L0pht Joins MS As BUGTRAQ Outcasts

SmellyBrain writes: "As a follow-up to the recent story of BUGTRAQ no longer publishing Microsoft advisories, it seems they are no longer publishing advisories by @stake (the company that brought the L0pht). ZDNet has an article about this here. It seems that just like Microsoft, @stake changed their advisories to include minimal information and a link to their Web site. You can find the message by the moderator, Elias Levy, asking for the subscribers' feedback here. This is a very dangerous new trend in the security industry."
  • You did not kill my point, only dragged in irrelevant sidepoints. You reduce the risk by spreading the data over multiple platforms. Granted, this requires a resourceful IT department. If you do, though, you will not lose it all when the kiddies attack.
  • Since MS has posted KB on their MSDN and/or Technet CD's for quite a while, I fail to see how this can happen. Will they stop doing that as well? Doubt it.
  • As fucked up as MS might be, that's exaggerating a bit. They haven't tried to force us all to use any shitty software yet, they just want to force us to go to their site to read about it.

    Also, this really isn't l0pht we're talking about, it's @stake. Once you sell out you are often forced to submit to things that you don't like. (like ads for PT Cruisers with your logo on the side)

  • I have put a copy of the original mail up at http://www.catatonia.org/bugtraq [catatonia.org]
  • by Prophet of Doom ( 250947 ) on Thursday December 14, 2000 @12:43AM (#560296)
    This might be the first step in controlling how information about software is disseminated. If you look at the license for some of Oracle's products you'll see that by installing it you agree to allow Oracle to review any benchmarks you wish to publish. Now we see companies copyrighting their security advisories so they can force you to go to their site (and presumably submit to their terms) to read them. How long before you have to click past a license to read them? How long before that license is essentially an NDA that prevents you from distributing the information in the advisory?

    That would be a big step in quieting your enemies. If you can't legally install the software without agreeing to a license that prevents you from telling anyone about its shortfalls then I suppose there will be much less ammo for the competition. If you don't know what's wrong with something it is hard to position yourself as an alternative.

  • L0pht, of all groups, is now going against full disclosure?

    Not that I agree with this approach, but it's not like they're hiding anything. They are disclosing everything, but asking you to visit their site. For what gain I don't know since it's a plaintext file without any links, let alone any advertising...(which is of course a good thing)

  • Or to further drive the point home with a hammer:

    Butt "brought" is a reel word, so a spell chequer wood knot half pict up on it.

    Anonymous Moron
  • Ten bucks says "kludge" means what I thought it meant [tuxedo.org].

    You dickhead.

  • What about Sun's non-disclosure on all support contracts? Anybody hearing about the large memory problems the Enterprise 10000s are having? Every time a customer has a problem with their hardware, they are not permitted to discuss the problem with outside individuals. Therefore, it has taken a lot of leaks to put together a piece that says Sun has a hardware problem and won't face up to it.
    Intel could have gone the same way with RAMBUS (and might have even done so for a while) but they don't control all their customers the way Sun does.
    What I'm getting at is this: some hardware has this nasty list non-disclosure wrapped around sharing bugs/exploits, so what is to stop industries like Oracle, Windows SERVERS, MS Certified Network Administrators and the like from being allowed to disclose system problems.
    It wouldn't make reporting bugs illegal, but so much of the industry would have voluntarily signed the NDAs that no-one will report on anything but open-source software.
  • This is why there only being one value of PI and one type of Hydrogen has done us so badly...

    There are three types of hydrogen... there's your ordinary hydrogen, there's deuterium (with one neutron) and there's tritium (with two neutrons) - the last of these is also radioactive.

  • Depends. IANAL, but since M$ would still be offering their own 'solutions' a la BugTraq available on a publicly accessible web page, it would be legal to copy and distribute that information provided that you make no claims to ownership, do not change the information, and do not charge for it.

    Because, let's face it, if we were not meant to print out copies from web-pages, Netscape would not have a Print button. :P

  • Bugtraq isn't going away. If it becomes illegal to run it in the US, we have contingency plans. If it becomes illegal to read it in the US, then that risk is up to the US readers to assume.
  • by Anonymous Coward on Thursday December 14, 2000 @03:44AM (#560304)

    They're sending you to a link which they can update as more information is available.

    If they were really interested in improving security service to their customers, they'd just post a second advisory and adorn the first with a link to it.

    That way, you get the early information when it's available, you get the later information when it arrives (and it gets brought to your attention), and you have a history to peruse of what was known and done.

    The other way, if they change the advisory on their page, you're not notified of the potentially valuable new information, so it's much easier to miss it. If asked to demonstrate why you did something, you could return and find your supporting evidence reversed. The changes could actually drop information you remain interested in.

    The only advantage provided by the approach they did take is that it conceals the history of the report, giving the company more room to falsely polish its image - at your expense.

    This fits Microsoft (and many of today's "businesses") to a T: promote the company, trip up the customer.

    I'm amazed anew every day by the apparent willingness of the majority of customers to be harmed and then bamboozled by transparent excuses. Perhaps someone (I speak seriously) could explain this to me.

    I wonder if some freenet-like project could be devoted to archiving useful information which would otherwise be so controlled. I think there would be a very strong case for fair use, especially as the primary value of the archive would be in the contained facts, not their expression.

  • With MS's site, there is another danger: It can stop working for browsers other than IE.

    There already are assorted non-IE irritants scattered throughout the site, and a month ago the main page went blank for two weeks with my Netscape version (due to bad Javascript in the Netscape-oriented page). They're already not supporting Netscape well, and if they made IE their only supported browser then things can easily break.

  • A full description of the statement can be found here [securityfocus.com].
    A full description of @Stake's response can be found here [l0pht.com].
    A full description of Microsoft's response can be found here [microsoft.com].
  • What I think should be done is the advisory should contain all of the details. There should be a link back to the poster's site where they will be updating the advisory. They should also let vuldb@securityfocus know as well.
  • It does create however a single point of failure. I think the information should be posted to both places.
  • by TheCarp ( 96830 ) <sjc.carpanet@net> on Thursday December 14, 2000 @06:32AM (#560309) Homepage
    > I'll tell you exactly why this is dangerous. It
    > allows the vendor to add/edit or delete the
    > advisory *without* telling anyone.

    While the most obvious problem, it's not the major issue in my mind.

    When a message goes to bugtraq, it is immortal. It never goes away, ever. Even if the BUGTRAQ main archives are wiped out, it's replicated in so many places, under so many different points of control.

    When it's on a website, if the company folds, or redesigns their website, or has a hard drive failure and finds their backups weren't working...

    The advisories are gone. So in the future, if anyone has a reason to need them for any reason, they simply are not available.

    That's only part of the problem. It's an annoyance. BUGTRAQ is a single point of information. I go there and I can find out about all sorts of security problems, with in-depth information (usually) on how I can assess my vulnerability and reduce or eliminate exposure.

    If one company (like M$) starts releasing no-content advisories, and making me go to their website for the info (M$ is a bad example of course since NO M$ advisory could possibly affect a UNIX sysadmin like myself ;)), that's annoying. However, if several companies start doing it - it essentially makes BUGTRAQ useless - I now have to spend more time bouncing from source to source.

    It discourages active security monitoring. It makes more work for me...and the end result 90% of the time is finding out that it's not a problem that affects me anyway (either due to specific version issues, or not being software I am actually using, or depending on features that I am not using).

    This is just bad all around. It decreases the value of the list. It makes it harder and more time consuming to keep current - which translates directly into more people deciding that they just don't have the time/energy to do it. Not all of us have infinite time to keep up with this stuff.

    -Steve
  • If a particular exploit is changed from little or no risk to high risk, then a new advisory will be posted to warn people of this (if this were not the case, you would have to spend all your days and nights scanning little or no risk advisories to see if their rating changed).

    The real problem is the other way around. If an advisory has been posted that said that on Operating System X version 6.37, the software foo version 117.12 has a hole, I expect this information to stay there. Having a link to an external resource puts this information at risk. If, 5 years after that, I need that info (for instance, because I happen to have a X-6.37 with foo-118.12) I need the correct link. (I expect security reports to be mounted with the immutable flag, like any respectable root partition, or to be in an append-only chflagged file :-) ).

    I agree in advance with the fact that, in the l0pht case, they probably don't plan to remove advisories (but M$ surely does).

    There are a lot of resources here that were only available in deja usenet archives. I recall replying to technical Cocoa questions with deja usenet links on next-progs. If someone now scans the mailing list archive, he'll be left with incomplete answers. This is why linking is sometimes a bad idea.

    Cheers,

    --fred
  • I am a long-time subscriber to bugtraq. I have mostly used it as a resource for securing operating systems. My concern with disallowing certain posts is that the vendors may discontinue using bugtraq altogether, thus splintering the distribution of information to many other sources.

    This is definitely a struggle for control of information. bugtraq wants it all on their list and the vendor wants it back on their website. I honestly prefer to have the information available on a vendor-neutral site like bugtraq, but I fear trying to force vendors to do this may cause more problems than it solves.

    I want to use bugtraq as my primary source for security updates - and if all of the posts are not sent to bugtraq, and especially if groups like l0pht or others stop sending them through bugtraq, I'll end up having to follow many more websites and mailing lists for my updates. This is not good for the security community at all.
    --
    Twivel

  • And stuff has been removed out of that. There have been articles I need taken out of the CD version.
  • You're not worried about whether people find out about a possible security issue anymore. You're worried about people coming to your web site so you can make $$$. Sure I need to make money as much as the next guy. That's not the point. Do any of you really think this was the idea of any of the original L0pht members? Nope, it's their corp buddies they sold l0pht to.

  • Ok, here's one I just don't get. Of course we all know that MS, et al don't like full disclosure because then everyone knows how easily they can be 0wn3d.

    But if L0pht is so leet, then wouldn't they want everyone to know about all the 'sploits they found?
  • Sometimes, you come across conflicting information. If you know who's clued in and who's a moron, you know what to read first, and what to lean on (at your own risk). Microsoft is taking that away from us. How can we trust them when they are making our job harder?
  • Let's assume for the moment that they're not trying to sit on bugs. So, they want people to read their content. Now, the only advantage to them reading their exact wording on their server exclusively is that it gets them onto their servers.

    Except that neither of them carry banner ads, so a hit _costs_ them money rather than making them money. There's a small argument that they might want people on their site to get them to click around on it and get some more information (and therefore, hopefully, buy something) but if you're going to want that then surely it won't make any difference where you read it - I mean, if you're interested you'll go there from the e-mail in all probability and if you aren't you're just going to jump straight out anyway.

    So the logic of this decision on both of their parts rather falls down IMHO. Microsoft come across as wanting to stifle reporting and discussion of problems in their software (what a surprise there!) and @stake come across as a group new to the game who don't understand what they're doing. Neither is something I'd want people to perceive of me.
  • Yeah you could buy the MSDN CDs or you could order the free subscription like I did.
  • Date: Wed, 13 Dec 2000 16:24:53 -0500
    From: Weld Pond
    To: BUGTRAQ@SECURITYFOCUS.COM
    Subject: @stake Advisory Notification Format

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    I think everyone out there knows that we [stake.com]are committed to full disclosure and the concept of freely available security advisories. Many vendors do not issue bulletins after we [stake.com]report problems to them, even after they subsequently fix the problems. Without advisories from independent researchers there is no check on product vendors. This is a service that we [stake.com]give to the security community because we [stake.com]think it is the right thing to do with the fruits of our [stake.com]research. With our [stake.com]new mailing list notification format we [stake.com]have not changed this one bit. we [stake.com]are giving out more information now in our [stake.com]advisories than we [stake.com]ever have before, so we [stake.com]are certainly not withholding anything. Quite the opposite. Over the past few months we [stake.com]have expanded our [stake.com]overview sections that allow non-technical people to scope the problem. we [stake.com]have expanded our [stake.com]detailed technical discussions of issues, many times including detailed source code examples. And, I think most importantly, we [stake.com]have greatly expanded our [stake.com]solutions discussion so that people are not always reliant on vendor patches. we [stake.com]need many ways to mitigate vulnerabilities because there are many environments.

    The advisory notification format we [stake.com]are using has about the same amount of information as the paraphrased advisories that Elias posted for the latest Microsoft advisories and the same amount of information that some other researchers post in their advisories. This is more than enough information to decide if the issue at hand affects you and you need to dive deeper into our [stake.com]analysis.

    What we [stake.com]are doing is adding more information than we [stake.com]have in the past and we [stake.com]are adding it on our [stake.com]web site. There are plans to add much more. we [stake.com]think that our [stake.com]web site and its accompanying web technology is the best place to expand our [stake.com]free information dissemination into the future. we [stake.com]have many ideas in store that I know people will appreciate. Of course, notifications of important information releases will be made to mailing lists that accept them so everyone who wishes to can read and use the information. we [stake.com]may even set up our [stake.com]own notification list if there is a demand for that.

    We have stayed away from cluttering up our [stake.com]advisories with marketing gorp, like ads about our [stake.com]services or ads about our [stake.com]company like many commercial research teams do. we [stake.com]pride ourselves in publishing our [stake.com]research on an academic level and always have. This will not change.

    weld

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.0

    ib3tUth1nKtH15ofF3r5U50M3/3-leet/++m345Ur30fPr0t3c T1oN...,D0ntUNoW??

    -----END PGP SIGNATURE-----
  • If you know Weld Pond personally (I do) you'd probably have a different opinion. I think his quote in this particular article was probably taken a bit out of context, or at least placed in the wrong context. I know that Mudge pushed fairly hard for the compromise [securityfocus.com] that has actually been reached with BugTraq.
  • by rdejean ( 150504 ) on Wednesday December 13, 2000 @11:54PM (#560320) Journal
    I'll tell you exactly why this is dangerous. It allows the vendor to add/edit or delete the advisory *without* telling anyone.

    Let's say Microsoft decides to end-of-life NT 4.0. Since it's not supported anymore, they don't publish advisories or fixes for it. Then one day, boom. ALL NT advisories are simply deleted from Microsoft's website. The only thing left in BugTraq archives is a bunch of dead links. OR worse yet... they go through all 98/Me/2000 advisories that also mention NT, and just remove NT from the affected OS's line. They could certainly do this, and could justify it by saying "NT isn't supported anymore." This would certainly accelerate any Win2000 upgrade plans I had, and that's the whole point of this.

    @stake's new format is not nearly as bad as Microsoft's, but I still firmly believe they need to post the entire advisory to BugTraq.
  • Who cares about Technet CD's? You missed the entire point. The Microsoft example was just that--an example. Any vendor could pull the same stunt. The point is, the new format is unacceptable from anyone--Microsoft, @stake, or whoever.

  • This is bad. Now I can't see the details about a security hole without firing up a web browser and going round half a dozen sites... Or if I've already been hit by some denial-of-service, I won't be *able* to fire up a web browser to see which of the many security holes it might have been.

    MS doing this doesn't bother me personally since I trust them so little I don't run their software, but if this becomes a trend, it'll be a blow for security... and that's something so fragile we can't afford to make it harder...

    And yes, I think everyone's fear of companies rewriting earlier reports to make them seem less serious or "accidentally" moving them so the links are dead is a very real one.

    - Muggins the Mad
  • Has anyone noted the BIG security bug of this new approach? No? How about response time?

    Let's think. L0pht or M$ find or get a new security exploit. Two ways to go. One way is that the exploit is published ASAP. However, links, bad communications, heavy traffic and this stupid copyright protection delay the spread of the news. In cases of serious and massive DoS or e-mail trojans this is a very serious possibility that some may exploit.

    The second way. The notice is held to avoid panic/bad publicity/exploits. Good if the bug came from inside. MAYDAY if the bug was found outside. RED ALERT if this is a cracker's finding. Under such a trend news will surely get quite slow. And meanwhile the underground may already be attacking at full arms somewhere. But that's not the worst. Our good corps may try to force the white hats to shut their mouths on the basis of such copyrights and other things they may think of. Then it will be a nightmare case. Imagine news roaming through the IRCs and underground chats and Bugtraq with a piece of material around its mouth. That will not be overkill. That will be the revival of Morrison's times.

    Now L0pht may go the first way. M$ had already shown good examples of going the second way. Add the possibility of a UCITA on security issues and go get a cup of coffee. It may be the last you may calmly drink, without thinking too much about the work...
  • Is it just me or does it look like information exchange will become the next currency? As information like this with great value becomes more and more restricted as IP, I bet we will see information of ANY value become something you have to exchange for or get paid for. Question exchange exemplifies this theory nearly perfectly. To get good answers you have to pay for it.

    Personally I think this will continue in the direction of "Security Breach/Bug information is actually IP to be sold" unless the community at large takes note and says "NO MORE!"

    So what do you think? Will this go too far and threaten the security of the Net at large or will the information somehow "make its way" onto the net in free forums?

  • More to the point it's Microsoft wanting total control.

    Microsoft always makes the argument that when they don't have total control the consumer suffers.

    But for all their cries for innovation.. Innovation doesn't happen in a vacuum.

    Microsoft doesn't trust its users, doesn't trust developers who code for them.. they don't even trust the Microsoft-trained SysAdms...

    It's the SysAdm's job to track this stuff.. Microsoft puts out the best patch they have.. They can update as they submit new updates to bugtraq as things progress.. They don't need to retroactively change bugtraq reports.. can they retroactively change the work already done? No.. they can't.. Change the bugfix and issue a NEW report..

    Why does anyone trust a company so clearly incapable of trust...
  • The real evil thing will happen when it will be ILLEGAL to report a security flaw to lists such as Bugtraq.

    Could you really plausibly see this happening? I mean, I know there's some stupid laws around, and I know they have a habit of getting stupider, but the inability to point out software flaws? It's so easy to make comparisons to traditional industries like appliances, cars, food, and so on, and show how if you disallow software flaw reports, then you'd also have to disallow reports (including safety reports) in these traditional areas. Government agencies themselves will often produce these reports, consumer watch groups in particular. And the free speech is clear, the same as if you wrote a letter to a newspaper describing how some car can malfunction and kill you.

    Sorry, but I just can't see this particular crazy thing happening, no matter how hard I try.
  • Well I forgot to mention this on my previous post.
    Can these guys, who care so much about their customers, hold up under a /. effect on a top security issue? And how will they react if their servers get damn loaded? What measures will be taken then?
    What if they take down the server and don't present the info somewhere else? And what if someone drops some snake oil on a forum like /. or BugTraq after they do this?

    Note - BugTraq is a list. So, no matter the critical level of the situation, the information already manages to get critical mass. Besides, BugTraq does not restrict information from being spread. Now we have here one point. One single Pearl Harbor. Oh, hey, Pentagon! What do YOU think about this stuff? It seems you talked about such things, well in a somewhat different context, quite recently... How does it feel when suddenly Big Money Corp creates you a whole new Arizona right on your backs?
  • Why don't you try following BugTraq a little. If you did then you might have seen this message [securityfocus.com] from Weld Pond which explains the reasoning behind the switch.

    Date: Wed, 13 Dec 2000 16:24:53 -0500
    From: Weld Pond
    To: BUGTRAQ@SECURITYFOCUS.COM
    Subject: @stake Advisory Notification Format

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    I think everyone out there knows that we are committed to full disclosure and the concept of freely available security advisories. Many vendors do not issue bulletins after we report problems to them, even after they subsequently fix the problems. Without advisories from independent researchers there is no check on product vendors. This is a service that we give to the security community because we think it is the right thing to do with the fruits of our research. With our new mailing list notification format we have not changed this one bit. We are giving out more information now in our advisories than we ever have before, so we are certainly not withholding anything. Quite the opposite. Over the past few months we have expanded our overview sections that allow non-technical people to scope the problem. We have expanded our detailed technical discussions of issues, many times including detailed source code examples. And, I think most importantly, we have greatly expanded our solutions discussion so that people are not always reliant on vendor patches. We need many ways to mitigate vulnerabilities because there are many environments.

    The advisory notification format we are using has about the same amount of information as the paraphrased advisories that Elias posted for the latest Microsoft advisories and the same amount of information that some other researchers post in their advisories. This is more than enough information to decide if the issue at hand affects you and you need to dive deeper into our analysis.

    What we are doing is adding more information than we have in the past and we are adding it on our web site. There are plans to add much more. We think that our web site and its accompanying web technology is the best place to expand our free information dissemination into the future. We have many ideas in store that I know people will appreciate. Of course, notifications of important information releases will be made to mailing lists that accept them so everyone who wishes to can read and use the information. We may even set up our own notification list if there is a demand for that.

    We have stayed away from cluttering up our advisories with marketing gorp, like ads about our services or ads about our company like many commercial research teams do. We pride ourselves in publishing our research on an academic level and always have. This will not change.

    weld

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.0

    iQA/AwUBOjfpbaKvhX2AQSGyEQL27gCeKYX8tX++ormy4c/v1q e2RtlSn7gAoOzg
    C9aiKSrI694BEHvkh8uRE+mn
    =MyCw
    -----END PGP SIGNATURE-----

  • I try not to trust a single source, btw. If I find dissent among the experts, I'll look closer at it. But I want the option of looking at multiple sources. Though this may not be catastrophic, Microsoft is still trying to restrict information and move it onto their own servers that THEY control.

    Crap. All they're doing is censoring their own information. The information you get from Bugtraq or on the MS web site will still be from the same source - MS. No one else's opinion gets posted to the MS web site (and never has), but that doesn't mean that discussing the issue on other mailing lists is forbidden.
    If anyone is censoring or restricting the flow of information it's Bugtraq.
  • How about this: links to advisories are accepted, but the publisher gives the list maintainer irrevocable permission to mirror the advisory, and to accept any updates to the site at his/her discretion.

    This way, stuff doesn't disappear or get 1984'd.
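The worry voiced repeatedly in this thread is that an advisory living only on the vendor's web site can be edited or removed with nobody on the list noticing, and the proposal just above is that the list maintainer mirror each advisory and take updates explicitly. The script below is an added example of what such a mirror looks like in practice; it is not code from the thread, from BUGTRAQ, from @stake or from Microsoft. It keeps every version of an advisory it has been handed, keyed by the SHA-256 digest of the text, never overwrites an earlier version, and reports which lines vanished between two captures, which is exactly the "remove NT from the affected OS line" scenario described earlier. The advisory id and both advisory texts are constructed sample data, not real bulletins.

```python
import difflib
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class AdvisoryVersion:
    digest: str      # SHA-256 of the advisory text, hex encoded
    fetched_at: str  # when this copy was captured (ISO 8601)
    text: str


@dataclass
class AdvisoryArchive:
    """Append-only mirror: every version seen is kept, nothing is overwritten."""
    history: dict = field(default_factory=dict)  # advisory id -> [AdvisoryVersion, ...]

    @staticmethod
    def digest(text: str) -> str:
        return hashlib.sha256(text.encode("utf-8")).hexdigest()

    def record(self, advisory_id: str, text: str, fetched_at=None):
        """Append text as a new version unless it is identical to the latest one.

        Returns (changed, digest); changed is False when the publisher's copy is
        byte-for-byte what the archive already holds.
        """
        d = self.digest(text)
        versions = self.history.setdefault(advisory_id, [])
        if versions and versions[-1].digest == d:
            return False, d
        when = fetched_at or datetime.now(timezone.utc).isoformat()
        versions.append(AdvisoryVersion(d, when, text))
        return True, d

    def versions(self, advisory_id: str):
        return list(self.history.get(advisory_id, []))

    def removed_lines(self, advisory_id: str):
        """Lines the previous version had that the latest version lacks.

        This is the silent-edit signal: an affected-product entry or a severity
        statement that disappeared without a new advisory being issued.
        """
        versions = self.history.get(advisory_id, [])
        if len(versions) < 2:
            return []
        new_lines = set(versions[-1].text.splitlines())
        return [line for line in versions[-2].text.splitlines() if line not in new_lines]

    def unified_diff(self, advisory_id: str) -> str:
        """Human-readable diff between the two most recent versions."""
        versions = self.history.get(advisory_id, [])
        if len(versions) < 2:
            return ""
        old, new = versions[-2], versions[-1]
        return "\n".join(difflib.unified_diff(
            old.text.splitlines(), new.text.splitlines(),
            fromfile=f"{advisory_id}@{old.fetched_at}",
            tofile=f"{advisory_id}@{new.fetched_at}", lineterm=""))

    def matches_archived(self, advisory_id: str, text: str) -> bool:
        """True if text is identical to some version held (any version, not only the latest)."""
        d = self.digest(text)
        return any(v.digest == d for v in self.history.get(advisory_id, []))


# Constructed sample advisories (not real vendor text). The second copy silently
# drops one operating system from the affected line.
ADVISORY_ID = "EXAMPLE-2000-001"
FIRST_COPY = """Title: Example buffer overrun in example service
Affected: Windows NT 4.0, Windows 2000
Severity: High
Fix: apply the vendor patch for each affected platform
"""
SECOND_COPY = """Title: Example buffer overrun in example service
Affected: Windows 2000
Severity: High
Fix: apply the vendor patch for each affected platform
"""


def demo():
    """Feed both constructed copies through the mirror; return the lines that vanished."""
    archive = AdvisoryArchive()
    archive.record(ADVISORY_ID, FIRST_COPY, "2000-12-13T00:00:00+00:00")
    archive.record(ADVISORY_ID, FIRST_COPY, "2000-12-14T00:00:00+00:00")  # unchanged: no new version
    changed, _ = archive.record(ADVISORY_ID, SECOND_COPY, "2001-06-01T00:00:00+00:00")
    if changed:
        print(archive.unified_diff(ADVISORY_ID))
    return archive.removed_lines(ADVISORY_ID)


if __name__ == "__main__":
    print("Silently removed:", demo())
```

Running the script prints the unified diff between the two captures and then the removed affected-products line. In a real deployment the mirror would be fed by whatever re-fetches the publisher's page on a schedule, and the history would live in a write-once store rather than an in-memory dict; the point the example makes is that a version is never replaced, only appended, so the record of what was claimed at the time survives regardless of what the publisher's site says later.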
  • Not so insightful...
    From Weld's post:

    The advisory notification format we are using has about the same amount of
    information as the paraphrased advisories that Elias posted for the latest
    Microsoft advisories and the same amount of information that some other
    researchers post in their advisories. This is more than enough information
    to decide if the issue at hand affects you and you need to dive deeper into
    our analysis.


    Now pick up their controversial post and see what is there. There is not a single hint about the exploit. Only that there is one exploit and that AOL fixed "thank you"... The only detail:

    "We initially contacted AOL on 11/22/2000 regarding this issue. They have a
    fixed version, 4.3.2229, dated 12/6/2000 available now. We appreciate
    their timely response."


    That's the only detail in the whole post! Everything else is so general that I could say ICQ with the same success...

    Now if we pick Weld's citation we see one thing. He justifies his moves. But not on the point of how and why they feel they are right. They justify its amount as:

    "same amount of
    information as the paraphrased advisories that Elias posted for the latest
    Microsoft advisories and the same amount of information that some other
    researchers post in their advisories"


    So they put themselves on the same side as Microsoft. M$ does this, we also do. Good point.

    No matter the yellowness of some /. editors, here, /. made the point.

  • by Elby 23 ( 234458 ) on Wednesday December 13, 2000 @11:02PM (#560332) Homepage
    I don't see any way that this is a dangerous turn of events. It's a little bit lame, but you can't fault someone for driving web traffic to their site. Is the security community really gaining anything by banning them from The Spot on the net to find out security information, simply because of this?

    -lb

  • We can do nothing to stop the cash engine from buying everything, from my shit to the whole of Hong Kong, so what?
  • Perhaps places like BUGTRAQ should get themselves qualified as a library/archive. That way they can deal with copyright issues the same way libraries do.
  • by Watts ( 3033 ) on Wednesday December 13, 2000 @11:09PM (#560335)
    A post on bugtraq has clarified this. Basically, the moderators of bugtraq felt that it is still a discussion list, and as such should not have bulletins posted that are just pointers to a website with information. Therefore, the l0pht has compromised and posted a mostly-complete version on bugtraq. Both sides agreed this works best. I really don't see any parallels between this and MS, since Microsoft wanted bugtraq to post less, and bugtraq requested that l0pht post more.
  • Pretty dumb comment for a "unix guy". Supporting more than one operating system has numerous advantages, and not just in the security department. If there's simply a bug in one of the operating systems, then only half the computers get affected.

    It requires more resources, however if your operation is of a critical nature, then a heterogeneous environment is absolutely necessary, to prevent a single failure from taking down all systems.

    For exceptionally important servers, (as an example), it's fairly standard to have two of them running in parallel, but with completely different hardware, running different operating systems. This way no one bug can take down the cluster. I've seen, more than once, a rack of Netfinitys, next to a rack of PowerEdges, and they all run the same apps.

    As for interface risks, that's a bullshit argument made by somebody who either got bit by some minor incompatibility at some point, or who always runs homogeneous systems, blindly assuming that if they run the same OS, they must be more compatible. It's utterly and completely illogical, unless your inhouse coders haven't learned the word 'portable' yet.

    Anyway, I shouldn't respond to trolls, it's a waste of time.

    --
    "Don't trolls get tired?"
  • I think that by sending links instead of full descriptions, M$ has made bugtraq less useful, and by removing M$ from bugtraq, it gets still less useful.

    It's sad, but in this war M$ has less to lose than bugtraq. And I'm afraid that other companies will do something like that.

    I think that Bugtraq has been severely wounded. It won't be the same anymore.

  • First Microsoft, next AOL, then ... the l0pht?

    The benefits to an agency that only posts links instead of the full advisory are mostly perceptual, so the image I've gotten from MS and AOL taking this stance is that they just want tracking (MS is (was?) using web bugs in articles). The l0pht doing this doesn't make any sense to me. What gives?

    Anonymous Cowards need not reply.

  • Or even just a rewording of what is there? After all if there is a security hole and MS describes it one way, can't Bugtraq describe it a slightly different way. Aren't there certain types of info that aren't copyrightable, like certain simple instructions or descriptions, either because they are too generic/common or that is just the only way to represent the information (i.e. I can't copyright "2+2=4")?
  • by CurlyG ( 8268 ) on Wednesday December 13, 2000 @11:06PM (#560340)

    Question:

    How long would it take to kludge together a quick'n'dirty script to grab and parse those links to the main articles in the shortened advisories that they now publish, and then to run that script on some server in .ru or somewhere else untouchable for the greater good of the net?

    Answer:

    Not very long

    Hopefully.

  • by ahde ( 95143 )
    hi weld
  • @stake bought l0pht, they did not bring them to us. Perhaps a spell checker was used...
  • Huh? This is not an attack on any model. The independent advisories can still be posted by the exploit finder. The fact that a vendor wants to centralize their security information so that it is current is bad? How? I would much rather know I am viewing the most current advisory than one that is a month or even a week out of date. I have to go to their website to download the patch anyway. What's the problem??? Jordan
  • So now L0pht, or what was, is as fucked up as M$ is. Whoooo.

    Can we just shoot these people in the head for being retarded?

  • Keep posting exploits and known holes, and link to the M$ site for patches and new info. Bugtraq doesn't have to cut-n-paste the advisories; they can just summarize.

    -Legion

  • Wouldn't it be scary if lots of companies gave up their longstanding policies of full disclosure, started hiding security problems from their customers, or even denying that the problems existed, in lame hopes that obscurity would make their systems safer?

    --
  • I don't think YOU get it. Would you want the manufacturer to assess the product, or hired outside help/expertise? Who would benefit from deception? And should we not be allowed to choose who we trust?

    I try not to trust a single source, btw. If I find dissent among the experts, I'll look closer at it. But I want the option of looking at multiple sources. Though this may not be catastrophic, Microsoft is still trying to restrict information and move it onto their own servers that THEY control. If Microsoft was a government agency withdrawing previously public information, do you think the watchdog organizations would leave them alone? No? I didn't think so..
  • Coming from a group of people that supposedly believe in full disclosure and information being free and accessible, this is certainly a step away from the accessibility part. Administrators checking their email could be using a console, and therefore it would be more difficult for them to get all the information on the advisory. AFAIK bugtraq was designed as a place to post security advisories, not pimp a link to an advisory and advertise your website.
  • That's not likely to happen though is it?

    And really, MS is not the only documentation for their bugs. As someone quite rightly pointed out in the previous discussion on this topic, most if not all holes in MS software are posted to BugTraq well before MS publish their advisories.

  • this actually can be taken a step farther... with only one copy located under their control the companies become more lax about their initial releases due to the mentality that "we can always update it later" and the quality suffers. Fact checking will be done after the fact, fixes won't be regression checked for new vulnerabilities until they've already been installed by most people, and of course they won't issue this as a new release, so people will think "I've already got the fix for that problem" when in reality they need the fix for the fix.

    This is parallel to the quality of software in the "internet age" where the ease of shipping a fixpack or service release has greatly lowered the quality of "dot oh" or "point zero" releases. I know at least one company that has at least one, sometimes two fix releases in the pipeline at all times; usually there is a service pack ready for the web before the CDs for initial release have made it to the customers.
  • by QuantumG ( 50515 ) <qg@biodome.org> on Thursday December 14, 2000 @12:03AM (#560351) Homepage Journal
    ok, so maybe you're going off the deep end here, but I think it is very possible that this could have an adverse impact on the security industry. Advisory services (and even individual developers) are judged on the timeliness and accuracy of their alerts. When an administrator has to make a decision about how serious an advisory is, they look at the reputation of the advisor. If advisors have the right to change their advisories after the fact and prohibit offsite archiving (sort of like rewriting history) they are beyond retrospective analysis. A security expert may make the claim that someone released an inaccurate or late advisory but without a trustworthy archive to point at, they can't even claim that the advisory has been updated since first release. This seriously undermines peer review which is a cornerstone of software security.
  • When the LoveBug hit, it took something like 3 days for a search on microsoft.com to show even a mostly useless hit. Fortunately, Slashdot coverage was timely and informative enough to quickly clean up a couple of infected systems.
    Cheap trick. Put something like 123@bad.news in your address book.
  • Too many MS droids with moderator points.
    You raise a scary scenario. Reality may well be worse.
    Some observations from the LoveBug episode. It took Microsoft something like three (3) days to get anything searchable on their site, and what they put there was not particularly useful. Slashdot coverage was timely and informative enough to actually quickly fix a couple of hits, and Slashdot is neither a virus-alert nor a Microsoft site. If, ie when, disaster strikes, you want as many lines of communication open as possible, right, wrong, and indifferent. If the information is relevant, surely you verify or check more than one source.
  • Funny thing is, that uSoft also warned against literally copying their own text. It wasn't permitted. I don't think liability is it...
  • Unprintable. Unspeakable. Unpublishable.
  • yes.. and Sprite sponsors 90210, they didn't make the show but they "bring" it to us.
  • by f5426 ( 144654 ) on Thursday December 14, 2000 @02:02AM (#560357)
    The trend is very dangerous. It is the same kind of trend that try to forbid deep linking.

    As a user of the web, I seek information. Old information is very valuable for me. This is why I loved deja usenet archives when they worked.

    OTOH, information providers are marketing driven. They run. Their web site changes very very often to track the new trends. Take one of your old bookmarks (say 4 or 5 years ago). There should still be very valuable _information_ in there. I bet that 90% of the links are broken. The information is lost because the links have changed.

    Copyrighting information and asking for links instead of copies is planned obsolescence of the information. This is a very very bad trend.

    Unfortunately, it is just what marketing want. I bet that, in a few years, the concept of linking will disappear in commercial sites. URLs will probably be based on the value of personal cookies, ie: will only work for you. Other users will have to seek for the information for themselves. You will only be allowed to link to front pages. (I am already pretty depressed of the current state of the web. Lame articles, like the various P4 tests, that are split over 12 or 15 pages of 10 lines each make me vomit. Unfortunately, it can only get worse...)

    Cheers,

    --fred
  • It's not difficult at all... in fact, this sort of thing exists already. However, it wouldn't have the same sort of status as the current bugtraq list has.

    Moz.
  • by Felinoid ( 16872 ) on Thursday December 14, 2000 @02:03AM (#560359) Homepage Journal
    When I write my operating system I'm going to follow Microsoft's example.
    In my license agreement I'll require that bugs in my operating system can only be published by me. The same with bug fixes.
    I may issue licenses allowing a select few to publish bugs and bug patches but that's totally up to me.

    All my bug reports and bug patches will be posted on my website. Nobody gets credit for finding bugs of course...

    The goal of my operating system is to become the world's crappiest operating system on the face of the earth....

    (My spelling of course goes a long way to getting it there)
  • What makes you think they don't? M$ has a long history of not correcting bugs before their programs are released and then ignoring or denying the bugs until a patch is released. Not that they are the only ones. IBM has done it too, as have darn near every single computer game company, especially those with online playing.

    It's nothing new, though. M$ is just taking it a little further than most...

    Kierthos
  • But "brought" is a real word, so a spellchecker would not have picked up on it. Perhaps a good grammar checker would, but that's debatable.

    Kierthos
  • by Shirotae ( 44882 ) on Thursday December 14, 2000 @02:18AM (#560362)

    Suppose I have a duty to demonstrate that I took appropriate measures given what was known at the time? Suppose I have to exercise "due diligence", and keep a record of what was done that can be verified by an auditor some time later. I may still be able to keep a record of what I did, but how can I show that it was reasonable given what was known at the time? If the details are on someone else's web site, with no assurance of a dated archive, and a copyright policy that prohibits me from taking snapshots and having them timestamped (by some independent notary), where does that leave me in producing some argument about what was known at the time? (Fortunately, I don't have to do this myself, but it is not such a crazy thing to expect.)

    I understand the desire to provide the latest information, and it is a good idea, but it is not the only requirement. What would be so hard about putting a "latest information on this issue is here" link at the top of a full disclosure dated and signed bulletin? It may be uncomfortable to leave a fully detailed record of how long it took to deal with a problem, but I think companies that take that pain would get more respect once people got used to the idea, if it was allowed to run and not be killed by short-sighted liability claims.

  • by Anonymous Coward
    Heh, I just worked it out. By sending bugs as links to web pages, they can gather extremely accurate information on who is running what and where in the net they are.

    With the traditional email system, there is no feedback, other than the individual mailing list email address lists - which I hope are hidden even from list members.

    With this method, most of the people who go to the trouble of reading the web page will be people who actually _use_ that piece of software. By making it _relatively_ difficult to read a bug report they are trimming off the "chaff". The rest of them will be crackers(90%) and some merely curious.

    Now with the web logs, they can reverse lookup the IP and get company/organization name, location, approximate size (IP ranges) and even admin contact email address!!!!! Gee, those admins might even be the people reading the page!

    Makes for a *damn* efficient database for targeted marketing campaigns, plus great statistical data for customers. The crackers and curious can be filtered out - dialup accounts, DSL @home, etc are probably crackers/curious and can be discarded without major impact on revenue.

    Firstly, a company can see where people are using its product. They can then choose to target those people for upgrades/other products. They can also save money by not trying to sell their product in a certain geographic area/market sector and concentrate on other, lagging market areas.

    Second, and here's the kicker, a company can buy a competitor's data - AND TARGET THEIR CUSTOMERS!

    You can't buy that kind of information! Well, now you can. To have a list of companies who are almost certainly running a package with a security hole, and be able to contact either/both the Suits and the Admins with an alternative product within hours/days of the bug being announced - and it was announced by a trusted third party: bugtraq!

    The market droids should be wetting themselves in anticipation!

    Glen Harris
    lgftsa + yahoo - com - au
  • Just because it's MS doesn't make it dangerous. They're sending you to a link which they can update as more information is available. That makes more sense than issuing a release of information every time there's the slightest change. The main purpose of bug reports is to make sure everyone has the most up to date information. This seems like a good way to do it.
  • subject says it all...
  • They (@stake, Microsoft, and others) don't make money off page views over at BUGTRAQ. They do, however, have the opportunity to make money off page views on their own websites.
  • yeah, someone put up a multi terabyte server on a fast line somewhere and start archiving selected websites and stuff now .. guess that would not be easy, legally speaking but hey, I wouldn't mind clicking thru a few banners, the information is worth it.
  • In the case of L0pht, they aren't releasing advisories generally about their own products like MS is, and they aren't taking them from anyone else, they are writing them themselves based on their own research. So if they want to take all the glory.. that's just fine with me.
  • by DaveHowe ( 51510 ) on Thursday December 14, 2000 @02:42AM (#560369)
    Pretty close - as @stake spin it, they are not giving any less info than they have ever done, but are merely adding ADDITIONAL information to their bulletins on their website - which is their option. @stake aren't a vendor, so don't have any duty to customers, and aren't trying to assert any control over the basic alert. anyhow, decide for yourself - their message to the bugtraq users [securityfocus.com] is available in the archives for you to read....
    --
  • Try harder. Isn't it equally unthinkable to you that, say, Mitsubishi would sell you a car with an EULA that prohibits you from publishing "benchmarks" for the car without their approval? Yet that's the kind of deal you get when you "buy" Oracle.

    Repeat after me: A computer is not like a car!

    Shit happens in the computer world that has no parallels in the rest of the world.
    --

  • How many different OS-es will the kiddies need to master?

    None.

    Heterogeneity is simply another obscurity, adding interface risks.

  • Yep. And they could continue publishing the advisories to Bugtraq and NTbugtraq and just delete all SP's and patches. What's the difference? Same end.
  • by drenehtsral ( 29789 ) on Thursday December 14, 2000 @05:24AM (#560373) Homepage
    When the internet worm struck (which was luckily not my problem 'cause i didn't have internet access other than e-mail routed through an ugly waffle gateway from a local bbs, and my usage basically consisted of using some ftpmail gateway to get at the programming part of the simtel archive...) it took down a whole host of servers, and flooded a lot of pipes. There were a lot of places that could no longer communicate with each other. That is part of the reason everybody set up and is maintaining security lists. E-mail is good because if you send a message to all 10,000 people who are signed on to your security list, even if a lot of the net is down, anywhere that is still up will get them, and will be able to fix the problem. Now if you have all the guts of your message on a web server somewhere, you are stuck if that server is down. What this trend represents is taking a FUNCTIONAL ROBUST SYSTEM and replacing it with a system based on a SINGLE POINT OF FAILURE that is PROVEN TO BE WEAK. The slashdot effect takes servers out of commission for hours at a time, imagine a large network security crisis like the internet worm... People are for political or economic reasons undermining all sense of practicality. L0pht because they want you to read their disclaimer so they don't get their asses sued, and microsoft because they want to have ultimate control of everything, even if it really screws over the end-user.
  • What's next, MS is going to stop me from going to the site and e-mailing it to somebody else. Then what if they forward my message to somebody else yet.

    The whole reason for these bulletins is to notify customers of potential problems. The only reason I can see for the redirect to a website is so they can track who is actually looking at these things. Normally I wouldn't worry, but since it's MS I just have this creepy feeling that they're trying to do something underhanded with the data they're going to collect. Let's face it, what could they possibly do to make the service better by knowing who's reading the bulletins. It can only get worse.

    They'll probably do something like try to do a reverse lookup and find out who the customer is and give them a different synopsis so the bug doesn't sound that bad. Or maybe if nobody goes to a bulletin listing, they'll just stop reporting similar bugs so MS doesn't look as bad. Then it's just going to go back to where it was a year ago when everybody just posted the exploits. Then MS will try to use one of those new stupid laws that the techs understand better than the lawyers do, in order to halt posting of the code. Then it will infuriate everybody and they'll post it everywhere like DeCSS. They're just running around in circles. That's pretty normal for a company that can't innovate.

  • I keep seeing this point made. I don't think it's valid. For example, every time Georgi Guninski finds a vulnerability, he lets MS know. MS and Georgi generally post an announcement and fix within a short time frame of one another. Georgi posts his findings, and generally even has an example. So, the in-depth advisories are still there. Maybe not from the source, but Georgi's advisories live on. Same with rainforestpuppy, same with many other folks who find vulnerabilities. Give me something better. This argument is invalid. -Jordan
  • <sarcasm>Yes! We really, really do need this. First, we need a homogeneous environment, to make sure all computers can be taken down once one is down. Then, we need to make the users as unaware of the problems as possible, and thus let the skript kiddies rule the world. It will be SOOO nice when we're all 0wned. I can't wait. My ports are tickling in anticipation.</sarcasm>

    So - how do we tell our bosses that Microsoft is digging its own grave?

    Since I'm on an honesty trip - are we sure it's wise to standardize on ANYTHING? If it's all standardized, the hackers usually get full access right away. However, if some work stations are macs, and some are win32 machines, with a couple of Linux-es in for good measure.. How many different OS-es will the kiddies need to master?

    It's sort of like cloning. Sounds like a good idea, 'till a disease arises.

    Maybe we can start suing them? Their software is not really malfunctioning, as much as their information policy. Could that be a way to attack them in court?
  • Seems like every time MS does something like this, a new MS-owned version pops up.

    May be a good idea, for them, at least. Make MS look good and other OSes bad. With all the heat they take for their products.

    Welcome to Microsoft's bug.net. Please only use IE, as Netscape has an unresolved issue which will cause your computer to catch fire when you click refresh-

    This months new reported bugs -
    MS Windows (All flavors) - 0!
    Linux (All flavors) - 11,843
    *BSD - 1,253
    MacOS - 1
    Commercial Unix (except IBM) - 27
    IBM (All flavors) - 12,335,672

    News
    New Mindcraft shows new bug.net as most reliable for bug reports.

    You get the idea. We've seen it a million times before.
  • by simpleguy ( 5686 ) on Wednesday December 13, 2000 @11:28PM (#560386) Homepage
    Ok, this is not a big problem. Bugtraq readers can still write their own version of the issue and post it to bugtraq. Their complete advisory is copyrighted. They own it and can ask you not to post it in its complete form.

    The real evil thing will happen when it will be ILLEGAL to report a security flaw to lists such as Bugtraq. UCITA has provisions for this right?

    It could have been worse.

  • From the article:

    Microsoft knows best? The change made sense for the customers, said Steven Lipner, manager of Microsoft's Security Response Center, during an interview last week. "If we post an advisory with an error in it, we would have to go out and get the information changed wherever else it may be mirrored."

    So - now we're not gonna be able to inspect the change logs? What the hell, Microsoft! Those of us who take security seriously, really NEED to know this stuff. When. What. Who. How. Was it successfully remedied? What remedies were proposed? This is all essential information when you assess who to trust. Maybe that's why they won't let us know.

  • they know it so "inside out" that they wrote big security bugs into it.. thus the reason why we are talking about this!
  • by ryanr ( 30917 ) <ryan@thievco.com> on Thursday December 14, 2000 @05:44AM (#560395) Homepage Journal
    Geeze... people would love to create a war where there is none.

    First of all, you can see Weld's reply to Elias' post here:

    http://www.securityfocus.com/archive/1/150706 [securityfocus.com]

    I don't think anyone can accuse @stake of being anti full-disclosure.

    Second, no individual or group has been "banned". Elias decides what to allow on a per-post basis. If someone sends a message without any detail, he won't allow it, as indicated. Doesn't matter if it's Microsoft, the L0pht, or me. If someone sends a message with some good detail, he will let it through.

    Don't forget that Bugtraq is an e-mail list. People want to read the stuff in e-mail format. If folks want to see bugs on the web, they can look at our vulnerability database, or visit the MS or @stake website.
  • Forged security bulletins - "You may follow this link to read a detailed description..."
    On the other side - Trojans, diverted to other sites where either one gets a damn /. effect, a very bad joke, or some piece of trash that disseminates panic over the community.

    Panic generation. One launches an exploit and warns the app maker. Later, on the issuing of the exploit he passes the news through several sites. The app maker gets /.-otted and panic is generated by some secondary actions of the "ineterrorist".

    War Games - Pearl Harbor attacks. Several scenarios where either the security issuer is taken down or his links diverted. In summary, the main information center is taken down. Meanwhile the attackers make another attack in another direction, the real objective. Among panic, chaos and disinformation, they get into it before anyone gets the point.

    I recommend you people to concretize these ideas and some evolution of them... There are much worse case scenarios... Depending on some other issues...
  • Publish and be damned, I say!

    If I ever came across such stupidity as NDA reporting of a problem I'd let everyone know, and screw the NDA. It's probably illegal under some EU regulations anyway to restrict information in such a way.

    Many a time I've come across serious problems in commercial software or hardware which the manufacturers have known about, yet not bothered to fix.

  • This is not going to become an issue, no more an issue than "bugs" in cars or toasters has become. All companies are going to try to hide information that may damage their reputations in the press, but, exploding gas tanks are still news, and Microsoft won't be able to stop anyone from publishing such information.
  • In Orwell's 1984, Winston Smith's job was to edit old records, in newspapers for example, to reflect 'the truth'. For example, if 'the Party' announced that there would be a surplus of clothing in the coming year, and it turned out that there was a deficit of clothing in that year, Smith would edit the record to show that either the party announced a deficit, or that there was actually a surplus, as the party stated.

    I'm being a little confusing here, but my point is that if the records are controlled by the company they're offending, and users aren't allowed to make copies of the advisories, other than ethics, which we all know that a certain company is in dire need of, there isn't any mechanism to keep the vendor honest.

    Then again, is there anything stopping me from saying "Hey, I read on the [Microsoft/l0pht] site today that [package in question] has a buffer overflow, simple fix is to edit [file in question]." without actually quoting the site?
  • Flamebait? Where is any flame on this post? Oh, oh, oh. Overrated? Maybe. Redundant? Possible. But FLAMEBAIT? Better to stamp "Troll" if you wanna take this down.

    If my considerations about response time are considered as "flame", then I ask this moderator to take the guts and tell where and what I'm flaming here. You wanna tell me that these sites will hold up if someone posts the news in BugTraq, /. and two/three other news sites? What will happen if sysadmins and hackers will stand in "what the Hell is this about" seeing a site taken down and a Trojan roaming >10,000 mail servers? Yes, someone may issue an external warning with details. But that will take time. More time than a first warning case. And all this may make a whole mess. Especially if rumours are set up in the wild.

    Ok flamebait again. Hope you hold enough moderator points. If not come up to the street man. Let's see how good you are...
  • The l0pht's decision to remove detailed advisories from bugtraq, and instead use links to their site containing the detailed reports is just business as usual. I was a regular reader of www.hackernews.com [hackernews.com] until they merged with @stake.
    It seems to me as though Weld Pond and the rest who used to be so dedicated to the security community have succumbed to the almighty dollar, as so many others have. Hackernews.com went seriously downhill when it turned into a revenue source. I find it hardly surprising though. If you owned @stake, wouldn't you be willing to sacrifice some respect for increased web traffic and advertising dollars? Probably.
    -
  • Well, I'm not quite sure that dangerous is the right word, but it's the same stuff "we" don't like about the progress and commercialization of services. Just imagine, you don't get the details of a security flaw, just a notice of it, and if they decide that it's bigger than they thought, they simply revoke the info on the web page. The first hundred visitors are then threatened to not distribute the former version.

    Convenient for the companies, but useless for "us". Why do they need to rely on power games every time? Let them get a clue. (cluetrain.com anyone?)

  • Just not as big as it would have been if someone made it illegal to post. Whenever security-related information is hindered, the blackhats gain ground. It's that simple.
  • I don't see any way that this is a dangerous turn of events.
    It is an attack on our model. What was once open (thank BugTraq) is now going to be much less open. The free flow of information is stifled. I question whether this is to drive traffic or to drive BugTraq into the ground.
    This turn of events is a chipping away...one little chip is not so dangerous...but does make us less than we once were.
  • Not so insightful...

    Were you disagreeing with something I said, or what Weld said?

    I simply said that Elias would post advisories that are useful. I never said that the AOL advisory was. I believe Elias posted it as an example of a "problem" advisory, not that he felt it was in the right shape to go through. That's why it was attached to an administrivia message rather than sent through on its own.
