It takes two to tango

From: Richard M. Smith (rmsat_private)
Date: Tue Jul 30 2002 - 19:52:45 PDT

    Hi,
    
    I just read the article at News.com
    (http://news.com.com/2100-1023-947325.html?tag=fd_top) about the
    controversy between HP and Snosoft.  It seems that HP is upset that
    details of a dangerous security hole in the HP Tru64 operating system
    were published by "Phased", a security researcher with Snosoft, here on
    Bugtraq.  I really feel that HP went way over the line by trying to
    place all the blame on Snosoft for HP's security hole by invoking the
    DMCA and the Computer Fraud and Abuse Act. 
    
    If this particular security hole is ever exploited by the "bad guys",
    we'll probably have both HP and Phased to thank.  It really does take
    two to tango.  The Phased exploit code would never have been published
    if HP programmers didn't mess up in the first place.
    
    So this quote from Kent Ferson of HP in the News.com article was
    probably a big mistake:
    
       "Ferson also said that HP reserves 
       the right to sue SnoSoft and its members "for monies 
       and damages caused by the posting and any use of the 
       buffer overflow exploit." 
    
    Pretty clearly, if there were ever to be any lawsuits over this
    particular bug, HP has much deeper pockets, which are much easier to get
    to.
    
    BTW, I'm neither a fan of the DMCA nor of people publishing exploit code
    for security holes:
    
       Digital Copyright Act Harms Research
       http://www.privacyfoundation.org/commentary/tipsheet.asp?id=47&action=0
    
       Can we afford full disclosure of security holes?
       http://www.computerbytesman.com/security/fd.htm
    
    Thanks,
    Richard M. Smith
    http://www.ComputerBytesMan.com
    
    
     
    



    This archive was generated by hypermail 2b30 : Tue Jul 30 2002 - 22:14:54 PDT