I'm sorry for this off topic message, but I think others share my opinion on this. My message is directed mainly at H.E.R.T (Hacker Emergency Response Team) and at ISS Alert, but also to all bugtraq subscribers. I'm writing on behalf of a small group of people, operating a security portal page (www.SecuriTeam.com), where we try to write about important security issues and security news. Our site is non-commercial and totally advertisement free, and we see it as a service to the security community (just like many other free services offered to the security community by others). Naturally, we don't discover all the security holes ourselves, and we rely heavily on mailing lists such as the Microsoft alert, ISS alert, CERT alert, bugtraq, NTBugtraq and other helpful mailing lists and web sites that deal with security.

The problem starts with advisories that contain: "Permission is granted to reproduce and distribute HERT advisories in their entirety, provided the HERT PGP signature is included and provided the alert is used for noncommercial purposes and with the intent of increasing the awareness of the Internet community" (this is taken from a HERT advisory. ISS have a similar policy).

So what are my options (mine, and all the other folks who want to publish this information)? The way I see it, I can only do copy & paste of this information into an HTML page (including the PGP signature!!!), and put it on-line. I agree that this advisory has a very nice design to it, but it's way different from the design of our web pages. The content is also different. The target audience is different. These advisories are usually long, and very technical. Our articles are short, and less technical. On the bottom line, my options shrink to one: Wait until someone else publishes it, and paraphrase them. (now they're the "offenders"). I don't want to take the credit away from the authors.
Every article we publish contains explicit mentions of who found the bug, who reported the bug, who published the fix, etc. We don't want to take credit for things we didn't do, but we *do* want to provide good service to the people who come to our web site! And this good service cannot include "It is not to be edited in any way without express consent of X-Force" (taken from the ISS alert advisories). I can't wait to get ISS's permission for every exploit they find! Doing so will make the whole concept of "security news" pointless.

I can only see two roads from here. The first road means the gradual disappearance of non-commercial security information centers. Security information will not be shared in forums such as bugtraq/ntbugtraq, security newsgroups and web sites. You'll have to pay security consultants to get information. (Actually, this doesn't sound that bad. It means we'll make a lot of money) The second road leads to totally free and open sharing of information. ISS and HERT: If this is what you would like to see when you look at the future, please loosen your restrictions from the security advisories you publish.

I really want to emphasize one important point. We *really* don't want the credit. We believe that if someone discovered a bug or exploit they should have all the credit they deserve (hell, they could name the bug after themselves if they wish. Am I right, Mr. Cuartango?). It seems to me, they get more recognition when information about their exploit spreads. But the actual text they wrote about the bug/exploit should not be the main issue here, and putting a copyright on the full text misses the point entirely. I apologize for boring to death some (most?) of you on this list, but I believe this is important enough to share with you, and I would really like to hear what you all have to say about this issue.
--
-------------------------
Aviram Jenik
"Addicted to Chaos"
-------------------------
Today's quote: Service to others is the rent you pay for your room here on earth. - Muhammad Ali, in "Time", 1978
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:35:46 PDT