Don't fix that security hole - sue the finder instead (fwd)
John Chambers
jc at trillian.mit.edu
Wed Jul 31 10:18:49 EDT 2002

| HP had a security hole in their Tru64 UNIX. The fact was
| apparently made public last year. Someone recently published
| the info, along with sample C code that exploits the hole. HP
| threatened them with DMCA prosecution and with a lawsuit.
|
| http://news.com.com/2100-1023-947325.html?tag=fd_lede

Yeah; there's been a bit of discussion of this topic on slashdot:
http://slashdot.org/article.pl?sid=02/07/31/0030239&mode=thread&tid=153
Included are a number of interesting replies by Bruce Perens.

So far, the whole story seems pretty damning. It seems that HP was
informed of the problem (a rootkit exploit in Tru64 Unix) about a
year ago, and pretty much ignored the problem although there was
working code. A few months ago, when the SnoSoft people who found it
tried getting a bit more action, HP's response was to ask them how
much money it would take to keep them quiet. SnoSoft responded to
this bribery attempt by describing the problem on a security mailing
list. Next, HP threatened to prosecute them under the DMCA. SnoSoft
informed them that the person responsible for outing HP wasn't an
American citizen and didn't live in the US, so there was little
chance of an arrest. When HP stood by their threat, SnoSoft published
the code of the exploit.

HP may have just lost a whole lot of credibility in tech circles with
this one. Anyone concerned with computer security now has to assume
that there are probably more serious security problems with HP
systems, since HP's policy is to suppress information about problems
rather than fix them. It's been about a year since they were notified
of this one, after all.

The slashdot discussion has pointers to the C source for the exploit.