[ISN] Symantec's SecurityFocus buyout met with pessimism

From: InfoSec News (isnat_private)
Date: Tue Jul 23 2002 - 00:16:54 PDT

  • Next message: InfoSec News: "[ISN] Hard Disk Will Have Hackers Seeing Double"

    [For an unbiased article on alternative lists to BugTraq, I find it
    interesting there is no mention of Vulnwatch moderated by RFP,
    Manzuik, and Wysopal.  - WK]
    By Thomas C Greene in Washington
    Posted: 22/07/2002 at 19:05 GMT
    There's been considerable discussion this weekend of the recent sale
    of SecurityFocus [1] to mega-corporation Symantec for a sweet $75
    million.  At issue in particular is SF's BugTraq mailing list, which
    has for years been the most popular full-disclosure vulnerability list
    While Symantec has stated that it will not exert influence on BugTraq, 
    which it now owns, many list members find that assurance hard to 
    trust. However, in this case only time will tell. I personally have 
    little doubt that the SF staff intend to keep BugTraq and its 
    extensive archives independent and free. Whether they'll succeed in 
    the long run is an entirely different matter. 
    The deal has generated further controversy because SF has sold 
    something quite valuable which it received free of charge, namely the 
    exploits submitted by list members. These are valuable for developing 
    scanning software like Snort, Nessus, and the like. And naturally, 
    when this much cash changes hands, people may get envious. They may 
    also feel they're owed something for the free contributions they've 
    voluntarily made. 
    Coincident with the Symantec announcement, a new list opened up to 
    address the anticipated fall of BugTraq. It's actually called Full 
    Disclosure [2] and is unmoderated, meaning that within hours it began 
    degenerating into a forum for the 'full disclosure' of members' 
    Among these are a comment from Charles Stevenson bringing the security 
    'community' to task for "supporting the exploitation and misuse of 
    proprietary exploit source code to further the large companies' 
    for-profit endeavours." 
    There was also a suggestion from Jay Dyson that exploit code 
    submissions and vulnerability advisories be licensed in some way to 
    prevent their use by profiteers. 
    Conflict alert 
    At this point I have to say that The Register and SecurityFocus have a 
    longstanding business relationship involving content sharing. And I 
    may as well add that SF Editorial Director Kevin Poulsen is a close 
    friend of mine; and that I happen to like and respect co-founder Elias 
    Levy, though I'm not closely acquaited with him. Now back to my 
    completely unbiased article. 
    Sour resumes 
    It does seem odd that contributors to BugTraq should expect 
    consideration after making free submissions to it with no expectation 
    of reward. So far as I know no one at SF ever asked them to perform 
    the work which their submissions represent, or ever promised them 
    anything in return. The idea behind BugTraq has always been to make 
    the information available to anyone who can use it. And so long as it 
    remains freely available, there shouldn't be a problem. 
    As we saw at H2K2, some people [3] believe that a large fraction of
    posts to BugTraq have more to do with resume padding than the free
    exchange of ideas and selfless sharing of research for the improvement
    of everyone's security. (I happen to agree with this observation.)  
    According to the theory, people send in exploit code they've spent
    days or weeks perfecting in quest of the publicity needed to find
    fabulous jobs or to start up their own security firms.
    But now people are concerned that BugTraq won't continue to function 
    as it has in service of these ambitions. And if these fears should be 
    justified over time, other public outlets for cleverness exhibition 
    will have to be devised and other forms of compensation sought. Thus 
    the idea of cashing in on the code is circulating. 
    Of course that would cause problems for developers of free and 
    open-source products. Perhaps a EULA could be useful here, stipulating 
    that the code is royalty-free to GPL'd open-source apps and 
    share/freeware, and imposing a royalty on its use in proprietary, 
    for-profit products. Or perhaps not. Personally, I don't see any way 
    something of that sort can be enforced. If a big company steals your 
    idea, they can all too easily claim that their vast team of 
    researchers hit on the same item coincidentally (this often happens 
    for real, as the publication of new discoveries will set many 
    different people thinking along similar lines). 
    The questions surrounding vulnerability disclosure are endless and 
    probably insoluble. Even the very fact of disclosure is controversial: 
    many believe that the announcements give malicious hackers an unfair 
    advantage; many others (like me) believe that withholding the 
    information leaves users at increased risk on the theory that 
    forewarned is forearmed. 
    And the timing of announcements is still in dispute. How long is 'long
    enough' for a vendor to patch an issue before the details are released
    publicly? I'm in favor of full disclosure, yet I was appalled [4] when
    ISS recently gave Apache less than 24 hours to deal with a significant
    And now we have the issue of what a researcher is owed for work freely 
    offered. Publicity used to be enough; but now that people have begun 
    worrying about the future independence of BugTraq, it may not be 
    enough for long. As one observer remarked, there's a difference 
    between contributing to SecurityFocus, and working for Symantec. 
    At this point I have to appeal to the wisdom of The Reg's beloved 
    readers. Does the act of making a free contribution to a public, 
    full-disclosure list imply that the material is up for grabs? Aren't 
    restrictions on further use a contradiction of everything 'full 
    disclosure' represents? Should contributors to open forums expect 
    consideration when someone else profits from their work? Should they 
    have the right to deny use of their contribution by for-profit 
    concerns who refuse to pay? Should open-source developers be given 
    freedom to use the data, while commercial developers are expected to 
    kick back a royalty? Is there any hope of enforcing or defending a 
    patent, copyright or EULA on such submissions? Is there any practice 
    or standard that won't make network and software security an even more 
    gargantuan mess than it already is? 
    I honestly don't know. 
    [1] http://securityfocusonline.com/
    [2] http://lists.netsys.com/pipermail/full-disclosure/2002-July/thread.html
    [3] http://www.theregister.co.uk/content/55/26198.html
    [4] http://www.theregister.co.uk/content/4/25766.html
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Jul 23 2002 - 02:49:45 PDT