Bugtraq

Bugtraq was an electronic mailing list dedicated to issues about computer security. On-topic issues are new discussions about vulnerabilities, vendor security-related announcements, methods of exploitation, and how to fix them. It was a high-volume mailing list, with as many as 776 posts in a month, [1] and almost all new security vulnerabilities were discussed on the list in its early days. The forum provided a vehicle for anyone to disclose and discuss computer vulnerabilities, including security researchers and product vendors. While the service has not been officially terminated, and its archives are still publicly accessible, no new posts have been made since January 2021.

History

Bugtraq was created on November 5, 1993 by Scott Chasin [2] in response to the perceived failings of the existing Internet security infrastructure of the time, particularly CERT. Bugtraq's policy was to publish vulnerabilities, regardless of vendor response, as part of the full disclosure movement of vulnerability disclosure. The list was sometimes spelled BugTraq, but common usage over the years called it Bugtraq. It grew to 2,500 subscribers by May 19, 1995 [3] and over 40,000 by February, 2000. [4]

Elias Levy, known as Aleph One (alluding to the cardinal number aleph one), noted in an interview that "the environment at that time was such that vendors weren't making any patches. So the focus was on how to fix software that companies weren't fixing." Levy considered the idea of abstracting Bugtraq to be platform-specific, to reduce irrelevant information for those interested only in particular operating systems. [5] [6]

Bugtraq was originally hosted at Crimelab.com, run by Scott Chasin. It was moved to the Brown University NetSpace Project (which has since been reorganized as the NetSpace Foundation) on June 5, 1995, the same day its moderation began. In July 1999 it became the property of SecurityFocus and was moved there. [7] [8] SecurityFocus was acquired in full by Symantec on August 6, 2002. [9] As of February 25, 2020, traffic from the list stopped without explanation. [10] In 2002, the Full-Disclosure mailing list was created because many people felt the list had "changed for the worse". [11]

On April 30, 2020, Accenture Security completed its acquisition of Symantec's Cybersecurity Services including SecurityFocus, which included Bugtraq. [12]

Controversy

Moderation

The mailing list was originally unmoderated, then received only occasional moderation that many participants considered inadequate. In one incident, what appeared to be sensitive credit-card information was allowed to be posted. [13] Subsequent posts challenged many aspects of the list, including the full disclosure of vulnerabilities, and suggested it either go unmoderated or that moderators change the way they approached it. [14]

Moderation began on June 5, 1995. Elias Levy moderated the list from June 14, 1996 until he stepped down on October 15, 2001. David Mirza Ahmad, one of the many co-authors of Hack Proofing Your Network, Second Edition, took over from Levy and continued until he stepped down on February 23, 2006. [15] David McKinney, a DeepSight threat analyst at Symantec, took over from Ahmad. Moderation duties have now been assumed by another DeepSight analyst, Prasanna. [16]

During his tenure, Ahmad proposed that the list adopt more "community involvement" and "a more democratic process for making important decisions on the future of Bugtraq and the Security Focus website". [17] Despite receiving feedback, according to Alfred Huger, [18] further community involvement did not manifest.

Delays in Moderation

Delays in list moderation occurred several times, sometimes due to technical issues [19] and DDoS attacks. [20] Other times, posts to the list vanished due to unspecified "mail problems". [21] In August 1997, the list went quiet for several days while Aleph One was on vacation and the person entrusted to moderate failed to do so. [22] After the list was transitioned to SecurityFocus and Symantec acquired the company, some researchers noticed that their posts to the list were delayed, as moderation no longer occurred on weekends. Despite the delays, vulnerability information from some of those posts was used in Symantec's DeepSight commercial offering, which includes a vulnerability database. [23]

Copyrighted Advisories

In late 2000, when Levy posted the full content of a Microsoft security advisory to the list, Microsoft complained that it was a copyright violation. [24]

Demise

As of February 24, 2020, Symantec stopped approving posts to Bugtraq. [25] No final message from the list administrators and no statement from Symantec was posted. This came after the BID vulnerability database maintained by Symantec stopped being publicly updated on July 26, 2019, just over one month before it was acquired by Broadcom. [26] On January 1, 2021, Accenture announced that Bugtraq would be shut down. [27] On January 15, 2021, what appeared to be a final email was sent to the list confirming it was being shut down, citing that "resources for the BugTraq mailing list have not been prioritized". [28] However, the decision was reconsidered based on feedback from the community, and on January 17, 2021, Accenture posted a message to the list announcing the continuation of Bugtraq, [29] followed by a lengthier blog post explaining their goals. [30] The continuation announcement was the last message ever published to the mailing list, and no further activity is recorded in any of the public archives.

Related Research Articles

In the field of computer security, independent researchers often discover flaws in software that can be abused to cause unintended behaviour; these flaws are called vulnerabilities. The process by which the analysis of these vulnerabilities is shared with third parties is the subject of much debate, and is referred to as the researcher's disclosure policy. Full disclosure is the practice of publishing analysis of software vulnerabilities as early as possible, making the data accessible to everyone without restriction. The primary purpose of widely disseminating information about vulnerabilities is so that potential victims are as knowledgeable as those who attack them.

Defensive programming is a form of defensive design intended to develop programs that are capable of detecting potential security abnormalities and make predetermined responses. It ensures the continuing function of a piece of software under unforeseen circumstances. Defensive programming practices are often used where high availability, safety, or security is needed.

SQL Slammer is a 2003 computer worm that caused a denial of service on some Internet hosts and dramatically slowed general Internet traffic. It also crashed routers around the world, causing even more slowdowns. It spread rapidly, infecting most of its 75,000 victims within 10 minutes.

Accenture (Irish multinational consulting company)

Accenture plc is an Irish-American professional services company based in Dublin, specializing in information technology (IT) services and consulting. A Fortune Global 500 company, it reported revenues of $64.1 billion in 2023. Accenture's current clients include 91 of the Fortune Global 100 and more than three-quarters of the Fortune Global 500. As of 2022, Accenture is considered the largest consulting firm in the world by number of employees.

Uncontrolled format string is a type of code injection vulnerability discovered around 1989 that can be used in security exploits. Originally thought harmless, format string exploits can be used to crash a program or to execute harmful code. The problem stems from the use of unchecked user input as the format string parameter in certain C functions that perform formatting, such as printf. A malicious user may use the %s and %x format tokens, among others, to print data from the call stack or possibly other locations in memory. One may also write arbitrary data to arbitrary locations using the %n format token, which commands printf and similar functions to write the number of bytes formatted so far to an address stored on the stack.
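The defect described above and its fix, as an added C example (not code from the article or any project it mentions): the vulnerable pattern passes untrusted text as printf's format argument, the hardened form keeps the format constant and passes the text as a "%s" argument, and a small helper flags inputs that contain directives so they can be logged or rejected. The helper name and the sample input are constructed for this example.

```c
#include <stdio.h>
#include <stdbool.h>

/* Returns true if `s` contains a conversion directive that printf would
 * interpret ("%x", "%s", "%n", ...). A doubled "%%" is a literal percent
 * sign and is not counted. */
bool has_format_directive(const char *s) {
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" is an escaped literal '%' */
            p++;
            continue;
        }
        return true;            /* any other '%' starts a directive */
    }
    return false;
}

/* Vulnerable pattern: the untrusted text IS the format string, so "%x"
 * reads stack words and "%n" writes a count to memory.
 *
 *     void log_line(const char *msg) { printf(msg); }   // defective
 */

/* Hardened form: the format string is a compile-time constant and the
 * untrusted text is an ordinary argument, so its '%' characters are
 * printed literally. Returns printf's character count. */
int log_line(const char *msg) {
    return printf("%s\n", msg);
}

int main(void) {
    /* Constructed sample input of the kind the passage describes. */
    const char *untrusted = "user=alice %x %x %n";
    if (has_format_directive(untrusted))
        fputs("warning: input contains printf directives\n", stderr);
    log_line(untrusted);   /* prints the text verbatim; no memory access */
    return 0;
}
```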

Elias Levy is a computer scientist. He was the moderator of "Bugtraq", a full disclosure vulnerability mailing list, from May 14, 1996 until October 15, 2001.

A grey hat is a computer hacker or computer security expert who may sometimes violate laws or typical ethical standards, but usually does not have the malicious intent typical of a black hat hacker.

Chris Wysopal (American computer security expert)

Chris Wysopal is an entrepreneur, computer security expert and co-founder and CTO of Veracode. He was a member of the high-profile hacker think tank the L0pht where he was a vulnerability researcher.

Session poisoning is a method to exploit insufficient input validation within a server application. Typically a server application that is vulnerable to this type of exploit will copy user input into session variables.

HackThisSite (organization)

HackThisSite.org, commonly referred to as HTS, is an online hacking and security website founded by Jeremy Hammond. The site is maintained by members of the community after he left the organization. It aims to provide users with a way to learn and practice basic and advanced "hacking" skills through a series of challenges in a safe and legal environment. The organization has a user base of over a million, though the number of active members is believed to be much lower. The most users online at the same time was 19,950 on February 5, 2018 at 2:46 a.m. CT.

Broadcom (American semiconductor company)

Broadcom Inc. is an American multinational designer, developer, manufacturer, and global supplier of a wide range of semiconductor and infrastructure software products. Broadcom's product offerings serve the data center, networking, software, broadband, wireless, storage, and industrial markets. As of 2023, some 79 percent of Broadcom's revenue was coming from its semiconductor-based products and 21 percent from its infrastructure software products and services.

In computer security, coordinated vulnerability disclosure is a vulnerability disclosure model in which a vulnerability or an issue is disclosed to the public only after the responsible parties have been allowed sufficient time to patch or remedy the vulnerability or issue. This coordination distinguishes the CVD model from the "full disclosure" model.

vendor-sec was an electronic mailing list dedicated to distributors of operating systems using free and open-source software. The list was used to discuss potential distribution element security vulnerabilities, as well as to co-ordinate the release of security updates by members.

A zero-day is a vulnerability or security hole in a computer system unknown to its owners, developers or anyone capable of mitigating it. Until the vulnerability is remedied, threat actors can exploit it in a zero-day exploit, or zero-day attack.

Antisec Movement (hacking, computer security)

The Anti Security Movement is a movement opposed to the computer security industry. Antisec is against full disclosure of information relating to software vulnerabilities, exploits, exploitation techniques, hacking tools, attacking public outlets and distribution points of that information. The general thought behind this is that the computer security industry uses full disclosure to profit and develop scare-tactics to convince people into buying their firewalls, anti-virus software and auditing services.

Veracode is an application security company based in Burlington, Massachusetts. Founded in 2006, it provides SaaS application security that integrates application analysis into development pipelines.

A vulnerability database (VDB) is a platform aimed at collecting, maintaining, and disseminating information about discovered computer security vulnerabilities. The database will customarily describe the identified vulnerability, assess the potential impact on affected systems, and any workarounds or updates to mitigate the issue. A VDB will assign a unique identifier to each vulnerability cataloged such as a number or alphanumeric designation. Information in the database can be made available via web pages, exports, or API. A VDB can provide the information for free, for pay, or a combination thereof.

Full disclosure is a "lightly moderated" security mailing list generally used for discussion about information security and disclosure of vulnerabilities. The list was created on July 9, 2002, by Len Rose and also administered by him, who later handed it off to John Cartwright. After Len Rose shut down netsys.com, the list was hosted and sponsored by Secunia.

Project Zero is a team of security analysts employed by Google tasked with finding zero-day vulnerabilities. It was announced on 15 July 2014.

Katie Moussouris (American computer security researcher, entrepreneur, and pioneer in vulnerability disclosure)

Katie Moussouris is an American computer security researcher, entrepreneur, and pioneer in vulnerability disclosure, and is best known for her ongoing work advocating responsible security research. Previously a member of @stake, she created the bug bounty program at Microsoft and was directly involved in creating the U.S. Department of Defense's first bug bounty program for hackers. She previously served as Chief Policy Officer at HackerOne, a vulnerability disclosure company based in San Francisco, California, and currently is the founder and CEO of Luta Security.

References

  1. "Bugtraq". Retrieved 2021-01-17.
  2. "History". Retrieved 2021-01-17.
  3. "From the moderator: READ Please". 1995-05-19. Retrieved 2021-01-17.
  4. "Administrivia". 2000-02-14. Retrieved 2021-01-17.
  5. "Administrivia". 1999-10-11. Retrieved 2021-01-17.
  6. "Administrivia: Mailing List Software". 2001-03-10. Retrieved 2021-01-17.
  7. "Administrivia". 1999-07-05. Retrieved 2021-01-17.
  8. Masnick, Mike (2002-07-17). "Symantec Buys SecurityFocus/BugTraq". TechDirt. Retrieved 2021-01-17.
  9. "Symantec Acquisition of SecurityFocus Completed". 2002-08-06. Archived from the original on 2003-12-06. Retrieved 2021-01-17.
  10. "Bugtraq: 40 messages starting Feb 03 20 and ending Feb 25 20". Retrieved 2021-01-17.
  11. "Re: Announcing new security mailing list". 2002-07-11. Retrieved 2021-01-17.
  12. "Accenture Completes Acquisition of Broadcom's Symantec Cyber Security Services Business". Accenture.com. 2020-04-30. Retrieved 2020-01-17.
  13. "Time for moderation?".
  14. "What is the point here?".
  15. "Administrivia: New Bugtraq moderator".
  16. SecurityFocus.
  17. "Administrivia: [Important] Community Involvement in the Future of Bugtraq".
  18. "Results of the vote query".
  19. "Administrivia: Recent list delays".
  20. "Administrivia".
  21. "Administrivia: Mail Problems".
  22. "Dead Air".
  23. jerichoattrition (2017-06-16). "Your yearly reminder to post to Full-Disclosure, not Bugtraq". Archived from the original on 2018-11-01. Retrieved 2020-05-17.
  24. "Administrivia: No More Microsoft Bulletins".
  25. "Bugtraq: by thread (Feb 2020 Archive)".
  26. "Broadcom acquires Symantec's enterprise business for $10.7 billion". CNBC. 2019-08-08. Retrieved 2020-05-19.
  27. "BugTraq Shutdown". seclists.org. 2021-01-15. Retrieved 2021-01-17.
  28. "Bugtraq: BugTraq Shutdown". seclists.org. Retrieved 2021-01-15.
  29. "On Second Thought...". seclists.org. 2021-01-17. Retrieved 2021-01-17.
  30. "The Future of Bugtraq | Accenture". WordPressBlog. Retrieved 2021-02-07.