- Given the recent news about HP using DMCA to shutter a Bugtraq disclosure of
Tru64 vulnerability, I felt it appropriate to chime in. I hope you find my
comments of-value and worthy of relaying onto the list.
The News.Com story with more details is at :
I find it sadly amusing that technology companies see "security debate" on
the same level as "piracy" or "copyright controls." What it really serves as
is a corporate secrecy tool and (as was said) cudgel against any and all
HP, in its infinite corporate and legal wisdom - the same wisdom shared by
Ken Lay, Jeff Skilling, Fritz "Hollywood" Holings, and Bernie Ebbers - has
opened a Pandora's Box here. Next you'll see folks saying that public
disclosure of the generic password on the default Unix "guest" account will
be prosecutable under DMCA, or that a given exploit uses a "buffer overflow"
to cause its damage is likewise criminal to speak of. It's bad enough that
black markers might become illegal, isn't it? But the madness continues.
While I disagree with Adobe's use of DMCA last year against Dmitry, at least
their claim was somehow - admitted tangentally - related to copyright
protection. HP's case is just absurd and has nothing to do with copyrights
and everything to do with avoiding embarassment and taking responsibility
for their product's shortcomings.
I believe system-level security is MUTUALLY-EXCLUSIVE from copyright
protection -- or more accurately, the 'economic security' of the vendors.
Taking reasonable steps - including public disclosure of exploits and their
code - to protect a user's system from unauthorized compromise IN NO WAY
impacts the copyright rights of HP, unless HP wrote the exploit code that's
being publicly shared w/o permission....in which case it's truly their fault
then. Regardless, either way you look at it, they're using DMCA to conceal
their embarassment and duck responsibility.
The way we're going, thanks to HP's legal geniuses, we may as well call
NIST, NSA, SANS, and IETF to rewrite a new 'industry standard' definition
for 'computer security' that places the vendor's profit and public image
above the confidentiality, integrity, and availability of end-user data and
systems. For all intents and purposes, Congress has already done that with
DMCA and Berman's proposed "Hollywood Hacking" Bill -- they just forgot to
inform (or seek counsel from) those of us working in the real information
Bleeping idiots. Congress and Corporate America. When it comes to technology
policy, neither has the first clue . No wonder we're in the state we're in.