The announcement came out earlier today that SecurityFocus, a long standing security news portal started in 1999 and home of a number of popular mailing lists including the well known Bugtraq is being shuttered by Symantec. While aspects of the site will continue (the mailing lists will remain and some content will be moved to Symantec Connect), the loss of the news portal and site itself is a significant loss of historical perspective on the information security industry from what was a long standing news and research source.
From the announcement:
Beginning March 15, 2010 SecurityFocus will begin a transition of its content to Symantec Connect. As part of its continued commitment to the community, all of SecurityFocus’ mailing lists including Bugtraq and its Vulnerability Database will remain online at www.securityfocus.com There will not be any changes to any of the list charters or policies and the same teams who have moderated list traffic will continue to do so. The vulnerability database will continue to be updated and made available as it is currently. DeepSight and other security intelligence related offerings will remain unchanged while Infocus articles, whitepapers, and other SecurityFocus content will be available off of the main Symantec website in the coming months.
From: Change in Focus
SecurityFocus.com kicked off as an online computer security news source in 1999, founded by a couple of parties (Arthur Wong, Al Huger, Elias Levy, et al.). In the summer of 1999 the Bugtraq mail list was subsumed into SecurityFocus. In 2002 the site was acquired by Symantec, the well known anti-virus vendor, for around $75 million in cash.
Bugtraq itself kicked off on November 5th, 1993, when Scott Chasin (Doc Holiday) started it as a response to perceived failure on the part of CERT to properly publish security warnings. Its founding policy was to publish vulnerabilities without regard to vendor response, an early salvo in the ongoing industry fight regarding full disclosure, or disclosing all known details of a security flaw.
The list was initially unmoderated but by the middle of 1995 was switched to moderated to cut down on the noise being generated. From 1996 to 2001 the list was moderated by Elias Levy (Aleph One), then turned over to David Ahmad, and finally rests in the hands as far as we know of David McKinney, a threat analyst at Symantec. The list was first hosted at Crimelab.com and moved to the NetSpace Project at Brown University when moderation began. In the summer of 1999, the list became part of SecurityFocus and thus in 2002 when SecurityFocus was acquired by Symantec it was part of that deal.
The philosophical underpinnings of full disclosure are complex, and long debated, but the major pro argument is that once security vulnerabilities are well known, the vendors responsible for the vulnerable code correct the problem faster. A secondary argument is that having the full details allows the security practitioner who is paying attention to react with some form of mitigation to a complex issue. The con argument is of course that releasing such information allows the vulnerability to be exploited by a larger audience of attackers.
Elias Levy (Aleph One) from Venezuela, well known as the author of the seminal article Smashing the Stack for Fun and Profit in Phrack, moderated the list from 1996 to 2001. In his words: “the environment at that time was such that vendors weren’t making any patches. So the focus was on how to fix software that companies weren’t fixing.” Some might question the pace of progress over the past ten years, we do have Patch Tuesday and all that entails, and the environment has shifted in a somewhat positive way, but the issue of timely patching of security problems is still a front burner concern in information security.
Interestingly, when Symantec acquired SecurityFocus, and with it BugTraq, there were accusations that Levy had ‘sold out’ on the original principles of the list. Partially in response to this, the Full-Disclosure mail list was born.
SecurityFocus certainly lost whatever unbiased independence it had back in 2002, however that move (the Symantec buyout) also may have allowed it to keep going until now. The articles on the site were unusually complete (long for a security news site) making it possible to completely explain an idea, and some notably written by technically capable authors who could provide good commentary and insight into the issues they were presenting. The loss of this information, from a history of the security industry perspective, is unfortunate, because if there is an industry that does not always effectively carry forward and build upon lessons learned, it is this one.
Or as Santayana put it: “Those who do not learn from history are doomed to repeat it”.
Further there are not too many sources that have picked up the security news mantle effectively. Churnalism sites that offer a morsel of new information wrapped in an awkward product pitch presented as news aren’t going to cut it. Blogs, corporate ones, are heavily censored as their raison d’etre is marketing. And many independent blogs place value on brevity, a positive at times but not when it doesn’t allow an idea to be fully fleshed out.
So we’re left with the thought that someone, somewhere, needs to fire up the next SecurityFocus.
Filed Under: Industrial Complex