
[fc: Comment on DMCA, Security, and Vuln Reporting]

  • Fred Cohen
    Message 1 of 1 , Aug 1, 2002
      Given the recent news about HP using DMCA to shutter a Bugtraq disclosure of
      Tru64 vulnerability, I felt it appropriate to chime in. I hope you find my
      comments of value and worthy of relaying onto the list.

      The News.Com story with more details is at:
      http://news.com.com/2100-1023-947325.html?tag=fd_lede

      ----------RFF Comments
      I find it sadly amusing that technology companies see "security debate" on
      the same level as "piracy" or "copyright controls." What it really serves as
      is a corporate secrecy tool and (as was said) cudgel against any and all
      potential enemies.

      HP, in its infinite corporate and legal wisdom - the same wisdom shared by
      Ken Lay, Jeff Skilling, Fritz "Hollywood" Hollings, and Bernie Ebbers - has
      opened a Pandora's Box here. Next you'll see folks saying that public
      disclosure of the generic password on the default Unix "guest" account will
      be prosecutable under DMCA, or that a given exploit uses a "buffer overflow"
      to cause its damage is likewise criminal to speak of. It's bad enough that
      black markers might become illegal, isn't it? But the madness continues.

      While I disagree with Adobe's use of DMCA last year against Dmitry, at least
      their claim was somehow - admittedly tangentially - related to copyright
      protection. HP's case is just absurd and has nothing to do with copyrights
      and everything to do with avoiding embarrassment and taking responsibility
      for their product's shortcomings.

      I believe system-level security is MUTUALLY-EXCLUSIVE from copyright
      protection -- or more accurately, the 'economic security' of the vendors.
      Taking reasonable steps - including public disclosure of exploits and their
      code - to protect a user's system from unauthorized compromise IN NO WAY
      impacts the copyright rights of HP, unless HP wrote the exploit code that's
      being publicly shared w/o permission....in which case it's truly their fault
      then. Regardless, either way you look at it, they're using DMCA to conceal
      their embarrassment and duck responsibility.

      The way we're going, thanks to HP's legal geniuses, we may as well call
      NIST, NSA, SANS, and IETF to rewrite a new 'industry standard' definition
      for 'computer security' that places the vendor's profit and public image
      above the confidentiality, integrity, and availability of end-user data and
      systems. For all intents and purposes, Congress has already done that with
      DMCA and Berman's proposed "Hollywood Hacking" Bill -- they just forgot to
      inform (or seek counsel from) those of us working in the real information
      security community.

      Bleeping idiots. Congress and Corporate America. When it comes to technology
      policy, neither has the first clue. No wonder we're in the state we're in.