[iwar] [fc:Comment.on.DMCA,.Security,.and.Vuln.Reporting]

From: Fred Cohen (fc@all.net)
Date: 2002-08-01 05:29:33


To: iwar@onelist.com (Information Warfare Mailing List)
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL3]

Given the recent news about HP using the DMCA to shutter a Bugtraq disclosure of
a Tru64 vulnerability, I felt it appropriate to chime in. I hope you find my
comments of value and worthy of relaying on to the list.

The News.Com story with more details is at:
http://news.com.com/2100-1023-947325.html?tag=fd_lede

----------RFF Comments
I find it sadly amusing that technology companies see "security debate" on
the same level as "piracy" or "copyright controls." What it really serves as
is a corporate secrecy tool and (as was said) a cudgel against any and all
potential enemies.

HP, in its infinite corporate and legal wisdom - the same wisdom shared by
Ken Lay, Jeff Skilling, Fritz "Hollywood" Hollings, and Bernie Ebbers - has
opened a Pandora's Box here. Next you'll see folks saying that public
disclosure of the generic password on the default Unix "guest" account will
be prosecutable under the DMCA, or that to say a given exploit uses a "buffer
overflow" to cause its damage is likewise criminal. It's bad enough that
black markers might become illegal, isn't it? But the madness continues.

While I disagree with Adobe's use of the DMCA last year against Dmitry, at least
their claim was somehow - admittedly tangentially - related to copyright
protection. HP's case is just absurd and has nothing to do with copyrights
and everything to do with avoiding embarrassment and taking responsibility
for their product's shortcomings.

I believe system-level security is MUTUALLY EXCLUSIVE from copyright
protection -- or more accurately, the 'economic security' of the vendors.
Taking reasonable steps - including public disclosure of exploits and their
code - to protect a user's system from unauthorized compromise IN NO WAY
impacts the copyright rights of HP, unless HP wrote the exploit code that's
being publicly shared w/o permission... in which case it's truly their fault
then. Regardless, either way you look at it, they're using the DMCA to conceal
their embarrassment and duck responsibility.

The way we're going, thanks to HP's legal geniuses, we may as well call
NIST, NSA, SANS, and IETF to rewrite a new 'industry standard' definition
for 'computer security' that places the vendor's profit and public image
above the confidentiality, integrity, and availability of end-user data and
systems. For all intents and purposes, Congress has already done that with
DMCA and Berman's proposed "Hollywood Hacking" Bill -- they just forgot to
inform (or seek counsel from) those of us working in the real information
security community.

Bleeping idiots. Congress and Corporate America. When it comes to technology
policy, neither has the first clue. No wonder we're in the state we're in.

------------------
http://all.net/ 

This archive was generated by hypermail 2.1.2 : 2002-10-01 06:44:32 PDT