Information Security News mailing list archives

Symantec official's quote rubs researchers the wrong way


From: InfoSec News <isn () c4i org>
Date: Tue, 16 Sep 2003 06:26:16 -0500 (CDT)

http://www.smh.com.au/articles/2003/09/12/1063268553158.html

By Sam Varghese
September 12, 2003

Security firm Symantec has rubbed subscribers to the Full-Disclosure
mailing list the wrong way with a quote attributed to its chief
operating officer, John Schwarz.

In a Wired story titled "Just Say No to Viruses and Worms", Schwarz
was quoted as calling for laws to make it a criminal offence to share
information and tools online which could be used by malicious hackers
and virus writers.

Since Symantec owns Security Focus which runs the Bugtraq mailing list
- it was bought for $US75 million in July last year - there were those
who were more than merely surprised by this quote.

Consultant Richard M. Smith, who raised the issue on the list, said:  
"As we all know, when it comes to discussing information about
computer security vulnerabilities, it is difficult to separate
security uses of this information and hacking uses of the same
information. For example, if Symantec were to get this law passed, are
they prepared to see their employees who work on the Bugtraq email
list go to jail?"

Another subscriber, Andy Wood, said bluntly: "This is why
SecurityFocus should not be considered a reliable source."

In the past, questions have been raised about whether a security
company which owned such a list would hold back a vulnerability posted
there by an independent researcher, in order that it could release its
own advisory about the same vulnerability after first having informed
its own customers.

Jonathan Rickman, a third person to weigh into the discussion, said
Symantec would just shut down BugTraq. "They don't want to see
vulnerabilities discussed openly because that keeps them from being
able to charge for advisories. The fact that these services still
exist is due to their fear of community backlash, not corporate
goodwill. Don't kid yourself, there are plenty of others out there
just like them who would like nothing more than to make the so called
'security community' an exclusive club open only to corporate types
who see things their way," he said.

Former black hat Thor Larholm said he hoped Schwarz had been
misquoted. "You can't have any kind of research, whether it's security
research online or academic research offline of any kind, without the
very likely potential of bad guys having access to the same
information and papers you release.

"Following through on this would be equal to outlawing any kind of
university research that could be used by 'bad guys', whatever form
those might currently be - in effect, shutting down any kind of
research," he opined.

Asked whether Schwarz would like to clarify whether he had really
meant that full disclosure should be legislated against, Symantec's
Asia-Pacific public relations group manager Lindy Yarnold did not
directly deal with the query but said: "Symantec fully supports
information sharing on threats and vulnerabilities and believes it is
an important tool for consumers and IT professionals to gain a measure
of early warning of potential attacks."

As proof of this she pointed out that the Bugtraq mailing list,
"maintained as an independent entity under the SecurityFocus brand,"  
remained one of the most respected and open sources for security
information and early alerting by security professionals worldwide.  
"Full disclosure is critical to the integrity of the Bugtraq
community," she added.

"With regards to cyber crime we need more and higher quality resources
for law enforcement to work on computer forensics, and we need
cooperation from government and industry to assist prosecutors in
building cases against attackers," she said.

"Given the increase in the number of security threats and the
availability of online tools we also believe that the industry should
focus on training and educating today's youth about the ethics of
computer crime and its effects and impact on victims."


