Bugtraq mailing list archives

It takes two to tango


From: "Richard M. Smith" <rms () computerbytesman com>
Date: Tue, 30 Jul 2002 22:52:45 -0400

Hi,

I just read the article at News.com
(http://news.com.com/2100-1023-947325.html?tag=fd_top) about the
controversy between HP and Snosoft.  It seems that HP is upset that
details of a dangerous security hole in the HP Tru64 operating system
were published by "Phased", a security researcher with Snosoft, here on
Bugtraq.  I really feel that HP went way over the line by trying to
place all the blame on Snosoft for HP's security hole by invoking the
DMCA and the Computer Fraud and Abuse Act. 

If this particular security hole is ever exploited by the "bad guys",
we'll probably have both HP and Phased to thank.  It really does take
two to tango.  The Phased exploit code would never have been published
if HP programmers didn't mess up in the first place.

So this quote from Kent Ferson of HP in the News.com article was
probably a big mistake:

   "Ferson also said that HP reserves 
   the right to sue SnoSoft and its members "for monies 
   and damages caused by the posting and any use of the 
   buffer overflow exploit." 

Pretty clearly if there were ever to be any lawsuits over this
particular bug, HP has much deeper pockets which are much easier to get
to.

BTW, I'm neither a fan of the DMCA nor of people publishing exploit code
for security holes:

   Digital Copyright Act Harms Research
   http://www.privacyfoundation.org/commentary/tipsheet.asp?id=47&action=0

   Can we afford full disclosure of security holes?
   http://www.computerbytesman.com/security/fd.htm

Thanks,
Richard M. Smith
http://www.ComputerBytesMan.com
