HP Threatens Legal Action Against Security Group

Researchers may become reluctant to publicize vulnerabilities

As businesses, government officials, and security pros grow increasingly wary of software vendors shipping applications laden with vulnerabilities, Hewlett-Packard has decided to go on the offensive.

The vendor last week threatened Secure Network Operations Inc., a security-services firm better known as SnoSoft, with legal action for publishing code that exposes a serious hole in HP's Tru64 Unix operating system, which HP acquired when it bought Compaq. Kent Ferson, a VP at HP, cited the Digital Millennium Copyright Act, the Computer Fraud and Abuse Act, and additional penalties under Massachusetts law, where SnoSoft is headquartered, in a letter he fired off to software security researchers at SnoSoft.

On Aug. 1, HP issued a statement backing off the copyright act threat. But it's unclear whether it will attempt other legal action against SnoSoft. "HP is being pretty ridiculous," says John Pescatore, a Gartner security analyst. "I think this is a public service to force HP to fix bugs faster than it would have otherwise."

Security experts and IT managers fear that if HP follows through on its threat, researchers could become more reluctant to publicly disclose future software flaws they ferret out. That "could certainly chill public discourse on security research of commercial software," Internet security consultant Richard Smith says. "It comes down to the fact that corporations just don't want to be embarrassed."

SnoSoft crossed the line, most agree, when one of its members unilaterally posted a copy of the actual exploit code rather than just an informational advisory. "There is never a security need to release exploit code," Pescatore says.

SnoSoft founder Kevin Finisterre contends that a member, known as Phased, released the exploit on his own, without the group's consent. SnoSoft operates a loosely organized research group and Phased, a member of that group, had access to its servers. He copied the code and posted it on the BugTraq security mailing list. He said he posted it because he "got fed up" with what he perceived as HP's runaround.

SnoSoft notified HP-Compaq about the vulnerability on April 15, Finisterre says, but the vendor never gave researchers an appropriate contact. "I think they were just totally dragging us on, telling us to go talk to this guy, then go talk to that guy. They should have just fixed it and released a patch," he says. Phased posted the exploit three months later. HP said in an Aug. 1 statement that it would issue a patch within 48 hours.

Security experts have long feared that vendors would use legal threats, especially the copyright act, to stifle public disclosure of flaws found by private researchers. "This is a bad law," says Robin Gross, an attorney at the Electronic Frontier Foundation. It gives companies "very broad powers."

But so far, it hasn't intimidated SnoSoft: The group says it has found 22 more Tru64-related vulnerabilities that will be released in the next few weeks.
