Follow Slashdot blog updates by subscribing to our blog RSS feed

 


Forgot your password?
Close
typodupeerror
HP Your Rights Online

HP Backs Off DMCA Threat 334

Posted by timothy from the maybe-that-wasn't-such-a-hot-idea dept.
Bruce Perens wrote with this interesting reversal: "News.com reports HP has backed off of its DMCA threat." Which makes SNOsoft's official response thankfully beside the point now. Update: 08/02 05:37 GMT by T : Declan McCullagh points out this CNET story, which includes words from HP, Snosoft, and Bruce Perens. Writes Declan: "HP blames the snafu on... their lawyers!"
This discussion has been archived. No new comments can be posted.

HP Backs Off DMCA Threat More

HP Backs Off DMCA Threat

Comments Filter:

  • Misunderstanding? (Score:2, Insightful)

    by Overand ( 590318 )
    Actually, it looks like this whole thing was a misunderstanding, and involved screw-ups by people on both sides. And believe me, I'm the first one who'll go on about how awful the DMCA is, but I think this was just overreaction on one side and misbehavior on the other. But... well, we'll never know the real story.

    • Re:Misunderstanding? (Score:5, Insightful)

      by delta407 ( 518868 ) <slashdot@@@lerfjhax...com> on Thursday August 01, 2002 @10:50PM (#3996541) Homepage
      Misunderstanding or not, HP has done something I (and many others) will not soon forget. Even if it was one rogue element of management mouthing off, damage has been done. "Backed down" or not, they were in the process of screwing more people with the DMCA for pointing out a problem with their software.

      Remind me, again, why I should continue doing business with an entity like this? Give me back the old HP.

      • Exactly.

        We have zero evidence that HP will stop trying to hide the failures in its products.

        If Carly Fiorina knew about this, then she also thought it was okay to try to use aggressive tactics to hide severe failures in an HP product. In that case, Carly should be replaced by the HP board of directors.

        If Carly Fiorina didn't know about this, a major act by a vice president, then she is clearly not in control of HP. In that case, Carly should be replaced by the HP board of directors.

      • Re:Misunderstanding? (Score:2, Insightful)

        by Anonymous Coward
        In a company of 150,000 people, some of them will screw up from time to time. Haven't you ever overreacted and said something you later regretted? The poor bastard just did it in a more public forum than is usual.

        The guy made a mistake, and was quickly slapped down by reactions both inside and outside HP. As Declan said, there were a huge number of emails from HP engineers letting Carly know why it was a really dumb way to react.

        It's not good, but it's not necessarily reflect HP as a whole, or any kind of systematic policy.

        In some ways, HP quickly admitting that it overstepped the line is a really good outcome for people who are afraid that the DMCA will be abused.
      • According to the C|Net article [com.com], the manager who made the threat (Kent Ferson) came from the Compaq side of the HP/Compaq merger. So I guess you can blame that loser Fiorina for bringing clueless bozos to dilute the HP way...

    • Re:Misunderstanding? (Score:4, Insightful)

      by HiThere ( 15173 ) <charleshixsn@ear ... inus threevowels> on Friday August 02, 2002 @01:08AM (#3997031)
      Do you feel that they appologized? Do you feel that they made amends for issuing threats? Do you feel that they have indicated that they are something other than a bully?

      They got what they wanted. Then they said, "OK, everythings all right now."

      Everything is not all right. A bully threatened someone smaller and got what he wanted out of it. If anything else happened, it sure isn't clear. But it will take a lot more than that before I ever trust them again.

  • Great news Bruce! A few questions about it... (Score:3, Interesting)

    by CoughDropAddict ( 40792 ) on Thursday August 01, 2002 @10:41PM (#3996491) Homepage
    Bruce,

    Anything else you can tell us about this fortunate reversal? Were you involved in knocking some reason into those responsible? How did the people in power originally decide that it would be strategic to weild the DMCA as a weapon against disclosure?

  • Sometimes, I guess,... (Score:4, Informative)

    by gilroy ( 155262 ) on Thursday August 01, 2002 @10:41PM (#3996493) Homepage Journal
    ... the good guys win. I'm pretty sure it was my strongly-worded email to the CEO that turned the tide. :) Seriously, I think the outcry in the tech community made them beat this retreat. Whenever you're feeling overwhelmed by the latest corporate attrocity, remember: numbers can still make a different. Write, call, or scream, but don't let your outrage dribble away.
    • OK, HP backed down. So what? If this really was a DMCA violation, what's going to stop the feds from filing charges? Nothing as far as I can tell. Maybe they just didn't want Adobe's publicity problem... "no, really, your honor, the FBI arrested those people all on their own".

  • Responsible full disclosure (Score:4, Informative)

    by Istealmymusic ( 573079 ) on Thursday August 01, 2002 @10:41PM (#3996494) Homepage Journal
    The following post was written by Steven M. Christey for Bugtraq. I completely agree with what Christey is saying, and highly recommend everyone interested in full disclosure read his letter here:
    The Responsible Disclosure Process draft specifically allows for

    researchers to release vulnerability information if the vendor is not
    sufficiently responsive. Some people may disagree with the delay of
    30 days between initial notification and release, but I don't think
    there are good stats on how long it really takes vendors to fully
    address vulnerability reports - open or closed source, freeware or
    commercial. Let's take a recent example - how much coordination had
    to happen for the zlib vulnerability? It seems reasonable to assume
    that it took more than a day. And the controversial "grace period"
    has the interesting distinction of being used by both Microsoft and
    Theo de Raadt.

    Researchers can help to shed light in this area by publishing
    disclosure histories along with their advisories. (By the way, vendor
    advisories rarely include such information.)

    While the response to the proposal focused almost exclusively on how
    it impacts researchers, it lays out a number of requirements for
    vendors, primarily that they (a) make it easy for people to file
    vulnerability reports, (b) be responsive to incoming vulnerability
    reports, and (c) address the issues within a reasonable amount of
    time.

    IMHO, it makes a stronger impression when someone releases a security
    advisory with an extensive disclosure history that says how much they
    tried to resolve the issue with the vendor, before they released.

    Those who are interested in the legal aspects of "responsible
    disclosure" are encouraged to read the article by Mark Rasch at
    http://online.securityfocus.com/columnists/66. The article basically
    says that the adoption of community standards could protect
    researchers who disclose issues responsibly, while it could also help
    vendors who seek legal recourse against researchers who are not
    responsible (for some definition of "responsible"). The former could
    happen with a community standard. The latter may already be happening
    without one.

    • FUD Alert (Score:2, Funny)

      by tux42 ( 213341 )

      We're all glad HP backed down, but what scares me is that the "Responsible Disclosure" FUD continues. On Bugtraq people write that CERT [altoids.com] and SecurtyFocus [securityfocus.com] are "established parties" and everyone who does not give them their so-called "0days [mp3hq.net]" is irresponsible (at least CERT is known to sell 0days [audiogalaxy.com]). I personally won't give them my 0days early.

      The "Responsible Disclosure" draft continues to get advertised, though it was not approved by the IETF [icann.org] .

      Why do people think about giving away the right of free speech just because of some FUD [abuse.net]?

      Even in the unlikely case if this bad RFC passes, does it mean that that people are safer when they disclose problems - I definitely don't think so personally.

      So the facts are: some companies can't write secure code, and it is more expensive to write code securely.

      Just check "Help -> About" on Windows before using the word "responsibility".

      The easiest solution is to shoot the messenger [jabber.org] and to outlaw saying the emperor has no clothes. But this won't fix the problem in the real world [cbs.com]. Such regulations [anti-dmca.org] will only alienate [scifi.com] a lot of people and will make things worse.

    • I do not see that this in any way justifies threatening someone with the DMCA.

      So far, I have not encountered anything which excuses that, though I am willing to keep looking.

      That HP has said "Now that you've withdrawn your threat to release infor about us, we won't threaten to pull the DMCA on you" doesn't count as very much of an appology at all. In fact, it doesn't count as an appology.

      I do not feel that HP has yet done anything to redeem themselves for this disgraceful action.

    • The point that everyone seems to be missing is this:

      I don't care how many "good guys" know about a vulnerability. I do care if the "bad guys" know about it!

      By sitting on the information for any time longer than the length of time that it takes to post an alert message, I believe that "security researchers" are unnecesarily putting our systems in danger.

      It seems that the good guys are the last to know in these situations, and the good guys here are the guys who are actually managing the affected systems and trying to get some real work done. If I have a vulnerable system and I don't know it, my data is in danger. Tell me about the problem NOW! Then I can assess the risk to my systems based on accurate information and take action to mitigate the problem if I see fit. If a patch is not yet available to fix the problem, I can change my setup or even yank it offline. But not telling me that I'm vulnerable for X period of time takes all of my options away from me and it's "be quiet and we'll tell you what you need to know when we think you should know it." Sorry, that's not good enough.

  • further indication that DMCA does not hold water (Score:4, Interesting)

    by lingqi ( 577227 ) on Thursday August 01, 2002 @10:44PM (#3996504) Journal
    let's see here:

    Vivendi sues bnet.d, originally was under DMCA, but filed under traditional copyright;

    HP threatens under DMCA, but backs down.

    i think companies *know* that if the DMCA gets taken to court, it will die and we will all live free, so they don't want to risk it. which, incidentally, means that we should try to as much as possible (within reason)
    • i think companies *know* that if the DMCA gets taken to court, it will die and we will all live free, so they don't want to risk it. which, incidentally, means that we should try to as much as possible (within reason)

      On the contrary, I think that if corporations were under the impression that this "tool" would soon disappear from their arsenal, they would have incentive to make use of it ASAP and "get while the getting is good". It's like when retailers make sure to stress that an offer is for a limited time only to try to get people to half-panic and hurry in to the store. More likely, corporations that try to make use of the DMCA are encountering some seriously bad backlash from the community that makes them think twice about using the DMCA. I would suspect that they would only resort to the DMCA when no other weapons are available. That's sort of a good thing, I guess, but it suggests that the DMCA will be the corporate legal equivalent of the H-bomb -- the "no more Mr. Nice Guy" gun that's used more as a scare tactic than an actual weapon.
    • Geek A creates a company that creates a program that "encrypts" (rot13, he) documents.

      Geek B, friend of Geek A, breaks the encryption scheme, violating all the articles of the DMCA.

      Geek A sues Geek B and they fight the case all the way to the Supreme Court.

      Once the monstruosity is declared un-constitutional everybody is happy.

      If it is not, Geek B is pardoned by Geek A and we go and hide in the mountains.
    • Maybe so, but it's like a nuclear weapon. You don't have to use it, and don't really want to because the fallout would contaminate you, but the very existence of it is a formidable and chilling threat.

  • Hm, kind of a shame, in a way... (Score:4, Informative)

    by Chemical Serenity ( 1324 ) on Thursday August 01, 2002 @10:45PM (#3996508) Homepage Journal
    While I have no desire to see SnoSoft get... uh, "Snowed", this would have been a landmark DMCA case. It would have been nice to see SnoSoft win, and set a precident to other companies who'd like to wield this myopic peice of litterbox-lining legislation as a flaw shield.

    Perhaps they think they can cover the blemishes of their software with the blood of the people who point them out.

  • Before the arguing starts (Score:5, Insightful)

    by Anonymous Coward on Thursday August 01, 2002 @10:45PM (#3996510)
    I would like to just interject two Very Important Thoughts into the discussion.
    1. Despite being legally treated as such, corporations are not singular entities. Corporations contain quite a lot of people, and many of these people have different viewpoints. Some corporations even have seperate departments with conflicting goals and incomplete coordination and communication between them. For example, you may have an overzealous legal/ intellectual property affairs department that just kind of goes off and does its thing and tries to enforce the company's IP vigilante style, a very liberal software development department that does things like fund linux development, and an upper management that kind of just says "hands off" and lets the people in the sub-departments do what they like unless one of them goes overboard. Like, say, the legal department makes legal threats that would never in a billion years stand up in court (i.e. applying the DMCA where it clearly does not apply) against someone who is performing a service for the company. Or, say, the software development team is paying for one of the people on their linux staff to go speak at a conference, and he's saying upfront that he is going to break a law on stage. These are the kinds of situations that, in this hypothetical example, the upper management would take notice and override the things that the sub-departments wanted to do. Anyway, the point is, you have to understand that within a corporation are a great many conflicting interests, and you can't call a corporation evil just becuase certain of its departments are acting in evil ways-- especially if in the end, upper management pulls through and makes everyone play nice with the consumer people.

    2. Some corporations really will sit up and reform themselves if there is sufficient public outcry against what they are doing. Most corps aren't at all responsive to "the public", but some of them realize it's not in their best interest to do something that makes your customer base hate you. As such, sometimes if enough people complain loudly about something a corp is doing, said corp will change it. The moral to be gleaned from this is to never stop bitching about the things the corporations are doing wrong. After all, if we don't point out the error of their ways to them, it's quite likely they'll never see the error, which would suck; but if we bitch at them, well, the absolute worst that could happen is that we'd get ignored. So it's worth the trouble.
    • 1) When HP, being an entity almost infinitely more powerful than me, takes action, it is slim comfort to me if parts of that entity disagree with the action. I don't give a crap whether there's a "conscience of the company" in there saying that what they're doing is wrong...they're still doing it. The HP corporation is responsible for the HP corporation's actions. Morally, legally, and ethically, IT IS a single entity. That's the way the corps wanted it. They don't get to change their tune when it's inconvenient to their PR campaign.

      (Fortunately, in this case, they got stung, and they backpedaled...but true in dozens of other cases even this week)

      2) The thing that scares me about the DMCA is that, in this narrow sense, it is ILLEGAL to bitch about faulty hardware. The problem is that under the law, HP DOES have a case against SNOsoft. Just because they're not pressing it doesn't mean that the law is fundamentally broken. Note that the UCITA's shrink-wrap enforcement codicils could be used similarly.

      There is no excuse for irresponsible behavior from corps, and there is no excuse for bad legislation. I want to see a corporate death penalty, and I want it to be a lot harder to get corp-friendly legislation bought. I mean passed.
      • I know you were trying to say something else, but take a look at this line and consider:

        >2) The thing that scares me about the DMCA is that, in this narrow sense, it is ILLEGAL to bitch about faulty hardware. The problem is that under the
        >law, HP DOES have a case against SNOsoft. Just because they're not pressing it doesn't mean that the law is fundamentally broken. Note that the
        >UCITA's shrink-wrap enforcement codicils could be used similarly.

        The "Free Market" that so many seem to worship is based on an informed consumer able to make choices, to vote with his/her money. We really stink in the tech sector. First we have Microsoft dedicated to becoming the only choice. Now we have the DMCA removing the "informed" from what choices we have left.

        Perhaps it's time to bill the UCITA and portions of the DMCA as being anti-free-market.
    • I don't see that HP has in any way even attempted to ameliorate the lack of trust that they have earned.

      HP has basically said, "Since you have knuckled under to our threats, we will pretend that we didn't say them." That's it. No appology. No promise to not do this in the future. Nothing.

      I see no reason to consider HP to be a trustworthy company. They have power, and they abuse it, and then, having gained their ends, they make no amends. Not only do they not satisfy the company that they abused with their amends, they don't even admit that they really did anything wrong. This means that you can expect them to do the same thing next time. They have warned you.

      HP has openly declared that you had better not let anyone know if you find any problems with their products. Therefore, you can't turst them.

      There may have been extenuating circumstances, but a) they haven't been made clear, and b) they definitely didn't say that if they hadn't been present, then they big stick wouldn't have come out.

      So you can't trust them.

    • 1. Despite being legally treated as such, corporations are not singular entities.

      If an axe murder has multiple personality disorder do you still let him roam free ???

  • I think I would have rather it had been tested (Score:5, Insightful)

    by tlambert ( 566799 ) on Thursday August 01, 2002 @10:45PM (#3996512)
    I think I would have rather it had been tested in court.

    "We can say emphatically that HP will not use the DMCA to stifle research or impede the flow of information that would benefit our customers and improve their system security." ...great. I get to rely on their self-restaint in not abusing the law, rather than striking down an eminently abusable law.

    As long as the only test cases are against individuals and groups the public perceives as "black hats" (e.g. 2600), this damnable law will never be changed.

    -- Terry
    • Even better, maybe we can get someone to sue someone else for breathing, and use the DMCA. That'll certainly get the DMCA deemed unconstitutional, because I obviously have a right to breathe!
      • Even better, maybe we can get someone to sue someone else for breathing, and use the DMCA

        You would first have to make the claim that breathing was an unauthorized method by which to circumvent an access control mechanism. But it's simple: Without breathing, you die rather quickly. Thus, breathing is a mechanism by which your access to being dead is controlled. Unauthorized breathing is an unauthorized breach of this access control, and is therefore covered by the DMCA.

        Now. I'll take a 50% cut of your profits.

  • (i'm going to go a little bit further from the HP/Snosoft case, so don't be surprised if some of the statements below do not fit 100% in that case)

    All these problems will vanish if people will choose to disclose vulnerabilities in a responsible way. Sure, HP's response has been harsh. But every security problem (especially when it's accompanied by an exploit) should be reported first to the vendor! There should be no exception from this rule. The person doing the reporting should give the vendor a reasonable period of time to fix it; say, a few weeks or so.

    Only if the vendor does nothing in these weeks, only then the report/exploit/whatever should be made public.

    If hacker H writes a comment on Slashdot, making public an exploit against some software made by vendor V, and does not notify V in advance (say, 2...4 weeks in advance), and then V sues H, then who's right?

    H is right, because (s)he disclosed a vulnerability, and disclosing is good. V is right, because not being warned in advance, their customers are left to the mercy of script kiddies. H is wrong, because (s)he's obviously looking for cheap publicity (i published a zero-day exploit; mine is bigger), not for improving security. V is wrong, because they are filing a lawsuit against open disclosure, which is not a good thing.

    See?

    And the solution is so simple: DO NOT publish "zero-day exploits". Give the damn vendors an early warning. Only if they are lazy and do nothing within a reasonable time (2...4 weeks), only then you are entitled to go slashdot-happy.

    I'm a big fan of open disclosure, freedom of speech, etc. But people who look for cheap publicity are not my favourites. If H is going to publish the exploit without early warning, i'll say V has all the rights in the world to sue the crap out of H, and put him(her) in jail for one thousand years, and i'll applaud that. However, if there was an early warning, within a reasonable time, like one month or so (unlike some popular security companies did recently), and the vendor did nothing and didn't provide a good reason for the delay (because such reasons could exist, if you think of it), then H is 100% entitled to publish whatever exploit he likes.

    It's all about timing. It's all about being reasonable.

  • Reciprocal Civility (Score:5, Funny)

    by namespan ( 225296 ) <(gro.liametile) (ta) (napseman)> on Thursday August 01, 2002 @10:47PM (#3996527) Journal
    BRUCE: I'm going to violate the DMCA on stage
    HP: Please don't. It would sortof reflect badly on us, and could cause trouble.
    BRUCE: Well... OK.

    HP: We're going to sue the pants off of anyone who reveals Tru64 vulnerabilities using the DMCA!
    BRUCE: Please don't. This reflects badly on us, and could cause all sorts of trouble.
    HP: Well... OK.

    Good to know everyone's getting along. :)
  • It seems that HP is upset that details of a dangerous security hole in the HP Tru64 operating system were published by "Phased", a security researcher with Snosoft, here on Bugtraq. I really feel that HP went way over the line by trying to place all the blame on Snosoft for HP's security hole by invoking the DMCA and the Computer Fraud and Abuse Act.

    If this particular security hole is ever exploited by the "bad guys", we'll probably have both HP and Phased to thank. It really does take two to tango. The Phased exploit code would never have been published if HP programmers didn't mess up in the first place.

    So this quote from Kent Ferson of HP in the News.com article was probably a big mistake:

    "Ferson also said that HP reserves the right to sue SnoSoft and its members "for monies and damages caused by the posting and any use of the buffer overflow exploit."

    Pretty clearly if there were ever to be any lawsuits over this particular bug, HP has much deeper pockets which are much easier to get to.

  • They're presumably backing down because it would be a terrible PR move. "We're neglecting our customers and suing people to try to cover this fact up" just doesn't go over well.

    The question is what they were thinking in the first place; it's not like you can actually a company and have nobody know. Possibly they just wanted a bit more time in preparing patches before SNOsoft released details. I think it's most likely that think that people won't remember who this incident involved, and will just think "Some big computer company tried suing someone who found a vulnerability in their product. I'd better avoid that big company. Now, was it MicroSoft or Sun?" Of course, as nothing is coming of it, there won't be much in the way of records on the subject. Or maybe HP's lawyers have been spending too much time in Germany and think they should threaten/sue people in HP's name without HP's permission.

  • Perhaps I'm completely missing the point here... (Score:5, Interesting)

    by tuxedo-steve ( 33545 ) on Thursday August 01, 2002 @10:58PM (#3996580)
    ... but as the DMCA is a statute, isn't it up to the FBI or some such to actually `use' it?

    Adobe brought a `DMCA violation' to the attention of the FBI to prompt the Skylarov / Elcomsoft affair. When they backed down, the FBI did not follow suit. Is it not the case that all a person or company can do is bring a `violation' to the attention of the FBI, and let them take it from there?

    If this is the case, would not HP's original statement in regards to the researchers violating the DMCA be enough to set the ball in motion? If the FBI were to agree that the event in question is a DMCA violation, would their backing down be enough to prevent further action from being taken?

    IANAL and I'm not even from the US, so maybe I've completely misunderstood how this works. But isn't there more to it than HP just deciding to stop waving the DMCA stick?
    • Right. And I won't buy anything from Adobe, either. And I won't recommend any Adobe products. And I will truthfully disparage Adobe products when reasonably appropriate.

      I don't like companies that invoke vile laws. And the DMCA is one of the viler ones.

    • IANAL either, but I am in the US and this is how I understand the situation:

      It is correct that a company can not bring criminal charges against a person or another company. When an individual sues another individual, it must be for a violation of civil law. The DMCA is a federal criminal law, so it is up to the US Justice Dept to per^H^Hrosecute victims. The FBI is like a police department; they do not engage in prosecutions, but they have the power to make arrests, conduct investigations with court orders, etc.

      One of the many problems with the DMCA is that the line between civil and criminal prosecution is blurring. With Dmitry Skylarov, he was effectively arrested and prosecuted by Adobe; the FBI and the Justice Dept were willing participants, but I don't think there's much doubt that Adobe was calling the shots.

      HP backing down from the DMCA threat is not enough to directly prevent a lawsuit. However, if HP will not cooperate in the prosecution (providing witnesses etc) due to public outcry, it is no longer worthwhile for the Justice Dept to prosecute, because they basically have no case. So again, it is not a question of actual policy but the effects of policy.

      Hope this clears things up...
    • Adobe brought a `DMCA violation' to the attention of the FBI to prompt the Skylarov / Elcomsoft affair. When they backed down, the FBI did not follow suit. Is it not the case that all a person or company can do is bring a `violation' to the attention of the FBI, and let them take it from there?

      The FBI didn't follow suit ... at least based on what Adobe publicly said. But how much would you wager that Adobe told the FBI in private to stick it to Sklyarov? That's where my money is...

      Remember: we have the best government money can buy. And Adobe has a lot of money...

  • slight relief (Score:2, Interesting)

    by Lurking Grue ( 3963 )
    I fired off an e-mail to my HP support rep yesterday morning, and am awaiting his response. (He's out of office until next week.) Basically I told him that as a customer, I resent this behavior toward those who would offer us information about the security of the products we're using.

    My support rep does an awesome job for us, and is our "foot in the door" to HP. That's why I felt it necessary to get the message to him quickly. Now I'll have a good opportunity to follow-up with him regarding HP's response. They've typically done a good job for us, but we've been curious as to how the post-merger HP would behave. I hope this isn't an indication.
  • The only backed down becuase continuing on this path would have convinced all the conspiracy theorists that they have something to hide. Doing something stupid made them look bad, therefore they quit. Nothing to see here.

  • This is bad ... (Score:2, Insightful)

    by cykes ( 597392 )
    This is bad. So far the DMCA hasn't been challenged. Adobe asked the government to drop charges now HP has backed off. The problem with this is that this law has not had it's day in court.

    I'm sure any judge will realise how broad the DMCA is and as a result how damaging it can be to a persons rights as well as to a community of developers, not to mention privacy advocates.

    Unfortuantely we have lost another great opportunity. HP like all the others want this law to remain. Only when the stakes are really high will they seek to enforce it ... or denounce it.

    • Re:This is bad ... (Score:3, Insightful)

      by kcbrown ( 7426 )
      I'm sure any judge will realise how broad the DMCA is and as a result how damaging it can be to a persons rights as well as to a community of developers, not to mention privacy advocates.

      You mean like Judge Kaplan did in the 2600 DeCSS case?

  • money for exploits? (Score:5, Interesting)

    by dR.fuZZo ( 187666 ) on Thursday August 01, 2002 @11:03PM (#3996610)
    So... someone fill me in here. Is it normal for organizations to ask companies for money before they'll share info about exploits? After reading the note from SNOsoft, it seems clear that they must have asked for money. How else do you explain them trying "to build a working relationship with HP" and HP (mis?)perceiving their actions as extortion.

    Don't get me wrong, as far as I'm concerned, it sounds like HP needs to spend more money on developers and less on lawyers. I'm not trying to defend their actions at all. But, it seems to me that if SNOsoft was merely acting altruistically, they shouldn't need to "build a relationship" in order to "transfer the information privately."

    • "working relationship" could also mean that 1) HP has a contact person assigned to snosoft, who will actually read and respond to snosoft's emails, and 2) snosoft will promise keep exploits and advisories quiet until HP says they are ready.

      of course, you'd think this is how it would work anyway, without any formal agreements..

    • Re:money for exploits? (Score:2, Interesting)

      by dd301 ( 141836 )

      But, it seems to me that if SNOsoft was merely acting altruistically, they shouldn't need to "build a relationship" in order to "transfer the information privately."

      The point in question was whether "third party" (read CERT) would have to be in on the information sharing. Many people feel that CERT is just piggybacking on the efforts of real security researchers.

      • There's at least one good reason for having a third party mediate in cases of security holes. It's a good way to "anonymize" the bug report.

        Recent cases such as the HP/SnoSoft, Sklarov and DeCCS incidents show that the likely response of corporations to security bug reports is to threaten the person who made the report. This inherently has a chilling effect. If the person is intimidated by the corporation's lawyers, the problem may not be fixed.

        If a third party like CERT can maintain a reputation for protecting people like me from the wrath of corporations like HP, I'm much more likely to tell them what I know about vulnerabilities. If not, I'll just stick to my policy of not risking my bank account and professional future.

    • Which raises another question: is it OK to expect to be paid to find such bugs/exploits? On the one hand, the hacker ethic says no; on the other, by finding such bugs & exploits the finder is doing the vendor a service and might reasonably expect to get paid.

      What do y'all think of this issue? It is possible this has been discussed before, though.

      • Hacker ethic says "share the information with everyone, including the guys in black hats". HP would prefer if the Snosoft guys would only share the information with HP so they can fix the problem. Snosoft was willing to do that, so long as they are paid as consultants.

        Even hackers need to pay the rent and put food on the table. We're not all independantly wealthy heirs to petroleum fortunes.

        • I read their statement as, "If we're hired to audit some code, we won't report our findings publicly. If we independently audit some code, we will report our findings publicly." This seems to be perfectly reasonable to me.

    • Re:money for exploits? (Score:5, Insightful)

      by Jester99 ( 23135 ) on Friday August 02, 2002 @11:30AM (#3999014) Homepage
      Just about any time that two companies collaborate, some sort of agreement must be signed between the two.

      (#include<std/disclaimer.h>, IANAL, etc)

      But anyway, assume that SNO simply emailed HP the bug and a patch and HP said "thanks, guys" and rolled it out in the next point release. Six months down the line, SNO *could* (if they were evil enough) sue HP for breech of copyright. Delete the part of the email that said they had permission, etc, and boom.

      That's no good.

      So, they almost always put stuff out in writing specifying exactly who's giving what to whom and what each party's allowed to do with it.

      This is why, if you watch MTV's Jackass, they specifically say at the end of each show "If you send us tapes of yourselves being jackasses, we won't open them. They will be thrown away." It's not that they don't think you could be funny; rather the contrary. They're afraid that if they see your stuff, and then end up publishing something similar by coincidence, they could be sued by you. Because there was no contract.

      Furthermore, a contract between two parties, to be legal, must allow both parties to benefit from it. (Which is what separates a contract from extortion.) That's why you don't just give somebody a car and hand them the deed. They always pay you a dollar - so that a contractual agreement was fulfilled between the two of you. If HP and SNO were going to write some sort of contract stating what info SNO was going to give HP, and what HP was allowed to do with it, a transfer of money or other consideration must be given to SNO. (Now, it doesn't have to be a large sum of money. But corporations usually don't work in pocket change. So, SNO probably did want a decent chunk of cash for their part of the bargain.)

      So, to summarize, "working relationships" always involve paperwork. Usually to cover people's collective asses. And they usually have cash involved, so that a mutual exchange occurs when the contract is signed. As to why that made HP's lawyers go trigger-happy, well, that's anyone's guess.

  • Snosoft security... (Score:2, Interesting)

    by FyRE666 ( 263011 )
    So snosoft are a security research company? Then how come they haven't bothered updating their web server to fix the security flaw mentioned over a month ago [apache.org]?

    According to Netcraft [netcraft.com], they're still running Apache 2.0.35 [netcraft.com]...

    • Re:Snosoft security... (Score:4, Informative)

      by Cryptnotic ( 154382 ) on Friday August 02, 2002 @12:30AM (#3996908)
      Maybe it's because that security flaw doesn't affect them unless they're running on Windows, which they're not.

      • From the Apache.org advisory:

        "While testing for Oracle vulnerabilities, Mark Litchfield discovered a denial of service attack for Apache on Windows. Investigation by the Apache Software Foundation showed that this issue has a wider scope, which on some platforms results in a denial of service vulnerability, while on some other platforms presents a potential remote exploit vulnerability."

        So, while the problem was initially detected on the Windows platform, it has been found to affect other platforms. In fact at the very top of the advisory we see this:

        "Versions: Apache 1.3 all versions including 1.3.24; Apache 2.0 all versions
        up to 2.0.36; Apache 1.2 all versions."

        Now I'm not sure what "all versions" means to you, but to me it doesn't mean "Windows only"...
    • They might have backported the fix.
  • If there is anything that the Enron/Worldcom/corporate scandals of the week and ludicrous xxAA-backed legislation has taught us, it is that greedy people will try and get away with as much as possible until they get caught. HP didn't suddenly get a conscience, they just found the point of diminishing returns for this particular type of legal attack. The fundamental attitude of "how can we exploit the law to our own benefit" without any regard to it's intent or long-term consequences remains the same.

    One can only hope that vigorous outcry from vigilant people can convince corporations that they don't always have to do what their lawyer says. Lawyers don't have consciences. At least, they don't have independent ones. A lawyer believes whatever he is paid to believe. And so they are incapable of looking at any situation from a non-opportunistic/exploitative point of view. Only when their paymasters say, wait a minute, this policy doesn't work, I'm not going to just send that cease-and-desist or SLAPP or call the FBI or whatever, do these corporations do something in the public interest.

  • I thought so! (Score:4, Insightful)

    by www.sorehands.com ( 142825 ) on Thursday August 01, 2002 @11:07PM (#3996629) Homepage
    Just like the RIAA with Felton.

    They knew they would have their posterior kicked black and blue which would eliminate the DMCA threat power.

    • The power of the DMCA is not necessarily in court. The threat of a long drawn out legal battle is usually enough to get what the large corps want, sort of a reverse "O.J." strategy, if you will. The DMCA can be milked by RIAA and others for many years without actually having to be tested. That won't lessen either it's application or damage to the IT sector.

  • Retaliation? (Score:2, Interesting)

    by dissy ( 172727 )
    So, my question is why dont they bring charges aginst HP for knowingly forcing people to use software that does not do what they claim (Unless being broken into is on the features list) as well as claim damages for the couple days their DMCA invocation caused by making us all run their vulnerable software?

    Also, i cant remember the name, but if you threaten someone with a lawsuit and have no intentions of following through with it, that is a crime as well.

    Ah well, thats the joy of the USA.. everything is a crime now

  • Anyone else email Ferson? (Score:4, Interesting)

    by teaserX ( 252970 ) on Thursday August 01, 2002 @11:22PM (#3996674) Homepage Journal
    Appreciate your note and concern. Let me just start by saying, "don't
    believe everything you read in the press :-)". I can assure you that my
    primary interest and concern is for the Tru64 customers and that the
    Tru64 engineering team is committed to finding and fixing any security
    problem in the product and getting these fixes/notifications out to
    customers ASAP. Trying to do everything possible for Tru64
    customers is what motivates and brings me to work every day
    (and night :-). We also encourage our customers and 3rd parties
    that find security issues in the product to coordinate through the
    CERT process, which has been set up to support both product
    vendors and customers. Again, I appreciate your concern and
    feedback.

    Kent ...

    -----Original Message-----
    From: XXXXXXX
    [mailto:teaser@XXXX.com]
    Sent: Tuesday, July 30, 2002 10:56 PM
    To: Ferson, Kent
    Subject: Rethink this approach.

    Concerning this Zdnet article: http://news.com.com/2100-1023-947325.html

    HP is going about this all wrong. You have managed to alert many more
    people of the mentioned exploit (by making legal threats) than would
    otherwise have ever noticed the Bugtraq post. That genie is way to far oput
    of the bottle to to be put back now and the poster will just comply to any
    cease and desist requests. Besides, there are plenty of buffer overflows in
    True64 according to the Bugtraq poster Phased.
    My suggestion to you and your colleagues would be that you quietly fix the
    code, in a timely fashion, and avoid both the bad publicity and potential
    liability.

    Thank you.
    • Let me just start by saying, "don't believe everything you read in the press :-)".

      What a lame answer. Whats preventing him from coming on /. and posting his side of the story? Did he, or did he not, threaten to sic the DMCA on SnoSoft?

  • Actions, not words (Score:5, Insightful)

    by v77 ( 221577 ) on Thursday August 01, 2002 @11:23PM (#3996678)
    I think this is too early to tell. Since they already did say they could use DMCA, some damage is done. This obviously came through lawyers, so someone somewhere DID make that decision, regardless of who they blame. Now, even though they said they wouldn't, there is doubt in a researchers mind if anything might happen. You can not just release a program without "following standard procedures" any more (that's what I got from CNet's article). Following such procedures is a good thing, but it should NOT be a requirement to free speech.

    Lets wait for actions from HP, who knows what they'll do a year from now on some other bug. This also opens the door for MS or Oracle or whoever to do this, without being first, and citing HP, regardless of what HP said today. Can you really open your toaster now and see what's inside? This threat, even though withdrawn, has done what it was supposed to do.

    It is what they call the slippery slope.

  • How many people sent Mrs. Fiorina (CEO) Feedback? (Score:3, Interesting)

    by Proudrooster ( 580120 ) on Thursday August 01, 2002 @11:45PM (#3996761) Homepage
    Last night, when I read about HP swinging the DMCA club I sent their CEO "intelligent feedback". It was polite and used words like "extremely disappointed" and accused HP of shooting the messenger instead of fixing the problem. Additionally, I told her that I wish I had discovered the flaw and had to defend this action and faced a jury.

    I imagined the cross examination as follows with HP on the hotseat:

    1. Isn't it true that HP learned of this exploit nearly a year ago and has done nothing except try to "silence" someone sounding a critical warning?

    2. Can you explain to us what type control a person could have gained over an HP server using this security flaw?

    3. Isn't it true that HP servers are used in key government installations, biomedical research labs, and fortune 500 companies and this flaw could have been used to compromise national security and commit corporate espionage?

    4. Why would HP delay acting on this information for so long when so much was at risk?

    Oh, this would have been soooo much fun to watch on Court TV!

    Anyway, I was just curious how many slashdotters fired off a "polite" feedback.

  • Hollow Victory (Score:3, Interesting)

    by Anonymous Coward on Friday August 02, 2002 @12:13AM (#3996860)
    I am sorry, I do not see the point of this.

    The DMCA still stands, it stifles research. Alan Cox is still afraid to step on US soil for fear of being arrested for doing a moral and ethical work.

    How is this any sort of victory. HP wussied out. Snosoft wussied out. And maybe Bruce Perens wussied out too.

    Where were the necessary changes to the law. Hackers need some sort of protection from this crap.

    Imagine if GM said you could open the hood of a car? Would the american public stand for that?
    If you found a fault in a Ford, would the american public want Ford to have 30 days to figure out if they want to deal with the problem?
    Corps are getting to manhandle us because the public doesnt understand the issues and we're a powerless minority.

    Does the auto insurance institute which does crash testing need to inform the car companies thirty days in adnvance prior to disclosing bugs?

    We need a secure receipt mechanism when reporting bugs.

    We need full disclosure.

    We need full authorization to learn from each other, this means sharing how buffer exploit vulnerabilities are found and how they can be exploited.

    Simply reporting vulnerabilities to companies is irreponsible in the public scheme of things. If coders dont know how these exploits occur it prevents them from writing secure code.

    We need the ability to learn from each other.

    DMCA needs SERIOUS changes.

    Bruce has done a lot more for hacker freedoms than many of us here, but I'm sorry but it hasnt been enough (not necessarily his fault).

    • Re:Hollow Victory (Score:5, Informative)

      by Bruce Perens ( 3872 ) <bruce@perens.com> on Friday August 02, 2002 @01:33AM (#3997106) Homepage Journal
      Dear AC,

      I agree that this is hardly the last shot in the battle. Hardly. If anything, we kept a bad situation from getting a drop worse. But I don't know if "wussied out" is really a fair description. I modified my own DMCA paper to protect HP's Linux program. When Kent Ferson sent his letter a whole 4 days later, I lit fires all over HP and (along with a cast of good people within HP) convinced everyone, including Kent, that using DMCA this way was a bad idea.

      But I didn't get the law repealed this week. I'll keep working on that. It would be really nice if you would put in a lot of work on this, too. This is the sort of issue where every one of us has to help or we'll lose.

      Thanks

      Bruce

      • When Kent Ferson sent his letter a whole 4 days later, I lit fires all over HP

        Damn, Bruce. Now I really want to know what you had planned for your anti-DMCA presentation...

    • Re:Hollow Victory (Score:5, Interesting)

      by gilroy ( 155262 ) on Friday August 02, 2002 @02:53AM (#3997268) Homepage Journal
      Blockquoth the poster:
      Imagine if GM said
      you could open the hood of a car? Would the american public stand for that? (emphasis added)
      Yep, it'd be terrible if people could examine the inside of their car's engine. We'd have all these underworked overinquisitive teenagers poking around, figuring out how things work, modifying and maybe even improving the engine... it'd be chaos!

      OK, OK, I shouldn't make fun of someone just because they pressed "Submit" too fast. But the slip opens up an interesting thought in my mind: It is a fact of history that in World War II, American infantry units were the only ones to get progressively more mechanized as a campaign went on. For most armies, continuing action meant trucks and tanks broke down (bad maintenance, lack of supplies, etc.). But for the US, the infantry units would gain mechanized capacity. It was not unheard of that a unit not have to march anywhere, having scrounged enough vehicles to ride. This made the infantry many times more effective and enhanced the efficiency of armor, too (since the infantry could keep up with the tanks).

      It doesn't seem that, with the wear-and-tear of battle, you should get more capacity. What was the secret? Well, just about every man in a US unit had some experience with motor vehicles. Most owned their own; many if not all repaired their own. So on the battlefield, they were able to scrabble spare parts together and keep the trucks rolling. In fact, they were often able to scavenge from damaged enemy machines! When a truck or car broke down, most armies had to call in a specialist repair team. But the US infantry could fix it themselves and keep moving. (Source: Dirty Little Secrets of World War II [barnesandnoble.com] , Dunnigan and Nofi)

      What's the point? Well, consider that everyone thinks sooner or later we're going to get into a "cyberwar" -- assaults upon information infrastructure. Maybe our only chance of winning such a conflict is to have legions of people familiar with computers and security, with securing a system or attacking it, with picking apart a program and then putting it back together better. In other words, maybe we need a culture of "hackers" (in both sense) as an insurance policy.

      In which case, the DMCA is not just intrusive and unbalanced. It's actually a threat to national security. How do you like them apples?

      • Some my first thoughts when all the DMCA nonsense started were along these same lines. I have written my congresscritters explaining my reasoning, which I believe to be perfectly sound, but I don't think they're listening. I think they're simply more concerned about their short term RIAA/MPAA provided kickbacks, exclusive parties, prostitutes, etc.

        But it goes even further than "cyberwar". If we don't have talented computer professionals in this country, the CIA, NSA, FBI, Armed Forces are all going to suffer disasterously. What are we gonna do, hire foreigners to protect our national security? ;-)

        And then there's long term economic problems we'll run into as well. Corporations won't be able to hire security experts with enough talent and experience to protect them from corporate espionage, script kiddies, disgruntled employees, etc.

        Our "leaders" are going to bring about our own demise. Stupid bastards...

    • OK, perhaps this is a little OT, but I thought I'd share what I posted a while back on /. Basically, Americans have had their rights legislated away from them for some time now...

      A common question Open Source advocates like to pose to the general populace is "Would you buy a car with the hood welded shut?"

      Of course, we all know that the answer is supposed to be no, but what most people don't realize is that this very thing has, in essence, been going on since the Clean Air Act of 1967. It is actually illegal to modify the engine in a passenger car to produce more horsepower, though such modification is seldom prosecuted. I came in on the tail end of the hot rod era; today, the integration of computers and engines has become so pervasive that the average hot rodder cannot modify his machine without a great deal of knowledge and expense. And those days of doubling or tripling the horsepower output of an engine are long gone.

      But the point is this: the same thing that happened with automobiles will happen with the computer. You will have to be a specially licensed and bonded technician in order to own certain development tools (compilers, debuggers, and the like). While you will still be able to take apart your computer, making unauthorized modifications (to thwart the onboard DRM and Palladium chips) will be illegal. Unlike the hot rodder of today who is seldom prosecuted by the police, the machine will "call home" to Big Brother if it detects that it has been modified, and federal agents will show up to "fix" your computer.

      And just wait until GPS units are mandatory in cars, and the FBI can find out everywhere you've been with a simple database query.

      The erosion of our liberties is very real. Those of us who care about our liberties need to stand up and be heard; we need to do something about this before it gets out of hand. Learn a lesson from the automotive enthusiasts - if you don't vigilantly protect your liberties, the government will take them away.

      • Of course, we all know that the answer is supposed to be no, but what most people don't realize is that this very thing has, in essence, been going on since the Clean Air Act of 1967. It is actually illegal to modify the engine in a passenger car to produce more horsepower, though such modification is seldom prosecuted.
        Correct me if I am wrong, but I believe that the CAA makes it illegal to modify the emissions controls systems of a vehicle for hire. You may still modify a personally owned automobile to your heart's content.

        sPh

  • If you had anything to do with the reconsideration, we appreciate it.

  • Those of you who emailed HP to complain (Score:4, Insightful)

    by BoneFlower ( 107640 ) <anniethebruce&gmail,com> on Friday August 02, 2002 @12:53AM (#3996982) Journal
    Should now email them to express thanks that they have reversed the decision. I had emailed them to state my displeasure and to vow never to buy another HP product again(which would be tough, as my Pavillion continues to surprise me in quality).

    Now that they have reversed it, I sent a follow up thanking them and stating that I again looked forward to purchasing from them in the future. The rest of you should do the same- Express displeasure when they fuck up like this, but also express appreciation when they fix it as they have.
    • Here's the problem.
      HP cried DMCA.
      Where the hell are the Feds? Once you cry DMCA you can't take it back. The probable cause is there.
      Where's the FBI busting these guys? Because HP changed their mind? What about Adobe?
      Where is the consistency?
      We need a trial, NOW.
  • After reading SNOSofts response, I've gotta say it looks like they were trying to drum up business and it back fired big time.

    Im not supporting HP in any way and personally I think the DMCA is the greatest piece of loo paper I've ever seen but if you go to someone and say "I know how to break into your house and steal all your hidden money and Im not going to tell you unless you pay me" you gotta expect to get burnt.
  • I am as against the DMCA Anti-circumvision clauses as much as any other freedom of speech and fair use loving American. I however think in this case Secure Network Operations tactics have a bad odor to them. The contracted NDA on vulnerabilities sounds like extortion. "We are dedicated to performing security research on a wide range of operating systems, following either an independent research/full disclosure model or a contract-based/NDA model. We hope to build productive relationships with many vendors in the future." Plain and simple interpretation of the quote in my personal opinion is that if you pay us we will keep your dirty little secret buried. We hope many companies will pay us to keep our mouths shut.
    • This could also be construed as "if you're being proactive about security, there's less of a need for ful disclosure. If an NDA is the price we have to pay to audit your stuff, we can live with that".

      Very few businesses are completely altruistic. Money corrupts. They're probably not as bad as you suspect, but still corrupt.

  • The difference is that they didn't immediately call the feds in on it. But its the same process. They played the same "threaten severe legal problems and they'll do our bidding" game that corporations have been playing for years. The only problem is, HP suddenly realized, as did Adobe, that their market pays attention to these activities, and a great many of them steadfastly denounce them, especially when controversial laws like the DMCA are invoked.

    The movie industry can sue the DECSS people with little concern. No matter how irate they might make people, 95% of their market will never hear about it, not to mention actually form an opinion on the matter. HP and Adobe however don't have that luxury. A significant percentage of their customer base pays attention to these issues, and when they pull stunts like these, they risk losing a LOT of their market share from pissed off users. Why else would they suddenly back off. Although its quite possible in HP's case that one hand in the company isn't aware of what another is doing, and the official position of the corporation is not to legally abuse their market base.

    At least its a good thing this was only a threat. They shot themselves in the foot, certainly, but now its past us. Adobe's snafu is still brewing in court, even though they've long since retracted their original complaint.

    -Restil
  • ....has HP fired those lawyers or their firm?

    I doubt it.

    If only more lawyers would get fired. There are far too many upright-walking cockroaches in that profession. There are good lawyers too of course, just look at the ACLU, but there are also plenty of the worst type of scum known to man.

    I guess if you're an amoral sociopath, career choices that match your temperament are few and far between. Your choices are basically car salesman, CEO, or legalistic henchman/mercenary.

    Lee

  • Quote: "At the high point there was an e-mail to (HP CEO Carly Fiorina) every 90 seconds."

    It looks like there are quite a lot of HP workers that knows what a bad thing the DMCA is. Thanks for reacting!

  • The thing about this entire affair that upset me the most was that SecurityFocus.com, operators of Bugtraq, quickly buckled under and removed the Snosoft guy's posting from their archive as requested by HP.

    A lot of people are worried that Symantec will influence how Bugtraq is moderated and operated, and here we have a case where the deal isn't even closed yet, and already "things are different" down at ole Bugtraq...

    Coincidence? Methinks not.

    • The post is there [securityfocus.com]. Now I gotta go find the message I read yesterday where they pulled it so I don't look like a complete assshat. Either that or they put it back up...

      Sigh, moderate parent down, although the influence concern is still valid, the claim may not be.

  • Corporate IP Rights? (Score:3, Insightful)

    by Lord MJ ( 574227 ) on Friday August 02, 2002 @08:39AM (#3997891)
    In another BBS I go to, when I posted about Palladium and the DMCA, all I got in reply were firey defenses of corporate intellectual property. You can't disclose specifics of design flaws in proprietary works since it violates the copyrights and trade secrets of the IP owner. Microsoft can impose Palladium, since you don't have an inherent right to choose which software you run on your computer, since windows is the property of M$ and the processor is the property of Intel. You don't have an inherent right to transfer your data out of a proprietary format, since the format is IP and if the vendor doesn't want you to have the ability to convert to other formats, then they have the right to say you can't because it's intellectual property. So on and so forth. Note that IP law doesn't give corporations the right to do any of those things. And in cases where IP does apply, those rights are overridden by anti-trust laws, monopoly laws, and restraint of trade laws. (I would argue that M$ using closed file formats in order to lock you in could be legitamately considered to be a restraint of trade.) But it seems that outside communities such as /. corporate IP takes precedence over anything, and to restrict companies like Micorsoft is a violation of corporate constitutional rights by a tyrannical government!
  • HP blames the snafu on... their lawyers!

    This is wrong, legally and morally. HP is a corporation; their lawyeres are a part of them. The non-corporate analogy would be a little like punching someone in the nose and then saying "I didn't do it! It was my hands!" Someone who honestly presented this as a defense would be encouraged to undergo a psychiatric evaluation. I see NO difference in HP's behavior. Their attorneys, BY LAW, represent HP. Attorneys are not allowed to do things their clients don't want. Any action an attorney takes is legally the action of the client; that's what the word "attorney" means. When your attorney threatens legal action, YOU are threatening legal action; the attorney was hired by YOU to take actions YOU want by using the tool of the American legal system. The attorney may suggest courses of action; YOU decide what your legal representative will do.

    The ONLY time I'd be willing to make an exception to this is if the corporation fires their lawyers or files suit against their law firm for legal malpractice.

    Anyone who tries to tell you that it's not their fault because their attorney did it needs to be punched in the face.
  • IMHO, this is too little, too late. Yeah, they're backpedaling after a justifiably furious outcry. However, the fact that one of their VPs sent this letter in the first place goes to show you how the HP/Compaq top brass think about security: keep it quiet.
  • Until Wednesday, SnoSoft's home page stressed that it had a policy of "full disclosure" of security threats--unless that company retains SnoSoft as consultants. "If someone hires us to do research we can not disclose that information since the information becomes theirs--they purchase it," said Snosoft's Desautels.

    Ok, so SnoSoft says, "Hey, we found a security hole in your Tru64 product, but we are only going to tell you if you fork over some dough!" How ethical is that? Its hardly full disclosure. HP was threatening legal action on this basis, not that they found a hole. If I were HP I would sue the extorting bastards, too. Either disclose all holes publicly upon discovery or give the opportunity for vendors to fix them, but disclosing security holes within 24 hours to bugtraq only in the cases where the vendor does not pay you for cracking their system is unethical, IMO.

Slashdot Top Deals

The bogosity meter just pegged.

Close