RealTime IT News

HP Backs Down on DMCA Threat

Less than a week after it put the thumbscrews on a security research firm for finding a hole in its server operating software, Hewlett-Packard Friday said it has withdrawn its legal threats.

The Palo Alto, Calif.-based computer and printer maker had sent a letter to Secure Network Operations (SNOSoft) saying the company "could be fined up to $500,000 and imprisoned for up to five years" just for publishing an exploit for HP's Tru64 UNIX operating system.

The Maynard, Mass.-based company said the "su utility on Tru64 Unix systems is prone to a locally exploitable buffer overflow condition," and that an attacker might potentially exploit this condition to execute arbitrary instructions as root.

HP verified that there is a security vulnerability with Tru64 UNIX, first brought to its attention July 18. The company said the problem has been isolated and HP has been preparing a fix, which will be available by Monday, August 5 at the latest.

In an e-mail acquired by internetnews.com, HP said it would not comment on the specifics of its discussions with SnoSoft, but did apologize for the hullabaloo.

"We take our customers' security requirements very seriously and have a strong track record following industry-standard security practices," HP said in its statement.

SnoSoft said it attempted on numerous occasions to build a working relationship with HP, but was asked to go through a trusted third party, in this case the CERT Coordination Center, and to wait forty-five days before releasing any proof-of-concept exploit code.

In its letter to SnoSoft, HP used the Digital Millennium Copyright Act (DMCA) and the Computer Fraud and Abuse Act as the basis for its demand to remove the posting. Had HP followed through on the DMCA threat, it would have been the first time since the law's 1998 debut that it was applied to a security research firm.

"Where and how the DMCA should be applied is a matter of great controversy. The reported letter to SnoSoft was not consistent or indicative of HP's policy. We can say emphatically that HP will not use the DMCA to stifle research or impede the flow of information that would benefit our customers and improve their system security," the company said in its release.

SnoSoft said it appreciates HP's retraction of its DMCA threats.

"We are dedicated to performing security research on a wide range of operating systems, following either an independent research/full disclosure model or a contract-based/NDA model. We hope to build productive relationships with many vendors in the future."

The advisory has since been removed from its original location on SecurityFocus's Web site.