L0pht Joins MS As BUGTRAQ Outcasts
SmellyBrain writes: "As a follow-up to the recent story of BUGTRAQ no longer publishing Microsoft advisories, it seems they are no longer publishing advisories by @stake (the company that bought the L0pht). ZDNet has an article about this here. It seems that, just like Microsoft, @stake changed their advisories to include minimal information and a link to their Web site. You can find the message by the moderator, Elias Levy, asking for the subscribers' feedback here. This is a very dangerous new trend in the security industry."
That would be a big step in quieting your enemies. If you can't legally install the software without agreeing to a license that prevents you from telling anyone about its shortfalls, then I suppose there will be much less ammo for the competition. If you don't know what's wrong with something, it is hard to position yourself as an alternative.
They're sending you to a link which they can update as more information is available.
If they were really interested in improving security service to their customers, they'd just post a second advisory and adorn the first with a link to it.
That way, you get the early information when it's available, you get the later information when it arrives (and it gets brought to your attention), and you have a history to peruse of what was known and done.
The other way, if they change the advisory on their page, you're not notified of the potentially valuable new information, so it's much easier to miss it. If asked to demonstrate why you did something, you could return and find your supporting evidence reversed. The changes could actually drop information you remain interested in.
The only advantage provided by the approach they did take is that it conceals the history of the report, giving the company more room to falsely polish its image - at your expense.
This fits Microsoft (and many of today's "businesses") to a T: promote the company, trip up the customer.
I'm amazed anew every day by the apparent willingness of the majority of customers to be harmed and then bamboozled by transparent excuses. Perhaps someone (I speak seriously) could explain this to me.
I wonder if some freenet-like project could be devoted to archiving useful information which would otherwise be so controlled. I think there would be a very strong case for fair use, especially as the primary value of the archive would be in the contained facts, not their expression.
> I'll tell you exactly why this is dangerous. It
> allows the vendor to add/edit or delete the
> advisory *without* telling anyone.
While the most obvious problem, it's not the major issue in my mind.
When a message goes to bugtraq, it is immortal. It never goes away, ever. Even if the BUGTRAQ main archives are wiped out, it's replicated in so many places, under so many different points of control.
When it's on a website, if the company folds, or redesigns their website, or has a hard drive failure and finds their backups weren't working...
The advisories are gone. So in the future, if anyone has a reason to need them for any reason, they simply are not available.
That's only part of the problem. It's an annoyance. BUGTRAQ is a single point of information. I go there and I can find out about all sorts of security problems, with in-depth information (usually) on how I can assess my vulnerability and reduce or eliminate exposure.
If one company (like M$) starts releasing no-content advisories, and making me go to their website for the info (M$ is a bad example of course since NO M$ advisory could possibly affect a UNIX sysadmin like myself ;)), that's annoying. However, if several companies start doing it - it essentially makes BUGTRAQ useless - I now have to spend more time bouncing from source to source.
It discourages active security monitoring. It makes more work for me... and the end result 90% of the time is finding out that it's not a problem that affects me anyway (either due to specific version issues, or not being software I am actually using, or depending on features that I am not using).
This is just bad all around. It decreases the value of the list. It makes it harder and more time consuming to keep current - which translates directly into more people deciding that they just don't have the time/energy to do it. Not all of us have infinite time to keep up with this stuff.
-Steve
"I opened my eyes, and everything went dark again"
I'll tell you exactly why this is dangerous. It allows the vendor to add/edit or delete the advisory *without* telling anyone.
Let's say Microsoft decides to end-of-life NT 4.0. Since it's not supported anymore, they don't publish advisories or fixes for it. Then one day, boom. ALL NT advisories are simply deleted from Microsoft's website. The only thing left in BugTraq archives is a bunch of dead links. OR worse yet... they go through all 98/Me/2000 advisories that also mention NT, and just remove NT from the affected OSes line. They could certainly do this, and could justify it by saying "NT isn't supported anymore." This would certainly accelerate any Win2000 upgrade plans I had, and that's the whole point of this.
@stake's new format is not nearly as bad as Microsoft's, but I still firmly believe they need to post the entire advisory to BugTraq.
-lb
A post on bugtraq has clarified this. Basically, the moderators of bugtraq felt that it is still a discussion list, and as such should not have bulletins posted that are just pointers to a website with information. Therefore, the l0pht has compromised and posted a mostly-complete version on bugtraq. Both sides agreed this works best. I really don't see any parallels between this and MS, since Microsoft wanted bugtraq to post less, and bugtraq requested that l0pht post more.
Question:
How long would it take to kludge together a quick'n'dirty script to grab and parse those links to the main articles in the shortened advisories that they now publish, and then to run that script on some server in .ru or somewhere else untouchable for the greater good of the net?
Answer:
Not very long
Hopefully.
You know they call 'em fingers but I've never seen 'em fing. Oh, there they go.
OK, so maybe you're going off the deep end here, but I think it is very possible that this could have an adverse impact on the security industry. Advisory services (and even individual developers) are judged on the timeliness and accuracy of their alerts. When an administrator has to make a decision about how serious an advisory is, they look at the reputation of the advisor. If advisors have the right to change their advisories after the fact and prohibit offsite archiving (sort of like rewriting history), they are beyond retrospective analysis. A security expert may make the claim that someone released an inaccurate or late advisory, but without a trustworthy archive to point at, they can't even claim that the advisory has been updated since first release. This seriously undermines peer review, which is a cornerstone of software security.
How we know is more important than what we know.
When I write my operating system I'm going to folow Microsofts example.
In my liccens agreement I'll require that bugs in my operating system can only be published by me. The same with bug fixes.
I may issue liccens allowing a select few to publish bugs and bug patches but thats totally up to me.
All my bug reports and bug patches will be posted on my website. Nobody gets credit for finding bugs of course...
The goal of my operating system is to become the worlds crappyest operating system on the face of the earth....
(My spelling of course gose a long way to getting it there)
I don't actually exist.
Suppose I have a duty to demonstrate that I took appropriate measures given what was known at the time? Suppose I have to exercise "due diligence", and keep a record of what was done that can be verified by an auditor some time later. I may still be able to keep a record of what I did, but how can I show that it was reasonable given what was known at the time? If the details are on someone else's web site, with no assurance of a dated archive, and a copyright policy that prohibits me from taking snapshots and having them timestamped (by some independent notary), where does that leave me in producing some argument about what was known at the time? (Fortunately, I don't have to do this myself, but it is not such a crazy thing to expect.)
I understand the desire to provide the latest information, and it is a good idea, but it is not the only requirement. What would be so hard about putting a "latest information on this issue is here" link at the top of a full disclosure dated and signed bulletin? It may be uncomfortable to leave a fully detailed record of how long it took to deal with a problem, but I think companies that take that pain would get more respect once people got used to the idea, if it was allowed to run and not be killed by short-sighted liability claims.
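The two complaints above (a vendor can silently edit or delete a web-hosted advisory, and an admin later has no dated record of what was known) suggest a simple defensive habit: keep your own append-only snapshots of the linked page and diff each new fetch against the last. The following is an added example, not code from the thread or from @stake or Microsoft; the URL, advisory text and "edited" page are constructed placeholders, and the fetcher is injected so the demo runs offline (swap in urllib for real use).

```python
"""Append-only local archive of vendor advisory pages with change detection.

Added example (not from the thread). Every fetch is kept with a UTC timestamp
and a SHA-256 of the body; a later fetch that differs is reported line by line,
so a silent edit (e.g. an OS dropped from the "Affected" line) is caught and
the earlier version survives as evidence of what was published at the time.
"""
import difflib
import hashlib
import re
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

LINK_RE = re.compile(r'https?://[^\s<>"]+')


def extract_links(short_advisory: str) -> List[str]:
    """Pull the 'full details on our web site' pointers out of a content-free advisory."""
    return LINK_RE.findall(short_advisory)


class AdvisoryArchive:
    """Keeps every version of every page; nothing is ever overwritten or removed."""

    def __init__(self, fetch: Callable[[str], str]):
        self.fetch = fetch                          # url -> page body (injected; offline here)
        self.history: Dict[str, List[dict]] = {}    # url -> snapshots, oldest first

    def snapshot(self, url: str, now: Optional[datetime] = None) -> dict:
        """Fetch the page and append a dated, hashed copy to its history."""
        body = self.fetch(url)
        now = now or datetime.now(timezone.utc)
        entry = {
            "url": url,
            "fetched": now.isoformat(),
            "sha256": hashlib.sha256(body.encode("utf-8")).hexdigest(),
            "body": body,
        }
        self.history.setdefault(url, []).append(entry)
        return entry

    def changes_since_previous(self, url: str) -> List[str]:
        """Added/removed lines between the last two snapshots; [] if none or unchanged."""
        snaps = self.history.get(url, [])
        if len(snaps) < 2:
            return []
        old, new = snaps[-2], snaps[-1]
        if old["sha256"] == new["sha256"]:
            return []
        diff = difflib.unified_diff(
            old["body"].splitlines(), new["body"].splitlines(),
            fromfile=old["fetched"], tofile=new["fetched"], lineterm="")
        # keep only the +/- content lines, dropping the ---/+++ file headers and @@ hunks
        return [line for line in diff
                if line[:1] in ("+", "-") and not line.startswith(("+++", "---"))]


def demo():
    """Constructed scenario: a short advisory points at a page that is later edited."""
    url = "https://vendor.example/advisory/EXAMPLE-001"          # placeholder, constructed
    short_advisory = ("Subject: Security Advisory EXAMPLE-001\n"
                      "A vulnerability exists. Full details:\n" + url + "\n")
    pages = {url: "Affected: Windows NT 4.0, Windows 2000\nFix: apply hotfix EXAMPLE-001\n"}
    archive = AdvisoryArchive(lambda u: pages[u])

    links = extract_links(short_advisory)
    archive.snapshot(links[0], datetime(2001, 1, 10, tzinfo=timezone.utc))
    # The vendor quietly drops NT from the page without issuing a new bulletin.
    pages[url] = "Affected: Windows 2000\nFix: apply hotfix EXAMPLE-001\n"
    archive.snapshot(links[0], datetime(2001, 6, 1, tzinfo=timezone.utc))
    return links, archive.changes_since_previous(url)


if __name__ == "__main__":
    found_links, changed = demo()
    print("archived:", found_links)
    for line in changed:
        print(line)
```

The first snapshot is what you would cite to an auditor; the diff is what you would expect a vendor to have announced. For real use, persist `history` to disk and re-run on a schedule, and have an independent party sign or timestamp each snapshot hash if the archive must survive the copyright objection raised above.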
When the internet worm struck (which was luckily not my problem 'cause I didn't have internet access other than e-mail routed through an ugly waffle gateway from a local bbs, and my usage basically consisted of using some ftpmail gateway to get at the programming part of the simtel archive...) it took down a whole host of servers, and flooded a lot of pipes. There were a lot of places that could no longer communicate with each other. That is part of the reason everybody set up and is maintaining security lists. E-mail is good because if you send a message to all 10,000 people who are signed on to your security list, even if a lot of the net is down, anywhere that is still up will get them, and will be able to fix the problem. Now if you have all the guts of your message on a web server somewhere, you are stuck if that server is down. What this trend represents is taking a FUNCTIONAL ROBUST SYSTEM and replacing it with a system based on a SINGLE POINT OF FAILURE that is PROVEN TO BE WEAK. The slashdot effect takes servers out of commission for hours at a time; imagine a large network security crisis like the internet worm... People are for political or economic reasons undermining all sense of practicality. L0pht because they want you to read their disclaimer so they don't get their asses sued, and microsoft because they want to have ultimate control of everything, even if it really screws over the end-user.
---
Play Six Pack Man. I
Ok, this is not a big problem. Bugtraq readers can still write their own version of the issue and post it to bugtraq. Their complete advisory is copyrighted. They own it and can ask you not to post it in its complete form.
The real evil thing will happen when it will be ILLEGAL to report a security flaw to lists such as Bugtraq. UCITA has provisions for this right?
It could have been worse.
Geeze... people would love to create a war where there is none.
First of all, you can see Weld's reply to Elias' post here:
http://www.securityfocus.com/archive/1/150706
I don't think anyone can accuse @stake of being anti-full-disclosure.
Second, no individual or group has been "banned". Elias decides what to allow on a per-post basis. If someone sends a message without any detail, he won't allow it, as indicated. Doesn't matter if it's Microsoft, the L0pht, or me. If someone sends a message with some good detail, he will let it through.
Don't forget that Bugtraq is an e-mail list. People want to read the stuff in e-mail format. If folks want to see bugs on the web, they can look at our vulnerability database, or visit the MS or @stake website.