BugTraq No Longer Able To Publish MS Security UPDATED
krow writes: "According to a BugTraq administrative note, they are no longer able to publish Microsoft Bulletins. They are copyrighting their bug reports so that others can not publish them." Bugtraq will continue to publish the vulnerabilities/bugs, but only the URLs; readers will have to click to read them. Says a SecurityFocus employee: "As the copyright holders of the work they have told me in no uncertain terms that I do not have their permission to redistribute a text version of their web page bulletins...doing so would be considered an act of copyright violation."
I agree in that the new way to handle advisories is terrible. I wouldn't want to find out about a potential vulnerability and have to go to a web site and end up encountering a "404 - File not found" or even worse, an unavailable server.
By all definitions, this is copyright enforcement. Microsoft wants to use its security advisories as a way to bolster their web stats. If BUGTRAQ wants to keep posting the Microsoft advisories, it will have to resist the enforcement or drive people to the web site.
Furthermore, this won't stop MS advisories from being posted by the people who have found the hole (there will be plenty of those I am sure) - and those are usually more informative anyway...
I believe that the legislators in the US are working to fix this problem. Microsoft is one of the companies pushing hard for this legislation. I don't know about you, but I'm starting to worry...
For what it's worth, I don't think this guy was trolling. Many *NIX admins don't even bother checking their vendors for security bulletins, preferring instead to rely on Bugtraq to get their news. To be perfectly honest, it's not a horrible strategy, considering activity on that list. And I don't think macpeep meant to suggest that the problems weren't fixed, but rather he was trying to say (incorrectly) that the fixes weren't accompanied by formal bulletins.
The problem is that Security Focus was copy-and-pasting those bulletins, according to the article. By any reasonable interpretation of copyright law, they'll have to stop that practice, even though I think it's in MS's clients' best interest to allow it to continue.
This brings up an idea: instead of just cut-n-pasting the bugs, all that SF would have to do is add some frame tags* to their page and include something like "frame src=http://microsoft.com/..." in one of the frames.
* In general, frames suck, but they do have their uses.
---
"Fdisk format reinstall, doo dah doo dah,
I pledge allegiance to the flag...
of the Corporate States of America...
"MicroSoft is forgetting that they now have made sure that even _less_ security administrators will get to know about their products weaknesses"
Actually, it's more subtle than that. SecurityFocus will still publish stuff about MS bugs (heck, I've gotten three or four in the last hour), but Microsoft won't be able to spin the bugs in exactly the way they want through their own advisories. 90% of the MS advisories read something like:
"A problem has been found in MS Blah. There is nothing to worry about. In certain extreme cases, undocumented of course, it's possible that some evil person might, if the phase of the moon is right, steal a filler image off a user's hard drive. There is nothing to worry about."
Not to mention the infamous credits, which read something like:
"Credit goes to LeetHackerGroup for working with Microsoft to protect users."
Someone's working to protect users and we all know who it _isn't_.
No, I don't think I'll miss the MS advisories...
c.
Log in or piss off.
"I guess Microsoft did that to create an easily updateable security information archive. "
Yeah. Easily updateable like "we've never been at war with oceania".
Security hole? What Security hole? I see no security hole. Windows has no security holes. Never has. Stop spreading disinformation or we'll sue you.
They probably give you the same kind of revisionist history if you ask them how they developed their compressed filesystem technology **cough**Stacker**cough**.
"Furthermore, that this information is needed, and was being distributed specifically to forward the end of stopping illegal activities and protecting the people. As such it was in the best interest of the public that the information be distributed."
This is why the CPSC REQUIRES public domain safety bulletins on cars and other products. Why should Microsoft be entitled to keep control of their bug reports? After all, these reports are of interest to their customers and potential customers. And many M$ bugs are potentially dangerous (the I Love you virus, etc).
=== The price of freedom is eternal vigilance
As someone pointed out to me recently, "Never underestimate the power of lawyers to bill by the hour." It might be "fair use", but is it worth getting sued and going to court?
karma is for the weak >)
copyright, or better yet, patent their bugs.
Wouldn't it be really fun if they sued everybody who reproduced their bugs...
Don't laugh. The DMCA (law of the land) and UCITA (possible law of the land in at least a couple of states) make it at least in principle possible for Microsoft to sue anybody who just mentions their bugs, never mind reproduces them.
-Rob
I fail to see how the DMCA actually applies to this case at all. The DMCA (or at least the part of it that /. readers usually care about) forbids the circumvention of access control methods
The bugs in Microsoft's code are access control methods; they control your access to MS's software. By publishing information on them, you are circumventing them, thus rendering yourself liable under the DMCA.
---
"Fdisk format reinstall, doo dah doo dah,
I pledge allegiance to the flag...
of the Corporate States of America...
Does this mean that I violate the DMCA if I tell you [...]
I fail to see how the DMCA actually applies to this case at all. The DMCA (or at least the part of it that /. readers usually care about) forbids the circumvention of access control methods.
Microsoft is publishing its security bulletins in plaintext on a publicly-accessible web page. No access control. No DMCA implications.
Correct me if I'm wrong, but didn't MS essentially tell SlashDot that having links to places that contained copyrighted information was the same as posting it?
So... Maybe Microsoft bugs should just not be posted anywhere.
Possible evil motives:
* Increase hits to their web site.
* Charge money for access to bug reports. (Now that would be something new!)
* Collect people's e-mail addresses
* Spin control, suppress information, change it after the fact -- the ministry of truth.
If they weren't up to something evil, they would simply give permission to reproduce the text of the report, as long as they include the copyright notice.
Or, maybe it's just stupid lawyers with too much free time. [You'd think they'd be all busy with the antitrust case and all.]
I'll see your senator, and I'll raise you two judges.
And the point is that the script kiddies will get the info anyway, by talking to whoever was willing to spend the time reverse engineering a system and sharing the information.
MS makes perfect operating systems, so why should we care about the bugs?
-Chris
...More Powerful than Otto Preminger...
If MS doesn't recant, here is my solution to this problem:
Stop vendor notification of MS Security holes.
There is a "gentleman's rule" of disclosure that says you should always notify the vendor of any security hole found, and give them time to create a patch, before publicly disclosing the hole.
The solution is to rescind this rule for MS products; because there is another "gentleman's rule" that says that vendors will admit to the hole, and issue a public bulletin.
If MS wants to issue private bulletins (which is what they're doing - you're not allowed to quote it verbatim) then it's time to forego the vendor notification.
Why not?
dude, i've been checking your stuff out for a while, and you most certainly should have your own parrot section here. keep it up!!
"Operation Foot Bullet"
That comment kicks serious ... umm, bottoms.
Cheers!
- Steeltoe
http://www.debunkingskeptics.com/
Best of MS Bugs? Sweet!
Make some program that converts the buggy bits of code into music, and then sell the album!
Sure it'd be crap, but Yoko Ono managed to sell a few albums, right?
Without the pad, it's not Dance Dance Revolution, it's Listen
If the MS advisories ever contained enough information to be useful, this might have an effect on us. But they were always very carefully worded to be vague. We'd know there was a problem, for example, in IIS, and that there was a patch - and that's all we'd know. Just that there was a patch. No information specific enough for us to use. A lot of the time, other people or groups would release more info, and that was great. But the rest of the time, well.....
reverend lola
the titanium sheep
provider of steel wool
N/T
------------------------
Now Microsoft claims copyright on their BUG reports? How is this different from reports on car defects? Those reports are always published.
Now can Ford/Firestone, et al. use the Microsoft method and bury their reports of defects under some obscure URL?
And yes, bugs in Microsoft software ARE safety threatening. How many of the most embarrassing bugs in MS software have been gaping exploits that have allowed hackers in, and allowed new generations of viruses to exploit MS software to transmit themselves worldwide, quickly?
If Microsoft made cars the hood would be welded shut so you can't look at the engine, and Consumer Reports would be put out of business because they wouldn't be allowed to publish recall notices.
I think the Consumer Products Safety Commission needs to look at this. Microsoft bugs and holes demonstrably threaten consumer safety, and should be published and public domain when they are discovered. You have a RIGHT to know that a product you bought is defective and potentially dangerous.
=== The price of freedom is eternal vigilance
First, using the phrase "security by obscurity" when that's not the issue *is* trolling, whether you realized it or not.
Second, it's obvious that you aren't a reader of bugtraq. Bugtraq encompasses *all* vendor security issues, be that *BSD, Linux, Unix, firewalls, web appliances, etc. Without MS, Bugtraq is still the same and will continue full disclosure.
Third, MS is still writing security bulletins, but the problem is that they are only publishing it on a web page and sending a link to Bugtraq. Elias took the info on that web page and cut and pasted it into an email for Bugtraq. That's when MS got pissy about "copyright" crap. Not having the info in the body of the email is bad because MS is not held accountable to what they say.
and one final thing, nobody at security focus "jumps at a MS whim." Please...
--------
-------
"Every artist is a cannibal, every poet is a thief."
There goes half their traffic.
Well, who cares? You always see it on BugTraq before it gets back to Microsoft, even when you tell them about it first...
---
pb Reply or e-mail; don't vaguely moderate.
I'm glad someone brought that up. Not only should it be fair use to publish it with a review, but also just publishing the whole damn thing unmodified should qualify as fair use under the public service clause!!! BugTraq should have every right to continue to publish Microsoft's bulletins. In fact they should be suing Microsoft over threat tactics.
I think you're missing the point here. Yes, the vulnerabilities will still be announced. The problem is, the patches won't.
Every SkRiPt KiDdIe on the planet knows about Bugtraq, and hunts down vulnerabilities there. Not every sysadmin in the world knows about the MS mailing list, so the hackers will have a distinct advantage.
I wonder how much space this will free up?
mE
----- I hate sigs.
As the article implies, it's just the Microsoft releases that they can't mirror word for word. They'd still be reporting the bugs.
I don't think this is really as bad as the headline makes it sound.
If I was experimenting with IIS and found a bug (compromise, DoS, etc) I'm still free to post it on the Bugtraq mailing list. Microsoft cannot stop me from doing this.
On the other hand, the Microsoft Security Announcements can't be posted. The solution? Go out to Microsoft's web site which can be found here and check the bulletins yourself. The other option is to subscribe to Microsoft's security mailing list.
I don't think this hurts customers very much, although it does have the side effect of either giving your e-mail address to Microsoft or visiting their web site more often.
That said, bugtraq's just one more instance of third party support Microsoft is trying to do without by consuming. It's the black widow spider of software companies, and it's moving towards the extinction it deserves.
Reducing reporting of bugs won't reduce bugs. Quite the opposite. The answer is to stop using software that not only sucks, but has a company intent on making the whole experience less enjoyable.
Rob
So they just should summarize the bug report and include the link to the microsoft web page for the full report.
I trust M$ to report bugs, fixes and keep pages stable like a girl should trust a guy to "only stick it in a little."
Don't you know M$ products have no vulnerabilities and are perfect in every way. And if you reverse engineer it in anyway shape or form they'll have you drawn and quartered.
Of course, if you're the kind of low-life who's writing viruses, you could give a sh*t... "There's an M$ box, here's the lock-pick set. Let's have fun." By the way, lock-picking sets in hands other than a locksmith's are illegal. That doesn't stop thieves.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
Bugtraq also announced that it will no longer be posting reports that contain only URL's because they want the whole report to be archived rather than a URL that will soon change...
--
*Condense fact from the vapor of nuance*
Seems to me that MS has always believed most strongly in "Security by Obscurity" and that admitting to vulnerabilities is something that is bad for the bottom line. The fact that they aren't just trying to sue anyone who even THINKS bad thoughts about Microsoft is a mystery to me.
They remind me of the Ravenous Bugblatter Beast of Traal: "...so amazingly stupid that it thinks that if you can't see it, then it can't see you..."
+++++++++++++++++++++
The Digital Sorceress
Bugs may not be useful to you, but to millions of script kiddies everywhere, they are their lifeblood. Please give more bugs to the Help A Script Kiddie Foundation.
Wouldn't that be a full-time job for someone? What with all the holes in MS code
Not a troll, just bad humour!
-Binner
Say what you mean, mean what you say! But please know what #$@% you are talking about!
1) If you don't use some sort of automatic rephraser, then that would probably cost $$ a LOT! more than BugTraq can afford.
2) If you do, then some really interesting error reports will be generated.
Any other choices?
Caution: Now approaching the (technological) singularity.
I think we've pushed this "anyone can grow up to be president" thing too far.
Oh way, the DMCA is prior art. ;)
Just because it CAN be done, doesn't mean it should!
Just categorize the bugs and rate the severity of the bug with the link. That way you avoid the copyright violation, and people don't have to go through every bug report to find what they're looking for.
Call it CYA, call it ensuring the integrity of information, call it what you will. It's in their best interests to allow BugTraq to carry these items, and work with them than to bury it in a filing cabinet in a disused lavatory in a basement with "Beware the leopard" pasted on the door (obscure HHTTG ref)
Probably better titled: Microsoft Encourages Customer Cynicism, Launches New Drive
--
A feeling of having made the same mistake before: Deja Foobar
Why do you have to cut-n-paste the exact text? Just reword the stuff. Copyrights don't apply to rewritten synopses.
Otherwise, movie reviews, book reviews, and bug reports would have ceased to exist a long time ago. In fact, these things make the original product even more popular, just consider the free publicity...
when only crackers know
bugs in the windows
only crackers can get in
Oh way, the DMCA is prior art. ;)
That's true, according to the DMCA, breaking into a computer that has copyrighted software on it is illegal. Therefore, there's no need to fix security holes in windows, since it's illegal to break into a Windows box. No cracker wants to take the risk of being thrown in the same category as those evil people who listen to (their) DVD's using DeCSS, right?
Opus: the Swiss army knife of audio codec
Hmm, that's interesting.. Does that go for commercial channels too? Can you just copy their listings or do you have to make your own somehow? Do you have a link?
ATM I'm having some problems with that when republishing tv listings on my site (with a grep interface), and would love to hear about similar cases, even if it is across the channel (I'm in holland)
makes you wonder if microsoft doesn't like the idea that the bulletins appear in the archives of the bugtraq mailing list, which they don't have control over.
Karma only matters to me now and zen.
heck, if Slashdot is changing story postings without any record of having updated it, why should we trust MS not to do the same?
"Of course Microsoft has a copyright in the text of the bug report -- copyright subsists in all original works of authorship fixed in a tangible medium."
wouldn't the copyright of the text then belong to the author of the bug report, and not to microsoft?
eudas
Blessed is he who expects the worst, for he shall not be disappointed.
Actually it can work both ways so I'm not extremely bothered. >;).
:).
;).
For example: if we find security bugs we could ask entities (corporations or individuals) which/who behave in this way to register on _our_ websites to see the info before we go public.
And we could also formulate just as fair/unfair license agreements for them to agree to when registering. e.g. "REVERSE ENGINEERING AND CIRCUMVENTION OF THIS EXPLOIT (oops software!) IS PROHIBITED, TERMS AND CONDITIONS MAY CHANGE WITHOUT NOTICE, blahblahblah". All in nice ugly caps. The UCITA/DMCA comes to mind here
Do unto others as you'd have them do unto you.
Now we won't be selling the gathered info to doubleclick would we
Cheerio,
Link.
---
Integrity is behaving properly even if nobody knows or they are helpless to stop you.
This is an easy problem to solve. All bugtraq needs to do is "review" the security announcements. They then are legally entitled to quote the material that is being used.
"I fail to see how the DMCA actually applies to this case at all. The DMCA (or at least the part of it that /. readers usually care about) forbids the circumvention of access control methods.
Microsoft is publishing its security bulletins in plaintext on a publicly-accessible web page. No access control. No DMCA implications."
This may be the next step though. They may take the bug bulletins private, even implementing some kind of very weak protection.
And yes, the DMCA can apply to this. Microsoft is now establishing copyright control on their bugs. Therefore, they could invoke the DMCA on anyone, any site, that discloses, analyzes, comments on them, etc.
This is a scary precedent if allowed to stand. I think purchasers of defective products have a right to know what potentially harmful defects exist. Especially when your company's information could be hacked, stolen, destroyed.
Maybe it is time to start firing MIS managers for purchasing Microsoft...
=== The price of freedom is eternal vigilance
If this concerns only the bug reports, then I do think they have some right to do it. Anyway, they publish it. However, if they try to restrict the discussion of their bugs this way, then it is a problem and a serious one. Note that Microsoft loves to state that the reproduction of some of their documents is "restricted in whole and in part". This is the case of their User's Guides for example. I would highly recommend reading it, as the text is quite straightforward on this. And even overcomes some legalese about Copyright Law so it is juridically dubious. In particular the fact that it seems to restrict even the right to cite their works.
In this point might be the danger. If Microsoft publishes a bug report and claims that someone violated their copyright because it cited it, then we do have a problem here. I leave the possible consequences to your conclusions...
Microsoft changed the format in which they send their advisories. Before, they used to send their emails with the full advisory in plain text included in the email. For example, consider this one sent by them on Thu, 16 Nov 2000: here
Then came advisories sent in a different format. Instead of including the full text including a description of the bug, workarounds, etc, Microsoft decided to include only a couple of URLs and that's it. You can see an example of this here. As you can see, it is a pain in the ass to read and getting the information becomes really hard.
What happens next (on Tue Dec 05), is that Elias Levy (a.k.a. Aleph1, Bugtraq moderator) decides that he will not accept advisories in this new format. You can read what he wrote here but allow me to quote:
I will no longer be approving any advisories with little or no content that point you to some other place for information.
Pretty isn't it.
What happened NEXT is where the /. story starts. On the same day, Elias took a Microsoft advisory and copy-and-pasted it as plain text in an email sent to Bugtraq. You can read the message here. Please note that this email has been sent from Elias Levy (aleph1@securityfocus.com) and not from the usual Microsoft address. This is where Microsoft got pissy.
In this email, Elias gives the tone and I quote:
It seems Microsoft was not very amused at my posting of their advisory to the list the other day.
And now we can start talking about Microsoft actions but I guess that if you read my post, you understand better what really happened. As a last note, let me repeat what has been said on Bugtraq. An email address has been created by Microsoft for us to give them feedback about their new format. This email is secfdbck@microsoft.com. Please tell them what you think about their new format.
Looking for a great online backup: Green Backup
Wow! That's such a great idea, though i prefer http://c.microsoft.com/trans_pixel.asp?source=www& TYPE=PV&p=bill_can_suck_it
It almost makes me want to start a chain letter getting people to click that a couple dozen times each... Maybe it'll be one of those HTML emails that readers like Outlook and NS load automatically, and i'll just embed the image a few dozen times...
Too many good ideas!
-benc
This should earn them enough money to see them through the current slump in tech stocks.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
BugTraq should md5 the bulletin and provide that next to the link to Microsoft. If Microsoft changes anything, people will be able to tell. If it goes away, people will see the dangling link. Microsoft will look bad either way...
Just because it CAN be done, doesn't mean it should!
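The digest-next-to-the-link idea from the comment above, sketched as an added example (not part of the original thread or any Bugtraq tooling). The URL, the bulletin text and the function names are constructed for illustration; MD5 is used because the comment names it, with SHA-256 added alongside because MD5 collisions are practical today and the party who could revise the page is the one who wrote it.

```python
import hashlib
import re


def canonicalize(text: str) -> bytes:
    """Normalize line endings and trailing whitespace so that the same words
    re-served with different formatting do not register as an edit.
    (The normalization rules are an assumption of this example.)"""
    lines = text.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    lines = [re.sub(r"[ \t]+$", "", line) for line in lines]
    return "\n".join(lines).strip("\n").encode("utf-8")


def fingerprint(url: str, text: str) -> dict:
    """Record what a list post would carry instead of the copyrighted text."""
    data = canonicalize(text)
    return {
        "url": url,
        "length": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def format_post(record: dict) -> str:
    """Render the record as the body of a link-only list message."""
    return (
        f"Bulletin: {record['url']}\n"
        f"Length:   {record['length']} bytes (canonicalized)\n"
        f"MD5:      {record['md5']}\n"
        f"SHA-256:  {record['sha256']}\n"
    )


def check(record: dict, fetched_text) -> str:
    """Compare a later fetch (or a reader's saved copy) against the record.
    fetched_text is None when the link no longer resolves."""
    if fetched_text is None:
        return "missing"
    now = fingerprint(record["url"], fetched_text)
    if now["md5"] == record["md5"] and now["sha256"] == record["sha256"]:
        return "unchanged"
    return "changed"


# Constructed sample data: a placeholder URL and an invented bulletin.
URL = "https://vendor.example/bulletins/EXAMPLE-001"
ORIGINAL = (
    "Bulletin EXAMPLE-001\n"
    "A flaw in the web service could allow remote code execution.\n"
    "A patch is available.\n"
)
REVISED = ORIGINAL.replace(
    "could allow remote code execution",
    "could, in rare cases, cause unexpected behavior",
)

if __name__ == "__main__":
    record = fingerprint(URL, ORIGINAL)
    print(format_post(record))
    for label, body in [("same text", ORIGINAL),
                        ("quietly reworded", REVISED),
                        ("page removed", None)]:
        print(f"{label}: {check(record, body)}")
```

A digest only proves that something changed; showing what changed still requires someone to have kept a private copy of the original text.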
I can't help but note, that this comes like maybe a week after a note on BUGTRAQ by Aleph1 stating that he would no longer be approving bulletins that contained JUST a URL and that all posts should include the information.
The idea being that its a security list and people subscribe to it to have the information delivered to them, not to have links so they can go find it.
Luckily this doesn't affect me, as where I work we don't run any NT systems (well some groups do, we are all Unix). However, I have to agree with Aleph1 - I want to be able to determine whether services that I am running are vulnerable or patches are available right here and now...I don't want to have to go off somewhere else - it makes BUGTRAQ less useful.
I don't see the point of this. Isn't the whole idea of these bulletins to get the word out? This copyright bullshit is silly. These are security notices, not works of art. Why do they need this extra measure of "control" over them? So they can change them and pretend that any mistakes were never there? So they can make them disappear later?
I really can't imagine any real reason for wanting this.
-Steve
"I opened my eyes, and everything went dark again"
it's been a while since i have been to the site, but from what i remember site patrons, and site controllers (webmasters or whatever) could post bugs that they found on their own. they might have had to mail them in to Bugtraq for posting or something but i remember that it could be done.
Does this mean that they aren't allowed to post any MS bugs, sort of like how MS sued that databasing (oracle?) company for publishing test results comparing their product to an MS product?
Or what happens if BugTraq finds and publishes a bug, then MS publishes the same bug afterwards? Is Bugtraq at fault for publishing it once MS does so later?
can Bugtraq publish a bug as long as it doesn't publish the exact same document? or does the MS copyright cover like documents under their (IMO rather gray) interpretation of intellectual property laws.
i really don't know the ins and outs of the legal implications of this and I'm curious to see how it applies to other technical consumer watchdog groups.
I support and respect a company's right to profit from things they've made and produced in most cases, but I also think it's important for people and groups to be able to criticize a company's product if it is flawed and compare against other similar products by other companies. i suspect it's one of the things that drives our country's economic model (I'm not an economist and don't know for sure) and I think that those watchdog groups are important to keep companies on their toes.
maybe I'm getting a little extreme in my examples, but can anyone answer my questions?
-RA7
"Consistency is the hobgoblin of small minds" - RWE
If the author of the bug report is a Microsoft employee, writing the report as part of his job, then it's a "work for hire", and Microsoft is considered the copyright holder.
That's not how the law works. They produced it, they have authority over its copying and distribution. If they say we need permission, then yes, we need permission. It's the same authority the law grants you over your work. Ever written a line of GPL'd code? What would you think if that line ended up in some Windows code somewhere in Redmond? It's the same damn thing.
If you don't like the authority the law grants, then you have basically two options. 1) Lobby your national legislature to drastically change copyright law. 2) Find a country that isn't a Berne Convention signatory and move there.
So let me turn your question back on you:
How can you be so friggin (sic) dense?
I like to play children's songs in minor keys.
"We're all sons of bitches now." --J. Robert Oppenheimer
Actually, it's more subtle than that. SecurityFocus will still publish stuff about MS bugs
Of course. Bugtraq will still have Microsoft bugs, VULN-Dev will still be used to find errors in MS' programs. The point is, SecurityFocus.com is not allowed to store or redistribute Microsoft's webpages. It's all up to Microsoft if they allow their entire advisories/webpages to be published. And frankly, I don't expect aleph1 to "write his own advisory based on Microsoft ones". He is denied to just post the damn webpage. That is all. This just _isn't_ an "everybody flame microsoft for trying to stop mouths" case. It's a "Microsoft sucks at distributing information about security vulnerabilities"-case.
Not to mention the infamous credits
At least they _give_ credit. That is the important thing.
No, I don't think I'll miss the MS advisories..
Me neither, they are too full of BS instead of the facts you want to get. There is a great posting to bugtraq today (or maybe it was yesterday) about the trouble with Microsoft's security bulletins. Mainly that they lack consistency in what to do when they update the information.
--
"Rune Kristian Viken" - http://www.nwo.no - arca
Well maybe we won't have to wait forever to load their pages! The Security Focus website is slow as a turtle these days! Delrin Kenro
This is very annoying if you want to download your emails to a laptop and read them somewhere where you don't have i-net access to read the whole thing. Well, if you run MS products, and are concerned about this sort of thing, you could always s*bscribe to their security mailing list. The bulletins don't just contain links, they actually describe the issue in detail. --
"Operation Foot Bullet"
That comment kicks serious ... umm, bottoms.
It's ripped from Operation Clambake which flames the scientologists.
:-)
--
"Rune Kristian Viken" - http://www.nwo.no - arca
>MS had a 30% increase in productivity this year: of security patches. :-)
;-)
But it compares poorly with their 45% increase in bugs.
Hey,
could you leave that poor kid alone so he can sleep?
---CONFLICT!!---
Bugtraq's use might be fair use, but it's not as simple as you make it out to be.
It certainly would be fair use to create your own original description of a bug. However Microsoft's bug reports themselves may contain original expression. If so, just as a movie critic's review is protected, so is their advisory. However, the factual parts of it are not protected, and fair use might also protect some copying of the advisory itself.
Fair use has four factors, as defined in 17 USC 107. Applying those here we find:
(1) BugTraq's use is noncommercial technical research, I believe. The mailing list doesn't come with any advertisements that I'm aware of.
(2) The nature of the Microsoft advisories is factual -- they aren't fictional works.
(3) The amount copied from Microsoft is presumably the whole thing, although if they used choice quotations this would help a fair use claim.
(4) The effect on the market or value of the bug advisory is the key issue. If Microsoft isn't selling these or using them to sell bundled advertising, then it's hard to see any negative effect. If they start selling access to these advisories, then this would strongly disfavor fair use. If they are given away free, but generate advertising revenue, then it's more muddled but probably disfavors fair use.
My non-lawyer "guess" is that unless Microsoft generates revenue somehow from these advisories that copying them in their entirety is actually not copyright infringement because it is fair use.
If MS does generate revenue from these, then bugtraq could probably get away with quoting the key passages, but MS would have a very tenable case to take to court if the whole thing was copied. I'd guess there was a small chance the defense could win, but it'd be a long shot with a large cost.
the reason openbsd doesn't post all the fixes they find in the security audit has been discussed before. basically, if the openbsd guys posted everything they found in their audit, bugtraq would have to change its name to potential-openbsd-holes.
MS: We are copyrighting bulletins. No one may redistribute said bulletins. But you can talk about them all you want.
/. slapsuit? Well SF backed down /. didn't. Had /. backed down they would have had a legally binding responsibility (look it up dear) to completely shut down the site and set up a post review board. ZDnet has one, LinuxToady has one, quite a few have them. Now who wants this to turn into ZDdot?
Parsing... Parsing... Parsing... Segmentation fault!
Why?
You can't talk about bulletins unless you get them from Microsoft. You can't discuss previous emails from Microsoft which may have been changed because that would be redistribution. You would literally have to invite everyone you are discussing things with to your home. Remember MS vs
The message on the other side of this sig is false.
What I don't understand is why BugTraq can't simply read the release and restate it in their own words. This isn't copyright violation, just as writing a book synopsis for a grade 7 report isn't. All the information can stay there, and MS can take the copyright and shove it. It's a copyright, not an NDA, and last I heard what was copyrighted was the particular instance of symbols used to express the information (ie, the words), not the information itself. If this is a problem for MS, can you imagine the problems for all the GPL'ed "work-alikes" which exist? No more gnumeric, abiword, XMMS, and boy oh boy is WINE ever in trouble!
Seriously, all it takes is a bit less effort than posting a regular bug report which they have to generate entirely themselves without any help. I don't see why this is an issue at all. If they're really concerned, they could even give a reference with the URL for the curious.
The Signal/Noise ratio can be improved in two ways. Remaining silent is the OTHER way.
If you're the least bit concerned that BugTraq will not be posting MS security releases why not go and send an email to microsoft_security-subscribe-request@announce.micr osoft.com
Anyone administering NT systems should probably be subscribed to this list anyway.
Can anyone tell me why the posting script put a space between the r and o in microsoft when I previewed it even though I didn't type a space?
Just rewrite the bug report from scratch, using only the facts and, when needed, fair use.
--
Game over, 2000!
Hello?
Shoot yourself in the foot, why don't you?
If you can't take bad press don't play the game, but don't stop others from playing it.
If that's the way MS wants to be, then release bugs/exploits on bugtraq first. This way the security community will be advised first. MS can read about it on bugtraq, like everyone else. The idea of working with a vendor to help them solve problems before advisories are released works as a two way street, give and take for all parties involved. MS has clearly shown they're not interested as such in working with the security community in this latest decision by their management.
Oh joy, another Microsoft apologist. The Stacker incident was a good example precisely because it IS old. It would be interesting to see how Microsoft explains the "development" of their disk compression technology today.
If you want recent examples, I could refer to the DOJ case and Microsoft's lies and underhanded tricks related to that. Just let me know if you want to hear it...
It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
A Copyright is not the same as a trademark.
I can understand why a company would (and must) vigorously defend its trademarks. I also understand why companies want to prosecute violations of their valuable copyrighted works.
But what is the value of trying to clamp down on control of information such as security problems and vulnerabilities? There must be some ulterior motive.
After all, with a copyright, MS could just grant anyone permission to redistribute and reproduce the text of the bug report -- provided copyright notices remain intact.
So why aren't they doing something like this? I think previous posters got it exactly right. They can silently edit things after the fact. Change links. Change the contents of linked pages, etc. One thing about news on the web is that no permanent record exists.
One other thought: Since copyright doesn't protect the idea, BugTraq could explain the problem in their own words, and there is nothing MS could do about it.
I'll see your senator, and I'll raise you two judges.
copy and paste it to an html page
throw quotes around the whole thing.
put (Microsoft, $url) at the end.
http://jones.ling.indiana.edu/~prrodrig
Yeah. Surely offtopic talking about bugs and Microsoft, when the Topic is Bugtraq and Microsoft. :-/
Uh, no.
totalnews.com still exists. Interestingly, instead of displaying the LA Times inside the frame, they open a new window for them. But for most other papers, the ones that didn't complain, their site still opens in the frame.
Untrue! This is really a GOOD thing! Micro$haft can't help but shoot itself in the foot, this time by impeding the dissemination of security information by adopting an uncooperative position with the Internet's Security Community. Let's all admit that Billy Boy Gates dislikes playing with other children in the same sandbox. Just another Micro$haft marketing gem, right up there with Licensing Audits and Law Suits!
Maybe Micro$haft is in league with the DOJ/FBI - both intent on heightening cybercrime hysteria. By protecting software with weak security from timely peer review, if Micro$haft is able to deliver "The Global Internet Meltdown", Imagine the powerful and draconian cybercrime laws John Q. Public would rush to embrace!
Don't laugh! The Micro$haft Outlook vulnerabilities have already delivered the very same Law Enforcement Quid Pro Quo.
oh....my!
...that probably won't make M$ bug reports any less informative, but it is likely to at least make them funnier.
Got time? Spend some of it coding or testing
Actually, in Feist, fake listings from the white pages were copied. There were a thousand or so entries directly lifted that were impossible to verify.
Although I suppose the copying of the four "made up" names is a technical infringement, since making up names is probably sufficiently original to warrant a copyright...But that wasn't addressed in the case.
Can you say "Digging their own grave" ?
Bill Gates: "I know...let's make it more difficult for admins to find out about bugs in our OS - if they don't know about the bug, then it doesn't exist, right?"
[Steve]
This is just the latest application of MicroSquish's well-known "Stick your fingers in your ears, close your eyes tight, and yell 'la la la la' and hope it all goes away" approach to security.
NT is not secure, it's not securable, and trying to keep the script kiddies out of an NT host is a complete waste of time and money.
The solution is, run BSD, Linux, MVS, or any other securable system, and if you have the misfortune to have apps that require NT, run it under VMWare.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
BugTraq started posting the whole bulletins after Microsoft changed the bulletin format to only contain minimal information and a link to the Microsoft website.
This is very annoying if you want to download your emails to a laptop and read them somewhere where you don't have i-net access to read the whole thing.
I guess Microsoft did that to create an easily updateable security information archive.
But they should still put in the whole info into the email, and post a link where you could find updated information.
if you care, send an email to Microsoft Security Feedback
Before you email me, remember: "There is no god!"
That's just security bulletins. Near the bottom of those messages Microsoft even puts a disclaimer about redistributing them. This is not going to prevent BugTraq from announcing bugs or security "features" on their mailing lists. Microsoft probably wants more people to subscribe to their security bulletins and get the information directly from them and not a third party.
patience is a virtue... anger is a gift
It is truly sad to hear that Microsoft is copyrighting their bug reports. I guess that is a good way to control the perception of their products, but it is truly a disservice to their users.
But I guess users come last in the Microsoft food chain, right?
This was >=15 years ago. It included the commercial channels.
If M$ wants to copyright their bulletins, that's completely reasonable; they wrote them. As far as the content of the bugtraq message goes, what stops someone from REWRITING the content of the bug in their own words, commenting on it, and republishing the bug regardless of what microsoft says? This is legal, and completely covered under the first amendment. Stop complaining, and start writing.
I don't see the same advantage you have - in my experience, many times the bug description is posted on BugTraq FIRST, and then the vendor will eventually send out a bulletin about the bug description (and hopefully) a workaround or fix.
So really, if you want all of the bulletins as soon as possible, you go to a place like BugTraq - you don't wait for the vendors to respond.
Really, it is only three paragraphs long, and the second one very, very clearly states: Of course the vulnerabilities and their information will continue to be announced. ~luge(slowly but faithfully losing his faith in /.)
IAAL,BIANLY
If they're copyrighting the bugfix page, isn't that some sort of acknowledgement of legal responsibility for the bug, and therefore should be liable for damages it causes?
I may be way off base.
A better method is the switch inside the circuit breaker box, but that's not a button. Instead, the button on a detonator attached to the hard drive of the machine in question is recommended.
In extreme cases, a MIRV aimed at Redmond may be the only solution.
--
"Open source is good." - Steve Jobs
"Open source is evil." - Microsoft
Isn't there some rule that says you can't copyright information? That is, doesn't copyright actually protect the presentation of information? You can't copyright, say, a phone number, but you're not supposed to distribute Xeroxes of the phone book. If I'm right, BugTraq will just have to do a lot of paraphrasing.
They aren't charging for their security bulletins yet, so what is the loss?
;).
If the damages are because people know that their stuff isn't so good so they lose money, then I don't think that's a good way to convince even a half-decent judge
In places where you get decent judges you do get rulings like: OK Plaintiff A wins, awarded sum of 1 dollar in damages, Plaintiff A to pay legal costs of both parties. I'm not a judge but I believe that's judge-speak for "Stop wasting everybody's time with _stupid_ cases".
Cheerio,
Link.
Just because Microsoft is claiming "copyright" protection on their announcements, does not mean they're trade secrets!!! You can publish copyrighted material under fair use laws, AND get away with it!
I mean, you can publish copyrighted material and include a review of it, and that would be fair use.
I really think SecurityFocus needs to talk to their lawyers about this. I'm sure they'll find that it's completely legal.
As for Microsoft, they deserve everything coming to them.
You know, it just figures Microsoft would pull something like this. This is an obvious attempt at getting them to stop publishing "damaging" information about Microsoft. This is EXACTLY why I can't stand Microsoft. A lot of people say "You hate Microsoft because they make lots of money and you're just a Linux zealot." BUT it is not that at all, it's that 1) All Microsoft cares about is their image and profits. Yes, I realize that companies are in business to make money, but they also have a responsibility to those who are paying them, and to the greater community. Microsoft could care less about the companies that pay them money, just as long as they keep paying them money.
A slip of the foot you may soon recover, but a slip of the tongue you may never get over. -Benjamin Franklin
For the jaded person. They can read about the hole. Get it to work, explain it to someone else then have the other person write it up with a much worse picture than MS. No copyright violation done since the writer never read the original post. But more damaging since the writeup was not done through the MS FUD factory.
And that's not what they said. They said that 'bugtraq will not be distributing Microsoft Security Bulletins'. They said nothing about 'information about microsoft security problems'... they just meant that you will not be able to rely on Bugtraq to release to you MS Security bulletins automatically when released by microsoft.
1976 Copyright Act: Section 107. Limitation on exclusive rights: fair use. "...The fair use of a copyrighted work, including such use by reproduction in copies...for purposes such as criticism, comment, news reporting, teaching..., scholarship, or research, is not an infringement of copyright..." Microsoft is full of shit. I guess that's what you can do when you're a monopoly, eh -- send educational, non-profit mailing lists cease and desists...
Yes, the vulnerability can still be summarized and published, but that adds a layer between the true and only source of information (in the case of proprietary software) and the BugTraq audience. We will miss the dialog when BugTraq subscribers challenge the Microsoft advisories for failing to resolve, or even understand, the issues. This is a regular occurrence when it comes to MS advisories.
Personally, I think they are doing this because they are tired of getting called on the carpet when their "fixes" aren't, their "workarounds" don't, and their downplaying of the real impact is trounced.
But can you print it on a t-shirt?
"One microsoft-bug-list-T-shirt, please. Size Hindenburg[1], please."
[1] large object was chosen at random - the final fate of the Hindenburg, didn't have anything to do with it...
--
TC - My Photos..
The reason that copyright exists, is to encourage creators to create expression. That encouragement is normally implemented as profit. The profit comes from the creator having a temporary monopoly on the expression, so that they can sell it, license it, etc.
Government grants copyright and legal protection to creators in order to get something in exchange: creative works (which, after it falls into public domain, then benefits the people that gave government its power).
Microsoft issues security bulletins in order to increase the security of their installed base of users, thereby increasing the reputation of their product, thereby hopefully increasing sales of their product. They do not write security bulletins in order to sell them or license them for a profit.
Government grants copyright and legal protection to Microsoft security bulletins in order to get ... what in return?
My limited imagination does not see a connection between the purpose of government granting copyright, and Microsoft writing security bulletins.
If anyone here ever ends up starting their own government and writing their own copyright laws from scratch, I hope that they consider this issue. ;-)
---
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Microsoft is now establishing copyright control on their bugs. Therefore, they could invoke the DMCA on anyone, any site, that discloses, analyzes, comments on them, etc.
I don't think so. IF Microsoft implemented some sort of weak protection (ie, only allowing paying customers to see the bulletins), and someone hacked the protection, the act of circumvention (hacking) would be a violation of the DMCA.
But disclosing the content of the bulletins themselves (and analyzing and commenting on them) is the same issue that has been bandied about on this thread -- we have fair use to criticize, quote facts, etc.
Look at it this way: the DMCA applies to deCSS. It's a violation of the DMCA to circumvent the CSS on DVD's. But there's no DMCA violation involved on other copyright violations of the CSS-protected material.
Here's an example. Hacker uses deCSS to decode a DVD. That's a DMCA violation. Trader distributes the decoded version that Hacker mailed to him. That's a copyright violation, but Trader did not circumvent access controls, nor did he traffic in circumvention technology. So Trader doesn't violate the DMCA.
This is hair-splitting, admittedly (and should not be taken as legal advice).
But while I think it's fair to be worried about the DMCA and UCITA, this vanilla enforcement of copyrights by Microsoft, while draconian and unwise, shouldn't lead to paranoia and hysteria.
Microsoft wants to drive more traffic to its web site. Its security postings are one mechanism to do so. That takes precedence over things like full disclosure, or serving the security community.
Web traffic is $$.
Don't even think Microsoft cares about security - they don't except for its ability to make them look bad. If they can market something as secure, it really doesn't matter whether it is or not.
And this is a direct attempt to hit BugTraq squarely in the wallet by taking most of their web traffic, and having them click through to Microsoft.
A method whereby a computer program inputs an amount of data greater than the size of the buffer which receives that data, allowing on-the-fly modifications of the program's behavior... oh wait, prior art. Damn.
Though it's almost a shame one can't do something like this--it would be a great argument to take to pointy-eared bosses who want to ignore security problems...
--
BACKNEXTFINISHCANCEL
So justify to me the wisdom of copyrighting a bug advisory.
Don't ask me, I didn't copyright it. And it's not the copyright that's at issue here. Just because it's copyrighted doesn't mean it's automatically restricted. It's the way Microsoft has exercised the rights granted by copyright law that's at issue. I'm sure RedHat copyrights their advisories, too. The difference is that they want people to copy them. Have you ever actually read the Terms of Use applied to a RedHat advisory? They basically say copy to your heart's content and send it where ever you please, but do not modify the advisory.
it is NOT "the same damn thing". No one is making a profit off of informing the public of a hole in an operating system
It is too the same thing. They produce some information and copyright it. You produce some information and copyright it. Motive is not an issue here and neither is profit. It's their information and they have a right to control its distribution. It's too bad they chose to handle it the way they did, but that's their prerogative. You can bitch and moan all you want, you have that right, but you can't copy and distribute Microsoft's advisories any way other than they allow, and that's their right.
I like to play children's songs in minor keys.
"We're all sons of bitches now." --J. Robert Oppenheimer
I don't think this hurts customers very much, although it does have the side effect of either giving your e-mail address to Microsoft or visiting their web site more often.
You're on to something here. Microsoft gets to show ads and place promotional messages in its e-mail newsletters and on its web pages--even the bug report pages.
Maybe the revenue derived from these ads (even if it's cross-marketing of other Microsoft products) is so great that they'll start issuing bulletins for nonexistent bugs just to draw more traffic to their security announcement site.
You cannot protect a fact as intellectual property or under copyright protection. This is why anyone in the nation can publish the scores of an NBA game -- the NBA does not "own" the statistics of the players. Anyone can write a film or game review -- it is not illegal for me to say what happens in your movie or game. For this reason, there is nothing illegal about reporting bugs, DMCA be damned. 1st Amendment wins, fatality.
Security Focus may not be able to copy-and-paste, but they can read a report in the Microsoft email and report on the report. Again, facts cannot be copyright protected.
Online wrestling as a trading card game? WWF With Authority.
If they can't copyright mistakes, then how are they gonna stop people from pirating windows??
They just need to note the copyright holder.
:-)
Microsoft can't do a thing about it.
Pretty silly thing for MS to do, regardless. This just makes them look like they're trying to hide things.
On an amusing note: MS had a 30% increase in productivity this year: of security patches.
Regards,
-scott
I don't think that they would have a leg to stand on if Bugtraq still posted them. As long as they aren't used to generate profit, I think that reproducing them would fit under the fair use provisions in copyright law.
Anyone want to comment on that?
You'd think that a company so into the Internet and selling web servers would understand the concept of URLs. They really do make it hard to link to anything on their site, which is the whole point of the web. Their URLs are neither uniform, nor let you locate resources. (To be fair, places like ZD Net are just as bad.)
Software sucks. Open Source sucks less.
Well, no, not really. With Open Source, you can _see_ what the changes are.
reverend lola
the titanium sheep
provider of steel wool
It's the perfect business model I tell you.
1. quickly throw together a piece of software
2. make people pay you to test it for you (msdn beta tests)
3. package all the "undocumented features" up in a database, then sell that too (msdn technet)
4. crush anyone who even hints at your product being in any way inferior to any other product.
of course MS told bugtraq to stop, no one is making any money off of it, you just can't respect someone that's just performing a valuable service for free, people like that must be crushed for the good of all capitalism!
if they're not stopped, it will catch on! pretty soon people will be helping other people all over for free! the whole system will break down! it'll be anarchy!!!
this has been a test of the emergency sarcasm system(c) if this was an actual rant it would have been followed with a series of flames...
gotta luv MS, just when life is getting dull they do something else worth laughing at.
RA7
-
"Consistency is the hobgoblin of small minds" - RWE
This is clearly information that shouldn't be hoarded... This is not 'art' and to consider limiting/selling 411 for security problems that are your OWN fault is ridiculous... Oh wait, I guess that's not different than their OS strategy... Sorry, my mistake. PS: If they are copyrighting this 411, then they also be liable for any problems due to them.
"The pure and simple truth is rarely pure and never simple." -Oscar Wilde
Basically xato went out and tried to figure out which bugs existed, which bug affected a given ms system, and which hot fix works for that bug... It was hell.
--locust
Apparently you can protect information only if it pertains to the Olympics. They suppressed Olympic athletes from posting journals to the web. Really horrible, in my opinion.
Actually, you can protect some facts under trade secret laws. For example, the secret formula of Coca Cola. But the fact that Microsoft is giving the information out causes it not to be a trade secret.
Software sucks. Open Source sucks less.
The next step for Microsoft is to check the http_referer and deny traffic coming from BugTraq. If they do, you heard it here first.
Michael
Do you have ESP?
Ok, let me repeat myself again. :)
patches not bugs.
and
Not that Bugtraq isn't good, just that if you need to keep up with vendor patches, it's not the way to fly.
i guess that i'll have to stop diggin in their trash cans in hopes of getting bug reports. of course i wasn't getting much from them anyway as the lines are enormous.
-:-:-:-:-:-
nothing much and if you're smart go to this page and tell me how to get it working.
how about this... Microsoft writes really bad reviews of their own software and then copyrights it. Then anyone who says bad things about Windows etc. gets told they are breaking the copyright and gets a C&D letter. (Sadly i really think they would do this if they could)
Imagine how secure Fort Knox would be if nobody knew where it was.
This situation is similar. After all, nobody but Microsoft can fix the flaws, so what's the point of having people know about it? People will predictably respond in their superior way that SysAdmins need to know the security holes so that they can take them into account and defend against hackers. But the only way the hackers find out is by reading bugtraq!
I honestly think the net effect will be improved security for the great majority of sites.
KTB:Lover, Poet, Artiste, Aesthete, Programmer.
There is no
>They can surreptitiously add/remove information from any bulletin at any time, and not tell anybody
Here's an idea:
Why not provide an md5sum of the webpage contents? That wouldn't be illegal (no way that an md5sum is a copy of the material), and would quickly show foul play by Microsoft. If they took one each week they would be able to tell how often and when the info is changed.
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
Wouldn't it be really fun if they sued everybody who reproduced their bugs...
They could start with access violations in end-user programs, that should break the neck of 99% of all other software producers.
(English-to-French, French-to-English of http://support.microsoft.com/support/kb/articles/Q 177/0/89.ASP.)
Of course, you might also run it through the Dialectizer:
--
This just isn't that bad. There is no way that the fact of the existence of a bug can be copyrighted, only the text. No judge in the world would uphold an action for reporting, in your own words, the existence of a security hole.
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
This md5 scheme will break when Microsoft updates their site's look and feel. The MD5 hash will change when they rearrange their HTML layout or change IMG filenames.
cpeterso
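The page-hashing idea raised earlier in this thread (publish a checksum of the bulletin page to detect silent edits) and the objection to it (a layout redesign changes the hash too), as an added example that is not part of the original thread: hashing only the visible text lets a redesign be told apart from a wording change. SHA-256 is used here in place of md5sum, and the HTML pages, function names and labels are constructed for illustration.

```python
import hashlib
import re
from html.parser import HTMLParser


class _TextExtractor(HTMLParser):
    """Collects text nodes, ignoring markup and script/style bodies."""

    SKIP = {"script", "style"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self._skip_depth = 0
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.chunks.append(data)


def visible_text(html):
    """Return the page's text with tags dropped and whitespace collapsed."""
    parser = _TextExtractor()
    parser.feed(html)
    parser.close()
    return re.sub(r"\s+", " ", " ".join(parser.chunks)).strip()


def raw_fingerprint(html):
    """Hash of the exact bytes served: changes on any edit, layout included."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def content_fingerprint(html):
    """Hash of the visible text only: stable across layout-only redesigns."""
    return hashlib.sha256(visible_text(html).encode("utf-8")).hexdigest()


def classify_change(old_html, new_html):
    """Compare two snapshots of the same page."""
    if raw_fingerprint(old_html) == raw_fingerprint(new_html):
        return "unchanged"
    if content_fingerprint(old_html) == content_fingerprint(new_html):
        return "layout-only"
    return "content-changed"


# Constructed sample snapshots (not real bulletins).
ORIGINAL = """<html><head><title>Security Bulletin (constructed sample)</title>
<style>body { font-family: serif; }</style></head>
<body><img src="logo_v1.gif"><h1>Security Bulletin (constructed sample)</h1>
<p>Impact: remote code execution.</p>
<p>Workaround: disable the affected service.</p></body></html>"""

# Same wording, new stylesheet, image file name and wrapper markup.
REDESIGNED = """<html><head><title>Security Bulletin (constructed sample)</title>
<style>body { font-family: sans-serif; margin: 0; }</style></head>
<body><div class="hdr"><img src="logo_v2.png"></div>
<div class="main"><h1>Security Bulletin (constructed sample)</h1>
<p>Impact: remote code execution.</p>
<p>Workaround: disable the affected service.</p></div></body></html>"""

# Redesigned page with the stated impact quietly reworded.
SILENTLY_EDITED = REDESIGNED.replace("remote code execution", "denial of service")

if __name__ == "__main__":
    for label, page in (("redesign", REDESIGNED), ("silent edit", SILENTLY_EDITED)):
        print(label, "->", classify_change(ORIGINAL, page))
```

The text-only hash still changes when markup is inserted next to punctuation or when boilerplate such as a "last updated" line is part of the page, so a stored copy of the extracted text is what lets a reader see what actually changed.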
They are copyrighting their bug reports so that others can not publish them.
OMG, that has to be one of the funniest things I've ever heard. Jeez, I don't even know where to begin. Does this mean that I violate the DMCA if I tell you all that sometimes, Windows 98 has problems shutting down when setup with 5 or more network drives? Or that 98 scandisk sometimes fails to run when McAfee is installed?
Who do they think they're kidding? This is obviously a pathetic attempt to control the spin on the Microsoft Bug-O-The-Week(tm). Gee Microsoft, instead of worrying so much about who reports your bugs and when, why not FIX THE DAMN BUGS! Hello? Justice Department? Are you paying attention?
All right, rant over. Every time I think this world can't get any weirder, I'm yet again proved wrong.
All right, getting all the patches eventually is good - but you're not going to get them until the vendor has actually acknowledged the problem, analyzed it, created the patch, done (you hope) some testing, then posted it. And _that's_ if the vendor decides to actually acknowledge the problem.
In the meantime, you need defenses & some kind of workaround - and the most timely method of getting that information is from the people who just got slammed by the bug, and who are reporting their experiences to services like BugTraq.
In other words, I'm agreeing with you about needing to monitor the vendor releases closely so you can keep your system "officially" up to date, but if that's ALL you're relying on, then sooner or later you're going to get screwed and not even know what hit you.
To do more than that, you need services neutral w/respect to any individual vendors, like BugTraq.
In the case you cited the defendants selectively copied certain entries that were useful to them. Had they copied the whole thing it would have been infringement.
Si vis pacem, para bellum
The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
Someone ought to copyright an exploit or patent an exploit in the Windows operating system and make it illegal for them to fix it...
That's all well and good, but the sections of Title 17 you've just cited cover fair use. We're not talking about fair use here. Fair use includes things like excerptation, citation, summarization, paraphrasing, and not complete verbatim copies for the purposes of publishing, which I'm sure is what Microsoft thinks BugTraq is doing with their advisories. Complete verbatim copies do fall under the doctrine of fair use under a number of circumstances, but not publishing, and that is what we're talking about here. You can argue all you want about whether BugTraq is reporting news or publishing other people's work, but Elias Levy sure isn't going to take Microsoft to court to split hairs. And if he did, who do you think would have the bigger guns? No, IANAL, and I am especially not one of Microsoft's, and I certainly hope YANAL either.
I like to play children's songs in minor keys.
"We're all sons of bitches now." --J. Robert Oppenheimer
Microsoft obviously has a massive example of 'prior art' in this arena and with all the past, present and future bugs in their code, they're likely to double their revenue.
---
seumas.com
That's not likely to work either. Another site ("TotalNews.com"? I can't remember the name) once tried to make a quick buck by linking a whole bunch of other news sites in a frame and running ads - essentially, they were making a links page and using ad revenue off it. They were cease-and-desisted out of existence, if memory serves.
until (succeed) try { again(); }
Consider a novel like Dune. I may not reproduce the book online, but I can summarize the plot by telling you that it is about how the Harkonnens destroyed Atreides, claiming back the planet of Dune for themselves. And how the surviving heir, Paul Atreides leads the Fremen of the desert to take back Dune.
If MS thinks this can prevent people from talking about bugs in MS software - it can't. If I was a hacker, I would simply say: "There is a bug in the SSL module of IE. This is the program for the exploit." The program is copyrighted by me. If anything, they are infringing upon my copyright by telling me where and whom I can distribute it to.
BugTraq shouldn't be publishing Microsoft documents verbatim (if Microsoft doesn't want them to). BugTraq should summarize, in their own words, and post a link to the Microsoft article. It's all about respecting the wishes of the copyright holder. It's the same story as Napster.
Hmmm... download it for personal use, then take a diff. Post the diffs to bugtraq.
What is surprising is that Microsoft is consistent with the timestamp in their updates. If something was edited last week, it will say so at the bottom... even if the article was first posted three years ago.
Ever tried to visit the M$ site with a non-M$ browser - generally their pages are full of ActiveX controls and MS$ proprietary "extensions". Looks like we'll all need to maintain a copy of M$ to access the reports.
maybe MS is just worried that people will find out just how bad the bugs are, and hope people will be too lazy to click on links
..bugs or "issues" as MS calls them are probably their most creative work and there is an abundance of it. Let them be jealous of their art pieces.
If this is true, then it's really sad to see that through law they manage to enforce censorship.
What's next... ?
Finally, because I'm so tired of spam from those Redmond guys....
--
On scale from -14 to 56 this post is '-15, Nonexistent'
What Microsoft is doing is telling Elias (moderator of Bugtraq) that he cannot *change* the content of the original email that the MS security bulletins are sent out in. That is totally different than saying that MS has copyrighted the advisory and won't allow Bugtraq to post it...
Basically, the new MS format is very non-informative, and therefore, not very helpful for those in need of information about a new vulnerability. They want to centralize the location of their advisories so that customers can get up to date information in one place on the web.
I applaud them for trying this out, but I don't think it is the best way to go. I still prefer the old method of sending out all of the advisory in a single email.
Furthermore, this won't stop MS advisories from being posted by the people who have found the hole(there will be plenty of those I am sure) - and those are usually more informative anyway...
- Rick
www.bluealien.org
Prophets of the Blue Alien
This is a big load of bullcrike on the part of M$... Economical (I know, economic science is different from economic practice.) pressures cause Microsoft to "blind" their customers as much as possible, but BugTraq is great for administrators to use as a resource if they don't want to subscribe to microsoft-conglomerate-press.
But hey, who gives a damn, end users are gonna die anyway...
BugTraq will still publish MS security bugs/holes - they just cannot cut & paste the MS bulletins directly. Most UNIX bugs will not even HAVE bulletins to copy & paste. This is an absolute non-issue and definitely not news-worthy, unlike many other stories.
I wonder why Microsoft has not come up with this: bug report licenses! Everybody who wants to read them has to agree to the EULA first and pays a small amount for each report. I volunteer for a bug-report distributor :-)
Ok, so basically BugTraq can't have verbatim copies posted because permission was never granted by Microsoft.
Did anyone think to ask? How hard could it possibly be to tap Microsoft on the shoulder and say "Hey, a lot of people read this mailing list looking for security information. Specifically they want to know right away when vulnerabilities are discovered. It would be a shame if you disappointed those readers who run your software. May we have permission to post your advisories?"
I think this is a mind shackle that a lot of people can't get past. I think most people see that phrase about authorization and permission and they stop there. No you can't do much without permission, but yes, you can ask for permission.
I like to play children's songs in minor keys.
"We're all sons of bitches now." --J. Robert Oppenheimer
This is the kind of thing that XML's supposed to fix. Let's all speed up the migration to a better markup language, and pronto! Then, we'd just diff against the content, not the presentation...
Yes.
Microsoft is a large corporation. I am not going to try to dog on them or anything, I will give it to them that they probably have a lot to worry about and security response probably doesn't get the same reaction time as a smaller corporation would. A source like BugTraq which helps make the IT world more aware of vulnerabilities and how to guard against them would be a huge benefit for a place like Microsoft. It should be more comfort to them that more people can secure themselves against their own bugs. They are obviously profit-oriented, so how does controlling the source of knowledge help them? It really doesn't make any sense to me that they would try to control their bulletins issued like that. It really won't hurt Bugtraq any though, Microsoft is usually the last person to release anything about their own vulnerabilities.
Microsoft announced yet another gaping security hole in Internet Exploder 5.x. This time, it's the print template feature. A hostile web site could run code on the user's machine; insert viruses, trojans, or other hostile code. It may be possible for a hostile web site to install Back Orifice 2000 via this mechanism and take over the user's machine. Spammers and DoS attackers who need to take over large numbers of machines may also exploit this hole. Stealing credit card numbers via this mechanism may be possible...
This is yet another example of the harm Microsoft has illegally caused its users to increase its market share. As Judge Jackson wrote in his decision in US vs. Microsoft, "To the extent that browsing-specific routines have been commingled with operating system routines to a greater degree than is necessary to provide any consumer benefit, Microsoft has unjustifiably jeopardized the stability and security of the operating system." Users affected by this bug may thus wish to consult with legal counsel and may wish to report the event to their state attorney general if their state is a plaintiff in US vs. Microsoft. To do so, click here...
Now that's how to do it. A few weeks of that, and Microsoft will be begging SecurityFocus to go back to echoing Microsoft PR.
This totally rules!!!!!!!!!!!!
You should submit this for an episode!
Truth isn't Truth - Giuliani
I'll just copyright the bug in my cerebral software that always makes me bash Microsoft products.
The real purpose is to further the public good. The founders of the United States concluded that the public good is furthered ONLY by increasing the number of works in the public domain.
Ergo, Copyright law, which granted a time-limited limited monopoly. Authors can use it to require remuneration for their works.
The purpose of copyright law is NOT to maximize the rate of return to the copyright holder (note, this isn't necessarily the original artist) for copyrighted works. Nor is copyright law's purpose to maximize the number of works available. (If it was, then why did they put a time-limit on it?)
Copyright law's purpose is to further the public good by ensuring the maximum number of artistic works are in the public domain.
Both have copyrighted their fixture lists, and some fan sites have been told not to post fixture lists. Apparently you have to pay them money to be able to print such lists.
And most importantly, any open source programmer worth his salt will call the new patch a different name/version than the older, in order to avoid those confusions. You may get daily patches, but you can tell them easily apart by their name alone, no secrecy nor sneakiness involved.
Say no to software patents.
So you can't copy word for word, big deal. bugtraq could quote and attribute to the source, paraphrase and list MS as the source etc etc etc. Can't even properly implement a sinister plan to conceal their problems
This is of course known as the REALLY FSCKING STUPID school of marketing, dominated by the idea, "Our customers will only listen to US! (and no bugs are really serious anyway)". Unfortunately software problems can cost customers buttloads of money, meaning that this 'ostrich mode' strategy will produce a small amount of unrealistically rosy PR and a world of hurting in practice.
Couldn't happen to a nicer company- hopefully not too many other companies will really follow MS all the way down, marching into hell like trusting little lambs- if for no other reason than it'll be very costly to trust MS, and the bottom line will show it.
Do MCSEs get training in how to spin consulting fees etc. so that it doesn't look like MS's fault when support costs are high? Probably the main strategy for dealing with an expected firestorm of hackings and security breaches is to paint intruders as brilliant evil hackers rather than boring script kiddies.
...patent software bugs, and sue Microsoft !
Now if I'm not mistaken, it's not about not publishing bugs, but rather about the bulletins themselves.
It seems MS has copyrighted their bulletins (not the bugs ;-) ) and prohibit to distribute their copyrighted material.
I guess you can still publish the incident, but you would have to write your own "bulletin".
While I can understand that MS wants to protect their precious incredibly sophisticated and unique security bulletins I guess there are other reasons for this.
What MS tries to do for security reasons (at least that's what I think) is to establish their site as the only way to obtain official bulletins.
One can only suspect that they are scared that someone might post fake messages on those lists, making them in some way look official.
"Mommy, mommy! The garbage man is here!" "Well, tell him we don't want any!" -- Groucho Marx
Is Microsoft going after Google as well, now?
And if not, why not?
--
I feel fantastic, and I'm still alive.
This looks like a move towards having EULA on the security holes themselves: "By agreeing to this EULA, you accept that you will not use any of the security hole in Win 2000 and that you will act as if nothing was wrong..."
I mean, who cares whether the system is secure or not. As long as you agree to the EULA, everyone's safe!
Opus: the Swiss army knife of audio codec
They might not be copyrightable, but they might be patented. Wouldn't that be neat - living in a world where you were legally unable to actually have bugs because M$ owned them all!
Sorry - you cannot have General Protection Faults in your system because we at M$ have patented that bug!
Sorry - invalid pointers and sloppy code as a process for product delivery is ours as well!
I donate all spillover Karma to the charity of my choice... Ada was still a babe despite what people may say...
Hi! This is the Sig, blatantly attached to the end of this comment.
I clearly cited the section that supports my argument, where is section of the law that supports yours?
From Title 17 section 106 "Exclusive rights in copyrighted works":
"...the owner of copyright under this title has the exclusive rights to do and to authorize any of the following:
(1) to reproduce the copyrighted work in copies or
phonorecords;
..."
Need I say more? The preceding bit that I didn't cite says subject to section 107, but that's the part you cited and is basically the legal definition of the criteria of fair use. The only way it will ever be resolved whether BugTraq's posting is fair use or infringement is if it's tested in court, and like I said, Elias Levy won't be taking on Microsoft anytime soon. So for reasons of practicality, he's going to treat the posting of Microsoft advisories on Bugtraq as an infringement, and so will Microsoft.
The Law doesn't give a tinkers damn what Microsoft thinks...(or at least it shouldn't).
You're absolutely right, but the law doesn't care what you or I think either. What matters is what a judge, or perhaps a panel of judges thinks. And again, we'll never find that out.
Publishing is irrelevant, how can you reproduce something without "publishing" it? Pick any form you like. Newspaper, Oil painting or scratching in the dirt with a stick, if you put it where other people can see it you are "publishing" it.
Ok, so I picked the wrong word, but look at it this way: If Elias lets the advisories onto Bugtraq he faces the wrath of Microsoft, and for fear of losing a court case the likes of which have fallen in favor of the big corporate interests of late, he won't do it. And if he did Microsoft would threaten and threaten and could very well take him to court. Considering the track record of U.S. courts in intellectual property cases lately, Microsoft stands a much better chance than Elias. You and I may consider BugTraq news reporting, but judges just haven't seen it that way. They are still way behind the paradigm.
I love that quote because to me it personifies Microsoft perfectly.
Me, too. I find the correlation fascinating, even if frightening.
I see no hair to split, I have concrete statutes, what do you have? In reference to "bigger guns", that is irrelevant. The question is "Who is right?". The fact that "he who has the most money/lawyers wins" is simply pointing out the sad state that humanity has gotten itself into. I personally am sick of it.
The question of who is right is not for you or I to answer, but for a court. Yes, I am merely making a prediction, but do you honestly think a judge would see in favor of Elias Levy, a guy who runs a mailing list frequented by *gasp* "hackers"?
And by the way, that sad state you refer to is the state we are in, not some leftist scare scenario. "Bigger guns" are relevant, because unfortunately that's the state of affairs the U.S. "justice system" has fallen into. Look what they got for O.J. Look what they got for the MPAA. These are very recent concrete examples of the thinking of the courts. One member of the EFF's legal team said "We're going to need some bigger guns" pretty near the beginning of the DeCSS case, IIRC that was right before Garbus joined up with them. The big corporations are in control. I don't like it either, and to be completely frank, neither should most people. The fact that most people are cut from the same mold as the proverbial Joe Sixpack is what will keep it that way until evolution takes its course and the informed, motivated few outnumber the beer chugging, football watching masses.
I like to play children's songs in minor keys.
"We're all sons of bitches now." --J. Robert Oppenheimer
Bill and his team of angry armed monkeys have struck again. ..
What will stop him?
How many more angry microsoft-bashers will disappear before
.... Microsoft spent as much effort into debugging their code as they put into their Marketing and Legal departments, they wouldn't have as many security fixes to publish in the first place.
Just use that thing inside your skull while you're reading this. Last I heard, that thing was called a brain, though with the disturbing trend in nomenclature lately, that's probably "subject to change without notice".
"Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
Actually, I think you'll find this actually prevents Bugtraq from quoting Technet security releases in their entirety, word for word. Hence spin control will actually be lessened.
Bugtraq can still report MS bugs, and use the Technet site as a research tool, but they have to produce their own vulnerability reports. Which I hope they should, rather than relying on MS's own work. If they perform the research themselves, they might find out the exploit is actually wider than what MS thinks it is.
This is good for Bugtraq and users. I don't like MS any better than the rest of you, but let's talk about what's really wrong with them, rather than this sort of paranoia.
This situation is better for users and Bugtraq, though might delay advisory publication by a few minutes now that Bugtraq must confirm and document the exploit themselves.
Well, their source was stolen. They were cracked twice. They were disgraced. M$ is known for this.
M$ stock dropped in 1/2 since last year. If you are a MCSE, you will be broke.
Anyone know just how many lawyers are on the M$ payroll?
A theory:
Like the US Government, the number probably increases in size as necessary, but never decreases.
I'll see your senator, and I'll raise you two judges.
We all know that Microsoft's strongest security is "obscurity". They can't have us publishing all of their "trade secrets"...
-- Windows security? Sure, which ONE would you like? -me
The text on the Microsoft sites can change at any time, so a link to text makes comments about the remote page unstable. The page being linked to can change in ways which change the meaning of the BugTraq information. The actual text being referred to is necessary, particularly with the obtuse phrasing which Microsoft uses. (ie, bypassing server security with a non-Microsoft client is the fault of the client and not the server)
The BBC and ITV tried this many years ago, claiming that the information in the Radio Times and TV Times respectively was copyrighted. I forget which was the first daily newspaper to ignore them and start publishing its own list (probably the Sun). The Beeb (or maybe it was the ITC) sued, and lost. Now pretty much every newspaper publishes the day's TV & radio listings.
disclaimer: (just so I don't get sued too...) The preceding was completely made up.
"// this is the most hacked, evil, bastardized thing I've ever seen. kjb"
Yeah, but what if they just use say, for instance, lynx for downloading the page. Convert it to plain text, and strip the "crap". At that point, some pretty major site renovations would have to happen to ruin the page.
:-/
But this is Microsoft, so yeah, those major renovations will happen someday.
What can ya do...
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
Please, let's use the right language here. Of course Microsoft has a copyright in the text of the bug report -- copyright subsists in all original works of authorship fixed in a tangible medium.
If you write something, and it's not something unoriginal like an alphabetical list of names, you have a copyright in it. Thus, you have certain exclusive rights with respect to your work.
What Microsoft is doing is ENFORCING their copyright on the bulletin, by saying that no one can redistribute it. Since the bulletin is posted on the website, they've given an implied license for people to view it. Whether there's also an implied license for someone to take it from the website and copy it onto mailing lists is debatable; Microsoft is arguing that they can control further distribution.
Certainly, fair use allows Bugtraq, /., whomever, to excerpt parts of the work, and distribute it for the purpose of criticism or academic study. Similarly, as has been pointed out elsewhere, the facts underlying the work can't be copyrighted at all (although they may be trade secrets of some sort; but that's another can of worms).
There's a big difference between this copyright enforcement and the protection of trademarks or trade secrets, which a lot of the posts seem to be confused about.
IAAL. So there. (But this should not be construed as legal advice, etc. etc.)
If you must submit a bug to a commercial software company, indicate that you do not transfer copyright to them. Or, even better, submit it to BugTraq first.
Just quote the most damning parts of the bulletins under fair use, and tell MS to stick it if they don't like it.
When MS gets tired of having only the worst part quoted, maybe they'll lighten up a bit.
Though more likely they'll fall back on UCITA, and claim that it's illegal to publish, quote, discuss, think about, or even be aware of any bugs in their software.
--
Sheesh, evil *and* a jerk. -- Jade
Hemos- This is really, really just embarrassing. Unlike coding, journalism really should be gotten right the first time. Or at least a reasonable facsimile thereof. To change and keep changing the story, without indicating it as such, is irresponsible and reflects poorly on you and on /.. Try to be a little consistent, eh?
~luge(was I naive to last this long thinking /. really could be better?)
IAAL,BIANLY
No, they want people to pay and they're trying to force them with threats, but in fact there are no circumstances under UK law where the information "Arsenal is playing QPR on Friday the 12th" can be copyrighted. None. They're just trying it on.
TWW
"Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
BugTraq No Longer Able To Publish MS Security Holes
The problem is not that they can't publish the security bulletin, but they don't want to anymore.
All companies do a full disclosure and Microsoft is not willing to do this anymore so the moderator doesn't post the security bulletins anymore.
It's just like it has always been. If there exists an unwritten (or even written) standard, then Microsoft wants to change it!
There's a policy and even Microsoft has to obey that!
So, Elias, you are right and MS is wrong! Don't crack under their pressure!
Microsoft probably wants more people to subscribe to their security bulletins and get the information directly from them and not a third party.
Smells like Microsoft is protecting its right to sell advertisement space in Microsoft Bulletins.
Will I retire or break 10K?
This is another example of a company using the threat of hundreds of lawyers to silence criticism.
Fight Spammers!
Microsoft cannot stop anyone from describing a bug in language other than the language copyrighted by Microsoft.
Therefore, if I read M$'s bug report, and then re-phrase, they shouldn't have any rights against me except perhaps if I have misstated the problem in a way that commercially harms them.
By forcing BugTraq to point back to Microsoft instead of duplicating the information on their site, MS is creating a security vulnerability.
Should the MS site be owned, DOS'd, or the database corrupted, then their information could not be either trusted or accessed.
In a sense BT is providing a backup function to MS for getting out security information. And for any valuable information, no backup is an unnecessary risk.
Well, duh, Microsoft owns the copyright to text written by the company, but preventing the redistribution of product failure reports?
Geez, isn't that a bit like a car manufacturer notifying the public that their latest SUVs flip over and explode, but preventing anyone from redistributing that notice? Has the software industry become so corrupt that our failure notices are now considered revenue generators and exclusive property?*
What next, a EULA on their website that reads "By using this website, you agree not to disclose the details of these failures to third parties. This information is confidential, and only available to licensees of Microsoft products".
* I forgot about the $90/hour tech support. I called Mickey$oft once to confirm that the behavior I was seeing was in fact a bug in IIS, and the wanker tried to charge me because he offered a half-assed workaround. Then it shows up as one of these bug reports on their website the next day (oh geez, it exists in 5.0 too!). They knew about the bug beforehand, as he had the workaround almost immediately, but did not publish until the prospect of someone else identifying and publishing the bug came up. My experience, and this current issue, says to me that Microsoft is only interested in spin control.
--
Bush's assertion: there ought to be limits to freedom
But I hope you're joking, or not a sysadmin. Bugtraq is a service for sysadmins, so they know what to look out for, not for crackers to get the latest cracks. Crackers get their 1337 cracking advice and tips from other 1337 crackers.
MS usually don't patch any security holes till crackers find them, even if they are aware of them. You can't 'just trust' Microsoft. I mean, think of the DOJ.
If you want to use the Fort Knox example, think of 5 million people all running their own Fort Knox, not telling anyone about it, but leaving the door wide open... Do you think nobody will find out?
If you're still not convinced, Inoshiro at kuro5hin has some very good security tutorials that go over this in detail.
Better to stay silent, and let people think you're an idiot than to open your mouth and remove all doubt
One thing that I noticed about the new Microsoft security bulletins is that they now contain Web bugs. The bugs look like they are used to count the number of people coming to read the bulletins. Here is the URL for one of these bugs: http://c.microsoft.com/trans_pixel.asp?source=www&TYPE=PV&p=technet_security_bulletin. I didn't see a tag for the bug, so I'm assuming it is generated by one of the JavaScript files included on the page.
It may be innocuous - just to see which are popular - but they could do that via log analysis, or a visible counter..
-dg-
Here it is, I just cut & paste. I hope securityfocus won't sue me now... :)
To: BugTraq
Subject: Administrivia: No More Microsoft Bulletins
Date: Thu Dec 07 2000 19:29:34
Author: Elias Levy aleph1@securityfocus.com
Message-ID: 20001207202934.D1769@securityfocus.com
It seems Microsoft was not very amused at my posting of their
advisory to the list the other day. As the copyright holders
of the work they have told me in no uncertain terms that I do
not have their permission to redistribute a text version of
their web page bulletins via the mailing list or the
securityfocus.com web site, and that doing so would be considered
an act of copyright violation.
There you have it. So until Microsoft changes their policy or
changes their email bulletins back to the old format you won't
see them on the list. Of course the vulnerabilities and their
information will continue to be announced.
They did state that they are continuing to accept feedback from
customers about their new email format. So if you liked better
the old one you may wish to let them know. You can send your
comments to:
secfdbck@microsoft.com
--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
The problem is that Security Focus was copy-and-pasting those bulletins, according to the article. By any reasonable interpretation of copyright law, they'll have to stop that practice, even though I think it's in MS's clients' best interest to allow it to continue.
With the SecurityFocus website ranked number 1 on my list of sucky websites--thanks to a ton of java, ads, frames, et al. crap--it's not like we were ever able to read anything there anyway.
Hell, I'm STILL waiting for the page to render...
Beetle
--
http://ruff.cs.jmu.edu/~beetle/
It's a shame that M$ is trying to hide its deficiencies and prevent any criticism. This way people, its own customers, will break their legs in the pot holes and M$ trustworthiness will disappear.
:-)
This heavy-handed suppression is the kind of action that marked the functioning (or lack thereof,) of the Soviet Union. Along with five-year plans based on sheer mental masturbation and the inevitable subsequent show trials when reality reared its ugly head and bit the planners in the ass four years out.
Please note where the Soviet Union is today
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
This week, MS has said that they no longer will be publishing full bulletins to Bugtraq; they will only publish links to web pages.
This is bad for two reasons:
First, MS has a nasty habit of moving their web pages around, and not using redirects; so the link they publish today may not be available tomorrow (or next week, or next month) even if the vulnerability is still important.
Second, MS can "edit" the web page to say anything they want, after the fact. They can surreptitiously add/remove information from any bulletin at any time, and not tell anybody - an "extension" to a known vulnerability (such as the IIS Unicode bug, which was patched a year ago, but still reared its ugly head this summer) can be silently "updated", and nobody is any wiser.
Bugtraq is a full disclosure list - and this is a definite step away from full disclosure.
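A defender's answer to the silent-edit concern raised in the comments above, as an added example that is not part of the original thread: archive the extracted text of a linked bulletin, fingerprint it, and diff it against a later fetch, so that content edits show up while a page restyle does not. The sample pages, the bulletin ID `EX-000` and all function names are constructed for illustration.

```python
import difflib
import hashlib
from html.parser import HTMLParser


class _TextExtractor(HTMLParser):
    """Collect visible text only, ignoring markup, scripts and styles."""
    SKIP = {"script", "style", "noscript"}
    BLOCK = {"title", "p", "div", "br", "li", "ul", "ol", "table", "tr", "td",
             "h1", "h2", "h3", "h4"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self._skip_depth = 0
        self._chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip_depth += 1
        elif tag in self.BLOCK:
            self._chunks.append("\n")  # block elements start a new text line

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip_depth:
            self._skip_depth -= 1
        elif tag in self.BLOCK:
            self._chunks.append("\n")

    def handle_data(self, data):
        if not self._skip_depth:
            self._chunks.append(data)

    def text(self):
        return "".join(self._chunks)


def bulletin_text(html):
    """Return the page content as normalized, non-empty text lines."""
    parser = _TextExtractor()
    parser.feed(html)
    parser.close()
    lines = (" ".join(line.split()) for line in parser.text().splitlines())
    return [line for line in lines if line]


def fingerprint(lines):
    """SHA-256 over the normalized text; store it next to the archived copy."""
    return hashlib.sha256("\n".join(lines).encode("utf-8")).hexdigest()


def compare(old_html, new_html):
    """Return (content_changed, unified diff of the text lines)."""
    old, new = bulletin_text(old_html), bulletin_text(new_html)
    changed = fingerprint(old) != fingerprint(new)
    diff = list(difflib.unified_diff(old, new, "archived", "current",
                                     lineterm="", n=0))
    return changed, diff


# Constructed sample pages (not real bulletins).
ARCHIVED = """<html><head><title>Example Bulletin EX-000</title>
<style>p{color:red}</style></head><body>
<h1>Example Bulletin EX-000</h1>
<p>Affected: ExampleServer 1.0</p>
<p>Severity: moderate</p>
<script>track()</script>
<p>Last updated: 2000-12-01</p></body></html>"""

# Same content, different presentation: must not raise an alert.
RESTYLED = """<html><head><title>Example Bulletin EX-000</title></head>
<body><table><tr><td><h2>Example   Bulletin EX-000</h2></td></tr>
<tr><td><div class="new">Affected: <b>ExampleServer 1.0</b></div>
<div>Severity: moderate</div><div>Last updated: 2000-12-01</div></td></tr>
</table></body></html>"""

# Content edited after publication: must raise an alert and show what moved.
EDITED = ARCHIVED.replace("ExampleServer 1.0", "ExampleServer 1.0, 2.0") \
                 .replace("moderate", "critical") \
                 .replace("2000-12-01", "2000-12-08")

if __name__ == "__main__":
    for label, page in (("restyled", RESTYLED), ("edited", EDITED)):
        changed, diff = compare(ARCHIVED, page)
        print(label, "changed" if changed else "unchanged")
        print("\n".join(diff))
```
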
Problem Report There was a communication problem
Message ID TCP_ERROR
Problem Description The system was unable to communicate with the server.
etc
It took me a good few seconds before I realised I was looking at an error that had just occurred, rather than a description of a vulnerability.
I'm not one to partake in the most fashionable MS-bashing, but I call shit as I see it. In this case, I can't believe these ASSHOLES treating bug reports as 'content.' As if they are not bad enough about fixing (Or not creating in the first place for that matter.) bugs now they consider bug reports valuable content? The next thing you know MS will create a 'developers first-look' service where you have to subscribe to their for-pay service as the only way to view bug/security reports. hmm... /me runs off to email a business proposal to MS. ;)
Regards
~~~
This is just pure irritating. Hemos should do his homework instead of flaming microsoft this time. First of all, what has happened is as follows:
MicroSoft is issuing, like other companies Security Advisories. These distributable security advisories were posted to bugtraq and other mailinglists, and were up until a week ago. The point is, MicroSoft has changed their Security Advisory layout, to only include a URL to the description of the bug and so forth.
Aleph1 is running Bugtraq, which is a full disclosure mailinglist, and one of the policies is that the signal-noise ratio should be as good as possible. To avoid noise "no-content" advisories are rejected. Advisories with nothing but URL's are considered no-content advisories.
That means that Aleph1 will no longer be publishing microsofts new security alerts. Instead he tried to post one of the security bulletins from their webpages, and that microsoft claims copyright on. Well, too bad for them. MicroSoft is forgetting that they now have made sure that even _less_ security administrators will get to know about their products weaknesses, and even _less_ administrators will upgrade.
In other words, they've done an Operation Foot Bullet. I don't complain though, as I don't run microsoft servers - and now have even more arguments when convincing companies I work for not to use their shitty products.
Slashdot has in this case presented a very wrong view. It's aleph1 that is _rejecting_ Microsoft's security alerts because of them being NON-CONTENT. He is however not allowed to grab Microsoft's _webpages_ and publish them on Bugtraq.
--
"Rune Kristian Viken" - http://www.nwo.no - arca
He who controls the present, controls the past. He who controls the past, controls the future.
Orwell wasn't wrong, he was just a little bit off on the dates.
It may look like I'm doing nothing, but I'm actively waiting for my problems to go away.
--Scott Adams
I don't think so. Patents still have to be useful. A bug is not useful, and so it is fairly easy to argue that they are not patentable. Of course I can't afford a lawyer to defend myself so I guess the patent holds until someone with deep pockets decides to sue.