July 29, 2002
By Electronic and Certified Mail
Adriel T. Desautels
Secure Network Operations, Inc.
5 Oak Ridge Drive, Apt. # 2
Maynard, MA 01754
Re: Tru64 UNIX Buffer Overflow Exploit
Dear Mr. Desautels:
It has been brought to my attention that, on July 18, 2002, a buffer overflow exploit of Tru64 UNIX was posted on securityfocus.com under the alias firstname.lastname@example.org (a/k/a "phased", "email@example.com" and "James Green"). Based on information provided by Gil Novak to HP concerning aliases utilized by SnoSoft, we understand that this action was taken by an agent of SnoSoft despite SnoSoft's representations that it intended to comply with the industry standard practice of reporting its findings to CERT and despite the ongoing discussions between Gil Novak and Rich Boren on this issue.
Please be advised that the posting of the buffer overflow exploit has exposed SnoSoft and its members to potential federal criminal liability under both the Digital Millennium Copyright Act ("DMCA") and the Computer Fraud and Abuse Act. Under the DMCA, SnoSoft and its members could be fined up to $500,000 and imprisoned for up to five years for "offering to the public . . . any technology . . . that is primarily designed or produced for the purpose of circumventing protection afforded by a technological measure that effectively protects a right of a copyright owner." See 17 U.S.C. § 1201(b). In addition, under the Computer Fraud and Abuse Act, if anyone uses the buffer overflow exploit posted by SnoSoft on securityfocus.com to cause damage to a Tru64 UNIX system, SnoSoft and its members could be subject to significant criminal sanctions, including up to ten years in prison. See 18 U.S.C. § 1030(c)(3) & (4). Finally, SnoSoft and its members may face additional penalties under various criminal statutes of the Commonwealth of Massachusetts including, but not limited to, criminal extortion (M.G.L. c. 265 § 25).
HP hereby requests that you cooperate with us to remove the buffer overflow exploit from securityfocus.com and to take all steps necessary to prevent the further dissemination by SnoSoft and its agents of this and similar exploits of Tru64 UNIX. If SnoSoft and its members fail to cooperate with HP, then this will be considered further evidence of SnoSoft's bad faith. Finally, HP also reserves its right to seek whatever legal recourse it has against SnoSoft and its members for monies and damages caused by the posting and any use of the buffer overflow exploit.
cc: Gil Novak
bcc: David Cardos