How to handle a security hole

Robert Kennedy erwin_k_r at yahoo.com
Thu Aug 1 20:56:12 CDT 2002


Hi All,

Here's a scary item I expected to find already under
discussion. It was forwarded to me by the SysAdmin at
work.

Best,
Bob Kennedy

> 
> > -----Original Message-----
> > From: S=======, Howard
> > Sent: Thursday, August 01, 2002 12:22 PM
> > To: Kennedy, Bob
> > Subject: How to handle a security hole
> > 
> > Say what you want about M$ but even they wouldn't (at least so far) have the guts to do this.
> > 
> > Howard
> > 
> > HP threatens to enforce DMCA
> > 
> > This week, Hewlett-Packard threatened to take legal action against a group of security researchers who found and reported a very serious security hole in Tru64, HP's 64-bit version of UNIX.
> > 
> > The hole is a doozy: a buffer overflow vulnerability in the critical "su" command, which allows users to assume "superuser" privileges. According to the researchers, it is quite easy for any user of HP's operating system to gain administrative privileges in a flash. They demonstrated just how easy it was for any user to take control of the system via a tiny snippet of code less than one typewritten page in length.
> > 
> > Alas, instead of responding with thanks and rushing to disseminate a patch, HP threatened to sue the researchers for violation of the Digital Millennium Copyright Act, or DMCA.
> > 
> > It is unclear whether this highly controversial law, which prohibits defeating copy protection, was actually violated. However, the company's threat to use the law as a club against consumer disclosure -- and to bring criminal charges against researchers for sounding a much needed alarm bell -- provoked much anger in the computer security community. HP, contacted by ExtremeTech regarding its threat, refused to state whether it would pursue a policy of threatening security researchers in the future. "It is company policy policy [sic] not to comment on potential litigation," wrote HP spokesperson Elizabeth Phillips.
> > 
> > This incident is not the only one in which Hewlett-Packard has voiced support for the DMCA -- a law which is claimed by civil libertarians and others to suppress free speech and destroy the public's right to fair use of digital content. (The same law used by the record industry to threaten Princeton University researcher Edward Felten when he was too successful at solving their "Secure Digital Music Initiative" (SDMI) copy-protection challenge.) HP employee Bruce Perens, an advocate of open source software, was recently prohibited by HP from demonstrating the use of a region-free DVD player -- an act which is technically a violation of the DMCA even though millions do it daily. (Several countries outside the US, including Australia, have condemned region locking of DVDs as unlawful restraint of trade and/or a method of price fixing.) While he might simply have given the demonstration on his own time, making it clear that he was not acting as a representative of HP, the company cowed the normally outspoken Perens, who often claims that he works for HP but does not necessarily represent the corporation's viewpoints, into dropping his plans. One lawyer (see last link below) has gone as far as to claim that the organizers of the conference at which Perens spoke could have been subject to criminal penalties if Perens had attempted to exercise his right to free speech by giving the demonstration.
> > 

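The forwarded article names the bug class (a buffer overflow in a setuid-root "su") but does not show how an overlong argument turns into root. The block below is an added example for this list, not code from the article, from HP, or from Tru64's su (whose source is not on the page). It is a constructed C model of a setuid helper that copies a user-supplied name into a fixed 16-byte stack buffer, once with no bound and once with a length check. The struct layout, the function names and both inputs are assumptions made for the demonstration; the unbounded copy is modelled with memcpy over the whole struct so that the spill into the adjacent privilege flag is deterministic rather than undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Constructed teaching model of a setuid helper's stack frame. This is an
 * assumption for illustration only, not the layout of Tru64's su: a fixed
 * 16-byte name buffer followed directly by a flag that decides whether the
 * caller is treated as root. The flag stands in for the saved return address
 * or other control data that sits just past a real stack buffer. */
struct frame {
    char name[16];
    int  is_root;     /* 0 = ordinary user, non-zero = superuser */
};

/* Vulnerable pattern: copy attacker-controlled input into name[] with no
 * bound. Real code would be strcpy(f->name, src); the copy is done over the
 * whole struct here so the overrun stays inside defined behaviour and the
 * clobber of is_root is deterministic. */
void copy_name_unbounded(struct frame *f, const char *src)
{
    size_t n = strlen(src) + 1;          /* bytes the copy wants to write */
    if (n > sizeof *f)                   /* model limit: stay inside the struct */
        n = sizeof *f;
    memcpy((unsigned char *)f, src, n);  /* fills name[], then spills into is_root */
}

/* Hardened form: refuse input that does not fit, rather than truncating it
 * silently. Returns 0 on success, -1 if the name is too long. */
int copy_name_checked(struct frame *f, const char *src)
{
    const char *nul = memchr(src, '\0', sizeof f->name);
    if (nul == NULL)                     /* no terminator within 16 bytes */
        return -1;
    memcpy(f->name, src, (size_t)(nul - src) + 1);
    return 0;
}

/* Run one input through the vulnerable copy; returns the resulting is_root. */
int privilege_after_unbounded(const char *src)
{
    struct frame f = { "", 0 };
    copy_name_unbounded(&f, src);
    return f.is_root;
}

/* Run one input through the checked copy; returns the resulting is_root and
 * reports via *rc whether the input was accepted (0) or refused (-1). */
int privilege_after_checked(const char *src, int *rc)
{
    struct frame f = { "", 0 };
    *rc = copy_name_checked(&f, src);
    return f.is_root;
}

/* Constructed inputs: a normal user name, and one that exactly fills the
 * 16-byte buffer and carries one extra byte that lands in is_root. */
const char *const BENIGN_NAME   = "alice";
const char *const OVERLONG_NAME = "AAAAAAAAAAAAAAAA\x01";

int main(void)
{
    int rc;
    int root;

    printf("unbounded, benign  : is_root=%d\n", privilege_after_unbounded(BENIGN_NAME));
    printf("unbounded, overlong: is_root=%d\n", privilege_after_unbounded(OVERLONG_NAME));

    root = privilege_after_checked(OVERLONG_NAME, &rc);
    printf("checked,   overlong: is_root=%d rc=%d\n", root, rc);
    return 0;
}
```

Build with any C compiler (`cc overflow_model.c`). The benign name leaves is_root at 0 on both paths; the overlong name drives is_root non-zero through the unbounded copy (1 on a little-endian host), while the checked copy returns -1 and never touches the flag. The point to carry over to a real setuid binary is the same: anything reachable from argv, the environment or a terminal must be bounded before it meets a fixed buffer, and rejecting is safer than truncating.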




More information about the Kclug mailing list