[vox-tech] Apache OpenSSL worm passing around the internet...

Rick Moen vox-tech@lists.lugod.org
Fri, 13 Sep 2002 15:34:15 -0700


[Cross-posts snipped.]

Quoting ME (dugan@passwall.com):

> Now is a good time to subscribe to bugtraq! You get notices such as this
> about possible risks in security.

A couple of interesting issues have come up, over the last year, about
Bugtraq.

1.  Its sponsoring firm, security-management firm SecurityFocus, was
recently bought up by Symantec.  Much virtual ink was then spilled over
loss of editorial independence -- but this is probably an issue, if at
all, only concerning viruses and anti-viral software.

2.  Disclosure policy.  Oh my, what a political football this has been!  A
succession of crybaby organisations led by -- yep -- Microsoft
Corporation keep screaming to high heaven about Bugtraq's policy of
allowing posting to include full technical details of vulnerabilities,
including exploits.  Elias Levy and the rest of the SecurityFocus staff
have stuck to their guns on this one, even after the Symantec
acquisition.  (Symantec's own policy is to withhold details for a 30-day
"grace period".)

It's largely _because_ of its full-disclosure policy that Bugtraq is so
very useful -- arguably essential.  Alternatives such as CERT advisories
tend toward the useless end of the spectrum, for lack of that policy.

If you're running production servers, the timeliness of Bugtraq
vulnerability postings can matter.  In fact, a former colleague used to
autofeed the incoming message stream through pattern-matching filters,
attempting to trap urgent-for-his-network posts and notify him via
text pager.  This paid off in spades, as his network (a gay-oriented
ISP) was under attack pretty much all the time, and sometimes he was
able to sidestep new exploits by mere minutes.

-- 
Cheers,               "That article and its poster have been cancelled."
Rick Moen                   -- David B. O'Donnel, sysadmin for America Online
rick@linuxmafia.com
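A filter in the spirit of the pager set-up described above, added here as an example; it is not code from the original post or from the colleague mentioned. The inventory, urgency keywords and sample messages are all constructed for illustration.

```python
"""Triage incoming security-list mail against a site's software inventory."""
import re
from email import message_from_string
from email.message import Message

# Hypothetical inventory of software this site runs, each mapped to the
# patterns an advisory about it is likely to match in subject or body.
INVENTORY = {
    "apache": re.compile(r"\bapache\b|\bhttpd\b", re.I),
    "openssl": re.compile(r"\bopenssl\b|\bmod_ssl\b", re.I),
    "bind": re.compile(r"\bbind\b|\bnamed\b", re.I),
}

# Words suggesting an advisory is actionable now rather than informational.
URGENT = re.compile(r"\b(worm|exploit|remote|root|in the wild|0-?day)\b", re.I)


def triage(raw: str) -> dict:
    """Report which inventory items an advisory mentions and whether it is urgent."""
    msg: Message = message_from_string(raw)
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{subject}\n{body}"
    hits = sorted(name for name, pat in INVENTORY.items() if pat.search(text))
    return {"subject": subject, "matches": hits,
            "urgent": bool(hits) and bool(URGENT.search(text))}


def page_worthy(messages: list[str]) -> list[str]:
    """Subjects that would go to the pager: urgent and about something we run."""
    return [t["subject"] for t in map(triage, messages) if t["urgent"]]


# Constructed sample messages, loosely modelled on list traffic of the era.
SAMPLES = [
    "Subject: [BUGTRAQ] Apache/mod_ssl worm exploiting OpenSSL in the wild\n\n"
    "A worm is spreading via a remote overflow in OpenSSL-enabled Apache servers.\n",
    "Subject: [BUGTRAQ] Re: sendmail configuration question\n\n"
    "Not a vulnerability report, just a config question.\n",
    "Subject: [BUGTRAQ] BIND 9 minor logging bug\n\n"
    "Cosmetic issue in named log output; no security impact.\n",
]

if __name__ == "__main__":
    for subj in page_worthy(SAMPLES):
        print("PAGE:", subj)
```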