BugTraq No Longer Able To Publish MS Security Holes (Updated)

krow writes: "According to a BugTraq administrative note, they are no longer able to publish Microsoft Bulletins. They are copyrighting their bug reports so that others can not publish them." Bugtraq will continue to publish the vulnerabilities/bugs, but only the URLs; readers will have to click to read them. Says a SecurityFocus employee: "As the copyright holders of the work they have told me in no uncertain terms that I do not have their permission to redistribute a text version of their web page bulletins...doing so would be considered an act of copyright violation."
  • I applaud them for trying this out, but I don't think it is the best way to go. I still prefer the old method of sending out all of the advisory in a single email.

    I agree in that the new way to handle advisories is terrible. I wouldn't want to find out about a potential vulnerability and have to go to a web site and end up encountering a "404 - File not found" or, even worse, an unavailable server.

    By all definitions, this is copyright enforcement. Microsoft wants to use its security advisories as a way to bolster their web stats. If BUGTRAQ wants to keep posting the Microsoft advisories, it will have to resist the enforcement or drive people to the web site.

    Furthermore, this won't stop MS advisories from being posted by the people who have found the hole (there will be plenty of those, I am sure) - and those are usually more informative anyway...

    I believe that the legislators in the US are working to fix this problem. Microsoft is one of the companies pushing hard for this legislation. I don't know about you, but I'm starting to worry...

  • For what it's worth, I don't think this guy was trolling. Many *NIX admins don't even bother checking their vendors for security bulletins, preferring instead to rely on Bugtraq to get their news. To be perfectly honest, it's not a horrible strategy, considering activity on that list. And I don't think macpeep meant to suggest that the problems weren't fixed, but rather he was trying to say (incorrectly) that the fixes weren't accompanied by formal bulletins.

  • The problem is that Security Focus was copy-and-pasting those bulletins, according to the article. By any reasonable interpretation of copyright law, they'll have to stop that practice, even though I think it's in MS's clients' best interest to allow it to continue.

    This brings up an idea: instead of just cut-n-pasting the bugs, all that SF would have to do is add some frame tags* to their page and include something like "frame src=" in one of the frames.

    * In general, frames suck, but they do have their uses.

    "Fdisk format reinstall, doo dah doo dah,
  • "MicroSoft is forgetting that they now have made sure that even _less_ security administrators will get to know about their products weaknesses"

    Actually, it's more subtle than that. SecurityFocus will still publish stuff about MS bugs (heck, I've gotten three or four in the last hour), but Microsoft won't be able to spin the bugs in exactly the way they want through their own advisories. 90% of the MS advisories read something like:

    "A problem has been found in MS Blah. There is nothing to worry about. In certain extreme cases, undocumented of course, it's possible that some evil person might, if the phase of the moon is right, steal a filler image off a user's hard drive. There is nothing to worry about."

    Not to mention the infamous credits, which read something like:

    "Credit goes to LeetHackerGroup for working with Microsoft to protect users."

    Someone's working to protect users and we all know who it _isn't_.

    No, I don't think I'll miss the MS advisories...

  • "Furthermore, that this information is needed, and was being distributed specifically to forward the end of stopping illegal activities and protecting the people. As such it was in the best interest of the public that the information be distributed."

    This is why the CPSC REQUIRES public domain safety bulletins on cars and other products. Why should Microsoft be entitled to keep control of their bug reports? After all, these reports are of interest to their customers and potential customers. And many M$ bugs are potentially dangerous (the I Love you virus, etc).
  • I fail to see how the DMCA actually applies to this case at all. The DMCA (or at least the part of it that /. readers usually care about) forbids the circumvention of access control methods.

    The bugs in Microsoft's code are access control methods; they control your access to MS's software. By publishing information on them, you are circumventing them, thus rendering yourself liable under the DMCA.

    "Fdisk format reinstall, doo dah doo dah,
  • Possible evil motives:
    * Increase hits to their web site.
    * Charge money for access to bug reports. (Now that would be something new!)
    * Collect people's e-mail addresses
    * Spin control, suppress information, change it after the fact -- the ministry of truth.

    If they weren't up to something evil, they would simply give permission to reproduce the text of the report, as long as they include the copyright notice.

    Or, maybe it's just stupid lawyers with too much free time. [You'd think they'd be all busy with the antitrust case and all.]
  • MS makes perfect operating systems, so why should we care about the bugs?

    ...More Powerful than Otto Preminger...
  • by schon ( 31600 ) on Friday December 08, 2000 @06:14AM (#572855)
    If MS doesn't recant, here is my solution to this problem:

    Stop vendor notification of MS Security holes.

    There is a "gentleman's rule" of disclosure that says you should always notify the vendor of any security hole found, and give them time to create a patch, before publicly disclosing the hole.

    The solution is to rescind this rule for MS products; because there is another "gentleman's rule" that says that vendors will admit to the hole, and issue a public bulletin.

    If MS wants to issue private bulletins (which is what they're doing - you're not allowed to quote it verbatim) then it's time to forego the vendor notification.
  • by pb ( 1020 ) on Friday December 08, 2000 @05:12AM (#572864)
    There goes half their traffic.

    Well, who cares? You always see it on BugTraq before it gets back to Microsoft, even when you tell them about it first...
    pb Reply or e-mail; don't vaguely moderate [].
  • by enrico_suave ( 179651 ) on Friday December 08, 2000 @07:10AM (#572867) Homepage
    I misread the above to say "illegal circumcision device" and got tweaked for a moment.

  • by PhilHibbs ( 4537 ) <> on Friday December 08, 2000 @05:14AM (#572869) Homepage Journal
    As the article implies, it's just the Microsoft releases that they can't mirror word for word. They're still reporting the bugs.
  • by n3rd ( 111397 ) on Friday December 08, 2000 @05:15AM (#572870)
    I don't think this is really as bad as the headline makes it sound.

    If I was experimenting with IIS and found a bug (compromise, DoS, etc) I'm still free to post it on the Bugtraq mailing list. Microsoft cannot stop me from doing this.

    On the other hand, the Microsoft Security Announcements can't be posted. The solution? Go out to Microsoft's web site which can be found here [] and check the bulletins yourself. The other option is to subscribe to Microsoft's security mailing list.

    I don't think this hurts customers very much, although it does have the side effect of either giving your e-mail address to Microsoft or visiting their web site more often.
  • So they just should summarize the bug report and include the link to the microsoft web page for the full report.
  • If you read Kaplan's decision, he took the position (that was strengthened by MPAA's case) that the defendants were hackers, and therefore his ruling was altered from one which should have been handed out if no bias on the defence was given. Specifically, from a factual point, code is free speech, and there is text allowing for bypassing encryption for interoperability in the DMCA (though there are also ones that say the reverse, so it's up to interpretation). So an unbiased judge *may* have found 2600 to be legally ok to distribute said code. Instead, a biased judge now has any push for a Linux DVD player slowed to a crawl, and potential First Amendment problems with the hyperlink problems. The judge *was* influenced and, as many felt, misinterpreted even basic law because of how he was coerced. It can happen anywhere and anytime.

    On the Napster thing, among the numerous other defenses that they are approaching, one that I heard them using was that the RIAA groups were overly protecting their copyright to the point where they were behaving as a monopoly, and using that copyright protection to retain their monopoly, thus falling under Sherman Act regulations. Of course, the problem here is that RIAA is a group, not one company, so "monopoly" is non-existent. But they are still pursuing the concept that aggressive copyright protection so as to remove fair use rights is a problem.

  • I trust M$ to report bugs, fixes and keep pages stable like a girl should trust a guy to "only stick it in a little."

    Don't you know M$ products have no vulnerabilities and are perfect in every way. And if you reverse engineer it in any way, shape or form they'll have you drawn and quartered.

    Of course, if you're the kind of low-life who's writing viruses, you could give a sh*t... "There's an M$ box, here's the lock-pick set. Let's have fun." By the way, lock-picking sets in hands other than a lock-smith's are illegal. That doesn't stop thieves.
  • Seems to me that MS has always believed most strongly in "Security by Obscurity" and that admitting to vulnerabilities is something that is bad for the bottom line. The fact that they aren't just trying to sue anyone who even THINKS bad thoughts about Microsoft is a mystery to me.

    They remind me of the Ravenous Bugblatter Beast of Traal: " amazingly stupid that it thinks that if you can't see it, then it can't see you..."


  • 1) If you don't use some sort of automatic rephraser, then that would probably cost $$ a LOT! more than BugTraq can afford.

    2) If you do, then some really interesting error reports will be generated.

    Any other choices?

    Caution: Now approaching the (technological) singularity.
  • What possible incentive is there other than the fact that they would be able to change their bulletins without notice? This just seems wrong ...

    Certainly not a confirmed answer, but I think it comes down to similar issues as with trademarks [*]: if you don't defend it, you can lose it. Microsoft in the past has been caught with its pants down with people distributing MS documents without approval (the whole MS-Kerberos thing) -- also remember that we're still waiting for the results of what happened in that MS breakin -- someone could be sitting on core .NET code. They might be moving to a case where you cannot republish *any* MS document, even one as simple as a bug report whose info is in the public domain, without MS permission, so that in a court trial, they will have a stronger defense against a copyright violator. If they continued to allow BugTraq to distribute without restrictions, a defendant in such a case could state that "BugTraq does this, with info freely available on MS's site, why can't I with the MS-Net spec, freely available on MS's site?"

    [*] Yes, I know that you don't have to actively defend copyrights -- you could let something slip by for years, and then sue as long as your copyright is still valid.

    What I think that BugTraq should do is encourage a system where would-be bug trackers report their info not only to MS, but also to BugTraq (so that we have an independent report of the symptom). BugTraq would not report on the bug until enough time has been given for MS to respond to it, at which point they release that info anyway. If MS does respond, they still provide the link as they are now doing, but also provide the bugtracker's version of the symptom. This will NOT allow MS to change the story of how the bug was found or manifested so as to make them look like security professionals, without having a conflicting report between the original bugtracker and MS's version, but still leave them room to update info on how to fix and repair bugs.

  • "As the copyright holders of the work they have told me in no uncertain terms that I do not have their permission to redistribute a text version of their web page bulletins...doing so would be considered an act of copyright violation."

    Call it CYA, call it ensuring the integrity of information, call it what you will. It's in their best interests to allow BugTraq to carry these items, and work with them, than to bury it in a filing cabinet in a disused lavatory in a basement with "Beware the leopard" pasted on the door (obscure HHGTTG ref).

    Probably better titled: Microsoft Encourages Customer Cynicism, Launches New Drive


  • by w00ly_mammoth ( 205173 ) on Friday December 08, 2000 @06:24AM (#572889)
    Why do you have to cut-n-paste the exact text? Just reword the stuff. Copyrights don't apply to rewritten synopses.

    Otherwise, movie reviews, book reviews, and bug reports would have ceased to exist a long time ago. In fact, these things make the original product even more popular, just consider the free publicity...
  • Is this saying only Microsoft can report bugs, or that only Microsoft can publish Microsoft's own bug reports? I gathered that bugtraq can only publish links to Microsoft's bulletins, not publish the full text on their own site anymore.

    I didn't see anything that said bugtraq can't publish bug reports on Microsoft products at all anymore?

  • Oh wait, the DMCA is prior art. ;)

    That's true, according to the DMCA, breaking into a computer that has copyrighted software on it is illegal. Therefore, there's no need to fix security holes in windows, since it's illegal to break into a Windows box. No cracker wants to take the risk of being thrown in the same category as those evil people who listen to (their) DVD's using DeCSS, right?
  • Like 'autosummarize' in MSword?

    like if I took this one []...


    Microsoft Windows 2000 Professional
    Microsoft Windows 2000 Server
    Microsoft Windows 2000 Advanced Server
    Patch Availability easeID=24500
    Frequently Asked Questions: Microsoft Security Bulletin MS00-096, /fq00-096.asp
    Microsoft Security Bulletin MS00-095, Microsoft Security Bulletin /MS00-095.asp.
    Microsoft TechNet Security web site, asp
    Information on contacting Microsoft Product Support Services is available at lt.asp. how it autosummarizes. nifty :)

  • This doesn't make sense. You say this:

    If they continued to allow BugTraq to distribute without restrictions, a defendant in such a case could state that "BugTraq does this, with info freely available on MS's site, why can't I with the MS-Net spec, freely available on MS's site?"

    Yet you also say this:

    Yes, I know that you don't have to actively defend copyrights -- you could let something slip by for years, and then sue as long as your copyright is still valid.

    Surely you understand that any defendant claiming that "BugTraq gets to do it, why can't I??" would have no case precisely because of what you say in your second statement above. Given that, this is not a legitimate legal reason for denying BugTraq the right to republish MS bug reports. Therefore there must be another reason. I think many of the posts above are much more likely than your scenario.

  • Actually it can work both ways so I'm not extremely bothered. >;).

    For example: if we find security bugs we could ask entities (corporations or individuals) which/who behave in this way to register on _our_ websites to see the info before we go public.

    And we could also formulate just as fair/unfair license agreements for them to agree to when registering. e.g. "REVERSE ENGINEERING AND CIRCUMVENTION OF THIS EXPLOIT (oops software!) IS PROHIBITED, TERMS AND CONDITIONS MAY CHANGE WITHOUT NOTICE, blahblahblah". All in nice ugly caps. The UCITA/DMCA comes to mind here :).

    Do unto others as you'd have them do unto you.

    Now we won't be selling the gathered info to doubleclick would we ;).


    Integrity is behaving properly even if nobody knows or they are helpless to stop you.
  • by Ektanoor ( 9949 ) on Friday December 08, 2000 @07:26AM (#572905) Journal
    If this concerns only the bug reports then I do think they have some right to do it. Anyway they publish it. However, if they try to restrict the discussion of their bugs through this way then it is a problem, and a serious one. Not that Microsoft loves to state that the reproduction of some of their documents is "restricted in whole and in part". This is the case of their User's Guides, for example. I would highly recommend reading it, as the text is quite straightforward on this. And it even overcomes some legalese about Copyright Law, so it is juridically dubious. In particular the fact that it seems to restrict even the right to cite their works.

    In this point might be the danger. If Microsoft publishes a bug report and claims that someone violated their copyright because it cited it, then we do have a problem here. I leave the possible consequences to your conclusions...
  • by dudle ( 93939 ) on Friday December 08, 2000 @06:27AM (#572906) Homepage
    I have been following the story on Bugtraq and it's a little bit different than what the article suggests. Allow me to clear that up a bit.

    Microsoft changed the format in which they send their advisories. Before, they used to send their emails with the full advisory in plain text included in the email. For example, consider this one sent by them on Thu, 16 Nov 2000: here []

    Then came advisories sent in a different format. Instead of including the full text including a description of the bug, workarounds, etc, Microsoft decided to include only a couple of URLs and that's it. You can see an example of this here []. As you can see, it's a pain in the ass to read and getting the information becomes really hard.

    What happens next (on Tue Dec 05), is that Elias Levy (a.k.a. Aleph1, Bugtraq moderator) decides that he will not accept advisories in this new format. You can read what he wrote here [] but allow me to quote:

    I will no longer be approving any advisories with little or no content that point you to some other place for information.

    Pretty isn't it.

    What happened NEXT is where the /. story starts. On the same day, Elias took a Microsoft's advisory and copy-and-pasted it plain text in an email sent to Bugtraq. You can read the message here []. Please note that this email has been sent from Elias Levy ( and not from the usual Microsoft address. This is where Microsoft got pissy.

    In this [] email, Elias gives the tone and I quote:

    It seems Microsoft was not very amused at my posting of their advisory to the list the other day.

    And now we can start talking about Microsoft's actions, but I guess that if you read my post, you understand better what really happened. As a last note, let me repeat what has been said on Bugtraq. An email address has been created by Microsoft for us to give them feedback about their new format. This email is [mailto]. Please tell them what you think about their new format.

  • If bugreports are copyright, then the bugs themselves are "derived works", and Microsoft can sue anyone who reports them.

    This should earn them enough money to see them through the current slump in tech stocks.

  • by Frank T. Lofaro Jr. ( 142215 ) on Friday December 08, 2000 @07:28AM (#572909) Homepage
    Why do they need this extra measure of "control" over them? So they can change them and pretend that any mistakes were never there? So they can make them disappear later?

    BugTraq should md5 the bulletin and provide that next to the link to Microsoft. If Microsoft changes anything, people will be able to tell. If it goes away, people will see the dangling link. Microsoft will look bad either way...
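The hash-next-to-the-link scheme proposed above, as an added example (not code from the original thread): it records a digest of the bulletin text when the link is posted and later re-checks a fetched copy, distinguishing an unchanged page, a silently edited page and a dangling link. It uses SHA-256 rather than MD5 and normalizes line endings and trailing whitespace so that cosmetic reformatting is not reported as an edit; the bulletin text is constructed.

```python
import hashlib

# Constructed sample advisory text (placeholder, not a real Microsoft bulletin).
ARCHIVED_BULLETIN = (
    "Security Bulletin MS00-XXX (placeholder)\n"
    "Affected: Example Server 1.0\n"
    "Severity: Critical\n"
    "Workaround: disable the affected service until the patch is applied.\n"
)


def canonicalize(text: str) -> str:
    # Normalize CRLF to LF and strip trailing whitespace per line so that
    # cosmetic reformatting of the page does not change the digest.
    lines = [line.rstrip() for line in text.replace("\r\n", "\n").split("\n")]
    return "\n".join(lines).strip() + "\n"


def bulletin_digest(text: str) -> str:
    # SHA-256 over the canonical text; this is the value to publish
    # next to the link so readers can verify the page later.
    return hashlib.sha256(canonicalize(text).encode("utf-8")).hexdigest()


def verify_bulletin(published_digest: str, fetched_text):
    # fetched_text is None when the URL no longer resolves (dangling link).
    # A digest only tells you *that* the text changed, not what changed,
    # so keep a private archived copy if you need to show the difference.
    if fetched_text is None:
        return "missing"
    if bulletin_digest(fetched_text) == published_digest:
        return "unchanged"
    return "modified"


if __name__ == "__main__":
    published = bulletin_digest(ARCHIVED_BULLETIN)
    print("publish alongside the link:", published)
    # Simulate a later re-fetch where the severity was quietly downgraded.
    edited = ARCHIVED_BULLETIN.replace("Critical", "Low")
    print("re-check result:", verify_bulletin(published, edited))
```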

  • I can't help but note that this comes like maybe a week after a note on BUGTRAQ by Aleph1 stating that he would no longer be approving bulletins that contained JUST a URL and that all posts should include the information.

    The idea being that it's a security list and people subscribe to it to have the information delivered to them, not to have links so they can go find it.

    Luckily this doesn't affect me, as where I work we don't run any NT systems (well some groups do, we are all Unix). However, I have to agree with Aleph1 - I want to be able to determine whether services that I am running are vulnerable or patches are available right here and now...I don't want to have to go off somewhere else - it makes BUGTRAQ less useful.

    I don't see the point of this. Isn't the whole idea of these bulletins to get the word out? This copyright bullshit is silly. These are security notices, not works of art. Why do they need this extra measure of "control" over them? So they can change them and pretend that any mistakes were never there? So they can make them disappear later?

    I really can't imagine any real reason for wanting this.

  • The worst thing about this is that I don't even think people are still dumb enough to believe in security through obscurity.

    What's really happening here is that Microsoft is beefing up their MSN/web presence as much as possible to sell space and eyes to people. So people viewing all those important bug announcements all the time for the many many msft bugs mean more traffic on their site. Actually, in this way, they can make more money by having more bugs! HA! is one of the most visited sites on the internet today because IE defaults to it. Pretty nauseating. And they make very big money on the content partnerships involved with that site. When I worked at a web tracking company,, they were trying to get us into some kind of detail and sending us big fat glossy three ring binders about all of their current partnerships with big e-commerce houses.

  • That's not how the law works. They produced it, they have authority over its copying and distribution. If they say we need permission, then yes, we need permission. It's the same authority the law grants you over your work. Ever written a line of GPL'd code? What would you think if that line ended up in some Windows code somewhere in Redmond? It's the same damn thing.

    If you don't like the authority the law grants, then you have basically two options. 1) Lobby your national legislature to drastically change copyright law. 2) Find a country that isn't a Berne Convention signatory and move there.

    So let me turn your question back on you:
    How can you be so friggin (sic) dense?
  • However, by Microsoft controlling the availability of the text of their releases, it allows for historical revisionism once the product is no longer relevant (10 years from now they could write in Encarta that IIS 4.0 had 1/5 the bugs of Apache, and almost no security problems, for example, if no one can prove that the bulletins existed).

    Okay maybe I'm just paranoid, but IIRC, Encarta lists the release of NT 4.0 on a world timeline that also includes the dinosaurs, the moon landing, etc...
  • Actually, it's more subtle than that. SecurityFocus will still publish stuff about MS bugs

    Of course. Bugtraq will still have MicroSoft bugs, VULN-Dev will still be used to find errors in MS' programs. The point is, is not allowed to store or redistribute Microsoft's webpages. It's all up to Microsoft if they allow their entire advisories/webpages to be published. And frankly, I don't expect aleph1 to "write his own advisory based on MicroSoft ones". He is denied to just post the damn webpage. That is all. This just _isn't_ an "everybody flame microsoft for trying to stop mouths" case. It's a "Microsoft suck at distributing information about security vulnerabilities" case.

    Not to mention the infamous credits

    At least they _give_ credit. That is the important thing.

    No, I don't think I'll miss the MS advisories..

    Me neither, they are too full of BS instead of the facts you want to get. There is a great posting to bugtraq today (or maybe it was yesterday) about the trouble with microsofts security bulletins. Mainly that they lack consistency in what to do when they update the information.

  • >MS had a 30% increase in productivity this year: of security patches. :-)
    But it compares poorly with their 45% increase in bugs. ;-)
  • Bugtraq's use might be fair use, but it's not as simple as you make it out to be.

    It certainly would be fair use to create your own original description of a bug. However, Microsoft's bug reports themselves may contain original expression. If so, just as a movie critic's review is protected, so is their advisory. However, the factual parts of it are not protected, and fair use might also protect some copying of the advisory itself.

    Fair use has four factors, as defined in 17 USC 107 []. Applying those here we find:

    (1) BugTraq's use is noncommercial technical research, I believe. The mailing list doesn't come with any advertisements that I'm aware of.

    (2) The nature of the Microsoft advisories is factual -- they aren't fictional works.

    (3) The amount copied from Microsoft is presumably the whole thing, although if they used choice quotations this would help a fair use claim.

    (4) The effect on the market or value of the bug advisory is the key issue. If Microsoft isn't selling these or using them to sell bundled advertising, then it's hard to see any negative effect. If they start selling access to these advisories, then this would strongly disfavor fair use. If they are given away free, but generate advertising revenue, then it's more muddled but probably disfavors fair use.

    My non-lawyer "guess" is that unless Microsoft generates revenue somehow from these advisories that copying them in their entirety is actually not copyright infringement because it is fair use.

    If MS does generate revenue from these, then bugtraq could probably get away with quoting the key passages, but MS would have a very tenable case to take to court if the whole thing was copied. I'd guess there was a small chance the defense could win, but it'd be a long shot with a large cost.
  • Hello?

    Shoot yourself in the foot, why don't you?

    If you can't take bad press don't play the game, but don't stop others from playing it.
  • Not quite the same...

    Microsoft wants to stop bug reports, because they embarrass the company, and I believe that Microsoft top brass doesn't really give a monkey's if you, I or some other poor consumer loses all his data through a security hole.

    Ford/Bridgestone/AnyCompany regrets having to post recall notices, but realises that it is better to look a bit stupid rather than risk the deaths of consumers and almost certain litigation.

    Of course, I personally am very unlikely to lose any data through a Microsoft security hole. At home, I use only Linux, and at work I use a mix of SunOS, Irix and AIX... Colleagues using WinNT who were stupid enough to click on the LoveBug VirusBuilderScript may have lost some stuff, but then learning is often a painful experience for children.

    You fall, you get a bruise, you learn to look what you're doing and you fall less often.

  • Oh joy, another Microsoft apologist. The Stacker incident was a good example precisely because it IS old. It would be interesting to see how Microsoft explains the "development" of their disk compression technology today.

    If you want recent examples, I could refer to the DOJ case and Microsoft's lies and underhanded tricks related to that. Just let me know if you want to hear it...

  • by DickBreath ( 207180 ) on Friday December 08, 2000 @06:33AM (#572937) Homepage
    A Copyright is not the same as a trademark.

    I can understand why a company would (and must) vigorously defend its trademarks. I also understand why companies want to prosecute violations of their valuable copyrighted works.

    But what is the value of trying to clamp down on control of information such as security problems and vulnerabilities? There must be some ulterior motive.

    After all, with a copyright, MS could just grant anyone permission to redistribute and reproduce the text of the bug report -- provided copyright notices remain intact.

    So why aren't they doing something like this? I think previous posters got it exactly right. They can silently edit things after the fact. Change links. Change the contents of linked pages, etc. One thing about news on the web is that no permanent record exists.

    One other thought: Since copyright doesn't protect the idea, BugTraq could explain the problem in their own words, and there is nothing MS could do about it.
  • by Ashran ( 107876 ) on Friday December 08, 2000 @05:16AM (#572946) Homepage
    BugTraq started posting the whole bulletins after Microsoft changed the bulletin format to only contain minimal information and a link to the Microsoft website.
    This is very annoying if you want to download your emails to a laptop and read them somewhere where you don't have i-net access to read the whole thing.
    I guess Microsoft did that to create an easily updateable security information archive.
    But they should still put the whole info into the email, and post a link where you could find updated information.
    If you care, send an email to Microsoft Security Feedback [mailto]
  • If you want all of the bulletins, get them from the source.

    I don't see the same advantage you have - in my experience, many times the bug description is posted on BugTraq FIRST, and then the vendor will eventually send out a bulletin about the bug description (and hopefully) a workaround or fix.

    So really, if you want all of the bulletins as soon as possible, you go to a place like BugTraq - you don't wait for the vendors to respond.

  • No *INFORMATION* is restricted. Only the *TEXT* they wrote! You can describe the same bug. You can communicate the same *information* - you just can't copy their text wholesale.

    I don't know why they want to restrict it. Maybe to track which bugs people read. Maybe to ensure that sites which report on MS bugs have to actually do their own writing. I don't see it as a big deal; you can say anything you want, you just can't copy their precise wording. Big deal.
  • Really, it is only three paragraphs long, and the second one very, very clearly states: Of course the vulnerabilities and their information will continue to be announced. ~luge (slowly but faithfully losing his faith in /.)
  • You could press the power button to turn off the machine, but a lot of them these days have Ethernet cards that can turn the system back on.

    A better method is the switch inside the circuit breaker box, but that's not a button. Instead, the button on a detonator attached to the hard drive of the machine in question is recommended.

    In extreme cases, a MIRV aimed at Redmond may be the only solution.

  • Isn't there some rule that says you can't copyright information? That is, doesn't copyright actually protect the presentation of information? You can't copyright, say, a phone number, but you're not supposed to distribute Xeroxes of the phone book. If I'm right, BugTraq will just have to do a lot of paraphrasing.
  • Just because Microsoft is claiming "copyright" protection on their announcements, does not mean they're trade secrets!!! You can publish copyrighted material under fair use laws, AND get away with it!

    I mean, you can publish copyrighted material and include a review of it, and that would be fair use.

    I really think SecurityFocus needs to talk to their lawyers about this. I'm sure they'll find that it's completely legal.

    As for Microsoft, they deserve everything coming to them.

  • For the jaded person. They can read about the hole. Get it to work, explain it to someone else, then have the other person write it up with a much worse picture than MS. No copyright violation done since the writer never read the original post. But more damaging since the writeup was not done through the MS FUD factory.
  • And that's not what they said. They said that 'bugtraq will not be distributing Microsoft Security Bulletins'. They said nothing about 'information about microsoft security problems'... they just meant that you will not be able to rely on Bugtraq to release to you MS Security bulletins automatically when released by microsoft.
  • 1976 Copyright Act: Section 107. Limitation on exclusive rights: fair use. "...The fair use of a copyrighted work, including such use by reproduction in copies...for purposes such as criticism, comment, news reporting, teaching..., scholarship, or research, is not an infringement of copyright..." Microsoft is full of shit. I guess that's what you can do when you're a monopoly, eh -- send educational, non-profit mailing lists cease and desists...
  • by tcdk ( 173945 ) on Friday December 08, 2000 @05:18AM (#572972) Homepage Journal
    But can you print it on a t-shirt?

    "One microsoft-bug-list-T-shirt, please. Size Hindenburg[1], please."

    [1] Large object was chosen at random - the final fate of the Hindenburg didn't have anything to do with it...
  • Yes, MS does have a security mailing list. I get email bulletins from them all the time.

    If you want the mailed bulletins, try MS Product Security Notification Services.

    I claim no preference one way or the other as to MS stuff.
  • by Sloppy ( 14984 ) on Friday December 08, 2000 @08:00AM (#572974) Homepage Journal

    The reason that copyright exists, is to encourage creators to create expression. That encouragement is normally implemented as profit. The profit comes from the creator having a temporary monopoly on the expression, so that they can sell it, license it, etc.

    Government grants copyright and legal protection to creators in order to get something in exchange: creative works (which, after it falls into public domain, then benefits the people that gave government its power).

    Microsoft issues security bulletins in order to increase the security of their installed base of users, thereby increasing the reputation of their product, thereby hopefully increasing sales of their product. They do not write security bulletins in order to sell them or license them for a profit.

    Government grants copyright and legal protection to Microsoft security bulletins in order to get ... what in return?

    My limited imagination does not see a connection between the purpose of government granting copyright, and Microsoft writing security bulletins.

    If anyone here ever ends up starting their own government and writing their own copyright laws from scratch, I hope that they consider this issue. ;-)

  • Microsoft wants to drive more traffic to its web site. Its security postings are one mechanism to do so. That takes precedence over things like full disclosure, or serving the security community.

    Web traffic is $$.

    Don't even think Microsoft cares about security - they don't except for its ability to make them look bad. If they can market something as secure, it really doesn't matter whether it is or not.

    And this is a direct attempt to hit BugTraq squarely in the wallet by taking most of their web traffic, and having them click through to Microsoft.

  • I don't think this hurts customers very much, although it does have the side effect of either giving your e-mail address to Microsoft or visiting their web site more often.

    You're on to something here. Microsoft gets to show ads and place promotional messages in its e-mail newsletters and on its web pages--even the bug report pages.

    Maybe the revenue derived from these ads (even if it's cross-marketing of other Microsoft products) is so great that they'll start issuing bulletins for nonexistent bugs just to draw more traffic to their security announcement site.
  • IANAL. But I have spent a good amount of time dealing with copyright both online and off. (If anyone remembers Intelligent Gamer Online circa 1994-1996, that was my baby...)

    You cannot protect a fact as intellectual property or under copyright protection. This is why anyone in the nation can publish the scores of an NBA game -- the NBA does not "own" the statistics of the players. Anyone can write a film or game review -- it is not illegal for me to say what happens in your movie or game. For this reason, there is nothing illegal about reporting bugs, DMCA be damned. 1st Amendment wins, fatality.

    Security Focus may not be able to copy-and-paste, but they can read a report in the Microsoft email and report on the report. Again, facts cannot be copyright protected.

  • by malraux ( 5479 ) on Friday December 08, 2000 @08:00AM (#572985)
    They just need to note the copyright holder.

    Microsoft can't do a thing about it.

    Pretty silly thing for MS to do, regardless. This just makes them look like they're trying to hide things.

    On an amusing note: MS had a 30% increase in productivity this year: of security patches. :-)

  • MS has a nasty habit of moving their web pages around, and not using redirects; so the link they publish today may not be available tomorrow (or next week, or next month) even if the vulnerability is still important.

    You'd think that a company so into the Internet and selling web servers would understand the concept of URLs. They really do make it hard to link to anything on their site, which is the whole point of the web. Their URLs are neither uniform, nor let you locate resources. (To be fair, places like ZD Net are just as bad.)

  • That great post is here.

    Basically xato went out and tried to figure out which bugs existed, which bug affected a given ms system, and which hot fix works for that bug... It was hell.


  • Apparently you can protect information only if it pertains to the Olympics. They suppressed Olympic athletes from posting journals to the web. Really horrible, in my opinion.

    Actually, you can protect some facts under trade secret laws. For example, the secret formula of Coca Cola. But the fact that Microsoft is giving the information out causes it not to be a trade secret.
  • Ok, let me repeat myself again. :)

    patches not bugs.


    Not that Bugtraq isn't good, just that if you need to keep up with vendor patches, it's not the way to fly.
  • i guess that i'll have to stop digging in their trash cans in hopes of getting bug reports. of course i wasn't getting much from them anyway as the lines are enormous.

    nothing much, and if you're smart go to this page and tell me how to get it working.
  • Security through obscurity works, in the end.

    Imagine how secure Fort Knox would be if nobody knew where it was.

    This situation is similar. After all, nobody but Microsoft can fix the flaws, so what's the point of having people know about it? People will predictably respond in their superior way that SysAdmins need to know the security holes so that they can take them into account and defend against hackers. But the only way the hackers find out is by reading bugtrak!

    I honestly think the net effect will be improved security for the great majority of sites.

    KTB:Lover, Poet, Artiste, Aesthete, Programmer.

  • >They can surreptitiously add/remove information from any bulletin at any time, and not tell anybody

    Here's an idea:

    Why not provide an md5sum of the webpage contents? That wouldn't be illegal (no way that an md5sum is a copy of the material), and would quickly show foul play by Microsoft. If they took one each week they would be able to tell how often and when the info is changed.
  • by Wirr ( 157970 ) on Friday December 08, 2000 @05:20AM (#573001)
    copyright, or better yet, patent their bugs.

    Wouldn't it be really fun if they sued everybody who reproduced their bugs...

    They could start with access violations in end-user programs, that should break the neck of 99% of all other software producers.

  • .. run 'em through Babelfish twice. That might make them different enough to be legal:


    If you are 5,0 years old basic visual current in mode of environment of development of SDI and have a form with a menu, StartupPosition of the form will be changed into " 0 handbooks " when the form is carried out. This problem occurs only if the form has a menu.


    menus are added to the form with the turn-around time, which causes a form gives to the coast the event to occur. The event to give to the coast causes StartupPosition with the change incorrectly.


    the only resolution available at this time must not carry out basic visual in mode of SDI. Microsoft MODE confirmed this to be an anomaly in the products of Microsoft enumerated at the beginning of this article. We seek this anomaly and will announce new information here in the base of knowledge of Microsoft while it becomes available.

    (English-to-French, French-to-English of 177/0/89.ASP.)

    Of course, you might also run it through the Dialectizer:

    If you are runnigg Bisual Basic 5.0 in SDI Debelopmin Enbironmin mode 'n habe a f'm wid a menu, the, uh uh uh, form's StartupPosishun will be changid to "0- Manual" when the, uh uh uh, form is run...


  • This md5 scheme will break when Microsoft updates their site's look and feel. The MD5 hash will change when they rearrange their HTML layout or change IMG filenames.

  • by mOdQuArK! ( 87332 ) on Friday December 08, 2000 @12:18PM (#573009)
    patches not bugs.

    All right, getting all the patches eventually is good - but you're not going to get them until the vendor has actually acknowledged the problem, analyzed it, created the patch, done (you hope) some testing, then posted it. And _that's_ if the vendor decides to actually acknowledge the problem.

    In the meantime, you need defenses & some kind of workaround - and the most timely method of getting that information is from the people who just got slammed by the bug, and who are reporting their experiences to services like BugTraq.

    In other words, I'm agreeing with you about needing to monitor the vendor releases closely so you can keep your system "officially" up to date, but if that's ALL you're relying on, then sooner or later you're going to get screwed and not even know what hit you.

    To do more than that, you need services neutral w/respect to any individual vendors, like BugTraq.

  • Someone ought to copyright an exploit or patent an exploit in the Windows operating system and make it illegal for them to fix it...
  • > One microsoft-bug-list-T-shirt, please. Size Hindenburg[1], please."

    It does need to be big. Giga is reporting that MS just hit the 93rd security patch for the year -- a 30% increase over last year.

  • That's not likely to work either. Another site (""? I can't remember the name) once tried to make a quick buck by linking a whole bunch of other news sites in a frame and running ads - essentially, they were making a links page and using ad revenue off it. They were cease-and-desisted out of existence, if memory serves.
  • I don't call into doubt that the rights of the copyright holder *should* trump the non-defense of similarly copyrighted material. However, we all know that judges can and will be misguided by certain arguments that may appear to be pleading and will win out over established court facts *cough*decss*cough*. So if MS did try to take someone to court on copyrighted documents, and Lawyer Cochran was able to plead "they don't actively defend them" to the judge, MS might lose what should be an obvious case. Heck, the Napster cases are trying a similar approach, but using the "too aggressively defending" copyright stance, when the law simply states that copyright holders can defend, but doesn't specify how much or how little.

    Yes, this is probably not a strong reason, but given that there's little reason to begin with for MS's decision, speculation is all that we can do.

  • BugTraq shouldn't be publishing Microsoft documents verbatim (if Microsoft doesn't want them to). BugTraq should summarize, in their own words, and post a link to the Microsoft article. It's all about respecting the wishes of the copyright holder. It's the same story as Napster.
  • by Dr. Evil ( 3501 ) on Friday December 08, 2000 @08:29AM (#573024)

    Hmmm... download it for personal use, then take a diff. Post the diffs to bugtraq.

    What is surprising is that Microsoft is consistent with the timestamp in their updates. If something was edited last week, it will say so at the bottom... even if the article was first posted three years ago.
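    The two ideas floated in this thread, an md5sum of each bulletin page taken on a schedule and a diff posted when it changes, fit together in a few lines. The following is an added example, not code from the thread or from Microsoft or SecurityFocus. It hashes the page's visible text rather than the raw HTML, so the objection that a new logo file name or rearranged tables would change the hash does not apply, while a silently edited "affected versions" line still does. The three sample bulletins are constructed for the example (no real Microsoft text), and SHA-256 stands in for md5.

```python
import difflib
import hashlib
import re
from html.parser import HTMLParser


class _TextExtractor(HTMLParser):
    """Collect text nodes, skipping the bodies of <script> and <style>."""

    def __init__(self):
        super().__init__()
        self._skip_depth = 0
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.chunks.append(data)


def visible_text(html: str) -> str:
    """Human-readable text of a page: tags, scripts, styles, image file names
    and layout whitespace are dropped, so markup churn does not matter."""
    parser = _TextExtractor()
    parser.feed(html)
    parser.close()
    return re.sub(r"\s+", " ", " ".join(parser.chunks)).strip()


def content_digest(html: str) -> str:
    """Digest of the normalized visible text (SHA-256 in place of md5sum)."""
    return hashlib.sha256(visible_text(html).encode("utf-8")).hexdigest()


def _sentences(html: str) -> list:
    """Split visible text into sentences so a diff reads line by line."""
    parts = re.split(r"(?<=[.!?])\s+", visible_text(html))
    return [p.strip() for p in parts if p.strip()]


def text_diff(old_html: str, new_html: str) -> list:
    """Unified diff of the visible text, or [] when the content is unchanged."""
    if content_digest(old_html) == content_digest(new_html):
        return []
    return list(difflib.unified_diff(_sentences(old_html), _sentences(new_html),
                                     "old", "new", lineterm=""))


# Constructed sample bulletins (hypothetical bulletin id, not real text).
V1 = """<html><head><title>Bulletin MS00-EXAMPLE</title>
<script src="counter.js"></script></head>
<body><table><tr><td><img src="logo_v1.gif"></td></tr></table>
<h1>Bulletin MS00-EXAMPLE</h1>
<p>Affected: Example Server 1.0.</p>
<p>A remote attacker can cause a denial of service. A patch is available.</p>
</body></html>"""

# Same content, new look and feel: different tags, logo file name and script.
V2 = """<html><head><title>Bulletin MS00-EXAMPLE</title>
<script src="tracker_v2.js"></script><style>h1{color:red}</style></head>
<body><div class="hdr"><img src="logo_v2.png"></div>
<h1>Bulletin   MS00-EXAMPLE</h1>
<div>Affected: Example Server 1.0.</div>
<div>A remote attacker can cause a denial of service.
A patch is available.</div></body></html>"""

# Silently widened scope: only the affected-versions line changed.
V3 = V2.replace("Example Server 1.0.", "Example Server 1.0 and 2.0.")


if __name__ == "__main__":
    print("layout change only, same digest:", content_digest(V1) == content_digest(V2))
    print("\n".join(text_diff(V2, V3)))
```

    Taking one digest per bulletin per week and keeping the visible-text snapshot alongside it gives both the "when did it change" record and the diff to post, without redistributing the page itself.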

  • by PiterPan ( 235179 ) on Friday December 08, 2000 @05:23AM (#573029)
    Finally, because I'm so tired of spam from those Redmond guys....

  • by BlueAlien.Org ( 82929 ) on Friday December 08, 2000 @05:23AM (#573032) Homepage
    What Microsoft is doing is telling Elias (moderator of Bugtraq) that he cannot *change* the content of the original email that the MS security bulletins are sent out in. That is totally different than saying that MS has copyrighted the advisory and won't allow Bugtraq to post it...

    Basically, the new MS format is very non-informative, and therefore, not very helpful for those in need of information about a new vulnerability. They want to centralize the location of their advisories so that customers can get up to date information in one place on the web.

    I applaud them for trying this out, but I don't think it is the best way to go. I still prefer the old method of sending out all of the advisory in a single email.

    Furthermore, this won't stop MS advisories from being posted by the people who have found the hole(there will be plenty of those I am sure) - and those are usually more informative anyway...

    - Rick
  • The DeCSS case was lost because of a bad law, and the fact that the defense really had no way to "prove" that DeCSS was developed for a "legitimate purpose" other than the words of one of its creators, who, being a 16 year old kid, didn't carry much weight with the judge apparently. With a copyright case, they can hold the lawbook under the judge's nose and point out why he cannot rule against them, because there is no such law that states that they must actively defend their copyright. There isn't any ambiguity as to whether or not a copyright holder can prohibit someone from distributing their copyrighted material, except in cases where the defendant is claiming that the alleged infringement is fair use. In that case it wouldn't even matter whether Microsoft lets others do it or not, so it's moot.

    I don't think you've got the Napster argument right either, but that's another discussion. All things considered, the earlier arguments about revisionism at Microsoft are probably much more likely given the fact that Microsoft has a history of doing such things.

  • BugTraq will still publish MS security bugs/holes - they just cannot cut & paste the MS bulletins directly. Most UNIX bugs will not even HAVE bulletins to copy & paste. This is an absolute non-issue and definitely not news-worthy, unlike many other stories.
  • Ok, so basically BugTraq can't have verbatim copies posted because permission was never granted by Microsoft.

    Did anyone think to ask? How hard could it possibly be to tap Microsoft on the shoulder and say "Hey, a lot of people read this mailing list looking for security information. Specifically they want to know right away when vulnerabilities are discovered. It would be a shame if you disappointed those readers who run your software. May we have permission to post your advisories?"

    I think this is a mind shackle that a lot of people can't get past. I think most people see that phrase about authorization and permission and they stop there. No you can't do much without permission, but yes, you can ask for permission.
  • The real purpose is to further the public good. The founders of the United States concluded that the public good is furthered ONLY by increasing the number of works in the public domain.

    Ergo, Copyright law, which granted a time-limited limited monopoly. Authors can use it to require remuneration for their works.

    The purpose of copyright law is NOT to maximize the rate of return to the copyright holder (note, this isn't necessarily the original artist) for copyrighted works. Nor is copyright law's purpose to maximize the number of works available. (If it was, then why did they put a time-limit on it?)

    Copyright law's purpose is to further the public good by ensuring the maximum number of artistic works are in the public domain.
  • Try telling that to the Football Association and Football League. (Soccer to those on the left side of the pond).

    Both have copyrighted their fixture lists, and some fan sites have been told not to post fixture lists. Apparently you have to pay them money to be able to print such lists.

  • The simplest explanation is that, by refusing to allow bug reports on servers not controlled by MS, they can make the reports 'unreports' any chance they get.
    • 10,000 reports on someone else's server == 10,000 reports
    • 10,000 reports on MS server after deprecating ones that aren't really a problem == 0
    • PR spin advantage == priceless

    This is of course known as the REALLY FSCKING STUPID school of marketing, dominated by the idea, "Our customers will only listen to US! (and no bugs are really serious anyway)". Unfortunately software problems can cost customers buttloads of money, meaning that this 'ostrich mode' strategy will produce a small amount of unrealistically rosy PR and a world of hurting in practice.

    Couldn't happen to a nicer company- hopefully not too many other companies will really follow MS all the way down, marching into hell like trusting little lambs- if for no other reason than it'll be very costly to trust MS, and the bottom line will show it.

    Do MCSEs get training in how to spin consulting fees etc. so that it doesn't look like MS's fault when support costs are high? Probably the main strategy for dealing with an expected firestorm of hackings and security breaches is to paint intruders as brilliant evil hackers rather than boring script kiddies.

  • Now if I'm not mistaken, it's not about not publishing bugs, but rather about the bulletins themselves.
    It seems MS has copyrighted their bulletins (not the bugs ;-) ) and prohibits distributing their copyrighted material.
    I guess you can still publish the incident, but you would have to write your own "bulletin".
    While I can understand that MS wants to protect their precious incredibly sophisticated and unique security bulletins I guess there are other reasons for this.
    What MS tries to do for security reasons (at least that's what I think) is to establish their site as the only way to obtain official bulletins.
    One can only suspect that they are scared that someone might post fake messages on those lists, making them in some way look official.

  • by jmv ( 93421 ) on Friday December 08, 2000 @05:27AM (#573060) Homepage
    This looks like a move towards having EULA on the security holes themselves: "By agreeing to this EULA, you accept that you will not use any of the security hole in Win 2000 and that you will act as if nothing was wrong..."

    I mean, who cares whether the system is secure or not. As long as you agree to the EULA, everyone's safe!
  • by stevey ( 64018 ) on Friday December 08, 2000 @05:29AM (#573069) Homepage

    Security through obscurity works, in the end.

    Sorry, but that's exactly wrong - security through obscurity doesn't work .. not longterm anyway.

    There have been many programs in wide scale use, with no source, that have been exploited by [ch]rackers - all it takes is one knowledgeable person, and a disassembler.

    I've spent many a happy evening at home reverse engineering communications protocols, and the like - there's a fine example of something that's not automatically secure just because the details aren't published.

    But the only way the hackers find out is by reading bugtrak

    Granted some script kiddie[sz] will find details of exploits from reading SecurityFocus, and BugTraq - but if those sites didn't exist they'd be talking about them on IRC anyway.

    A talented [hc]racker isn't going to need somebody to spoonfeed him/her exploits - they will sit and discover them by examining source code, or binaries.

  • .... Microsoft spent as much effort on debugging their code as they put into their Marketing and Legal departments, they wouldn't have as many security fixes to publish in the first place.
  • Actually, I think you'll find this actually prevents bugtraq from quoting Technet security releases in their entirety, word for word. Hence spin control will actually be lessened.

    Bugtraq can still report MS bugs, and use the Technet site as a research tool, but they have to produce their own vulnerability reports. Which I hope they should, rather than relying on MS's own work. If they perform the research themselves, they might find out the exploit is actually wider than what MS thinks it is.

    This is good for Bugtraq and users. I don't like MS any better than the rest of you, but let's talk about what's really wrong with them, rather than this sort of paranoia.

    This situation is better for users and Bugtraq, though might delay advisory publication by a few minutes now that Bugtraq must confirm and document the exploit themselves.
  • I'll note for the record that when I wrote my post the text wasn't accurate- hemos has since corrected it, without noting it as a correction. I don't have this in cache, so no way to prove it, but both the headline and the text were incorrect.
  • Anyone know just how many lawyers are on the M$ payroll?

    A theory:

    Like the US Government, the number probably increases in size as necessary, but never decreases.
  • slashdot cannot be bothered to read their own links, or to be bothered to do even the slightest amount of fact checking.
    That's because the /. staff are all competing with each other to get first post.
  • by n3rd ( 111397 ) on Friday December 08, 2000 @05:51AM (#573116)
    Most UNIX bugs will not even HAVE bulletins to copy & paste

    You may be a troll and I'm feeding, but I'll give it a go.

    Like Microsoft, all of the major UNIX vendors have security mailing lists. They tell what program the bug is in, if it is a remote or local compromise, and what exactly the compromise can do (denial of service, gain root access, etc). This includes Sun (Solaris), HP (HP-UX), SGI (IRIX) and Digital (Digital UNIX, aka OSF1 aka Tru64).

    Same goes with the majority of the large (and even most of the small) Linux vendors. Do you see Bugtraq after a local root compromise has been found? I see updates from 7 or 8 Linux vendors announcing patches or packages with the fix.

    Some folks (such as OpenBSD and their code audit) do not report all bugs. As for their reasoning, I don't know, but they will report bugs that users find, but not things they find during their code audit.

    So yes, UNIX vendors DO report and patch their bugs.
  • by 0xdeadbeef ( 28836 ) on Friday December 08, 2000 @05:55AM (#573119) Homepage Journal
    Well, duh, Microsoft owns the copyright to text written by the company, but preventing the redistribution of product failure reports?

    Geez, isn't that a bit like a car manufacturer notifying the public that their latest SUVs flip over and explode, but preventing anyone from redistributing that notice? Has the software industry become so corrupt that our failure notices are now considered revenue generators and exclusive property?*

    What next, a EULA on their website that reads "By using this website, you agree not to disclose the details of these failures to third parties. This information is confidential, and only available to licensees of Microsoft products".

    * I forgot about the $90/hour tech support. I called Mickey$oft once to confirm that the behavior I was seeing was in fact a bug in IIS, and the wanker tried to charge me because he offered a half-assed workaround. Then it shows up as one of these bug reports on their website the next day (oh geez, it exists in 5.0 too!). They knew about the bug beforehand, as he had the workaround almost immediately, but did not publish until the prospect of someone else identifying and publishing the bug came up. My experience, and this current issue, says to me that Microsoft is only interested in spin control.
    Bush's assertion: there ought to be limits to freedom
  • From Richard M. Smith, via BugTraq:

    One thing that I noticed about the new Microsoft security bulletins is that they now contain Web bugs. The bugs look like they are used to count the number of people coming to read the bulletins. Here is the URL for one of these bugs: TYPE=PV&p=technet_security_bulletin. I didn't see a tag for the bug, so I'm assuming it is generated by one of the JavaScript files included on the page.

    It may be innocuous - just to see which are popular - but they could do that via log analysis, or a visible counter..


  • by Cullpepper ( 106167 ) on Friday December 08, 2000 @05:59AM (#573133) Homepage
    Not the point.

    The only possible reason for this is Microsoft prefers spin control to efficient distribution in distributing bug reports.

    What, they were planning on releasing a "best of MS bugs" album? Copyright? Give me a break.

  • by schon ( 31600 ) on Friday December 08, 2000 @06:02AM (#573134)
    This week, MS has said that they no longer will be publishing full bulletins to Bugtraq; they will only publish links to web pages.

    This is bad for two reasons:

    First, MS has a nasty habit of moving their web pages around, and not using redirects; so the link they publish today may not be available tomorrow (or next week, or next month) even if the vulnerability is still important.

    Second, MS can "edit" the web page to say anything they want, after the fact. They can surreptitiously add/remove information from any bulletin at any time, and not tell anybody - an "extension" to a known vulnerability (such as the IIS Unicode bug, which was patched a year ago, but still reared its ugly head this summer) can be silently "updated", and nobody is any wiser.

    Bugtraq is a full disclosure list - and this is a definite step away from full disclosure.
  • by mikethegeek ( 257172 ) <blair@NOwcmifm.c ... M minus language> on Friday December 08, 2000 @06:39AM (#573136) Homepage
    "If MS doesn't recant, here is my solution to this problem:
    Stop vendor notification of MS Security holes."

    You make an excellent and insightful point, but I think the gist of this action is that MS doesn't give a shit about bugs or bug reports. If they can stop people from KNOWING about bugs (and they are doing this by severely limiting and taking control of disseminating this information) then bugs aren't a problem.

    MS doesn't want to know about bugs, and they don't want YOU to know. They especially don't want the average MIS manager (who are typically much less technically astute than those they manage) to know about bugs.

  • by |0|4 ( 121989 ) on Friday December 08, 2000 @06:40AM (#573139)
    They did the same thing with the pages for their Y2K patches last year, as well. It was hell trying to keep up-to-date with everything, when the pages would disappear, the information would change, and the patches would be modified. The patch you'd download from a site one day would be different the next.

  • by arcade ( 16638 ) on Friday December 08, 2000 @06:04AM (#573147) Homepage
    This is just pure irritating. Hemos should do his homework instead of flaming microsoft this time. First of all, what has happened is as follows:

    MicroSoft is issuing, like other companies, Security Advisories. These distributable security advisories were posted to bugtraq and other mailinglists, and were up until a week ago. The point is, MicroSoft has changed their Security Advisory layout, to only include a URL to the description of the bug and so forth.

    Aleph1 is running Bugtraq, which is a full disclosure mailinglist, and one of the policies is that the signal-noise ratio should be as good as possible. To avoid noise, "no-content" advisories are rejected. Advisories with nothing but URLs are considered no-content advisories.

    That means that Aleph1 will no longer be publishing microsoft's new security alerts. Instead he tried to post one of the security bulletins from their webpages, on which microsoft claims copyright. Well, too bad for them. MicroSoft is forgetting that they now have made sure that even _fewer_ security administrators will get to know about their products' weaknesses, and even _fewer_ administrators will upgrade.

    In other words, they've done an Operation Foot Bullet. I don't complain though, as I don't run microsoft servers - and now have even more arguments when convincing companies I work for not to use their shitty products.

    Slashdot has in this case presented a very wrong view. It's aleph1 that is _rejecting_ microsoft's security alerts because of them being NON-CONTENT. He is however not allowed to grab microsoft's _webpages_ and publish them on bugtraq.


Promising costs nothing, it's the delivering that kills you.