BugTraq, @Stake differ on vulnerability reports

[William Knowles <wk () C4I ORG>]

http://www.theregister.co.uk/content/6/15533.html

By: Thomas C Greene in Washington
Posted: 15/12/2000 at 22:03 GMT

Two respected names in Internet security, SecurityFocus and @Stake,
have encountered what we hope will be a brief impasse on the issue of
how to share vulnerability reports, into which a great deal of
unremunerated work is put.

Recently, @Stake, which also runs the Hacker News Network Web site,
submitted an abbreviated notice to the BugTraq mailing list concerning
a security hole in AOL's Instant Messenger (AIM) explaining how a
malicious URL can be used to take control of someone else's AIM client
and run arbitrary code on their machine.

SecurityFocus' Elias Levy, who moderates the BugTraq list, rejected
the submission on grounds that it included too little descriptive
detail to be appropriate for his subscribers.

@Stake's Weld Pond countered that the submission, while brief,
contained a link to the full text on the @Stake Web site so that
BugTraq subscribers might easily examine all the gruesome technical
details if they pleased.

"We want to draw readers to our Web site to present them with
additional helpful information that cannot be accomplished in the
mailing list format," Weld Pond told The Register.

And that, of course, is perfectly reasonable.

Levy argues that while "some people....may prefer to receive a short
notice instead of the full advisory, that is not the case with
BugTraq." It is, rather, "a mailing list for the dissemination and
discussion of security vulnerabilities," rather than announcements, he
told us.

And that, too, is perfectly reasonable. What we have here is a
difference of opinion in which both parties are making sound, rational
arguments.

@Stake certainly has every right to influence the way in which their
original content is presented by third parties. "We do not wish to
have our research work presented as the content of another site that
has another company's banner ads or branding around it. If you look at
the advisory presentation on our site, there are no ads or marketing
messages. It is a strictly academic presentation," Weld Pond told us.

And yet again, Levy made a good point when he noted to us that posting
less than the full advisory to the BugTraq list "breaks down the flow
of discussion. Now people need to visit the Web site, read the
advisory, and if they want to comment copy and paste into a new
message."

"For very long we have tolerated the marketing copy on vendor
advisories because while annoying they were accompanied by useful
information. But in this change there is no value added to list
subscribers. It's for this reason that we are not accepting such
advisories," Levy added.

This development comes on the heels of a dispute with Microsoft which
told BugTraq that MS security advisories may not be reproduced in
whole on the list, citing copyright issues, as we reported here.

"I must admit I don't understand the change @Stake made. Microsoft I
can understand; @Stake I can't," Levy said.

"I've asked the list subscribers for their opinions. I've received
over five-hundred messages to far. While a handful of people liked the
notices, the large majority of them, probably around 95 per cent,
found the change to be a negative one and want me to hold firm to the
policy of not approving them."

Meanwhile, Weld Pond notes that @Stake's work remains freely available
on their site. "People can always reference our work and make fair use
of it. We do not wish to stop anyone from learning from it or using it
to better secure their computing resources or build better security
products. This is of course the primary reason we publish our research
and make it freely available for all to read. The fundamental values
of full disclosure remains unchanged," he told us.

But referencing the work is not the same as reproducing it. So we
might conclude that BugTraq's perfectly legitimate posting
requirements are simply incompatible with @Stake's perfectly
legitimate desire to draw Web surfers to their own site to view the
material in the format they prefer.

A recent story by ZD-Net may have added fuel to a fire that doesn't
quite exist. "The fight pits the open atmosphere of an Internet
mailing list with the proprietary tactics of two corporations that are
well-known in the security field, said Elias Levy," ZD-Net wrote.

We were immediately startled by the word "fight" attributed to Levy,
who is as peaceable a fellow as one might ever meet.

"I would not call it a feud. There haven't been any unpleasant
exchanges. I can't speak for @Stake but I get the impression they may
think I am being inflexible. After all, they did modify their notice
format once. Maybe I am being inflexible," Levy told us.

Hardly the words of a man girding himself for battle.

We would hope that these two organisations, whose work we admire
greatly, will be able to strike a compromise acceptable to both.

"The one compromise that seems obvious and was suggested by several
list members -- that of publishing the whole advisory but with a large
notice at top pointing people to the @Stake Web site for the most
up-to-date information -- seems not to be to @Stake's liking. I don't
know that there is a middle ground," Levy said.

Perhaps a copyright notice or 'reproduced by permission' notice would
be helpful here; we don't know. But we do know that it would be most
unfortunate if anything like the "fight" rumoured to be underway
should actually result from what we perceive as a mere difference of
opinion.

But we rather think it won't. At a minimum we reckon the two would
simply agree to disagree. Not the best of all possible outcomes
surely, but certainly not the worst.



*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".