BugTraq No Longer Able To Publish MS Security UPDATED
krow writes: "According to a BugTraq administrative note, they are no longer able to publish Microsoft Bulletins. They are copyrighting their bug reports so that others can not publish them." Bugtraq will continue to publish the vulnerabilities/bugs, but only the URLs; readers will have to click to read them. Says a SecurityFocus employee: "As the copyright holders of the work they have told me in no uncertain terms that I do not have their permission to redistribute a text version of their web page bulletins...doing so would be considered an act of copyright violation."
I agree in that the new way to handle advisories is terrible. I wouldn't want to find out about a potential vulnerability and have to go to a web site and end up encountering a "404 - File not found" or even worse, an unavailable server.
By all definitions, this is copyright enforcement. Microsoft wants to use its security advisories as a way to bolster their web stats. If BUGTRAQ wants to keep posting the Microsoft advisories, it will have to resist the enforcement or drive people to the web site.
Furthermore, this won't stop MS advisories from being posted by the people who have found the hole (there will be plenty of those I am sure) - and those are usually more informative anyway...
I believe that the legislators in the US are working to fix this problem. Microsoft is one of the companies pushing hard for this legislation. I don't know about you, but I'm starting to worry...
For what it's worth, I don't think this guy was trolling. Many *NIX admins don't even bother checking their vendors for security bulletins, preferring instead to rely on Bugtraq to get their news. To be perfectly honest, it's not a horrible strategy, considering activity on that list. And I don't think macpeep meant to suggest that the problems weren't fixed, but rather he was trying to say (incorrectly) that the fixes weren't accompanied by formal bulletins.
The problem is that Security Focus was copy-and-pasting those bulletins, according to the article. By any reasonable interpretation of copyright law, they'll have to stop that practice, even though I think it's in MS's clients' best interest to allow it to continue.
This brings up an idea: instead of just cut-n-pasting the bugs, all that SF would have to do is add some frame tags* to their page and include something like "frame src=http://microsoft.com/..." in one of the frames.
* In general, frames suck, but they do have their uses.
---
"Fdisk format reinstall, doo dah doo dah,
I pledge allegiance to the flag...
of the Corporate States of America...
"MicroSoft is forgetting that they now have made sure that even _less_ security administrators will get to know about their products weaknesses"
Actually, it's more subtle than that. SecurityFocus will still publish stuff about MS bugs (heck, I've gotten three or four in the last hour), but Microsoft won't be able to spin the bugs in exactly the way they want through their own advisories. 90% of the MS advisories read something like:
"A problem has been found in MS Blah. There is nothing to worry about. In certain extreme cases, undocumented of course, it's possible that some evil person might, if the phase of the moon is right, steal a filler image off a users hard drive. There is nothing to worry about."
Not to mention the infamous credits, which read something like:
"Credit goes to LeetHackerGroup for working with Microsoft to protect users."
Someone's working to protect users and we all know who it _isn't_.
No, I don't think I'll miss the MS advisories...
c.
Log in or piss off.
"Furthermore, that this information is needed, and was being distributed specifically to forward the end of stopping illegal activities and protecting the people. As such it was in the best interest of the public that the information be distributed."
This is why the CPSC REQUIRES public domain safety bulletins on cars and other products. Why should Microsoft be entitled to keep control of their bug reports? After all, these reports are of interest to their customers and potential customers. And many M$ bugs are potentially dangerous (the I Love you virus, etc).
=== The price of freedom is eternal vigilance
I fail to see how the DMCA actually applies to this case at all. The DMCA (or at least the part of it that /. readers usually care about) forbids the circumvention of access control methods.
The bugs in Microsoft's code are access control methods; they control your access to MS's software. By publishing information on them, you are circumventing them, thus rendering yourself liable under the DMCA.
Possible evil motives:
* Increase hits to their web site.
* Charge money for access to bug reports. (Now that would be something new!)
* Collect people's e-mail addresses
* Spin control, suppress information, change it after the fact -- the ministry of truth.
If they weren't up to something evil, they would simply give permission to reproduce the text of the report, as long as they include the copyright notice.
Or, maybe it's just stupid lawyers with too much free time. [You'd think they'd be all busy with the antitrust case and all.]
I'll see your senator, and I'll raise you two judges.
MS makes perfect operating systems, so why should we care about the bugs?
-Chris
...More Powerful than Otto Preminger...
If MS doesn't recant, here is my solution to this problem:
Stop vendor notification of MS Security holes.
There is a "gentleman's rule" of disclosure that says you should always notify the vendor of any security hole found, and give them time to create a patch, before publicly disclosing the hole.
The solution is to rescind this rule for MS products; because there is another "gentleman's rule" that says that vendors will admit to the hole, and issue a public bulletin.
If MS wants to issue private bulletins (which is what they're doing - you're not allowed to quote it verbatim) then it's time to forego the vendor notification.
There goes half their traffic.
Well, who cares? You always see it on BugTraq before it gets back to Microsoft, even when you tell them about it first...
---
pb Reply or e-mail; don't vaguely moderate.
As the article implies, it's just the Microsoft releases that they can't mirror word for word. They'd still be reporting the bugs.
I don't think this is really as bad as the headline makes it sound.
If I was experimenting with IIS and found a bug (compromise, DoS, etc) I'm still free to post it on the Bugtraq mailing list. Microsoft cannot stop me from doing this.
On the other hand, the Microsoft Security Announcements can't be posted. The solution? Go out to Microsoft's web site which can be found here and check the bulletins yourself. The other option is to subscribe to Microsoft's security mailing list.
I don't think this hurts customers very much, although it does have the side effect of either giving your e-mail address to Microsoft or visiting their web site more often.
So they just should summarize the bug report and include the link to the microsoft web page for the full report.
I trust M$ to report bugs, fixes and keep pages stable like a girl should trust a guy to "only stick it in a little."
Don't you know M$ products have no vulnerabilities and are perfect in every way. And if you reverse engineer it in anyway shape or form they'll have you drawn and quartered.
Of course, if you're the kind of low-life who's writing viruses, you could give a sh*t... "There's an M$ box, here's the lock-pick set. Let's have fun." By the way, lock-picking sets in hands other than a lock-smith's are illegal. That doesn't stop thieves.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
Seems to me that MS has always believed most strongly in "Security by Obscurity" and that admitting to vulnerabilities is something that is bad for the bottom line. The fact that they aren't just trying to sue anyone who even THINKS bad thoughts about Microsoft is a mystery to me.
They remind me of the Ravenous Bugblatter Beast of Traal: "...so amazingly stupid that it thinks that if you can't see it, then it can't see you..."
+++++++++++++++++++++
The Digital Sorceress
1) If you don't use some sort of automatic rephraser, then that would probably cost $$ a LOT! more than BugTraq can afford.
2) If you do, then some really interesting error reports will be generated.
Any other choices?
Caution: Now approaching the (technological) singularity.
I think we've pushed this "anyone can grow up to be president" thing too far.
Call it CYA, call it ensuring the integrity of information, call it what you will. It's in their best interests to allow BugTraq to carry these items, and work with them, rather than to bury it in a filing cabinet in a disused lavatory in a basement with "Beware of the leopard" pasted on the door (obscure HHGTTG ref).
Probably better titled: Microsoft Encourages Customer Cynicism, Launches New Drive
--
A feeling of having made the same mistake before: Deja Foobar
Why do you have to cut-n-paste the exact text? Just reword the stuff. Copyrights don't apply to rewritten synopses.
Otherwise, movie reviews, book reviews, and bug reports would have ceased to exist a long time ago. In fact, these things make the original product even more popular, just consider the free publicity...
Oh way, the DMCA is prior art. ;)
That's true, according to the DMCA, breaking into a computer that has copyrighted software on it is illegal. Therefore, there's no need to fix security holes in windows, since it's illegal to break into a Windows box. No cracker wants to take the risk of being thrown in the same category as those evil people who listen to (their) DVD's using DeCSS, right?
Opus: the Swiss army knife of audio codec
Actually it can work both ways so I'm not extremely bothered. >;).
:).
;).
For example: if we find security bugs we could ask entities (corporations or individuals) which/who behave in this way to register on _our_ websites to see the info before we go public.
And we could also formulate just as fair/unfair license agreements for them to agree to when registering. e.g. "REVERSE ENGINEERING AND CIRCUMVENTION OF THIS EXPLOIT (oops software!) IS PROHIBITED, TERMS AND CONDITIONS MAY CHANGE WITHOUT NOTICE, blahblahblah". All in nice ugly caps. The UCITA/DMCA comes to mind here
Do unto others as you'd have them do unto you.
Now we won't be selling the gathered info to doubleclick would we
Cheerio,
Link.
---
Integrity is behaving properly even if nobody knows or they are helpless to stop you.
If this concerns only the bug reports, then I do think they have some right to do it. Anyway, they publish it. However, if they try to restrict the discussion of their bugs this way, then it is a problem, and a serious one. Note that Microsoft loves to state that the reproduction of some of their documents is "restricted in whole and in part". This is the case of their User's Guides, for example. I would highly recommend reading it, as the text is quite straightforward on this. And it even overcomes some legalese about Copyright Law, so it is juridically dubious. In particular the fact that it seems to restrict even the right to cite their works.
In this point might be the danger. If Microsoft publishes a bug report and claims that someone violated their copyright because it cited it, then we do have a problem here. I leave the possible consequences to your conclusions...
Microsoft changed the format in which they send their advisories. Before, they used to send their emails with the full advisory in plain text included in the email. For example, consider this one sent by them on Thu, 16 Nov 2000: here
Then came advisories sent in a different format. Instead of including the full text with a description of the bug, workarounds, etc., Microsoft decided to include only a couple of URLs and that's it. You can see an example of this here. As you can see, it's a pain in the ass to read and getting the information becomes really hard.
What happens next (on Tue Dec 05), is that Elias Levy (a.k.a. Aleph1, Bugtraq moderator) decides that he will not accept advisories in this new format. You can read what he wrote here but allow me to quote:
I will no longer be approving any advisories with little or no content that point you to some other place for information.
Pretty isn't it.
What happened NEXT is where the /. story starts. On the same day, Elias took a Microsoft advisory and copy-and-pasted it in plain text in an email sent to Bugtraq. You can read the message here. Please note that this email has been sent from Elias Levy (aleph1@securityfocus.com) and not from the usual Microsoft address. This is where Microsoft got pissy.
In this email, Elias sets the tone, and I quote:
It seems Microsoft was not very amused at my posting of their advisory to the list the other day.
And now we can start talking about Microsoft's actions, but I guess that if you read my post, you understand better what really happened. As a last note, let me repeat what has been said on Bugtraq. An email address has been created by Microsoft for us to give them feedback about their new format. This email is secfdbck@microsoft.com. Please tell them what you think about their new format.
Looking for a great online backup: Green Backup
This should earn them enough money to see them through the current slump in tech stocks.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
BugTraq should md5 the bulletin and provide that next to the link to Microsoft. If Microsoft changes anything, people will be able to tell. If it goes away, people will see the dangling link. Microsoft will look bad either way...
Just because it CAN be done, doesn't mean it should!
I can't help but note that this comes like maybe a week after a note on BUGTRAQ by Aleph1 stating that he would no longer be approving bulletins that contained JUST a URL and that all posts should include the information.
The idea being that it's a security list and people subscribe to it to have the information delivered to them, not to have links so they can go find it.
Luckily this doesn't affect me, as where I work we don't run any NT systems (well, some groups do, we are all Unix). However, I have to agree with Aleph1 - I want to be able to determine whether services that I am running are vulnerable or patches are available right here and now... I don't want to have to go off somewhere else - it makes BUGTRAQ less useful.
I don't see the point of this. Isn't the whole idea of these bulletins to get the word out? This copyright bullshit is silly. These are security notices, not works of art. Why do they need this extra measure of "control" over them? So they can change them and pretend that any mistakes were never there? So they can make them disappear later?
I really can't imagine any real reason for wanting this.
-Steve
"I opened my eyes, and everything went dark again"
That's not how the law works. They produced it, they have authority over its copying and distribution. If they say we need permission, then yes, we need permission. It's the same authority the law grants you over your work. Ever written a line of GPL'd code? What would you think if that line ended up in some Windows code somewhere in Redmond? It's the same damn thing.
If you don't like the authority the law grants, then you have basically two options. 1) Lobby your national legislature to drastically change copyright law. 2) Find a country that isn't a Berne Convention signatory and move there.
So let me turn your question back on you:
How can you be so friggin (sic) dense?
I like to play children's songs in minor keys.
"We're all sons of bitches now." --J. Robert Oppenheimer
Actually, it's more subtle than that. SecurityFocus will still publish stuff about MS bugs
Of course. Bugtraq will still have MicroSoft bugs, VULN-Dev will still be used to find errors in MS' programs. The point is, SecurityFocus.com is not allowed to store or redistribute Microsoft's webpages. Its all up to microsoft if they allow their entire advisories/webpages to be published. And frankly, I don't expect aleph1 to "write his own advisory based on MicroSoft ones". He is denied to just post the damn webpage. That is all. This just _isnt_ a "everybody flame microsoft for trying to stop mouths" case. Its a "Microsoft suck at distributing information about security vulnerabilities"-case.
Not to mention the infamous credits
At least they _give_ credit. That is the important thing.
No, I don't think I'll miss the MS advisories..
Me neither, they are too full of BS instead of the facts you want to get. There is a great posting to bugtraq today (or maybe it was yesterday) about the trouble with Microsoft's security bulletins. Mainly that they lack consistency in what to do when they update the information.
--
"Rune Kristian Viken" - http://www.nwo.no - arca
>MS had a 30% increase in productivity this year: of security patches. :-)
;-)
But it compares poorly with their 45% increase in bugs.
Bugtraq's use might be fair use, but it's not as simple as you make it out to be.
It certainly would be fair use to create your own original description of a bug. However Microsoft's bug reports themselves may contain original expression. If so, just a movie critic's review is protected, so is their advisory. However, the factual parts of it are not protected, and fair use might also protect some copying of the advisory itself.
Fair use has four factors, as defined in 17 USC 107. Applying those here we find:
(1) BugTraq's use is noncommercial technical research, I believe. The mailing list doesn't come with any advertisements that I'm aware of.
(2) The nature of the Microsoft advisories is factual -- they aren't fictional works.
(3) The amount copied from Microsoft is presumably the whole thing, although if they used choice quotations this would help a fair use claim.
(4) The effect on the market or value of the bug advisory is the key issue. If Microsoft isn't selling these or using them to sell bundled advertising, then it's hard to see any negative effect. If they start selling access to these advisories, then this would strongly disfavor fair use. If they are given away free, but generate advertising revenue, then it's more muddled but probably disfavors fair use.
My non-lawyer "guess" is that unless Microsoft generates revenue somehow from these advisories that copying them in their entirety is actually not copyright infringement because it is fair use.
If MS does generate revenue from these, then bugtraq could probably get away with quoting the key passages, but MS would have a very tenable case to take to court if the whole thing was copied. I'd guess there was a small chance the defense could win, but it'd be a long shot with a large cost.
Hello?
Shoot yourself in the foot, why don't you?
If you can't take bad press don't play the game, but don't stop others from playing it.
Not quite the same...
Microsoft wants to stop bug reports, because they embarrass the company, and I believe that Microsoft top brass doesn't really give a monkey's if you, I or some other poor consumer loses all his data through a security hole.
Ford/Bridgestone/AnyCompany regrets having to post recall notices, but realises that it is better to look a bit stupid rather than risk the deaths of consumers and almost certain litigation.
Of course, I personally am very unlikely to lose any data through a Microsoft security hole. At home, I use only Linux, and at work I use a mix of SunOS, Irix and AIX... Colleagues using WinNT who were stupid enough to click on the LoveBug VirusBuilderScript may have lost some stuff, but then learning is often a painful experience for children.
You fall, you get a bruise, you learn to look what you're doing and you fall less often.
Oh joy, another Microsoft apologist. The Stacker incident was a good example precisely because it IS old. It would be interesting to see how Microsoft explains the "development" of their disk compression technology today.
If you want recent examples, I could refer to the DOJ case and Microsoft's lies and underhanded tricks related to that. Just let me know if you want to hear it...
It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
A Copyright is not the same as a trademark.
I can understand why a company would (and must) vigorously defend its trademarks. I also understand why companies want to prosecute violations of their valuable copyrighted works.
But what is the value of trying to clamp down on control of information such as security problems and vulnerabilities? There must be some ulterior motive.
After all, with a copyright, MS could just grant anyone permission to redistribute and reproduce the text of the bug report -- provided copyright notices remain intact.
So why aren't they doing something like this? I think previous posters got it exactly right. They can silently edit things after the fact. Change links. Change the contents of linked pages, etc. One thing about news on the web is that no permanent record exists.
One other thought: Since copyright doesn't protect the idea, BugTraq could explain the problem in their own words, and there is nothing MS could do about it.
I'll see your senator, and I'll raise you two judges.
BugTraq started posting the whole bulletins after Microsoft changed the bulletin format to only contain minimal information and a link to the Microsoft website.
This is very annoying if you want to download your emails to a laptop and read them somewhere where you don't have i-net access to read the whole thing.
I guess Microsoft did that to create an easily updateable security information archive.
But they should still put the whole info into the email, and post a link where you could find updated information.
if you care, send an email to Microsoft Security Feedback
Before you email me, remember: "There is no god!"
I don't see the same advantage you have - in my experience, many times the bug description is posted on BugTraq FIRST, and then the vendor will eventually send out a bulletin about the bug description (and hopefully) a workaround or fix.
So really, if you want all of the bulletins as soon as possible, you go to a place like BugTraq - you don't wait for the vendors to respond.
Really, it is only three paragraphs long, and the second one very, very clearly states: Of course the vulnerabilities and their information will continue to be announced. ~luge (slowly but faithfully losing his faith in /.)
IAAL,BIANLY
A better method is the switch inside the circuit breaker box, but that's not a button. Instead, the button on a detonator attached to the hard drive of the machine in question is recommended.
In extreme cases, a MIRV aimed at Redmond may be the only solution.
--
"Open source is good." - Steve Jobs
"Open source is evil." - Microsoft
Isn't there some rule that says you can't copyright information? That is, doesn't copyright actually protect the presentation of information? You can't copyright, say, a phone number, but you're not supposed to distribute Xeroxes of the phone book. If I'm right, BugTraq will just have to do a lot of paraphrasing.
Just because Microsoft is claiming "copyright" protection on their announcements, does not mean they're trade secrets!!! You can publish copyrighted material under fair use laws, AND get away with it!
I mean, you can publish copyrighted material and include a review of it, and that would be fair use.
I really think SecurityFocus needs to talk to their lawyers about this. I'm sure they'll find that it's completely legal.
As for Microsoft, they deserve everything coming to them.
For the jaded person. They can read about the hole. Get it to work, explain it to someone else, then have the other person write it up with a much worse picture than MS. No copyright violation done, since the writer never read the original post. But more damaging, since the writeup was not done through the MS FUD factory.
And that's not what they said. They said that 'bugtraq will not be distributing Microsoft Security Bulletins'. They said nothing about 'information about microsoft security problems'... they just meant that you will not be able to rely on Bugtraq to release to you MS Security bulletins automatically when released by microsoft.
1976 Copyright Act: Section 107. Limitation on exclusive rights: fair use. "...The fair use of a copyrighted work, including such use by reproduction in copies...for purposes such as criticism, comment, news reporting, teaching..., scholarship, or research, is not an infringement of copyright..." Microsoft is full of shit. I guess that's what you can do when you're a monopoly, eh -- send educational, non-profit mailing lists cease and desists...
But can you print it on a t-shirt?
"One microsoft-bug-list-T-shirt, please. Size Hindenburg[1], please."
[1] Large object was chosen at random - the final fate of the Hindenburg didn't have anything to do with it...
--
TC - My Photos..
The reason that copyright exists, is to encourage creators to create expression. That encouragement is normally implemented as profit. The profit comes from the creator having a temporary monopoly on the expression, so that they can sell it, license it, etc.
Government grants copyright and legal protection to creators in order to get something in exchange: creative works (which, after it falls into public domain, then benefits the people that gave government its power).
Microsoft issues security bulletins in order to increase the security of their installed base of users, thereby increasing the reputation of their product, thereby hopefully increasing sales of their product. They do not write security bulletins in order to sell them or license them for a profit.
Government grants copyright and legal protection to Microsoft security bulletins in order to get ... what in return?
My limited imagination does not see a connection between the purpose of government granting copyright, and Microsoft writing security bulletins.
If anyone here ever ends up starting their own government and writing their own copyright laws from scratch, I hope that they consider this issue. ;-)
---
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Microsoft wants to drive more traffic to its web site. Its security postings are one mechanism to do so. That takes precedence over things like full disclosure, or serving the security community.
Web traffic is $$.
Don't even think Microsoft cares about security - they don't except for its ability to make them look bad. If they can market something as secure, it really doesn't matter whether it is or not.
And this is a direct attempt to hit BugTraq squarely in the wallet by taking most of their web traffic, and having them click through to Microsoft.
I don't think this hurts customers very much, although it does have the side effect of either giving your e-mail address to Microsoft or visiting their web site more often.
You're on to something here. Microsoft gets to show ads and place promotional messages in its e-mail newsletters and on its web pages--even the bug report pages.
Maybe the revenue derived from these ads (even if it's cross-marketing of other Microsoft products) is so great that they'll start issuing bulletins for nonexistent bugs just to draw more traffic to their security announcement site.
You cannot protect a fact as intellectual property or under copyright protection. This is why anyone in the nation can publish the scores of an NBA game -- the NBA does not "own" the statistics of the players. Anyone can write a film or game review -- it is not illegal for me to say what happens in your movie or game. For this reason, there is nothing illegal about reporting bugs, DMCA be damned. 1st Amendment wins, fatality.
Security Focus may not be able to copy-and-paste, but they can read a report in the Microsoft email and report on the report. Again, facts cannot be copyright protected.
Online wrestling as a trading card game? WWF With Authority.
They just need to note the copyright holder.
:-)
Microsoft can't do a thing about it.
Pretty silly thing for MS to do, regardless. This just makes them look like they're trying to hide things.
On an amusing note: MS had a 30% increase in productivity this year: of security patches.
Regards,
-scott
You'd think that a company so into the Internet and selling web servers would understand the concept of URLs. They really do make it hard to link to anything on their site, which is the whole point of the web. Their URLs are neither uniform, nor let you locate resources. (To be fair, places like ZD Net are just as bad.)
Software sucks. Open Source sucks less.
Basically xato went out and tried to figure out which bugs existed, which bug affected a given ms system, and which hot fix works for that bug... It was hell.
--locust
Apparently you can protect information only if it pertains to the Olympics. They suppressed Olympic athletes from posting journals to the web. Really horrible, in my opinion.
Actually, you can protect some facts under trade secret laws. For example, the secret formula of Coca Cola. But the fact that Microsoft is giving the information out causes it not to be a trade secret.
Ok, let me repeat myself again. :)
patches not bugs.
and
Not that Bugtraq isn't good, just that if you need to keep up with vendor patches, it's not the way to fly.
I guess that I'll have to stop digging in their trash cans in hopes of getting bug reports. Of course I wasn't getting much from them anyway as the lines are enormous.
-:-:-:-:-:-
Nothing much, and if you're smart go to this page and tell me how to get it working.
Imagine how secure Fort Knox would be if nobody knew where it was.
This situation is similar. After all, nobody but Microsoft can fix the flaws, so what's the point of having people know about it? People will predictably respond in their superior way that SysAdmins need to know the security holes so that they can take them into account and defend against hackers. But the only way the hackers find out is by reading Bugtraq!
I honestly think the net effect will be improved security for the great majority of sites.
KTB:Lover, Poet, Artiste, Aesthete, Programmer.
There is no
>They can surreptitiously add/remove information from any bulletin at any time, and not tell anybody
Here's an idea:
Why not provide an md5sum of the webpage contents? That wouldn't be illegal (no way that an md5sum is a copy of the material), and would quickly show foul play by Microsoft. If they took one each week they would be able to tell how often and when the info is changed.
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
Wouldn't it be really fun if they sued everybody who reproduced their bugs...
They could start with access violations in end-user programs, that should break the neck of 99% of all other software producers.
(English-to-French, French-to-English of http://support.microsoft.com/support/kb/articles/Q 177/0/89.ASP.)
Of course, you might also run it through the Dialectizer:
--
This md5 scheme will break when Microsoft updates their site's look and feel. The MD5 hash will change when they rearrange their HTML layout or change IMG filenames.
cpeterso
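The hashing idea from the two comments above can survive the layout problem the last poster raises if the fingerprint is taken over the bulletin's visible text rather than the raw HTML. This is an added example, not code from any poster or from SecurityFocus; the three bulletin pages are constructed sample input with a placeholder bulletin number, and SHA-256 is used in place of md5.

```python
import hashlib
import re
from html.parser import HTMLParser


class _VisibleText(HTMLParser):
    """Collect the text a reader sees; tags, attributes (IMG filenames),
    scripts and stylesheets are ignored so restyling does not count."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.parts.append(data)


def normalized_text(html: str) -> str:
    """Visible text only, whitespace collapsed, case folded."""
    parser = _VisibleText()
    parser.feed(html)
    parser.close()
    return re.sub(r"\s+", " ", " ".join(parser.parts)).strip().lower()


def raw_fingerprint(html: str) -> str:
    """The naive scheme: hash the page bytes as served."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def content_fingerprint(html: str) -> str:
    """Hash of the normalized visible text; stable across layout changes."""
    return hashlib.sha256(normalized_text(html).encode("utf-8")).hexdigest()


def content_changed(baseline_fp: str, html: str) -> bool:
    """Compare a stored fingerprint against a freshly fetched copy."""
    return content_fingerprint(html) != baseline_fp


# Constructed sample: the bulletin as first published (placeholder id).
BULLETIN_V1 = """<html><head><title>MS00-XXX (placeholder)</title></head>
<body><img src="logo_v1.gif">
<h1>Security Bulletin</h1>
<p>Affected software: Example Server 1.0</p>
<p>Workaround: disable the sample script mapping.</p>
</body></html>"""

# Same wording, new site look and feel: tables, stylesheet, renamed image.
BULLETIN_V1_RESTYLED = """<html><head><title>MS00-XXX (placeholder)</title>
<style>body { font: 10pt arial }</style></head>
<body><table><tr><td><img src="logo_2001.gif" alt="Logo"></td></tr>
<tr><td><h1>Security   Bulletin</h1></td></tr>
<tr><td>Affected software: Example Server 1.0<br>
Workaround: disable the sample script mapping.</td></tr></table>
</body></html>"""

# Silently edited after the fact: the workaround sentence was changed.
BULLETIN_V1_EDITED = BULLETIN_V1.replace(
    "Workaround: disable the sample script mapping.",
    "Workaround: none required.")


if __name__ == "__main__":
    base = content_fingerprint(BULLETIN_V1)
    print("raw hash moves on restyle:",
          raw_fingerprint(BULLETIN_V1) != raw_fingerprint(BULLETIN_V1_RESTYLED))
    print("content hash moves on restyle:",
          content_changed(base, BULLETIN_V1_RESTYLED))
    print("content hash moves on silent edit:",
          content_changed(base, BULLETIN_V1_EDITED))
```

A weekly archive of (date, content fingerprint) pairs then records when the text itself changed without storing or redistributing the bulletin.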
All right, getting all the patches eventually is good - but you're not going to get them until the vendor has actually acknowledged the problem, analyzed it, created the patch, done (you hope) some testing, then posted it. And _that's_ if the vendor decides to actually acknowledge the problem.
In the meantime, you need defenses & some kind of workaround - and the most timely method of getting that information is from the people who just got slammed by the bug, and who are reporting their experiences to services like BugTraq.
In other words, I'm agreeing with you about needing to monitor the vendor releases closely so you can keep your system "officially" up to date, but if that's ALL you're relying on, then sooner or later you're going to get screwed and not even know what hit you.
To do more than that, you need services neutral w/respect to any individual vendors, like BugTraq.
Someone ought to copyright an exploit or patent an exploit in the Windows operating system and make it illegal for them to fix it...
That's not likely to work either. Another site ("TotalNews.com"? I can't remember the name) once tried to make a quick buck by linking a whole bunch of other news sites in a frame and running ads - essentially, they were making a links page and using ad revenue off it. They were cease-and-desisted out of existence, if memory serves.
BugTraq shouldn't be publishing Microsoft documents verbatim (if Microsoft doesn't want them to). BugTraq should summarize, in their own words, and post a link to the Microsoft article. It's all about respecting the wishes of the copyright holder. It's the same story as Napster.
Hmmm... download it for personal use, then take a diff. Post the diffs to bugtraq.
What is surprising is that Microsoft is consistent with the timestamp in their updates. If something was edited last week, it will say so at the bottom... even if the article was first posted three years ago.
Finally, because I'm so tired of spam from those Redmond guys....
--
--
On scale from -14 to 56 this post is '-15, Nonexistent'
What Microsoft is doing is telling Elias (moderator of Bugtraq) that he cannot *change* the content of the original email that the MS security bulletins are sent out in. That is totally different than saying that MS has copyrighted the advisory and won't allow Bugtraq to post it...
Basically, the new MS format is very non-informative, and therefore, not very helpful for those in need of information about a new vulnerability. They want to centralize the location of their advisories so that customers can get up to date information in one place on the web.
I applaud them for trying this out, but I don't think it is the best way to go. I still prefer the old method of sending out all of the advisory in a single email.
Furthermore, this won't stop MS advisories from being posted by the people who have found the hole(there will be plenty of those I am sure) - and those are usually more informative anyway...
- Rick
www.bluealien.org
Prophets of the Blue Alien
BugTraq will still publish MS security bugs/holes - they just cannot cut & paste the MS bulletins directly. Most UNIX bugs will not even HAVE bulletins to copy & paste. This is an absolute non-issue and definitely not news-worthy, unlike many other stories.
Ok, so basically BugTraq can't have verbatim copies posted because permission was never granted by Microsoft.
Did anyone think to ask? How hard could it possibly be to tap Microsoft on the shoulder and say "Hey, a lot of people read this mailing list looking for security information. Specifically they want to know right away when vulnerabilities are discovered. It would be a shame if you disappointed those readers who run your software. May we have permission to post your advisories?"
I think this is a mind shackle that a lot of people can't get past. I think most people see that phrase about authorization and permission and they stop there. No you can't do much without permission, but yes, you can ask for permission.
I like to play children's songs in minor keys.
"We're all sons of bitches now." --J. Robert Oppenheimer
Yes.
The real purpose is to further the public good. The founders of the United States concluded that the public good is furthered ONLY by increasing the number of works in the public domain.
Ergo, Copyright law, which granted a time-limited limited monopoly. Authors can use it to require remuneration for their works.
The purpose of copyright law is NOT to maximize the rate of return to the copyright holder (note, this isn't necessarily the original artist) for copyrighted works. Nor is copyright law's purpose to maximize the number of works available. (If it was, then why did they put a time-limit on it?)
Copyright law's purpose is to further the public good by ensuring the maximum number of artistic works are in the public domain.
Both have copyrighted their fixture lists, and some fan sites have been told not to post fixture lists. Apparently you have to pay them money to be able to print such lists.
This is of course known as the REALLY FSCKING STUPID school of marketing, dominated by the idea, "Our customers will only listen to US! (and no bugs are really serious anyway)". Unfortunately software problems can cost customers buttloads of money, meaning that this 'ostrich mode' strategy will produce a small amount of unrealistically rosy PR and a world of hurting in practice.
Couldn't happen to a nicer company- hopefully not too many other companies will really follow MS all the way down, marching into hell like trusting little lambs- if for no other reason than it'll be very costly to trust MS, and the bottom line will show it.
Do MCSEs get training in how to spin consulting fees etc. so that it doesn't look like MS's fault when support costs are high? Probably the main strategy for dealing with an expected firestorm of hackings and security breaches is to paint intruders as brilliant evil hackers rather than boring script kiddies.
Now if I'm not mistaken, it's not about not publishing bugs, but rather about the bulletins themselves.
It seems MS has copyrighted their bulletins (not the bugs ;-) ) and prohibits distributing their copyrighted material.
I guess you can still publish the incident, but you would have to write your own "bulletin".
While I can understand that MS wants to protect their precious incredibly sophisticated and unique security bulletins I guess there are other reasons for this.
What MS tries to do for security reasons (at least that's what I think) is to establish their site as the only way to obtain official bulletins.
One can only suspect that they are scared that someone might post fake messages on those lists, making them in some way look official.
"Mommy, mommy! The garbage man is here!" "Well, tell him we don't want any!" -- Groucho Marx
This looks like a move towards having EULA on the security holes themselves: "By agreeing to this EULA, you accept that you will not use any of the security hole in Win 2000 and that you will act as if nothing was wrong..."
I mean, who cares whether the system is secure or not. As long as you agree to the EULA, everyone's safe!
Opus: the Swiss army knife of audio codec
.... Microsoft spent as much effort into debugging their code as they put into their Marketing and Legal departments, they wouldn't have as many security fixes to publish in the first place.
Actually, I think you'll find this actually prevents bugtraq from quoting Technet security releases in their entirety, word for word. Hence spin control will actually be lessened.
Bugtraq can still report MS bugs, and use the Technet site as a research tool, but they have to produce their own vulnerability reports. Which I hope they should, rather than relying on MS's own work. If they perform the research themselves, they might find out the exploit is actually wider than what MS thinks it is.
This is good for Bugtraq and users. I don't like MS any better than the rest of you, but let's talk about what's really wrong with them, rather than this sort of paranoia.
This situation is better for users and Bugtraq, though it might delay advisory publication by a few minutes now that Bugtraq must confirm and document the exploit themselves.
Anyone know just how many lawyers are on the M$ payroll?
A theory:
Like the US Government, the number probably increases in size as necessary, but never decreases.
I'll see your senator, and I'll raise you two judges.
The text on the Microsoft sites can change at any time, so a link to text makes comments about the remote page unstable. The page being linked to can change in ways which change the meaning of the BugTraq information. The actual text being referred to is necessary, particularly with the obtuse phrasing which Microsoft uses. (ie, bypassing server security with a non-Microsoft client is the fault of the client and not the server)
The BBC and ITV tried this many years ago, claiming that the information in the Radio Times and TV Times respectively was copyrighted. I forget which was the first daily newspaper to ignore them and start publishing its own list (probably the Sun). The Beeb (or maybe it was the ITC) sued, and lost. Now pretty much every newspaper publishes the day's TV & radio listings.
Please, let's use the right language here. Of course Microsoft has a copyright in the text of the bug report -- copyright subsists in all original works of authorship fixed in a tangible medium.
If you write something, and it's not something unoriginal like an alphabetical list of names, you have a copyright in it. Thus, you have certain exclusive rights with respect to your work.
What Microsoft is doing is ENFORCING their copyright on the bulletin, by saying that no one can redistribute it. Since the bulletin is posted on the website, they've given an implied license for people to view it. Whether there's also an implied license for someone to take it from the website and copy it onto mailing lists is debatable; Microsoft is arguing that they can control further distribution.
Certainly, fair use allows Bugtraq, /., whoever, to excerpt parts of the work, and distribute it for the purpose of criticism or academic study. Similarly, as has been pointed out elsewhere, the facts underlying the work can't be copyrighted at all (although they may be trade secrets of some sort; but that's another can of worms).
There's a big difference between this copyright enforcement and the protection of trademarks or trade secrets, which a lot of the posts seem to be confused about.
IAAL. So there. (But this should not be construed as legal advice, etc. etc.)
If you must submit a bug to a commercial software company, indicate that you do not transfer copyright to them. Or, even better, submit it to BugTraq first.
Just quote the most damning parts of the bulletins under fair use, and tell MS to stick it if they don't like it.
When MS gets tired of having only the worst part quoted, maybe they'll lighten up a bit.
Though more likely they'll fall back on UCITA, and claim that it's illegal to publish, quote, discuss, think about, or even be aware of any bugs in their software.
--
Sheesh, evil *and* a jerk. -- Jade
Microsoft probably wants more people to subscribe to their security bulletins and get the information directly from them and not a third party.
Smells like Microsoft is protecting its right to sell advertisement space in Microsoft Bulletins.
Will I retire or break 10K?
This is another example of a company using the threat of hundreds of lawyers to silence criticism.
Fight Spammers!
Well, duh, Microsoft owns the copyright to text written by the company, but preventing the redistribution of product failure reports?
Geez, isn't that a bit like a car manufacturer notifying the public that their latest SUVs flip over and explode, but preventing anyone from redistributing that notice? Has the software industry become so corrupt that our failure notices are now considered revenue generators and exclusive property?*
What next, a EULA on their website that reads "By using this website, you agree not to disclose the details of these failures to third parties. This information is confidential, and only available to licensees of Microsoft products".
* I forgot about the $90/hour tech support. I called Mickey$oft once to confirm that the behavior I was seeing was in fact a bug in IIS, and the wanker tried to charge me because he offered a half-assed workaround. Then it shows up as one of these bug reports on their website the next day (oh geez, it exists in 5.0 too!). They knew about the bug beforehand, as he had the workaround almost immediately, but did not publish until the prospect of someone else identifying and publishing the bug came up. My experience, and this current issue, says to me that Microsoft is only interested in spin control.
--
Bush's assertion: there ought to be limits to freedom
But I hope you're joking, or not a sysadmin. Bugtraq is a service for sysadmins, so they know what to look out for, not for crackers to get the latest cracks. Crackers get their 1337 cracking advice and tips from other 1337 crackers.
MS usually doesn't patch any security holes till crackers find them, even if they are aware of them. You can't 'just trust' Microsoft. I mean, think of the DOJ.
If you want to use the Fort Knox example, think of 5 million people all running their own Fort Knox, not telling anyone about it, but leaving the door wide open... Do you think nobody will find out?
If you're still not convinced, Inoshiro at kuro5hin has some very good security tutorials that go over this in detail.
Better to stay silent, and let people think you're an idiot than to open your mouth and remove all doubt
One thing that I noticed about the new Microsoft security bulletins is that they now contain Web bugs. The bugs look like they are used to count the number of people coming to read the bulletins. Here is the URL for one of these bugs: http://c.microsoft.com/trans_pixel.asp?source=www&TYPE=PV&p=technet_security_bulletin . I didn't see a tag for the bug, so I'm assuming it is generated by one of the JavaScript files included on the page.
It may be innocuous - just to see which are popular - but they could do that via log analysis, or a visible counter..
-dg-
It's a shame that M$ is trying to hide its deficiencies and prevent any criticism. This way people, its own customers, will break their legs in the pot holes and M$ trustworthiness will disappear.
:-)
This heavy-handed suppression is the kind of action that marked the functioning (or lack thereof,) of the Soviet Union. Along with five-year plans based on sheer mental masturbation and the inevitable subsequent show trials when reality reared its ugly head and bit the planners in the ass four years out.
Please note where the Soviet Union is today
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
This week, MS has said that they no longer will be publishing full bulletins to Bugtraq; they will only publish links to web pages.
This is bad for two reasons:
First, MS has a nasty habit of moving their web pages around, and not using redirects; so the link they publish today may not be available tomorrow (or next week, or next month) even if the vulnerability is still important.
Second, MS can "edit" the web page to say anything they want, after the fact. They can surreptitiously add/remove information from any bulletin at any time, and not tell anybody - an "extension" to a known vulnerability (such as the IIS Unicode bug, which was patched a year ago, but still reared its ugly head this summer) can be silently "updated", and nobody is any wiser.
Bugtraq is a full disclosure list - and this is a definite step away from full disclosure.
I'm not one to partake in the most fashionable MS-bashing, but I call shit as I see it. In this case, I can't believe these ASSHOLES treating bug reports as 'content.' As if they are not bad enough about fixing (Or not creating in the first place for that matter.) bugs now they consider bug reports valuable content? The next thing you know MS will create a 'developers first-look' service where you have to subscribe to their for-pay service as the only way to view bug/security reports. hmm... /me runs off to email a business proposal to MS. ;)
Regards
This is just pure irritating. Hemos should do his homework instead of flaming microsoft this time. First of all, what has happened is as follows:
MicroSoft is issuing, like other companies, Security Advisories. These distributable security advisories were posted to bugtraq and other mailing lists, and were up until a week ago. The point is, MicroSoft has changed their Security Advisory layout, to only include a URL to the description of the bug and so forth.
Aleph1 is running Bugtraq, which is a full disclosure mailing list, and one of the policies is that the signal-noise ratio should be as good as possible. To avoid noise, "no-content" advisories are rejected. Advisories with nothing but URLs are considered no-content advisories.
That means that Aleph1 will no longer be publishing Microsoft's new security alerts. Instead he tried to post one of the security bulletins from their webpages, and that Microsoft claims copyright on. Well, too bad for them. MicroSoft is forgetting that they now have made sure that even _less_ security administrators will get to know about their products' weaknesses, and even _less_ administrators will upgrade.
In other words, they've done an Operation Foot Bullet. I don't complain though, as I don't run Microsoft servers - and now have even more arguments when convincing companies I work for not to use their shitty products.
Slashdot has in this case presented a very wrong view. It's Aleph1 that is _rejecting_ Microsoft's security alerts because of them being NON-CONTENT. He is however not allowed to grab Microsoft's _webpages_ and publish them on bugtraq.
--
"Rune Kristian Viken" - http://www.nwo.no - arca
He who controls the present, controls the past. He who controls the past, controls the future.
Orwell wasn't wrong, he was just a little bit off on the dates.
It may look like I'm doing nothing, but I'm actively waiting for my problems to go away.
--Scott Adams
I don't think so. Patents still have to be useful. A bug is not useful, and so it is fairly easy to argue that they are not patentable. Of course I can't afford a lawyer to defend myself so I guess the patent holds until someone with deep pockets decides to sue.