
Creating an Open Alternative to Bugtraq?

Cliff posted more than 11 years ago | from the routing-around-primarily-commercial-interests dept.

Security 25

mbogosian asks: "I am not a sysadmin, nor am I a security expert, but I appreciate those who are. In response to a recent story, I went out and registered two domain names: opentraq.org and opentraq.net. I am hereby throwing down the gauntlet: I am willing to have them resolve to DNS servers belonging to a group of volunteers who wish to start and maintain an Open alternative to security services like BugTraq and others offered at the SecurityFocus website without being encumbered by the OIS Security Vulnerability Reporting And Response Process. I will continue to pay the renewal fees for the names as long as someone wants to continue the effort. After the project becomes established and is maintained by a reputable (i.e., non-commercial) group of volunteers, I am willing to transfer ownership of the domains to that group at no cost. Feel free to contact me if you are interested. Let the discussion begin!" Do you feel such a thing is necessary at this time? Why or why not?


25 comments

dude. (2, Insightful)

Naikrovek (667) | more than 11 years ago | (#6205604)

uhh, dude, you should direct those efforts into fixing what's there, not creating something new, doubling the whole effort just because of one thing. Sure it's a non-trivial thing, but I think it would be a lot easier to fix what's there than redoing the whole thing, just because some folks can't get their exploits in time to exploit others.

Re:dude. (4, Insightful)

crotherm (160925) | more than 11 years ago | (#6205663)

OK.. so how do you fix Security Focus' plan to snip the balls from bugtraq? Watching SF's change from a small site to a very corporate site, I wonder how long it would take for bugtraq to lose what made it the first mail list I read every morning.

IMO, having an open and non-corp backed mail list to handle security bugs and the like would be the natural evolution needed to ensure sysadmins have the most up to date info.

Re:dude. (1)

mbogosian (537034) | more than 11 years ago | (#6216339)

uhh, dude, you should direct those efforts into fixing what's there, not creating something new, doubling the whole effort just because of one thing.

It's hard to fix an existing project when the problem is not in the project itself but in who owns it and dictates policy. Unless BugTraq ceases to be owned and controlled by Symantec (or influenced by Microsoft), then I still believe in the necessity of a Free (as in speech) alternative.

What I did not know is that there were already efforts to do this very same thing. They just aren't very popular or well-known. In this event, the hard part will be educating sysadmins to visit the alternative sites that already exist.

erm (3, Insightful)

sydlexic (563791) | more than 11 years ago | (#6205608)

let me get this straight, you ripped off an idea, spent $9 bucks on a domain and expect the real hard work to be done by a bunch of grateful volunteers. meanwhile, some dufus thought this was so amazing they posted the story on slashdot. great work all around people. if only it were really this easy.

Re:erm (1)

slashdot_commentator (444053) | more than 11 years ago | (#6206703)

Talk about corporate shill. "Ripped off an idea"? Do you think Symantec "invented" bugtraq? Or is entitled to dictate what gets posted on bugtraq by virtue of hosting it? (I'd argue it is, but it underlies the problem the guy who bought the domains wanted to correct.) Who do you think was paying the original maintainers before SecurityFocus agreed to host bugtraq?

Man, I can't believe someone upmodded you. The question should be whether there has been enough telltale tampering by Symantec to dictate the need for an open forum to replace what bugtraq used to be. (But I have not been following the mailing list close enough to have an opinion on it.)

Re:erm (1)

mbogosian (537034) | more than 11 years ago | (#6216206)

let me get this straight, you ripped off an idea, spent $9 bucks on a domain and expect the real hard work to be done by a bunch of grateful volunteers. meanwhile, some dufus thought this was so amazing they posted the story on slashdot. great work all around people. if only it were really this easy.

Actually, the intention was not to rip off an idea. It was more to provide a security information platform without corporate influence (which is what led to the problem in the first place). I'm certainly not trying to make any money from this (I certainly won't accept any). I'm just trying to initiate a Free (as in speech) alternative.

Nice that someone is willing (2, Insightful)

Coyote67 (220141) | more than 11 years ago | (#6205610)

I don't know about you guys but I don't think whether it's necessary is important. Is there really a justifiable reason not to have an OSS community run bug tracking site? If you think about it, it can benefit a lot of people, and maybe even speed up patches/fixes/updates/whatever.
I'd also like to see something like this supported by major firms, maybe just by setting up a system where the community can easily communicate with firms regarding security and bug issues.

Bugtraq works just fine (4, Insightful)

DeadSea (69598) | more than 11 years ago | (#6205620)

The previous article you point to shows recommendations from a group of companies that argue that bug reports should not be made public. Bugtraq does not follow this recommendation, and I doubt that it ever will. Bugtraq fully discloses bugs to the general public and I don't see that changing any time soon.

The bug finding, reporting, fixing, and patching process should minimize the potential damage. If your goal is to minimize damage then neither full immediate disclosure nor no disclosure is a good answer. Bruce Schneier has written a good article about full disclosure in his Crypto-Gram newsletter [counterpane.com].

Unless bugtraq is falling down on the job, why do we need another one?

Re:Bugtraq works just fine (2, Insightful)

lpontiac (173839) | more than 11 years ago | (#6208472)

The previous article you point to shows recommendations from a group of companies that argue that bug reports should not be made public. Bugtraq does not follow this recommendation, and I doubt that it ever will

"ever" is a strong word. Remember that one of the companies giving those recommendations is Symantec. Symantec own SecurityFocus. SecurityFocus runs Bugtraq.

Re:Bugtraq works just fine (1)

mbogosian (537034) | more than 11 years ago | (#6216444)

Bugtraq does not follow this recommendation, and I doubt that it ever will. Bugtraq fully discloses bugs to the general public and I don't see that changing any time soon.

My fear is that the controlling organization will exert pressure to change policies. The only way to avoid this is to have a system over which commercial organizations cannot exert pressure in this way. I hope you are right that BugTraq does not change their policy, but look at who pays their bills....

I LIKE KISSIN BOIS (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6205625)

I like kissin kewsh the most

Yet Another Try... *yawn* (3, Insightful)

Hanashi (93356) | more than 11 years ago | (#6205647)

This isn't a new idea. Various people or groups dissatisfied with Bugtraq have created their own alternative lists over the years. No one pays much attention to any of them. For a good example, check out BugDev [avet.com.pl].

I applaud your initiative, but honestly, I don't see either the need or the point.

Re:Yet Another Try... *yawn* (1, Informative)

Anonymous Coward | more than 11 years ago | (#6205710)

Full-Disclosure [netsys.com] would be a better example.

Re:Yet Another Try... *yawn* (1)

swillden (191260) | more than 11 years ago | (#6206923)

I applaud your initiative

Registering two domains is initiative? The guy could at least offer to provide the servers behind them, if he's not willing to do any of the work.

Re:Yet Another Try... *yawn* (1)

mbogosian (537034) | more than 11 years ago | (#6216474)

Registering two domains is initiative? The guy could at least offer to provide the servers behind them, if he's not willing to do any of the work.

I'm willing to help in any way I can. I thought domain registration and a SlashDot article was a good first step. I'm just one guy without very much money (having been laid off in the past year), but I'd be happy to donate what I can towards bandwidth or server costs. I thought I might try and get the ball rolling to see how much response there was. I'll be the first to admit I'm not qualified to head the effort up or maintain it, but I am qualified to register a few domains before the corporations can and see if the idea gets any traction with the community.

Re:Yet Another Try... *yawn* (1)

swillden (191260) | more than 11 years ago | (#6216724)

I imagine you'll be about as successful as all those non-programmers with a great application idea who go create a sourceforge project, write up some ideas, and wait for the programmers to come build it.

Good luck; I sincerely hope you'll get better results than I expect you to.

Vulnwatch (1, Informative)

El Volio (40489) | more than 11 years ago | (#6206088)

Someone's already done this and it's called VulnWatch [vulnwatch.org].

Full-Disclosure (1)

dodobh (65811) | more than 11 years ago | (#6206449)

http://lists.netsys.com/mailman/listinfo/full-disclosure

Already does what you want it to do.

Re:Full-Disclosure (1)

hrbrmstr (324215) | more than 11 years ago | (#6207784)

I second the full-disclosure link. Check it out. It's pretty much what you're looking for minus the shifty FQDN...

If you're really serious about having a "bugtraq alternative", then start posting on full-disclosure and encourage others to do so as well.

New twist on an old ploy. (3, Interesting)

FreeLinux (555387) | more than 11 years ago | (#6206621)

I'm sorry if you are being genuine, as I do not mean to offend but.....

This smells like a slightly new twist on good old domain prospecting, parking, hijacking. You want someone else to build a site that will require a lot of work and moreover, A LOT of bandwidth and in return you will allow them to use your name. So, if this new superfluous site is successful, you get the credit/money with virtually no investment, monetary or sweat equity.

I doubt very much that anyone will take you up on this offer.

Re:New twist on an old ploy. (1)

mbogosian (537034) | more than 11 years ago | (#6216292)

This smells like a slightly new twist on good old domain prospecting, parking, hijacking. You want someone else to build a site that will require a lot of work and moreover, A LOT of bandwidth and in return you will allow them to use your name. So, if this new superfluous site is successful, you get the credit/money with virtually no investment, monetary or sweat equity.

The truth is, I'm just one individual without much money to spend on bandwidth and servers, etc. My intention is not to hijack domains. I tried (but probably failed) to convey that I'm perfectly willing to transfer them at no cost to the recipient as long as I could be certain that they are not Symantec/Microsoft/etc.

As it now stands, I am now of many of the alternatives, so the best solution might be to point them at one of those and then offer to donate the domains to that organization. Recommendations?

Re:New twist on an old ploy. (1)

mbogosian (537034) | more than 11 years ago | (#6216392)

...I am now of many of the alternatives....

That should have read, "...I am now aware of many of the alternatives...".

"me too" (3, Interesting)

aggieben (620937) | more than 11 years ago | (#6206868)

I don't see any problem with bugtraq. I'm happily subscribed and read the emails I get. I don't really see the need for effort to duplicate a system that exists and works, more or less. For the parts that don't work so great, there are already several other groups/systems/sites out there (that have been mentioned in this thread), and individuals and very small groups fill in the cracks even further.

Too Much (2, Insightful)

truffle pig (555677) | more than 11 years ago | (#6221446)

I personally think that Bugtraq does a pretty good job already. The problem I see happening with having multiple lists such as the one being presented here is a case of information overload. All I can think about is having to sift through a series of duplicate vulnerabilities that people posted to both lists. It already takes me long enough some mornings to keep up with everything that has been posted to Bugtraq overnight.

Knowing this I would say if you want to do something, make it a couple degrees more useful than Bugtraq. I think a more interactive forum would be nice. I see some value in being able to perform advanced searches for vulnerabilities and code samples, as well as more filtering capabilities on the mailing list to sort out vulnerabilities that are only relevant to your environment.

Just some thoughts, but my impression is that the person who submitted the story doesn't want to do any real work anyway so this is all probably a moot point.

In Soviet Russia... (-1)

I'm not a script, da (638454) | more than 11 years ago | (#6229856)

...bug traqs you!