[ISN] Symantec official's quote rubs researchers the wrong way

From: InfoSec News (isnat_private)
Date: Tue Sep 16 2003 - 04:26:16 PDT


    By Sam Varghese
    September 12, 2003
    Security firm Symantec has rubbed subscribers to the Full-Disclosure
    mailing list the wrong way due to a quote attributed to its chief
    operating officer, John Schwarz.
    In a Wired story titled "Just Say No to Viruses and Worms", Schwarz
    was quoted as calling for laws to make it a criminal offence to share
    information and tools online which could be used by malicious hackers
    and virus writers.
    Since Symantec owns Security Focus which runs the Bugtraq mailing list
    - it was bought for $US75 million in July last year - there were those
    who were more than merely surprised by this quote.
    Consultant Richard M. Smith, who raised the issue on the list, said:
    "As we all know, when it comes to discussing information about
    computer security vulnerabilities, it is difficult to separate
    security uses of this information and hacking uses of the same
    information. For example, if Symantec were to get this law passed, are
    they prepared to see their employees who work on the Bugtraq email
    list go to jail?"
    Another subscriber, Andy Wood, said bluntly: "This is why
    SecurityFocus should not be considered a reliable source."
    In the past there have been questions raised whether a security
    company which owned such a list would hold back a vulnerability posted
    there by an independent researcher, in order that it could release its
    own advisory about the same vulnerability after first having informed
    its own customers.
    Jonathan Rickman, a third person to weigh into the discussion, said
    Symantec would just shut down BugTraq. "They don't want to see
    vulnerabilities discussed openly because that keeps them from being
    able to charge for advisories. The fact that these services still
    exist is due to their fear of community backlash, not corporate
    goodwill. Don't kid yourself, there are plenty of others out there
    just like them who would like nothing more than to make the so called
    'security community' an exclusive club open only to corporate types
    who see things their way," he said.
    Former black hat Thor Larholm said he hoped Schwarz had been
    misquoted. "You can't have any kind of research, whether it's security
    research online or academic research offline of any kind, without the
    very likely potential of bad guys having access to the same
    information and papers you release.
    "Following through on this would be equal to outlawing any kind of
    university research that could be used by 'bad guys', whatever form
    those might currently be - in effect, shutting down any kind of
    research," he opined.
    Asked whether Schwarz would like to clarify whether he had really
    meant that full disclosure should be legislated against, Symantec's
    Asia-Pacific public relations group manager Lindy Yarnold did not
    directly deal with the query but said: "Symantec fully supports
    information sharing on threats and vulnerabilities and believes it is
    an important tool for consumers and IT professionals to gain a measure
    of early warning of potential attacks."
    As proof of this she pointed out that the Bugtraq mailing list,
    "maintained as an independent entity under the SecurityFocus brand,"
    remained one of the most respected and open sources for security
    information and early alerting by security professionals worldwide.
    "Full disclosure is critical to the integrity of the Bugtraq
    community," she added.
    "With regards to cyber crime we need more and higher quality resources
    for law enforcement to work on computer forensics, and we need
    cooperation from government and industry to assist prosecutors in
    building cases against attackers," she said.
    "Given the increase in the number of security threats and the
    availability of online tools we also believe that the industry should
    focus on training and educating today's youth about the ethics of
    computer crime and its effects and impact on victims."
    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Tue Sep 16 2003 - 07:20:10 PDT