Security warning draws DMCA threat
July 31, 2002 10:13 AM

Security warning draws DMCA threat: Find a flaw in HP code? Prepare to go to prison or pay a $50K fine if you tell anyone. Invoking both the controversial 1998 DMCA and computer crime laws, HP has threatened to sue a team of researchers who publicized a vulnerability in the company's Tru64 Unix operating system. So now, it appears that some technology companies see "security debate" on the same level as "piracy" or "copyright controls."
posted by dejah420 (10 comments total)
 
Infowarrior's mailing list has this opinion to offer about the situation:

HP, in its infinite corporate and legal wisdom - the same wisdom shared by Ken Lay, Jeff Skilling, Fritz "Hollywood" Hollings, and Bernie Ebbers - has opened a Pandora's Box here. Next you'll see folks saying that public disclosure of the generic password on the default Unix "guest" account will be prosecutable under DMCA, or that mentioning that a given exploit uses a "buffer overflow" to cause its damage is likewise criminal. It's bad enough that black markers might become illegal, isn't it? But the madness continues.

While I disagree with Adobe's use of DMCA last year against Dmitry, at least their claim was somehow - admittedly tangentially - related to copyright protection. HP's case is just absurd and has nothing to do with copyrights and everything to do with avoiding embarrassment and taking responsibility for their product's shortcomings.

I believe system-level security is MUTUALLY-EXCLUSIVE from copyright protection -- or more accurately, the 'economic security' of the vendors. Taking reasonable steps - including public disclosure of exploits and their code - to protect a user's system from unauthorized compromise IN NO WAY impacts the copyright rights of HP, unless HP wrote the exploit code that's being publicly shared w/o permission... in which case it's truly their fault then. Regardless, either way you look at it, they're using DMCA to conceal their embarrassment and duck responsibility.

The way we're going, thanks to HP's legal geniuses, we may as well call NIST, NSA, SANS, and IETF to rewrite a new 'industry standard' definition for 'computer security' that places the vendor's profit and public image above the confidentiality, integrity, and availability of end-user data and systems. For all intents and purposes, Congress has already done that with DMCA and Berman's proposed "Hollywood Hacking" Bill -- they just forgot to inform (or seek counsel from) those of us working in the real information security community.

Bleeping idiots. Congress and Corporate America. When it comes to technology policy, neither has the first clue. No wonder we're in the state we're in.
posted by dejah420 at 10:20 AM on July 31, 2002


what we are seeing is the codification of the protection of the manufacturers of shoddy consumer goods from the wrath of the consumer. you will buy now! you will love forever! if you complain you must hate america! hey, when you are safely ensconced behind impenetrable customer deflection (er, i mean service) voicemail systems, permitted to claim any virtue for your product through inescapable advertising no matter how putrid a lie it may be, why in hell would you want to produce anything of quality anyway? it's inefficient! it's unamerican! worse than that, it's greedy! it often takes nothing less than a flaming lemon in the corporate dooryard to get the attention of an automaker, perhaps a huge flaming pile of Tru64 boxen is what is needed here? of course, this does nothing to address the larger problem - the total corruption of the american money machine, and the drooling acquiescence of industry cohorts in congress falling all over themselves to pass whatever laws they may desire...
posted by quonsar at 10:34 AM on July 31, 2002


The thing that kills me is that the team in question notified HP *A YEAR AGO* about this vulnerability. That's a full year for the black hat community to get wise, and start rooting Tru64 boxen left and right with no recourse available to Tru64 admins. At all. What in the unholy of unholies was HP thinking? Interesting to see Bruce Perens' reaction (he's a fairly high-up employee within HP, and a spokesman nearly on par with Torvalds/Raymond/Stallman within the open source community) over on Slashdot.

quonsar: indeed. You know this whole corporate situation proves how wrong Fight Club really was - "Fuck Martha Stewart! Martha's polishing the brass on the Titanic, it's all going down, man!" Hmph, brass on the Titanic indeed. The only thing Martha's going to be polishing pretty soon are prison cell doors.
posted by Ryvar at 11:00 AM on July 31, 2002


Bleeping idiots. Congress and Corporate America. When it comes to technology policy, neither has the first clue. No wonder we're in the state we're in.

Actually as one of those inside corporate America, I have to disagree. They know exactly what they are doing. They are using their money to get congress to help them continue their business model regardless of the technological change going on around them.

Each year that they can prevent a change in the way they have to do business is a year they can keep making money 'the old way'.

Real security, and more importantly accountability, will cost money and time that most companies are willing to commit to now. It's much cheaper to donate $250,000 into politics than to spend $20+ million on meaningful and effective security measures.
posted by Argyle at 11:03 AM on July 31, 2002


The downward spiral continues....
posted by eas98 at 11:27 AM on July 31, 2002


When will that community as a whole see the failure in "the old way" business plan? Consumers like myself (including those like my 60-year-old mother) are only becoming more technologically educated... not less.
posted by Decypher at 12:18 PM on July 31, 2002


Especially interesting since HP pressured Bruce Perens (who is on the HP payroll) from going ahead with his plan to flaunt the DMCA on stage at OSCon. The report at the time suggested HP was "worried that it would be 'a more juicy target'" for media companies who wanted to enforce the DMCA . . . appears they also wanted to save the option to enforce it for themselves! (previous MeFi thread on Perens here)
posted by donovan at 1:21 PM on July 31, 2002


I wonder how badly this is going to hurt future HP UNIX sales. Who in their right mind is going to spend money on a company that ignores security holes for an entire year and then decides that litigation is the best way to solve the problem? Shit, how many Tru64 owners are calling HP right now and bitching?

It's just way too easy to go the route of 'decadent Americans will make us all slaves to their shiny things.' Expect hungry competitors like, oh say, IBM to learn a lesson from this. Personally, I don't think they have a legal leg to stand on even with the DMCA.
posted by skallas at 1:30 PM on July 31, 2002


Even from a corporate point of view this is stupid. Once HP/whoever is aware of product problems, particularly with security, they are in a world of pain if a customer incurs loss as a result of them.
This sort of thing used to happen a lot with industrial injury until political pressure brought legislative change and the judiciary began inflicting significant financial penalties. Which is what needs to start happening with this sort of thing.

posted by prentiz at 2:35 AM on August 1, 2002


UPDATE: HP backs off and says they won't use the DMCA "to stifle research or impede the flow of information that would benefit our customers and improve their system security."
posted by donovan at 9:41 PM on August 1, 2002

