Mailing List Archive

Re: Symantec Buys SecurityFocus, among others..
Did you read Announcements on their lists?
I mean what do they mean by the vulnerabilities they find ?
What they do is just moderate the damn list, and stop slipping useful
vulnerability details about Microsoft and alike.. wtf?
If that's the case with vendors policy, that they will inform vendors
and will give them 30 days grace period, then where the *hell* is
Apache's grace period. They developed the patch in like 24 hours or
something, couldn't they do it in 30 days if it was given?

looks like another one bites the dust.
I think people should stop posting their exploits at bugtraq, and if
they want full-disclosure, welcome to this list.


Regards,
---------
Muhammad Faisal Rauf Danka

Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk

Re: Symantec Buys SecurityFocus, among others..
From: "Muhammad Faisal Rauf Danka" <mfrd@attitudex.com>
Sent: Wednesday, July 17, 2002 16:32
Subject: Re: [Full-Disclosure] Symantec Buys SecurityFocus, among others..

(snip)

. I mean what do they mean by the vulnerabilities they find ?

I think we are talking about two different things here -- vulnerabilities
reported via BUGTRAQ, and vulnerabilities found elsewhere (internal
research, privileged access, whatever). Vulnerabilities reported via
BUGTRAQ will still be published on BUGTRAQ, in the same timely way it has
always been. The others... they might take longer to make it to BUGTRAQ.

This is actually not different from what most of those here (us?) do -- when
we receive privileged information on a vulnerability (or when we find one),
most of us will maintain secrecy for some time -- so that we can contact the
vendor, work out a bypass, play of being a black hat, whatever. At least, we
will NOT publish it until we can verify its authenticity.

. What they do is just moderate the damn list, and stop slipping useful
. vulnerability details about Microsoft and alike.. wtf?

Hold the fire, folks. Make sure it is an enemy you are firing on.

Give them time. Symantec is a business, yes, but being a business is not
identical to being stupid. The value of BUGTRAQ lies in its history of
being fair. Elias, and now Dave, have always done a very good job on the
moderation. We may not always agree with them (I myself have had -- under
other incarnations -- difference on points of view with Elias), but it is
their right, since they are the moderators.

(snip)

. looks like another one bites the dust.

Again, please remember -- if Symantec decides to censor BUGTRAQ... they will
have killed it in a more effective way than any other. BUGTRAQ is followed
not because it is SecurityFocus, but because it is BUGTRAQ. If BUGTRAQ will
bite the dust, or not, will (hopefully) depend on what Symantec forces in. I
certainly hope it will not die because of what one thinks it is, or is not.
This would be pure prejudice.

..hggdh..
RE: Symantec Buys SecurityFocus, among others..
On Thursday, July 18, 2002 09:40, HggdH [mailto:hggdh@attbi.com] wrote:

> Again, please remember -- if Symantec decides to censor BUGTRAQ... they will
> have killed it in a more effective way than any other. BUGTRAQ is followed
> not because it is SecurityFocus, but because it is BUGTRAQ. If BUGTRAQ will
> bite the dust, or not, will (hopefully) depend on what Symantec forces in. I
> certainly hope it will not die because of what one thinks it is, or is not.
> This would be pure prejudice.

In my humble opinion, it seems like it could be a major conflict of interest
to have the primary vulnerability reporting outlet controlled by a party who
also makes vulnerability scanning and intrusion detection products. This has
always been the case under SF, but it is *really* bad now. Note that
Symantec also announced purchases of Riptech and Recourse yesterday.

It would seem that Symantec would have an edge in updating their product line
before competitors have a chance to update theirs... Also, not to be cynical
but they have an economic incentive to "play games" with vulnerabilities
reported through outlets they control (keep in mind that there are no guarantees
about timeliness with respect to when the moderator must act on messages.) I'm
not saying they would do this; I'm just saying that they would have economic
incentive to do so.

Throughout the years, I have always used BugTraq as a means to "give back" to
the community; I do not appreciate my gift of free research to the community
being used to make other people money. Something needs to be done. Hopefully,
this list is the answer.

-E
RE: Symantec Buys SecurityFocus, among others..
Does anyone here think NTBUGTRAQ is a better list since TruSecure bought
it? The same will happen to bugtraq. Mark my words. The launching of
this list could not have been more timely.

Paul Schmehl (pauls@utdallas.edu)
Supervisor of Support Services
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
RE: Symantec Buys SecurityFocus, among others..
NTBugtraq started sliding down hill long before TruSecure bought it.
Russ' ego is what dragged that list down, and TruSecure bought into the
whole surgeon general BS and fed it even more.

On Thu, 18 Jul 2002, Schmehl, Paul L wrote:

> Date: Thu, 18 Jul 2002 09:49:53 -0500
> From: "Schmehl, Paul L" <pauls@utdallas.edu>
> Reply-To: full-disclosure@lists.netsys.com
> To: full-disclosure@lists.netsys.com
> Subject: RE: [Full-Disclosure] Symantec Buys SecurityFocus, among others..
>
> Does anyone here think NTBUGTRAQ is a better list since TruSecure bought
> it? The same will happen to bugtraq. Mark my words. The launching of
> this list could not have been more timely.
>
> Paul Schmehl (pauls@utdallas.edu)
> Supervisor of Support Services
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/~pauls/

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

"I don't intend to offend, I offend with my intent"

hellNbak@nmrc.org
http://www.nmrc.org/~hellnbak

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-