
BugTraq No Longer Able To Publish MS Security (UPDATED)
krow writes: "According to a BugTraq administrative note, they are no longer able to publish Microsoft Bulletins. They are copyrighting their bug reports so that others cannot publish them." Bugtraq will continue to publish the vulnerabilities/bugs, but only the URLs; readers will have to click to read them. Says a SecurityFocus employee: "As the copyright holders of the work they have told me in no uncertain terms that I do not have their permission to redistribute a text version of their web page bulletins...doing so would be considered an act of copyright violation."
Re:Thats not the case... (Score:2)
I agree in that the new way to handle advisories is terrible. I wouldn't want to find out about a potential vulnerability and have to go to a web site and end up encountering a "404 - File not found" or, even worse, an unavailable server.
By all definitions, this is copyright enforcement. Microsoft wants to use its security advisories as a way to bolster their web stats. If BUGTRAQ wants to keep posting the Microsoft advisories, it will have to resist the enforcement or drive people to the web site.
Furthermore, this won't stop MS advisories from being posted by the people who have found the hole (there will be plenty of those, I am sure) - and those are usually more informative anyway...
I believe that the legislators in the US are working to fix this problem. Microsoft is one of the companies pushing hard for this legislation. I don't know about you, but I'm starting to worry...
Re:READ the article before you submit it! (Score:2)
For what it's worth, I don't think this guy was trolling. Many *NIX admins don't even bother checking their vendors for security bulletins, preferring instead to rely on Bugtraq to get their news. To be perfectly honest, it's not a horrible strategy, considering activity on that list. And I don't think macpeep meant to suggest that the problems weren't fixed, but rather he was trying to say (incorrectly) that the fixes weren't accompanied by formal bulletins.
Re:Facts are not protected by copyright protection (Score:2)
This brings up an idea: instead of just cut-n-pasting the bugs, all that SF would have to do is add some frame tags* to their page and include something like "frame src=http://microsoft.com/..." in one of the frames.
* In general, frames suck, but they do have their uses.
---
"Fdisk format reinstall, doo dah doo dah,
Re:Slashdot - get a grip and get some knowledge. (Score:2)
Actually, it's more subtle than that. SecurityFocus will still publish stuff about MS bugs (heck, I've gotten three or four in the last hour), but Microsoft won't be able to spin the bugs in exactly the way they want through their own advisories. 90% of the MS advisories read something like:
"A problem has been found in MS Blah. There is nothing to worry about. In certain extreme cases, undocumented of course, it's possible that some evil person might, if the phase of the moon is right, steal a filler image off a users hard drive. There is nothing to worry about."
Not to mention the infamous credits, which read something like:
"Credit goes to LeetHackerGroup for working with Microsoft to protect users."
Someone's working to protect users and we all know who it _isn't_.
No, I don't think I'll miss the MS advisories...
c.
Re:IANAL, but . . . Fair Use? (Score:2)
This is why the CPSC REQUIRES public domain safety bulletins on cars and other products. Why should Microsoft be entitled to keep control of their bug reports? After all, these reports are of interest to their customers and potential customers. And many M$ bugs are potentially dangerous (the I Love you virus, etc).
Re:Funniest thing I've heard in years (Score:2)
The bugs in Microsoft's code are access control methods; they control your access to MS's software. By publishing information on them, you are circumventing them, thus rendering yourself liable under the DMCA.
---
"Fdisk format reinstall, doo dah doo dah,
It's a new revenue stream (Score:2)
* Increase hits to their web site.
* Charge money for access to bug reports. (Now that would be something new!)
* Collect people's e-mail addresses
* Spin control, suppress information, change it after the fact -- the ministry of truth.
If they weren't up to something evil, they would simply give permission to reproduce the text of the report, as long as they include the copyright notice.
Or, maybe it's just stupid lawyers with too much free time. [You'd think they'd be all busy with the antitrust case and all.]
Nobody needs bugtraq anyway! (Score:2)
-Chris
...More Powerful than Otto Preminger...
Solution (Score:5)
Stop vendor notification of MS Security holes.
There is a "gentleman's rule" of disclosure that says you should always notify the vendor of any security hole found, and give them time to create a patch, before publicly disclosing the hole.
The solution is to rescind this rule for MS products; because there is another "gentleman's rule" that says that vendors will admit to the hole, and issue a public bulletin.
If MS wants to issue private bulletins (which is what they're doing - you're not allowed to quote it verbatim) then it's time to forego the vendor notification.
Oh well. (Score:4)
Well, who cares? You always see it on BugTraq before it gets back to Microsoft, even when you tell them about it first...
---
pb Reply or e-mail; don't vaguely moderate [ncsu.edu].
Re:Oh well. (Score:3)
E.
It's not as bad (Score:5)
Is This Really As Terrible As It Sounds? (Score:5)
If I was experimenting with IIS and found a bug (compromise, DoS, etc) I'm still free to post it on the Bugtraq mailing list. Microsoft cannot stop me from doing this.
On the other hand, the Microsoft Security Announcements can't be posted. The solution? Go out to Microsoft's web site which can be found here [microsoft.com] and check the bulletins yourself. The other option is to subscribe to Microsoft's security mailing list.
I don't think this hurts customers very much, although it does have the side effect of either giving your e-mail address to Microsoft or visiting their web site more often.
Not a big deal (Score:2)
Re:Is This Really As Terrible As It Sounds? (Score:2)
On the Napster thing, among the numerous other defenses that they are approaching, one that I heard them using was that the RIAA groups were overly protecting their copyright to the point where they were behaving as a monopoly, and using that copyright protection to retain their monopoly, thus falling under Sherman Act regulations. Of course, the problem here is that RIAA is a group, not one company, so "monopoly" is non-existent. But they are still pursuing the concept that aggressive copyright protection so as to remove fair use rights is a problem.
Go to a canibal and ask him if he likes you... (Score:2)
Don't you know M$ products have no vulnerabilities and are perfect in every way. And if you reverse engineer it in any way, shape or form they'll have you drawn and quartered.
Of course, if you're the kind of low-life who's writing viruses, you couldn't give a sh*t... "There's an M$ box, here's the lock-pick set. Let's have fun." By the way, lock-picking sets in hands other than a locksmith's are illegal. That doesn't stop thieves.
Deep Thoughts(pun intended) about MS (Score:2)
Seems to me that MS has always believed most strongly in "Security by Obscurity" and that admitting to vulnerabilities is something that is bad for the bottom line. The fact that they aren't just trying to sue anyone who even THINKS bad thoughts about Microsoft is a mystery to me.
They remind me of the Ravenous Bugblatter Beast of Traal: "...so amazingly stupid that it thinks that if you can't see it, then it can't see you..."
+++++++++++++++++++++
Re:Umm...just rewrite the text (Score:2)
2) If you do, then some really interesting error reports will be generated.
Any other choices?
Caution: Now approaching the (technological) singularity.
Re:Is This Really As Terrible As It Sounds? (Score:2)
Certainly not a confirmed answer, but I think it comes down to similar issues as with trademarks [*]: if you don't defend it, you can lose it. Microsoft in the past has been caught with its pants down with people distributing MS documents without approval (the whole MS-Kerberos thing) -- also remember that we're still waiting for the results of what happened in that MS breakin -- someone could be sitting on core .NET code. They might be moving to a case where you cannot republish *any* MS document, even one as simple as a bug report whose info is in the public domain, without MS permission, so that in a court trial, they will have a stronger defense against a copyright violator. If they continued to allow BugTraq to distribute without restrictions, a defendant in such a case could state that "BugTraq does this, with info freely available on MS's site, why can't I with the MS-Net spec, freely available on MS's site?"
[*] Yes, I know that you don't have to actively defend copyrights -- you could let something slip by for years, and then sue as long as your copyright is still valid.
What I think that BugTraq should do is encourage a system where would-be bug trackers report their info not only to MS, but also to BugTraq (so that we have an independent report of the symptom). BugTraq would not report on the bug until enough time has been given for MS to respond to it, at which point they release that info anyway. If MS does respond, they still provide the link as they are now doing, but also provide the bugtracker's version of the symptom. This will NOT allow MS to change the story of how the bug was found or manifested so as to make them look like security professionals, without having a conflicting report between the original bugtracker and MS's version, but still leave them room to update info on how to fix and repair bugs.
Origins of Modern Customer Service (Score:2)
Call it CYA, call it ensuring the integrity of information, call it what you will. It's in their best interests to allow BugTraq to carry these items, and work with them, than to bury it in a filing cabinet in a disused lavatory in a basement with "Beware of the leopard" pasted on the door (obscure HHGTTG ref).
Probably better titled: Microsoft Encourages Customer Cynicism, Launches New Drive
--
Umm...just rewrite the text (Score:4)
Otherwise, movie reviews, book reviews, and bug reports would have ceased to exist a long time ago. In fact, these things make the original product even more popular, just consider the free publicity...
Re:Go to a canibal and ask him if he likes you... (Score:2)
I didn't see anything that said bugtraq can't publish bug reports on Microsoft products at all anymore?
Re:I know what's next... (Score:2)
That's true, according to the DMCA, breaking into a computer that has copyrighted software on it is illegal. Therefore, there's no need to fix security holes in windows, since it's illegal to break into a Windows box. No cracker wants to take the risk of being thrown in the same category as those evil people who listen to (their) DVD's using DeCSS, right?
Re:Umm...just rewrite the text (Score:2)
like if I took this one [microsoft.com]...
Re:Is This Really As Terrible As It Sounds? (Score:2)
This doesn't make sense. You say this:
If they continued to allow BugTraq to distribute without restrictions, a defendant in such a case could state that "BugTraq does this, with info freely available on MS's site, why can't I with the MS-Net spec, freely available on MS's site?"
Yet you also say this:
Yes, I know that you don't have to actively defend copyrights -- you could let something slip by for years, and then sue as long as your copyright is still valid.
Surely you understand that any defendent claiming that "BugTraq gets to do it, why can't I??" would have no case precisely because of what you say in your second statement above. Given that, this is not a legitimate legal reason for denying BugTraq the right to republish MS bug reports. Therefore there must be another reason. I think many of the posts above are much more likely than your scenario.
Re: Do unto others... (Score:2)
For example: if we find security bugs we could ask entities (corporations or individuals) which/who behave in this way to register on _our_ websites to see the info before we go public.
And we could also formulate just as fair/unfair license agreements for them to agree to when registering. e.g. "REVERSE ENGINEERING AND CIRCUMVENTION OF THIS EXPLOIT (oops software!) IS PROHIBITED, TERMS AND CONDITIONS MAY CHANGE WITHOUT NOTICE, blahblahblah". All in nice ugly caps. The UCITA/DMCA comes to mind here
Do unto others as you'd have them do unto you.
Now we won't be selling the gathered info to doubleclick would we
Cheerio,
Link.
---
Integrity is behaving properly even if nobody knows or they are helpless to stop you.
What this may come up... (Score:3)
In this point might be the danger. If Microsoft publishes a bug report and claims that someone violated their copyright because it cited it, then we do have a problem here. I leave the possible consequences to your conclusions...
The story is not accurate. Please read. (Score:3)
Microsoft changed the format in which they send their advisories. Before, they used to send their emails with the full advisory in plain text included in the email. For example, consider this one sent by them on Thu, 16 Nov 2000: here [securityfocus.com]
Then came advisories sent in a different format. Instead of including the full text including a description of the bug, workarounds, etc., Microsoft decided to include only a couple of URLs and that's it. You can see an example of this here [securityfocus.com]. As you can see, it's a pain in the ass to read and getting the information becomes really hard.
What happens next (on Tue Dec 05), is that Elias Levy (a.k.a. Aleph1, Bugtraq moderator) decides that he will not accept advisories in this new format. You can read what he wrote here [securityfocus.com] but allow me to quote:
I will no longer be approving any advisories with little or no content that point you to some other place for information.
Pretty isn't it.
What happened NEXT is where the /. story starts. On the same day, Elias took a Microsoft's advisory and copy-and-pasted it plain text in an email sent to Bugtraq. You can read the message here [securityfocus.com]. Please note that this email has been sent from Elias Levy (aleph1@securityfocus.com) and not from the usual Microsoft address. This is where Microsoft got pissy.
In this [securityfocus.com] email, Elias gives the tone and I quote:
It seems Microsoft was not very amused at my posting of their advisory to the list the other day.
And now we can start talking about Microsoft's actions, but I guess that if you read my post, you understand better what really happened. As a last note, let me repeat what has been said on Bugtraq. An email address has been created by Microsoft for us to give them feedback about their new format. This email is secfdbck@microsoft.com [mailto]. Please tell them what you think about their new format.
Moneyspinner (Score:2)
This should earn them enough money to see them through the current slump in tech stocks.
Re:Timing is everything (Score:3)
BugTraq should md5 the bulletin and provide that next to the link to Microsoft. If Microsoft changes anything, people will be able to tell. If it goes away, people will see the dangling link. Microsoft will look bad either way...
Timing is everything (Score:5)
The idea being that its a security list and people subscribe to it to have the information delivered to them, not to have links so they can go find it.
Luckily this doesn't affect me, as where I work we don't run any NT systems (well, some groups do, we are all Unix). However, I have to agree with Aleph1 - I want to be able to determine whether services that I am running are vulnerable or patches are available right here and now...I don't want to have to go off somewhere else - it makes BUGTRAQ less useful.
I don't see the point of this. Isn't the whole idea of these bulletins to get the word out? This copyright bullshit is silly. These are security notices, not works of art. Why do they need this extra measure of "control" over them? So they can change them and pretend that any mistakes were never there? So they can make them disappear later?
I really can't imagine any real reason for wanting this.
-Steve
Re:It's not as bad (Score:2)
What's really happening here is that Microsoft is beefing up their MSN/web presence as much as possible to sell space and eyes to people. So people viewing all those important bug announcements all the time for the many many msft bugs mean more traffic on their site. Actually, in this way, they can make more money by having more bugs! HA!
MSN.com is one of the most visited sites on the internet today because IE defaults to it. Pretty nauseating. And they make very big money on the content partnerships involved with that site. When I worked at a web tracking company, spidergate.net, they were trying to get us into some kind of deal and sending us big fat glossy three ring binders about all of their current partnerships with big e-commerce houses.
___________________________
http://www.hyperpoem.net [hyperpoem.net]
Re:Just Ask...Bleet for me sheeple (Score:2)
If you don't like the authority the law grants, then you have basically two options. 1) Lobby your national legislature to drastically change copyright law. 2) Find a country that isn't a Berne Convention signatory and move there.
So let me turn your question back on you:
How can you be so friggin (sic) dense?
Re:Is This Really As Terrible As It Sounds? (Score:2)
Okay maybe I'm just paranoid, but IIRC, Encarta lists the release of NT 4.0 on a world timeline that also includes the dinosaurs, the moon landing, etc...
Re:Slashdot - get a grip and get some knowledge. (Score:2)
Of course. Bugtraq will still have Microsoft bugs, VULN-Dev will still be used to find errors in MS' programs. The point is, SecurityFocus.com is not allowed to store or redistribute Microsoft's webpages. It's all up to Microsoft if they allow their entire advisories/webpages to be published. And frankly, I don't expect aleph1 to "write his own advisory based on Microsoft ones". He is denied to just post the damn webpage. That is all. This just _isn't_ an "everybody flame Microsoft for trying to stop mouths" case. It's a "Microsoft sucks at distributing information about security vulnerabilities" case.
Not to mention the infamous credits
At least they _give_ credit. That is the important thing.
No, I don't think I'll miss the MS advisories..
Me neither, they are too full of BS instead of the facts you want to get. There is a great posting to bugtraq today (or maybe it was yesterday) about the trouble with Microsoft's security bulletins. Mainly that they lack consistency in what to do when they update the information.
--
30% increase in productivity (Score:2)
But it compares poorly with their 45% increase in bugs.
Re:Bugtraq's use is FAIR USE and thus OK! Read Thi (Score:2)
It certainly would be fair use to create your own original description of a bug. However, Microsoft's bug reports themselves may contain original expression. If so, just as a movie critic's review is protected, so is their advisory. However, the factual parts of it are not protected, and fair use might also protect some copying of the advisory itself.
Fair use has four factors, as defined in 17 USC 107 [cornell.edu]. Applying those here we find:
(1) BugTraq's use is noncommercial technical research, I believe. The mailing list doesn't come with any advertisements that I'm aware of.
(2) The nature of the Microsoft advisories is factual -- they aren't fictional works.
(3) The amount copied from Microsoft is presumably the whole thing, although if they used choice quotations this would help a fair use claim.
(4) The effect on the market or value of the bug advisory is the key issue. If Microsoft isn't selling these or using them to sell bundled advertising, then it's hard to see any negative effect. If they start selling access to these advisories, then this would strongly disfavor fair use. If they are given away free, but generate advertising revenue, then it's more muddled but probably disfavors fair use.
My non-lawyer "guess" is that unless Microsoft generates revenue somehow from these advisories that copying them in their entirety is actually not copyright infringement because it is fair use.
If MS does generate revenue from these, then bugtraq could probably get away with quoting the key passages, but MS would have a very tenable case to take to court if the whole thing was copied. I'd guess there was a small chance the defense could win, but it'd be a long shot with a large cost.
Moderators: May be redundant - but my vote counts (Score:2)
Shoot yourself in the foot, why don't you?
If you can't take bad press don't play the game, but don't stop others from playing it.
Re:Can Ford/GM, et all do the same? (Score:2)
Not quite the same...
Microsoft wants to stop bug reports, because they embarrass the company, and I believe that Microsoft top brass doesn't really give a monkey's if you, I or some other poor consumer loses all his data through a security hole.
Ford/Bridgestone/AnyCompany regrets having to post recall notices, but realises that it is better to look a bit stupid rather than risk the deaths of consumers and almost certain litigation.
Of course, I personally am very unlikely to lose any data through a Microsoft security hole. At home, I use only Linux, and at work I use a mix of SunOS, Irix and AIX... Colleagues using WinNT who were stupid enough to click on the LoveBug VirusBuilderScript may have lost some stuff, but then learning is often a painful experience for children.
You fall, you get a bruise, you learn to look what you're doing and you fall less often.
Re:Some background info (Score:2)
Oh joy, another Microsoft apologist. The Stacker incident was a good example precisely because it IS old. It would be interesting to see how Microsoft explains the "development" of their disk compression technology today.
If you want recent examples, I could refer to the DOJ case and Microsoft's lies and underhanded tricks related to that. Just let me know if you want to hear it...
Yes, this is as terrible as it sounds (Score:5)
I can understand why a company would (and must) vigorously defend its trademarks. I also understand why companies want to prosecute violations of their valuable copyrighted works.
But what is the value of trying to clamp down on control of information such as security problems and vulnerabilities? There must be some ulterior motive.
After all, with a copyright, MS could just grant anyone permission to redistribute and reproduce the text of the bug report -- provided copyright notices remain intact.
So why aren't they doing something like this? I think previous posters got it exactly right. They can silently edit things after the fact. Change links. Change the contents of linked pages, etc. One thing about news on the web is that no permanent record exists.
One other thought: Since copyright doesn't protect the idea, BugTraq could explain the problem in their own words, and there is nothing MS could do about it.
Some background info (Score:5)
This is very annoying if you want to download your emails to a laptop and read them somewhere where you don't have i-net access to read the whole thing.
I guess Microsoft did that to create an easily updateable security information archive.
But they should still put the whole info into the email, and post a link where you could find updated information.
if you care, send an email to Microsoft Security Feedback [mailto]
Re:READ the article before you submit it! (Score:2)
I don't see the same advantage you have - in my experience, many times the bug description is posted on BugTraq FIRST, and then the vendor will eventually send out a bulletin about the bug description (and hopefully) a workaround or fix.
So really, if you want all of the bulletins as soon as possible, you go to a place like BugTraq - you don't wait for the vendors to respond.
Re:Yes, this is as terrible as it sounds (Score:2)
I don't know why they want to restrict it. Maybe to track which bugs people read. Maybe to ensure that sites which report on MS bugs have to actually do their own writing. I don't see it as a big deal; you can say anything you want, you just can't copy their precise wording. Big deal.
Is it too much to ask to /read/ the damn thing? (Score:3)
How to secure a Windows system with one button (Score:2)
A better method is the switch inside the circuit breaker box, but that's not a button. Instead, the button on a detonator attached to the hard drive of the machine in question is recommended.
In extreme cases, a MIRV aimed at Redmond may be the only solution.
Copyrightable? (Score:2)
Copyrighting does not make top-secret. (Score:2)
Just because Microsoft is claiming "copyright" protection on their announcements, does not mean they're trade secrets!!! You can publish copyrighted material under fair use laws, AND get away with it!
I mean, you can publish copyrighted material and include a review of it, and that would be fair use.
I really think SecurityFocus needs to talk to their lawyers about this. I'm sure they'll find that it's completely legal.
As for Microsoft, they deserve everything coming to them.
This could be worse for MS. (Score:2)
No, there isn't. (Score:2)
Bugtraq's use is FAIR USE and thus OK! Read This! (Score:2)
Wow! (Score:3)
"One microsoft-bug-list-T-shirt, please. Size Hindenburg[1], please."
[1] large object was chosen at random - the final fate of the Hindenburg didn't have anything to do with it...
--
Re:Is This Really As Terrible As It Sounds? (Score:2)
If you want the mailed bulletins try MS Product Security Notification Services [microsoft.com].
I claim no preference one way or the other as to MS stuff.
Purpose of copyright (Score:3)
The reason that copyright exists, is to encourage creators to create expression. That encouragement is normally implemented as profit. The profit comes from the creator having a temporary monopoly on the expression, so that they can sell it, license it, etc.
Government grants copyright and legal protection to creators in order to get something in exchange: creative works (which, after it falls into public domain, then benefits the people that gave government its power).
Microsoft issues security bulletins in order to increase the security of their installed base of users, thereby increasing the reputation of their product, thereby hopefully increasing sales of their product. They do not write security bulletins in order to sell them or license them for a profit.
Government grants copyright and legal protection to Microsoft security bulletins in order to get ... what in return?
My limited imagination does not see a connection between the purpose of government granting copyright, and Microsoft writing security bulletins.
If anyone here ever ends up starting their own government and writing their own copyright laws from scratch, I hope that they consider this issue. ;-)
---
Motivation (Score:2)
Web traffic is $$.
Don't even think Microsoft cares about security - they don't except for its ability to make them look bad. If they can market something as secure, it really doesn't matter whether it is or not.
And this is a direct attempt to hit BugTraq squarely in the wallet by taking most of their web traffic, and having them click through to Microsoft.
Ah! Bug reports as revenue source! (Score:2)
You're on to something here. Microsoft gets to show ads and place promotional messages in its e-mail newsletters and on its web pages--even the bug report pages.
Maybe the revenue derived from these ads (even if it's cross-marketing of other Microsoft products) is so great that they'll start issuing bulletins for nonexistent bugs just to draw more traffic to their security announcement site.
Facts are not protected by copyright protection. (Score:5)
You cannot protect a fact as intellectual property or under copyright protection. This is why anyone in the nation can publish the scores of an NBA game -- the NBA does not "own" the statistics of the players. Anyone can write a film or game review -- it is not illegal for me to say what happens in your movie or game. For this reason, there is nothing illegal about reporting bugs, DMCA be damned. 1st Amendment wins, fatality.
Security Focus may not be able to copy-and-paste, but they can read a report in the Microsoft email and report on the report. Again, facts cannot be copyright protected.
BugTraq can still publish parts: Fair Use (Score:3)
Microsoft can't do a thing about it.
Pretty silly thing for MS to do, regardless. This just makes them look like they're trying to hide things.
On an amusing note: MS had a 30% increase in productivity [theregister.co.uk] this year: of security patches.
Regards,
-scott
MS vs. URLs (Score:2)
You'd think that a company so into the Internet and selling web servers would understand the concept of URLs. They really do make it hard to link to anything on their site, which is the whole point of the web. Their URLs are neither uniform, nor let you locate resources. (To be fair, places like ZD Net are just as bad.)
Warning: No Content Post (Score:2)
Basically xato went out and tried to figure out which bugs existed, which bug affected a given ms system, and which hot fix works for that bug... It was hell.
--locust
Unless you are the International Olympic Committee (Score:2)
Actually, you can protect some facts under trade secret laws. For example, the secret formula of Coca Cola. But the fact that Microsoft is giving the information out causes it not to be a trade secret.
Re:READ the article before you submit it! (Score:2)
patches not bugs.
and
Not that Bugtraq isn't good, just that if you need to keep up with vendor patches, it's not the way to fly.
well ... (Score:2)
-:-:-:-:-:-
nothing much [angelfire.com] and if you're smart go to this page [angelfire.com] and tell me how to get it working.
I can see their point. (Score:2)
Imagine how secure Fort Knox would be if nobody knew where it was.
This situation is similar. After all, nobody but Microsoft can fix the flaws, so what's the point of having people know about it? People will predictably respond in their superior way that SysAdmins need to know the security holes so that they can take them into account and defend against hackers. But the only way the hackers find out is by reading BugTraq!
I honestly think the net effect will be improved security for the great majority of sites.
KTB:Lover, Poet, Artiste, Aesthete, Programmer.
Re:Yes, it is! (Score:2)
Here's an idea:
Why not provide an md5sum of the webpage contents? That wouldn't be illegal (no way that an md5sum is a copy of the material), and would quickly show foul play by Microsoft. If they took one each week they would be able to tell how often and when the info is changed.
Microsoft should better... (Score:4)
Wouldn't it be really fun if they sued everybody who reproduced their bugs...
They could start with access violations in end-user programs, that should break the neck of 99% of all other software producers.
Here's a solution .. (Score:2)
(English-to-French, French-to-English of http://support.microsoft.com/support/kb/articles/Q177/0/89.ASP [microsoft.com].)
Of course, you might also run it through the Dialectizer [rinkworks.com]:
--
Re:Yes, it is! (Score:2)
Re:READ the article before you submit it! (Score:3)
All right, getting all the patches eventually is good - but you're not going to get them until the vendor has actually acknowledged the problem, analyzed it, created the patch, done (you hope) some testing, then posted it. And _that's_ if the vendor decides to actually acknowledge the problem.
In the meantime, you need defenses & some kind of workaround - and the most timely method of getting that information is from the people who just got slammed by the bug, and who are reporting their experiences to services like BugTraq.
In other words, I'm agreeing with you about needing to monitor the vendor releases closely so you can keep your system "officially" up to date, but if that's ALL you're relying on, then sooner or later you're going to get screwed and not even know what hit you.
To do more than that, you need services neutral w/respect to any individual vendors, like BugTraq.
Copyright or Patent Exploit (Score:2)
Re:Wow! (Score:2)
It does need to be big. Giga is reporting that MS just hit the 93rd security patch for the year [theregister.co.uk] -- a 30% increase over last year.
--
The frames dodge (Score:2)
Re:Is This Really As Terrible As It Sounds? (Score:2)
Yes, this is probably not a strong reason, but given that there's little reason to begin with for MS's decision, speculation is all that we can do.
Seems fair (Score:2)
Re:Yes, it is! (Score:3)
Hmmm... download it for personal use, then take a diff. Post the diffs to bugtraq.
What is surprising is that Microsoft is consistent with the timestamp in their updates. If something was edited last week, it will say so at the bottom... even if the article was first posted three years ago.
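The "download it and take a diff" idea in this post, and the weekly md5sum idea in the "Re:Yes, it is!" post further up, as one added example (not code from either poster): each saved copy of a bulletin is fingerprinted, and a unified diff is produced when the text changes between snapshots. Assumptions: the snapshots are constructed sample text rather than real Microsoft bulletins, the URL is a placeholder, and SHA-256 stands in for md5 because md5 collisions are cheap to produce today.

```python
import difflib
import hashlib
from datetime import datetime, timezone

# Constructed sample snapshots of one bulletin page taken a week apart.
# They are not real Microsoft text; the second one silently adds IIS 5.0.
SNAPSHOT_WEEK1 = """Security Bulletin (constructed sample)
Affected: IIS 4.0
Severity: Moderate
Workaround: disable the affected feature
"""
SNAPSHOT_WEEK2 = SNAPSHOT_WEEK1.replace("Affected: IIS 4.0", "Affected: IIS 4.0, IIS 5.0")


def fingerprint(text: str) -> str:
    """Hash of the bulletin text with per-line whitespace stripped, so that
    cosmetic reflows do not trigger a false 'changed' alert. SHA-256 is an
    assumption here; the post suggests md5sum."""
    normalized = "\n".join(line.strip() for line in text.splitlines())
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


class BulletinWatch:
    """Keeps a (timestamp, fingerprint, text) history per bulletin URL."""

    def __init__(self):
        self.history = {}

    def record(self, url, text, when=None):
        """Store a snapshot. Returns ('new', None) on first sight,
        ('unchanged', None) if the fingerprint matches the last copy, or
        ('changed', unified_diff) when the page was edited since last time."""
        when = when or datetime.now(timezone.utc).isoformat()
        fp = fingerprint(text)
        prior = self.history.setdefault(url, [])
        if not prior:
            prior.append((when, fp, text))
            return ("new", None)
        old_when, old_fp, old_text = prior[-1]
        if old_fp == fp:
            return ("unchanged", None)
        prior.append((when, fp, text))
        diff = difflib.unified_diff(
            old_text.splitlines(), text.splitlines(),
            fromfile=f"{url} @ {old_when}", tofile=f"{url} @ {when}", lineterm="")
        return ("changed", "\n".join(diff))
```

The diff, not the page text, is what would be posted, which is the distinction the poster is drawing.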
FINALLY!!! (Score:3)
--
Thats not the case... (Score:5)
Basically, the new MS format is very non-informative, and therefore, not very helpful for those in need of information about a new vulnerability. They want to centralize the location of their advisories so that customers can get up to date information in one place on the web.
I applaud them for trying this out, but I don't think it is the best way to go. I still prefer the old method of sending out all of the advisory in a single email.
Furthermore, this won't stop MS advisories from being posted by the people who have found the hole(there will be plenty of those I am sure) - and those are usually more informative anyway...
- Rick
www.bluealien.org
Re:Is This Really As Terrible As It Sounds? (Score:2)
The DeCSS case was lost because of a bad law, and the fact that the defense really had no way to "prove" that DeCSS was developed for a "legitimate purpose" other than the words of one of its creators, who, being a 16 year old kid, didn't carry much weight with the judge apparently. With a copyright case, they can hold the lawbook under the judge's nose and point out why he cannot rule against them, because there is no such law that states that they must actively defend their copyright. There isn't any ambiguity as to whether or not a copyright holder can prohibit someone from distributing their copyrighted material, except in cases where the defendant is claiming that the alleged infringement is fair use. In that case it wouldn't even matter whether Microsoft lets others do it or not, so it's moot.
I don't think you've got the Napster argument right either, but that's another discussion. All things considered, the earlier arguments about revisionism at Microsoft are probably much more likely given the fact that Microsoft has a history of doing such things.
READ the article before you submit it! (Score:2)
Just Ask (Score:2)
Did anyone think to ask? How hard could it possibly be to tap Microsoft on the shoulder and say "Hey, a lot of people read this mailing list looking for security information. Specifically they want to know right away when vulnerabilities are discovered. It would be a shame if you disappointed those readers who run your software. May we have permission to post your advisories?"
I think this is a mind shackle that a lot of people can't get past. I think most people see that phrase about authorization and permission and they stop there. No you can't do much without permission, but yes, you can ask for permission.
Has the software industry become so corrupt that.. (Score:2)
Nope. The real purpose of copyright: (Score:2)
Ergo, Copyright law, which granted a time-limited limited monopoly. Authors can use it to require remuneration for their works.
The purpose of copyright law is NOT to maximize the rate of return to the copyright holder (note, this isn't necessarily the original artist) for copyrighted works. Nor is copyright law's purpose to maximize the number of works available. (If it was, then why did they put a time-limit on it?)
Copyright law's purpose is to further the public good by ensuring the maximum number of artistic works are in the public domain.
Re:Facts are not protected by copyright protection (Score:2)
Both have copyrighted their fixture lists, and some fan sites have been told not to post fixture lists. Apparently you have to pay them money to be able to print such lists.
Newthink (Score:2)
This is of course known as the REALLY FSCKING STUPID school of marketing, dominated by the idea, "Our customers will only listen to US! (and no bugs are really serious anyway)". Unfortunately software problems can cost customers buttloads of money, meaning that this 'ostrich mode' strategy will produce a small amount of unrealistically rosy PR and a world of hurting in practice.
Couldn't happen to a nicer company- hopefully not too many other companies will really follow MS all the way down, marching into hell like trusting little lambs- if for no other reason than it'll be very costly to trust MS, and the bottom line will show it.
Do MCSEs get training in how to spin consulting fees etc. so that it doesn't look like MS's fault when support costs are high? Probably the main strategy for dealing with an expected firestorm of hackings and security breaches is to paint intruders as brilliant evil hackers rather than boring script kiddies.
The bulletins, not the bugs (Score:2)
It seems MS has copyrighted their bulletins (not the bugs).
I guess you can still publish the incident, but you would have to write your own "bulletin".
While I can understand that MS wants to protect their precious incredibly sophisticated and unique security bulletins I guess there are other reasons for this.
What MS tries to do for security reasons (at least that's what I think) is to establish their site as the only way to obtain official bulletins.
One can only suspect that they are scared that someone might post fake messages on those lists, making them in some way look official.
I know what's next... (Score:3)
I mean, who cares whether the system is secure or not. As long as you agree to the EULA, everyone's safe!
Re:I can see their point. (Score:3)
Security through obscurity works, in the end.
Sorry, but that's exactly wrong - security through obscurity doesn't work .. not longterm anyway.
There have been many programs in wide scale use, with no source, that have been exploited by [ch]rackers - all it takes is one knowledgeable person, and a disassembler [geocities.com].
I've spent many a happy evening at home reverse engineering communications protocols, and the like - there's a fine example of something that's not automatically secure just because the details aren't published.
But the only way the hackers find out is by reading BugTraq
Granted some script kiddie[sz] will find details of exploits from reading SecurityFocus [securityfocus.com], and BugTraq - but if those sites didn't exist they'd be talking about them on IRC anyway.
A talented [hc]racker isn't going to need somebody to spoonfeed him/her exploits - they will sit and discover them by examining source code, or binaries.
Steve
---
If only... (Score:2)
Bzzt! Thanks for playing! (Score:2)
Bugtraq can still report MS bugs, and use the Technet site as a research tool, but they have to produce their own vulnerability reports. Which I hope they should, rather than relying on MS's own work. If they perform the research themselves, they might find out the exploit is actually wider than what MS thinks it is.
This is good for Bugtraq and users. I don't like MS any better than the rest of you, but let's talk about what's really wrong with them, rather than this sort of paranoia.
This situation is better for users and Bugtraq, though might delay advisory publication by a few minutes now that Bugtraq must confirm and document the exploit themselves.
Re:Is it too much to ask to /read/ the damn thing? (Score:3)
~luge
How many lawyers on the M$ payroll? (Score:2)
A theory:
Like the US Government, the number probably increases in size as necessary, but never decreases.
Re:Is it too much to ask to /read/ the damn thing? (Score:3)
Re:READ the article before you submit it! (Score:5)
You may be a troll and I'm feeding, but I'll give it a go.
Like Microsoft, all of the major UNIX vendors have security mailing lists. They tell what program the bug is in, if it is a remote or local compromise, and what exactly the compromise can do (denial of service, gain root access, etc). This includes Sun (Solaris), HP (HP-UX), SGI (IRIX) and Digital (Digital UNIX, aka OSF1 aka Tru64).
Same goes with the majority of the large (and even most of the small) Linux vendors. Do you see Bugtraq after a local root compromise has been found? I see updates from 7 or 8 Linux vendors announcing patches or packages with the fix.
Some folks (such as OpenBSD and their code audit) do not report all bugs. As for their reasoning, I don't know, but they will report bugs that users find, but not things they find during their code audit.
So yes, UNIX vendors DO report and patch their bugs.
What's next... (Score:3)
Geez, isn't that a bit like a car manufacturer notifying the public that their latest SUVs flip over and explode, but preventing anyone from redistributing that notice? Has the software industry become so corrupt that our failure notices are now considered revenue generators and exclusive property?*
What next, a EULA on their website that reads "By using this website, you agree not to disclose the details of these failures to third parties. This information is confidential, and only available to licensees of Microsoft products".
* I forgot about the $90/hour tech support. I called Mickey$oft once to confirm that the behavior I was seeing was in fact a bug in IIS, and the wanker tried to charge me because he offered a half-assed workaround. Then it shows up as one of these bug reports [microsoft.com] on their website the next day (oh geez, it exists in 5.0 too!). They knew about the bug beforehand, as he had the workaround almost immediately, but did not publish until the prospect of someone else identifying and publishing the bug came up. My experience, and this current issue, says to me that Microsoft is only interested in spin control.
--
Bush's assertion: there ought to be limits to freedom
Microsoft is also using a web bug to monitor views (Score:4)
One thing that I noticed about the new Microsoft security bulletins is that they now contain Web bugs. The bugs look like they are used to count the number of people coming to read the bulletins. Here is the URL for one of these bugs: http://c.microsoft.com/trans_pixel.asp?source=www&TYPE=PV&p=technet_security_bulletin [microsoft.com]. I didn't see a tag for the bug, so I'm assuming it is generated by one of the JavaScript files included on the page.
It may be innocuous - just to see which are popular - but they could do that via log analysis, or a visible counter..
-dg-
Re:Is This Really As Terrible As It Sounds? (Score:3)
The only possible reason for this is Microsoft prefers spin control to efficient distribution in distributing bug reports.
What, they were planning on releasing a "best of MS bugs" album? Copyright? Give me a break.
Yes, it is! (Score:5)
This is bad for two reasons:
First, MS has a nasty habit of moving their web pages around, and not using redirects; so the link they publish today may not be available tomorrow (or next week, or next month) even if the vulnerability is still important.
Second, MS can "edit" the web page to say anything they want, after the fact. They can surreptitiously add/remove information from any bulletin at any time, and not tell anybody - an "extension" to a known vulnerability (such as the IIS Unicode bug, which was patched a year ago, but still reared its ugly head this summer) can be silently "updated", and nobody is any wiser.
Bugtraq is a full disclosure list - and this is a definite step away from full disclosure.
Re:Solution (Score:3)
"Stop vendor notification of MS Security holes."
You make an excellent and insightful point, but I think the gist of this action is that MS doesn't give a shit about bugs or bug reports. If they can stop people from KNOWING about bugs (and they are doing this by severely limiting and taking control of disseminating this information) then bugs aren't a problem.
MS doesn't want to know about bugs, and they don't want YOU to know. They especially don't want the average MIS manager (who are typically much less technically astute than those they manage) to know about bugs.
Re:Yes, it is! (Score:3)
Slashdot - get a grip and get some knowledge. (Score:3)
Microsoft is issuing, like other companies, Security Advisories. These distributable security advisories were posted to bugtraq and other mailing lists, and were up until a week ago. The point is, Microsoft has changed their Security Advisory layout, to only include a URL to the description of the bug and so forth.
Aleph1 is running Bugtraq, which is a full disclosure mailing list, and one of the policies is that the signal-noise ratio should be as good as possible. To avoid noise "no-content" advisories are rejected. Advisories with nothing but URLs are considered no-content advisories.
That means that Aleph1 will no longer be publishing Microsoft's new security alerts. Instead he tried to post one of the security bulletins from their web pages, and Microsoft claims copyright on that. Well, too bad for them. Microsoft is forgetting that they have now made sure that even _fewer_ security administrators will get to know about their products' weaknesses, and even _fewer_ administrators will upgrade.
In other words, they've done an Operation Foot Bullet. I don't complain though, as I don't run Microsoft servers - and now have even more arguments when convincing companies I work for not to use their shitty products.
Slashdot has in this case presented a very wrong view. It's Aleph1 that is _rejecting_ Microsoft's security alerts because of them being NON-CONTENT. He is however not allowed to grab Microsoft's _web pages_ and publish them on bugtraq.
--