I agree fully with what both of you have to say, and I have another point to bring up. If companies like HP or Microsoft can put in their license terms which remove all liability of themselves for damage caused by security in their products or general defects, and this stands up in court (and as we know it has), how can the courts say that the producer of the product is not liable at all, but that a consumer investigating security holes in that product is liable for damages resulting from his research on vulnerabilities in that product? The whole concept itself is ludicrous, and the HP case is particularly troubling. If indeed HP knew of the bug for a year and either didn't acknowledge the problem or didn't fix it, then would it be safe to say they knew of its existence, but chose to not proceed in announcing or fixing the problem? What is a consumer to do? The company is not liable for the hole in their product, has in most cases no way to fix it, and the lack of liability on HP's part makes it impossible for the consumer to force them to fix it. This leaves the consumer with a dangerous and defective product which could cost them endless amounts of financial loss if the problem is not resolved before a hacker resolves to take advantage. In publishing an exploit for said vulnerability, a consumer is in a sense promoting action to be taken by administrators (assuming a patch is available) and on HP's part as well; now that the public is aware of the hole, more pressure can be levied to get the company to fix the problem. But this now leaves them vulnerable to be sued under Copyright laws? Where does the Copyright come into play? Is the 'su' on HP systems purely HP's code or is it derived from older shared code? What right then would they have to sue them if this vulnerability affected other operating systems as well? Furthermore the exploit is not remote and thus it's hard to see how HP could prove damages from such an exploit given its local nature on the OS.
This brings me to Phase. Phase@mail.ru, is he even in the US or is he indeed in Russia? I hate this whole situation and the power large corporations have over our government and our courts. I look at the law about allowing groups like MPAA to hack the systems of consumers and their networks based on circumstantial evidence as a clear sign that corporate corruption in our government has already gone too far, and too many of our rights are already limited for them to stop now. I'm not so sure any court is going to be willing to challenge this, as lawmakers are too influenced by large corporations to care about learning the least bit about programming and how computers work. They rely on their pocket-lining supporters to tell them that. Things look grim, and my goal of being a security researcher is far from certain. If such limitations are arising that you cannot investigate commercial software's vulnerabilities, I don't see a lucrative future and may continue down a different in the near future. I lost faith in my government long ago.

-Stan Bubrouski
(Soon to be ) Middler Computer Science Major at Northeastern University, Boston, MA

Chris Paget wrote:

><snip>
>
>> "Ferson also said that HP reserves
>> the right to sue SnoSoft and its members "for monies
>> and damages caused by the posting and any use of the
>> buffer overflow exploit."
>
>This raises a very interesting point. Bruce Schneier has stated
>publicly that he believes vendors should be held responsible for
>security flaws in their products
>(http://www.nwfusion.com/columnists/2002/0422faceoffyes.html). I
>agree with this viewpoint, as, I am sure, do many people on this list.
>However, how would this affect the vulnerability disclosure process?
>
>1) Researcher R finds a security hole in vendor V's product.
>2) R attempts to contact V to reveal the bug.
>3) V does not respond.
>4) R attempts communication several times over the next 90 days, but
>never receives a response.
>5) R releases an advisory.
>6) Attacker A writes an exploit for the hole, and uses it to hack
>into company C.
>7) C successfully sues V for several million dollars compensation.
>
>Does V still have the right to sue R? If vendors are made liable for
>security holes, and those vendors have the right to sue the people who
>find advisories and / or release exploits, then we'll be seeing
>security researchers on the wrong end of multi-million dollar
>lawsuits. I'm sure I'm not the only person who feels uncomfortable
>about this. Buffer overflow exploits are not difficult to write; it
>doesn't come down to whether there's exploit code or just an advisory.
>
>IMHO, vendors SHOULD be responsible for security holes. However,
>before that can be done there needs to be some kind of law put in
>place to protect the researchers who find the holes. Doesn't need to
>be much, just a blanket law that if the researcher has taken
>reasonable steps to alert the vendor, they cannot be held liable for
>the consequences of releasing the advisory. If that doesn't happen,
>things are going to get messy.
>
>Chris