Information Security News mailing list archives

BugTraq tiff 'a slippery slope'?


From: InfoSec News <isn () C4I ORG>
Date: Thu, 14 Dec 2000 14:11:40 -0600

http://www.zdnet.com/zdnn/stories/news/0,4586,2664666,00.html

By Robert Lemos, ZDNet News
December 13, 2000 5:14 PM PT

A week after banning Microsoft from a popular security mailing list,
the moderator of the BugTraq list has refused to post advisories from
a second company, @Stake Inc.

The fight pits the open atmosphere of an Internet mailing list against
the proprietary tactics of two corporations that are well-known in the
security field, said Elias Levy, chief technology officer of
SecurityFocus.com and moderator of the BugTraq security list.

Both Microsoft and @Stake posted advisories that summarized a
particular flaw and directed readers back to the companies' Web sites.

"This is just going to become a slippery slope," he said. "The
information will go someplace else, and that will really affect the
value of the list."

Two weeks ago, Microsoft changed its procedure for posting security
bulletins to mailing lists. Instead of full descriptions of the
problems and solutions, the Redmond, Wash., giant described a problem
and referred the reader back to the Microsoft Web site.

Microsoft knows best?

The change made sense for the customers, said Steven Lipner, manager of
Microsoft's Security Response Center, during an interview last week. "If
we post an advisory with an error in it, we would have to go out and get
the information changed wherever else it may be mirrored."

Levy didn't agree with Microsoft's logic.

On Thursday, Levy banned the software giant from posting further
advisories until its Vulnerability Response Center agreed to include
more information in its advisories.

The scene replayed itself this week.

On Tuesday, Levy refused to post an advisory from security services
firm @Stake Inc. regarding a flaw in America Online's Instant
Messenger service. The advisory did not give a detailed description of
the flaw, nor any remedy, unless the reader followed a link to the
@Stake site.

@Stake, BugTraq, @ odds

"Weld Pond," who uses his hacker handle and is director of vulnerability
research for @Stake, said the advisory explains enough of the problem
for any administrator to gauge whether the flaw should pose a concern.

"I think everyone out there knows that we are committed to full
disclosure and the concept of freely available security advisories,"
Pond said in a Wednesday posting to BugTraq. "What we are doing is
adding more information than we have in the past and we are adding it
on our Web site."

Yet, Levy remains unconvinced.

"Imagine if all advisory publishers decided to make this change," he
said in a Wednesday posting to the BugTraq list. "I fear such change
would create friction that would diminish valuable discussion on the
list and erode the BugTraq community."

ISN is hosted by SecurityFocus.com