'd be willing to make an exception to this is if the corporation fires their lawyers or files suit against their law firm for legal malpractice.
Anyone who tries to tell you that it's not their fault because their attorney did it needs to be punched in the face.
I am in the position to influence purchase decisions and I will be extremely biased against HP for a very long time to come. Their behavior as "corporate citizens" does have a massive impact on how I view them to be dependable suppliers, and a company whose VP does something as (legally) inane as trotting out the "DMCA" to protect the reputation of their obviously flawed product... I suppose I need to explain no further.
Attn: Moderators!
The parent was flamebait not offtopic.
Please learn to read in context and with understanding and moderate accordingly.
I now await your decision on the aspect of THIS post.
Who run Barter Town?
You cannot blame their inaction on this issue for a year on the lawyers. As has been said, I will not soon forget this, and HP needs to do something major to show that they are not a big part of the problem. Thinly-worded excuses will not fly.
Does anyone else read this as:
"HP blames the snafu on... their lawyers!"
HP blames the snafu on, dah dah dah, their lawyers!
adobe = (Gimp && pdf2text) ? "who needs ya!" : "help! im stuck with adobe!"
Why don't two members or the Slashdot community get together to sue one or the other over some DMCA like issue, allow it to go to court and let the judge prove that it is a joke of a law?
Go a step further, and have the loser appeal, and lose again.
This will do more to destroy the DMCA than anything!
IMHO, this is too little, too late. Yeah, they're backpedaling after a justifiably furious outcry. However, the fact that one of their VPs sent this letter in the first place goes to show you how the HP/Compaq top brass think about security: keep it quiet.
Maybe so, but it's like a nuclear weapon. You don't have to use it, and don't really want to because the fallout would contaminate you, but the very existence of it is a formidable and chilling threat.
Milo
Now if HP were to come out against the DMCA, citing this type of incident as exactly the kind of thing that _could_ happen under the law I would gain back some of my respect for them (and maybe my desire to purchase their products).
Until Wednesday, SnoSoft's home page stressed that it had a policy of "full disclosure" of security threats--unless that company retains SnoSoft as consultants. "If someone hires us to do research we can not disclose that information since the information becomes theirs--they purchase it," said Snosoft's Desautels.
Ok, so SnoSoft says, "Hey, we found a security hole in your Tru64 product, but we are only going to tell you if you fork over some dough!" How ethical is that? It's hardly full disclosure. HP was threatening legal action on this basis, not that they found a hole. If I were HP I would sue the extorting bastards, too. Either disclose all holes publicly upon discovery or give the opportunity for vendors to fix them, but disclosing security holes within 24 hours to bugtraq only in the cases where the vendor does not pay you for cracking their system is unethical, IMO.
I'm sure the outrage helped to speed things along, however reading between the lines, putting my ear to the rumour mill has it that Felton seriously overstepped the mark, went against policy and is lucky to still have a job.
As the previous replier notes, HP would be completely on the defense, when they are the ones bringing the suit and thus they are the ones who have to prove that SnoSoft is guilty of something. From the "like a train wreck" perspective, I'm more than a little disappointed HP backed off, because this would've been so fun to watch unfold...but it's still going to be fun to watch just how far HP backpedals...as someone else has noted, it'd be great to see them say "see, the DMCA can be used to stifle legitimate security concerns" and protest it, but that's probably not going to happen in this lifetime.
"I may be quite wrong." - Socrates
How many days anal-retentive VP Kent Ferson has left at HP?
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
This wasn't just a mistake. It was an act of malice by at least one indecent person. HP's reputation remains tarnished until there is some indication that there has been a change.
Either this person should be fired, or there should be a statement from someone who says something like, "*I* was the person [no buck passing] who made this decision, and now I realize why it was wrong..."
It would be amusing, but might not happen. Remember, this would be a prosecution of a federal crime(DMCA). The question at hand is whether a crime was committed, not HP's competence.
If the defense were allowed to call such witnesses from HP at all, the prosecution would object to this line of questioning. They would argue that HP's incompetence is irrelevant to the question at hand: whether a crime was committed. If successful, the whole line of questioning would be halted.
Wouldn't matter. For HP to even have a case, they'd have to say enough that they'd hang themselves in the process.
Not if they can get the proceeding sealed under some pretense (which is what happened in most of the cases featuring RIAA/MPAA etc). You may want to read Jack Valenti's testimony in the DeCSS case where a lot of his answers were removed from the record.
HP would be completely on the defense...
As they say, the best defense is to attack. The courts would only see a bunch of hackers trying to annoy/disrupt the activities of a large corporation. How long do you think it will take for SnoSoft's lawyers to make the Judge understand what "hacker" really means?
Unfortunately, there's not an ACLU SIG on Intellectual Property yet, so once you give the nut-jobs your money
My message was about the EFF. Your reply seems to be about the ACLU. They are unrelated. Please check out the EFF web site before dismissing them as a "radical organization" - which IMHO they are not.
"HP emphasized that it would not use a controversial copyright law, the Digital Millennium Copyright Act (DMCA), to pursue a loosely organized team of researchers who demonstrated a bug in the company's Tru64 Unix operating system."
[...]
"Perens said that some executives did not realize what a "hot button" the DMCA was. "Certainly the engineering staff all spoke up about that," he said. "At the high point there was an e-mail to (HP CEO Carly Fiorina) every 90 seconds."
Unfortunately, what we really need is ONE HP customer that had their system compromised to sue HP, citing that they knew about the problem for
a year.
This will take care of the corporate attitudes towards bug reporting.
This is just another example of how the people who sit in charge of large companies tend to float in their ivory towers and not have any clue what's happening inside their own walls.
Just like the recent wave of accounting "irregularities", this is either a case of those in charge trying to get away with things they KNOW are wrong -- and backpedalling when they get caught, OR honest lack of clue as to what their lawyer breeding ponds were producing.
Why do people seem to lose their ability to use common sense as they climb the corporate ladder? At what point does rational thought and normal human morality get left behind? Just as proposals are being pushed to hold CEO's responsible for the state of their underlings, I'd like to see congressmen held responsible for the damages caused by the laws they pass without thinking about the consequences.
I don't think laws are meant to cover every possible Bad Thing (TM) that can happen... they are meant to correct known wrongs as society determines they are problems. As such, we shouldn't make up laws that cover crimes which don't yet exist (most of the newer technology laws try to be vague so they can do this). We also shouldn't make redundant laws, but acknowledge and correct their lack of enforcement (DMCA mostly tries to re-invent copyright law -- copyright law already does the job quite nicely, it just needs to be enforced).
One anonymous short seller with a couple thousand shares isn't going to make a significant dent in HPQ's stock price, but imagine a beowulf cluster of us shorting ADBE, shorting HPQ, shorting anybody who demonstrates customer-hostile behavior like this.
Sold at 13.26, covered at 12.91.
Don't you mean VP Kent Ferson?
Being removed from the public record doesn't mean they weren't considered in the case.
Isn't it true that HP learned of this exploit nearly a year ago and has done nothing except try to "silence" someone sounding a critical warning?
According to HP, no, that's not true. They received notification of the exploit on July 18th and Phased, without the rest of SnoSoft's permission, published the exploit on July 19th.
The rest of your points are kind of moot at that point.
There are two models that snosoft follows internally when performing security research: 1) Independent research with a full disclosure policy, and 2) Private research under NDA with a vendor. The threat from HP regarding extortion was based on the miscommunications/misperceptions around these two models. The history of the situation included initial findings under independent research. We halted prior to full disclosure due to the serious nature of our findings, and approached HP with a proposal to continue our research privately with them, under NDA. At no time did we attempt to request compensation for the initial research findings, and at no time did we threaten damaging actions if HP did not provide compensation. The goal we attempted to strive for was to transition from the Independent research/full-disclosure model to the private research/NDA model. HP was not interested in pursuing this track. So, we accepted their decision, and followed the "industry standard practice" for reporting vulnerabilities, by reporting them to CERT, who acted as the independent third party between SNOsoft and HP. The end result is that HP is getting penetration testing results for approximately two person months worth of work. The value in this service is obvious, which incents us to transition to a private research/NDA business model.
So, to sum up, the difference between extortion and transitioning a business model is a matter of the timing of requesting compensation for research results. If a security firm performs independent research, and then approaches the vendor with the position of, "pay us for this information, or else we'll release it to the public", then that can be considered extortion. However, if a security firm performs sales generating activities by trying to demonstrate to a vendor the value in their service, and requests a contract to do future work based on the demonstrated value, then that can not be considered extortion.
No way....you make a very good point. Symantec is very CORPORATE and has never been associated with anything remotely related to OSS or the "sharing community" at large. And more importantly, they make their living from fixing other people's problems that don't even know about Bugtraq. If Bugtraq goes, what will the Bugtraq users do? But not to worry, if Bugtraq is polluted by corporate ineptitude, another will be born or an existing site will be pushed to the spotlight. There is not enough money for all of them to be purchased by corporate America, is there?
Not only do we need the information that Bugtraq provides, we all need to be reminded that there are lots of us "community minded" individuals existing in corporate environments. Bugtraq confirms for us that some people do care about good quality technology and good people and helping each other out without trying to get every last nickel from every last joesixpack plus every last joecpu.
Money does not have metadata.
Maybe in version 3.
Some NPOs allow the attachment of provisions or maintain special funds; most do not, since permitting that would have the side effect of leaving "orphan funds" once a funded goal has been achieved, or leaving important new causes without funding (e.g. robbing the of the ability to exercise their discretion in prioritizing).
Would that you could specify where your money goes when it leaves your hands; for one thing, all of my taxes would be earmarked for long term projects, which is to say, "no pork".
-- Terry
Being removed from the public record doesn't mean they weren't considered in the case.
But the OP's point was that HP would lose face if they tried this. As long as the public doesn't know, that is not a possibility.
Can HP's lawyers sue HP for bringing them into disrepute?
I suppose they could if they weren't lawyers. As lawyers, no matter what is said about them, it improves people's opinion of them.
P.S. Joking. Some of my best friends are lawyers.
http://pcblues.com - Digits and Wood
I wish DCMA issues were the causes most worthy of my efforts. Such is not the case. There are a lot worse things going on (ask Amnesty International, for starters) than infringement of fair use. Although we have lost steps in the progress of software, things like pharmaceuticals are developing their own fair use common law. There is no give and take, though. You are right, in that everyone must get behind this issue or nobody will get anywhere.
No, the point was that the line of questioning laid out in the parent post would get torn to shreds in a real court because so much evidence would be inadmissible. It was then pointed out that in order to even make a case, HP would end up opening itself to at least some of the questions mentioned, or something along those lines. Then someone said that it would be sealed and deleted from transcripts. Then it was said that just because it was deleted from transcripts doesn't mean it wasn't considered.
So, you see, it makes no difference what the public knows. That wasn't the point. The point was that in bringing a case, HP would have to admit enough in court that it would lose the case. Nothing about losing face.
Do people know what this means?
Situation normal all F__ked up.
It dates back to WWII.
Anonymous Coward
I sent an email to her via the HP feedback mechanism. Told her I was always impressed by her leadership abilities but suggested that this was a very bad PR move to use a controversial piece of legislation to in effect suppress the First Amendment. Told her a lot of HP customers were threatening to become former customers. Told her she didn't need this in the middle of trying to make the merger work.
And I added a PS that said I always thought she was a "babe", too!
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!