HP's DMCA nastygram:
http://www.politechbot.com/docs/hp.dmca.threat.073002.html

---

http://news.com.com/2100-1023-947325.html?tag=politech

Security warning draws DMCA threat
By Declan McCullagh
July 30, 2002, 4:48 PM PT

WASHINGTON--Hewlett Packard has found a new club to use to pound researchers who unearth flaws in the company's software: the Digital Millennium Copyright Act.

Invoking both the controversial 1998 DMCA and computer crime laws, HP has threatened to sue a team of researchers who publicized a vulnerability in the company's Tru64 Unix operating system.

In a letter sent on Monday, an HP vice president warned SnoSoft, a loosely organized research collective, that it "could be fined up to $500,000 and imprisoned for up to five years" for its role in publishing information on a bug that lets an intruder take over a Tru64 Unix system.

HP's dramatic warning appears to be the first time the DMCA has been invoked to stifle research related to computer security. Until now, it's been used by copyright holders to pursue people who distribute computer programs that unlock copyrighted content such as DVDs or encrypted e-books.

[...]

---

From: "Richard M. Smith" <rmsat_private>
To: <declanat_private>, "'Richard M. Smith'" <rmsat_private>
Subject: It takes two to tango
Date: Tue, 30 Jul 2002 20:59:59 -0400

Hi Declan,

I just read your interesting story at News.com (http://news.com.com/2100-1023-947325.html?tag=fd_top) about the controversy between HP and Snosoft. It seems that HP is upset that details of a dangerous security hole in the HP Tru64 operating system were published by "Phased", a security researcher with Snosoft.

I really feel that HP went way over the line by trying to place all the blame on Snosoft for HP's security hole by invoking the DMCA and the Computer Fraud and Abuse Act.

If this particular security hole is ever exploited by the "bad guys", we'll probably have both HP and Phased to thank. It really does take two to tango. The Phased exploit code would never have been published if HP programmers didn't mess up in the first place.

So this quote from Kent Ferson of HP in your article was probably a big mistake:

"Ferson also said that HP reserves the right to sue SnoSoft and its members 'for monies and damages caused by the posting and any use of the buffer overflow exploit.'"

Pretty clearly if there were ever to be any lawsuits over this particular bug, HP has much deeper pockets which are much easier to get to.

BTW, I'm neither a fan of the DMCA nor of people publishing exploit code for security holes:

Digital Copyright Act Harms Research
http://www.privacyfoundation.org/commentary/tipsheet.asp?id=47&action=0

Can we afford full disclosure of security holes?
http://www.computerbytesman.com/security/fd.htm

Thanks,
Richard M. Smith
http://www.ComputerBytesMan.com

-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------
Like Politech? Make a donation here: http://www.politechbot.com/donate/
-------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Tue Jul 30 2002 - 19:37:49 PDT