Slashdot Mirror

← Back to Stories (view on slashdot.org)

Symantec to Acquire SecurityFocus

Posted by michael on from the woe-to-the-defeated dept.

cbv writes "Symantec Corp. today announced the acquisition of SecurityFocus for approximately US$75 million in cash. The press release reads, 'With this acquisition, Symantec will offer customers the most comprehensive, proactive early warning system across the broadest range of threats.' The transaction is expected to close by early to mid-August 2002."

13 of 200 comments (clear)

  1. Conflict of Interest? by darylp · · Score: 5, Insightful

    Will we be seeing more minor security issues inflated to cataclysmic proportions just so Symantec can sell a few more virus scanners?

    1. Re:Conflict of Interest? by tcc · · Score: 5, Insightful

      I'd be more worried about them *NOT* releasing some security issues of those 800 pounds gorilla that promotes security through obscurity instead of writing safer code.

      Symantec is a corporation after all. If let's say, a certain company would cut them vital information required for the lowlevel of the system so that their antivirus technology work effectively (on their future OS), well I can see a very *VERY* persuasive effort that could just work.

      I am happy for the people at security focus if it pays off their hard work, but I am worried about the quality and most importantly, the neutrality of the service that will result from this acquisition.

      --
      --- Metamoderating abusive downgraders since my 300th post.
  2. What Aleph1 has to say... by fungus · · Score: 5, Interesting

    From: aleph1@securityfocus.com [mailto:aleph1@securityfocus.com]
    Sent: Wednesday, July 17, 2002 5:28 PM
    To: bugtraq@securityfocus.com
    Subject: Administrivia: Symantec acquiring SecurityFocus

    Good day,

    Today, SecurityFocus and Symantec announced that Symantec is acquiring
    SecurityFocus. Symantec sees real value in the services SecurityFocus
    provides to its customers and believes they are an excellent fit with
    their current offerings. We at SecurityFocus see this as an opportunity to
    provide even better services for the security community.

    Symantec recognizes the value and uniqueness of the public services
    SecurityFocus provides to the community, such as the numerous mailing
    lists we host and the content we provide via the SecurityFocus Online web
    site.

    In particular, Symantec and SecurityFocus want to ease any fears as to
    whether the character of this mailing list will change.

    Frequently Asked Questions:

    Q. What is the Symantec strategy for keeping data sources?

    A. We believe it is critical to maintain the integrity of the existing
    security community currently part of the SecurityFocus portal and
    Bugtraq mailing list.

    Q. What is Symantec's disclosure policy?

    A. Symantec believes in responsible vulnerability disclosure and is active
    in initiatives to set best practices in this area. Our first priority
    is to help our customers protect their computing assets by providing
    tools and information to safeguard their systems.

    We will work with vendors, if we discover vulnerabilities in other
    products, to report and investigate the issue in a thorough and timely
    fashion, in the same way that Symantec will work with other security
    researchers if they find an issue with any Symantec technology.

    We observe a 30-day grace period after the notification of a security
    advisory to give users an opportunity to apply the patch. During this
    grace period, we provide our customers significant information about
    the vulnerability and the fix, but not step-by-step instructions for
    exploiting the vulnerability. We do not provide detailed exploit code
    or provide samples of malicious code except to other trusted security
    researchers and in a secured manner.

    Q. Will Symantec change SecurityFocus' vulnerability reporting policy?

    A. We believe that in order for the SecurityFocus/Bugtraq community to be
    effective, it must be an independent entity. We believe that its
    current disclosure policy is appropriate for the venue. Symantec will
    continue to operate with its separate disclosure policy.

    Sincerly,
    Elias Levy, David Ahmad,
    and the rest of the SecurityFocus staff

  3. Prediction! by Codex+The+Sloth · · Score: 5, Interesting

    Prediction: Symantecs products are going to suddenly become very secure.

    --
    I am not a number! I am a man! And don't you ... oh wait, I'm #93427. Ha ha! In your face #93428!
  4. Loss of credibility by BobRoss · · Score: 5, Insightful

    This buyout (sellout?) makes the site a lot less credible in my opinion. They are simply going to use the site to sell more virus protection software.

  5. symantec will NEVER be secure by GoatPigSheep · · Score: 5, Insightful

    their products will never be secure as long as they do not detect the fbi's spy software.

    --
    GoatPigSheep, the 3 most important food groups
  6. I think they'll need new servers.... by reaper20 · · Score: 5, Funny

    The contest is on...

    Which will be worse, the slashdot effect or the mass unsubscribes pounding the mailing lists??

  7. Full Disclosure Mailing List by eejack · · Score: 5, Informative

    There was a new list started about 2 weeks ago, directly because of this potential issue:

    Here was the announcement:

    Subject: Announcing new security mailing list

    We are pleased to announce the creation of a new security mailing list
    dedicated to FULL DISCLOSURE. When Scott Chasin handed over the bugtraq
    mailing list, it was clearly dedicated to the immediate and full
    dissemination of security issues. The current bugtraq mailing list has
    changed over the years, and some of us feel it has changed for the worse.

    If you believe in full disclosure, and wish to participate in unfettered,
    and unmoderated discussions, please feel free to subscribe to the new
    mailing list by accessing http://lists.netsys.com

  8. this is the company that would allow magic lantern by NetBoy · · Score: 5, Insightful
    Hmmm, this reminds me of something, lets see....

    Ahh, Symantec pledges to acquiese to FBI backdoor demands

    This is a real problem and needs to be addressed.

    Has Symantec policy changed with respect to things
    like magic lantern and so forth?

    bugtraq. Poof.

  9. Where is Symantec headed? by drew_ri · · Score: 5, Informative
    This is interesting news. It is a loss to the security community at large, since securityfocus was such a great resource, although once they went commercial it lost a lot of its appeal to me. Symantec is really positioning itself to be the M$ of security here. About 8 months ago, I was at a meeting with some of their top Sales and Product Dev. folks, and they presented their offerings roadmap. It included an appliance which would:

    Serve as a FW/VPN

    Act as a network IDS

    Serve as a management console for Host IDS

    Act as the A/V Manager
    Because they have agents installed on every machine when you run Intruder Alert, NAV, or other tools, it would allow them to sync up the status of a host, network, etc. with the mothership at Symantec-Focus, and determine in real-time what devices are vulnerable. This is kind of cool in concept but not easy in execution.

    My concern is that they already have bought other products, which are completely jacked up and are still not fixed. I spent my Thanksgiving morning last year doing a disaster recovery on a Symantec Intruder Alert System...what a mess that product is...where is the high availability, the fault tolerance, etc.? Again...cool concept, crappy execution.

    This merger puts Symantec in direct competion with folks like eSecurityOnline, and I can tell you that for people already in bed with Symantec who have legal obligations to stay on top of vulnerabilities (e.g. Banks) this makes it a one stop shop for them. I see it as a conflict of interest. They should buy a couple of pen-test companies while they're at it and they can even validate their product implementations are secure ;)

  10. Re:The new BugTraq by kir · · Score: 5, Insightful

    While exaggerated, I think your post is probably and example of the future of any mailing list done by SecurityFocus. Sad. Symantec always seemed cheap and sleezy to me while SecurityFocus at least tried to be legitimate.

    With this purchase, SecurityFocus' credibility (at least with me) has gone out the window. I can't see how they can continue to be credible when they've got a company in charge that ONLY cares about the bottom line. Just look at their irresponsible virus warnings (as you've so clearly demonstrated). Boooooo!

    --
    3cx.org - A truly bad website.
  11. It doesn't matter by platypus · · Score: 5, Insightful

    If they believe they just need to shell out 75 million dollars for a stinking mailing list in order to contral an important part of the world's infrastructure, they are idiots.
    Getting something to work like bugtraq technically is absolutely no problem. A mailing list with 30000 subscribers, ok let it be 300000, isn't voodoo.
    The "selling point" of bugtraq is/was the trust many people have in them, the people which post there, their policy. If anything would cause people to mistrust them, it needs just one trusted guy from the security community to start a new list, and bugtraq is dead. I've even read a post that one alternative has already started.
    If someone like Dan Farmer, Wietse Venema or, for the hell of it, Bruce Schneier decided to start a bugtraq clone, the original would not stand a chance if its reputation had already been damaged.

  12. Aleph1; and, all good things come to an end. by satch89450 · · Score: 5, Insightful

    We believe that in order for the SecurityFocus/Bugtraq community to be effective, it must be an independent entity. We believe that its current disclosure policy is appropriate for the venue. Symantec will continue to operate with its separate disclosure policy.

    Pretty words, Mr. Levy and Mr. Ahmad. Now where is the proof?

    Those of us who are working journalists remember the transition of ABC News under Roone Arlege from Cronkite-esque "news" to "entertainment" -- and know that "independence" is a very fragile concept, one that can be crushed very quickly and with little fanfare at any level including the board room. All it takes is one vote of no-confidence on the part of the management to completely change the editorial head, and thus the independence of SecurityFocus. You most likely mean well -- can the same be said of your bosses? Can you point to one Symantec acquition that proved that editorial independence has been achieved in the long run?

    I was an expert witness at a multi-million dollar trial because a well-respected computer magazine's editorial staff prostituted themselves to shore up a bad space-sales management decision. It only takes one episode to sully the good name of a publication. (The name of the publication is withheld from public statement to protect the guilty and to keep me out of civil court for defamation.)

    I'm happy you were able to get a pile of money, but don't think that SecurityFocus will be viewed the same way. Now, if you had made the sale to an outfit like O'Reilly, the SecurityFocus name would have retained its luster and elan in the industry.

    All good things must come to an end. Thanks for all the fish.