lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.BSO.4.55.0608012203400.26783@vikki.vulnwatch.org>
Date: Tue, 1 Aug 2006 22:22:02 -0500 (EST)
From: Chris Wysopal <weld@...nwatch.org>
To: secure@...antec.com
Cc: bugtraq@...urityfocus.com
Subject: Re: SYM06-013 Symantec On-Demand Protection Encrypted Data Exposure



On Tue, 1 Aug 2006 secure@...antec.com wrote:

> Symantec has posted a Security Advisory for Symantec On-Demand Protection.
> PLease see the advisory for complete information:
>
> http://www.symantec.com/avcenter/security/Content/2006.08.01a.html

This Symantec posting contains minimal security information.  In December
2000[1] @stake modified their Bugtraq postings to include a small amount
of security information and a link back to the @stake website where the
full advisory resided.  The intention was to have a bit more control over
the way people viewed the advisories.  They would be viewed on the @stake
website only and not serve as content for for-profit advertising supported
websites.  The advisory could also be updated if there were errors or
updates and it would serve as the canonical reference.

Elias Levy, the Bugtraq moderator at the time, rejected the posting on the
grounds that it contained minimal security information.  His reasoning was
that forcing people to go to an additional website was inconvenient and
that if the advisory website ever went away the original advisory would be
lost.  He had a good point and @stake changed back to the old format.

One of the ironies of the security world is Symantec purchased
SecurityFocus and then later @stake.  After purchasing @stake, Symantec
removed the @stake advisory archive, thus bringing Elias' fear to reality.

Elias' reasoning still holds true today.  Companies come and go, are
acquired or change course.  Symantec should post its full advisories to
the list and so should everyone else.

-Chris

1. Bugtraq: Administrivia & AOL IM Advisory,
   http://seclists.org/bugtraq/2000/Dec/0197.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ