HP Backs Off DMCA Threat

Bruce Perens wrote with this interesting reversal: "News.com reports HP has backed off of its DMCA threat." Which makes SNOsoft's official response thankfully beside the point now. Update: 08/02 05:37 GMT by T : Declan McCullagh points out this CNET story, which includes words from HP, Snosoft, and Bruce Perens. Writes Declan: "HP blames the snafu on... their lawyers!"

Great news Bruce! A few questions about it...

[CoughDropAddict]

Bruce,

Anything else you can tell us about this fortunate reversal? Were you involved in knocking some reason into those responsible? How did the people in power originally decide that it would be strategic to weild the DMCA as a weapon against disclosure?

further indication that DMCA does not hold water

[lingqi]

let's see here:

Vivendi sues bnet.d, originally was under DMCA, but filed under traditional copyright;

HP threatens under DMCA, but backs down.

i think companies *know* that if the DMCA gets taken to court, it will die and we will all live free, so they don't want to risk it. which, incidentally, means that we should try to as much as possible (within reason)

It takes two to tango

[Wladinator]

It seems that HP is upset that details of a dangerous security hole in the HP Tru64 operating system were published by "Phased", a security researcher with Snosoft, here on Bugtraq. I really feel that HP went way over the line by trying to place all the blame on Snosoft for HP's security hole by invoking the DMCA and the Computer Fraud and Abuse Act.

If this particular security hole is ever exploited by the "bad guys", we'll probably have both HP and Phased to thank. It really does take two to tango. The Phased exploit code would never have been published if HP programmers didn't mess up in the first place.

So this quote from Kent Ferson of HP in the News.com article was probably a big mistake:

"Ferson also said that HP reserves the right to sue SnoSoft and its members "for monies and damages caused by the posting and any use of the buffer overflow exploit."

Pretty clearly if there were ever to be any lawsuits over this particular bug, HP has much deeper pockets which are much easier to get to.

Perhaps I'm completely missing the point here...

[tuxedo-steve]

... but as the DMCA is a statute, isn't it up to the FBI or some such to actually `use' it?

Adobe brought a `DMCA violation' to the attention of the FBI to prompt the Skylarov / Elcomsoft affair. When they backed down, the FBI did not follow suit. Is it not the case that all a person or company can do is bring a `violation' to the attention of the FBI, and let them take it from there?

If this is the case, would not HP's original statement in regards to the researchers violating the DMCA be enough to set the ball in motion? If the FBI were to agree that the event in question is a DMCA violation, would their backing down be enough to prevent further action from being taken?

IANAL and I'm not even from the US, so maybe I've completely misunderstood how this works. But isn't there more to it than HP just deciding to stop waving the DMCA stick?

slight relief

[Lurking+Grue]

I fired off an e-mail to my HP support rep yesterday morning, and am awaiting his response. (He's out of office until next week.) Basically I told him that as a customer, I resent this behavior toward those who would offer us information about the security of the products we're using.

My support rep does an awesome job for us, and is our "foot in the door" to HP. That's why I felt it necessary to get the message to him quickly. Now I'll have a good opportunity to follow-up with him regarding HP's response. They've typically done a good job for us, but we've been curious as to how the post-merger HP would behave. I hope this isn't an indication.

money for exploits?

[dR.fuZZo]

So... someone fill me in here. Is it normal for organizations to ask companies for money before they'll share info about exploits? After reading the note from SNOsoft, it seems clear that they must have asked for money. How else do you explain them trying "to build a working relationship with HP" and HP (mis?)perceiving their actions as extortion.

Don't get me wrong, as far as I'm concerned, it sounds like HP needs to spend more money on developers and less on lawyers. I'm not trying to defend their actions at all. But, it seems to me that if SNOsoft was merely acting altruistically, they shouldn't need to "build a relationship" in order to "transfer the information privately."

Re:money for exploits?

[dd301]

But, it seems to me that if SNOsoft was merely acting altruistically, they shouldn't need to "build a relationship" in order to "transfer the information privately."

The point in question was whether "third party" (read CERT) would have to be in on the information sharing. Many people feel that CERT is just piggybacking on the efforts of real security researchers.

Snosoft security...

[FyRE666]

So snosoft are a security research company? Then how come they haven't bothered updating their web server to fix the security flaw mentioned over a month ago?

According to Netcraft, they're still running Apache 2.0.35...

Re:Hate to say it but the Military uses a bunch of

[jbolden]

I can't think of any large entity that takes security more seriously than the military (including the banks I've worked for). They may have flaws but they are without question the toughest target.

Oops, we got caught

[DearSlashdot]

If there is anything that the Enron/Worldcom/corporate scandals of the week and ludicrous xxAA-backed legislation has taught us, it is that greedy people will try and get away with as much as possible until they get caught. HP didn't suddenly get a conscience, they just found the point of diminishing returns for this particular type of legal attack. The fundamental attitude of "how can we exploit the law to our own benefit" without any regard to it's intent or long-term consequences remains the same.

One can only hope that vigorous outcry from vigilant people can convince corporations that they don't always have to do what their lawyer says. Lawyers don't have consciences. At least, they don't have independent ones. A lawyer believes whatever he is paid to believe. And so they are incapable of looking at any situation from a non-opportunistic/exploitative point of view. Only when their paymasters say, wait a minute, this policy doesn't work, I'm not going to just send that cease-and-desist or SLAPP or call the FBI or whatever, do these corporations do something in the public interest.

Re:further indication that DMCA does not hold wate

[kyras]

i think companies *know* that if the DMCA gets taken to court, it will die and we will all live free, so they don't want to risk it. which, incidentally, means that we should try to as much as possible (within reason)

On the contrary, I think that if corporations were under the impression that this "tool" would soon disappear from their arsenal, they would have incentive to make use of it ASAP and "get while the getting is good". It's like when retailers make sure to stress that an offer is for a limited time only to try to get people to half-panic and hurry in to the store. More likely, corporations that try to make use of the DMCA are encountering some seriously bad backlash from the community that makes them think twice about using the DMCA. I would suspect that they would only resort to the DMCA when no other weapons are available. That's sort of a good thing, I guess, but it suggests that the DMCA will be the corporate legal equivalent of the H-bomb -- the "no more Mr. Nice Guy" gun that's used more as a scare tactic than an actual weapon.

We have zero evidence that HP will stop...

[Futurepower(R)]

Exactly.

We have zero evidence that HP will stop trying to hide the failures in its products.

If Carly Fiorina knew about this, then she also thought it was okay to try to use aggressive tactics to hide severe failures in an HP product. In that case, Carly should be replaced by the HP board of directors.

If Carly Fiorina didn't know about this, a major act by a vice president, then she is clearly not in control of HP. In that case, Carly should be replaced by the HP board of directors.

Retaliation?

[dissy]

So, my question is why dont they bring charges aginst HP for knowingly forcing people to use software that does not do what they claim (Unless being broken into is on the features list) as well as claim damages for the couple days their DMCA invocation caused by making us all run their vulnerable software?

Also, i cant remember the name, but if you threaten someone with a lawsuit and have no intentions of following through with it, that is a crime as well.

Ah well, thats the joy of the USA.. everything is a crime now

Anyone else email Ferson?

[teaserX]

Appreciate your note and concern. Let me just start by saying, "don't
believe everything you read in the press :-)". I can assure you that my
primary interest and concern is for the Tru64 customers and that the
Tru64 engineering team is committed to finding and fixing any security
problem in the product and getting these fixes/notifications out to
customers ASAP. Trying to do everything possible for Tru64
customers is what motivates and brings me to work every day
(and night :-). We also encourage our customers and 3rd parties
that find security issues in the product to coordinate through the
CERT process, which has been set up to support both product
vendors and customers. Again, I appreciate your concern and
feedback.

Kent ...

-----Original Message-----
From: XXXXXXX
[mailto:teaser@XXXX.com]
Sent: Tuesday, July 30, 2002 10:56 PM
To: Ferson, Kent
Subject: Rethink this approach.

Concerning this Zdnet article: http://news.com.com/2100-1023-947325.html

HP is going about this all wrong. You have managed to alert many more
people of the mentioned exploit (by making legal threats) than would
otherwise have ever noticed the Bugtraq post. That genie is way to far oput
of the bottle to to be put back now and the poster will just comply to any
cease and desist requests. Besides, there are plenty of buffer overflows in
True64 according to the Bugtraq poster Phased.
My suggestion to you and your colleagues would be that you quietly fix the
code, in a timely fashion, and avoid both the bad publicity and potential
liability.

Thank you.

Re:Is there really much to say about this?

[jazman_777]

In any of the countless stories about some cable or DSL provider or another, the same tired, predictable, and largely factless debates about cable versus DSL breaks out. The sad thing is that it's largely a verbatim recreation of the same argument that's played out about 2^16 times on here

Come now, you know it's like a car crash. Frightening, gruesome, but we want to look. That's why we keep coming back to the same tired old arguments and issues (and back to /.). We're old folks sitting on their rocking chairs, telling the same old stories and jokes, and laughing every time, except we're not all old yet.

How many people sent Mrs. Fiorina (CEO) Feedback?

[Proudrooster]

Last night, when I read about HP swinging the DMCA club I sent their CEO "intelligent feedback". It was polite and used words like "extremely disappointed" and accused HP of shooting the messenger instead of fixing the problem. Additionally, I told her that I wish I had discovered the flaw and had to defend this action and faced a jury.

I imagined the cross examination as follows with HP on the hotseat:

1. Isn't it true that HP learned of this exploit nearly a year ago and has done nothing except try to "silence" someone sounding a critical warning?

2. Can you explain to us what type control a person could have gained over an HP server using this security flaw?

3. Isn't it true that HP servers are used in key government installations, biomedical research labs, and fortune 500 companies and this flaw could have been used to compromise national security and commit corporate espionage?

4. Why would HP delay acting on this information for so long when so much was at risk?

Oh, this would have been soooo much fun to watch on Court TV!

Anyway, I was just curious how many slashdotters fired off a "polite" feedback.

Hollow Victory

I am sorry, I do not see the point of this.

The DMCA still stands, it stifles research. Alan Cox is still afraid to step on US soil for fear of being arrested for doing a moral and ethical work.

How is this any sort of victory. HP wussied out. Snosoft wussied out. And maybe Bruce Perens wussied out too.

Where were the necessary changes to the law. Hackers need some sort of protection from this crap.

Imagine if GM said you could open the hood of a car? Would the american public stand for that?
If you found a fault in a Ford, would the american public want Ford to have 30 days to figure out if they want to deal with the problem?
Corps are getting to manhandle us because the public doesnt understand the issues and we're a powerless minority.

Does the auto insurance institute which does crash testing need to inform the car companies thirty days in adnvance prior to disclosing bugs?

We need a secure receipt mechanism when reporting bugs.

We need full disclosure.

We need full authorization to learn from each other, this means sharing how buffer exploit vulnerabilities are found and how they can be exploited.

Simply reporting vulnerabilities to companies is irreponsible in the public scheme of things. If coders dont know how these exploits occur it prevents them from writing secure code.

We need the ability to learn from each other.

DMCA needs SERIOUS changes.

Bruce has done a lot more for hacker freedoms than many of us here, but I'm sorry but it hasnt been enough (not necessarily his fault).

Re:Hollow Victory

[gilroy]

Blockquoth the poster:

Imagine if GM said you could open the hood of a car? Would the american public stand for that? (emphasis added)

Yep, it'd be terrible if people could examine the inside of their car's engine. We'd have all these underworked overinquisitive teenagers poking around, figuring out how things work, modifying and maybe even improving the engine... it'd be chaos!

OK, OK, I shouldn't make fun of someone just because they pressed "Submit" too fast. But the slip opens up an interesting thought in my mind: It is a fact of history that in World War II, American infantry units were the only ones to get progressively more mechanized as a campaign went on. For most armies, continuing action meant trucks and tanks broke down (bad maintenance, lack of supplies, etc.). But for the US, the infantry units would gain mechanized capacity. It was not unheard of that a unit not have to march anywhere, having scrounged enough vehicles to ride. This made the infantry many times more effective and enhanced the efficiency of armor, too (since the infantry could keep up with the tanks).

It doesn't seem that, with the wear-and-tear of battle, you should get more capacity. What was the secret? Well, just about every man in a US unit had some experience with motor vehicles. Most owned their own; many if not all repaired their own. So on the battlefield, they were able to scrabble spare parts together and keep the trucks rolling. In fact, they were often able to scavenge from damaged enemy machines! When a truck or car broke down, most armies had to call in a specialist repair team. But the US infantry could fix it themselves and keep moving. (Source: Dirty Little Secrets of World War II , Dunnigan and Nofi)

What's the point? Well, consider that everyone thinks sooner or later we're going to get into a "cyberwar" -- assaults upon information infrastructure. Maybe our only chance of winning such a conflict is to have legions of people familiar with computers and security, with securing a system or attacking it, with picking apart a program and then putting it back together better. In other words, maybe we need a culture of "hackers" (in both sense) as an insurance policy.

In which case, the DMCA is not just intrusive and unbalanced. It's actually a threat to national security. How do you like them apples?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Perhaps I'm completely missing the point here..

[adam613]

IANAL either, but I am in the US and this is how I understand the situation:

It is correct that a company can not bring criminal charges against a person or another company. When an individual sues another individual, it must be for a violation of civil law. The DMCA is a federal criminal law, so it is up to the US Justice Dept to per^H^Hrosecute victims. The FBI is like a police department; they do not engage in prosecutions, but they have the power to make arrests, conduct investigations with court orders, etc.

One of the many problems with the DMCA is that the line between civil and criminal prosecution is blurring. With Dmitry Skylarov, he was effectively arrested and prosecuted by Adobe; the FBI and the Justice Dept were willing participants, but I don't think there's much doubt that Adobe was calling the shots.

HP backing down from the DMCA threat is not enough to directly prevent a lawsuit. However, if HP will not cooperate in the prosecution (providing witnesses etc) due to public outcry, it is no longer worthwhile for the Justice Dept to prosecute, because they basically have no case. So again, it is not a question of actual policy but the effects of policy.

Hope this clears things up...

Re:Perhaps I'm completely missing the point here..

[kcbrown]

Adobe brought a `DMCA violation' to the attention of the FBI to prompt the Skylarov / Elcomsoft affair. When they backed down, the FBI did not follow suit. Is it not the case that all a person or company can do is bring a `violation' to the attention of the FBI, and let them take it from there?

The FBI didn't follow suit ... at least based on what Adobe publicly said. But how much would you wager that Adobe told the FBI in private to stick it to Sklyarov? That's where my money is...

Remember: we have the best government money can buy. And Adobe has a lot of money...

Re:Those of you who emailed HP to complain

[Jehosephat2k]

Here's the problem.
HP cried DMCA.
Where the hell are the Feds? Once you cry DMCA you can't take it back. The probable cause is there.
Where's the FBI busting these guys? Because HP changed their mind? What about Adobe?
Where is the consistency?
We need a trial, NOW.

Thanks Bruce Perens and the other guys at HP

[pointwood]

Quote: "At the high point there was an e-mail to (HP CEO Carly Fiorina) every 90 seconds."

It looks like there are quite a lot of HP workers that knows what a bad thing the DMCA is. Thanks for reacting!