Open Source Vulnerability Database Shuts Down (osvdb.org)
Reader StonyCreekBare writes: From the Blog at osvdb.org "As of today, a decision has been made to shut down the Open Source Vulnerability Database (OSVDB), and will not return. We are not looking for anyone to offer assistance at this point, and it will not be resurrected in its previous form. This was not an easy decision, and several of us struggled for well over ten years trying to make it work at great personal expense. The industry simply did not want to contribute and support such an effort."
I get that they want to take their ball home and stop playing. Guessing that they're not happy that vendors didn't play nice to or with them. Nothing wrong with that position either. But they could offer the DB for others to download. Maybe someone could do a better fork, or find a better way to work with vendors.
Not remotely saying that some/most vendors do a crap job with security disclosures and patching in general. But some folks don't make it easy to get along with.
"The industry didn't want to contribute and support such an effort." What did you expect? That they were going to throw money at you because OPEN SOURCE?
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
http://www.securityfocus.com/ This is one I check on periodically. It has both open source and closed source vulnerabilities. Yeah, I know it is Symantec, but even a stopped clock is right twice a day unless it's digital ;)
The project promoted greater, open collaboration between companies and individuals.
That's not what companies want. It's been my experience as a security researcher that if and when you discover a vulnerability for $product, the parent vendor typically wants to:
1. STFU: stop reporting the issue, stop investigating the exploit, and don't touch the product ever again. I've had cease and desist orders and gag orders show up at my door for finding pretty massive issues with PCI and point of sale vendors in particular.
2. Get lost: fork over what you know, sign a nondisclosure form, and fuck off. If we see you at a conference, we will set you on fire. You were never here and we never spoke to you. Medical vendors are pretty good at this.
3. Go straight to jail: I once had an amusement park pull this shit over a SCADA report. Yes, I had to hire an attorney. No, they didn't 'win.' Yes, it wrecked a solid 4 months of my life.
The industry DGAF about what you found or how you found it. Outside of devops darlings and well known players in cloud and open source, most companies would rather you drop dead than engage in any sensible reporting on their products' vulnerability to common exploits.
Good people go to bed earlier.
This has been the front page story, until lately:
https://yro.slashdot.org/story/16/04/06/1529210/nest-reminds-customers-that-ownership-isnt-what-it-used-to-be
Is slashdot applying censorship? Who are really the new overlords? Has Alphabet paid SlashdotMedia to silence its criticism?
The article's text:
Alphabet-owned Nest recently announced that it will be turning off Revolv Hub next month. An anonymous reader shares an article on EFF, a privacy rights group:
Nest Labs, a home automation company acquired by Google in 2014, will disable some of its customers' home automation control devices in May. This move is causing quite a stir among people who purchased the $300 Revolv Hub devices -- customers who reasonably expected that the promised "lifetime" of updates would enable the hardware they paid for to actually work, only to discover the manufacturer can turn their device into a useless brick when it so chooses. This is far from the first time that customers' software and electronics have been downgraded by manufacturers. Updates can disable features the customer paid for that have fallen out of favor with the vendor, as when Google disabled privacy settings on Android or Sony took away the ability to run GNU/Linux on a Playstation 3. Manufacturers can even render a device unusable until the customer "agrees" to new terms of use, as Nintendo did with the Wii U. Other software and devices, including some video games, are designed so they simply stop working when they can no longer dial home to a server run by the vendor.
TFA: https://www.eff.org/deeplinks/2016/04/nest-reminds-customers-ownership-isnt-what-it-used-be
Never having visited the site before, I'd be interested to see what it looked like. Visiting the main page (http://osvdb.org/) just redirects to a blog note about the shutdown. Visiting the site on the wayback machine says "This URL has been excluded from the Wayback Machine."
They probably shut down because MITRE's CVE database is pretty much regarded as the canonical database for all vulnerabilities, open and proprietary. I've not seen a security advisory that didn't have a CVE number for a long time. I don't remember ever seeing one with a reference to OSVDB.
MITRE itself has a list of things it thinks deserve CVE IDs: see https://cve.mitre.org/cve/data_sources_product_coverage.html for details. Things outside of this list may not ever receive a CVE ID, even if they are valid vulnerabilities.
The takeaway is that lots of products have vulnerabilities but never receive CVEs or are included in the CVE dictionary. This is why alternates like OSVDB popped up, and why alternate vulnerability ID systems popped up recently (see DWF as a primary example).
It's a shame to lose something like OSVDB, as there really isn't a good canonical source of ALL vulnerabilities. MITRE's CVE works for vulnerabilities in big name products, but it is nowhere near inclusive of all vulnerabilities reported. Of course, OSVDB hasn't been updated recently either, so there's a big gap in even knowing what's out there. Maybe projects like DWF will help us move in that direction.
We are always looking for groups that show what we miss in potentially countless hours of testing, or exposing our inside voluntary or non-voluntary arrangements with government agencies (especially US and China), or exposing how much effort we make (or lack thereof) into securing our products.
We want to show people we truly put the safety and security of our customers above profitability. Then we know the stockholders will understand.
(and if you believe that there is a bridge in Brooklyn I can show you..)
"Imagination is more important than knowledge" - Einstein
stop the lies
you stole that too just like you plagiarized your other work
See subject: Had a program delay release on false positives for 4++ months in 2012 on BS false positives due to "heuristics" rules (against compressing my executables, which stalls disassembly by 'scrambling' the normal interior of an executable and adding a loader too, PLUS checking the .exe size @ startup & other areas of the code (if it was altered, the program would not run or would shut down), plus putting in disassembler/debugger checks)
Nothing against you nimbius (you didn't do it) OR any 'security researcher' but I've seen "big name companies" listed below who made that mistake on my wares which literally protect themselves against viral infestation & 'hacking' them up via the methods noted above!
EACH company listed below HAD to rescind their false positives clearing my ware in 2012:
1.) McAfee/Intel
2.) Comodo
3.) Symantec/Norton
4.) Sophos
5.) ArcaVir
6.) ClamAV
7.) EmsiSoft
8.) Qihoo360
9.) Computer Associates
I've been programming since 1982 in over a dozen languages (professionally for nearly 24 yrs. till I semi-retired) for a total of 34++ yrs. - I don't claim to "know it all" or be a "rock-star" programmer (who really is?) & above all else, I wasn't some "phb" giving them crap either - I went thru the slow process of clearing my name - I had the time.
The "malware explosion" demanded I get it out there (especially by adbanner infections).
I didn't do ANY of what you noted in your enumerated list - why? I knew I was dead-on right + the program is FREE for the good of others.
The jackasses you dealt with "went legal" on you since it is ALL they know how to do, vs. fighting it out since 'their kind' doesn't even begin to understand how to construct programs typically. I can't stand them (never could - part of WHY I left the field fulltime & started a business of my own - much better way of life) - imo? They're USELESS dead-weight UNLESS they too are former competent coders. It's my experience that programmers, serious ones that love the art & science of computing, don't NEED 'bosses' other than owners of companies. We LOVE what we do!
(In fact, you're more than welcome to check the program yourself if you wish IF you have the time & inclination to do so (I won't bitch IF you find anything wrong with it security-wise since it only really HELPS ME in the end & yes, I've already been thru code checks too, see below, by a very competent security researcher!))
* Funniest part is they STILL use those rules that generate false positives galore on OTHERS (I pulled exe compression + debugger check to get by it - sucks as they're inflexible on that - but that makes code load faster off disk since a filemass is smaller + protects the program, a SECURITY PROGRAM no less, vs. infestation).
Lastly in closing: To the trolls downmodding me DAYS LATER no less, & to suppress truths I told here, & AFTER I was upmodded the last time I posted this here https://it.slashdot.org/commen... ?
As usual, I'll just repost exhausting you of your "downmod points" fools... it's TOO easy.
APK
P.S.=> Proof it's safe by 57++ antivirus' now (as well as having malwarebytes' folks see the code to audit it or they wouldn't host it for me as they still do years later now)-> https://www.virustotal.com/en/... ... apk
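The post above describes a start-up self-integrity check (the executable checks its own size and code at launch and refuses to run if altered), which is exactly the kind of behaviour AV heuristics tend to flag. The block below is an added example of that technique written for this page; it is not the poster's program or any vendor's code. It assumes a CRC-32 over the whole image, a fingerprint (size + checksum) that would normally be patched into the binary after build, and a Linux path (/proc/self/exe) for locating the running image; the buffer used in the demo is constructed.

```c
/* Added example: start-up self-integrity check (size + CRC-32 of the
 * executable image). Illustrative code, not the poster's program; the
 * fingerprint values and the demo image are constructed for this example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Standard CRC-32 (IEEE 802.3, reflected, poly 0xEDB88320), table built lazily. */
static uint32_t crc_table[256];
static int crc_table_ready = 0;

static void crc32_init(void) {
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i;
        for (int k = 0; k < 8; k++)
            c = (c & 1) ? (0xEDB88320u ^ (c >> 1)) : (c >> 1);
        crc_table[i] = c;
    }
    crc_table_ready = 1;
}

uint32_t crc32_buf(const unsigned char *buf, size_t len) {
    if (!crc_table_ready) crc32_init();
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++)
        c = crc_table[(c ^ buf[i]) & 0xFFu] ^ (c >> 8);
    return c ^ 0xFFFFFFFFu;
}

/* Recorded properties of the shipped image (assumption: patched in after build). */
typedef struct {
    size_t   size;
    uint32_t crc;
} image_fingerprint;

/* 1 if the image matches the fingerprint, 0 otherwise. Size alone is not enough:
 * an in-place patch keeps the length unchanged, so the checksum is checked too. */
int verify_image(const unsigned char *image, size_t len, const image_fingerprint *fp) {
    if (len != fp->size) return 0;
    return crc32_buf(image, len) == fp->crc;
}

/* Reads a whole file into memory; NULL on failure. Caller frees. */
unsigned char *read_file(const char *path, size_t *out_len) {
    FILE *f = fopen(path, "rb");
    if (!f) return NULL;
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return NULL; }
    long n = ftell(f);
    if (n < 0) { fclose(f); return NULL; }
    rewind(f);
    unsigned char *buf = malloc(n > 0 ? (size_t)n : 1);
    if (!buf) { fclose(f); return NULL; }
    if (fread(buf, 1, (size_t)n, f) != (size_t)n) { free(buf); fclose(f); return NULL; }
    fclose(f);
    *out_len = (size_t)n;
    return buf;
}

/* Self-check against the on-disk executable. Assumption: exe_path is
 * "/proc/self/exe" on Linux (GetModuleFileName would be the Windows analogue).
 * Returns 1 = intact, 0 = altered, -1 = image could not be read. */
int self_check(const char *exe_path, const image_fingerprint *fp) {
    size_t len = 0;
    unsigned char *img = read_file(exe_path, &len);
    if (!img) return -1;
    int ok = verify_image(img, len, fp);
    free(img);
    return ok;
}

/* Demo on a constructed buffer standing in for the executable: returns 1 when the
 * pristine image verifies and a same-length one-bit patch is rejected. */
int demo_tamper_detected(void) {
    const unsigned char image[] = "constructed executable image bytes";
    image_fingerprint fp = { sizeof image, crc32_buf(image, sizeof image) };
    unsigned char tampered[sizeof image];
    memcpy(tampered, image, sizeof image);
    tampered[3] ^= 0x01;  /* in-place patch, length unchanged */
    int intact_ok   = verify_image(image, sizeof image, &fp);
    int tampered_ok = verify_image(tampered, sizeof tampered, &fp);
    return intact_ok == 1 && tampered_ok == 0;
}

int main(void) {
    printf("tamper detected on constructed image: %s\n",
           demo_tamper_detected() ? "yes" : "no");
    return 0;
}
```

In a real deployment the fingerprint region itself has to be excluded from the checksummed range (or the checksum is computed over a fixed build artefact before the value is stamped in), and a plain CRC only detects accidental or naive modification; an attacker who can patch the binary can also patch the stored value, which is why such checks annoy AV heuristics more than they stop a determined reverser.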