Information Security News mailing list archives
BugTraq tiff 'a slippery slope'?
From: InfoSec News <isn () C4I ORG>
Date: Thu, 14 Dec 2000 14:11:40 -0600
http://www.zdnet.com/zdnn/stories/news/0,4586,2664666,00.html

By Robert Lemos, ZDNet News
December 13, 2000 5:14 PM PT

A week after banning Microsoft from a popular security mailing list, the moderator of the BugTraq list has refused to post advisories from a second company, @Stake Inc.

The fight pits the open atmosphere of an Internet mailing list with the proprietary tactics of two corporations that are well-known in the security field, said Elias Levy, chief technology officer of SecurityFocus.com and moderator of the BugTraq security list.

Both Microsoft and @Stake posted advisories that summarized a particular flaw and directed readers back to the companies' Web sites.

"This is just going to become a slippery slope," he said. "The information will go someplace else, and that will really affect the value of the list."

Two weeks ago, Microsoft changed its procedure for posting security bulletins to mailing lists. Instead of full descriptions of the problems and solutions, the Redmond, Wash., giant described a problem and referred the reader back to the Microsoft Web site.

Microsoft knows best?

The change made sense for the customers, said Steven Lipner, manager of Microsoft's Security Response Center, during an interview last week. "If we post an advisory with an error in it, we would have to go out and get the information changed where ever else it may be mirrored."

Levy didn't agree with Microsoft's logic. On Thursday, Levy banned the software giant from posting further advisories until its Vulnerability Response Center agreed to include more information in its advisories.

The scene replayed itself this week. On Tuesday, Levy refused to post an advisory from security services firm @Stake Inc. regarding a flaw in America Online's Instant Messenger service. The advisory did not give a detailed description of the flaw, nor any remedy, unless the reader followed a link to the @Stake site.

@Stake, BugTraq, @ odds

"Weld Pond," who uses his hacker handle and is director of vulnerability research for @Stake, said the advisory explains enough of the problem for any administrator to gauge whether the flaw should pose a concern.

"I think everyone out there knows that we are committed to full disclosure and the concept of freely available security advisories," Pond said in a Wednesday posting to BugTraq. "What we are doing is adding more information than we have in the past and we are adding it on our Web site."

Yet, Levy remains unconvinced. "Imagine if all advisory publishers decided to make this change," he said in a Wednesday posting to the BugTraq list. "I fear such change would create friction that would diminish valuable discussion on the list and erode the BugTraq community."

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".