HP threatens Tru64 hole publisher

The Digital Millennium Copyright Act (DMCA) has reared its ugly head again, with Hewlett Packard (HP) using it as a stick to beat a small group of security researchers.

Citing breach of the DMCA and Computer Fraud Abuse Act as grounds for attack, HP is threatening to sue security researcher SnoSoft for publishing an exploit for a vulnerability in HP's Tru64 Unix operating system.

The move has, predictably, upset the security and internet communities.

On Monday, HP warned SnoSoft that it could be fined up to $500,000 and imprisoned for up to five years for its publications of details that could allow an attacker to exploit a Tru64 box.

On 19 July, Phased, a member of SnoSoft, posted a note to the BugTraq security mailing list which read: "Got fed up of corporate bullshit. Here is the warez, nothing special, but it does the job."

Posted with the note was a link to a C script that would exploit a vulnerability in Tru64 and give an attacker admin rights to the machine.

Presumably, when Phased said that he was "fed up of corporate bullshit", he meant that he had not yet received any feedback from HP over his report of the vulnerability and had decided to publish the exploit anyway.

HP then apparently requested that SnoSoft remove all links to the exploit code or face the company's legal wrath.

SnoSoft has since obliged and killed all instances of the code.

It is thought that Phased may have released the exploit independently, against the group's rules. But because SnoSoft is such a disparate group of hackers and researchers, Phased may be difficult to track down.

He may have a Russian email address, but no one knows for certain where he comes from.

HP's actions have prompted cries of foul play in the BugTraq mailing list. One other security researcher, Richard Smith from ComputerBytesMan.com, said: "I really feel that HP went way over the line by trying to place all the blame on Snosoft for HP's security hole by invoking the DMCA and the Computer Fraud and Abuse Act.

"If this particular security hole is ever exploited by the 'bad guys', we'll probably have both HP and Phased to thank. It really does take two to tango. The Phased exploit code would never have been published if HP programmers didn't mess up in the first place," he said.