L0pht Joins MS As BUGTRAQ Outcasts
SmellyBrain writes: "As a follow up to the recent story of BUGTRAQ no longer publishing Microsoft advisories, it seems they are no longer publishing advisories by @stake (the company that brought the L0pht). ZDNet has an article about this here. It seems that just like Microsoft @stake changed their advisories to include minimal information and a link to their Web site. You can find the message by the moderator, Elias Levy, asking for the subscribers feedback here. This is a very dangerous new trend in the security industry."
That would be a big step in quieting your enemies. If you can't legally install the software without agreeing to a license that prevents you from telling anyone about its shortfalls then I suppose there will be much less ammo for the competition. If you don't know what's wrong with something it is hard to position yourself as an alternative.
There are three types of hydrogen... there's your ordinary hydrogen, there's deuterium (with one neutron) and there's tritium (with two neutrons) - the last of these is also radioactive.
-- Soruk
Bugtraq isn't going away. If it becomes illegal to run it in the US, we have contingency plans. If it becomes illegal to read it in the US, then that risk is up to the US readers to assume.
They're sending you to a link which they can update as more information is available.
If they were really interested in improving security service to their customers, they'd just post a second advisory and adorn the first with a link to it.
That way, you get the early information when it's available, you get the later information when it arrives (and it gets brought to your attention), and you have a history to peruse of what was known and done.
The other way, if they change the advisory on their page, you're not notified of the potentially valuable new information, so it's much easier to miss it. If asked to demonstrate why you did something, you could return and find your supporting evidence reversed. The changes could actually drop information you remain interested in.
The only advantage provided by the approach they did take is that it conceals the history of the report, giving the company more room to falsely polish its image - at your expense.
This fits Microsoft (and many of today's "businesses") to a T: promote the company, trip up the customer.
I'm amazed anew every day by the apparent willingness of the majority of customers to be harmed and then bamboozled by transparent excuses. Perhaps someone (I speak seriously) could explain this to me.
I wonder if some freenet-like project could be devoted to archiving useful information which would otherwise be so controlled. I think there would be a very strong case for fair use, especially as the primary value of the archive would be in the contained facts, not their expression.
There already are assorted non-IE irritants scattered throughout the site, and a month ago the main page went blank for two weeks with my Netscape version (due to bad Javascript in the Netscape-oriented page). They're already not supporting Netscape well, and if they made IE their only supported browser then things can easily break.
> I'll tell you exactly why this is dangerous. It
> allows the vendor to add/edit or delete the
> advisory *without* telling anyone.
While the most obvious problem, it's not the major issue in my mind.
When a message goes to bugtraq, it is immortal. It never goes away, ever. Even if the BUGTRAQ main archives are wiped out, it's replicated in so many places, under so many different points of control.
When it's on a website, if the company folds, or redesigns their website, or has a hard drive failure and finds their backups weren't working...
The advisories are gone. So in the future, if anyone has a reason to need them for any reason, they simply are not available.
That's only part of the problem. It's an annoyance. BUGTRAQ is a single point of information. I go there and I can find out about all sorts of security problems, with in-depth information (usually) on how I can assess my vulnerability and reduce or eliminate exposure.
If one company (like M$) starts releasing no-content advisories, and making me go to their website for the info (M$ is a bad example of course since NO M$ advisory could possibly affect a UNIX sysadmin like myself ;)), that's annoying. However, if several companies start doing it - it essentially makes BUGTRAQ useless - I now have to spend more time bouncing from source to source.
It discourages active security monitoring. It makes more work for me...and the end result 90% of the time is finding out that it's not a problem that affects me anyway (either due to specific version issues, or not being software I am actually using, or depending on features that I am not using).
This is just bad all around. It decreases the value of the list. It makes it harder and more time consuming to keep current - which translates directly into more people deciding that they just don't have the time/energy to do it. Not all of us have infinite time to keep up with this stuff.
-Steve
"I opened my eyes, and everything went dark again"
If a particular exploit is changed from little or no risk to high risk, then a new advisory will be posted to warn people of this (if this was not the case, this means that you would have to spend all days and nights scanning little or no risk advisories to see if their rating changed).
The real problem is in the other way. If an advisory has been posted, that said that on Operating System X version 6.37, the software foo version 117.12 has a hole, I expect this information to stay here. Having a link to an external resource puts this information at risk. If, 5 years after that, I need that info (for instance, because I happen to have a X-6.37 with foo-118.12) I need the correct link. (I expect security reports to be mounted with the immutable flag, like any respectable root partition, or being in an append-only chflaged file :-) ).
I agree in advance with the fact that, in the l0pht case, they probably don't plan to remove advisories (but M$ surely do).
There are a lot of resources here that were only available in deja usenet archives. I recall replying to technical cocoa questions with deja usenet links on next-progs. If someone now scans the mailing list archive, he'll be left with incomplete answers. This is why linking is sometimes a bad idea.
Cheers,
--fred
Let's assume for the moment that they're not trying to sit on bugs. So, they want people to read their content. Now, the only advantage to them reading their exact wording on their server exclusively is that it gets them onto their servers.
Except that neither of them carry banner ads, so a hit _costs_ them money rather than making them money. There's a small argument that they might want people on their site to get them to click around on it and get some more information (and therefore, hopefully, buy something) but if you're going to want that then surely it won't make any difference where you read it - I mean, if you're interested you'll go there from the e-mail in all probability and if you aren't you're just going to jump straight out anyway.
So the logic of this decision on both of their parts rather falls down IMHO. Microsoft come across as wanting to stifle reporting and discussion of problems in their software (what a surprise there!) and @stake come across as a group new to the game who don't understand what they're doing. Neither is something I'd want people to perceive of me.
Greg
(Inside a nuclear plant)
Aaaarrrggh! Run! The canary has mutated!
I'll tell you exactly why this is dangerous. It allows the vendor to add/edit or delete the advisory *without* telling anyone.
Let's say Microsoft decides to end of life NT 4.0. Since it's not supported anymore, they don't publish advisories or fixes for it. Then one day, boom. ALL NT advisories are simply deleted from Microsoft's website. The only thing left in BugTraq archives is a bunch of dead links. OR worse yet... they go through all 98/Me/2000 advisories that also mention NT, and just remove NT from the affected OS's line. They could certainly do this, and could justify it by saying "NT isn't supported anymore." This would certainly accelerate any Win2000 upgrade plans I had, and that's the whole point of this.
@stake's new format is not nearly as bad as Microsoft's, but I still firmly believe they need to post the entire advisory to BugTraq.
Is it just me or does it look like information exchange will become the next currency? As information like this with great value becomes more and more restricted as IP I bet we will see information of ANY value become something you have to exchange for or get paid for. Question exchange exemplifies this theory nearly perfectly. To get good answers you have to pay for it.
Personally I think this will continue in the direction of "Security Breach/Bug information is actually IP to be sold" unless the community at large takes note and says "NO MORE!"
So what do you think? Will this go too far and threaten the security of the Net at large or will the information somehow "make its way" onto the net in free forums?
What? me have a sig? don't be ridiculous.
Well I forgot to mention this on my previous post. Can these guys, who care so much about their customers, hold up a /. effect on a top security issue? And how will they react if their servers get damn loaded? What measures will be taken then? If they down the server and don't present the info somewhere else? And if someone drops some snake oil on a forum like /. or BugTraq after they do this?
Note - BugTraq is a list. So, no matter the critical level of the situation, the information already manages to get critical mass. Besides BugTraq does not restrict information from being spread. Now we have here one point. One single Pearl Harbor. Oh, hey, Pentagon! How do YOU think about this stuff? It seems you talked about such things, well in somewhat different context, quite recently... How is the feel that suddenly Big Money Corp creates you a whole new Arizona right on your backs?
Date: Wed, 13 Dec 2000 16:24:53 -0500
From: Weld Pond
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: @stake Advisory Notification Format
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I think everyone out there knows that we are committed to full disclosure and the concept of freely available security advisories. Many vendors do not issue bulletins after we report problems to them, even after they subsequently fix the problems. Without advisories from independent researchers there is no check on product vendors. This is a service that we give to the security community because we think it is the right thing to do with the fruits of our research. With our new mailing list notification format we have not changed this one bit. We are giving out more information now in our advisories than we ever have before, so we are certainly not withholding anything. Quite the opposite. Over the past few months we have expanded our overview sections that allow non-technical people to scope the problem. We have expanded our detailed technical discussions of issues, many times including detailed source code examples. And, I think most importantly, we have greatly expanded our solutions discussion so that people are not always reliant on vendor patches. We need many ways to mitigate vulnerabilities because there are many environments.
The advisory notification format we are using has about the same amount of information as the paraphrased advisories that Elias posted for the latest Microsoft advisories and the same amount of information that some other researchers post in their advisories. This is more than enough information to decide if the issue at hand affects you and you need to dive deeper into our analysis.
What we are doing is adding more information than we have in the past and we are adding it on our web site. There are plans to add much more. We think that our web site and its accompanying web technology is the best place to expand our free information dissemination into the future. We have many ideas in store that I know people will appreciate. Of course, notifications of important information releases will be made to mailing lists that accept them so everyone who wishes to can read and use the information. We may even set up our own notification list if there is a demand for that.
We have stayed away from cluttering up our advisories with marketing gorp, like ads about our services or ads about our company like many commercial research teams do. We pride ourselves in publishing our research on an academic level and always have. This will not change.
weld
Not so insightful...
No matter the yellowness of some /. editors, here, /. made the point.
From Weld's post:
"The advisory notification format we are using has about the same amount of information as the paraphrased advisories that Elias posted for the latest Microsoft advisories and the same amount of information that some other researchers post in their advisories. This is more than enough information to decide if the issue at hand affects you and you need to dive deeper into our analysis."
Now pick up their controversial post and see what is there. There is not a single hint about the exploit. Only that there is one exploit and that AOL fixed "thank you"... The only detail:
"We initially contacted AOL on 11/22/2000 regarding this issue. They have a fixed version, 4.3.2229, dated 12/6/2000 available now. We appreciate their timely response."
That's the only detail in the whole post! Everything else is so general that I could say ICQ with the same success...
Now if we pick Weld's citation we see one thing. He justifies his moves. But not in the point on how and why they feel they are right. They justify its amount as:
"same amount of information as the paraphrased advisories that Elias posted for the latest Microsoft advisories and the same amount of information that some other researchers post in their advisories"
So they step themselves in the same side of Microsoft. M$ does this, we also do. Good point.
-lb
A post on bugtraq has clarified this. Basically, the moderators of bugtraq felt that it is still a discussion list, and as such should not have bulletins posted that are just pointers to a website with information. Therefore, the l0pht has compromised and posted a mostly-complete version on bugtraq. Both sides agreed this works best. I really don't see any parallels between this and MS, since Microsoft wanted bugtraq to post less, and bugtraq requested that l0pht post more.
Pretty dumb comment for a "unix guy". Supporting more than one operating system has numerous advantages, and not just in the security department. If there's simply a bug in one of the operating systems, then only half the computers get affected.
It requires more resources, however if your operation is of a critical nature, then a heterogeneous environment is absolutely necessary, to prevent a single failure from taking down all systems.
For exceptionally important servers, (as an example), it's fairly standard to have two of them running in parallel, but with completely different hardware, running different operating systems. This way no one bug can take down the cluster. I've seen, more than once, a rack of Netfinitys, next to a rack of PowerEdges, and they all run the same apps.
As for interface risks, that's a bullshit argument made by somebody who either got bit by some minor incompatibility at some point, or who always runs homogeneous systems, blindly assuming that if they run the same OS, they must be more compatible. It's utterly and completely illogical, unless your inhouse coders haven't learned the word 'portable' yet.
Anyway, I shouldn't respond to trolls, it's a waste of time.
--
"Don't trolls get tired?"
Question:
How long would it take to kludge together a quick'n'dirty script to grab and parse those links to the main articles in the shortened advisories that they now publish, and then to run that script on some server in .ru or somewhere else untouchable for the greater good of the net?
Answer:
Not very long
Hopefully.
You know they call 'em fingers but I've never seen 'em fing. Oh, there they go.
Coming from a group of people that supposedly believe in full disclosure and information being free and accessible, this is certainly a step away from the accessibility part. Administrators checking their email could be using a console, and therefore it would be more difficult for them to get all the information on the advisory. AFAIK bugtraq was designed as a place to post security advisories, not pimp a link to an advisory and advertise your website.
ok, so maybe you're going off the deep end here, but I think it is very possible that this could have an adverse impact on the security industry. Advisory services (and even individual developers) are judged on the timeliness and accuracy of their alerts. When an administrator has to make a decision about how serious an advisory is, they look at the reputation of the advisor. If advisors have the right to change their advisories after the fact and prohibit offsite archiving (sort of like rewriting history) they are beyond retrospective analysis. A security expert may make the claim that someone released an inaccurate or late advisory but without a trustworthy archive to point at, they can't even claim that the advisory has been updated since first release. This seriously undermines peer review which is a cornerstone of software security.
How we know is more important than what we know.
When I write my operating system I'm going to folow Microsofts example.
In my liccens agreement I'll require that bugs in my operating system can only be published by me. The same with bug fixes.
I may issue liccens allowing a select few to publish bugs and bug patches but thats totally up to me.
All my bug reports and bug patches will be posted on my website. Nobody gets credit for finding bugs of course...
The goal of my operating system is to become the worlds crappyest operating system on the face of the earth....
(My spelling of course gose a long way to getting it there)
I don't actually exist.
Suppose I have a duty to demonstrate that I took appropriate measures given what was known at the time? Suppose I have to exercise "due diligence", and keep a record of what was done that can be verified by an auditor some time later. I may still be able to keep a record of what I did, but how can I show that it was reasonable given what was known at the time? If the details are on someone else's web site, with no assurance of a dated archive, and a copyright policy that prohibits me from taking snapshots and having them timestamped (by some independent notary), where does that leave me in producing some argument about what was known at the time? (Fortunately, I don't have to do this myself, but it is not such a crazy thing to expect.)
I understand the desire to provide the latest information, and it is a good idea, but it is not the only requirement. What would be so hard about putting a "latest information on this issue is here" link at the top of a full disclosure dated and signed bulletin? It may be uncomfortable to leave a fully detailed record of how long it took to deal with a problem, but I think companies that take that pain would get more respect once people got used to the idea, if it was allowed to run and not be killed by short-sighted liability claims.
They (@stake, Microsoft, and others) don't make money off page views over at BUGTRAQ. They do, however, have the opportunity to make money off page views on their own websites.
Speak truth to power.
In the case of L0pht, they aren't releasing advisories generally about their own products like MS is, and they aren't taking them from anyone else, they are writing them themselves based on their own research. So if they want to take all the glory.. that's just fine with me.
When the internet worm struck (which was luckily not my problem 'cause I didn't have internet access other than e-mail routed through an ugly waffle gateway from a local bbs, and my usage basically consisted of using some ftpmail gateway to get at the programming part of the simtel archive...) it took down a whole host of servers, and flooded a lot of pipes. There were a lot of places that could no longer communicate with each other. That is part of the reason everybody set up and is maintaining security lists. E-mail is good because if you send a message to all 10,000 people who are signed on to your security list, even if a lot of the net is down, anywhere that is still up will get them, and will be able to fix the problem. Now if you have all the guts of your message on a web server somewhere, you are stuck if that server is down. What this trend represents is taking a FUNCTIONAL ROBUST SYSTEM and replacing it with a system based on a SINGLE POINT OF FAILURE that is PROVEN TO BE WEAK. The slashdot effect takes servers out of commission for hours at a time, imagine a large network security crisis like the internet worm... People are for political or economic reasons undermining all sense of practicality. L0pht because they want you to read their disclaimer so they don't get their asses sued, and microsoft because they want to have ultimate control of everything, even if it really screws over the end-user.
---
Play Six Pack Man. I
Yes! We really, really do need this. First, we need a homogenic environment, to make sure all computers can be taken down once one is down. Then, we need to make the users as unaware of the problems as possible, and thus let the skript kiddies rule the world. It will be SOOO nice when we're all 0wned. I can't wait. My ports are tickling in anticipation.
So - how do we tell our bosses that Microsoft is digging its own grave?
Since I'm on an honesty trip - are we sure it's wise to standardize on ANYTHING? If it's all standardized, the hackers usually get full access right away. However, if some work stations are macs, and some are win32 machines, with a couple of Linux-es in for good measure.. How many different OS-es will the kiddies need to master?
It's sort of like cloning. Sounds like a good idea, 'till a disease arises.
Maybe we can start suing them? Their software is not really malfunctioning, as much as their information policy. Could that be a way to attack them in court?
Stop the brainwash
Seems like every time MS does something like this, a new MS-owned version pops up.
May be a good idea, for them, at least. Make MS look good and other OSes bad. With all the heat they take for their products.
Welcome to Microsoft's bug.net. Please only use IE, as Netscape has an unresolved issue which will cause your computer to catch fire when you click refresh-
This months new reported bugs -
MS Windows (All flavors) - 0!
Linux (All flavors) - 11,843
*BSD - 1,253
MacOS - 1
Commercial Unix (except IBM) - 27
IBM (All flavors) - 12,335,672
News
New Mindcraft shows new bug.net as most reliable for bug reports.
You get the idea. We've seen it a million times before
Ok, this is not a big problem. Bugtraq readers can still write their own version of the issue and post it to bugtraq. Their complete advisory is copyrighted. They own it and can ask you not to post it in its complete form.
The real evil thing will happen when it will be ILLEGAL to report a security flaw to lists such as Bugtraq. UCITA has provisions for this right?
It could have been worse.
From the article:
So - now we're not gonna be able to inspect the change logs? What the hell, Microsoft! Those of us who take security seriously, really NEED to know this stuff. When. What. Who. How. Was it successfully remedied? What remedies were proposed? This is all essential information when you assess who to trust. Maybe that's why they won't let us know.
Stop the brainwash
they know it so "inside out" that they wrote big security bugs into it.. thus the reason why we are talking about this!
How we know is more important than what we know.
Geeze... people would love to create a war where there is none.
First of all, you can see Weld's reply to Elias' post here:
http://www.securityfocus.com/archive/1/150706
I don't think anyone can accuse @stake of being anti full-disclosure.
Second, no individual or group has been "banned". Elias decides what to allow on a per-post basis. If someone sends a message without any detail, he won't allow it, as indicated. Doesn't matter if it's Microsoft, the L0pht, or me. If someone sends a message with some good detail, he will let it through.
Don't forget that Bugtraq is an e-mail list. People want to read the stuff in e-mail format. If folks want to see bugs on the web, they can look at our vulnerability database, or visit the MS or @stake website.
Forged security bulletins - "You may follow this link to read a detailed description..."
On the other side - Trojans, diverted to other sites where either one gets a damn /. effect, a very bad joke, or some piece of trash that disseminates panic over the community.
Panic generation. One launches an exploit and warns the app maker. Later, on the issuing of the exploit he passes the news through several sites. The app maker gets /.-otted and panic is generated by some secondary actions of the "ineterrorist".
War Games - Pearl Harbor attacks. Several scenarios where either the security issuer is taken down or his links diverted. In resume, the main information center is taken down. Meanwhile the attackers make another attack in another direction, the real objective. Among panic, chaos and disinformation, they get into it before anyone gets the point.
I recommend you people to concretize these ideas and some evolution of them... There are much worse case scenarios... Depending on some other issues...
This is not going to become an issue, no more an issue than "bugs" in cars or toasters has become. All companies are going to try to hide information that may damage their reputations in the press, but, exploding gas tanks are still news, and Microsoft won't be able to stop anyone from publishing such information.
In Orwell's 1984, Winston Smith's job was to edit old records, in newspapers for example, to reflect 'the truth'. For example, if 'the Party' announced that there would be a surplus of clothing in the coming year, and it turned out that there was a deficit of clothing in that year, Smith would edit the record to show that either the party announced a deficit, or that there was actually a surplus, as the party stated.
I'm being a little confusing here, but my point is that if the records are controlled by the company they're offending, and users aren't allowed to make copies of the advisories, other than ethics, which we all know that a certain company is in dire need of, there isn't any mechanism to keep the vendor honest.
Then again, is there anything stopping me from saying "Hey, I read on the [Microsoft/l0pht] site today that [package in question] has a buffer overflow, simple fix is to edit [file in question]." without actually quoting the site?
Flamebait? Where is any flame on this post? Oh, oh, oh. Overrated? Maybe. Redundant? Possible. But FLAMEBAIT? Better to stamp "Troll" if you wanna take this down.
If my considerations about response time are considered as "flame", then I ask this moderator to take the guts and tell where and what I'm flaming here. You wanna tell me that these sites will hold up if someone posts the news in BugTraq, /. and two/three other news sites? What will happen if sysadmins and hackers stand in "what the Hell is this about" seeing a site taken down and a Trojan roaming >10,000 mail servers? Yes, someone may issue an external warning with details. But that will take time. More time than a first warning case. And all this may make a whole mess. Specially if rumours are set up on the wild.
Ok flamebait again. Hope you hold enough moderator points. If not come up to the street man. Let's see how good you are...
The l0pht's decision to remove detailed advisories from bugtraq, and instead use links to their site containing the detailed reports is just business as usual. I was a regular reader of www.hackernews.com until they merged with @stake.
It seems to me as though Weld Pond and the rest who used to be so dedicated to the security community have succumbed to the almighty dollar, as so many others have. Hackernews.com went seriously downhill when it turned into a revenue source. I find it hardly surprising though. If you owned @stake, wouldn't you be willing to sacrifice some respect for increased web traffic and advertising dollars? Probably.
-
I'd rather have a bottle in front of me than a frontal lobotomy.
Just not as big as it would have been if someone made it illegal to post. Whenever security-related information is hindered, the blackhats gain ground. It's that simple.
Stop the brainwash