Symantec Acquires SecurityFocus – Good or Evil?

The Crocodile tcroc@pasture.com

http://www.pasture.com/~tcroc

07-18-2002

On Wednesday, July 17th, 2002, SecurityFocus was purchased by Symantec Corporation for $75 million in cash. SecurityFocus is the owner and moderating company of many notable and important mailing lists, including Bugtraq, VulnDev, SecurityJobs, and even SecurityBasics (among many others). Straight from the SecurityFocus web page, their description reads like this:

“SecurityFocus is a leading provider of enterprise security threat management systems. SecurityFocus provides customized and comprehensive alerts of impending cyber attacks worldwide - with countermeasures to prevent attacks before they occur - enabling companies to mitigate risk, manage threats, and ensure business continuity. The company also licenses the world's largest, most complete vulnerability database, hosts the most popular security community mailing list, Bugtraq™, and publishes original security content at www.securityfocus.com.”

Symantec Corporation was founded in 1982 and did an IPO in June of 1989. Symantec is arguably one of the premier corporations in the world when it comes to virus detection and eradication. Symantec describes itself as follows on its web page:

“Symantec, the world leader in Internet security technology, provides a broad range of content and network security software and appliance solutions to individuals, enterprises and service providers. The company is a leading provider of client, gateway and server security solutions for virus protection, firewall and virtual private network, vulnerability management, intrusion detection, Internet content and e-mail filtering, and remote management technologies and security services to enterprises and service providers around the world. Symantec's Norton brand of consumer security products is a leader in worldwide retail sales and industry awards. Headquartered in Cupertino, Calif., Symantec has worldwide operations in 38 countries.”

While much of corporate America will see the purchase of SecurityFocus by Symantec as a very positive thing for the industry, especially the people that made out very well in the transaction, I, as a security professional, mourn the loss of a positive source of intelligent information and a chunk of our community.

I’m sure many of the security professionals out there don’t mind this purchase and actually think that by pushing SecurityFocus under the wing of a more “responsible” big-brother figure they will thereby get additional responsibility out of the mailing list and reader constituency. The upper management of both companies will suggest that by merging, they will somehow allow “responsible disclosure” as opposed to the “full disclosure” policy used by SecurityFocus in previous incarnations. Some will try to claim that Symantec will be able to keep a political division between SecurityFocus and Symantec. Yes, for the first few months, or even possibly quarters, there won’t be much, if any, change in the mailing lists and focused intelligent content on the SecurityFocus web site. These suggestions are most likely true; however, is that what you want one of our most noted security portals to become?

The ability to divide the two companies will only last for a short period, that is, until the management of Symantec can figure out the correct way to capitalize on the purchase that they just made. The revenue model of SecurityFocus won’t be enough to justify the purchase of the company at the inflated price that Symantec paid for them. As a whole, you will end up seeing the security policy and beliefs of a single corporation (Symantec), with a vested interest in the outcome, being pushed onto what once was a free-expression, nearly-anything-goes, moderated, technology-based mailing list. In the FAQ that SecurityFocus published to announce the purchase, it states the following:

Q:  What is Symantec’s Disclosure Policy?

A:  Symantec believes in responsible vulnerability disclosure and is active in initiatives to set best practices in this area. Our first priority is to help our customers protect their computing assets by providing tools and information to safeguard their systems. We will work with vendors, if we discover vulnerabilities in other products, to report and investigate the issue in a thorough and timely fashion, in the same way that Symantec will work with other security researchers if they find an issue with any Symantec technology. We observe a 30-day grace period after the notification of a security advisory to give users an opportunity to apply the patch. During this grace period, we provide our customers significant information about the vulnerability and the fix, but not step-by-step instructions for exploiting the vulnerability. We do not provide detailed exploit code or provide samples of malicious code except to other trusted security researchers and in a secure manner.

I have underlined (and colored for those who are reading this in HTML format) some of the points that I wish to bring up. “Our first priority…” Symantec’s first priority, contrary to what they are saying here, is to make money. They are a publicly traded company whose primary focus really is that of making shareholders happy and rich. It would be in their best interest financially to be able to monitor the pulse of the security industry, gather information faster, and hold it in escrow for a longer period of time than any other security company out there. That will give them a business advantage over their competitors. By owning what many consider to be the foremost mailing list on security related information, they will not only be able to see things submitted prior to putting it on the list, but they will have the ability to use that knowledge whenever they see fit.

“We observe a 30-day grace period…” If you go back to the original Bugtraq lists, prior to SecurityFocus, when the security community was much smaller and truly “hacker” oriented, there was a 0-day grace period. If a researcher found something interesting, it was posted almost immediately. This forced companies to be on their toes and to fix their products in a very short time frame. As the security community matured, many researchers worked directly with the manufacturer for a short period of time to ensure that a proper patch would be available prior to releasing the vulnerability on Bugtraq. Either way, Bugtraq would release the information on their lists as soon as it hit their doorstep. That was because they didn’t stand to make any money on withholding the information from the general public. Now that there is a large amount of money involved, business relationships between Symantec and other companies, as well as the potential for lawsuits (yes, this is now a potential in our litigious society), Symantec can, and most likely will, end up enforcing what they consider “Responsible Disclosure” onto the members and research contributors of the mailing lists. This is unacceptable. The direct result of this action will be to drive the people that are researching the incidents and discovering the vulnerabilities further underground. It will result in the security researcher releasing their information in small circles. These circles will invariably leak the vulnerabilities (either directly or through blackhat hacks of their machines) to people who WILL use the vulnerability for evil purposes. The researchers don’t want their information and discoveries to be the cash cow for the company that is currently running the mailing lists, while at the same time they don’t want their information to necessarily be used for illegal practices.

As much as I liked the maturity that has occurred within the last few years in the information security field, I can’t agree with a mailing list of this magnitude being owned by a single corporation like Symantec. The negative effects are just going to be too grand.

“We do not provide detailed exploit code…” The Symantec policy does not produce exploit code for release to the general public; however, they state that they can and will share this exploit code with outside “trusted” security engineers. So what we have here is the classic little circle of information. This inner circle, no matter how tight and how linked, will eventually leak the information to non-trusted persons. That is just a matter of indisputable fact. So why try?! One can only hope that for the sake of “business” and making more money for Symantec, they don’t decide to push this policy onto the mailing list. If they do make this decision, the mailing list will perish.

In conclusion, I mourn the loss of a positive source of intelligent information and a chunk of our community. The future for Bugtraq, and the other previously SecurityFocus-moderated mailing lists, is bleak. When corporations of this magnitude become involved, there is less and less reason to listen to the people and more of a reason to listen to the businesses and governments that are involved. I sincerely hope that Symantec is able to find a way to keep the integrity of the SecurityFocus mailing lists intact; however, I find the chances to be very slim. Elias Levy himself sent this email in support of full disclosure about a year ago. Let’s see if he stays with Symantec long enough to keep them honest.

From: aleph1@securityfocus.com
Date: Fri Aug 10 2001 - 14:15:38 CDT

Without detailed information:

  How should third parties develop countermeasures? In essence you are arguing that only the vendor should be capable of fixing the vulnerable software.

  How should authors of vulnerability scanners and intrusion detection systems obtain information to produce new signatures? You may answer that only qualified security vendors should have access to the information. Who qualifies them? Who enforces these rules? What about non-commercial or open source tools?

  How should academics obtain information for research purposes? You may answer that only qualified security vendors should have access to the information. Who qualifies them? Who enforces these rules?

  How should users verify the vendor fix works as described? Some vendors have a history of requiring a few revisions of a patch to get it right.

  What do you do if the vendor is not cooperating, does not maintain the product any longer, or no longer exists?

  Unless you can answer all these questions successfully you will continue to see detailed disclosure of vulnerabilities.

  What it boils down to is this: disclosure of detailed vulnerability information benefits security conscious people, while, in the short term, hurts people that do not keep up with security, with the hope that it also helps them in the longer term.

  Will security conscious people give up the benefits of detailed disclosure of vulnerability information to help mitigate the short term risk of people that are not keeping up with security? Doubtful.

-- 
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum


What can we do to fix the issue? I move to suggest a new mailing list. Something that is not corporate run, with no political agendas, yet moderated for junk/spam/advertisements. Run by people who don’t enforce ANY policy of disclosure. If the post arrives and has merit, post it. If the post has legitimate information, post it. If the post has exploit code, post it. No bullshit and no hiding behind disclosure this and disclosure that. I don’t give Symantec all that much trust in running my security lists. I sincerely hope they are able to keep the integrity and point-blank attitude that Bugtraq once had. Only time will tell.