Slashdot Mirror


HP Backs Off DMCA Threat

Bruce Perens wrote with this interesting reversal: "News.com reports HP has backed off of its DMCA threat." Which makes SNOsoft's official response thankfully beside the point now. Update: 08/02 05:37 GMT by T: Declan McCullagh points out this CNET story, which includes words from HP, Snosoft, and Bruce Perens. Writes Declan: "HP blames the snafu on... their lawyers!"

9 of 320 comments

  1. Sometimes, I guess,... by gilroy · · Score: 4, Informative

    ... the good guys win. I'm pretty sure it was my strongly-worded email to the CEO that turned the tide. :) Seriously, I think the outcry in the tech community made them beat this retreat. Whenever you're feeling overwhelmed by the latest corporate atrocity, remember: numbers can still make a difference. Write, call, or scream, but don't let your outrage dribble away.

  2. Responsible full disclosure by Istealmymusic · · Score: 4, Informative
    The following post was written by Steven M. Christey for Bugtraq. I completely agree with what Christey is saying, and highly recommend everyone interested in full disclosure read his letter here:
    The Responsible Disclosure Process draft specifically allows for
    researchers to release vulnerability information if the vendor is not
    sufficiently responsive. Some people may disagree with the delay of
    30 days between initial notification and release, but I don't think
    there are good stats on how long it really takes vendors to fully
    address vulnerability reports - open or closed source, freeware or
    commercial. Let's take a recent example - how much coordination had
    to happen for the zlib vulnerability? It seems reasonable to assume
    that it took more than a day. And the controversial "grace period"
    has the interesting distinction of being used by both Microsoft and
    Theo de Raadt.

    Researchers can help to shed light in this area by publishing
    disclosure histories along with their advisories. (By the way, vendor
    advisories rarely include such information.)

    While the response to the proposal focused almost exclusively on how
    it impacts researchers, it lays out a number of requirements for
    vendors, primarily that they (a) make it easy for people to file
    vulnerability reports, (b) be responsive to incoming vulnerability
    reports, and (c) address the issues within a reasonable amount of
    time.

    IMHO, it makes a stronger impression when someone releases a security
    advisory with an extensive disclosure history that says how much they
    tried to resolve the issue with the vendor, before they released.

    Those who are interested in the legal aspects of "responsible
    disclosure" are encouraged to read the article by Mark Rasch at
    http://online.securityfocus.com/columnists/66. The article basically
    says that the adoption of community standards could protect
    researchers who disclose issues responsibly, while it could also help
    vendors who seek legal recourse against researchers who are not
    responsible (for some definition of "responsible"). The former could
    happen with a community standard. The latter may already be happening
    without one.
    --
    "The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
  3. Hm, kind of a shame, in a way... by Chemical Serenity · · Score: 4, Informative

    While I have no desire to see SnoSoft get... uh, "Snowed", this would have been a landmark DMCA case. It would have been nice to see SnoSoft win, and set a precedent for other companies who'd like to wield this myopic piece of litterbox-lining legislation as a flaw shield.

    Perhaps they think they can cover the blemishes of their software with the blood of the people who point them out.

    --
    "People will pay big bucks for the luxury of ignorance."
  4. Re:further indication that DMCA does not hold wate by Anonymous Coward · · Score: 1, Informative

    I disagree..

    I believe that companies would rather keep the DMCA as a scare tactic. A law doesn't expire per se, it has to be taken to court to be overturned. If this goes to court, corporations fear it will be overturned and they'd have no more scare tactic.

  5. Re:money for exploits? by Dr. Awktagon · · Score: 3, Informative

    "working relationship" could also mean that 1) HP has a contact person assigned to snosoft, who will actually read and respond to snosoft's emails, and 2) snosoft will promise to keep exploits and advisories quiet until HP says they are ready.

    of course, you'd think this is how it would work anyway, without any formal agreements..

  6. Re:Voting record by certron · · Score: 3, Informative

    ok, follow me...

    go to thomas.loc.gov

    under the Legislation heading, click on Bill Text

    select the 105th congress (1997-1998)

    search for word/phrase 'digital millennium' (2 L's and 2 N's) or enter bill number "s. 2037"

    Click on one of the relevant results.

    The Bill Summary and Status link is informative. Check the "All Bill Summary and Status Info" link for some history (or some of the other links), then look for "Recorded Vote"

    Bingo.
    (phew, stepping through this was a little harder than I thought it would be... But, now that I understand it enough, I can tell everyone else how to do it. Bang on.)

    --

    fair.org counterpunch.com truthout.com indymedia.org salon.com
    eff.org guerrilla.net debian.org gentoo.org
  7. Re:Snosoft security... by Cryptnotic · · Score: 4, Informative

    Maybe it's because that security flaw doesn't affect them unless they're running on Windows, which they're not.

    --
    My other first post is car post.
  8. Re:Hollow Victory by Bruce Perens · · Score: 5, Informative
    Dear AC,

    I agree that this is hardly the last shot in the battle. Hardly. If anything, we kept a bad situation from getting a drop worse. But I don't know if "wussied out" is really a fair description. I modified my own DMCA paper to protect HP's Linux program. When Kent Ferson sent his letter a whole 4 days later, I lit fires all over HP and (along with a cast of good people within HP) convinced everyone, including Kent, that using DMCA this way was a bad idea.

    But I didn't get the law repealed this week. I'll keep working on that. It would be really nice if you would put in a lot of work on this, too. This is the sort of issue where every one of us has to help or we'll lose.

    Thanks

    Bruce

  9. It was a Compaq bozo who made the threat... by silentbozo · · Score: 3, Informative

    According to the C|Net article, the manager who made the threat (Kent Ferson) came from the Compaq side of the HP/Compaq merger. So I guess you can blame that loser Fiorina for bringing clueless bozos to dilute the HP way...