HP Backs Off DMCA Threat
Bruce Perens wrote with this interesting reversal: "News.com reports HP has backed off of its DMCA threat." Which makes SNOsoft's official response thankfully beside the point now. Update: 08/02 05:37 GMT by T : Declan McCullagh points out this CNET story, which includes words from HP, Snosoft, and Bruce Perens. Writes Declan: "HP blames the snafu on... their lawyers!"
... the good guys win. I'm pretty sure it was my strongly-worded email to the CEO that turned the tide. :) Seriously, I think the outcry in the tech community made them beat this retreat. Whenever you're feeling overwhelmed by the latest corporate atrocity, remember: numbers can still make a difference. Write, call, or scream, but don't let your outrage dribble away.
The Mongrel Dogs Who Teach
"The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
Well, it's quite simple. Someone says something trollish about it, and then some of the insightful people argue with him. Then we have some insightful posts, and others argue with them. Mark my words, we'll soon have another set of insightful anti-DMCA diatribes, some disappointment that we didn't get to try the DMCA against such a stupid case, and a bunch of people claiming that HP, as a corporation, has done this in their own self-interest. :)
let's see here:
Vivendi sues bnet.d, originally was under DMCA, but filed under traditional copyright;
HP threatens under DMCA, but backs down.
i think companies *know* that if the DMCA gets taken to court, it will die and we will all live free, so they don't want to risk it. which, incidentally, means that we should try to as much as possible (within reason)
My life in the land of the rising sun.
While I have no desire to see SnoSoft get... uh, "Snowed", this would have been a landmark DMCA case. It would have been nice to see SnoSoft win, and set a precedent to other companies who'd like to wield this myopic piece of litterbox-lining legislation as a flaw shield.
Perhaps they think they can cover the blemishes of their software with the blood of the people who point them out.
"People will pay big bucks for the luxury of ignorance."
I think I would have rather it had been tested in court.
...great. I get to rely on their self-restraint in not abusing the law, rather than striking down an eminently abusable law.
"We can say emphatically that HP will not use the DMCA to stifle research or impede the flow of information that would benefit our customers and improve their system security."
As long as the only test cases are against individuals and groups the public perceives as "black hats" (e.g. 2600), this damnable law will never be changed.
-- Terry
BRUCE: I'm going to violate the DMCA on stage
:)
HP: Please don't. It would sort of reflect badly on us, and could cause trouble.
BRUCE: Well... OK.
HP: We're going to sue the pants off of anyone who reveals Tru64 vulnerabilities using the DMCA!
BRUCE: Please don't. This reflects badly on us, and could cause all sorts of trouble.
HP: Well... OK.
Good to know everyone's getting along.
Libertarianism is rich wolves and poor sheep playing gambler's ruin for dinner.
Misunderstanding or not, HP has done something I (and many others) will not soon forget. Even if it was one rogue element of management mouthing off, damage has been done. "Backed down" or not, they were in the process of screwing more people with the DMCA for pointing out a problem with their software.
Remind me, again, why I should continue doing business with an entity like this? Give me back the old HP.
... but as the DMCA is a statute, isn't it up to the FBI or some such to actually `use' it?
Adobe brought a `DMCA violation' to the attention of the FBI to prompt the Sklyarov / Elcomsoft affair. When they backed down, the FBI did not follow suit. Is it not the case that all a person or company can do is bring a `violation' to the attention of the FBI, and let them take it from there?
If this is the case, would not HP's original statement in regards to the researchers violating the DMCA be enough to set the ball in motion? If the FBI were to agree that the event in question is a DMCA violation, would their backing down be enough to prevent further action from being taken?
IANAL and I'm not even from the US, so maybe I've completely misunderstood how this works. But isn't there more to it than HP just deciding to stop waving the DMCA stick?
- SMJ - (It's not just a name: it's a bad aftertaste.)
So... someone fill me in here. Is it normal for organizations to ask companies for money before they'll share info about exploits? After reading the note from SNOsoft, it seems clear that they must have asked for money. How else do you explain them trying "to build a working relationship with HP" and HP (mis?)perceiving their actions as extortion?
Don't get me wrong, as far as I'm concerned, it sounds like HP needs to spend more money on developers and less on lawyers. I'm not trying to defend their actions at all. But, it seems to me that if SNOsoft was merely acting altruistically, they shouldn't need to "build a relationship" in order to "transfer the information privately."
-- dR.fuZZo
They knew they would have their posterior kicked black and blue which would eliminate the DMCA threat power.
Fight Spammers!
Appreciate your note and concern. Let me just start by saying, "don't
... believe everything you read in the press :-)". I can assure you that my
primary interest and concern is for the Tru64 customers and that the
Tru64 engineering team is committed to finding and fixing any security
problem in the product and getting these fixes/notifications out to
customers ASAP. Trying to do everything possible for Tru64
customers is what motivates and brings me to work every day
(and night :-). We also encourage our customers and 3rd parties
that find security issues in the product to coordinate through the
CERT process, which has been set up to support both product
vendors and customers. Again, I appreciate your concern and
feedback.
Kent
-----Original Message-----
From: XXXXXXX
[mailto:teaser@XXXX.com]
Sent: Tuesday, July 30, 2002 10:56 PM
To: Ferson, Kent
Subject: Rethink this approach.
Concerning this Zdnet article: http://news.com.com/2100-1023-947325.html
HP is going about this all wrong. You have managed to alert many more
people of the mentioned exploit (by making legal threats) than would
otherwise have ever noticed the Bugtraq post. That genie is way too far out
of the bottle to be put back now and the poster will just comply to any
cease and desist requests. Besides, there are plenty of buffer overflows in
Tru64 according to the Bugtraq poster Phased.
My suggestion to you and your colleagues would be that you quietly fix the
code, in a timely fashion, and avoid both the bad publicity and potential
liability.
Thank you.
I think this is too early to tell. Since they already did say they could use DMCA, some damage is done. This obviously came through lawyers, so someone somewhere DID make that decision, regardless of who they blame. Now, even though they said they wouldn't, there is doubt in a researcher's mind if anything might happen. You can not just release a program without "following standard procedures" any more (that's what I got from CNet's article). Following such procedures is a good thing, but it should NOT be a requirement to free speech.
Let's wait for actions from HP, who knows what they'll do a year from now on some other bug. This also opens the door for MS or Oracle or whoever to do this, without being first, and citing HP, regardless of what HP said today. Can you really open your toaster now and see what's inside? This threat, even though withdrawn, has done what it was supposed to do.
It is what they call the slippery slope.
Maybe it's because that security flaw doesn't affect them unless they're running on Windows, which they're not.
My other first post is car post.
Should now email them to express thanks that they have reversed the decision. I had emailed them to state my displeasure and to vow never to buy another HP product again (which would be tough, as my Pavilion continues to surprise me in quality).
Now that they have reversed it, I sent a follow up thanking them and stating that I again looked forward to purchasing from them in the future. The rest of you should do the same: express displeasure when they fuck up like this, but also express appreciation when they fix it as they have.
Do you feel that they apologized? Do you feel that they made amends for issuing threats? Do you feel that they have indicated that they are something other than a bully?
They got what they wanted. Then they said, "OK, everything's all right now."
Everything is not all right. A bully threatened someone smaller and got what he wanted out of it. If anything else happened, it sure isn't clear. But it will take a lot more than that before I ever trust them again.
I think we've pushed this "anyone can grow up to be president" thing too far.
I agree that this is hardly the last shot in the battle. Hardly. If anything, we kept a bad situation from getting a drop worse. But I don't know if "wussied out" is really a fair description. I modified my own DMCA paper to protect HP's Linux program. When Kent Ferson sent his letter a whole 4 days later, I lit fires all over HP and (along with a cast of good people within HP) convinced everyone, including Kent, that using DMCA this way was a bad idea.
But I didn't get the law repealed this week. I'll keep working on that. It would be really nice if you would put in a lot of work on this, too. This is the sort of issue where every one of us has to help or we'll lose.
Thanks
Bruce
Bruce Perens.
OK, OK, I shouldn't make fun of someone just because they pressed "Submit" too fast. But the slip opens up an interesting thought in my mind: It is a fact of history that in World War II, American infantry units were the only ones to get progressively more mechanized as a campaign went on. For most armies, continuing action meant trucks and tanks broke down (bad maintenance, lack of supplies, etc.). But for the US, the infantry units would gain mechanized capacity. It was not unheard of that a unit not have to march anywhere, having scrounged enough vehicles to ride. This made the infantry many times more effective and enhanced the efficiency of armor, too (since the infantry could keep up with the tanks).
It doesn't seem that, with the wear-and-tear of battle, you should get more capacity. What was the secret? Well, just about every man in a US unit had some experience with motor vehicles. Most owned their own; many if not all repaired their own. So on the battlefield, they were able to scrabble spare parts together and keep the trucks rolling. In fact, they were often able to scavenge from damaged enemy machines! When a truck or car broke down, most armies had to call in a specialist repair team. But the US infantry could fix it themselves and keep moving. (Source: Dirty Little Secrets of World War II, Dunnigan and Nofi)
What's the point? Well, consider that everyone thinks sooner or later we're going to get into a "cyberwar" -- assaults upon information infrastructure. Maybe our only chance of winning such a conflict is to have legions of people familiar with computers and security, with securing a system or attacking it, with picking apart a program and then putting it back together better. In other words, maybe we need a culture of "hackers" (in both senses) as an insurance policy.
In which case, the DMCA is not just intrusive and unbalanced. It's actually a threat to national security. How do you like them apples?
The Mongrel Dogs Who Teach