[ISN] [infowarrior] - Comment on DMCA, Security, and Vuln Reporting

From: InfoSec News (isnat_private)
Date: Thu Aug 01 2002 - 03:38:32 PDT

    ---------- Forwarded message ----------
    Date: Wed, 31 Jul 2002 09:37:50 -0400
    From: Richard Forno <rfornoat_private>
    To: infowarrior@g2-forward.org
    Subject: [infowarrior] - Comment on DMCA, Security, and Vuln Reporting
    Given the recent news about HP using DMCA to shutter a Bugtraq disclosure of
    a Tru64 vulnerability, I felt it appropriate to chime in. I hope you find my
    comments of value and worthy of relaying onto the list.

    The News.Com story with more details is at :

    ----------RFF Comments

    I find it sadly amusing that technology companies see "security
    debate" on the same level as "piracy" or "copyright controls." What it
    really serves as is a corporate secrecy tool and (as was said) cudgel
    against any and all potential enemies.

    HP, in its infinite corporate and legal wisdom - the same wisdom
    shared by Ken Lay, Jeff Skilling, Fritz "Hollywood" Hollings, and
    Bernie Ebbers - has opened a Pandora's Box here. Next you'll see folks
    saying that public disclosure of the generic password on the default
    Unix "guest" account will be prosecutable under DMCA, or that a given
    exploit uses a "buffer overflow" to cause its damage is likewise
    criminal to speak of. It's bad enough that black markers might become
    illegal, isn't it? But the madness continues.

    While I disagree with Adobe's use of DMCA last year against Dmitry, at
    least their claim was somehow - admittedly tangentially - related to
    copyright protection. HP's case is just absurd and has nothing to do
    with copyrights and everything to do with avoiding embarrassment and
    taking responsibility for their product's shortcomings.

    I believe system-level security is MUTUALLY-EXCLUSIVE from copyright
    protection -- or more accurately, the 'economic security' of the
    vendors. Taking reasonable steps - including public disclosure of
    exploits and their code - to protect a user's system from unauthorized
    compromise IN NO WAY impacts the copyright rights of HP, unless HP
    wrote the exploit code that's being publicly shared w/o
    permission....in which case it's truly their fault then. Regardless,
    either way you look at it, they're using DMCA to conceal their
    embarrassment and duck responsibility.

    The way we're going, thanks to HP's legal geniuses, we may as well
    call NIST, NSA, SANS, and IETF to rewrite a new 'industry standard'
    definition for 'computer security' that places the vendor's profit and
    public image above the confidentiality, integrity, and availability of
    end-user data and systems. For all intents and purposes, Congress has
    already done that with DMCA and Berman's proposed "Hollywood Hacking"
    Bill -- they just forgot to inform (or seek counsel from) those of us
    working in the real information security community.

    Bleeping idiots. Congress and Corporate America. When it comes to
    technology policy, neither has the first clue. No wonder we're in the
    state we're in.

    You are a subscribed member of the infowarrior list. Visit 
    www.infowarrior.org/lists for list information or to unsubscribe. This 
    message may be redistributed freely in its entirety. 