Symantec's SecurityFocus buyout met with pessimism

Bug trackers fear BugTraq death

  • alert
  • submit to reddit

Top 5 reasons to deploy VMware with Tegile

There's been considerable discussion this weekend of the recent sale of SecurityFocus to mega-corporation Symantec for a sweet $75 million. At issue in particular is SF's BugTraq mailing list, which has for years been the most popular full-disclosure vulnerability list going.

While Symantec has stated that it will not exert influence on BugTraq, which it now owns, many list members find that assurance hard to trust. However, in this case only time will tell. I personally have little doubt that the SF staff intend to keep BugTraq and its extensive archives independent and free. Whether they'll succeed in the long run is an entirely different matter.

The deal has generated further controversy because SF has sold something quite valuable which it received free of charge, namely the exploits submitted by list members. These are valuable for developing scanning software like Snort, Nessus, and the like. And naturally, when this much cash changes hands, people may get envious. They may also feel they're owed something for the free contributions they've voluntarily made.

Coincident with the Symantec announcement, a new list opened up to address the anticipated fall of BugTraq. It's actually called Full Disclosure and is unmoderated, meaning that within hours it began degenerating into a forum for the 'full disclosure' of members' opinions.

Among these are a comment from Charles Stevenson bringing the security 'community' to task for "supporting the exploitation and misuse of proprietary exploit source code to further the large companies' for-profit endeavours."

There was also a suggestion from Jay Dyson that exploit code submissions and vulnerability advisories be licensed in some way to prevent their use by profiteers.

Conflict alert

At this point I have to say that The Register and SecurityFocus have a longstanding business relationship involving content sharing. And I may as well add that SF Editorial Director Kevin Poulsen is a close friend of mine; and that I happen to like and respect co-founder Elias Levy, though I'm not closely acquainted with him. Now back to my completely unbiased article.

Sour resumes

It does seem odd that contributors to BugTraq should expect consideration after making free submissions to it with no expectation of reward. So far as I know no one at SF ever asked them to perform the work which their submissions represent, or ever promised them anything in return. The idea behind BugTraq has always been to make the information available to anyone who can use it. And so long as it remains freely available, there shouldn't be a problem.

As we saw at H2K2, some people believe that a large fraction of posts to BugTraq have more to do with resume padding than the free exchange of ideas and selfless sharing of research for the improvement of everyone's security. (I happen to agree with this observation.) According to the theory, people send in exploit code they've spent days or weeks perfecting in quest of the publicity needed to find fabulous jobs or to start up their own security firms.

But now people are concerned that BugTraq won't continue to function as it has in service of these ambitions. And if these fears should be justified over time, other public outlets for cleverness exhibition will have to be devised and other forms of compensation sought. Thus the idea of cashing in on the code is circulating.

Of course that would cause problems for developers of free and open-source products. Perhaps a EULA could be useful here, stipulating that the code is royalty-free to GPL'd open-source apps and share/freeware, and imposing a royalty on its use in proprietary, for-profit products. Or perhaps not. Personally, I don't see any way something of that sort can be enforced. If a big company steals your idea, they can all too easily claim that their vast team of researchers hit on the same item coincidentally (this often happens for real, as the publication of new discoveries will set many different people thinking along similar lines).

The questions surrounding vulnerability disclosure are endless and probably insoluble. Even the very fact of disclosure is controversial: many believe that the announcements give malicious hackers an unfair advantage; many others (like me) believe that withholding the information leaves users at increased risk on the theory that forewarned is forearmed.

And the timing of announcements is still in dispute. How long is 'long enough' for a vendor to patch an issue before the details are released publicly? I'm in favor of full disclosure, yet I was appalled when ISS recently gave Apache less than 24 hours to deal with a significant vulnerability.

And now we have the issue of what a researcher is owed for work freely offered. Publicity used to be enough; but now that people have begun worrying about the future independence of BugTraq, it may not be enough for long. As one observer remarked, there's a difference between contributing to SecurityFocus, and working for Symantec.

At this point I have to appeal to the wisdom of The Reg's beloved readers. Does the act of making a free contribution to a public, full-disclosure list imply that the material is up for grabs? Aren't restrictions on further use a contradiction of everything 'full disclosure' represents? Should contributors to open forums expect consideration when someone else profits from their work? Should they have the right to deny use of their contribution by for-profit concerns who refuse to pay? Should open-source developers be given freedom to use the data, while commercial developers are expected to kick back a royalty? Is there any hope of enforcing or defending a patent, copyright or EULA on such submissions? Is there any practice or standard that won't make network and software security an even more gargantuan mess than it already is?

I honestly don't know. ®

Internet Security Threat Report 2014

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story


Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.