http://www.theregister.co.uk/content/55/26315.html

[For an unbiased article on alternative lists to BugTraq, I find it
interesting there is no mention of Vulnwatch moderated by RFP,
Manzuik, and Wysopal. - WK]

By Thomas C Greene in Washington
Posted: 22/07/2002 at 19:05 GMT

There's been considerable discussion this weekend of the recent sale
of SecurityFocus [1] to mega-corporation Symantec for a sweet $75
million. At issue in particular is SF's BugTraq mailing list, which
has for years been the most popular full-disclosure vulnerability list
going.

While Symantec has stated that it will not exert influence on BugTraq,
which it now owns, many list members find that assurance hard to
trust. However, in this case only time will tell. I personally have
little doubt that the SF staff intend to keep BugTraq and its
extensive archives independent and free. Whether they'll succeed in
the long run is an entirely different matter.

The deal has generated further controversy because SF has sold
something quite valuable which it received free of charge, namely the
exploits submitted by list members. These are valuable for developing
scanning software like Snort, Nessus, and the like. And naturally,
when this much cash changes hands, people may get envious. They may
also feel they're owed something for the free contributions they've
voluntarily made.

Coincident with the Symantec announcement, a new list opened up to
address the anticipated fall of BugTraq. It's actually called Full
Disclosure [2] and is unmoderated, meaning that within hours it began
degenerating into a forum for the 'full disclosure' of members'
opinions.

Among these are a comment from Charles Stevenson bringing the security
'community' to task for "supporting the exploitation and misuse of
proprietary exploit source code to further the large companies'
for-profit endeavours."

There was also a suggestion from Jay Dyson that exploit code
submissions and vulnerability advisories be licensed in some way to
prevent their use by profiteers.

Conflict alert

At this point I have to say that The Register and SecurityFocus have a
longstanding business relationship involving content sharing. And I
may as well add that SF Editorial Director Kevin Poulsen is a close
friend of mine; and that I happen to like and respect co-founder Elias
Levy, though I'm not closely acquaited with him. Now back to my
completely unbiased article.

Sour resumes

It does seem odd that contributors to BugTraq should expect
consideration after making free submissions to it with no expectation
of reward. So far as I know no one at SF ever asked them to perform
the work which their submissions represent, or ever promised them
anything in return. The idea behind BugTraq has always been to make
the information available to anyone who can use it. And so long as it
remains freely available, there shouldn't be a problem.

As we saw at H2K2, some people [3] believe that a large fraction of
posts to BugTraq have more to do with resume padding than the free
exchange of ideas and selfless sharing of research for the improvement
of everyone's security. (I happen to agree with this observation.)
According to the theory, people send in exploit code they've spent
days or weeks perfecting in quest of the publicity needed to find
fabulous jobs or to start up their own security firms.

But now people are concerned that BugTraq won't continue to function
as it has in service of these ambitions. And if these fears should be
justified over time, other public outlets for cleverness exhibition
will have to be devised and other forms of compensation sought. Thus
the idea of cashing in on the code is circulating.

Of course that would cause problems for developers of free and
open-source products. Perhaps a EULA could be useful here, stipulating
that the code is royalty-free to GPL'd open-source apps and
share/freeware, and imposing a royalty on its use in proprietary,
for-profit products. Or perhaps not. Personally, I don't see any way
something of that sort can be enforced. If a big company steals your
idea, they can all too easily claim that their vast team of
researchers hit on the same item coincidentally (this often happens
for real, as the publication of new discoveries will set many
different people thinking along similar lines).

The questions surrounding vulnerability disclosure are endless and
probably insoluble. Even the very fact of disclosure is controversial:
many believe that the announcements give malicious hackers an unfair
advantage; many others (like me) believe that withholding the
information leaves users at increased risk on the theory that
forewarned is forearmed.

And the timing of announcements is still in dispute. How long is 'long
enough' for a vendor to patch an issue before the details are released
publicly? I'm in favor of full disclosure, yet I was appalled [4] when
ISS recently gave Apache less than 24 hours to deal with a significant
vulnerability.

And now we have the issue of what a researcher is owed for work freely
offered. Publicity used to be enough; but now that people have begun
worrying about the future independence of BugTraq, it may not be
enough for long. As one observer remarked, there's a difference
between contributing to SecurityFocus, and working for Symantec.

At this point I have to appeal to the wisdom of The Reg's beloved
readers. Does the act of making a free contribution to a public,
full-disclosure list imply that the material is up for grabs? Aren't
restrictions on further use a contradiction of everything 'full
disclosure' represents? Should contributors to open forums expect
consideration when someone else profits from their work? Should they
have the right to deny use of their contribution by for-profit
concerns who refuse to pay? Should open-source developers be given
freedom to use the data, while commercial developers are expected to
kick back a royalty? Is there any hope of enforcing or defending a
patent, copyright or EULA on such submissions? Is there any practice
or standard that won't make network and software security an even more
gargantuan mess than it already is?

I honestly don't know.

-=-

[1] http://securityfocusonline.com/
[2] http://lists.netsys.com/pipermail/full-disclosure/2002-July/thread.html
[3] http://www.theregister.co.uk/content/55/26198.html
[4] http://www.theregister.co.uk/content/4/25766.html

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoattrition.org with 'unsubscribe isn'
in the BODY of the mail.

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]