BugTraq, @Stake differ on vulnerability reports

And we think they're both right

Two respected names in Internet security, SecurityFocus and @Stake, have reached what we hope will be a brief impasse over how vulnerability reports, which represent a great deal of unremunerated work, should be shared.

Recently, @Stake, which also runs the Hacker News Network Web site, submitted an abbreviated notice to the BugTraq mailing list concerning a security hole in AOL's Instant Messenger (AIM), explaining how a malicious URL can be used to take control of someone else's AIM client and run arbitrary code on their machine.

SecurityFocus' Elias Levy, who moderates the BugTraq list, rejected the submission on grounds that it included too little descriptive detail to be appropriate for his subscribers.

@Stake's Weld Pond countered that the submission, while brief, contained a link to the full text on the @Stake Web site so that BugTraq subscribers might easily examine all the gruesome technical details if they pleased.

"We want to draw readers to our Web site to present them with additional helpful information that cannot be accomplished in the mailing list format," Weld Pond told The Register.

And that, of course, is perfectly reasonable.

Levy argues that while "some people ... may prefer to receive a short notice instead of the full advisory, that is not the case with BugTraq." It is, rather, "a mailing list for the dissemination and discussion of security vulnerabilities," not for announcements, he told us.

And that, too, is perfectly reasonable. What we have here is a difference of opinion in which both parties are making sound, rational arguments.

@Stake certainly has every right to influence the way in which their original content is presented by third parties. "We do not wish to have our research work presented as the content of another site that has another company's banner ads or branding around it. If you look at the advisory presentation on our site, there are no ads or marketing messages. It is a strictly academic presentation," Weld Pond told us.

And yet again, Levy made a good point when he noted to us that posting less than the full advisory to the BugTraq list "breaks down the flow of discussion. Now people need to visit the Web site, read the advisory, and if they want to comment copy and paste into a new message."

"For very long we have tolerated the marketing copy on vendor advisories because while annoying they were accompanied by useful information. But in this change there is no value added to list subscribers. It's for this reason that we are not accepting such advisories," Levy added.

This development comes on the heels of a dispute with Microsoft, which told BugTraq that MS security advisories may not be reproduced in whole on the list, citing copyright issues, as we reported here.

"I must admit I don't understand the change @Stake made. Microsoft I can understand; @Stake I can't," Levy said.

"I've asked the list subscribers for their opinions. I've received over five hundred messages so far. While a handful of people liked the notices, the large majority of them, probably around 95 per cent, found the change to be a negative one and want me to hold firm to the policy of not approving them."

Meanwhile, Weld Pond notes that @Stake's work remains freely available on their site. "People can always reference our work and make fair use of it. We do not wish to stop anyone from learning from it or using it to better secure their computing resources or build better security products. This is of course the primary reason we publish our research and make it freely available for all to read. The fundamental values of full disclosure remain unchanged," he told us.

But referencing the work is not the same as reproducing it. So we might conclude that BugTraq's perfectly legitimate posting requirements are simply incompatible with @Stake's perfectly legitimate desire to draw Web surfers to their own site to view the material in the format they prefer.

A recent story by ZD-Net may have added fuel to a fire that doesn't quite exist. "The fight pits the open atmosphere of an Internet mailing list with the proprietary tactics of two corporations that are well-known in the security field, said Elias Levy," ZD-Net wrote.

We were immediately startled by the word "fight" attributed to Levy, who is as peaceable a fellow as one might ever meet.

"I would not call it a feud. There haven't been any unpleasant exchanges. I can't speak for @Stake but I get the impression they may think I am being inflexible. After all, they did modify their notice format once. Maybe I am being inflexible," Levy told us.

Hardly the words of a man girding himself for battle.

We would hope that these two organisations, whose work we admire greatly, will be able to strike a compromise acceptable to both.

"The one compromise that seems obvious and was suggested by several list members -- that of publishing the whole advisory but with a large notice at top pointing people to the @Stake Web site for the most up-to-date information -- seems not to be to @Stake's liking. I don't know that there is a middle ground," Levy said.

Perhaps a copyright notice or 'reproduced by permission' notice would be helpful here; we don't know. But we do know that it would be most unfortunate if anything like the "fight" rumoured to be underway should actually result from what we perceive as a mere difference of opinion.

But we rather think it won't. At a minimum we reckon the two would simply agree to disagree. Not the best of all possible outcomes surely, but certainly not the worst. ®
