[free-sklyarov] Security warning draws DMCA threat

Vladimir Katalov vkatalov at elcomsoft.com
Wed Jul 31 04:04:26 PDT 2002


http://news.com.com/2100-1023-947325.html?tag=fd_top

By Declan McCullagh
Staff Writer, CNET News.com
July 30, 2002, 4:48 PM PT

WASHINGTON--Hewlett Packard has found a new club to use to pound
researchers who unearth flaws in the company's software: the Digital
Millennium Copyright Act.

Invoking both the controversial 1998 DMCA and computer crime laws, HP
has threatened to sue a team of researchers who publicized a
vulnerability in the company's Tru64 Unix operating system.

In a letter sent on Monday, an HP vice president warned SnoSoft, a
loosely organized research collective, that it "could be fined up to
$500,000 and imprisoned for up to five years" for its role in
publishing information on a bug that lets an intruder take over a
Tru64 Unix system.

HP's dramatic warning appears to be the first time the DMCA has been
invoked to stifle research related to computer security. Until now,
it's been used by copyright holders to pursue people who distribute
computer programs that unlock copyrighted content such as DVDs or
encrypted e-books.

If HP files suit or persuades the federal government to prosecute, the
company could set a precedent that stifles research into computer
security flaws, a practice that frequently involves publishing code
that demonstrates vulnerabilities. The DMCA restricts code that "is
primarily designed or produced for the purpose of circumventing
protection" of copyrighted works.

On July 19, a researcher at SnoSoft posted a note to
SecurityFocus.com's popular Bugtraq mailing list with a hyperlink to a
computer program letting a Tru64 user gain full administrator
privileges. The researcher, who goes by the alias "Phased," said in
the message: "Here is the warez, nothing special, but it does the
job."

That public disclosure drew the ire of Kent Ferson, a vice president
in HP's Unix systems unit, who alleged in his letter on Monday that
the post violated the DMCA and the Computer Fraud and Abuse Act.

[...]




