Slashdot Mirror

← Back to Stories (view on slashdot.org)

HP Backs Off DMCA Threat

Posted by timothy on from the maybe-that-wasn't-such-a-hot-idea dept.

Bruce Perens wrote with this interesting reversal: "News.com reports HP has backed off of its DMCA threat." Which makes SNOsoft's official response thankfully beside the point now. Update: 08/02 05:37 GMT by T : Declan McCullagh points out this CNET story, which includes words from HP, Snosoft, and Bruce Perens. Writes Declan: "HP blames the snafu on... their lawyers!"

4 of 320 comments (clear)

  1. also The Register story by red_gnom · · Score: 0, Redundant
    There is also The Register story: HP invokes DMCA to quash Tru64 bug report.

    The link is over here

  2. full disclosure is all about timing by tux42 · · Score: 2, Redundant

    (i'm going to go a little bit further from the HP/Snosoft case, so don't be surprised if some of the statements below do not fit 100% in that case)

    All these problems will vanish if people will choose to disclose vulnerabilities in a responsible way. Sure, HP's response has been harsh. But every security problem (especially when it's accompanied by an exploit) should be reported first to the vendor! There should be no exception from this rule. The person doing the reporting should give the vendor a reasonable period of time to fix it; say, a few weeks or so.

    Only if the vendor does nothing in these weeks, only then the report/exploit/whatever should be made public.

    If hacker H writes a comment on Slashdot, making public an exploit against some software made by vendor V, and does not notify V in advance (say, 2...4 weeks in advance), and then V sues H, then who's right?

    H is right, because (s)he disclosed a vulnerability, and disclosing is good. V is right, because not being warned in advance, their customers are left to the mercy of script kiddies. H is wrong, because (s)he's obviously looking for cheap publicity (i published a zero-day exploit; mine is bigger), not for improving security. V is wrong, because they are filing a lawsuit against open disclosure, which is not a good thing.

    See?

    And the solution is so simple: DO NOT publish "zero-day exploits". Give the damn vendors an early warning. Only if they are lazy and do nothing within a reasonable time (2...4 weeks), only then you are entitled to go slashdot-happy.

    I'm a big fan of open disclosure, freedom of speech, etc. But people who look for cheap publicity are not my favourites. If H is going to publish the exploit without early warning, i'll say V has all the rights in the world to sue the crap out of H, and put him(her) in jail for one thousand years, and i'll applaud that. However, if there was an early warning, within a reasonable time, like one month or so (unlike some popular security companies did recently), and the vendor did nothing and didn't provide a good reason for the delay (because such reasons could exist, if you think of it), then H is 100% entitled to publish whatever exploit he likes.

    It's all about timing. It's all about being reasonable.

  3. Re:Hollow Victory by Sabriel · · Score: 1, Redundant

    Wow. Cool insight. Someone mod the parent up!

  4. Then it would be in our hands to destroy it. by jotaeleemeese · · Score: 2, Redundant

    Geek A creates a company that creates a program that "encrypts" (rot13, he) documents.

    Geek B, friend of Geek A, breaks the encryption scheme, violating all the articles of the DMCA.

    Geek A sues Geek B and they fight the case all the way to the Supreme Court.

    Once the monstruosity is declared un-constitutional everybody is happy.

    If it is not, Geek B is pardoned by Geek A and we go and hide in the mountains.

    --
    IANAL but write like a drunk one.