L0pht Joins MS As BUGTRAQ Outcasts
SmellyBrain writes: "As a follow up to the recent story of BUGTRAQ no longer publishing Microsoft advisories, it seems they are no longer publishing advisories by @stake (the company that brought the L0pht). ZDNet has an article about this here. It seems that just like Microsoft, @stake changed their advisories to include minimal information and a link to their Web site. You can find the message by the moderator, Elias Levy, asking for the subscribers' feedback here. This is a very dangerous new trend in the security industry."
You did not kill my point, only dragged in irrelevant sidepoints. You reduce the risk by spreading the data over multiple platforms. Granted, this requires a resourceful IT department. If you do, though, you will not lose it all when the kiddies attack.
Stop the brainwash
Since MS has posted KB on their MSDN and/or Technet CDs for quite a while, I fail to see how this can happen. Will they stop doing that as well? Doubt it.
Also, this really isn't l0pht we're talking about, it's @stake. Once you sell out you are often forced to submit to things that you don't like. (like ads for PT Cruisers with your logo on the side)
I have put a copy of the original mail up at http://www.catatonia.org/bugtraq
That would be a big step in quieting your enemies. If you can't legally install the software without agreeing to a license that prevents you from telling anyone about its shortfalls then I suppose there will be much less ammo for the competition. If you don't know what's wrong with something it is hard to position yourself as an alternative.
Not that I agree with this approach, but it's not like they're hiding anything. They are disclosing everything, but asking you to visit their site. For what gain I don't know since it's a plaintext file without any links, let alone any advertising...(which is of course a good thing)
-- Soruk
Or to further drive the point home with a hammer:
Butt "brought" is a reel word, so a spell chequer wood knot half pict up on it.
Anonymous Moron
At least I'm not an Anonymous Coward.
Ten bucks says "kludge" means what I thought it meant.
You dickhead.
You know they call 'em fingers but I've never seen 'em fing. Oh, there they go.
There are three types of hydrogen... there's your ordinary hydrogen, there's deuterium (with one neutron) and there's tritium (with two neutrons) - the last of these is also radioactive.
-- Soruk
Depends. IANAL, but since M$ would still be offering their own 'solutions' ala BugTraq available on a publicly accessible web-page, it would be legal to copy and distribute that information provided that you make no claims to ownership, do not change the information, and do not charge for it.
:P
Because, let's face it, if we were not meant to print out copies from web-pages, Netscape would not have a Print button.
Mr. Hu is not a ninja.
Bugtraq isn't going away. If it becomes illegal to run it in the US, we have contingency plans. If it becomes illegal to read it in the US, then that risk is up to the US readers to assume.
They're sending you to a link which they can update as more information is available.
If they were really interested in improving security service to their customers, they'd just post a second advisory and adorn the first with a link to it.
That way, you get the early information when it's available, you get the later information when it arrives (and it gets brought to your attention), and you have a history to peruse of what was known and done.
The other way, if they change the advisory on their page, you're not notified of the potentially valuable new information, so it's much easier to miss it. If asked to demonstrate why you did something, you could return and find your supporting evidence reversed. The changes could actually drop information you remain interested in.
The only advantage provided by the approach they did take is that it conceals the history of the report, giving the company more room to falsely polish its image - at your expense.
This fits Microsoft (and many of today's "businesses") to a T: promote the company, trip up the customer.
I'm amazed anew every day by the apparent willingness of the majority of customers to be harmed and then bamboozled by transparent excuses. Perhaps someone (I speak seriously) could explain this to me.
I wonder if some freenet-like project could be devoted to archiving useful information which would otherwise be so controlled. I think there would be a very strong case for fair use, especially as the primary value of the archive would be in the contained facts, not their expression.
There already are assorted non-IE irritants scattered throughout the site, and a month ago the main page went blank for two weeks with my Netscape version (due to bad Javascript in the Netscape-oriented page). They're already not supporting Netscape well, and if they made IE their only supported browser then things can easily break.
A full description of the statement can be found here.
A full description of @Stake's response can be found here.
A full description of Microsoft's response can be found here.
this is a left handed sig
What I think should be done is the advisory should contain all of the details. There should be a link back to the posters site where they will be updating the advisory. They should also let vuldb@securityfocus know as well.
Microsoft aggravates my Tourette's syndrome.
It does create however a single point of failure. I think the information should be posted to both places.
Microsoft aggravates my Tourette's syndrome.
> I'll tell you exactly why this is dangerous. It
> allows the vendor to add/edit or delete the
> advisory *without* telling anyone.
While the most obvious problem, it's not the major issue in my mind.
When a message goes to bugtraq, it is immortal. It never goes away, ever. Even if the BUGTRAQ main archives are wiped out, it's replicated in so many places, under so many different points of control.
When it's on a website, if the company folds, or redesigns their website, or has a hard drive failure and finds their backups weren't working...
The advisories are gone. So in the future, if anyone has a reason to need them for any reason, they simply are not available.
That's only part of the problem. It's an annoyance. BUGTRAQ is a single point of information. I go there and I can find out about all sorts of security problems, with in-depth information (usually) on how I can assess my vulnerability and reduce or eliminate exposure.
If one company (like M$) starts releasing no-content advisories, and making me go to their website for the info (M$ is a bad example of course since NO M$ advisory could possibly affect a UNIX sysadmin like myself ;)), that's annoying. However, if several companies start doing it - it essentially makes BUGTRAQ useless - I now have to spend more time bouncing from source to source.
It discourages active security monitoring. It makes more work for me...and the end result 90% of the time is finding out that it's not a problem that affects me anyway (either due to specific version issues, or not being software I am actually using, or depending on features that I am not using).
This is just bad all around. It decreases the value of the list. It makes it harder and more time consuming to keep current - which translates directly into more people deciding that they just don't have the time/energy to do it. Not all of us have infinite time to keep up with this stuff.
-Steve
"I opened my eyes, and everything went dark again"
If a particular exploit is changed from little or no risk to high risk, then a new advisory will be posted to warn people of this (if this was not the case, this means that you would have to spend all days and nights scanning little or no risk advisories to see if their rating changed).
The real problem is in the other way. If an advisory has been posted that said that on Operating System X version 6.37, the software foo version 117.12 has a hole, I expect this information to stay here. Having a link to an external resource puts this information at risk. If, 5 years after that, I need that info (for instance, because I happen to have a X-6.37 with foo-118.12) I need the correct link. (I expect security reports to be mounted with the immutable flag, like any respectable root partition, or to be in an append-only chflagged file :-) ).
I agree in advance with the fact that, in the l0pht case, they probably don't plan to remove advisories (but M$ surely does).
There are a lot of resources here that were only available in deja usenet archives. I recall replying to technical Cocoa questions with deja usenet links on next-progs. If someone now scans the mailing list archive, he'll be left with incomplete answers. This is why linking is sometimes a bad idea.
Cheers,
--fred
This is definitely a struggle for control of information. bugtraq wants it all on their list and the vendor wants it back on their website. I honestly prefer to have the information available on a vendor-neutral site like bugtraq, but I fear trying to force vendors to do this may cause more problems than it solves.
I want to use bugtraq as my primary source for security updates - and if all of the posts are not sent to bugtraq. And especially if groups like l0pht or others stop sending them through bugtraq, I'll end up having to follow many more websites and mailing lists for my updates. This is not good for the security community at all.
--
Twivel
And stuff has been removed out of that. There have been articles I need taken out of the CD version.
You're not worried about whether people find out about a possible security issue anymore. You're worried about people coming to your web site so you can make $$$. Sure I need to make money as much as the next guy. That's not the point. Do any of you really think this was the idea of any of the original L0pht members? Nope, it's their corp buddies they sold l0pht to.
Ok, here's one I just don't get. Of course we all know that MS, et al don't like full disclosure because then everyone knows how easily they can be 0wn3d.
But if L0pht is so leet, then wouldn't they want everyone to know about all the 'sploits they found?
Is this rock and roll, or a form of state control?
Sometimes, you come across conflicting information. If you know who's clued in and who's a moron, you know what to read first, and what to lean on (at your own risk). Microsoft is taking that away from us. How can we trust them when they are making our job harder?
Stop the brainwash
Let's assume for the moment that they're not trying to sit on bugs. So, they want people to read their content. Now, the only advantage to them reading their exact wording on their server exclusively is that it gets them onto their servers.
Except that neither of them carry banner ads, so a hit _costs_ them money rather than making them money. There's a small argument that they might want people on their site to get them to click around on it and get some more information (and therefore, hopefully, buy something) but if you're going to want that then surely it won't make any difference where you read it - I mean, if you're interested you'll go there from the e-mail in all probability and if you aren't you're just going to jump straight out anyway.
So the logic of this decision on both of their parts rather falls down IMHO. Microsoft come across as wanting to stifle reporting and discussion of problems in their software (what a surprise there!) and @stake come across as a group new to the game who don't understand what they're doing. Neither is something I'd want people to perceive of me.
Greg
(Inside a nuclear plant)
Aaaarrrggh! Run! The canary has mutated!
Yeah you could buy the MSDN CDs or you could order the free subscription like I did.
Date: Wed, 13 Dec 2000 16:24:53 -0500
From: Weld Pond
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: @stake Advisory Notification Format
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I think everyone out there knows that we are committed to full disclosure and the concept of freely available security advisories. Many vendors do not issue bulletins after we report problems to them, even after they subsequently fix the problems. Without advisories from independent researchers there is no check on product vendors. This is a service that we give to the security community because we think it is the right thing to do with the fruits of our research. With our new mailing list notification format we have not changed this one bit. We are giving out more information now in our advisories than we ever have before, so we are certainly not withholding anything. Quite the opposite. Over the past few months we have expanded our overview sections that allow non-technical people to scope the problem. We have expanded our detailed technical discussions of issues, many times including detailed source code examples. And, I think most importantly, we have greatly expanded our solutions discussion so that people are not always reliant on vendor patches. We need many ways to mitigate vulnerabilities because there are many environments.
The advisory notification format we are using has about the same amount of information as the paraphrased advisories that Elias posted for the latest Microsoft advisories and the same amount of information that some other researchers post in their advisories. This is more than enough information to decide if the issue at hand affects you and you need to dive deeper into our analysis.
What we are doing is adding more information than we have in the past and we are adding it on our web site. There are plans to add much more. We think that our web site and its accompanying web technology is the best place to expand our free information dissemination into the future. We have many ideas in store that I know people will appreciate. Of course, notifications of important information releases will be made to mailing lists that accept them so everyone who wishes to can read and use the information. We may even set up our own notification list if there is a demand for that.
We have stayed away from cluttering up our advisories with marketing gorp, like ads about our services or ads about our company like many commercial research teams do. We pride ourselves in publishing our research on an academic level and always have. This will not change.
weld
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0
ib3tUth1nKtH15ofF3r5U50M3/3-leet/++m345Ur30fPr0t3cT1oN...,D0ntUNoW??
-----END PGP SIGNATURE-----
If you know Weld Pond personally (I do) you'd probably have a different opinion. I think his quote in this particular article was probably taken a bit out of context, or at least placed in the wrong context. I know that Mudge pushed fairly hard for the compromise that has actually been reached with BugTraq.
I'll tell you exactly why this is dangerous. It allows the vendor to add/edit or delete the advisory *without* telling anyone.
Let's say Microsoft decides to end of life NT 4.0. Since it's not supported anymore, they don't publish advisories or fixes for it. Then one day, boom. ALL NT advisories are simply deleted from Microsoft's website. The only thing left in BugTraq archives is a bunch of dead links. OR worse yet... they go through all 98/Me/2000 advisories that also mention NT, and just remove NT from the affected OS's line. They could certainly do this, and could justify it by saying "NT isn't supported anymore." This would certainly accelerate any Win2000 upgrade plans I had, and that's the whole point of this.
@stake's new format is not nearly as bad as Microsoft's, but I still firmly believe they need to post the entire advisory to BugTraq.
Who cares about Technet CD's? You missed the entire point. The Microsoft example was just that--an example. Any vendor could pull the same stunt. The point is, the new format is unacceptable from anyone--Microsoft, @stake, or whoever.
This is bad. Now I can't see the details about a security hole without firing up a web browser and going round half a dozen sites... Or if I've already been hit by some denial-of-service, I won't be *able* to fire up a web browser to see which of the many security holes it might have been.
MS doing this doesn't bother me personally since I trust them so little I don't run their software, but if this becomes a trend, it'll be a blow for security... and that's something so fragile we can't afford to make it harder...
And yes, I think everyone's fear of companies rewriting earlier reports to make them seem less serious or "accidentally" moving them so the links are dead is a very real one.
- Muggins the Mad
Has anyone noted the BIG security bug of this new approach? No? How about response time?
Let's think. L0pht or M$ find or get a new security exploit. Two ways to go. One way is that the exploit is published ASAP. However links, bad communications, heavy traffic and this stupid copyright protection delay the spread of the news. In cases of serious and massive DoS or E-mail trojans this is a very serious possibility that some may exploit.
The second way. The notice is held to avoid panic/bad publicity/exploits. Good if the bug came from inside. MAYDAY if the bug was found outside. RED ALERT if this is a cracker's finding. Under such a trend news will surely get quite slow. And meanwhile the underground may already be attacking full arms somewhere. But that's not the worst. Our good corps may try to force the white hats to shut their mouths on the basis of such copyrights and other things they may think of. Then it will be a nightmare case. Imagine news roaming through the IRCs and underground chats and Bugtraq with a piece of material around its mouth. That will not be overkill. That will be the revival of Morrison's times.
Now L0pht may go the first way. M$ has already shown good examples of going the second way. Add the possibility of a UCITA on security issues and go get a cup of coffee. It may be the last you may calmly drink, without thinking too much about the work...
Is it just me or does it look like information exchange will become the next currency? As information like this with great value becomes more and more restricted as IP I bet we will see information of ANY value become something you have to exchange for or get paid for. Question exchange exemplifies this theory nearly perfectly. To get good answers you have to pay for it.
Personally I think this will continue in the direction of "Security Breach/Bug information is actually IP to be sold" unless the community at large takes note and says "NO MORE!"
So what do you think? Will this go too far and threaten the security of the Net at large or will the information somehow "make its way" onto the net in free forums?
What? me have a sig? don't be ridiculous.
More to the point it's Microsoft wanting total control.
Microsoft always makes the argument that when they don't have total control the consumer suffers.
But for all their cries for innovation.. Innovation doesn't happen in a vacuum.
Microsoft doesn't trust its users, doesn't trust developers who code for them.. they don't even trust the Microsoft trained SysAdm...
It's the SysAdm's job to track this stuff.. Microsoft puts out the best patch they have.. They can submit new updates to bugtraq as things progress.. They don't need to retroactively change bugtraq reports.. can they retroactively change the work already done? No.. they can't.. Change the bugfix and issue a NEW report..
Why does anyone trust a company so clearly incapable of trust...
I don't actually exist.
The real evil thing will happen when it will be ILLEGAL to report a security flaw to lists such as Bugtraq.
Could you really plausibly see this happening? I mean, I know there's some stupid laws around, and I know they have a habit of getting stupider, but the inability to point out software flaws? It's so easy to make comparisons to traditional industries like appliances, cars, food, and so on, and show how if you disallow software flaw reports, then you'd also have to disallow reports (including safety reports) in these traditional areas. Government agencies themselves will often produce these reports, consumer watch groups in particular. And the free speech is clear, the same as if you wrote a letter to a newspaper describing how some car can malfunction and kill you.
Sorry, but I just can't see this particular crazy thing happening, no matter how hard I try.
Quidquid latine dictum sit, altum viditur.
Well I forgot to mention this on my previous post. /. effect on a top security issue. And how will they react if their servers get damn loaded? What measures will be taken then?
Can these guys, who care so much about their customers, hold up a
If they down the server and don't present the info somewhere else? And if some one drops some snake oil on a forum like
/. or BugTraq after they do this?
Note - BugTraq is a list. So, no matter the critical level the situation, the information already manages to get critical mass. Besides BugTraq does not restrict information of being spread. Now we have here one point. One single Pearl Harbor. Oh, hey, Pentagon! How do YOU think about this stuff? It seems you talked about such things, well in somewhat different context, quite recently... How is the feel that suddenly Big Money Corp creates you a whole new Arizona right on your backs?
Date: Wed, 13 Dec 2000 16:24:53 -0500
From: Weld Pond
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: @stake Advisory Notification Format
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I think everyone out there knows that we are committed to full disclosure and the concept of freely available security advisories. Many vendors do not issue bulletins after we report problems to them, even after they subsequently fix the problems. Without advisories from independent researchers there is no check on product vendors. This is a service that we give to the security community because we think it is the right thing to do with the fruits of our research. With our new mailing list notification format we have not changed this one bit. We are giving out more information now in our advisories than we ever have before, so we are certainly not withholding anything. Quite the opposite. Over the past few months we have expanded our overview sections that allow non-technical people to scope the problem. We have expanded our detailed technical discussions of issues, many times including detailed source code examples. And, I think most importantly, we have greatly expanded our solutions discussion so that people are not always reliant on vendor patches. We need many ways to mitigate vulnerabilities because there are many environments.
The advisory notification format we are using has about the same amount of information as the paraphrased advisories that Elias posted for the latest Microsoft advisories and the same amount of information that some other researchers post in their advisories. This is more than enough information to decide if the issue at hand affects you and you need to dive deeper into our analysis.
What we are doing is adding more information than we have in the past and we are adding it on our web site. There are plans to add much more. We think that our web site and its accompanying web technology is the best place to expand our free information dissemination into the future. We have many ideas in store that I know people will appreciate. Of course, notifications of important information releases will be made to mailing lists that accept them so everyone who wishes to can read and use the information. We may even set up our own notification list if there is a demand for that.
We have stayed away from cluttering up our advisories with marketing gorp, like ads about our services or ads about our company like many commercial research teams do. We pride ourselves in publishing our research on an academic level and always have. This will not change.
weld
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQA/AwUBOjfpbaKvhX2AQSGyEQL27gCeKYX8tX++ormy4c/v1qe2RtlSn7gAoOzg
C9aiKSrI694BEHvkh8uRE+mn
=MyCw
-----END PGP SIGNATURE-----
I try not to trust a single source, btw. If I find dissent among the experts, I'll look closer at it. But I want the option of looking at multiple sources. Though this may not be catastrophic, Microsoft is still trying to restrict information and move it onto their own servers that THEY control.
Crap. All they're doing is censoring their own information. The information you get from Bugtraq or on the MS web site will still be from the same source - MS. No one else's opinion gets posted to the MS web site (and never has), but that doesn't mean that discussing the issue on other mailing lists is forbidden.
If anyone is censoring or restricting the flow of information it's Bugtraq.
How about this: links to advisories are accepted, but the publisher gives the list maintainer irrevocable permission to mirror the advisory, and to accept any updates to the site at his/her discretion.
This way, stuff doesn't disappear or get 1984'd.
Not so insightful...
/. editors, here, /. made the point.
From Weld's post:
The advisory notification format we are using has about the same amount of
information as the paraphrased advisories that Elias posted for the latest
Microsoft advisories and the same amount of information that some other
researchers post in their advisories. This is more than enough information
to decide if the issue at hand affects you and you need to dive deeper into
our analysis.
Now pick up their controversial post and see what is there. There is not a single hint about the exploit. Only that there is one exploit and that AOL fixed "thank you"... The only detail:
"We initially contacted AOL on 11/22/2000 regarding this issue. They have a
fixed version, 4.3.2229, dated 12/6/2000 available now. We appreciate
their timely response."
That's the only detail in the whole post! Everything else is so general that I could say ICQ with the same success...
Now if we pick Weld's citation we see one thing. He justifies his moves. But not on the point of how and why they feel they are right. They justify its amount as:
"same amount of
information as the paraphrased advisories that Elias posted for the latest
Microsoft advisories and the same amount of information that some other
researchers post in their advisories"
So they step themselves in the same side of Microsoft. M$ does this, we also do. Good point.
No matter the yellowness of some
-lb
we can do nothing to stop the cash engine buying everything from my shit to the whole of Hong Kong, so what?
xcyber -- "Complexity for the sake of complexity is not a solution, neither is simplicity for the sake of simplicity"
Perhaps places like BUGTRAQ should get themselves qualified as a library/archive. That way they can deal with copyright issues the same way libraries do.
A post on bugtraq has clarified this. Basically, the moderators of bugtraq felt that it is still a discussion list, and as such should not have bulletins posted that are just pointers to a website with information. Therefore, the l0pht has compromised and posted a mostly-complete version on bugtraq. Both sides agreed this works best. I really don't see any parallels between this and MS, since Microsoft wanted bugtraq to post less, and bugtraq requested that l0pht post more.
Pretty dumb comment for a "unix guy". Supporting more than one operating system has numerous advantages, and not just in the security department. If there's simply a bug in one of the operating systems, then only half the computers get affected.
It requires more resources, however if your operation is of a critical nature, then a heterogeneous environment is absolutely necessary, to prevent a single failure from taking down all systems.
For exceptionally important servers, (as an example), it's fairly standard to have two of them running in parallel, but with completely different hardware, running different operating systems. This way no one bug can take down the cluster. I've seen, more than once, a rack of Netfinitys, next to a rack of PowerEdges, and they all run the same apps.
As for interface risks, that's a bullshit argument made by somebody who either got bit by some minor incompatibility at some point, or who always runs homogeneous systems, blindly assuming that if they run the same OS, they must be more compatible. It's utterly and completely illogical, unless your in-house coders haven't learned the word 'portable' yet.
Anyway, I shouldn't respond to trolls, it's a waste of time.
--
"Don't trolls get tired?"
I think that by sending links instead of full descriptions, M$ has made bugtraq less useful, and by removing M$ from bugtraq, it gets still less useful.
It's sad, but in this war M$ has less to lose than bugtraq. And I'm afraid that other companies will do something like that.
I think that Bugtraq has been severely wounded. It won't be the same anymore.
The benefits to an agency that only posts links instead of the full advisory are mostly perceptual, so the image I've gotten from MS and AOL taking this stance is that they just want tracking (MS is (was?) using web bugs in articles). The l0pht doing this doesn't make any sense to me. What gives?
Anonymous Cowards need not reply.
When you live in a sick society, just about everything you do is wrong.
Question:
How long would it take to kludge together a quick'n'dirty script to grab and parse those links to the main articles in the shortened advisories that they now publish, and then to run that script on some server in
.ru or somewhere else untouchable for the greater good of the net?
Answer:
Not very long
Hopefully.
You know they call 'em fingers but I've never seen 'em fing. Oh, there they go.
hi weld
@stake bought l0pht, they did not bring them to us. Perhaps a spell checker was used...
So now L0pht, or what was, is as fucked up as M$ is. Whoooo.
Can we just shoot these people in the head for being retarded?
"Why do you consent to live in ignorance and fear?" - Bad Religion
-Legion
Wouldn't it be scary if lots of companies gave up their longstanding policies of full disclosure, started hiding security problems from their customers, or even denying that the problems existed, in lame hopes that obscurity would make their systems safer?
--
Sheesh, evil *and* a jerk. -- Jade
I don't think YOU get it. Would you want the manufacturer to assess the product, or hired outside help/expertise? Who would benefit from deception? And should we not be allowed to choose who we trust?
I try not to trust a single source, btw. If I find dissent among the experts, I'll look closer at it. But I want the option of looking at multiple sources. Though this may not be catastrophic, Microsoft is still trying to restrict information and move it onto their own servers that THEY control. If Microsoft was a government agency withdrawing previously public information, do you think the watchdog organizations would leave them alone? No? I didn't think so..
Stop the brainwash
Coming from a group of people that supposedly believe in full disclosure and information being free and accessible, this is certainly a step away from the accessibility part. Administrators checking their email could be using a console, and therefore it would be more difficult for them to get all the information on the advisory. AFAIK bugtraq was designed as a place to post security advisories, not pimp a link to an advisory and advertise your website.
this actually can be taken a step farther... with only one copy located under their control the companies become more lax about their initial releases due to the mentality that "we can always update it later" and the quality suffers. Fact checking will be done after the fact, fixes won't be regression checked for new vulnerabilities until they've already been installed by most people, and of course they won't issue this as a new release, so people will think "I've already got the fix for that problem" when in reality they need the fix for the fix.
This is parallel to the quality of software in the "internet age" where the ease of shipping a fixpack or service release has greatly lowered the quality of "dot oh" or "point zero" releases. I know at least one company that has at least one, sometimes two fix releases in the pipeline at all times; usually there is a service pack ready for the web before the cds for initial release have made it to the customers.
ok, so maybe you're going off the deep end here, but I think it is very possible that this could have an adverse impact on the security industry. Advisory services (and even individual developers) are judged on the timeliness and accuracy of their alerts. When an administrator has to make a decision about how serious an advisory is, they look at the reputation of the advisor. If advisors have the right to change their advisories after the fact and prohibit offsite archiving (sort of like rewriting history) they are beyond retrospective analysis. A security expert may make the claim that someone released an inaccurate or late advisory but without a trustworthy archive to point at, they can't even claim that the advisory has been updated since first release. This seriously undermines peer review which is a cornerstone of software security.
How we know is more important than what we know.
When the LoveBug hit, it took something like 3 days for a search on microsoft.com to show even a mostly useless hit. Fortunately, Slashdot coverage was timely and informative enough to quickly clean up a couple of infected systems.
Cheap trick. Put something like 123@bad.news in your address book.
Too many MS droids with moderator points.
You raise a scary scenario. Reality may well be worse.
Some observations from the LoveBug episode. It took Microsoft something like three (3) days to get anything searchable on their site, and what they put there was not particularly useful. Slashdot coverage was timely and informative enough to actually quickly fix a couple of hits, and Slashdot is neither a virus-alert nor a Microsoft site. If, i.e. when, disaster strikes, you want as many lines of communication open as possible, right, wrong, and indifferent. If the information is relevant, surely you verify or check more than one source.
Funny thing is, that uSoft also warned against literally copying their own text. It wasn't permitted. I don't think liability is it...
nosig today
Unprintable. Unspeakable. Unpublishable.
When I write my operating system I'm going to folow Microsofts example.
In my liccens agreement I'll require that bugs in my operating system can only be published by me. The same with bug fixes.
I may issue liccens allowing a select few to publish bugs and bug patches but thats totally up to me.
All my bug reports and bug patches will be posted on my website. Nobody gets credit for finding bugs of course...
The goal of my operating system is to become the worlds crappyest operating system on the face of the earth....
(My spelling of course gose a long way to getting it there)
I don't actually exist.
Suppose I have a duty to demonstrate that I took appropriate measures given what was known at the time? Suppose I have to exercise "due diligence", and keep a record of what was done that can be verified by an auditor some time later. I may still be able to keep a record of what I did, but how can I show that it was reasonable given what was known at the time? If the details are on someone else's web site, with no assurance of a dated archive, and a copyright policy that prohibits me from taking snapshots and having them timestamped (by some independent notary), where does that leave me in producing some argument about what was known at the time? (Fortunately, I don't have to do this myself, but it is not such a crazy thing to expect.)
I understand the desire to provide the latest information, and it is a good idea, but it is not the only requirement. What would be so hard about putting a "latest information on this issue is here" link at the top of a full disclosure dated and signed bulletin? It may be uncomfortable to leave a fully detailed record of how long it took to deal with a problem, but I think companies that take that pain would get more respect once people got used to the idea, if it was allowed to run and not be killed by short-sighted liability claims.
Heh, I just worked it out. By sending bugs as links to web pages, they can gather extremely accurate information on who is running what and where in the net they are.
With the traditional email system, there is no feedback, other than the individual mailing list email address lists - which I hope are hidden even from list members.
With this method, most of the people who go to the trouble of reading the web page will be people who actually _use_ that piece of software. By making it _relatively_ difficult to read a bug report they are trimming off the "chaff". The rest of them will be crackers (90%) and some merely curious.
Now with the web logs, they can reverse lookup the IP and get company/organization name, location, approximate size (IP ranges) and even admin contact email address!!!!! Gee, those admins might even be the people reading the page!
Makes for a *damn* efficient database for targeted marketing campaigns, plus great statistical data for customers. The crackers and curious can be filtered out - dialup accounts, DSL @home, etc are probably crackers/curious and can be discarded without major impact on revenue.
Firstly, a company can see where people are using its product. They can then choose to target those people for upgrades/other products. They can also save money by not trying to sell their product in a certain geographic area/market sector and concentrate on other, lagging market areas.
Second, and here's the kicker, a company can buy a competitor's data - AND TARGET THEIR CUSTOMERS!
You can't buy that kind of information! Well, now you can. To have a list of companies who are almost certainly running a package with a security hole, and be able to contact either/both the Suits and the Admins with an alternative product within hours/days of the bug being announced - and it was announced by a trusted third party: bugtraq!
The market droids should be wetting themselves in anticipation!
Glen Harris
lgftsa + yahoo - com - au
Just because it's MS doesn't make it dangerous. They're sending you to a link which they can update as more information is available. That makes more sense than issuing a release of information every time there's the slightest change. The main purpose of bug reports is to make sure everyone has the most up to date information. This seems like a good way to do it.
THIS SPACE FOR RENT
subject says it all...
They (@stake, Microsoft, and others) don't make money off page views over at BUGTRAQ. They do, however, have the opportunity to make money off page views on their own websites.
Speak truth to power.
In the case of L0pht, they aren't releasing advisories generally about their own products like MS is, and they aren't taking them from anyone else, they are writing them themselves based on their own research. So if they want to take all the glory.. that's just fine with me.
Repeat after me: A computer is not like a car!
Shit happens in the computer world that has no parallels in the rest of the world.
--
Fuck the system? Nah, you might catch something.
How many different OS-es will the kiddies need to master?
None.
Heterogeneity is simply another obscurity, adding interface risks.
Oracle and unix guy.
When the internet worm struck (which was luckily not my problem 'cause i didn't have internet access other than e-mail routed through an ugly waffle gateway from a local bbs, and my usage basically consisted of using some ftpmail gateway to get at the programming part of the simtel archive...) it took down a whole host of servers, and flooded a lot of pipes. There were a lot of places that could no longer communicate with each other. That is part of the reason everybody set up and is maintaining security lists. E-mail is good because if you send a message to all 10,000 people who are signed on to your security list, even if a lot of the net is down, anywhere that is still up will get them, and will be able to fix the problem. Now if you have all the guts of your message on a web server somewhere, you are stuck if that server is down. What this trend represents is taking a FUNCTIONAL ROBUST SYSTEM and replacing it with a system based on a SINGLE POINT OF FAILURE that is PROVEN TO BE WEAK. The slashdot effect takes servers out of commission for hours at a time, imagine a large network security crisis like the internet worm... People are for political or economic reasons undermining all sense of practicality. L0pht because they want you to read their disclaimer so they don't get their asses sued, and microsoft because they want to have ultimate control of everything, even if it really screws over the end-user.
---
Play Six Pack Man. I
What's next, MS is going to stop me from going to the site and e-mailing it to somebody else. Then what if they forward my message to somebody else yet.
The whole reason for these bulletins is to notify customers of potential problems. The only reason I can see for the redirect to a website is so they can track who is actually looking at these things. Normally I wouldn't worry, but since it's MS I just have this creepy feeling that they're trying to do something underhanded with the data they're going to collect. Let's face it, what could they possibly do to make the service better by knowing who's reading the bulletins. It can only get worse.
They'll probably do something like try to do a reverse lookup and find out who the customer is and give them a different synopsis so the bug doesn't sound that bad. Or maybe if nobody goes to a bulletin listing, they'll just stop reporting similar bugs so MS doesn't look as bad. Then it's just going to go back to where it was a year ago when everybody just posted the exploits. Then MS will try to use one of those new stupid laws that the techs understand better than the lawyers do, in order to halt posting of the code. Then it will infuriate everybody and they'll post it everywhere like DeCSS. They're just running around in circles. That's pretty normal for a company that can't innovate.
Yes! We really, really do need this. First, we need a homogeneous environment, to make sure all computers can be taken down once one is down. Then, we need to make the users as unaware of the problems as possible, and thus let the skript kiddies rule the world. It will be SOOO nice when we're all 0wned. I can't wait. My ports are tickling in anticipation.
So - how do we tell our bosses that Microsoft is digging its own grave?
Since I'm on an honesty trip - are we sure it's wise to standardize on ANYTHING? If it's all standardized, the hackers usually get full access right away. However, if some work stations are macs, and some are win32 machines, with a couple of Linux-es in for good measure.. How many different OS-es will the kiddies need to master?
It's sort of like cloning. Sounds like a good idea, 'till a disease arises.
Maybe we can start suing them? Their software is not really malfunctioning, as much as their information policy. Could that be a way to attack them in court?
Stop the brainwash
This is in my opinion a bad decision by MS.
If I cannot easily get full info about security (and other) issues in the OS I run on my servers, guess what, I will NOT run that OS on any server I'm responsible for.
Seems like every time MS does something like this, a new MS-owned version pops up, at least. Make MS look good and other OSes bad. With all the heat they take for their products, may be a good idea, for them.
Welcome to Microsoft's bug.net. Please only use IE, as Netscape has an unresolved issue which will cause your computer to catch fire when you click refresh-
This month's new reported bugs -
MS Windows (All flavors) - 0!
Linux (All flavors) - 11,843
*BSD - 1,253
MacOS - 1
Commercial Unix (except IBM) - 27
IBM (All flavors) - 12,335,672
News
New Mindcraft study shows new bug.net as most reliable for bug reports.
You get the idea. We've seen it a million times before.
"This is a very dangerous new trend in the security industry." Yeah: All around security is going to go DOWN. So? Anyone who uses M$ is just asking for security problems already. As for the rest of us, we'll just have to put some work into finding holes in our systems before someone else does. It's not as if without l0pht and M$ no one will know about bugs. It'll just be posted elsewhere. Big deal. That's my 2 cents.
Maskirovka
-History is on the move: those who can't keep up will be left behind. Those who get in our way won't be around to see it.
Ok, this is not a big problem. Bugtraq readers can still write their own version of the issue and post it to bugtraq. Their complete advisory is copyrighted. They own it and can ask you not to post it in its complete form.
The real evil thing will happen when it will be ILLEGAL to report a security flaw to lists such as Bugtraq. UCITA has provisions for this right?
It could have been worse.
From the article:
So - now we're not gonna be able to inspect the change logs? What the hell, Microsoft! Those of us who take security seriously, really NEED to know this stuff. When. What. Who. How. Was it successfully remedied? What remedies were proposed? This is all essential information when you assess who to trust. Maybe that's why they won't let us know.
Stop the brainwash
they know it so "inside out" that they wrote big security bugs into it.. thus the reason why we are talking about this!
How we know is more important than what we know.
you "obviously" have no argument. Bugs, yes, blatant security flaws, no.. that's irresponsible and inexcusable. We're not talking about "default password is null" bugs here. We're talking about "copies data into stack based buffer without checking source size", the same security bugs that have been reported in code since Zardoz. And I don't hide bugs from my supervisors.. we have a development process that is realistic and structured to handle the fixing of bugs, not the hiding of them. That's enough troll food for one day.
How we know is more important than what we know.
Quote - "This is a very dangerous new trend in the security industry." Since when is Microsoft part of the security industry? They ARE firmly entrenched in the obscurity industry. (and apparently digging themselves deeper)
No, @stake is. The l0pht guys probably aren't thrilled about it but I'm guessing they aren't the guys making the decisions.
It's not that hard to pull the UCITA from nccusl.com and look up the provision that you claim is in there.
If you're going to make public claims about what the law says, you really ought to provide a citation or do your research first.
Geeze... people would love to create a war where there is none.
First of all, you can see Weld's reply to Elias' post here:
http://www.securityfocus.com/archive/1/150706
I don't think anyone can accuse @stake of being anti full-disclosure.
Second, no individual or group has been "banned". Elias decides what to allow on a per-post basis. If someone sends a message without any detail, he won't allow it, as indicated. Doesn't matter if it's Microsoft, the L0pht, or me. If someone sends a message with some good detail, he will let it through.
Don't forget that Bugtraq is an e-mail list. People want to read the stuff in e-mail format. If folks want to see bugs on the web, they can look at our vulnerability database, or visit the MS or @stake website.
nccusl.org?!
Forged security bulletins - "You may follow this link to read a detailed description..." /. effect, a very bad joke, or some piece of trash that disseminates panic over the community.
/.-otted and panic is generated by some secondary actions of the "ineterrorist".
On the other side - Trojans, diverted to other sites where either one gets a damn
Panic generation. One launches an exploit and warns the app maker. Later, on the issuing of the exploit he passes the news through several sites. The app maker gets
War Games - Pearl Harbor attacks. Several scenarios where either the security issuer is taken down or his links diverted. In summary, the main information center is taken down. Meanwhile the attackers make another attack in another direction, the real objective. Among panic, chaos and disinformation, they get into it before anyone gets the point.
I recommend you people to concretize these ideas and some evolution of them... There are much worse case scenarios... Depending on some other issues...
My post to bugtraq should explain our position. We are committed to full disclosure. We are choosing to publish on our web site. Remember we are not the vendor. We do this as a free service to the security community. Sounds like people waiting in a long line for free beer, complaining that the dispensers aren't doing an adequate job.
-weld
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I think everyone out there knows that we are committed to full disclosure and the concept of freely available security advisories. Many vendors do not issue bulletins after we report problems to them, even after they subsequently fix the problems. Without advisories from independent researchers there is no check on product vendors. This is a service that we give to the security community because we think it is the right thing to do with the fruits of our research. With our new mailing list notification format we have not changed this one bit.
We are giving out more information now in our advisories than we ever have before, so we are certainly not withholding anything. Quite the opposite. Over the past few months we have expanded our overview sections that allow non-technical people to scope the problem. We have expanded our detailed technical discussions of issues, many times including detailed source code examples. And, I think most importantly, we have greatly expanded our solutions discussion so that people are not always reliant on vendor patches. We need many ways to mitigate vulnerabilities because there are many environments.
The advisory notification format we are using has about the same amount of information as the paraphrased advisories that Elias posted for the latest Microsoft advisories and the same amount of information that some other researchers post in their advisories. This is more than enough information to decide if the issue at hand affects you and you need to dive deeper into our analysis.
What we are doing is adding more information than we have in the past and we are adding it on our web site. There are plans to add much more. We think that our web site and its accompanying web technology is the best place to expand our free information dissemination into the future. We have many ideas in store that I know people will appreciate. Of course, notifications of important information releases will be made to mailing lists that accept them so everyone who wishes to can read and use the information. We may even set up our own notification list if there is a demand for that.
We have stayed away from cluttering up our advisories with marketing gorp, like ads about our services or ads about our company like many commercial research teams do. We pride ourselves in publishing our research on an academic level and always have. This will not change.
weld
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0
iQA/AwUBOjfpbaKvhX2AQSGyEQL27gCeKYX8tX++ormy4c/
C9aiKSrI694BEHvkh8uRE+mn
=MyCw
-----END PGP SIGNATURE-----
This is not going to become an issue, no more an issue than "bugs" in cars or toasters has become. All companies are going to try to hide information that may damage their reputations in the press, but, exploding gas tanks are still news, and Microsoft won't be able to stop anyone from publishing such information.
In Orwell's 1984, Winston Smith's job was to edit old records, in newspapers for example, to reflect 'the truth'. For example, if 'the Party' announced that there would be a surplus of clothing in the coming year, and it turned out that there was a deficit of clothing in that year, Smith would edit the record to show that either the party announced a deficit, or that there was actually a surplus, as the party stated.
I'm being a little confusing here, but my point is that if the records are controlled by the company they're offending, and users aren't allowed to make copies of the advisories, other than ethics, which we all know that a certain company is in dire need of, there isn't any mechanism to keep the vendor honest.
Then again, is there anything stopping me from saying "Hey, I read on the [Microsoft/l0pht] site today that [package in question] has a buffer overflow, simple fix is to edit [file in question]." without actually quoting the site?
Either these guys want to track who is "interested" in these bug reports or they are just trying to siphon off Bugtraq's users back to their sites. I condone what bugtraq is doing.
Flamebait? Where is any flame on this post? Oh, oh, oh. Overrated? Maybe. Redundant? Possible. But FLAMEBAIT? Better to stamp "Troll" if you wanna take this down.
/. and two/three other news sites? What will happen if sysadmins and hackers will stand in "what the Hell is this about" seeing a site taken down and a Trojan roaming >10,000 mail servers? Yes, someone may issue an external warning with details. But that will take time. More time than a first warning case. And all this may make a whole mess. Especially if rumours are set up on the wild.
If my considerations about response time are considered as "flame", then I ask this moderator to take the guts and tell where and what I'm flaming here. You wanna tell me that these sites will hold up if someone posts the news in BugTraq,
Ok flamebait again. Hope you hold enough moderator points. If not come up to the street man. Let's see how good you are...
Date: Wed, 13 Dec 2000 16:24:53 -0500
From: Weld Pond <weld@ATSTAKE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: @stake Advisory Notification Format
Eventually, companies that deal in free/publicly supported software will also need to place these types of restrictions (that is, those above and beyond an EULA) to prevent liability exposure.
The scripts that you propose would be legal/safe if they were listed as a news item. Linkage (printed or hyperlinked) should be provided, as well as a strong (lawyer reviewed) disclaimer.
No, IANAL, but ICUAB (i could use a beer)
Why is it so hard to compromise in this situation?? A solution would be to have @stake and MS include all the known information in the advisory, AND have a link to get "up to date" information.
Bang. Problem solved.
My 2% of 0$.02
-D
The l0pht's decision to remove detailed advisories from bugtraq, and instead use links to their site containing the detailed reports is just business as usual. I was a regular reader of www.hackernews.com until they merged with @stake.
It seems to me as though Weld Pond and the rest who used to be so dedicated to the security community have succumbed to the almighty dollar, as so many others have. Hackernews.com went seriously downhill when it turned into a revenue source. I find it hardly surprising though. If you owned @stake, wouldn't you be willing to sacrifice some respect for increased web traffic and advertising dollars? Probably.
-
I'd rather have a bottle in front of me than a frontal lobotomy.
IF YOU ARE A SYSTEM ADMINISTRATOR, OR EVEN AN ORDINARY USER, YOU NEED TO READ OUR SECURITY NOTICE. THIS AFFECTS ALL COMPUTERS RUNNING WINDOWS 95, 98, NT, MILLENNIUM AND 2000. IT ALSO AFFECTS LINUX, FREEBSD, NETBSD, HPUX, AMIGA, MACOS X, BeOS, C-64, SCANT-TRON AND PALM-OS COMPUTERS.
PLEASE FOLLOW THIS LINK TO OUR SITE TO VIEW THIS IMPORTANT SECURITY BULLETIN:
http://bigsecuritycompany.com/advisories
OR VISIT ONE OF OUR MIRRORS:
http://pocketstrum.harvard.edu
http://the-loft.com
Just not as big as it would have been if someone made it illegal to post. Whenever security-related information is hindered, the blackhats gain ground. It's that simple.
Stop the brainwash