BugTraq No Longer Able To Publish MS Security UPDATED
Posted by
Hemos
on Fri Dec 08, 2000 09:10 AM
from the dumb-move dept.
krow writes: "According to a BugTraq administrative note, they are no longer able to publish Microsoft Bulletins. They are copyrighting their bug reports so that others can not publish them." Bugtraq will continue to publish the vulnerabilities/bugs, but only the URLs; readers will have to click to read them. Says a SecurityFocus employee: "As the copyright holders of the work they have told me in no uncertain terms that I do not have their permission to redistribute a text version of their web page bulletins...doing so would be considered an act of copyright violation."
BugTraq No Longer Able To Publish MS Security Holes
312 comments
Solution (Score:5)
Stop vendor notification of MS Security holes.
There is a "gentleman's rule" of disclosure that says you should always notify the vendor of any security hole found, and give them time to create a patch, before publicly disclosing the hole.
The solution is to rescind this rule for MS products, because there is another "gentleman's rule" that says that vendors will admit to the hole and issue a public bulletin.
If MS wants to issue private bulletins (which is what they're doing - you're not allowed to quote it verbatim) then it's time to forego the vendor notification.
Oh well. (Score:4)
Well, who cares? You always see it on BugTraq before it gets back to Microsoft, even when you tell them about it first...
---
pb Reply or e-mail; don't vaguely moderate [ncsu.edu].
Re:Oh well. (Score:3)
E.
It's not as bad (Score:5)
Is This Really As Terrible As It Sounds? (Score:5)
If I was experimenting with IIS and found a bug (compromise, DoS, etc) I'm still free to post it on the Bugtraq mailing list. Microsoft cannot stop me from doing this.
On the other hand, the Microsoft Security Announcements can't be posted. The solution? Go out to Microsoft's web site which can be found here [microsoft.com] and check the bulletins yourself. The other option is to subscribe to Microsoft's security mailing list.
I don't think this hurts customers very much, although it does have the side effect of either giving your e-mail address to Microsoft or visiting their web site more often.
Umm...just rewrite the text (Score:4)
Otherwise, movie reviews, book reviews, and bug reports would have ceased to exist a long time ago. In fact, these things make the original product even more popular, just consider the free publicity...
What this may come up... (Score:3)
This is where the danger might lie. If Microsoft publishes a bug report and then claims that someone violated their copyright because they cited it, then we do have a problem here. I leave the possible consequences to your conclusions...
The story is not accurate. Please read. (Score:3)
Microsoft changed the format in which they send their advisories. Before, they used to send their emails with the full advisory in plain text included in the email. For example, consider this one sent by them on Thu, 16 Nov 2000: here [securityfocus.com]
Then came advisories sent in a different format. Instead of including the full text with a description of the bug, workarounds, etc., Microsoft decided to include only a couple of URLs and that's it. You can see an example of this here [securityfocus.com]. As you can see, it's a pain in the ass to read and getting the information becomes really hard.
What happens next (on Tue Dec 05), is that Elias Levy (a.k.a. Aleph1, Bugtraq moderator) decides that he will not accept advisories in this new format. You can read what he wrote here [securityfocus.com] but allow me to quote:
I will no longer be approving any advisories with little or no content that point you to some other place for information.
Pretty isn't it.
What happened NEXT is where the /. story starts. On the same day, Elias took a Microsoft advisory and copy-and-pasted it as plain text in an email sent to Bugtraq. You can read the message here [securityfocus.com]. Please note that this email was sent from Elias Levy (aleph1@securityfocus.com) and not from the usual Microsoft address. This is where Microsoft got pissy.
In this [securityfocus.com] email, Elias gives the tone, and I quote:
It seems Microsoft was not very amused at my posting of their advisory to the list the other day.
And now we can start talking about Microsoft's actions, but I guess that if you read my post, you understand better what really happened. As a last note, let me repeat what has been said on Bugtraq. An email address has been created by Microsoft for us to give them feedback about their new format. This email is secfdbck@microsoft.com [mailto]. Please tell them what you think about their new format.
Re:Timing is everything (Score:3)
BugTraq should md5 the bulletin and provide that next to the link to Microsoft. If Microsoft changes anything, people will be able to tell. If it goes away, people will see the dangling link. Microsoft will look bad either way...
Timing is everything (Score:5)
The idea being that it's a security list and people subscribe to it to have the information delivered to them, not to have links so they can go find it.
Luckily this doesn't affect me, as where I work we don't run any NT systems (well, some groups do, but we are all Unix). However, I have to agree with Aleph1 - I want to be able to determine whether services that I am running are vulnerable or patches are available right here and now... I don't want to have to go off somewhere else - it makes BUGTRAQ less useful.
I don't see the point of this. Isn't the whole idea of these bulletins to get the word out? This copyright bullshit is silly. These are security notices, not works of art. Why do they need this extra measure of "control" over them? So they can change them and pretend that any mistakes were never there? So they can make them disappear later?
I really can't imagine any real reason for wanting this.
-Steve
Yes, this is as terrible as it sounds (Score:5)
I can understand why a company would (and must) vigorously defend its trademarks. I also understand why companies want to prosecute violations of their valuable copyrighted works.
But what is the value of trying to clamp down on control of information such as security problems and vulnerabilities? There must be some ulterior motive.
After all, with a copyright, MS could just grant anyone permission to redistribute and reproduce the text of the bug report -- provided copyright notices remain intact.
So why aren't they doing something like this? I think previous posters got it exactly right. They can silently edit things after the fact. Change links. Change the contents of linked pages, etc. One thing about news on the web is that no permanent record exists.
One other thought: Since copyright doesn't protect the idea, BugTraq could explain the problem in their own words, and there is nothing MS could do about it.
Some background info (Score:5)
This is very annoying if you want to download your emails to a laptop and read them somewhere where you don't have i-net access to read the whole thing.
I guess Microsoft did that to create an easily updateable security information archive.
But they should still put the whole info into the email, and post a link where you could find updated information.
If you care, send an email to Microsoft Security Feedback [mailto]
Is it too much to ask to /read/ the damn thing? (Score:3)
Wow! (Score:3)
"One microsoft-bug-list-T-shirt, please. Size Hindenburg[1], please."
[1] large object was chosen at random - the final fate of the Hindenburg didn't have anything to do with it...
--
Purpose of copyright (Score:3)
The reason that copyright exists, is to encourage creators to create expression. That encouragement is normally implemented as profit. The profit comes from the creator having a temporary monopoly on the expression, so that they can sell it, license it, etc.
Government grants copyright and legal protection to creators in order to get something in exchange: creative works (which, after it falls into public domain, then benefits the people that gave government its power).
Microsoft issues security bulletins in order to increase the security of their installed base of users, thereby increasing the reputation of their product, thereby hopefully increasing sales of their product. They do not write security bulletins in order to sell them or license them for a profit.
Government grants copyright and legal protection to Microsoft security bulletins in order to get ... what in return?
My limited imagination does not see a connection between the purpose of government granting copyright, and Microsoft writing security bulletins.
If anyone here ever ends up starting their own government and writing their own copyright laws from scratch, I hope that they consider this issue. ;-)
---
Facts are not protected by copyright protection. (Score:5)
You cannot protect a fact as intellectual property or under copyright protection. This is why anyone in the nation can publish the scores of an NBA game -- the NBA does not "own" the statistics of the players. Anyone can write a film or game review -- it is not illegal for me to say what happens in your movie or game. For this reason, there is nothing illegal about reporting bugs, DMCA be damned. 1st Amendment wins, fatality.
Security Focus may not be able to copy-and-paste, but they can read a report in the Microsoft email and report on the report. Again, facts cannot be copyright protected.
BugTraq can still publish parts: Fair Use (Score:3)
Microsoft can't do a thing about it.
Pretty silly thing for MS to do, regardless. This just makes them look like they're trying to hide things.
On an amusing note: MS had a 30% increase in productivity [theregister.co.uk] this year: of security patches.
Regards,
-scott
Microsoft should better... (Score:4)
Wouldn't it be really fun if they sued everybody who reproduced their bugs...
They could start with access violations in end-user programs, that should break the neck of 99% of all other software producers.
Re:READ the article before you submit it! (Score:3)
All right, getting all the patches eventually is good - but you're not going to get them until the vendor has actually acknowledged the problem, analyzed it, created the patch, done (you hope) some testing, then posted it. And _that's_ if the vendor decides to actually acknowledge the problem.
In the meantime, you need defenses & some kind of workaround - and the most timely method of getting that information is from the people who just got slammed by the bug, and who are reporting their experiences to services like BugTraq.
In other words, I'm agreeing with you about needing to monitor the vendor releases closely so you can keep your system "officially" up to date, but if that's ALL you're relying on, then sooner or later you're going to get screwed and not even know what hit you.
To do more than that, you need services neutral w/respect to any individual vendors, like BugTraq.
Re:Yes, it is! (Score:3)
Hmmm... download it for personal use, then take a diff. Post the diffs to bugtraq.
What is surprising is that Microsoft is consistent with the timestamp in their updates. If something was edited last week, it will say so at the bottom... even if the article was first posted three years ago.
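The two comments above (hash the bulletin next to the link, and diff a saved copy against the live page) describe the same detection idea: keep a fingerprint of what was published, and flag silent edits. The script below is an added illustration, not code from Slashdot, Bugtraq or Microsoft; it uses SHA-256 rather than the MD5 the comment names, normalizes line endings and trailing whitespace so a cosmetic re-save does not trigger a false alarm, and produces a unified diff of whatever did change. The two bulletin texts are constructed samples.

```python
import difflib
import hashlib

# Constructed sample: the bulletin as first published, and a later
# silently edited version that widens the "Affected" line.
BULLETIN_PUBLISHED = """Title: Example Vendor Bulletin (constructed sample)
Affected: Product 5.0
Workaround: disable the affected service until the patch ships.
"""
BULLETIN_LIVE = """Title: Example Vendor Bulletin (constructed sample)\r
Affected: Product 4.0, 5.0\r
Workaround: disable the affected service until the patch ships.   \r
"""


def normalize(text: str) -> str:
    """Canonicalize line endings and trailing whitespace so that a
    re-save with CRLF or padded lines is not reported as an edit."""
    lines = [line.rstrip() for line in text.replace("\r\n", "\n").replace("\r", "\n").split("\n")]
    return "\n".join(lines).strip() + "\n"


def fingerprint(text: str) -> str:
    """Hex digest of the normalized bulletin. SHA-256 is used here
    instead of the MD5 the comment suggests; MD5 is no longer
    collision-resistant."""
    return hashlib.sha256(normalize(text).encode("utf-8")).hexdigest()


def has_changed(live_text: str, published_digest: str) -> bool:
    """True if the live page no longer matches the digest recorded
    when the link was published."""
    return fingerprint(live_text) != published_digest


def silent_edit_diff(published_text: str, live_text: str) -> list[str]:
    """Unified diff (as a list of lines) of the published vs. live
    bulletin, after normalization. Empty if nothing changed."""
    old = normalize(published_text).splitlines()
    new = normalize(live_text).splitlines()
    return list(difflib.unified_diff(old, new, "bulletin@published", "bulletin@live", lineterm=""))


if __name__ == "__main__":
    recorded = fingerprint(BULLETIN_PUBLISHED)
    print("published digest:", recorded)
    if has_changed(BULLETIN_LIVE, recorded):
        print("bulletin changed since publication:")
        print("\n".join(silent_edit_diff(BULLETIN_PUBLISHED, BULLETIN_LIVE)))
    else:
        print("bulletin unchanged")
```

In practice the digest would be recorded at the moment the advisory is forwarded to the list and re-checked whenever the link is followed; a mismatch together with a diff shows exactly which line was touched, and a fetch failure shows the dangling link the comment mentions.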
FINALLY!!! (Score:3)
--
That's not the case... (Score:5)
Basically, the new MS format is very non-informative, and therefore, not very helpful for those in need of information about a new vulnerability. They want to centralize the location of their advisories so that customers can get up to date information in one place on the web.
I applaud them for trying this out, but I don't think it is the best way to go. I still prefer the old method of sending out all of the advisory in a single email.
Furthermore, this won't stop MS advisories from being posted by the people who have found the hole (there will be plenty of those, I am sure) - and those are usually more informative anyway...
- Rick
www.bluealien.org
I know what's next... (Score:3)
I mean, who cares whether the system is secure or not. As long as you agree to the EULA, everyone's safe!
Re:I can see their point. (Score:3)
Security through obscurity works, in the end.
Sorry, but that's exactly wrong - security through obscurity doesn't work .. not longterm anyway.
There have been many programs in wide scale use, with no source, that have been exploited by [ch]rackers - all it takes is one knowledgeable person, and a disassembler [geocities.com].
I've spent many a happy evening at home reverse engineering communications protocols, and the like - there's a fine example of something that's not automatically secure just because the details aren't published.
But the only way the hackers find out is by reading bugtrak
Granted some script kiddie[sz] will find details of exploits from reading SecurityFocus [securityfocus.com], and BugTrack - but if those sites didn't exist they'd be talking about them on IRC anyway.
A talented [hc]racker isn't going to need somebody to spoonfeed him/her exploits - they will sit and discover them by examining source code, or binaries.
Steve
---
Re:Is it too much to ask to /read/ the damn thing? (Score:3)
~luge
Re:Is it too much to ask to /read/ the damn thing? (Score:3)
Re:READ the article before you submit it! (Score:5)
You may be a troll and I'm feeding, but I'll give it a go.
Like Microsoft, all of the major UNIX vendors have security mailing lists. They tell what program the bug is in, if it is a remote or local compromise, and what exactly the compromise can do (denial of service, gain root access, etc). This includes Sun (Solaris), HP (HP-UX), SGI (IRIX) and Digital (Digital UNIX, aka OSF1 aka Tru64).
Same goes with the majority of the large (and even most of the small) Linux vendors. Do you see Bugtraq after a local root compromise has been found? I see updates from 7 or 8 Linux vendors announcing patches or packages with the fix.
Some folks (such as OpenBSD and their code audit) do not report all bugs. As for their reasoning, I don't know, but they will report bugs that users find, but not things they find during their code audit.
So yes, UNIX vendors DO report and patch their bugs.
What's next... (Score:3)
Geez, isn't that a bit like a car manufacturer notifying the public that their latest SUVs flip over and explode, but preventing anyone from redistributing that notice? Has the software industry become so corrupt that our failure notices are now considered revenue generators and exclusive property?*
What next, a EULA on their website that reads "By using this website, you agree not to disclose the details of these failures to third parties. This information is confidential, and only available to licensees of Microsoft products".
* I forgot about the $90/hour tech support. I called Mickey$oft once to confirm that the behavior I was seeing was in fact a bug in IIS, and the wanker tried to charge me because he offered a half-assed workaround. Then it shows up as one of these bug reports [microsoft.com] on their website the next day (oh geez, it exists in 5.0 too!). They knew about the bug beforehand, as he had the workaround almost immediately, but did not publish until the prospect of someone else identifying and publishing the bug came up. My experience, and this current issue, says to me that Microsoft is only interested in spin control.
--
Bush's assertion: there ought to be limits to freedom
Microsoft is also using a web bug to monitor views (Score:4)
One thing that I noticed about the new Microsoft security bulletins is that they now contain Web bugs. The bugs look like they are used to count the number of people coming to read the bulletins. Here is the URL for one of these bugs: http://c.microsoft.com/trans_pixel.asp?source=www&TYPE=PV&p=technet_security_bulletin [microsoft.com]. I didn't see a tag for the bug, so I'm assuming it is generated by one of the JavaScript files included on the page.
It may be innocuous - just to see which are popular - but they could do that via log analysis, or a visible counter..
-dg-
Re:Is This Really As Terrible As It Sounds? (Score:3)
The only possible reason for this is Microsoft prefers spin control to efficient distribution in distributing bug reports.
What, they were planning on releasing a "best of MS bugs" album? Copyright? Give me a break.
Yes, it is! (Score:5)
This is bad for two reasons:
First, MS has a nasty habit of moving their web pages around, and not using redirects; so the link they publish today may not be available tomorrow (or next week, or next month) even if the vulnerability is still important.
Second, MS can "edit" the web page to say anything they want, after the fact. They can surreptitiously add/remove information from any bulletin at any time, and not tell anybody - an "extension" to a known vulnerability (such as the IIS Unicode bug, which was patched a year ago, but still reared its ugly head this summer) can be silently "updated", and nobody is any wiser.
Bugtraq is a full disclosure list - and this is a definite step away from full disclosure.
Re:Solution (Score:3)
"Stop vendor notification of MS Security holes."
You make an excellent and insightful point, but I think the gist of this action is that MS doesn't give a shit about bugs or bug reports. If they can stop people from KNOWING about bugs (and they are doing this by severely limiting and taking control of disseminating this information) then bugs aren't a problem.
MS doesn't want to know about bugs, and they don't want YOU to know. They especially don't want the average MIS manager (who are typically much less technically astute than those they manage) to know about bugs.
Re:Yes, it is! (Score:3)
Slashdot - get a grip and get some knowledge. (Score:3)
Microsoft is issuing Security Advisories, like other companies. These distributable security advisories were posted to Bugtraq and other mailing lists, and were up until a week ago. The point is, Microsoft has changed their Security Advisory layout, to only include a URL to the description of the bug and so forth.
Aleph1 is running Bugtraq, which is a full disclosure mailing list, and one of the policies is that the signal-noise ratio should be as good as possible. To avoid noise, "no-content" advisories are rejected. Advisories with nothing but URLs are considered no-content advisories.
That means that Aleph1 will no longer be publishing Microsoft's new security alerts. Instead he tried to post one of the security bulletins from their webpages, which Microsoft claims copyright on. Well, too bad for them. Microsoft is forgetting that they have now made sure that even _fewer_ security administrators will get to know about their products' weaknesses, and even _fewer_ administrators will upgrade.
In other words, they've done an Operation Foot Bullet. I don't complain though, as I don't run Microsoft servers - and now have even more arguments when convincing companies I work for not to use their shitty products.
Slashdot has in this case presented a very wrong view. It's Aleph1 that is _rejecting_ Microsoft's security alerts because of them being NON-CONTENT. He is however not allowed to grab Microsoft's _webpages_ and publish them on Bugtraq.
--