Slashdot Mirror


Open Source Vulnerability Database Shuts Down (osvdb.org)

Reader StonyCreekBare writes: From the blog at osvdb.org: "As of today, a decision has been made to shut down the Open Source Vulnerability Database (OSVDB), and will not return. We are not looking for anyone to offer assistance at this point, and it will not be resurrected in its previous form. This was not an easy decision, and several of us struggled for well over ten years trying to make it work at great personal expense. The industry simply did not want to contribute and support such an effort."

34 comments

  1. Well, their choice by RevDisk · · Score: 1

    I get that they want to take their ball home and stop playing. Guessing that they're not happy that vendors didn't play nice to or with them. Nothing wrong with that position either. But they could offer the DB for others to download. Maybe someone could do a better fork, or find a better way to work with vendors.

    Not remotely saying that some/most vendors do a crap job with security disclosures and patching in general. But some folks don't make it easy to get along with.

    1. Re:Well, their choice by BarbaraHudson · · Score: 1

      Nah - this is a last-ditch effort to get businesses to say "hey look, if we pay you, will you change your mind?" Extortion 101.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    2. Re:Well, their choice by TheRaven64 · · Score: 5, Informative

      They probably shut down because MITRE's CVE database is pretty much regarded as the canonical database for all vulnerabilities, open and proprietary. I've not seen a security advisory that didn't have a CVE number for a long time. I don't remember ever seeing one with a reference to OSVDB.

      --
      I am TheRaven on Soylent News
    3. Re: Well, their choice by Anonymous Coward · · Score: -1

      Why are American blacks so aggressive and violent? European blacks generally aren't so slavery doesn't explain it.

    4. Re: Well, their choice by Anonymous Coward · · Score: -1, Troll

      It's because they are American, not because they are black.
      America is insane.

    5. Re: Well, their choice by Anonymous Coward · · Score: -1

      It's because they are American, not because they are black.
      America is insane.

      i agree with this whole heartedly and i'm american

    6. Re: Well, their choice by Anonymous Coward · · Score: -1

      Thank you for the -1 mod...
      The above statement is as dim as a small appliance lightbulb, as I am sure its perpetrator is as well..
      Moving past that, there is no place for racial comments, or comments which may be misconstrued.
      We are not in Alabama in the 40s/50s. Nor are we Trump.
      This will not stand..

    7. Re: Well, their choice by Anonymous Coward · · Score: -1

      Why are American blacks so aggressive and violent? European blacks generally aren't so slavery doesn't explain it.

      You are being a coward when you try to make a statement by posing it as a question.

      The answer is that American Blacks are not in general aggressive and violent.
      It is true that some American Blacks are aggressive and violent. Most are not.

      On the off-chance that you have a serious question and are simply inarticulate, here's another way to pose such a question.
      Why do American Blacks have a higher rate of violence than other groups in America?

      Here are some thoughts about historical conditions that influence the rate of violence.
      http://atlantablackstar.com/20...

      First, you should know this:

      The latest figures from the FBI, Bureau of Justice Statistics and public health agencies show that among black youth, rates of robbery and serious property offenses are the lowest in more than 40 years. Rates of murder and rape are now lower than when nationwide crime statistics first appeared in 1965—and those were far less thorough than today’s.
      Assault rates are lower than when this crime statistic was expanded to include domestic violence and new offenses a quarter-century ago.
      Violent and other criminal victimization of young African-Americans have also plummeted to record lows, as have a host of other ills including unplanned pregnancy, drug abuse and school dropout rates. Murder and violent crimes remain very rare events among African-Americans, less than two-tenths of 1 percent. Since the early 1990s, homicide deaths and arrests have plunged by 70 percent among black youth in America.

    8. Re: Well, their choice by Anonymous Coward · · Score: -1

      It's slavery. Here in Europe we enslaved each other (serfdom, etc.) Blacks come here of their own free will. We don't want them, yet they come. Disclaimer: if they come to work then it's ok.

    9. Re:Well, their choice by Anonymous Coward · · Score: 0

      But they could offer the DB for others to download. Maybe someone could do a better fork, or find a better way to work with vendors.

      OSVDB has been upselling people into RiskBasedSecurity commercial services over the past few years.

      Why would they want to make it easier for someone to compete with their commercial offerings by providing any assistance in replacing OSVDB?

  2. So, no money, no candy by BarbaraHudson · · Score: 1

    "The industry didn't want to contribute and support such an effort." What did you expect? That they were going to throw money at you because OPEN SOURCE?

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    1. Re:So, no money, no candy by Anonymous Coward · · Score: -1

      Straw Woman, as usual.

    2. Re:So, no money, no candy by BarbaraHudson · · Score: 2
      I guess you didn't notice the "it will not be resurrected in its previous form" part. That doesn't mean it will not be resurrected in another form, such as a subscription service, or sold off. Otherwise, the "in its previous form" would be both redundant and misleading.

      One way or another, they hope to monetize it.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  3. Alternative Site by zenlessyank · · Score: 2

    http://www.securityfocus.com/ This is one I check on periodically. It has both open source and closed source vulnerabilities. Yeah, I know it is Symantec, but even a stopped clock is right twice a day unless it's digital ;)

    1. Re:Alternative Site by ole_timer · · Score: 1

      When Symantec acquired SNI, they agreed to keep the site free. The paid version is DeepSight. OSVDB never had a chance.

      --
      nothing to see here - move along
  4. the major reason it shut down by nimbius · · Score: 5, Interesting

    The project promoted greater, open collaboration between companies and individuals.

    That's not what companies want. It's been my experience as a security researcher that if and when you discover a vulnerability for $product, the parent vendor typically wants to:
    1. STFU: stop reporting the issue, stop investigating the exploit, and don't touch the product ever again. I've had cease and desist orders and gag orders show up at my door for finding pretty massive issues with PCI and point of sale vendors in particular.
    2. get lost: fork over what you know, sign a nondisclosure form, and fuck off. If we see you at a conference, we will set you on fire. You were never here and we never spoke to you. Medical vendors are pretty good at this.
    3. go straight to jail: I once had an amusement park pull this shit over a SCADA report. Yes, I had to hire an attorney. No, they didn't 'win.' Yes, it wrecked a solid 4 months of my life.

    The industry DGAF about what you found or how you found it. Outside of devops darlings and well known players in cloud and open source, most companies would rather you drop dead than engage in any sensible reporting on their products' vulnerability to common exploits.

    --
    Good people go to bed earlier.
    1. Re:the major reason it shut down by Anonymous Coward · · Score: 0

      Hate to say it, but I've had similar experiences myself. As an SE, I lost a job opportunity because I mentioned I was security-conscious in my software habits. Bad, bad move on my part.

      CAP === 'infamous'

    2. Re:the major reason it shut down by sinij · · Score: 1

      I am a certifier and security auditor, and my experience mirrors the above. Even when they pay you to find issues, they often don't want to fix them. It is just not a development priority unless it leads to full-blown compromise (e.g. root) and there is very little customer demand for security. For example, convincing organization to upgrade from RSA-1024 certs is a Sisyphean task.

    3. Re:the major reason it shut down by Anonymous Coward · · Score: 0

      If they don't know about the bug, they don't need to fix it. Ignorance is so much less work in the short run, which is all CEOs care about.

    4. Re:the major reason it shut down by Anonymous Coward · · Score: 1

      Your problem is that you are reporting these things to them.
      The right thing to do is publicize first.
      Let them ask questions later.
      The whole "responsible disclosure" thing is code for "we don't want people to know our shit sucks".
      If everyone just anonymously posted security issues online they would get exploited, and therefore fixed, much faster.

    5. Re:the major reason it shut down by Grishnakh · · Score: 1

      This makes me wonder how many security researchers simply go to work for the black market.

      How exactly do you make a living as a "security researcher" anyway, if companies treat you like this?

  5. SLASHDOT APPLYING CENSORSHIP by Anonymous Coward · · Score: 0

    This has been the front page story, until lately:

    https://yro.slashdot.org/story/16/04/06/1529210/nest-reminds-customers-that-ownership-isnt-what-it-used-to-be

    Is slashdot applying censorship? Who are really the new overlords? Has Alphabet paid SlashdotMedia to silence its criticism?

    The article's text:

    Alphabet-owned Nest recently announced that it will be turning off Revolv Hub next month. An anonymous reader shares an article on EFF, a privacy rights group:
    Nest Labs, a home automation company acquired by Google in 2014, will disable some of its customers' home automation control devices in May. This move is causing quite a stir among people who purchased the $300 Revolv Hub devices -- customers who reasonably expected that the promised "lifetime" of updates would enable the hardware they paid for to actually work, only to discover the manufacturer can turn their device into a useless brick when it so chooses. This is far from the first time that customers' software and electronics have been downgraded by manufacturers. Updates can disable features the customer paid for that have fallen out of favor with the vendor, as when Google disabled privacy settings on Android or Sony took away the ability to run GNU/Linux on a Playstation 3. Manufacturers can even render a device unusable until the customer "agrees" to new terms of use, as Nintendo did with the Wii U. Other software and devices, including some video games, are designed so they simply stop working when they can no longer dial home to a server run by the vendor.

    TFA: https://www.eff.org/deeplinks/2016/04/nest-reminds-customers-ownership-isnt-what-it-used-be

    1. Re:SLASHDOT APPLYING CENSORSHIP by Pseudonymous+Powers · · Score: 2

      This has been the front page story, until lately:

      https://yro.slashdot.org/story/16/04/06/1529210/nest-reminds-customers-that-ownership-isnt-what-it-used-to-be

      Is slashdot applying censorship? Who are really the new overlords? Has Alphabet paid SlashdotMedia to silence its criticism?

      I would find this troubling indeed, only it appears that it's just a second-page story now. There's this new thing called the passage of time.

    2. Re:SLASHDOT APPLYING CENSORSHIP by Pseudonymous+Powers · · Score: 1

      Oh, okay, it's back now. My apologies. I thought you were talking about the "latest update bricks thermostats with a lifetime warranty" story from yesterday.

  6. How do you view the site? by Anonymous Coward · · Score: 0

    Never having visited the site before, I'd be interested to see what it looked like. Visiting the main page (http://osvdb.org/) just redirects to a blog note about the shutdown. Visiting the site on the wayback machine says "This URL has been excluded from the Wayback Machine."

    1. Re:How do you view the site? by sims+2 · · Score: 1

      Google web cache

      Google is doing their very best to hide its existence but for the moment its still there.

      http://webcache.googleusercont...

      --
      Minimum threshold fixed. Thanks!
  7. MITRE CVE is not everything by mx+b · · Score: 4, Informative

    They probably shut down because MITRE's CVE database is pretty much regarded as the canonical database for all vulnerabilities, open and proprietary. I've not seen a security advisory that didn't have a CVE number for a long time. I don't remember ever seeing one with a reference to OSVDB.

    MITRE itself has a list of things it thinks deserve CVE IDs; see https://cve.mitre.org/cve/data_sources_product_coverage.html for details. Things outside of this list may not ever receive a CVE ID, even if they are valid vulnerabilities.

    The takeaway is that lots of products have vulnerabilities but never receive CVEs or are included in the CVE dictionary. This is why alternates like OSVDB popped up, and why alternate vulnerability ID systems popped up recently (see DWF as a primary example).

    It's a shame to lose something like OSVDB, as there really isn't a good canonical source of ALL vulnerabilities. MITRE's CVE works for vulnerabilities in big name products, but it is nowhere near inclusive of all vulnerabilities reported. Of course, OSVDB hasn't been updated recently either, so there's a big gap in even knowing what's out there. Maybe projects like DWF will help us move in that direction.
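
    The coverage gap the comment above describes is easy to measure on your own advisory feed: pull every identifier out of the reference lines and list the entries that carry no CVE at all. The script below is an added example, not code from the original thread, OSVDB or MITRE. It knows the CVE syntax (CVE-YYYY-NNNN, with the sequence part at least four digits since the 2014 syntax change) and accepts a few common informal ways of citing an OSVDB entry; that citation style, the advisory titles and the OSVDB numbers are assumptions made for the demo.

    ```python
    import re
    from dataclasses import dataclass, field

    # CVE syntax: "CVE-YYYY-NNNN" where the sequence part has at least four digits.
    # The four-digit cap was lifted in 2014, so "CVE-2016-1000001" is also valid.
    CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)

    # OSVDB entries were cited informally ("OSVDB-12345", "OSVDB 12345",
    # "OSVDB ID: 12345"); accepting all three is an assumption about common
    # citation style, not a published format.
    OSVDB_RE = re.compile(r"\bOSVDB(?:\s+ID)?[\s:-]+(\d+)\b", re.IGNORECASE)

    # Looks like a CVE but the sequence part is too short: a typo or a truncated
    # paste, worth flagging rather than silently dropping.
    MALFORMED_CVE_RE = re.compile(r"\bCVE-\d{4}-\d{1,3}\b", re.IGNORECASE)


    @dataclass
    class Advisory:
        title: str
        references: str          # free-text reference line as it appears in the advisory
        cves: list = field(default_factory=list)
        osvdb: list = field(default_factory=list)
        malformed: list = field(default_factory=list)


    def extract_ids(text):
        """Return (cves, osvdb_ids) found in free text, as sorted lists in canonical form."""
        cves = sorted({f"CVE-{year}-{seq}" for year, seq in CVE_RE.findall(text)})
        # int() drops any leading zeros someone typed into an OSVDB number.
        osvdb = sorted({f"OSVDB-{int(n)}" for n in OSVDB_RE.findall(text)})
        return cves, osvdb


    def annotate(advisories):
        """Fill in the identifier fields of each advisory in place and return the list."""
        for adv in advisories:
            adv.cves, adv.osvdb = extract_ids(adv.references)
            adv.malformed = [m.upper() for m in MALFORMED_CVE_RE.findall(adv.references)]
        return advisories


    def without_cve(advisories):
        """Titles of advisories that cite no valid CVE: the coverage gap discussed above."""
        return [adv.title for adv in annotate(advisories) if not adv.cves]


    # Constructed sample input; the titles and OSVDB numbers are made up for the demo.
    SAMPLE_ADVISORIES = [
        Advisory("tls heartbeat read overrun", "References: CVE-2014-0160, OSVDB-123456"),
        Advisory("blog plugin stored xss", "References: OSVDB ID: 99999 (no CVE requested)"),
        Advisory("router default credentials", "References: vendor knowledge base only"),
        Advisory("lowercase cve citation", "see cve-2016-1000001 for the upstream entry"),
        Advisory("truncated cve paste", "References: CVE-2016-123"),
    ]

    if __name__ == "__main__":
        for adv in annotate(SAMPLE_ADVISORIES):
            print(f"{adv.title:30} cves={adv.cves} osvdb={adv.osvdb} malformed={adv.malformed}")
        print("no CVE:", without_cve(SAMPLE_ADVISORIES))
    ```

    Run against a real feed, the `without_cve` list is the set of entries you would have lost visibility on once OSVDB stopped updating; the `malformed` field catches truncated identifiers that a naive CVE-only match would have silently thrown away.
    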

  8. Of course companies would want a DB of weaknesses. by evolutionary · · Score: 1

    We are always looking for groups that show what we miss in potentially countless hours of testing, or exposing our inside voluntary or non-voluntary arrangements with government agencies (especially US and China), or exposing how much effort we make (or lack thereof) into securing our products.

    We want to show people we truly put the safety and security of our customers above profitability. Then we know the stockholders will understand.

    (and if you believe that there is a bridge in Brooklyn I can show you..)

    --
    "Imagination is more important than knowledge" - Einstein
  9. Proof of mistakes by 'security' folks... apk by Anonymous Coward · · Score: -1, Troll

    See subject: Had a program delay release on false positives for 4++ months in 2012 on bs false positives due to "heuristics" rules (against compressing my executables which stalls disassembly by 'scrambling' normal interior of an executable adding a loader too PLUS checking the .exe size @ startup & other areas of the code (if it altered, program would not run or shut down), plus, putting in disassembler/debugger checks)

    Nothing against you nimbius (you didn't do it) OR any 'security researcher' but I've seen "big name companies" listed below who made that mistake on my wares which literally protect themselves against viral infestation & 'hacking' them up via the methods noted above!

    EACH company listed below HAD to rescind their false positives clearing my ware in 2012:

    1.) McAfee/Intel
    2.) Comodo
    3.) Symantec/Norton
    4.) Sophos
    5.) ArcaVir
    6.) ClamAV
    7.) EmsiSoft
    8.) Qihoo360
    9.) Computer Associates

    I've been programming since 1982 in over a dozen languages (professionally for nearly 24 yrs. till I semi-retired) for a total of 34++ yrs. - I don't claim to "know it all" or be a "rock-star" programmer (who really is?) & above all else, I wasn't some "phb" giving them crap either - I went thru the slow process of clearing my name - I had the time. It's not mission critical for the life of a business etc. but the "malware explosion" demanded I get it out there (especially by adbanner infections).

    I didn't do ANY of what you noted in your enumerated list - why? I knew I was dead-on right + the program is FREE for the good of others. The jackasses you dealt with "went legal" on you since it is ALL they know how to do, vs. fighting it out since 'their kind' doesn't even begin to understand how to construct programs typically. I can't stand them (never could - part of WHY I left the field fulltime & started a business of my own - much better way of life) - imo? They're USELESS dead-weight UNLESS they too are former competent coders. It's my experience that programmers, serious ones that love the art & science of computing, don't NEED 'bosses' other than owners of companies. We LOVE what we do!

    (In fact, you're more than welcome to check the program yourself if you wish IF you have the time & inclination to do so (I won't bitch IF you find anything wrong with it security-wise since it only really HELPS ME in the end & yes, I've already been thru code checks too, see below, by a very competent security researcher!))

    * Funniest part is they STILL use those rules that generate false positives galore on OTHERS (I pulled exe compression + debugger check to get by it - sucks as they're inflexible on that - but that makes code load faster off disk since a filemass is smaller + protects the program, a SECURITY PROGRAM no less, vs. infestation).

    APK

    P.S.=> Proof of it being clean/safe by 57++ antivirus' now (as well as having malwarebytes' folks see the code to audit it or they wouldn't host it for me as they still do years later now)-> https://www.virustotal.com/en/... ... apk

    1. Re:Proof of mistakes by 'security' folks... apk by Anonymous Coward · · Score: 0

      stop the lies

      you stole that too just like you plagiarized your other work

  10. Depends on your nature & what you can lose by Anonymous Coward · · Score: -1

    To quote Apollo from the Star Trek TOS episode "Who Mourns for Adonais" on that note: "In a real sense, we were gods - we had the power of life & death: We could have struck out from Olympus, & destroyed. We have no wish to destroy..." & adding to that? Destroy others OR yourself.

    Imo it really all comes down to that - what kind of man/person you are, inside + face it - what you have to lose on many levels concerned...

    Imo, he's most likely a GOOD man who does well @ his job in security + doing more on the side with it (since to do his job typically you SHOULD be proficient in the OS used + its API & HLL languages above it, networking, + analysis tools like disassemblers/debuggers & VMs) & my guess based on that?

    He doesn't wish to ruin his standing on any levels or jeopardize those who depend on him either is why & has no wish to destroy (per my analogy, such as it is, up there (big 'trek' fan here, TOS only though) imo & experience by observation is, that in the end, ultimately that attitude will destroy you + possibly others around you.

    That's NOT right to do to yourself (takes time to become 'good' in this field, education too which costs BIG, for whatever that relative term 'good' means) - why throw all that time away or your life or those of your loved ones too. Taking YOURSELF down is 1 thing. Doing it to others who need you (let alone innocent others too)? It's wrong.

    I'll tell you guys something IF you aren't into this stuff @ this level - a GOOD experienced programmer (imo takes about a decade++ to "get there" & you never know it all) who is also a networking 'guru' (most are eventually, it comes with the job in order to do it fully/properly) are the MOST DANGEROUS guys online because of that kind of knowledge (it's power, but it can go either way - it's a matter of SELF-control NOT to abuse it & lose respect for that 'power' or more importantly perhaps, yourself...). It's NOT worth it, especially in anger - righteous indignation or not. It only causes more havoc ultimately, everyone takes a beating.

    He's probably on that level. You do NOT want to see guys of that calibre 'going bad'. After all, today, if you read the security journals? You catch on pretty fast that it IS those kinds of guys designing & building the truly MEAN malware out there (not script kiddie bs).

    Idiots 'destroy', as imo, they either have NOTHING TO LOSE, or they're just desperate taking the 'easy way out' day tripper style. You see a LOT of this in poorer nations. This latter kind I have more sympathy for but... once you go down that road? Can you get out??

    Above ALL else here:

    I don't mean to speak for others, & I certainly do NOT 'know it all' in the art & science of computing (too big & varied) or life even but I'm learning as I go along!

    See, yes... I have been there myself, & thought about 'vengeful' retaliation for definite wrongs directed my way (per link below relating it all + yes, others from idiots online or in real life too) - it made me absolutely furious since the nature of my work IS for the "absolute good".

    I'll tell you that since what I posted here (thanks for the upmod on it whoever did it -> https://it.slashdot.org/commen... ) as the program is meant for the absolute good, for others (today's internet needs things like it, it's so full of malicious exploits is why - the net's a great thing, idiots ruin great things vs. helping to make them even better)

    APK

    P.S.=> But, what do I know, right? I'm just a person, & like you all "just visiting" here on earth in this life, but I love making analogies to film, a common-ground most folks can relate to provided they too understand & have seen the reference used (my FAV startrek TOS episode in fact) - it's better than utilizing classical literature or scripture quotes etc. imo because of that - so if anyone thinks I am 'strange' for putting it this way? "Oh well!"... apk

  11. Post you replied to's last line shows diff by Anonymous Coward · · Score: -1

    See subject: Mr. Steven Burn of Malwarebytes verified my code - He knows it's MY code & unique as opposed to my inferior competitors of like kind in fact! E.G. - they use DB engines, I don't, & wrote it 'from scratch/by hand' other than what the Delphi IDE/compiler combo 'case-tool' generated.

    * The program does things that even its nearest competitor in quality + features doesn't (64-bit design, & speeding you up + making internet connectivity MORE reliable, avoiding DNS security issues, to name some). His use of SQLite imo, isn't a 'great idea' in case it goes out of business or develops a bug (which means turn-around time & apps dependent on it MIGHT have issues due to that).

    APK

    P.S.=> Now, as to your trolling off-topic reply: In fact, that is what "Open SORES" folks do! Yes, I've seen it 1st hand - so have you, example? 1st, you learn nothing by that (other than what I allude to above in depending on OTHERS' work, when bugs hit, as I've seen recently in various "javascript frameworks" that anyone using it pays the price in that bug - having to await fixes that MAY never come & they aren't able to fix it themselves, as they did not write it), not really, & passing it off as "yours" is bogus too - your reply? It projects YOU probably do that in fact... apk

  12. Proof of mistakes by 'security' folks... apk by Anonymous Coward · · Score: 0

    See subject: Had a program delay release on false positives for 4++ months in 2012 on bs false positives due to "heuristics" rules (against compressing my executables which stalls disassembly by 'scrambling' normal interior of an executable adding a loader too PLUS checking the .exe size @ startup & other areas of the code (if it altered, program would not run or shut down), plus, putting in disassembler/debugger checks)

    Nothing against you nimbius (you didn't do it) OR any 'security researcher' but I've seen "big name companies" listed below who made that mistake on my wares which literally protect themselves against viral infestation & 'hacking' them up via the methods noted above!

    EACH company listed below HAD to rescind their false positives clearing my ware in 2012:

    1.) McAfee/Intel
    2.) Comodo
    3.) Symantec/Norton
    4.) Sophos
    5.) ArcaVir
    6.) ClamAV
    7.) EmsiSoft
    8.) Qihoo360
    9.) Computer Associates

    I've been programming since 1982 in over a dozen languages (professionally for nearly 24 yrs. till I semi-retired) for a total of 34++ yrs. - I don't claim to "know it all" or be a "rock-star" programmer (who really is?) & above all else, I wasn't some "phb" giving them crap either - I went thru the slow process of clearing my name - I had the time.

    The "malware explosion" demanded I get it out there (especially by adbanner infections).

    I didn't do ANY of what you noted in your enumerated list - why? I knew I was dead-on right + the program is FREE for the good of others.

    The jackasses you dealt with "went legal" on you since it is ALL they know how to do, vs. fighting it out since 'their kind' doesn't even begin to understand how to construct programs typically. I can't stand them (never could - part of WHY I left the field fulltime & started a business of my own - much better way of life) - imo? They're USELESS dead-weight UNLESS they too are former competent coders. It's my experience that programmers, serious ones that love the art & science of computing, don't NEED 'bosses' other than owners of companies. We LOVE what we do!

    (In fact, you're more than welcome to check the program yourself if you wish IF you have the time & inclination to do so (I won't bitch IF you find anything wrong with it security-wise since it only really HELPS ME in the end & yes, I've already been thru code checks too, see below, by a very competent security researcher!))

    * Funniest part is they STILL use those rules that generate false positives galore on OTHERS (I pulled exe compression + debugger check to get by it - sucks as they're inflexible on that - but that makes code load faster off disk since a filemass is smaller + protects the program, a SECURITY PROGRAM no less, vs. infestation).

    Lastly in closing: To the trolls downmodding me DAYS LATER no less, & to suppress truths I told here, & AFTER I was upmodded the last time I posted this here https://it.slashdot.org/commen... ?

    As usual, I'll just repost exhausting you of your "downmod points" fools... it's TOO easy.

    APK

    P.S.=> Proof it's safe by 57++ antivirus' now (as well as having malwarebytes' folks see the code to audit it or they wouldn't host it for me as they still do years later now)-> https://www.virustotal.com/en/... ... apk