RE: It takes two to tango

From: Mark L. Jackson (codewizardat_private)
Date: Wed Jul 31 2002 - 01:49:41 PDT

    //  I just read the article at News.com
    //  (http://news.com.com/2100-1023-947325.html?tag=fd_top) about the
    //  controversy between HP and Snosoft.  It seems that HP is upset that
    //  details of a dangerous security hole in the HP Tru64
    
    ... and why not? This has put all their customers at risk. They did not
    just disclose the bug; they are showing you how to exploit it.
    
    //  operating system
    //  were published by "Phased", a security researcher with
    
    'security researcher', that is funny.
    
    //  Snosoft, here on
    //  Bugtraq.  I really feel that HP went way over the line by trying to
    //  place all the blame on Snosoft for HP's security hole by
    //  invoking the
    //  DMCA and the Computer Fraud and Abuse Act.
    
    Just exactly where did you hear or see that? The article does not state
    that.
    
    They are protecting their customers. That is what a good company is
    supposed to do. Any company not doing this in my opinion is negligent.
    They are doing exactly what they should be doing: using the law to
    protect their company and its clients.
    
    //
    //  If this particular security hole is ever exploited by the
    //  "bad guys",
    //  we'll probably have both HP and Phased to thank.  It really
    
    No, you will have the luser that uses the exploit to thank.
    
    //  does take
    //  two to tango.  The Phased exploit code would never have
    //  been published
    //  if HP programmers didn't mess up in the first place.
    
    What a crock. Are you perfect? NO! Why in the world would you expect
    anyone else to be what you yourself are not? Expecting perfect code is
    just stupid.
    
    //
    //  So this quote from Kent Ferson of HP in the News.com article was
    //  probably a big mistake:
    //
    //     "Ferson also said that HP reserves
    //     the right to sue SnoSoft and its members "for monies
    //     and damages caused by the posting and any use of the
    //     buffer overflow exploit."
    //
    //  Pretty clearly if there were ever to be any lawsuits over this
    //  particular bug, HP has much deeper pockets which are much
    //  easier to get
    //  to.
    
    HP has acted to stop the problem. In other words, CYA. The fact is that
    the person exploiting the issue is the problem, not HP.
    
    Could someone sue HP? Yes. But as you pointed out, they have deeper
    pockets than most people. It works both ways. They can call out an army
    of lawyers for this. They can also show that they acted in good faith.
    Game over.
    
    As for this hampering 'research', hardly. Phased said it himself. He
    does not live in the U.S., and SnoSoft does not know where he lives
    (assuming they are telling the truth). Let's face it, being a criminal
    with little skill gets you more respect than skill without a record.
    
    IMO Symantec purchasing Security Focus is a much greater risk to
    openness than a few clowns releasing code. My guess is that the code was
    pulled to keep from queering the deal with Symantec, more than some
    hacker ethics. Just take a look at NTBugtraq. Ever since they were
    acquired by an MS-friendly company, Russ Cooper has been pushing limited
    disclosure. Even going so far as to propose that he would decide on an
    inner circle of 'trusted' people who would get information as he saw
    fit. As an aside I have noticed a substantial drop in traffic on the
    list within the last year. Could be lots of filtering, I don't know.
    Maybe they are now worried about lawsuits. Just seems fishy considering
    the push for limiting the discourse.
    
    Should we release code that exploits bugs? I don't think so. I do
    believe that we should let others know of the issue with software or
    hardware for that matter. Companies should be given a chance to fix the
    issue before letting the word out that there is a bug. Unfortunately in
    the mad dash for glory, that is sometimes not a consideration.
    