http://www.wired.com/news/technology/0,1282,54297,00.html

By Brian McWilliams
11:00 a.m. Aug. 2, 2002 PDT

When Patrick Mueller got a phone call Wednesday from a Hewlett-Packard engineer looking for a program to test the security of his Web server, alarm bells went off in his head.

"My first impression was that he was trying to trap us," said Mueller, a security analyst with Neohapsis, a network and security consulting group located in Chicago.

Under ordinary circumstances, the HP engineer's request for OpenSSL "exploit code" would not have raised eyebrows. But earlier this week, HP sent shock waves through the industry when it threatened a lawsuit against Secure Network Operations (SnoSoft), a small security firm based in Massachusetts.

In a novel legal argument, HP claimed SnoSoft violated the 1998 Digital Millennium Copyright Act when one of its researchers released an exploit in mid-July that could give remote attackers control of systems running HP's Tru64 Unix operating system. In a July 29 letter to SnoSoft, HP warned that the incident exposed SnoSoft to potential imprisonment and half a million dollars in fines.

HP's request for help from Neohapsis was probably prompted by Neohapsis having been credited Tuesday with discovering a serious security bug in OpenSSL, a popular open-source Internet application.

After warily conversing with the HP engineer, who identified himself as Peter Bobco, a webmaster with the company's Compaq headquarters in Houston, Mueller decided the request was legit and passed it on to his boss.

"Sure, we've got an exploit for the OpenSSL bug, but no way are we going to let it out, and definitely not to someone from HP," said Greg Shipley, Neohapsis' chief technology officer.

Bobco declined a telephone interview with Wired News Thursday. An HP spokesperson said the company was investigating the situation and had no immediate comment.
By threatening SnoSoft with legal action, HP has awkwardly stepped into the middle of the debate over what security professionals call "full disclosure." At issue is what constitutes the responsible handling of vulnerability information.

To SnoSoft co-founder Adriel T. Desautels, the bizarre timing of Bobco's request for Neohapsis' OpenSSL exploit code was like a slap in the face.

"I almost feel insulted by it. We offered to work with HP and help them harden their systems in a big way. Yet HP refused our help. And now they are out digging for exploit code?" Desautels said Thursday.

SnoSoft had been working privately with HP for several months on a handful of Tru64 bug reports when a SnoSoft researcher without authorization posted the exploit to the Bugtraq security mailing list, according to Desautels.

In response to public outcry, HP appears to be backing away from its legal threats. According to Desautels, SnoSoft held "positive" talks with HP on Thursday that suggested the big computer maker will not move ahead with legal action against SnoSoft.

An HP representative declined to comment on the SnoSoft discussions, but did provide a statement that said the letter to SnoSoft "was not consistent or indicative of HP's policy. We can say emphatically that HP will not use the DMCA to stifle research or impede the flow of information that would benefit our customers and improve their system security."

According to Shipley, HP's attempt to make exploit code illegal could seriously harm computer security.

"That's what exploit code is good for -- helping companies develop fixes," said Shipley, who noted that Neohapsis only releases such proof-of-concept programs to affected vendors and not to the public or to researchers who privately request them.

Accepting demonstration code from bug finders appears to be standard practice at HP. A page at the firm's site for reporting security vulnerabilities in HP software provides instructions for submitting exploits to the company.
In some instances, new exploits, also known as "zero-days," are also a means by which security researchers can privately prod vendors who deny vulnerabilities exist.

"When we told HP that we found (the bugs in Tru64 Unix), they didn't take us seriously. Then we created some proof-of-concept code, and their attitude changed," said Desautels.

He said SnoSoft's disclosure policy generally gives vendors eight days to respond to a vulnerability report before going public. In the case of HP, SnoSoft agreed to a 45-day grace period, he said.

System administrators and software developers also rely on such programs to test their applications for security flaws. A couple dozen U.S. government and military sites have already downloaded the leaked SnoSoft exploit, according to a log at the download site.

Mueller said the irony of Bobco's exploit request was not lost on the HP engineer.

"He was sympathetic and said HP's handling of the whole SnoSoft thing made HP look bad, but he pointed out that HP was a big company and not everyone feels the same way," Mueller said.