Bugtraq mailing list archives

OT: Copyright on Security advisories


From: aviram () JENIK COM (Aviram Jenik)
Date: Thu, 18 Feb 1999 19:52:54 +0200


I'm sorry for this off topic message, but I think others share my
opinion on this.

My message is directed mainly at H.E.R.T (Hacker Emergency Response
Team) and at ISS Alert, but also to all bugtraq subscribers.
I'm writing on behalf of a small group of people, operating a security
portal page (www.SecuriTeam.com), where we try to write about important
security issues and security news. Our site is non-commercial and
totally advertisement free, and we see it as a service to the security
community (just like many other free services offered to the security
community by others).
Naturally, we don't discover all the security holes ourselves, and we
rely heavily on mailing lists such as the Microsoft alert, ISS alert,
CERT alert, bugtraq, NTBugtraq and other helpful mailing lists and web
sites that deal with security.

The problem starts with advisories that contain:
"Permission is granted to reproduce and distribute HERT advisories in
their entirety, provided the HERT PGP signature is included and provided
the alert is used for noncommercial purposes and with the intent of
increasing the awareness of the Internet community"

(this is taken from a HERT advisory. ISS have a similar policy).

So what are my options (mine, and all the other folks who want to
publish this information)? The way I see it, I can only do copy & paste
of this information into an html page (including the PGP signature!!!),
and put it on-line.
I agree that this advisory has a very nice design to it, but it's way
different from the design of our web pages. The content is also
different. The target audience is different. These advisories are
usually long, and very technical. Our articles are short, and less
technical.

On the bottom line, my options shrink to one: Wait until someone else
publishes it, and paraphrase them. (now they're the "offenders").

I don't want to take the credit away from the authors. Every article we
publish contains explicit mentions of who found the bug, who reported
the bug, who published the fix, etc. We don't want to take credit for
things we didn't do, but we *do* want to provide good service to the
people who come to our web site! And this good service cannot include
"It is not to be edited in any way without express consent of X-Force"
(taken from the ISS alert advisories). I can't wait to get ISS's
permission for every exploit they find! Doing so will make the whole
concept of "security news" pointless.

I can only see two roads from here. The first road means the gradual
disappearance of non-commercial security information centers. Security
information will not be shared in forums such as bugtraq/ntbugtraq,
security newsgroups and web sites. You'll have to pay security
consultants to get information. (Actually, this doesn't sound that bad.
It means we'll make a lot of money)
The second road leads to totally free and open sharing of information.
ISS and HERT: If this is what you would like to see when you look at the
future, please loosen your restrictions from the security advisories you
publish.

I really want to emphasize one important point. We *really* don't want
the credit. We believe that if someone discovered a bug or exploit
they should have all the credit they deserve (hell, they could name the
bug after themselves if they wish. Am I right, Mr. Cuartango?). It seems
to me, they get more recognition when information about their exploit
spreads. But the actual text they wrote about the bug/exploit should not
be the main issue here, and putting a copyright on the full text misses
the point entirely.

I apologize for boring to death some (most?) of you on this list, but I
believe this is important enough to share with you, and I would really
like to hear what you all have to say about this issue.

--
-------------------------
Aviram Jenik

"Addicted to Chaos"

-------------------------
Today's quote:
Service to others is the rent you pay for your room here on earth.
                         - Muhammad Ali, in "Time", 1978


