HP Backs Off DMCA Threat
Bruce Perens wrote with this interesting reversal: "News.com reports HP has backed off of its DMCA threat." Which makes SNOsoft's official response thankfully beside the point now. Update: 08/02 05:37 GMT by T : Declan McCullagh points out this CNET story, which includes words from HP, Snosoft, and Bruce Perens. Writes Declan: "HP blames the snafu on... their lawyers!"
Bruce,
Anything else you can tell us about this fortunate reversal? Were you involved in knocking some reason into those responsible? How did the people in power originally decide that it would be strategic to wield the DMCA as a weapon against disclosure?
... the good guys win. I'm pretty sure it was my strongly-worded email to the CEO that turned the tide. :) Seriously, I think the outcry in the tech community made them beat this retreat. Whenever you're feeling overwhelmed by the latest corporate atrocity, remember: numbers can still make a difference. Write, call, or scream, but don't let your outrage dribble away.
The Mongrel Dogs Who Teach
"The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
Well, it's quite simple. Someone says something trollish about it, and then some of the insightful people argue with him. Then we have some insightful posts, and others argue with them. Mark my words, we'll soon have another set of insightful anti-DMCA diatribes, some disappointment that we didn't get to try the DMCA against such a stupid case, and a bunch of people claiming that HP, as a corporation, has done this in their own self-interest. :)
let's see here:
Vivendi sues bnet.d, originally was under DMCA, but filed under traditional copyright;
HP threatens under DMCA, but backs down.
i think companies *know* that if the DMCA gets taken to court, it will die and we will all live free, so they don't want to risk it. which, incidentally, means that we should try to as much as possible (within reason)
My life in the land of the rising sun.
While I have no desire to see SnoSoft get... uh, "Snowed", this would have been a landmark DMCA case. It would have been nice to see SnoSoft win, and set a precedent to other companies who'd like to wield this myopic piece of litterbox-lining legislation as a flaw shield.
Perhaps they think they can cover the blemishes of their software with the blood of the people who point them out.
"People will pay big bucks for the luxury of ignorance."
I think I would have rather it had been tested in court.
...great. I get to rely on their self-restraint in not abusing the law, rather than striking down an eminently abusable law.
"We can say emphatically that HP will not use the DMCA to stifle research or impede the flow of information that would benefit our customers and improve their system security."
As long as the only test cases are against individuals and groups the public perceives as "black hats" (e.g. 2600), this damnable law will never be changed.
-- Terry
BRUCE: I'm going to violate the DMCA on stage
:)
HP: Please don't. It would sort of reflect badly on us, and could cause trouble.
BRUCE: Well... OK.
HP: We're going to sue the pants off of anyone who reveals Tru64 vulnerabilities using the DMCA!
BRUCE: Please don't. This reflects badly on us, and could cause all sorts of trouble.
HP: Well... OK.
Good to know everyone's getting along.
Libertarianism is rich wolves and poor sheep playing gambler's ruin for dinner.
Misunderstanding or not, HP has done something I (and many others) will not soon forget. Even if it was one rogue element of management mouthing off, damage has been done. "Backed down" or not, they were in the process of screwing more people with the DMCA for pointing out a problem with their software.
Remind me, again, why I should continue doing business with an entity like this? Give me back the old HP.
... but as the DMCA is a statute, isn't it up to the FBI or some such to actually `use' it?
Adobe brought a `DMCA violation' to the attention of the FBI to prompt the Sklyarov / Elcomsoft affair. When they backed down, the FBI did not follow suit. Is it not the case that all a person or company can do is bring a `violation' to the attention of the FBI, and let them take it from there?
If this is the case, would not HP's original statement in regards to the researchers violating the DMCA be enough to set the ball in motion? If the FBI were to agree that the event in question is a DMCA violation, would their backing down be enough to prevent further action from being taken?
IANAL and I'm not even from the US, so maybe I've completely misunderstood how this works. But isn't there more to it than HP just deciding to stop waving the DMCA stick?
- SMJ - (It's not just a name: it's a bad aftertaste.)
So... someone fill me in here. Is it normal for organizations to ask companies for money before they'll share info about exploits? After reading the note from SNOsoft, it seems clear that they must have asked for money. How else do you explain them trying "to build a working relationship with HP" and HP (mis?)perceiving their actions as extortion.
Don't get me wrong, as far as I'm concerned, it sounds like HP needs to spend more money on developers and less on lawyers. I'm not trying to defend their actions at all. But, it seems to me that if SNOsoft was merely acting altruistically, they shouldn't need to "build a relationship" in order to "transfer the information privately."
-- dR.fuZZo
They knew they would have their posterior kicked black and blue which would eliminate the DMCA threat power.
Fight Spammers!
Exactly.
We have zero evidence that HP will stop trying to hide the failures in its products.
If Carly Fiorina knew about this, then she also thought it was okay to try to use aggressive tactics to hide severe failures in an HP product. In that case, Carly should be replaced by the HP board of directors.
If Carly Fiorina didn't know about this, a major act by a vice president, then she is clearly not in control of HP. In that case, Carly should be replaced by the HP board of directors.
Appreciate your note and concern. Let me just start by saying, "don't believe everything you read in the press :-)". I can assure you that my primary interest and concern is for the Tru64 customers and that the Tru64 engineering team is committed to finding and fixing any security problem in the product and getting these fixes/notifications out to customers ASAP. Trying to do everything possible for Tru64 customers is what motivates and brings me to work every day (and night :-). We also encourage our customers and 3rd parties that find security issues in the product to coordinate through the CERT process, which has been set up to support both product vendors and customers. Again, I appreciate your concern and feedback.
Kent
-----Original Message-----
From: XXXXXXX
[mailto:teaser@XXXX.com]
Sent: Tuesday, July 30, 2002 10:56 PM
To: Ferson, Kent
Subject: Rethink this approach.
Concerning this Zdnet article: http://news.com.com/2100-1023-947325.html
HP is going about this all wrong. You have managed to alert many more
people of the mentioned exploit (by making legal threats) than would
otherwise have ever noticed the Bugtraq post. That genie is way too far out
of the bottle to be put back now and the poster will just comply to any
cease and desist requests. Besides, there are plenty of buffer overflows in
Tru64 according to the Bugtraq poster Phased.
My suggestion to you and your colleagues would be that you quietly fix the
code, in a timely fashion, and avoid both the bad publicity and potential
liability.
Thank you.
We really need your help
http://www.gofundme.com/help-sherry
I think this is too early to tell. Since they already did say they could use DMCA, some damage is done. This obviously came through lawyers, so someone somewhere DID make that decision, regardless of who they blame. Now, even though they said they wouldn't, there is doubt in a researcher's mind if anything might happen. You can not just release a program without "following standard procedures" any more (that's what I got from CNet's article). Following such procedures is a good thing, but it should NOT be a requirement to free speech.
Let's wait for actions from HP, who knows what they'll do a year from now on some other bug. This also opens the door for MS or Oracle or whoever to do this, without being first, and citing HP, regardless of what HP said today. Can you really open your toaster now and see what's inside? This threat, even though withdrawn, has done what it was supposed to do.
It is what they call the slippery slope.
Good going HP - my next printer will be from you.
I bet you hit yourself in the head with a hammer, because it feels good when you stop.
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
Last night, when I read about HP swinging the DMCA club I sent their CEO "intelligent feedback". It was polite and used words like "extremely disappointed" and accused HP of shooting the messenger instead of fixing the problem. Additionally, I told her that I wish I had discovered the flaw and had to defend this action and faced a jury.
I imagined the cross examination as follows with HP on the hotseat:
1. Isn't it true that HP learned of this exploit nearly a year ago and has done nothing except try to "silence" someone sounding a critical warning?
2. Can you explain to us what type of control a person could have gained over an HP server using this security flaw?
3. Isn't it true that HP servers are used in key government installations, biomedical research labs, and Fortune 500 companies and this flaw could have been used to compromise national security and commit corporate espionage?
4. Why would HP delay acting on this information for so long when so much was at risk?
Oh, this would have been soooo much fun to watch on Court TV!
Anyway, I was just curious how many slashdotters fired off a "polite" feedback.
ok, follow me...
go to thomas.loc.gov
under the Legislation heading, click on Bill Text
select the 105th congress (1997-1998)
search for word/phrase 'digital millennium' (2 L's and 2 N's) or enter bill number "s. 2037"
Click on one of the relevant results.
The Bill Summary and Status link is informative. Check the "All Bill Summary and Status Info" link for some history (or some of the other links), then look for "Recorded Vote"
Bingo.
(phew, stepping through this was a little harder than I thought it would be... But, now that I understand it enough, I can tell everyone else how to do it. Bang on.)
fair.org counterpunch.com truthout.com indymedia.org salon.com
eff.org guerrilla.net debian.org gentoo.org
I am sorry, I do not see the point of this.
The DMCA still stands, it stifles research. Alan Cox is still afraid to step on US soil for fear of being arrested for doing a moral and ethical work.
How is this any sort of victory. HP wussied out. Snosoft wussied out. And maybe Bruce Perens wussied out too.
Where were the necessary changes to the law. Hackers need some sort of protection from this crap.
Imagine if GM said you could open the hood of a car? Would the American public stand for that?
If you found a fault in a Ford, would the American public want Ford to have 30 days to figure out if they want to deal with the problem?
Corps are getting to manhandle us because the public doesn't understand the issues and we're a powerless minority.
Does the auto insurance institute which does crash testing need to inform the car companies thirty days in advance prior to disclosing bugs?
We need a secure receipt mechanism when reporting bugs.
We need full disclosure.
We need full authorization to learn from each other, this means sharing how buffer exploit vulnerabilities are found and how they can be exploited.
Simply reporting vulnerabilities to companies is irresponsible in the public scheme of things. If coders don't know how these exploits occur it prevents them from writing secure code.
We need the ability to learn from each other.
DMCA needs SERIOUS changes.
Bruce has done a lot more for hacker freedoms than many of us here, but I'm sorry but it hasn't been enough (not necessarily his fault).
Maybe it's because that security flaw doesn't affect them unless they're running on Windows, which they're not.
My other first post is car post.
Should now email them to express thanks that they have reversed the decision. I had emailed them to state my displeasure and to vow never to buy another HP product again (which would be tough, as my Pavilion continues to surprise me in quality).
Now that they have reversed it, I sent a follow up thanking them and stating that I again looked forward to purchasing from them in the future. The rest of you should do the same- Express displeasure when they fuck up like this, but also express appreciation when they fix it as they have.
Do you feel that they apologized? Do you feel that they made amends for issuing threats? Do you feel that they have indicated that they are something other than a bully?
They got what they wanted. Then they said, "OK, everything's all right now."
Everything is not all right. A bully threatened someone smaller and got what he wanted out of it. If anything else happened, it sure isn't clear. But it will take a lot more than that before I ever trust them again.
I think we've pushed this "anyone can grow up to be president" thing too far.
According to the C|Net article, the manager who made the threat (Kent Ferson) came from the Compaq side of the HP/Compaq merger. So I guess you can blame that loser Fiorina for bringing clueless bozos to dilute the HP way...
IANAL either, but I am in the US and this is how I understand the situation:
It is correct that a company can not bring criminal charges against a person or another company. When an individual sues another individual, it must be for a violation of civil law. The DMCA is a federal criminal law, so it is up to the US Justice Dept to per^H^Hrosecute victims. The FBI is like a police department; they do not engage in prosecutions, but they have the power to make arrests, conduct investigations with court orders, etc.
One of the many problems with the DMCA is that the line between civil and criminal prosecution is blurring. With Dmitry Sklyarov, he was effectively arrested and prosecuted by Adobe; the FBI and the Justice Dept were willing participants, but I don't think there's much doubt that Adobe was calling the shots.
HP backing down from the DMCA threat is not enough to directly prevent a lawsuit. However, if HP will not cooperate in the prosecution (providing witnesses etc) due to public outcry, it is no longer worthwhile for the Justice Dept to prosecute, because they basically have no case. So again, it is not a question of actual policy but the effects of policy.
Hope this clears things up...
The FBI didn't follow suit ... at least based on what Adobe publicly said. But how much would you wager that Adobe told the FBI in private to stick it to Sklyarov? That's where my money is...
Remember: we have the best government money can buy. And Adobe has a lot of money...
Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
You mean like Judge Kaplan did in the 2600 DeCSS case?
Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
The power of the DMCA is not necessarily in court. The threat of a long drawn out legal battle is usually enough to get what the large corps want, sort of a reverse "O.J." strategy, if you will. The DMCA can be milked by RIAA and others for many years without actually having to be tested. That won't lessen either its application or damage to the IT sector.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Quote: "At the high point there was an e-mail to (HP CEO Carly Fiorina) every 90 seconds."
It looks like there are quite a lot of HP workers that know what a bad thing the DMCA is. Thanks for reacting!
The good thing about radical organizations is that they will sometimes spend money on radical causes which you don't agree with, because if no one were pushing the boundaries then your "moderate causes" would be the radical ones.
When information is power, privacy is freedom.
In another BBS I go to, when I posted about Palladium and the DMCA, all I got in reply were fiery defenses of corporate intellectual property. You can't disclose specifics of design flaws in proprietary works since it violates the copyrights and trade secrets of the IP owner. Microsoft can impose Palladium, since you don't have an inherent right to choose which software you run on your computer, since Windows is the property of M$ and the processor is the property of Intel. You don't have an inherent right to transfer your data out of a proprietary format, since the format is IP and if the vendor doesn't want you to have the ability to convert to other formats, then they have the right to say you can't because it's intellectual property. So on and so forth. Note that IP law doesn't give corporations the right to do any of those things. And in cases where IP does apply, those rights are overridden by anti-trust laws, monopoly laws, and restraint of trade laws. (I would argue that M$ using closed file formats in order to lock you in could be legitimately considered to be a restraint of trade.) But it seems that outside communities such as /. corporate IP takes precedence over anything, and to restrict companies like Microsoft is a violation of corporate constitutional rights by a tyrannical government!