The most influential e-mail list among computer hackers is going corporate. BugTraq, the place where most of the world’s most influential computer hazards are made public, was purchased Wednesday by Symantec Corp. for $75 million cash.
FOR YEARS, HACKERS have sought publication on Bugtraq for prestige and attention — and to dress up their resumes, since BugTraq is the computer security world’s equivalent of a professional journal.
Most computer security workers subscribe to the list as an early warning system to hear about new flaws, and to learn how to guard systems against them.
Most computer criminals subscribe too, since the list is a constant source of new methods for breaking into computers.
Big-name flaws like Code Red and Nimda were first published on Bugtraq, along with thousands of other flaws in Windows, Linux, and Unix software.
“This acquisition will broaden Symantec’s leadership in Internet security response with the addition of the world’s first global threat management system, the most complete vulnerability database and customizable alert services,” said John W. Thompson, Symantec chairman and chief executive officer, in a press release.
The list has been a thorn in the side of software makers, thanks to its so-called “full disclosure” policy. Generally, that means publication of flaws — and the recipe for exploiting them — even before corporations have time to repair the products. Publish all the information, to both hackers and security professionals, and at least both are on even footing, the thinking goes.
But the policy has come under fire in recent years, as companies like Microsoft claimed it helped cause outbreaks like Code Red. Microsoft has argued that detailed descriptions of flaws shouldn’t be made public until companies involved have time to fix them.
Now, the question becomes: will computer hackers continue to publish their material on the list, now that it is owned by one of the world largest security companies?
Elias Levy, longtime BugTraq administrator, said Symantec would respect the community SecurityFocus had developed.
“Symantec and SecurityFocus want to ease any fears as to whether the character of this mailing list will change,” Levy said in an e-mail to subscribers. In its press release, Symantec said it would preserve the Security Focus brand.
But security expert Richard Smith, who himself has disclosed vulnerabilities on BugTraq, said that might be hard for Symantec.
“There’s always a conflict of interest,” he said. “If you go around pointing out bugs, you are helping bad guys. It’s a lot different if you’re a ragtag bunch like SecurityFocus than if you’re the No. 1 security company.” One reason: Symantec has far deeper pockets than SecurityFocus, and could face a steep lawsuit if information published on the list proves harmful.
But Kevin Poulsen, editorial director for SecurityFocus.com, said the company received animated assurances that the group would remain independent.
“Schwarz said repeatedly, explicitly, and convincingly that Symantec was committed on the highest levels to keeping SecurityFocus Online alive and editorially independent,” Poulsen said.
Maintaining the perception of independence among the computer underworld will be critical for SecurityFocus, which has several mailing lists in addition to BugTraq. The group’s value comes in large part from volunteers who agree to publish their cutting-edge findings on the list. If the list loses its luster, some hackers might chose to disclose information in other places. Just weeks ago, a list calling itself “Full-Disclose” was created, in part because of a perceived “softening” of the BugTraq list.
“When (founder) Scott Chasin handed over the BugTraq mailing list, it was clearly dedicated to the immediate and full dissemination of security issues,” an invitation to join the list reads. “The current BugTraq mailing list has changed over the years, and some of us feel it has changed for the worse.”
This is not the first high-profile hacker list that has gone corporate. Two years ago, NTBugTraq, a list devoted exclusively to Windows issues, was acquired by TruSecure Corp.