Symantec's SecurityFocus buyout met with pessimism

[InfoSec News <isn () c4i org>]

http://www.theregister.co.uk/content/55/26315.html

[For an unbiased article on alternative lists to BugTraq, I find it
interesting there is no mention of Vulnwatch moderated by RFP,
Manzuik, and Wysopal.  - WK]


By Thomas C Greene in Washington
Posted: 22/07/2002 at 19:05 GMT

There's been considerable discussion this weekend of the recent sale
of SecurityFocus [1] to mega-corporation Symantec for a sweet $75
million.  At issue in particular is SF's BugTraq mailing list, which
has for years been the most popular full-disclosure vulnerability list
going.

While Symantec has stated that it will not exert influence on BugTraq, 
which it now owns, many list members find that assurance hard to 
trust. However, in this case only time will tell. I personally have 
little doubt that the SF staff intend to keep BugTraq and its 
extensive archives independent and free. Whether they'll succeed in 
the long run is an entirely different matter. 

The deal has generated further controversy because SF has sold 
something quite valuable which it received free of charge, namely the 
exploits submitted by list members. These are valuable for developing 
scanning software like Snort, Nessus, and the like. And naturally, 
when this much cash changes hands, people may get envious. They may 
also feel they're owed something for the free contributions they've 
voluntarily made. 

Coincident with the Symantec announcement, a new list opened up to 
address the anticipated fall of BugTraq. It's actually called Full 
Disclosure [2] and is unmoderated, meaning that within hours it began 
degenerating into a forum for the 'full disclosure' of members' 
opinions. 

Among these are a comment from Charles Stevenson bringing the security 
'community' to task for "supporting the exploitation and misuse of 
proprietary exploit source code to further the large companies' 
for-profit endeavours." 

There was also a suggestion from Jay Dyson that exploit code 
submissions and vulnerability advisories be licensed in some way to 
prevent their use by profiteers. 

Conflict alert 

At this point I have to say that The Register and SecurityFocus have a 
longstanding business relationship involving content sharing. And I 
may as well add that SF Editorial Director Kevin Poulsen is a close 
friend of mine; and that I happen to like and respect co-founder Elias 
Levy, though I'm not closely acquaited with him. Now back to my 
completely unbiased article. 

Sour resumes 

It does seem odd that contributors to BugTraq should expect 
consideration after making free submissions to it with no expectation 
of reward. So far as I know no one at SF ever asked them to perform 
the work which their submissions represent, or ever promised them 
anything in return. The idea behind BugTraq has always been to make 
the information available to anyone who can use it. And so long as it 
remains freely available, there shouldn't be a problem. 

As we saw at H2K2, some people [3] believe that a large fraction of
posts to BugTraq have more to do with resume padding than the free
exchange of ideas and selfless sharing of research for the improvement
of everyone's security. (I happen to agree with this observation.)  
According to the theory, people send in exploit code they've spent
days or weeks perfecting in quest of the publicity needed to find
fabulous jobs or to start up their own security firms.

But now people are concerned that BugTraq won't continue to function 
as it has in service of these ambitions. And if these fears should be 
justified over time, other public outlets for cleverness exhibition 
will have to be devised and other forms of compensation sought. Thus 
the idea of cashing in on the code is circulating. 

Of course that would cause problems for developers of free and 
open-source products. Perhaps a EULA could be useful here, stipulating 
that the code is royalty-free to GPL'd open-source apps and 
share/freeware, and imposing a royalty on its use in proprietary, 
for-profit products. Or perhaps not. Personally, I don't see any way 
something of that sort can be enforced. If a big company steals your 
idea, they can all too easily claim that their vast team of 
researchers hit on the same item coincidentally (this often happens 
for real, as the publication of new discoveries will set many 
different people thinking along similar lines). 

The questions surrounding vulnerability disclosure are endless and 
probably insoluble. Even the very fact of disclosure is controversial: 
many believe that the announcements give malicious hackers an unfair 
advantage; many others (like me) believe that withholding the 
information leaves users at increased risk on the theory that 
forewarned is forearmed. 

And the timing of announcements is still in dispute. How long is 'long
enough' for a vendor to patch an issue before the details are released
publicly? I'm in favor of full disclosure, yet I was appalled [4] when
ISS recently gave Apache less than 24 hours to deal with a significant
vulnerability.

And now we have the issue of what a researcher is owed for work freely 
offered. Publicity used to be enough; but now that people have begun 
worrying about the future independence of BugTraq, it may not be 
enough for long. As one observer remarked, there's a difference 
between contributing to SecurityFocus, and working for Symantec. 

At this point I have to appeal to the wisdom of The Reg's beloved 
readers. Does the act of making a free contribution to a public, 
full-disclosure list imply that the material is up for grabs? Aren't 
restrictions on further use a contradiction of everything 'full 
disclosure' represents? Should contributors to open forums expect 
consideration when someone else profits from their work? Should they 
have the right to deny use of their contribution by for-profit 
concerns who refuse to pay? Should open-source developers be given 
freedom to use the data, while commercial developers are expected to 
kick back a royalty? Is there any hope of enforcing or defending a 
patent, copyright or EULA on such submissions? Is there any practice 
or standard that won't make network and software security an even more 
gargantuan mess than it already is? 

I honestly don't know. 

-=-

[1] http://securityfocusonline.com/
[2] http://lists.netsys.com/pipermail/full-disclosure/2002-July/thread.html
[3] http://www.theregister.co.uk/content/55/26198.html
[4] http://www.theregister.co.uk/content/4/25766.html



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.