HP Backs Off DMCA Threat

Bruce Perens wrote with this interesting reversal: "News.com reports HP has backed off of its DMCA threat." Which makes SNOsoft's official response thankfully beside the point now. Update: 08/02 05:37 GMT by T : Declan McCullagh points out this CNET story, which includes words from HP, Snosoft, and Bruce Perens. Writes Declan: "HP blames the snafu on... their lawyers!"

Misunderstanding?

[Overand (590318)]

Actually, it looks like this whole thing was a misunderstanding, and involved screw-ups by people on both sides. And believe me, I'm the first one who'll go on about how awful the DMCA is, but I think this was just overreaction on one side and misbehavior on the other. But... well, we'll never know the real story.

Re:Misunderstanding?

[delta407 (518868)]

Misunderstanding or not, HP has done something I (and many others) will not soon forget. Even if it was one rogue element of management mouthing off, damage has been done. "Backed down" or not, they were in the process of screwing more people with the DMCA for pointing out a problem with their software.

Remind me, again, why I should continue doing business with an entity like this? Give me back the old HP.

We have zero evidence that HP will stop...

[Futurepower(R) (558542)]

Exactly.

We have zero evidence that HP will stop trying to hide the failures in its products.

If Carly Fiorina knew about this, then she also thought it was okay to try to use aggressive tactics to hide severe failures in an HP product. In that case, Carly should be replaced by the HP board of directors.

If Carly Fiorina didn't know about this, a major act by a vice president, then she is clearly not in control of HP. In that case, Carly should be replaced by the HP board of directors.

It was a Compaq bozo who made the threat...

[silentbozo (542534)]

According to the C|Net article [com.com], the manager who made the threat (Kent Ferson) came from the Compaq side of the HP/Compaq merger. So I guess you can blame that loser Fiorina for bringing clueless bozos to dilute the HP way...

Re:Misunderstanding?

[HiThere (15173)]

Do you feel that they appologized? Do you feel that they made amends for issuing threats? Do you feel that they have indicated that they are something other than a bully?

They got what they wanted. Then they said, "OK, everythings all right now."

Everything is not all right. A bully threatened someone smaller and got what he wanted out of it. If anything else happened, it sure isn't clear. But it will take a lot more than that before I ever trust them again.

Great news Bruce! A few questions about it...

[CoughDropAddict (40792)]

Bruce,

Anything else you can tell us about this fortunate reversal? Were you involved in knocking some reason into those responsible? How did the people in power originally decide that it would be strategic to weild the DMCA as a weapon against disclosure?

Sometimes, I guess,...

[gilroy (155262)]

... the good guys win. I'm pretty sure it was my strongly-worded email to the CEO that turned the tide. :) Seriously, I think the outcry in the tech community made them beat this retreat. Whenever you're feeling overwhelmed by the latest corporate attrocity, remember: numbers can still make a different. Write, call, or scream, but don't let your outrage dribble away.

Re:Sometimes, I guess,...

[antirename (556799)]

OK, HP backed down. So what? If this really was a DMCA violation, what's going to stop the feds from filing charges? Nothing as far as I can tell. Maybe they just didn't want Adobe's publicity problem... "no, really, your honor, the FBI arrested those people all on their own".

Responsible full disclosure

[Istealmymusic (573079)]

The following post was written by Steven M. Christey for Bugtraq. I completely agree with what Christey is saying, and highly recommend everyone interested in full disclosure read his letter here:

The Responsible Disclosure Process draft specifically allows for

researchers to release vulnerability information if the vendor is not
sufficiently responsive. Some people may disagree with the delay of
30 days between initial notification and release, but I don't think
there are good stats on how long it really takes vendors to fully
address vulnerability reports - open or closed source, freeware or
commercial. Let's take a recent example - how much coordination had
to happen for the zlib vulnerability? It seems reasonable to assume
that it took more than a day. And the controversial "grace period"
has the interesting distinction of being used by both Microsoft and
Theo de Raadt.

Researchers can help to shed light in this area by publishing
disclosure histories along with their advisories. (By the way, vendor
advisories rarely include such information.)

While the response to the proposal focused almost exclusively on how
it impacts researchers, it lays out a number of requirements for
vendors, primarily that they (a) make it easy for people to file
vulnerability reports, (b) be responsive to incoming vulnerability
reports, and (c) address the issues within a reasonable amount of
time.

IMHO, it makes a stronger impression when someone releases a security
advisory with an extensive disclosure history that says how much they
tried to resolve the issue with the vendor, before they released.

Those who are interested in the legal aspects of "responsible
disclosure" are encouraged to read the article by Mark Rasch at
http://online.securityfocus.com/columnists/66. The article basically
says that the adoption of community standards could protect
researchers who disclose issues responsibly, while it could also help
vendors who seek legal recourse against researchers who are not
responsible (for some definition of "responsible"). The former could
happen with a community standard. The latter may already be happening
without one.

Re:Responsible full disclosure

[HiThere (15173)]

I do not see that this in any way justifies threatening someone with the DMCA.

So far, I have not encountered anything which excuses that, though I am willing to keep looking.

That HP has said "Now that you've withdrawn your threat to release infor about us, we won't threaten to pull the DMCA on you" doesn't count as very much of an appology at all. In fact, it doesn't count as an appology.

I do not feel that HP has yet done anything to redeem themselves for this disgraceful action.

further indication that DMCA does not hold water

[lingqi (577227)]

let's see here:

Vivendi sues bnet.d, originally was under DMCA, but filed under traditional copyright;

HP threatens under DMCA, but backs down.

i think companies *know* that if the DMCA gets taken to court, it will die and we will all live free, so they don't want to risk it. which, incidentally, means that we should try to as much as possible (within reason)

Re:further indication that DMCA does not hold wate

[kyras (472503)]

i think companies *know* that if the DMCA gets taken to court, it will die and we will all live free, so they don't want to risk it. which, incidentally, means that we should try to as much as possible (within reason)

On the contrary, I think that if corporations were under the impression that this "tool" would soon disappear from their arsenal, they would have incentive to make use of it ASAP and "get while the getting is good". It's like when retailers make sure to stress that an offer is for a limited time only to try to get people to half-panic and hurry in to the store. More likely, corporations that try to make use of the DMCA are encountering some seriously bad backlash from the community that makes them think twice about using the DMCA. I would suspect that they would only resort to the DMCA when no other weapons are available. That's sort of a good thing, I guess, but it suggests that the DMCA will be the corporate legal equivalent of the H-bomb -- the "no more Mr. Nice Guy" gun that's used more as a scare tactic than an actual weapon.

Hm, kind of a shame, in a way...

[Rick Franchuk (1324)]

While I have no desire to see SnoSoft get... uh, "Snowed", this would have been a landmark DMCA case. It would have been nice to see SnoSoft win, and set a precident to other companies who'd like to wield this myopic peice of litterbox-lining legislation as a flaw shield.

Perhaps they think they can cover the blemishes of their software with the blood of the people who point them out.

Before the arguing starts

[by Anonymous Coward]

I would like to just interject two Very Important Thoughts into the discussion.

1. Despite being legally treated as such, corporations are not singular entities. Corporations contain quite a lot of people, and many of these people have different viewpoints. Some corporations even have seperate departments with conflicting goals and incomplete coordination and communication between them. For example, you may have an overzealous legal/ intellectual property affairs department that just kind of goes off and does its thing and tries to enforce the company's IP vigilante style, a very liberal software development department that does things like fund linux development, and an upper management that kind of just says "hands off" and lets the people in the sub-departments do what they like unless one of them goes overboard. Like, say, the legal department makes legal threats that would never in a billion years stand up in court (i.e. applying the DMCA where it clearly does not apply) against someone who is performing a service for the company. Or, say, the software development team is paying for one of the people on their linux staff to go speak at a conference, and he's saying upfront that he is going to break a law on stage. These are the kinds of situations that, in this hypothetical example, the upper management would take notice and override the things that the sub-departments wanted to do. Anyway, the point is, you have to understand that within a corporation are a great many conflicting interests, and you can't call a corporation evil just becuase certain of its departments are acting in evil ways-- especially if in the end, upper management pulls through and makes everyone play nice with the consumer people.
   
   
2. Some corporations really will sit up and reform themselves if there is sufficient public outcry against what they are doing. Most corps aren't at all responsive to "the public", but some of them realize it's not in their best interest to do something that makes your customer base hate you. As such, sometimes if enough people complain loudly about something a corp is doing, said corp will change it. The moral to be gleaned from this is to never stop bitching about the things the corporations are doing wrong. After all, if we don't point out the error of their ways to them, it's quite likely they'll never see the error, which would suck; but if we bitch at them, well, the absolute worst that could happen is that we'd get ignored. So it's worth the trouble.

I think I would have rather it had been tested

[tlambert (566799)]

I think I would have rather it had been tested in court.

"We can say emphatically that HP will not use the DMCA to stifle research or impede the flow of information that would benefit our customers and improve their system security." ...great. I get to rely on their self-restaint in not abusing the law, rather than striking down an eminently abusable law.

As long as the only test cases are against individuals and groups the public perceives as "black hats" (e.g. 2600), this damnable law will never be changed.

-- Terry

full disclosure is all about timing

[tux42 (213341)]

(i'm going to go a little bit further from the HP/Snosoft case, so don't be surprised if some of the statements below do not fit 100% in that case)

All these problems will vanish if people will choose to disclose vulnerabilities in a responsible way. Sure, HP's response has been harsh. But every security problem (especially when it's accompanied by an exploit) should be reported first to the vendor! There should be no exception from this rule. The person doing the reporting should give the vendor a reasonable period of time to fix it; say, a few weeks or so.

Only if the vendor does nothing in these weeks, only then the report/exploit/whatever should be made public.

If hacker H writes a comment on Slashdot, making public an exploit against some software made by vendor V, and does not notify V in advance (say, 2...4 weeks in advance), and then V sues H, then who's right?

H is right, because (s)he disclosed a vulnerability, and disclosing is good. V is right, because not being warned in advance, their customers are left to the mercy of script kiddies. H is wrong, because (s)he's obviously looking for cheap publicity (i published a zero-day exploit; mine is bigger), not for improving security. V is wrong, because they are filing a lawsuit against open disclosure, which is not a good thing.

See?

And the solution is so simple: DO NOT publish "zero-day exploits". Give the damn vendors an early warning. Only if they are lazy and do nothing within a reasonable time (2...4 weeks), only then you are entitled to go slashdot-happy.

I'm a big fan of open disclosure, freedom of speech, etc. But people who look for cheap publicity are not my favourites. If H is going to publish the exploit without early warning, i'll say V has all the rights in the world to sue the crap out of H, and put him(her) in jail for one thousand years, and i'll applaud that. However, if there was an early warning, within a reasonable time, like one month or so (unlike some popular security companies did recently), and the vendor did nothing and didn't provide a good reason for the delay (because such reasons could exist, if you think of it), then H is 100% entitled to publish whatever exploit he likes.

It's all about timing. It's all about being reasonable.

Reciprocal Civility

[namespan (225296)]

BRUCE: I'm going to violate the DMCA on stage
HP: Please don't. It would sortof reflect badly on us, and could cause trouble.
BRUCE: Well... OK.

HP: We're going to sue the pants off of anyone who reveals Tru64 vulnerabilities using the DMCA!
BRUCE: Please don't. This reflects badly on us, and could cause all sorts of trouble.
HP: Well... OK.

Good to know everyone's getting along. :)

It takes two to tango

[Wladinator (214768)]

It seems that HP is upset that details of a dangerous security hole in the HP Tru64 operating system were published by "Phased", a security researcher with Snosoft, here on Bugtraq. I really feel that HP went way over the line by trying to place all the blame on Snosoft for HP's security hole by invoking the DMCA and the Computer Fraud and Abuse Act.

If this particular security hole is ever exploited by the "bad guys", we'll probably have both HP and Phased to thank. It really does take two to tango. The Phased exploit code would never have been published if HP programmers didn't mess up in the first place.

So this quote from Kent Ferson of HP in the News.com article was probably a big mistake:

"Ferson also said that HP reserves the right to sue SnoSoft and its members "for monies and damages caused by the posting and any use of the buffer overflow exploit."

Pretty clearly if there were ever to be any lawsuits over this particular bug, HP has much deeper pockets which are much easier to get to.

What were they thinking before?

[iabervon (1971)]

They're presumably backing down because it would be a terrible PR move. "We're neglecting our customers and suing people to try to cover this fact up" just doesn't go over well.

The question is what they were thinking in the first place; it's not like you can actually a company and have nobody know. Possibly they just wanted a bit more time in preparing patches before SNOsoft released details. I think it's most likely that think that people won't remember who this incident involved, and will just think "Some big computer company tried suing someone who found a vulnerability in their product. I'd better avoid that big company. Now, was it MicroSoft or Sun?" Of course, as nothing is coming of it, there won't be much in the way of records on the subject. Or maybe HP's lawyers have been spending too much time in Germany and think they should threaten/sue people in HP's name without HP's permission.

Perhaps I'm completely missing the point here...

[tuxedo-steve (33545)]

... but as the DMCA is a statute, isn't it up to the FBI or some such to actually `use' it?

Adobe brought a `DMCA violation' to the attention of the FBI to prompt the Skylarov / Elcomsoft affair. When they backed down, the FBI did not follow suit. Is it not the case that all a person or company can do is bring a `violation' to the attention of the FBI, and let them take it from there?

If this is the case, would not HP's original statement in regards to the researchers violating the DMCA be enough to set the ball in motion? If the FBI were to agree that the event in question is a DMCA violation, would their backing down be enough to prevent further action from being taken?

IANAL and I'm not even from the US, so maybe I've completely misunderstood how this works. But isn't there more to it than HP just deciding to stop waving the DMCA stick?

Re:Perhaps I'm completely missing the point here..

[adam613 (449819)]

IANAL either, but I am in the US and this is how I understand the situation:

It is correct that a company can not bring criminal charges against a person or another company. When an individual sues another individual, it must be for a violation of civil law. The DMCA is a federal criminal law, so it is up to the US Justice Dept to per^H^Hrosecute victims. The FBI is like a police department; they do not engage in prosecutions, but they have the power to make arrests, conduct investigations with court orders, etc.

One of the many problems with the DMCA is that the line between civil and criminal prosecution is blurring. With Dmitry Skylarov, he was effectively arrested and prosecuted by Adobe; the FBI and the Justice Dept were willing participants, but I don't think there's much doubt that Adobe was calling the shots.

HP backing down from the DMCA threat is not enough to directly prevent a lawsuit. However, if HP will not cooperate in the prosecution (providing witnesses etc) due to public outcry, it is no longer worthwhile for the Justice Dept to prosecute, because they basically have no case. So again, it is not a question of actual policy but the effects of policy.

Hope this clears things up...

Re:Perhaps I'm completely missing the point here..

[kcbrown (7426)]

Adobe brought a `DMCA violation' to the attention of the FBI to prompt the Skylarov / Elcomsoft affair. When they backed down, the FBI did not follow suit. Is it not the case that all a person or company can do is bring a `violation' to the attention of the FBI, and let them take it from there?

The FBI didn't follow suit ... at least based on what Adobe publicly said. But how much would you wager that Adobe told the FBI in private to stick it to Sklyarov? That's where my money is...

Remember: we have the best government money can buy. And Adobe has a lot of money...

slight relief

[Lurking Grue (3963)]

I fired off an e-mail to my HP support rep yesterday morning, and am awaiting his response. (He's out of office until next week.) Basically I told him that as a customer, I resent this behavior toward those who would offer us information about the security of the products we're using.

My support rep does an awesome job for us, and is our "foot in the door" to HP. That's why I felt it necessary to get the message to him quickly. Now I'll have a good opportunity to follow-up with him regarding HP's response. They've typically done a good job for us, but we've been curious as to how the post-merger HP would behave. I hope this isn't an indication.

This is usually called saving face...

[antirename (556799)]

The only backed down becuase continuing on this path would have convinced all the conspiracy theorists that they have something to hide. Doing something stupid made them look bad, therefore they quit. Nothing to see here.

This is bad ...

[cykes (597392)]

This is bad. So far the DMCA hasn't been challenged. Adobe asked the government to drop charges now HP has backed off. The problem with this is that this law has not had it's day in court.

I'm sure any judge will realise how broad the DMCA is and as a result how damaging it can be to a persons rights as well as to a community of developers, not to mention privacy advocates.

Unfortuantely we have lost another great opportunity. HP like all the others want this law to remain. Only when the stakes are really high will they seek to enforce it ... or denounce it.

Re:This is bad ...

[kcbrown (7426)]

I'm sure any judge will realise how broad the DMCA is and as a result how damaging it can be to a persons rights as well as to a community of developers, not to mention privacy advocates.

You mean like Judge Kaplan did in the 2600 DeCSS case?

money for exploits?

[dR.fuZZo (187666)]

So... someone fill me in here. Is it normal for organizations to ask companies for money before they'll share info about exploits? After reading the note from SNOsoft, it seems clear that they must have asked for money. How else do you explain them trying "to build a working relationship with HP" and HP (mis?)perceiving their actions as extortion.

Don't get me wrong, as far as I'm concerned, it sounds like HP needs to spend more money on developers and less on lawyers. I'm not trying to defend their actions at all. But, it seems to me that if SNOsoft was merely acting altruistically, they shouldn't need to "build a relationship" in order to "transfer the information privately."

Re:money for exploits?

[Dr. Awktagon (233360)]

"working relationship" could also mean that 1) HP has a contact person assigned to snosoft, who will actually read and respond to snosoft's emails, and 2) snosoft will promise keep exploits and advisories quiet until HP says they are ready.

of course, you'd think this is how it would work anyway, without any formal agreements..

Re:money for exploits?

[Jester99 (23135)]

Just about any time that two companies collaborate, some sort of agreement must be signed between the two.

(#include<std/disclaimer.h>, IANAL, etc)

But anyway, assume that SNO simply emailed HP the bug and a patch and HP said "thanks, guys" and rolled it out in the next point release. Six months down the line, SNO *could* (if they were evil enough) sue HP for breech of copyright. Delete the part of the email that said they had permission, etc, and boom.

That's no good.

So, they almost always put stuff out in writing specifying exactly who's giving what to whom and what each party's allowed to do with it.

This is why, if you watch MTV's Jackass, they specifically say at the end of each show "If you send us tapes of yourselves being jackasses, we won't open them. They will be thrown away." It's not that they don't think you could be funny; rather the contrary. They're afraid that if they see your stuff, and then end up publishing something similar by coincidence, they could be sued by you. Because there was no contract.

Furthermore, a contract between two parties, to be legal, must allow both parties to benefit from it. (Which is what separates a contract from extortion.) That's why you don't just give somebody a car and hand them the deed. They always pay you a dollar - so that a contractual agreement was fulfilled between the two of you. If HP and SNO were going to write some sort of contract stating what info SNO was going to give HP, and what HP was allowed to do with it, a transfer of money or other consideration must be given to SNO. (Now, it doesn't have to be a large sum of money. But corporations usually don't work in pocket change. So, SNO probably did want a decent chunk of cash for their part of the bargain.)

So, to summarize, "working relationships" always involve paperwork. Usually to cover people's collective asses. And they usually have cash involved, so that a mutual exchange occurs when the contract is signed. As to why that made HP's lawyers go trigger-happy, well, that's anyone's guess.

Snosoft security...

[FyRE666 (263011)]

So snosoft are a security research company? Then how come they haven't bothered updating their web server to fix the security flaw mentioned over a month ago [apache.org]?

According to Netcraft [netcraft.com], they're still running Apache 2.0.35 [netcraft.com]...

Re:Snosoft security...

[Cryptnotic (154382)]

Maybe it's because that security flaw doesn't affect them unless they're running on Windows, which they're not.

Oops, we got caught

[DearSlashdot (592493)]

If there is anything that the Enron/Worldcom/corporate scandals of the week and ludicrous xxAA-backed legislation has taught us, it is that greedy people will try and get away with as much as possible until they get caught. HP didn't suddenly get a conscience, they just found the point of diminishing returns for this particular type of legal attack. The fundamental attitude of "how can we exploit the law to our own benefit" without any regard to it's intent or long-term consequences remains the same.

One can only hope that vigorous outcry from vigilant people can convince corporations that they don't always have to do what their lawyer says. Lawyers don't have consciences. At least, they don't have independent ones. A lawyer believes whatever he is paid to believe. And so they are incapable of looking at any situation from a non-opportunistic/exploitative point of view. Only when their paymasters say, wait a minute, this policy doesn't work, I'm not going to just send that cease-and-desist or SLAPP or call the FBI or whatever, do these corporations do something in the public interest.

I thought so!

[www.sorehands.com (142825)]

Just like the RIAA with Felton.

They knew they would have their posterior kicked black and blue which would eliminate the DMCA threat power.

DMCA strongest if not challenged

[SgtChaireBourne (457691)]

The power of the DMCA is not necessarily in court. The threat of a long drawn out legal battle is usually enough to get what the large corps want, sort of a reverse "O.J." strategy, if you will. The DMCA can be milked by RIAA and others for many years without actually having to be tested. That won't lessen either it's application or damage to the IT sector.

Anyone else email Ferson?

[teaserX (252970)]

Appreciate your note and concern. Let me just start by saying, "don't
believe everything you read in the press :-)". I can assure you that my
primary interest and concern is for the Tru64 customers and that the
Tru64 engineering team is committed to finding and fixing any security
problem in the product and getting these fixes/notifications out to
customers ASAP. Trying to do everything possible for Tru64
customers is what motivates and brings me to work every day
(and night :-). We also encourage our customers and 3rd parties
that find security issues in the product to coordinate through the
CERT process, which has been set up to support both product
vendors and customers. Again, I appreciate your concern and
feedback.

Kent ...

-----Original Message-----
From: XXXXXXX
[mailto:teaser@XXXX.com]
Sent: Tuesday, July 30, 2002 10:56 PM
To: Ferson, Kent
Subject: Rethink this approach.

Concerning this Zdnet article: http://news.com.com/2100-1023-947325.html

HP is going about this all wrong. You have managed to alert many more
people of the mentioned exploit (by making legal threats) than would
otherwise have ever noticed the Bugtraq post. That genie is way to far oput
of the bottle to to be put back now and the poster will just comply to any
cease and desist requests. Besides, there are plenty of buffer overflows in
True64 according to the Bugtraq poster Phased.
My suggestion to you and your colleagues would be that you quietly fix the
code, in a timely fashion, and avoid both the bad publicity and potential
liability.

Thank you.

Actions, not words

[v77 (221577)]

I think this is too early to tell. Since they already did say they could use DMCA, some damage is done. This obviously came through lawyers, so someone somewhere DID make that decision, regardless of who they blame. Now, even though they said they wouldn't, there is doubt in a researchers mind if anything might happen. You can not just release a program without "following standard procedures" any more (that's what I got from CNet's article). Following such procedures is a good thing, but it should NOT be a requirement to free speech.

Lets wait for actions from HP, who knows what they'll do a year from now on some other bug. This also opens the door for MS or Oracle or whoever to do this, without being first, and citing HP, regardless of what HP said today. Can you really open your toaster now and see what's inside? This threat, even though withdrawn, has done what it was supposed to do.

It is what they call the slippery slope.

How many people sent Mrs. Fiorina (CEO) Feedback?

[Proudrooster (580120)]

Last night, when I read about HP swinging the DMCA club I sent their CEO "intelligent feedback". It was polite and used words like "extremely disappointed" and accused HP of shooting the messenger instead of fixing the problem. Additionally, I told her that I wish I had discovered the flaw and had to defend this action and faced a jury.

I imagined the cross examination as follows with HP on the hotseat:

1. Isn't it true that HP learned of this exploit nearly a year ago and has done nothing except try to "silence" someone sounding a critical warning?

2. Can you explain to us what type control a person could have gained over an HP server using this security flaw?

3. Isn't it true that HP servers are used in key government installations, biomedical research labs, and fortune 500 companies and this flaw could have been used to compromise national security and commit corporate espionage?

4. Why would HP delay acting on this information for so long when so much was at risk?

Oh, this would have been soooo much fun to watch on Court TV!

Anyway, I was just curious how many slashdotters fired off a "polite" feedback.

Hollow Victory

[by Anonymous Coward]

I am sorry, I do not see the point of this.

The DMCA still stands, it stifles research. Alan Cox is still afraid to step on US soil for fear of being arrested for doing a moral and ethical work.

How is this any sort of victory. HP wussied out. Snosoft wussied out. And maybe Bruce Perens wussied out too.

Where were the necessary changes to the law. Hackers need some sort of protection from this crap.

Imagine if GM said you could open the hood of a car? Would the american public stand for that?
If you found a fault in a Ford, would the american public want Ford to have 30 days to figure out if they want to deal with the problem?
Corps are getting to manhandle us because the public doesnt understand the issues and we're a powerless minority.

Does the auto insurance institute which does crash testing need to inform the car companies thirty days in adnvance prior to disclosing bugs?

We need a secure receipt mechanism when reporting bugs.

We need full disclosure.

We need full authorization to learn from each other, this means sharing how buffer exploit vulnerabilities are found and how they can be exploited.

Simply reporting vulnerabilities to companies is irreponsible in the public scheme of things. If coders dont know how these exploits occur it prevents them from writing secure code.

We need the ability to learn from each other.

DMCA needs SERIOUS changes.

Bruce has done a lot more for hacker freedoms than many of us here, but I'm sorry but it hasnt been enough (not necessarily his fault).

Re:Hollow Victory

[Bruce Perens (3872)]

Dear AC,

I agree that this is hardly the last shot in the battle. Hardly. If anything, we kept a bad situation from getting a drop worse. But I don't know if "wussied out" is really a fair description. I modified my own DMCA paper to protect HP's Linux program. When Kent Ferson sent his letter a whole 4 days later, I lit fires all over HP and (along with a cast of good people within HP) convinced everyone, including Kent, that using DMCA this way was a bad idea.

But I didn't get the law repealed this week. I'll keep working on that. It would be really nice if you would put in a lot of work on this, too. This is the sort of issue where every one of us has to help or we'll lose.

Thanks

Bruce

Re:Don't send $100 to EFF!

[Jah-Wren Ryel (80510)]

The good thing about radical organizations is that they will sometimes spend money on radical causes which you don't agree with, because if no one were pushing the boundries then your "moderate causes" would be the radical ones.

Re:Hollow Victory

[gilroy (155262)]

Blockquoth the poster:

Imagine if GM said

you could open the hood of a car? Would the american public stand for that? (emphasis added)

Yep, it'd be terrible if people could examine the inside of their car's engine. We'd have all these underworked overinquisitive teenagers poking around, figuring out how things work, modifying and maybe even improving the engine... it'd be chaos!

OK, OK, I shouldn't make fun of someone just because they pressed "Submit" too fast. But the slip opens up an interesting thought in my mind: It is a fact of history that in World War II, American infantry units were the only ones to get progressively more mechanized as a campaign went on. For most armies, continuing action meant trucks and tanks broke down (bad maintenance, lack of supplies, etc.). But for the US, the infantry units would gain mechanized capacity. It was not unheard of that a unit not have to march anywhere, having scrounged enough vehicles to ride. This made the infantry many times more effective and enhanced the efficiency of armor, too (since the infantry could keep up with the tanks).

It doesn't seem that, with the wear-and-tear of battle, you should get more capacity. What was the secret? Well, just about every man in a US unit had some experience with motor vehicles. Most owned their own; many if not all repaired their own. So on the battlefield, they were able to scrabble spare parts together and keep the trucks rolling. In fact, they were often able to scavenge from damaged enemy machines! When a truck or car broke down, most armies had to call in a specialist repair team. But the US infantry could fix it themselves and keep moving. (Source: Dirty Little Secrets of World War II [barnesandnoble.com] , Dunnigan and Nofi)

What's the point? Well, consider that everyone thinks sooner or later we're going to get into a "cyberwar" -- assaults upon information infrastructure. Maybe our only chance of winning such a conflict is to have legions of people familiar with computers and security, with securing a system or attacking it, with picking apart a program and then putting it back together better. In other words, maybe we need a culture of "hackers" (in both sense) as an insurance policy.

In which case, the DMCA is not just intrusive and unbalanced. It's actually a threat to national security. How do you like them apples?

Those of you who emailed HP to complain

[BoneFlower (107640)]

Should now email them to express thanks that they have reversed the decision. I had emailed them to state my displeasure and to vow never to buy another HP product again(which would be tough, as my Pavillion continues to surprise me in quality).

Now that they have reversed it, I sent a follow up thanking them and stating that I again looked forward to purchasing from them in the future. The rest of you should do the same- Express displeasure when they fuck up like this, but also express appreciation when they fix it as they have.

Thanks Bruce Perens and the other guys at HP

[pointwood (14018)]

Quote: "At the high point there was an e-mail to (HP CEO Carly Fiorina) every 90 seconds."

It looks like there are quite a lot of HP workers that knows what a bad thing the DMCA is. Thanks for reacting!

Corporate IP Rights?

[Lord MJ (574227)]

In another BBS I go to, when I posted about Palladium and the DMCA, all I got in reply were firey defenses of corporate intellectual property. You can't disclose specifics of design flaws in proprietary works since it violates the copyrights and trade secrets of the IP owner. Microsoft can impose Palladium, since you don't have an inherent right to choose which software you run on your computer, since windows is the property of M$ and the processor is the property of Intel. You don't have an inherent right to transfer your data out of a proprietary format, since the format is IP and if the vendor doesn't want you to have the ability to convert to other formats, then they have the right to say you can't because it's intellectual property. So on and so forth. Note that IP law doesn't give corporations the right to do any of those things. And in cases where IP does apply, those rights are overridden by anti-trust laws, monopoly laws, and restraint of trade laws. (I would argue that M$ using closed file formats in order to lock you in could be legitamately considered to be a restraint of trade.) But it seems that outside communities such as /. corporate IP takes precedence over anything, and to restrict companies like Micorsoft is a violation of corporate constitutional rights by a tyrannical government!

Re:Is there really much to say about this?

[wayland (165119)]

Well, it's quite simple. Someone says something trollish about it, and then some of the insightful people argue with him. Then we have some insightful posts, and others argue with them. Mark my words, we'll soon have another set of insightful anti-DMCA diatribes, some disappointment that we didn't get to try the DMCA against such a stupid case, and a bunch of people claiming that HP, as a corporation, has done this in their own self-interest. :)

Re:Good

[antirename (556799)]

Except that they at least thought about it... and the DMCA is a LAW, not a company policy. Once HP cries wolf, what's to stop a creative procecutor from bringing charges?

Re:Good

[jazman_777 (44742)]

See? Not everyone horribly abuses the DMCA. I don't think it was a good idea, but it's nice to see that not everyone is using it like a club.

Good going HP - my next printer will be from you.

I bet you hit yourself in the head with a hammer, because it feels good when you stop.

Re:Hate to say it but the Military uses a bunch of

[jbolden (176878)]

I can't think of any large entity that takes security more seriously than the military (including the banks I've worked for). They may have flaws but they are without question the toughest target.

Re:Voting record

[certron (57841)]

ok, follow me...

go to thomas.loc.gov

under the Legislation heading, click on Bill Text

select the 105th congress (1997-1998)

search for word/phrase 'digital millennium' (2 L's and 2 N's) or enter bill number "s. 2037"

Click on one of the relevant results.

The Bill Summary and Status link is informative. Check the "All Bill Summary and Status Info" link for some history (or some of the other links), then look for "Recorded Vote"

Bingo.
(phew, stepping through this was a little harder than I thought it would be... But, now that I understand it enough, I can tell everyone else how to do it. Bang on.)

Re:The light at the end of the tunnel?

[danheskett (178529)]

You confuse the winning of a battle with the winning of a war. Battles can be won and wars still lost.
What's worse is that we, as in Anti-DMCA people, clearly lost this battle.

The DMCA will be the law of the land until such time that it is repealed by Congress or overturned in the courts.

In most DMCA cases, the damage is the threat: big/powerful threatens weak/non-powerful into submission using DMCA.

The weaker party must acede or fight it in court. HP's, MPAA, etc know that they have the resources will SNOSoft/ElmcoSoft/Felton etc probably have rather few in comparison. This means they can effectively threaten with impunity.

What we need is someone like HP following threw and taking the case to court. Then a precedent will be set. Right now there are very few precedent's set regarding the DMCA.

Cases like this one are very bad for anti-DMCA peopl: HP got what they wanted (removal of the exploit code, blah blah blah). HP also didnt have to go to court. We (anti-DMCA's) didnt get a court victory. We are appeased because "we won the battle".

Overall this is a step backwards; for now another corporation has decided that the DMCA essentially works, and we are stil no closer to having it overturned.