Security News > 2003 > September > Symantec official's quote rubs researchers the wrong way
http://www.smh.com.au/articles/2003/09/12/1063268553158.html By Sam Varghese September 12, 2003 Security firm Symantec has rubbed subscribers to the Full-Disclosure mailing list the wrong way by due to a quote attributed to its chief operating officer, John Schwarz. In a Wired story titled " Just Say No to Viruses and Worms", Schwarz was quoted as calling for laws to make it a criminal offence to share information and tools online which could be used by malicious hackers and virus writers. Since Symantec owns Security Focus which runs the Bugtraq mailing list - it was bought for $US75 million in July last year - there were those who were more than merely surprised by this quote. Consultant Richard M. Smith, who raised the issue on the list, said: "As we all know, when it comes to discussing information about computer security vulnerabilities, it is difficult to separate security uses of this information and hacking uses of the same information. For example, if Symantec were to get this law passed, are they prepared to see their employees who work on the Bugtraq email list go to jail?" Another subscriber, Andy Wood, said bluntly: "This is why SecurityFocus should not be considered a reliable source." In the past there have been questions raised whether a security company which owned such a list would hold back a vulnerability posted there by an independent researcher, in order that it could release its own advisory about the same vulnerability after first having informed its own customers. Jonathan Rickman, a third person to weigh into the discussion, said Symantec would just shut down BugTraq. "They don't want to see vulnerabilities discussed openly because that keeps them from being able to charge for advisories. The fact that these services still exist is due to their fear of community backlash, not corporate goodwill. Don't kid yourself, there are plenty of others out there just like them who would like nothing more than to make the so called 'security community' an exclusive club open only to corporate types who see things their way," he said. Former black hat Thor Larholm said he hoped Schwarz had been misquoted. "You can't have any kind of research, whether it's security research online or academic research offline of any kind, without the very likely potential of bad guys having access to the same information and papers you release. "Following through on this would be equal to outlawing any kind of university research that could be used by 'bad guys', whatever form those might currently be - in effect, shutting down any kind of research," he opined. Asked whether Schwarz would like to clarify whether he had really meant that full disclosure should be legislated against, Symantec's Asia-Pacific public relations group manager Lindy Yarnold did not directly deal with the query but said: "Symantec fully supports information sharing on threats and vulnerabilities and believes it is an important tool for consumers and IT professionals to gain a measure of early warning of potential attacks." As proof of this she pointed out that the Bugtraq mailing list, "maintained as an independent entity under the SecurityFocus brand," remained one of the most respected and open sources for security information and early alerting by security professionals worldwide. "Full disclosure is critical to the integrity of the Bugtraq community," she added. "With regards to cyber crime we need more and higher quality resources for law enforcement to work on computer forensics, and we need cooperation from government and industry to assist prosecutors in building cases against attackers," she said. "Given the increase in the number of security threats and the availability of online tools we also believe that the industry should focus on training and educating today's youth about the ethics of computer crime and its affects and impact on victims." - ISN is currently hosted by Attrition.org To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY of the mail.
News URL
http://www.smh.com.au/articles/2003/09/12/1063268553158.html