Hackers beware

Is HP right to sue the person who found a glitch in its software?

Charles Arthur
Sunday 04 August 2002 19:00 EDT

Hewlett-Packard unveiled a rather unusual approach to being informed about a flaw in one of its operating systems last week. It threatened to sue the person who uncovered the flaw under the US's "Digital Millennium Copyright Act", on the grounds that publicising it could let someone else work around the protections built into the software – something the DMCA forbids.

The threat (later withdrawn) was sent by Kent Ferson of HP. He warned SnoSoft, a group of security specialists, that they could be sued and might face prison sentences. HP's ire had been roused by the posting on a security discussion mailing list of a weakness in its Tru64 version of Unix – plus an example of the code that would let an attacker take over a Tru64 system without authority.

HP's interpretation was in stark contrast to that of Richard Clarke, the top computer security adviser to President Bush. At the "Black Hat" hacker conference in Las Vegas last week, he encouraged those present to try to break into systems – although he did allow that they might need a smidgen of legal protection before doing so.

Clarke, though, seemed to be on the hackers' side. "Some of us here have an obligation to find the vulnerabilities," he told them. Clarke was appointed Special Adviser for Cyberspace Security within the National Security Council last October, in the wake of the 11 September attacks.

But Clarke did attach a couple of provisos to his encouragement to go forth and hack: if a flaw is found, the software company should be told first, and if no response is forthcoming, go to the government.

While the former is the classic response of security groups – including SnoSoft – the second isn't. When companies don't deign to do anything about holes in software, the normal response is to post publicly about it. SnoSoft did inform HP about the Tru64 flaw, but the act that apparently angered the company was the leaking of the "exploit code". SnoSoft said that it was done by a member of the collective acting on his own.

Clarke's speech was very critical of the way that software companies, ISPs and even phone companies sell products that have glaring flaws in them. "It is irresponsible to sell a product in a way that can be easily misused by a customer in a way that jeopardises their confidential and proprietary and sensitive information," he said at a conference on wireless security, criticising weaknesses in the wireless encryption protocol (WEP) used for Wi-Fi networks.

But what chance is there that the software companies, ISPs and phone companies will take any notice? The only way Clarke knows is to use the spending muscle of the US government – which will stop using wireless networks until they have better encryption, and won't take software that has obvious flaws. The sight of President Bush's head of cyber security egging the geeks on is likely to be the tenor of the future – rather than gagging letters from HP.
