Slashdot Mirror


L0pht Joins MS As BUGTRAQ Outcasts

SmellyBrain writes: "As a follow-up to the recent story of BUGTRAQ no longer publishing Microsoft advisories, it seems they are no longer publishing advisories by @stake (the company that bought the L0pht). ZDNet has an article about this here. It seems that, just like Microsoft, @stake changed their advisories to include minimal information and a link to their Web site. You can find the message by the moderator, Elias Levy, asking for the subscribers' feedback here. This is a very dangerous new trend in the security industry."

2 of 123 comments

  1. Re:exactly how is this dangerous? by rdejean · Score: 5

    I'll tell you exactly why this is dangerous. It allows the vendor to add/edit or delete the advisory *without* telling anyone.

    Let's say Microsoft decides to end of life NT 4.0. Since it's not supported anymore, they don't publish advisories or fixes for it. Then one day, boom. ALL NT advisories are simply deleted from Microsoft's website. The only thing left in BugTraq archives is a bunch of dead links. OR worse yet... they go through all 98/Me/2000 advisories that also mention NT, and just remove NT from the affected OS's line. They could certainly do this, and could justify it by saying "NT isn't supported anymore." This would certainly accelerate any Win2000 upgrade plans I had, and that's the whole point of this.

    @stake's new format is not nearly as bad as Microsoft's, but I still firmly believe they need to post the entire advisory to BugTraq.

  2. Incorrect info... by Watts · Score: 5

    A post on bugtraq has clarified this. Basically, the moderators of bugtraq felt that it is still a discussion list, and as such should not have bulletins posted that are just pointers to a website with information. Therefore, the l0pht has compromised and posted a mostly-complete version on bugtraq. Both sides agreed this works best. I really don't see any parallels between this and MS, since Microsoft wanted bugtraq to post less, and bugtraq requested that l0pht post more.