Creating an Open Alternative to Bugtraq?
mbogosian asks: "I am not a sysadmin, nor am I a security expert, but I appreciate those who are. In response to a recent story, I went out and registered two domain names: opentraq.org and opentraq.net. I am hereby throwing down the gauntlet: I am willing to have them resolve to DNS servers belonging to a group of volunteers who wish to start and maintain an Open alternative to security services like BugTraq and others offered at the SecurityFocus website without being encumbered by the OIS Security Vulnerability Reporting And Response Process. I will continue to pay the renewal fees for the names as long as someone wants to continue the effort. After the project becomes established and is maintained by a reputable (i.e., non-commercial) group of volunteers, I am willing to transfer ownership of the domains to that group at no cost. Feel free to contact me if you are interested. Let the discussion begin!" Do you feel such a thing is necessary at this time? Why or why not?
dude. (Score:3, Insightful)
Re:dude. (Score:5, Insightful)
IMO, having an open and non-corp backed mail list to handle security bugs and the like would be the natural evolution needed to ensure sysadmins have the most up to date info.
Re:dude. (Score:2)
It's hard to fix an existing project when the problem is not in the project itself but in who owns it and dictates policy. Unless BugTraq ceases to be owned and controlled by Symantec (or influenced by Microsoft), then I still believe in the necessity of a Free (as in speech) alternative.
What I did not know is that there were already efforts to do this very
erm (Score:3, Insightful)
Re:erm (Score:2)
Man, I can't believe someone upmodded you. The question should be whether there has been enough telltale tampering by Symantec to dictate
Re:erm (Score:2)
Actually, the intention was not to rip off an idea. It was more to provide a security information platform without corporate influence (which is what led to the problem in the first place). I'm certainly not t
Nice that someone is willing (Score:2, Insightful)
I'd also like to see something like this supported by major firms, maybe just by setting up a system where the community can easily communicate with firms regarding security and bug issues.
Bugtraq works just fine (Score:5, Insightful)
The bug finding, reporting, fixing, and patching process should minimize the potential damage. If your goal is to minimize damage then neither full immediate disclosure nor no disclosure is a good answer. Bruce Schneier has written a good article about full disclosure in his Crypto-Gram newsletter [counterpane.com].
Unless bugtraq is falling down on the job, why do we need another one?
Re:Bugtraq works just fine (Score:3, Insightful)
"ever" is a strong word. Remember that one of the companies giving those recommendations is Symantec. Symantec own SecurityFocus. SecurityFocus runs Bugtraq.
Re:Bugtraq works just fine (Score:2)
My fear is that the controlling organization will exert pressure to change policies. The only way to avoid this is to have a system over which commercial organizations cannot exert pressure in this way. I hope you are right that BugTraq does not change their policy, but look at who pays their bills....
Yet Another Try... *yawn* (Score:4, Insightful)
I applaud your initiative, but honestly, I don't see either the need or the point.
Re:Yet Another Try... *yawn* (Score:1, Informative)
Re:Yet Another Try... *yawn* (Score:2)
I applaud your initiative
Registering two domains is initiative? The guy could at least offer to provide the servers behind them, if he's not willing to do any of the work.
Re:Yet Another Try... *yawn* (Score:2)
I'm willing to help in any way I can. I thought domain registration and a SlashDot article was a good first step. I'm just one guy without very much money (having been laid off in the past year), but I'd be happy to donate what I can towards bandwidth or server costs. I thought I might try and get the ball rolling to see how much response there was. I'll be the
Re:Yet Another Try... *yawn* (Score:2)
Good luck; I sincerely hope you'll get better results than I expect you to.
Vulnwatch (Score:2, Informative)
Full-Disclosure (Score:1)
Already does what you want it to do.
Re:Full-Disclosure (Score:2)
If you're really serious about having a "bugtraq alternative", then start posting on full-disclosure and encourage others to do so as well.
New twist on an old ploy. (Score:4, Interesting)
This smells like a slightly new twist on good old domain prospecting, parking, hijacking. You want someone else to build a site that will require a lot of work and moreover, A LOT of bandwidth and in return you will allow them to use your name. So, if this new superfluous site is successful, you get the credit/money with virtually no investment, monetary or sweat equity.
I doubt very much that anyone will take you up on this offer.
Re:New twist on an old ploy. (Score:2)
The truth is, I'm just one individual without much money to spend on bandwidth and servers, etc. My intention is not to hijack domains. I
Re:New twist on an old ploy. (Score:2)
That should have read, "...I am now aware of many of the alternatives...".
"me too" (Score:3, Interesting)
Too Much (Score:2, Insightful)
Knowing this I would say if you want to do something, make it a couple degrees more useful