Slashdot Mirror


L0pht Joins MS As BUGTRAQ Outcasts

SmellyBrain writes: "As a follow up to the recent story of BUGTRAQ no longer publishing Microsoft advisories, it seems they are no longer publishing advisories by @stake (the company that bought the L0pht). ZDNet has an article about this here. It seems that just like Microsoft, @stake changed their advisories to include minimal information and a link to their Web site. You can find the message by the moderator, Elias Levy, asking for the subscribers' feedback here. This is a very dangerous new trend in the security industry."

7 of 123 comments

  1. Re:exactly how is this dangerous? by rdejean · · Score: 5

    I'll tell you exactly why this is dangerous. It allows the vendor to add/edit or delete the advisory *without* telling anyone.

    Let's say Microsoft decides to end-of-life NT 4.0. Since it's not supported anymore, they don't publish advisories or fixes for it. Then one day, boom. ALL NT advisories are simply deleted from Microsoft's website. The only thing left in BugTraq archives is a bunch of dead links. OR worse yet... they go through all 98/Me/2000 advisories that also mention NT, and just remove NT from the affected OSes line. They could certainly do this, and could justify it by saying "NT isn't supported anymore." This would certainly accelerate any Win2000 upgrade plans I had, and that's the whole point of this.

    @stake's new format is not nearly as bad as Microsoft's, but I still firmly believe they need to post the entire advisory to BugTraq.
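
The failure mode described in this comment (an advisory silently edited so that a product disappears from its affected line, or deleted outright and left as a dead link) is exactly what a locally kept, hashed archive makes visible. The following script is an added example, not code from the thread or from any vendor or list; the advisory IDs (EX-2001-001, EX-2001-002), their texts and the "Affected:" line format are all constructed for illustration. It records each advisory's full text and SHA-256 at capture time, then compares later fetches against that record and reports which advisories went missing or were changed, and which affected products were dropped.

```python
import hashlib
import re
from typing import Dict, Optional, Set

# Constructed sample advisories (placeholder IDs, not real bulletins):
# the text an archive captured when each advisory was first published.
ARCHIVED_AT_PUBLICATION = {
    "EX-2001-001": (
        "Title: Buffer handling flaw in example service\n"
        "Affected: Windows NT 4.0, Windows 2000\n"
        "Fix: apply the vendor patch\n"
    ),
    "EX-2001-002": (
        "Title: Privilege issue in example component\n"
        "Affected: Windows NT 4.0\n"
        "Fix: apply the vendor patch\n"
    ),
}

# Constructed "live" copies fetched later: 001 had NT removed from its
# affected line, 002 was deleted outright (the link is now dead).
FETCHED_LATER = {
    "EX-2001-001": (
        "Title: Buffer handling flaw in example service\n"
        "Affected: Windows 2000\n"
        "Fix: apply the vendor patch\n"
    ),
    "EX-2001-002": None,
}


def digest(body: str) -> str:
    """SHA-256 of the advisory text, recorded when the archive copy is taken."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def affected_products(body: str) -> Set[str]:
    """Products named on the 'Affected:' line (empty set if the line is absent)."""
    match = re.search(r"^Affected:\s*(.+)$", body, re.MULTILINE)
    if not match:
        return set()
    return {item.strip() for item in match.group(1).split(",") if item.strip()}


def build_archive(advisories: Dict[str, str]) -> Dict[str, dict]:
    """Keep the full text, its hash and its affected list for every advisory."""
    return {
        aid: {"body": body, "sha256": digest(body), "affected": affected_products(body)}
        for aid, body in advisories.items()
    }


def audit(archive: Dict[str, dict], current: Dict[str, Optional[str]]) -> Dict[str, dict]:
    """Compare later fetches with the archive and report silent changes.

    status is 'missing' (no longer served), 'modified' (hash differs) or
    'unchanged'; removed_affected lists products that vanished from the
    affected line (for a missing advisory, every product it listed).
    """
    report = {}
    for aid, record in archive.items():
        live = current.get(aid)
        if live is None:
            report[aid] = {"status": "missing",
                           "removed_affected": sorted(record["affected"])}
            continue
        if digest(live) == record["sha256"]:
            report[aid] = {"status": "unchanged", "removed_affected": []}
            continue
        removed = record["affected"] - affected_products(live)
        report[aid] = {"status": "modified", "removed_affected": sorted(removed)}
    return report


if __name__ == "__main__":
    findings = audit(build_archive(ARCHIVED_AT_PUBLICATION), FETCHED_LATER)
    for aid, finding in findings.items():
        print(aid, finding)
```

The hash catches any edit at all, including wording changes the affected-line parser would not notice; the parsed affected list is what turns "something changed" into the specific, arguable claim this comment cares about ("NT 4.0 was removed from this advisory after publication"). In practice the archive copy would be written at the moment the mailing-list message arrives, which is precisely the copy a pointer-only bulletin no longer gives you.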

  2. Incorrect info... by Watts · · Score: 5

    A post on bugtraq has clarified this. Basically, the moderators of bugtraq felt that it is still a discussion list, and as such should not have bulletins posted that are just pointers to a website with information. Therefore, the l0pht has compromised and posted a mostly-complete version on bugtraq. Both sides agreed this works best. I really don't see any parallels between this and MS, since Microsoft wanted bugtraq to post less, and bugtraq requested that l0pht post more.

    1. Re:Incorrect info... by DaveHowe · · Score: 4

      Pretty close - as @stake spin it, they are not giving any less info than they have ever done, but are merely adding ADDITIONAL information to their bulletins on their website - which is their option. @stake aren't a vendor, so don't have any duty to customers, and aren't trying to assert any control over the basic alert. Anyhow, decide for yourself - their message to the bugtraq users is available in the archives for you to read....

      --
      -=DaveHowe=-

  3. Rewriting history by QuantumG · · Score: 4

    OK, so maybe you're going off the deep end here, but I think it is very possible that this could have an adverse impact on the security industry. Advisory services (and even individual developers) are judged on the timeliness and accuracy of their alerts. When an administrator has to make a decision about how serious an advisory is, they look at the reputation of the advisor. If advisors have the right to change their advisories after the fact and prohibit offsite archiving (sort of like rewriting history) they are beyond retrospective analysis. A security expert may make the claim that someone released an inaccurate or late advisory but without a trustworthy archive to point at, they can't even claim that the advisory has been updated since first release. This seriously undermines peer review, which is a cornerstone of software security.

    --
    How we know is more important than what we know.

  4. Re:exactly how is this dangerous? by f5426 · · Score: 4

    The trend is very dangerous. It is the same kind of trend that tries to forbid deep linking.

    As a user of the web, I seek information. Old information is very valuable for me. This is why I loved deja usenet archives when they worked.

    OTOH, information providers are marketing driven. They run. Their web site changes very very often to track the new trends. Take one of your old bookmarks (say 4 or 5 years ago). There should still be very valuable _information_ in there. I bet that 90% of the links are broken. The information is lost because the links have changed.

    Copyrighting information and asking for links instead of copies is planned obsolescence of the information. This is a very very bad trend.

    Unfortunately, it is just what marketing wants. I bet that, in a few years, the concept of linking will disappear on commercial sites. URLs will probably be based on the value of personal cookies, i.e. will only work for you. Other users will have to seek the information for themselves. You will only be allowed to link to front pages. (I am already pretty depressed by the current state of the web. Lame articles, like the various P4 tests, that are split over 12 or 15 pages of 10 lines each make me vomit. Unfortunately, it can only get worse...)

    Cheers,

    --fred


  5. Central Point Of Failure by drenehtsral · · Score: 4

    When the internet worm struck (which was luckily not my problem 'cause I didn't have internet access other than e-mail routed through an ugly waffle gateway from a local bbs, and my usage basically consisted of using some ftpmail gateway to get at the programming part of the simtel archive...) it took down a whole host of servers, and flooded a lot of pipes. There were a lot of places that could no longer communicate with each other. That is part of the reason everybody set up and is maintaining security lists. E-mail is good because if you send a message to all 10,000 people who are signed on to your security list, even if a lot of the net is down, anywhere that is still up will get them, and will be able to fix the problem. Now if you have all the guts of your message on a web server somewhere, you are stuck if that server is down. What this trend represents is taking a FUNCTIONAL ROBUST SYSTEM and replacing it with a system based on a SINGLE POINT OF FAILURE that is PROVEN TO BE WEAK. The slashdot effect takes servers out of commission for hours at a time; imagine a large network security crisis like the internet worm... People are, for political or economic reasons, undermining all sense of practicality. L0pht because they want you to read their disclaimer so they don't get their asses sued, and Microsoft because they want to have ultimate control of everything, even if it really screws over the end-user.

    --
    Play Six Pack Man. I

  6. Not a big deal by simpleguy · · Score: 4

    Ok, this is not a big problem. Bugtraq readers can still write their own version of the issue and post it to bugtraq. Their complete advisory is copyrighted. They own it and can ask you not to post it in its complete form.

    The real evil thing will happen when it becomes ILLEGAL to report a security flaw to lists such as Bugtraq. UCITA has provisions for this, right?

    It could have been worse.