Robin Gross, an attorney at the Electronic Frontier Foundation (EFF), predicted HP would be one of many companies striving for broad interpretations of the DMCA.

"These are the kinds of letters that we can expect to see now that the DMCA has granted such broad powers to copyright holders," Gross said. "Any information that can bypass controls will trigger DMCA penalties.

"The DMCA is so broad in what it prohibits it does include preventing researchers from revealing security weaknesses in operating systems -- even though that has nothing to do with protecting copyright."

The EFF represented Princeton University professor Ed Felten after he was threatened with a DMCA lawsuit for exposing weaknesses in a music watermarking scheme. The San Francisco-based nonprofit group also backed hacker publication 2600, which was successfully sued by eight movie studios for distributing a DVD-decrypting utility.

SnoSoft representatives stressed in an interview that they wanted a cordial relationship with HP. They provided a copy of an email message sent before the 19 July posting in which HP had discussed a deal with SnoSoft, asking what it would "cost for you to share, under NDA, the problems you have discovered to date for Tru64 Unix V5.1 and/or V5.1a."

HP has known about the Tru64 vulnerability "for some time," SnoSoft's Finisterre said, but never fixed the problem. An HP spokesman said he did not know if a patch had been released.

Another researcher, who uses the alias K2 and is part of the ADM hacking group, released a similar exploit in 2001 that also gave a person complete access to a Tru64 Unix system.

Finisterre said that while he wanted to resolve the dispute with HP, he resented receiving DMCA threats. "We are like the guys that found out that Firestone tyres have issues on Ford Explorers," he said. "It's not our fault your Explorer has crap tyres. We just pointed it out. We should not get attacked for pointing out issues in someone's product nor for proving it is possible."

Ahmad of SecurityFocus.com said that HP's Tru64 operating system is no more secure than other mainstream Unix variants.

"A lot of the time, when a major Unix has some vulnerability, Tru64 Unix will also be vulnerable just as a result of shared code," Ahmad said. "Also it's old code, and it's my belief that much of it was written without an understanding of the modern code problems that can be exploited by hackers."

Tru64 Unix came in last place in a recent survey by a computing research firm. As a result of HP's acquisition of Compaq, Tru64 is being phased out over the next few years, and its features are supposed to be folded into HP-UX.

In an unrelated incident last week, HP asked one of its employees not to engage in a public demonstration that would have arguably violated the DMCA.





