BugTraq No Longer Able To Publish MS Security UPDATED
krow writes: "According to a BugTraq administrative note, they are no longer able to publish Microsoft Bulletins. They are copyrighting their bug reports so that others can not publish them." Bugtraq will continue to publish the vulnerabilities/bugs, but only the URLs; readers will have to click to read them. Says a SecurityFocus employee: "As the copyright holders of the work they have told me in no uncertain terms that I do not have their permission to redistribute a text version of their web page bulletins...doing so would be considered an act of copyright violation."
If MS doesn't recant, here is my solution to this problem:
Stop vendor notification of MS Security holes.
There is a "gentleman's rule" of disclosure that says you should always notify the vendor of any security hole found, and give them time to create a patch, before publicly disclosing the hole.
The solution is to rescind this rule for MS products; because there is another "gentleman's rule" that says that vendors will admit to the hole, and issue a public bulletin.
If MS wants to issue private bulletins (which is what they're doing - you're not allowed to quote it verbatim) then it's time to forego the vendor notification.
As the article implies, it's just the Microsoft releases that they can't mirror word for word. They'd still be reporting the bugs.
I don't think this is really as bad as the headline makes it sound.
If I was experimenting with IIS and found a bug (compromise, DoS, etc) I'm still free to post it on the Bugtraq mailing list. Microsoft cannot stop me from doing this.
On the other hand, the Microsoft Security Announcements can't be posted. The solution? Go out to Microsoft's web site which can be found here and check the bulletins yourself. The other option is to subscribe to Microsoft's security mailing list.
I don't think this hurts customers very much, although it does have the side effect of either giving your e-mail address to Microsoft or visiting their web site more often.
I can't help but note that this comes like maybe a week after a note on BUGTRAQ by Aleph1 stating that he would no longer be approving bulletins that contained JUST a URL and that all posts should include the information.
The idea being that it's a security list and people subscribe to it to have the information delivered to them, not to have links so they can go find it.
Luckily this doesn't affect me, as where I work we don't run any NT systems (well some groups do, we are all Unix). However, I have to agree with Aleph1 - I want to be able to determine whether services that I am running are vulnerable or patches are available right here and now...I don't want to have to go off somewhere else - it makes BUGTRAQ less useful.
I don't see the point of this. Isn't the whole idea of these bulletins to get the word out? This copyright bullshit is silly. These are security notices, not works of art. Why do they need this extra measure of "control" over them? So they can change them and pretend that any mistakes were never there? So they can make them disappear later?
I really can't imagine any real reason for wanting this.
-Steve
"I opened my eyes, and everything went dark again"
A Copyright is not the same as a trademark.
I can understand why a company would (and must) vigorously defend its trademarks. I also understand why companies want to prosecute violations of their valuable copyrighted works.
But what is the value of trying to clamp down on control of information such as security problems and vulnerabilities? There must be some ulterior motive.
After all, with a copyright, MS could just grant anyone permission to redistribute and reproduce the text of the bug report -- provided copyright notices remain intact.
So why aren't they doing something like this? I think previous posters got it exactly right. They can silently edit things after the fact. Change links. Change the contents of linked pages, etc. One thing about news on the web is that no permanent record exists.
One other thought: Since copyright doesn't protect the idea, BugTraq could explain the problem in their own words, and there is nothing MS could do about it.
I'll see your senator, and I'll raise you two judges.
BugTraq started posting the whole bulletins after Microsoft changed the bulletin format to only contain minimal information and a link to the Microsoft website.
This is very annoying if you want to download your emails to a laptop and read them somewhere where you don't have i-net access to read the whole thing.
I guess Microsoft did that to create an easily updateable security information archive.
But they should still put the whole info into the email, and post a link where you could find updated information.
If you care, send an email to Microsoft Security Feedback
Before you email me, remember: "There is no god!"
You cannot protect a fact as intellectual property or under copyright protection. This is why anyone in the nation can publish the scores of an NBA game -- the NBA does not "own" the statistics of the players. Anyone can write a film or game review -- it is not illegal for me to say what happens in your movie or game. For this reason, there is nothing illegal about reporting bugs, DMCA be damned. 1st Amendment wins, fatality.
Security Focus may not be able to copy-and-paste, but they can read a report in the Microsoft email and report on the report. Again, facts cannot be copyright protected.
Online wrestling as a trading card game? WWF With Authority.
What Microsoft is doing is telling Elias (moderator of Bugtraq) that he cannot *change* the content of the original email that the MS security bulletins are sent out in. That is totally different than saying that MS has copyrighted the advisory and won't allow Bugtraq to post it...
Basically, the new MS format is very non-informative, and therefore, not very helpful for those in need of information about a new vulnerability. They want to centralize the location of their advisories so that customers can get up to date information in one place on the web.
I applaud them for trying this out, but I don't think it is the best way to go. I still prefer the old method of sending out all of the advisory in a single email.
Furthermore, this won't stop MS advisories from being posted by the people who have found the hole (there will be plenty of those I am sure) - and those are usually more informative anyway...
- Rick
www.bluealien.org
Prophets of the Blue Alien
Most UNIX bugs will not even HAVE bulletins to copy & paste
You may be a troll and I'm feeding, but I'll give it a go.
Like Microsoft, all of the major UNIX vendors have security mailing lists. They tell what program the bug is in, if it is a remote or local compromise, and what exactly the compromise can do (denial of service, gain root access, etc). This includes Sun (Solaris), HP (HP-UX), SGI (IRIX) and Digital (Digital UNIX, aka OSF1 aka Tru64).
Same goes with the majority of the large (and even most of the small) Linux vendors. Do you see Bugtraq after a local root compromise has been found? I see updates from 7 or 8 Linux vendors announcing patches or packages with the fix.
Some folks (such as OpenBSD and their code audit) do not report all bugs. As for their reasoning, I don't know, but they will report bugs that users find, but not things they find during their code audit.
So yes, UNIX vendors DO report and patch their bugs.
This week, MS has said that they no longer will be publishing full bulletins to Bugtraq; they will only publish links to web pages.
This is bad for two reasons:
First, MS has a nasty habit of moving their web pages around, and not using redirects; so the link they publish today may not be available tomorrow (or next week, or next month) even if the vulnerability is still important.
Second, MS can "edit" the web page to say anything they want, after the fact. They can surreptitiously add/remove information from any bulletin at any time, and not tell anybody - an "extension" to a known vulnerability (such as the IIS Unicode bug, which was patched a year ago, but still reared its ugly head this summer) can be silently "updated", and nobody is any wiser.
Bugtraq is a full disclosure list - and this is a definite step away from full disclosure.