Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Open Source Vulnerability Database Goes Live

Posted by michael on Fri Apr 02, 2004 09:37 AM
from the got-bugs? dept.
Bug Programming IT Technology
Alascom writes "The Open Source Vulnerability Database project has finally gone live. The project aims to provide comprehensive, free and unbiased (no vendor spin) vulnerability information. The database is being incorporated into such fine open source utilities as SNORT and NESSUS."
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Open Source Vulnerability Database Goes Live 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Running on PostgreSQL, too... (Score:5, Interesting)

    by tcopeland (32225) * <tomNO@SPAMinfoether.com> on Friday April 02 2004, @09:39AM (#8746260) Homepage
    ...per the database info [osvdb.org] page.

    <shameless>
    Hey OSVBD folks, here's a little utility to do do some PostgreSQL query analysis [rubyforge.org]!
    </shameless>

  • Naming is important (Score:5, Interesting)

    by Space cowboy (13680) * on Friday April 02 2004, @09:40AM (#8746267) Journal

    The name implied to me that it is only vulnerabilities in Open Source programs/systems that will be tracked, but reading the FAQ it seems to be that the database itself is open-source, and the database covers all systems. I think they could have named it better.

    Simon

  • Old news (Score:4, Informative)

    by RT Alec (608475) * <alec@nOspAm.slashdot.chuckle.com> on Friday April 02 2004, @09:40AM (#8746271) Homepage Journal
    Not the project, just the posts. Sendmail vulnerability from 2002? FreeBSD vulnerability (top of the list, no less) from 2000? Did I miss something?

    • Re:Old news (Score:5, Insightful)

      by Arathrael (742381) on Friday April 02 2004, @09:55AM (#8746431)

      There's two conflicting maxims when it comes to updating systems:

      'Always apply the latest updates' and 'If it ain't broke, don't fix it'.

      Given that many people are both lazy and ignorant, they like to assume that if it appears to be working, it is, and thus they don't have to update/fix it. I imagine there's a lot of sendmail systems out there unpatched since before 2002. Old news, in terms of serious vulnerabilities, is therefore still highly relevant, since it provides a quick way of pointing and saying: 'Look, it is broken, fix it you lazy muppet'. :-)

      Having said that, those are just the 'most recent entries' on the frontpage in relation to date of entry to the database. I think that's useful to have there so you know what's been added since a previous check.

    • Re:Old news (Score:5, Informative)

      by CaptainBaz (621098) on Friday April 02 2004, @09:56AM (#8746436) Homepage Journal
      Not really - it's hard to take, but there really are systems out there who still haven't patched these vulnerabilities!

  • securityfocus (Score:2, Interesting)

    by Anonymous Coward
    is'nt securityfocus doing that already?

  • They forgot one. . . (Score:5, Funny)

    by UFNinja (726662) on Friday April 02 2004, @09:41AM (#8746277)
    Slashdotting. ;)

  • Mmmmm.... (Score:4, Interesting)

    by jwthompson2 (749521) * <jwthompson2NO@SPAMgmail.com> on Friday April 02 2004, @09:42AM (#8746283) Homepage
    No vendor spin on security issues. Now we can know the truth to the best of our ability without corporate FUD, hype or downplay.

    Gotta love technology when it helps get the full-truth out there.
    • Like spin and hype are a vendor monopol... Is OS spin really better ?

      Spin is everywhere where there is subjectivity.
    • >No vendor spin on security issues. ... yet.

      If this thing becomes popular you don't think that every profit or non-profit group will use it to enforce their own narrow point of view?

  • Can hear MS from here (Score:4, Interesting)

    by Phisbut (761268) on Friday April 02 2004, @09:42AM (#8746285)
    I can hear it from here... Microsoft saying "See, Open Source isn't more secure than our stuff... there is a public database that all hackers and crackers can use to exploit known vulnerabilities..."

    How long will it take till they say that?

    • How long will it take till they say that?
      If you're calculating time using Windows, it could be as long as 54,367 minutes.
    • The irony is it will make the strong, stronger, and the weak weaker. In other areas of society we shunn this, or at least claim to.
    • Actually there is truth to your statement. Previous it was easier to hide vulnerabilities in open source projects or keep them on some obscure page.

      For instance do a search on Mozilla. They are issuing reports on vulnerabilities in 1.6. That represents a very big hole in Mozilla's normally security model, which relies on keeping all the vulnerability they have a secret for 2 minor versions. If this site starts making public the almost monthly arbitrary code execution vulnerabilities in Mozilla, while a lot

  • This is certainly a good thing. (Score:4, Insightful)

    by paroneayea (642895) on Friday April 02 2004, @09:43AM (#8746296) Homepage
    I could see many users getting angry over this, thinking this is to the disadvantage of open source technology, but no.... this is clearly an advantage! This database will help ensure that essential bug fixes get worked on immediately.
    So don't flame over this... it will help make open source software more secure!Oh, right, and if you might think to the contrary, that people not knowing about vulnerabilities is the best way to go for security, you clearly need to do more research on the way open source software works, and why it is so effective.

  • Cool! (Score:4, Interesting)

    by MrFreshly (650369) on Friday April 02 2004, @09:43AM (#8746306)
    This should be done for all types of software...Perhaps developers will be a little more careful with their codeing and end users will be able to see just how secure the software is before they commit to it.

  • Slashdotted? (Score:5, Informative)

    by luferbu (703405) <luferbu@fluidsig ... m minus math_god> on Friday April 02 2004, @09:44AM (#8746310) Homepage
    As it seems to be already /.ed here is the Google cache [66.102.9.104]
    • I hope they get funding or donations to beef up their web serving capability, since if it becomes successful, I'd imagine nearly every slashdot story (and other mass-media coverage) concerning big vulnerabilities will link to their site.

  • Oh, yeah, this'll be *real* useful (Score:3, Funny)

    by 0x0d0a (568518) on Friday April 02 2004, @09:48AM (#8746357) Journal
    Yeah, this'll be *real* useful. A database with entries that become obsolete after eight hours. "There's a Linux kernel vulnerability, and it...aw, darn." ;-)

    • Re:Oh, yeah, this'll be *real* useful (Score:5, Funny)

      by rbolkey (74093) on Friday April 02 2004, @10:03AM (#8746499)
      "There's a Win 3.11 vulnerability, and ... wow, it's listed as a feature in XP."

    • Re:Oh, yeah, this'll be *real* useful (Score:4, Interesting)

      by AKnightCowboy (608632) on Friday April 02 2004, @10:18AM (#8746643)
      Yeah, this'll be *real* useful. A database with entries that become obsolete after eight hours. "There's a Linux kernel vulnerability, and it...aw, darn." ;-)

      Why would the data become obsolete after 8 hours? Not everyone runs out and installs the latest version of something for the hell of it you know.

    • Re:Oh, yeah, this'll be *real* useful (Score:5, Insightful)

      by MoonBuggy (611105) on Friday April 02 2004, @10:53AM (#8746976) Homepage
      It's unfortunate, however, that DBs like this have a habit of publicising vulnerabilities without telling the software authors first. IMO if you find a problem you should tell the software dev team, give them a chance to fix it and then publicise the vulnerability along with the patch, minimising the impact that crackers could have with the info.

      I do agree that if the software developers are uncooperative then publicise the software problems, worst case scenario with OSS someone else can patch it. What irritates me is when people make a problem public without giving anyone a chance to get a fix out the door.

      • Re:Oh, yeah, this'll be *real* useful (Score:5, Insightful)

        by caudron (466327) on Friday April 02 2004, @02:59PM (#8749476) Homepage
        DBs like this have a habit of publicising vulnerabilities without telling the software authors first.

        Seems like they could fill a niche need here by allowing people to report vulnerabilities, but not automatically posting them until a set time after the report date. Then having it automatically notify the vendor of the vulnerability. The vendor could ignore it (in which case after a set interval the issue would go public) or fix it and let it go public sooner.

        Just a thought.
  • Kudos to the OSVDB crew!
    I wish you much success on completing your vulnerability update/addition modules so that your moderators' inboxes can have some breathing room!

    With Retina [eeye.com] at $995 for 16 IP's, this additional gunpower for OSS will really keep the commercial vendors on their toes.

    Maybe this will create a better turn-around time for M$'s "Security Initiative" too... Oh, wait, it's 4/2!

  • Open source vulnerability database goes live...and two days later, it goes dead.

    Slashdot - bringing you customizable DDoS attacks for years to come.

  • Professionalism (Score:4, Insightful)

    by schnarff (557058) <alex@@@schnarff...com> on Friday April 02 2004, @09:56AM (#8746441) Homepage Journal
    I think that this is an excellent concept...I just wish that it were executed well enough that the site wasn't Slashdotted after 25 comments. I mean, damn, we're already trying to shake off the image of being a bunch of amateurs, and having a web site that can't even stand up to moderate traffic doesn't help.
    • A slashdotting is an honour, not a disgrace ;) The sistes of many commercial adventures have gone down after a couple of comments - hell, some have even gone down while the story is still in "The Distant Future" waiting for the front page. A slashdotting is nothing to be ashamed of.
  • I sure hope they will provide nice charts with statistics like which OS is more secure. Or perhaps a toplist with an approximation of how many users are affected. That would be very useful to the (h|cr)acker community. ;-)

  • already been done (Score:5, Informative)

    by musikit (716987) on Friday April 02 2004, @10:02AM (#8746496)
    you know i hate the company but it has already been done and is most likely a better DB.

    the MITRE Common Vulerability and Exposures DB

    http://www.cve.mitre.org/

    • Re:already been done (Score:5, Interesting)

      by brennz (715237) on Friday April 02 2004, @10:48AM (#8746935)
      The CVE is "A Dictionary, NOT a Database" of vulnerabilities. It appears you aren't familiar with the CVE

      You would be better off to compare the OSVDB against the ICAT metabase [nist.gov]

      The ICAT has some serious shortcomings which makes my work a big PAIN! (try to cross reference a specific vulnerability that matches 10 vulnerabilities).

      OSVDB appears to better personify the open source paradigm in general, as such, I'd like to extend a warm welcome.

      We expect great things from you.

  • Finally == Security Focus BIASED as hell (Score:4, Interesting)

    by Anonymous Coward on Friday April 02 2004, @10:06AM (#8746538)
    Security Focus became BIASED as heel from when Symantec bought them. Finally a really neutral source of information. Thank you for doing this guys ...

  • What makes this database "open source" ? (Score:5, Insightful)

    by possible (123857) on Friday April 02 2004, @12:08PM (#8747650)

    Calling something "open source" doesn't make it open or free (as in freedom). There are three issues of concern here.

    First, the licensing terms [osvdb.org] Why didn't they license the OSVDB database under a free license, whether it be GPL, GFDL, or even the BSD license? If OSVDB and its sponsors (including primarily Digital Defense, Inc. [digitaldefense.net], a privately held computer security firm) retain complete ownership of the content, and nobody has the right to fork the database or create derivative works, I can't see why it's being spun as "open source".

    Second, I was concerned when I read the OSVDB's statement of intent to comply with the DMCA. A non-free (read: non-forkable) database based in the United States might not be the best idea. One DMCA injunction could shut it down. Since, from my reading of the terms and conditions, nobody has the right to duplicate or fork this database, the work could not continue outside the US if a DMCA injunction shut it down.

    Third, the issue of neutrality and bias. I don't believe that a non-free database sponsored by a private security consulting firm based in the United States will be able to remain neutral for long. Private companies are under no obligations to disclose their partnerships or agreements with vendors.

    You know, there are non-trivial, free (GFDL) databases [wikipedia.org] out there...the precedent exists for high quality, truly FREE content. I hope OSVDB considers licensing the content under the GFDL or BSD license.

  • Easy livin' (Score:5, Insightful)

    by Doc Ruby (173196) on Friday April 02 2004, @01:56PM (#8748825) Homepage Journal
    Where's the OSVDB client, that I install on a host on my LAN, that gets up-to-date security notices selected from queries defined by my local configs? That is the missing layer in OSS SW distribution. Installers, like apt-get, should register installed packages with the local OSVDB.

    The local DB gets queried by the client for installed inventory, queries the remote server. Vulnerable SW is tagged with advisory instructions, including patch URLs, confirmation URLs, and "help me" URLs, as well as the URL of the Internet site with that support and more (discussions, etc). The client sends a notification email to the sysadmin, optionally including clickable HTML to install the patch packages (which are, of course, registered with the local DB). Confirmation reports are easily entered in the HTML interface, pointing at the client, which first posts them to the local DB cache for later analyis, then posts them to the remote OSVDB. Requests for help are passed to tech support, based on a policy config'ed when the client is installed: existing support contracts, filtered marketplace pool, goverment/industry referral service.

    This infrastructure is the natural evolution of the global infosystem. It mirrors the evolution of the cell: we've got a cell (fire)wall already, and the nucleus (sysadmin server) is now growing a membrane (security infrastructure), with tRNA codes (patches) keeping homeostasis (uptime). As the organism (network) is sickened (exploited) by viruses (viruses) and genetic defects (bugs), vaccines (patches) and therapies (upgrades) keep the organism healthy, and reduce the risk of epidemic infection (every few days on the Internet). Once organisms got an immune system, and communities that worked with it, we took over the world from the volcanoes, eventually freeing our brains for human endeavors (gaming, surfing porn, online dating). If developers bundle the straightforward complexity in simple automated tools, the infosystem's health will become as implicit as our own.

    • Re:Disagree (Score:5, Insightful)

      by Anonymous Coward on Friday April 02 2004, @10:13AM (#8746597)

      Regardless of the amount of time passed, the general public, or hacker public, does not need to know how to exploit these bugs, only that they exist, and are being fixed, and where to get the newest version.

      And what happens when it isn't being fixed? Vendors have shown time and time again that unless pressure is put upon them, security fixes have a very low priority. Full disclosure is the best method of increasing that priority.

    • You miss the point. (Score:5, Insightful)

      by GirTheRobot (689378) on Friday April 02 2004, @10:14AM (#8746607)
      Customers have a right to know that they are using vulnerable software, and be given the chance to secure themselves in any way possible. When I say customers, that means not only joe sixpack, but the admins of mission-critical and sensitive systems as well. If the vendor is unable or unwilling to fix the problem in a reasonable amount of time, the public should be given the ability to. Security through obscurity is a farce. Script kiddies might take exploit code once it is posted, but the crackers that otherwise know of these exploits are the ones doing the real damage.

      Information can be abused, yes, but personally, I think it is better than ignorance.

    • that isnt what a vulerability DB is. it's not a huge patch server. its a place you can goto to see if an error you found while messing with bash (and accidently get root access) 1. has been reported 2. if there is a work around and 3. report it if it is a. repeatable and b. not yet reported.
    • Ok, one more time: Obscurity does not create security. Assume the crackers already know the vulnerabilities. This is to allow the "white hats" to defend themselves.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.