Forgot your password?
typodupeerror
Security

Symantec to Acquire SecurityFocus 202

Posted by michael
from the woe-to-the-defeated dept.
cbv writes "Symantec Corp. today announced the acquisition of SecurityFocus for approximately US$75 million in cash. The press release reads, 'With this acquisition, Symantec will offer customers the most comprehensive, proactive early warning system across the broadest range of threats.' The transaction is expected to close by early to mid-August 2002."
This discussion has been archived. No new comments can be posted.

Symantec to Acquire SecurityFocus

Comments Filter:
  • by darylp (41915) on Wednesday July 17, 2002 @06:27PM (#3905174)
    Will we be seeing more minor security issues inflated to cataclysmic proportions just so Symantec can sell a few more virus scanners?
    • by Anonymous Coward
      Probably. We'll may have to move SecurityFocus a little farther down on the list of sources that we trust and whose links that we visit regarding security matters. It remains to be seen if that trust (and link) winds up above or below that of ISS's. Let's hope Symantec can resist the temptation to turn their new acquisition into nothing more than a marketing tool.
    • by tcc (140386) on Wednesday July 17, 2002 @07:11PM (#3905410) Homepage Journal
      I'd be more worried about them *NOT* releasing some security issues of those 800 pounds gorilla that promotes security through obscurity instead of writing safer code.

      Symantec is a corporation after all. If let's say, a certain company would cut them vital information required for the lowlevel of the system so that their antivirus technology work effectively (on their future OS), well I can see a very *VERY* persuasive effort that could just work.

      I am happy for the people at security focus if it pays off their hard work, but I am worried about the quality and most importantly, the neutrality of the service that will result from this acquisition.
      • I think that's an absolutely valid concern, particularly given the propensity for the virus-killer companies (as they see themselves, anyway) to overblow virus threats.

        But, I would say two things in their defense:

        1) They tend to hype more than hide. The worst thing is that they will try to get securityfocus.com on the map with IT execs by hyping the security flaws disclosed in bugtraq. Now, it's a double-edge sword, but I don't think it will be awful if certain M$-based operating systems were a bit more publicly scrutinized.

        2) Slashdot didn't change after the aquisition, at least not outwardly. I don't work here, so I can't talk about the behind-the-scenes, but the postings are as hard-hitting as ever. Granted, Andover isn't a corporation the size or with the intrests of Symantec. But it's a valid point.
    • Yeah, Imagine in the investment world, if the underwriter, broker and analyst all worked for the same company.

      Oh Wait . . .
    • Absolutely this is COI! They will be publishing every minor non-threat virus and probably every virus which is theoretical and not in the wild as well.

      This is a bad thing IMHO.
      • So then it'll be just as bad as Bugtraq?

        Lil'HTTP Pbcgi.cgi XSS Vulnerability
        Remote ICQ Sound Desactivation
        AIM forced behavior "issue"

        etc. Man. Bugtraq is barely useful.
        • Don't forget the Half-Life server non-issue... Bugtraq is barely useful, its really sad. On the other hand, Security Focus' SIA is great, its of great help to me in the workplace.

          Now I'm quite honestly worried about vendor bias and conflict of interest. Trusting a third party to be objective is easy, trusting a divison of a vendor is not.

    • Or, will we be seeing less if Symantec institutes a policy of "the vendor has a year to respond before this can be made public, so don't post that?"
    • Will we be seeing more minor security issues inflated to cataclysmic proportions just so Symantec can sell a few more virus scanners?

      lol, I read this on another hardware site and came to /. looking for this post. Bugtraq was getting bad [theregister.co.uk] anyway. It looks like it's time to find another mailing list.

    • Given that Symantec have agreed to work with state intelligence agencies over Magic Lantern, I would expect we can no longer trust that we will see announcements the powers that be don't want us to.
  • by fungus (37425) on Wednesday July 17, 2002 @06:30PM (#3905188)
    From: aleph1@securityfocus.com [mailto:aleph1@securityfocus.com]
    Sent: Wednesday, July 17, 2002 5:28 PM
    To: bugtraq@securityfocus.com
    Subject: Administrivia: Symantec acquiring SecurityFocus

    Good day,

    Today, SecurityFocus and Symantec announced that Symantec is acquiring
    SecurityFocus. Symantec sees real value in the services SecurityFocus
    provides to its customers and believes they are an excellent fit with
    their current offerings. We at SecurityFocus see this as an opportunity to
    provide even better services for the security community.

    Symantec recognizes the value and uniqueness of the public services
    SecurityFocus provides to the community, such as the numerous mailing
    lists we host and the content we provide via the SecurityFocus Online web
    site.

    In particular, Symantec and SecurityFocus want to ease any fears as to
    whether the character of this mailing list will change.

    Frequently Asked Questions:

    Q. What is the Symantec strategy for keeping data sources?

    A. We believe it is critical to maintain the integrity of the existing
    security community currently part of the SecurityFocus portal and
    Bugtraq mailing list.

    Q. What is Symantec's disclosure policy?

    A. Symantec believes in responsible vulnerability disclosure and is active
    in initiatives to set best practices in this area. Our first priority
    is to help our customers protect their computing assets by providing
    tools and information to safeguard their systems.

    We will work with vendors, if we discover vulnerabilities in other
    products, to report and investigate the issue in a thorough and timely
    fashion, in the same way that Symantec will work with other security
    researchers if they find an issue with any Symantec technology.

    We observe a 30-day grace period after the notification of a security
    advisory to give users an opportunity to apply the patch. During this
    grace period, we provide our customers significant information about
    the vulnerability and the fix, but not step-by-step instructions for
    exploiting the vulnerability. We do not provide detailed exploit code
    or provide samples of malicious code except to other trusted security
    researchers and in a secured manner.

    Q. Will Symantec change SecurityFocus' vulnerability reporting policy?

    A. We believe that in order for the SecurityFocus/Bugtraq community to be
    effective, it must be an independent entity. We believe that its
    current disclosure policy is appropriate for the venue. Symantec will
    continue to operate with its separate disclosure policy.

    Sincerly,
    Elias Levy, David Ahmad,
    and the rest of the SecurityFocus staff
    • Read earlier post... they don't exactly define responsible disclosure, do they? A week? Two weeks? A month? A year? I think it was Fyodor who independantly came up with a framework for responsible disclosure. It will be interesting to see if Symantec is more interested in making potential problems public knowledge or protecting companies that could be embarrased by them.
    • by satch89450 (186046) on Wednesday July 17, 2002 @09:25PM (#3905953) Homepage

      We believe that in order for the SecurityFocus/Bugtraq community to be effective, it must be an independent entity. We believe that its current disclosure policy is appropriate for the venue. Symantec will continue to operate with its separate disclosure policy.

      Pretty words, Mr. Levy and Mr. Ahmad. Now where is the proof?

      Those of us who are working journalists remember the transition of ABC News under Roone Arlege from Cronkite-esque "news" to "entertainment" -- and know that "independence" is a very fragile concept, one that can be crushed very quickly and with little fanfare at any level including the board room. All it takes is one vote of no-confidence on the part of the management to completely change the editorial head, and thus the independence of SecurityFocus. You most likely mean well -- can the same be said of your bosses? Can you point to one Symantec acquition that proved that editorial independence has been achieved in the long run?

      I was an expert witness at a multi-million dollar trial because a well-respected computer magazine's editorial staff prostituted themselves to shore up a bad space-sales management decision. It only takes one episode to sully the good name of a publication. (The name of the publication is withheld from public statement to protect the guilty and to keep me out of civil court for defamation.)

      I'm happy you were able to get a pile of money, but don't think that SecurityFocus will be viewed the same way. Now, if you had made the sale to an outfit like O'Reilly, the SecurityFocus name would have retained its luster and elan in the industry.

      All good things must come to an end. Thanks for all the fish.

    • We do not provide detailed exploit code or provide samples of malicious code except to other trusted security researchers and in a secured manner.
      No one else has commented that this is a bad thing... Am I the only one that thinks so?

      Personally, I like nothing better than to get code which demonstrates and exploit, and see if the architecture I have put in place is designed well enough to stop attackers, or at least properly minimize the risk to my servers.

      What good will this do anyhow? Do they think script kiddies will not get the exploit code now? Or is this calculated to give Symantec, and those who will partner with them (no doubt, in exchange for a hefty chunk of change) a distinct advantage over the general public?

      Thank you for protecting me, and all sys-admins out there, from ourselves. How stupid we were to think we could secure and test the security of our systems without Symantec's approval!
      • Personally, I like nothing better than to get code which demonstrates and exploit, and see if the architecture I have put in place is designed well enough to stop attackers, or at least properly minimize the risk to my servers.

        But the exploit could be combined with others so that it would breach your defences. So knowing that you're immune to the published exploit may give you a false sense of security.

        I see publication of exploits as useful only when the vendor makes the 'purely theoretical' claim and refuses to patch a bug. Even then, the exploit should be sent to the vendor first.

        • But the exploit could be combined with others so that it would breach your defences.
          You're obviously not a system administrator. The whole idea is NOT just to see if some version of some software with whatever modifications is or is not vulnerable. The idea is to run vulnerable software, and exploiting it. Then, seeing if exploiting particular software using your own setup can negate or limit the exploit.
          • I do sometimes wear a system administrator's hat, but I think I misunderstood your comment. I would have thought that a description of what the exploit gets you would be sufficient, but maybe an actual working exploit is more useful.
  • Prediction! (Score:5, Interesting)

    by Codex The Sloth (93427) on Wednesday July 17, 2002 @06:31PM (#3905193)
    Prediction: Symantecs products are going to suddenly become very secure.
    • Nah. SecurityFocus will become very insecure.
    • I guess some people have faulty irony detector.
  • by BobRoss (63028) on Wednesday July 17, 2002 @06:31PM (#3905194)
    This buyout (sellout?) makes the site a lot less credible in my opinion. They are simply going to use the site to sell more virus protection software.
    • Norton's products are quite good. NAV and NIS are the best in their class and absolute requirements for any internet pc.
      • Re:Hogwash (Score:1, Funny)

        by Anonymous Coward
        Norton's products are quite good. NAV and NIS are the best in their class and absolute requirements for any internet pc.

        You watch too much techtv.
        • Re:Hogwash (Score:3, Interesting)

          by MsGeek (162936)
          Well, hogwash or no, Norton has never made any Windozer I've installed it on unbootable. Can't say that about McAfee. However, I am seriously looking at AVG because...well...you can't beat the price. NAV is a decent proggie for a less than extortionate price. If AVG can find the same number of viruses that NAV can, however, it's history here at Catseye Labs.
          • NAV is the standard at the place I work, for client stations. We use trend for servers and some other thing for exchange stores...Whole lotta scanning going on here
          • It's done it to me. Not just once, but twice (different versions). I must be a slow learner.

            NAV has hurt me worse than any virus I ever caught. LiveUpdate both times.

            Mind you, Ximian's Red Carpet has done something a bit similar more recently, only not as bad. It was fixable with a system reinstall (wiping the /usr partition). I could probably have fixed it with something a bit less enthusiastic, but there wasn't anything there that I wanted to keep, so I took the easy way. (I keep /usr/local in a separate partition partially for this reason.)

          • Norton has never made any Windozer I've installed it on unbootable

            I had to rebuild my WinNT4 system from scratch twice because NAV combined with WinFAX (from the same company) caused a blue-screen upon boot. I did not quite figure out went wrong the first time, and put over 40 hours trying to recover with out the total reinstall (trying registry edits, etc.).

            Once I rebuilt the system, I only reinstalled NAV (required to connect with my office). A few weeks later I reinstalled WinFAX, and boom it happened again. I used McAfee after that with no problems.

      • Does your 'absolute requirement' run on my Unix internet pc? And how much of the exact 0 viruses that ever infected it would require it?
      • Only on Windows... and I use macafee anyway on my gaming box. Ever heard of Snort? They DID port that to windows, you know :)
    • They are simply going to use the site to sell more virus protection software.

      That's a very narrow view to take. I bet they'll be trying to find ways to flog pcAnywhere, Ghost and WinFax, too.
  • Countdown..... (Score:3, Interesting)

    by Mr Guy (547690) on Wednesday July 17, 2002 @06:31PM (#3905198) Journal
    Countdown until Rob Rosenberger [vmyths.com] has a nervous breakdown begun... 10 ... 9 ... 8 ... 7 ...
  • Isn't it safer using a credit card?

  • by GoatPigSheep (525460) on Wednesday July 17, 2002 @06:34PM (#3905215) Homepage Journal
    their products will never be secure as long as they do not detect the fbi's spy software.
  • I've always had followed closely the bugtraq list, and I belive strongly it's cutting edge anything goes security ... wonder how the Symantec staff would moderate it
  • I wonder what kind of intentions Symantec has here. If they want to use SecurityFocus as a well-known security company to help make their products better, or if they just want them for the name. Consider "Tommy Boy"...
  • by reaper20 (23396) on Wednesday July 17, 2002 @06:36PM (#3905226) Homepage
    The contest is on...

    Which will be worse, the slashdot effect or the mass unsubscribes pounding the mailing lists??
  • I hate going to any symantec website. Their web pages reek of ads for different products. I'm glad I use Junkbuster to block all of them.

    And I'm doubly-glad I use mozilla to stop those damn pop-ups.

    And SecurityFocus.com was a great site... I can only hope Symantec doesn't run it into the advertising ground.
    • I just installed privoxy [privoxy.org] which is based on junkbuster. Not only does it filter out ads, but pop-ups as well. nice.
      • AND privoxy does a pretty decent job at filtering Flash ads. I don't mind ads in general... in fact, I've been slowly easing up privoxy's default config to allow for more ad banners. But I do hate Flash, user tracking, stupid java tricks, blinking ad banners... and other such marketing shennanigans.
        • Proxomitron (Score:2, Informative)

          Proxomitron [spamblocked.com] sees all, filters all. Regexp your Internet connections.
          • ...sees all, filters all... if you're running Windows. But hey, Windows users need good filtering too. =)

            • More than 90% of the desktop computers in the world run Windows. And... Windows ESPECIALLY needs filtering. Now Internet Explorer has a kind of serial number that it transmits to every site you visit.

              With Proxomitron, your browser can identify itself as "Space Bison", one of the built-in options, or anything you choose. I choose to take out the serial number.

              It gets old, Slashdot people saying they don't run Windows. I posted a link to an article on my web site, and lots of Slashdot people visited. Most were running IE and Windows. Other people have mentioned this also.

              There will be a day when almost everyone runs Linux, but that day is not here yet. I can't yet sell Linux to my customers because it is a little too technical yet.

              In spite of what the OSDN Terms of Service [osdn.com] says at section "4. CONTENT", paragraph 6, I own this comment, exclusively.

              • With Proxomitron, your browser can identify itself as "Space Bison", one of the built-in options, or anything you choose. I choose to take out the serial number.
                That's especially cool.

                Don't get me wrong - Proxomitron looks like a really cool piece of software. And yea, Windows users probably need this kind of thing even more considering the silliness going on in their environment. But for the most part, this just isn't for me.

                It gets old, Slashdot people saying they don't run Windows. I posted a link to an article on my web site, and lots of Slashdot people visited. Most were running IE and Windows. Other people have mentioned this also.

                There will be a day when almost everyone runs Linux, but that day is not here yet. I can't yet sell Linux to my customers because it is a little too technical yet.

                I believe Slashdot itself has a statistics page (forget where it is) that breaks down browser identifications that hit the site - and the vast majority is, in fact, IE. It makes sense - Windows is going to be in most environments no matter what your personal preference is.

                I personally prefer Linux. I run it on my desktop and my laptop. But I do still run Windows when needed (dual boot or vmware). And I work with Windows when customers need it. Of course, at the same time, I've been able to sell Linux solutions more and more often when Linux makes sense. Granted - I've yet to run in to a good oportunity to sell it as a desktop solution for a customer (although a lot of them find it interesting to see it on my laptop).
  • "With this acquisition, Symantec will offer customers the most comprehensive, proactive early warning system across the broadest range of threats." How long do you think it will take befor an update is released for it after it is released? 5 10 mins? the most! Some one is going to be able to get through it just like everyone else.
  • by eejack (416145) on Wednesday July 17, 2002 @06:39PM (#3905246)
    There was a new list started about 2 weeks ago, directly because of this potential issue:

    Here was the announcement:

    Subject: Announcing new security mailing list

    We are pleased to announce the creation of a new security mailing list
    dedicated to FULL DISCLOSURE. When Scott Chasin handed over the bugtraq
    mailing list, it was clearly dedicated to the immediate and full
    dissemination of security issues. The current bugtraq mailing list has
    changed over the years, and some of us feel it has changed for the worse.

    If you believe in full disclosure, and wish to participate in unfettered,
    and unmoderated discussions, please feel free to subscribe to the new
    mailing list by accessing http://lists.netsys.com [netsys.com]

    • by ShaunC (203807) on Thursday July 18, 2002 @12:26AM (#3906630)
      The "announcement" of the Netsys list's creation was spammed [google.com] to everyone who's posted to BugTraq lately. Let's see: unsolicited, bulk, advertising something, and sent to email addresses scraped from a webpage or mailing list. In my world, that's spam. What's worse, the list's owner - Len Rose from Netsys - said that people who were unhappy about the spam were "lunatic diehards" [google.com]. He then proceeded to tell one of them in particular to, quote, "FOAD."

      I don't trust a spamming pompous ass to run a security list any more than I trust Symantec to do it. I'm sorry, but Netsys really dropped the ball on this one; I'm not about to hand my email address over to them.

      Shaun
    • This list does not appear to be a replacement for Bugtraq, because it is unmoderated. There is a need for a list moderated by someone respected in the security community, so that we can be assured of both high quality and full disclosure.
  • What's REALLY interesting is I've heard that NAI/McAfee have been in acquisition discussions with Symantec.

    So, Symantec buys SecurityFocus, NAI busy Symantec, and boom, overnight you have a huge amalgam of one-stop Security and Anti-Virus.

    Jeez, kinda scary. No?

    --jordan


  • "Symantec To Aquire Bugs"

  • With this acquisition, Symantec will offer customers the most comprehensive, proactive early warning system across the broadest range of threats.

    Does that include threating emails from ex-girl freinds?

    Cause if soo Sign me up!
  • by White Roses (211207) on Wednesday July 17, 2002 @06:47PM (#3905285)
    So, a company that I do not fully trust when it comes to acurate, honest security reporting purchased a forum (company?) which I do trust on those same matters.

    I don't really know what to say. It'd be like Ford buying Volvo or something. Oh, wait . . .

  • by Stephen VanDahm (88206) on Wednesday July 17, 2002 @06:52PM (#3905316) Homepage
    REALLY BAD SECURITY VULNERABILITY EXPOSED

    DATE: July 17, 2002

    AFFECTED SYSTEMS:

    All systems for which Symantec sells products.

    DESCRIPTION:

    Holy Fucking Shit!! The computer just, like, explodes! It's the end of the world!

    WORKAROUND:

    Install Norton Anti-Virus. If you already have Norton Antivirus installed, buy another copy and install it. That'll fix it, we promise.
    • Re:The new BugTraq (Score:5, Insightful)

      by kir (583) on Wednesday July 17, 2002 @07:26PM (#3905473) Homepage

      While exaggerated, I think your post is probably and example of the future of any mailing list done by SecurityFocus. Sad. Symantec always seemed cheap and sleezy to me while SecurityFocus at least tried to be legitimate.

      With this purchase, SecurityFocus' credibility (at least with me) has gone out the window. I can't see how they can continue to be credible when they've got a company in charge that ONLY cares about the bottom line. Just look at their irresponsible virus warnings (as you've so clearly demonstrated). Boooooo!

    • I would love to see "Really Bad" used in any newspaper headline at all.

      (I ran across the phrase "wild sex" in a graduate thesis once. That was amusing. This would be more so.)
  • There goes another usefull service being prostituted by corporate morons with a MILK THE MASSES mission statement, I guess well have to use another means of information :D
  • by NetBoy (131975) on Wednesday July 17, 2002 @06:59PM (#3905356)
    Hmmm, this reminds me of something, lets see....

    Ahh, Symantec pledges to acquiese to FBI backdoor demands [politechbot.com]

    This is a real problem and needs to be addressed.

    Has Symantec policy changed with respect to things
    like magic lantern and so forth?

    bugtraq. Poof.

  • by Aknaton (528294)
    I'm sure SecurityFocus will suck by the time they are done with it.

    (Sorry if this is trollish but it just seems like things get worse when an outside company aquires something useful.)
  • Bad news... (Score:2, Interesting)

    by Cinabrium (571473)
    for all the information security community. Some of the probable effects have already been discussed in other postings:
    1. Would we believe the seriousness of virus threat anouncements? (BTW, please see the interesting musings of Bruce Schneier in the last issue of CRYPTO-GRAM [counterpane.com].
    2. Would we believe in the security of Symantec's products?
    3. Would Symantec take advantage of first hand information before releasing it to public knowledge?
    Even if bugtraq keeps its objectivity (and what a big "if" is that!), doubt will ever remain. A critical resource for the security community has been lost, at least because of the lack of credibility in the new owners.
  • by drew_ri (236095) on Wednesday July 17, 2002 @07:06PM (#3905385)
    This is interesting news. It is a loss to the security community at large, since securityfocus was such a great resource, although once they went commercial it lost a lot of its appeal to me. Symantec is really positioning itself to be the M$ of security here. About 8 months ago, I was at a meeting with some of their top Sales and Product Dev. folks, and they presented their offerings roadmap. It included an appliance which would:

    Serve as a FW/VPN

    Act as a network IDS

    Serve as a management console for Host IDS

    Act as the A/V Manager
    Because they have agents installed on every machine when you run Intruder Alert, NAV, or other tools, it would allow them to sync up the status of a host, network, etc. with the mothership at Symantec-Focus, and determine in real-time what devices are vulnerable. This is kind of cool in concept but not easy in execution.

    My concern is that they already have bought other products, which are completely jacked up and are still not fixed. I spent my Thanksgiving morning last year doing a disaster recovery on a Symantec Intruder Alert System...what a mess that product is...where is the high availability, the fault tolerance, etc.? Again...cool concept, crappy execution.

    This merger puts Symantec in direct competion with folks like eSecurityOnline, and I can tell you that for people already in bed with Symantec who have legal obligations to stay on top of vulnerabilities (e.g. Banks) this makes it a one stop shop for them. I see it as a conflict of interest. They should buy a couple of pen-test companies while they're at it and they can even validate their product implementations are secure ;)

    • As any security person (be he/she Guru or Technician) can tell you having a one-stop-shop app is A Bad Thing. Almost all of the security systems I've implemented in the past 8 years have been open-source (where I can see what's up) or have been a collection of simple apps where I can directly test the effectiveness and determine for myself whether it meets my requirements. Havine a monolithic black box for security just DOES NOT make me feel all warm and fuzzy. There is no amount of Saki which will do so in this case. Unfortunately, the world is becoming so overly point-and-click. It's too easy to sell an IT manager a singular panacea now. Caveat emptor, you say? But what if that makes it easier for some asshole to create multiple launch points for attacks? Being a good Netizen means making your system secure if for nothing else than to prevent it being perverted for use for attacking another's systems.
  • Not that I have anything against Symantec, but it depresses me to see a great resource such as SecurityFocus acquired by a company that notoriously blows the very thing people look to SecurityFocus to provide out of proportions.
  • Now Symantec can screw up SecurityFocus like they've screwed up everything else that was useful until they bought it!

    Sorry for the flamebait, but I've bought too many Symantec products over the years, and they seem to get worse with every revision. I remember when Norton Utilities was something beneficial, now I refer to that package as Norton Anti-System.

    Other fun past experiences with Symantec products have included Act, which was a big pile of poo, and WinFax, which was pretty good last time I used it, as long as you limited your use to a specific subset of it's advertised functionality.

    • >Now Symantec can screw up SecurityFocus like they've screwed up everything else that was useful until they bought it!

      Atguard is the perfect example of this...

      Tried systemworks with internet security 2002? well "DUDE you need a GHZ DELL" to run this thing, and what more does it give than the original atguard? well.. list updates, and some automated features that punches holes left and right therough the firewall, for "user's simplicity"'s sake... Everything slowed down to molasse and it's a shame.

      At least ghost is still working well and the improvements are nice, but that's the only product that I can only say good things about since it got acquired.


    • I agree. It is amazing how badly managed Symantec is.

      There are many stories to tell, so I'll tell only one. Once I was having a problem with a Symantec product and I called Symantec technical support and told them how much time I had lost over it. This time they actually had an answer: The problem was caused by another Symantec product.

      Microsoft wannabes.

      Symantec is not as badly managed as Microsoft, but they are putting in an impressive effort.
  • If Symantec wishes to maintain the bugtraq in similar fashion as it presently exists, why would they shell-out 75 million dollars when they could have just perused the site fo' free?

    Next is dotSymantec, subscribe for yearly fee to get AntiVirus software, updates, and security advisories...The Internet is beginning to suck, I'm going back to the library, some of those are still FREE!
    • This seems like a sign pointing out that Symantec only wants the SecurityFocus name.
    • It doesn't matter (Score:5, Insightful)

      by platypus (18156) on Wednesday July 17, 2002 @08:10PM (#3905682) Homepage
      If they believe they just need to shell out 75 million dollars for a stinking mailing list in order to contral an important part of the world's infrastructure, they are idiots.
      Getting something to work like bugtraq technically is absolutely no problem. A mailing list with 30000 subscribers, ok let it be 300000, isn't voodoo.
      The "selling point" of bugtraq is/was the trust many people have in them, the people which post there, their policy. If anything would cause people to mistrust them, it needs just one trusted guy from the security community to start a new list, and bugtraq is dead. I've even read a post that one alternative has already started.
      If someone like Dan Farmer, Wietse Venema or, for the hell of it, Bruce Schneier decided to start a bugtraq clone, the original would not stand a chance if its reputation had already been damaged.
      • If they believe they just need to shell out 75 million dollars for a stinking mailing list in order to contral an important part of the world's infrastructure, they are idiots.

        BUGTRAQ is not all the infrastructure controlled by SecurityFocus. Symantec is probably more interested in the world-wide sensors network.

        Furthermore, quite a few people already Cc other lists when posting to BUGTRAQ. (There are reports that BUGTRAQ moderators try to force submitters to make pointless changes to their articles.) Lately, BUGTRAQ hasn't seen many interesting discussions. I don't think it could get a lot worse...
  • As if they were the enemy or something...
    the enemy is NOT microsoft nor virus authors.
    the enemy IS those ignorant programmers that have no idea how to test their code to see if the CODE is vulnerable...

    Symantec taking over should have little effect on the amount of product they sell. They are simply heading into a new market and doing so by purchasing the leader in that market. By being ready for what may come, they can better attack the problems when they arrive and better serve their customer base.

    --Huck
    • No, the enemy is the script kiddies and worms that prey on low-hanging fruit. To defend against them, you need to know when an exploit is in the wild. Knowing when a vendor and/or Symantec made the problem the exploit exploits public is useless if it's too late. You want the most current information you can get... at least that way, you can just disable a service or do a work-around until a patch comes out. Do I trust a large corporation not to brush things under the rug in exchange for keeping other large corporations from being embarassed? No. Should you? Personal choice, I guess. I'll stick to IRC and the more arcane sites for info until I'm proved wrong. Word spreads fast these days, what with the internet and all...
  • by klp (169904) <klp@wired.com> on Wednesday July 17, 2002 @07:16PM (#3905430) Homepage
    At the company-wide meeting about the acquisition, Symantec president John Schwarz said repeatedly that Symantec is committed on the highest levels to keeping the SecurityFocus Web site [securityfocus.com] alive, and editorially independant. A written policy will set this out explicitly in the weeks to come.
    • by Quixote (154172) on Wednesday July 17, 2002 @07:43PM (#3905562) Homepage Journal
      "Editorial independance" (sic) lasts only as long as they don't get sued by Micro$oft over some trivial little exploit that gets posted on SecurityFocus. After that, "independance" goes out the window, and the answer is "how high?" (IYKWIM).
    • Are they going to make that a legally binding committment? How can it be enforced, and who will do the enforcing? Who has hiring and firing authority over the people who work on the list?

      Sorry. A management statement is one thing. Truth is something else. Often quite something else.

      Independence isn't a policy directive. It requires an organizational structure that supports it. At minimum. If the mailing list were maintained as a separate company under the same board of directors, I would still doubt that there was real independence, though at the day-to-day level I would accept that there could be a great deal of independence. But for any lesser degree of separation ... well, the less the degree of separartion, the more it looks like a PR statement rather than anything meaningful.

      Once upon a time Symantec made great products. Before it merged with Norton. And in those times, Norton also made great products. After the merger, both product lines went into a slump in quality from which I have not heard either recovered from. My guess is that there was a management change at that point, and the bean-counters took over from the technocrats. But this is just a guess from the outside.

  • They (the list administrators for securityfocus.com) have sent me this about a billion times now- one copy to each list I subscribe too. Then I check slashdot for a break from all the email spam and there it is again..

    So I guess that means that Symantec has acquired SecurityFocus. I also heard that Symantec has acquired SecurityFocus. And in related news, yeah, you guessed it- Symantec has acquired SecurityFocus.
  • Packetstorm..... (Score:2, Interesting)

    by micaiah (593598)
    Yeah this really is depressing. However, another site I like in case any of you are unaware is Packetstorm [packetstormsecurity.org]. I like it a lot and so far it hasn't sold out. :-(
  • Symantec claims that it SecurityFocus will still be "independent". It's possible, but unlikely. The true test will be how often a vulnerability shows up before Symantec releases a fix.
  • Other acquisitions (Score:4, Informative)

    by LiNT_ (65569) on Wednesday July 17, 2002 @07:51PM (#3905603)
    They also acquired Recourse Technologies and Riptech. Symantec corporate [symantec.com]
  • No kidding! [thestreet.com] Here's Riptech's press release [riptech.com] and Recourse's news [recourse.com]. This follows the purchase of MountainWave [mountainwave.com] earlier this month.

    Helevius

  • Mixed feelings... (Score:4, Interesting)

    by Rain (5189) <slashdot&t,themuffin,net> on Wednesday July 17, 2002 @08:00PM (#3905645) Homepage
    While it appears that Symantec will generally leave Bugtraq alone (not that it's been very useful for some time, imho), I don't really trust them.

    Let me provide my basis (petty as it may seem): I'm the system administrator at an ISP small enough that I do some of the tech support. I've seen NAV's mail scanner totally screw up peoples' mail settings enough times that I don't think quality is something they emphisize. To make matters worse, this problem tends not to be fixed by a reboot, and NAV will lock the mail server fields in OE (I don't think it can do that in Netscape/Mozilla, but I'm not sure) making it impossible to use the affected mail account without completely deleting it and readding it. Sometimes, disabling and re-enabling mail scanning will fix the problem, but that's not always the case.

    I used to prefer NAV over most other virus scanners (and some other Symantec products back in the days of MS-DOS), but I really think they've gone downhill in the past several years. I hope that the same fate doesn't come to Bugtraq--the list has already become bad enough.
  • Now I'm terrified.

    The company who's tech support told me "Sir, you shouldn't use that program, it's dangerous" when I called, as their customer, to ask how I could remove a so-called 'virus' from the scanning list.

  • SecurityFocus is an excellent asset to the security community and I do hope it manages to retain its journalistic independence through this whole process. I've been running my own small security portal/company the past few years - helps pay the college tuition and all. We do have very thorough daily coverage of news and significant vulnerabilities and the site has a Slashdot-esque feel...URL is in my sig if anyone wants to check it out.
  • This brings up the interesting point of what Symantec will do about employing people with felony convictions. Anyone know what Poulsen is going to do?
  • MSFT today announced the acquisition of Integrity [dictionary.com] for $358 billion(USD).

    This follows on the footsteps of several recent corporate buyouts, including the impending $5.8x10^300 (USD) Church of Scientology buyout of Truth [dictionary.com] and Morality [dictionary.com].

    Man, I am so glad I'm a fucking trans-national megacorporation. Suckas!
  • Editorial independence does not necessarily end if one company buys another. It is premature to assume that the quality of SecurityFocus (however you assess that) will materially change for the worse. Don't jump to conclusions until there is a reason to warrant the charges that are being thrown around.

    That said, if Symantec simply wanted to support the growth and dissemination of security-related information it could have paid for ads and provided technical resources to SecurityFocus, (however much that may have spurred charges of bias or interference) instead of buying it outright.

    The acquisition legitimately raises questions of conflict of interest.

    Will we see Symantec advertorial content written by product marketing managers? Will we see Symantec's products being touted as the solutions to problems and vulnerabilities?

    The most valuable commodity that SecurityFocus had was its independence (of ownership) from any of the product vendors. Without that independence there will always be doubt and doubters.

  • Is it just me or... (Score:2, Interesting)

    by ultrapenguin (2643)
    Has all the useful security news for *nix sites have been going down the drain lately?
    I mean, I am sure symantec is a great windoze security company, but what do they care about securityfocus?
    Now that website is probably going to be filled with even more useless HTML and crap
    bleh!

"It is better to have tried and failed than to have failed to try, but the result's the same." - Mike Dennison

Working...