Slashdot Mirror

← Back to Stories (view on slashdot.org)

Symantec To Buy VeriSign's Authentication Business

Posted by timothy on from the watch-that-basket-carefully dept.

overThruster writes "Security giant Symantec is taking another step toward global domination of the information security market with the purchase of VeriSign's authentication business. Back in April it purchased PGP Corporation and GuardianEdge. VeriSign is the best known Certificate Authority; they are virtually synonymous with certificates for SSL and PKI. It seems like this could dilute the trust value of their brand rather than enhance it. It is not clear yet what effects this will have on VeriSign customers but the cynic in me says it can't be good. In terms of putting all your eggs in one basket, this will sure make Symantec a juicy target for hackers (as if they weren't already). Imagine you could hack one company and control a large chunk of endpoint security software and the bulk of the Internet's public key infrastructure."

97 comments

  1. FP by Obstin8 · · Score: 5, Insightful

    Nothing good can come of this...

    1. Re:FP by MightyMartian · · Score: 4, Funny

      Oh look, Darth Vader has switched allegiances... to Sauron!

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    2. Re:FP by dgatwood · · Score: 4, Funny

      Actually, I think it's great. Symantec builds lousy, overpriced products, Verisign sells insufficiently verified, overpriced EV certificates. It's a match made in heaven. Better yet, we only have to hate one company instead of two, because what's left of Verisign should be mostly harmless.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    3. Re:FP by socceroos · · Score: 1

      Imagine you could hack one company and control a large chunk of endpoint security software and the bulk of the Internet's public key infrastructure.

      Similarly, Imagine how easy it is for governments and security agencies to get access to all this stuff when its from the one compromised company.

    4. Re:FP by Anonymous Coward · · Score: 0

      Is there anything that Symantec does by itself? Everything it sells it bought somewhere, added its logo, and made it slower...

    5. Re:FP by ILuvRamen · · Score: 0

      In fact, I would bet they're going to replace the verisign seal of a shrugging cartoon or some crossed fingers to accurately represent the new level of security.

      --
      Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
    6. Re:FP by BestNicksRTaken · · Score: 1

      Well yeah except HP is the other company who is buying up all the crap software; so now we only have Symantec and HP to hate, oh and I guess Novell (kernel) Microsoft (everything), Apple (Flash), Google (Streetview), IBM (malware) and Oracle (OpenSolaris). Wow, thinking about it, can any company do anything right?

      I actually tried PGP Desktop 10 the other day and it really is rubbish for 180 quid. Their registration server has been offline for 5 years their software won't work with any OpenPGP keyservers.

      Seahorse on Linux is a much better frontend, GnuPG2 a better backend, and I expect LUKS is a better full disk encryption system too (PGP's one is bound to have a backdoor) all for free too.

      --
      #include <sig.h>
    7. Re:FP by silverglade00 · · Score: 1

      Everything it sells it bought somewhere, added its logo, and made it slower...

      I think you figured it out. They use a 150GB logo file and just use height and width tags to shrink it to the right display size. That explains the slower-ness.

  2. Surely they can't... by dov_0 · · Score: 5, Funny

    Find a way to make SSL certification slow down your computer as well? Maybe they intend to slow down the whole internet?!?

    --
    sudo mount --milk --sugar /cup/tea /mouth /etc/init.d/relax start
    1. Re:Surely they can't... by MrEricSir · · Score: 4, Funny

      And once you install an SSL certificate, you'll never be able to completely remove it.

      --
      There's no -1 for "I don't get it."
    2. Re:Surely they can't... by Monkeedude1212 · · Score: 1

      They actually plan on making it like a worm, where it will check if the SSL Cert is there before duplicating it, but tricking applications into duplicating it anyways regardless if its there or not.

      Thus everytime you visit a site with an SSL cert, you bog down your computer just a little bit more.

    3. Re:Surely they can't... by ascari · · Score: 5, Funny

      Your computer is at risk!

      Your Symantec SSL subscription has expired. All your secrets are visible to all users on the Internet. Click HERE to renew your Symantec SSL subscription.

    4. Re:Surely they can't... by stimpleton · · Score: 1

      Moderation Score for this should be inverted: 70% insightful, 30% funny.

      And by funny, it would be "ha....ha....oh :( "

      --

      In post Patriot Act America, the library books scan you.
    5. Re:Surely they can't... by GaryOlson · · Score: 1

      AAAANNNNND....
      For a limited time, get a free cert to use on any other system. Just copy this link onto another computer, click on it, and your FREE certificate will secure your system against against unknown threats.

      --
      Every mans' island needs an ocean; choose your ocean carefully.
    6. Re:Surely they can't... by Trecares · · Score: 1

      Homer Simpson: NOOOOOO my secrets!

    7. Re:Surely they can't... by Meski · · Score: 1

      Mod parent as funny, with a bittersweet flavour.
      VM with a restore point is my answer.

  3. One single point of failure by orient · · Score: 1

    ... and failure is inevitable.

    --
    Laudele lor desigur m-ar mahni peste masura.
    1. Re:One single point of failure by marcansoft · · Score: 1

      Actually, tons of points of failure, each of which is equally critical. The PKI infrastructure is fundamentally flawed. Control VeriSign and you don't control the bulk Internet's public key infrastructure; you control the entirety of the Internet's public key infrastructure. Or you could control any other CA, or even any other intermediate CA. All it takes is one rogue or compromised CA to sign anything and everything that the attacker wants.

  4. Better than hacking one company... by Ryvar · · Score: 2, Insightful

    instead, imagine you were a government official with no interest in civil rights and could quietly "persuade" one company and have access to the Root Certificate Authority...

    1. Re:Better than hacking one company... by DigitAl56K · · Score: 1

      Imagine one company controlled this and PGP too. Oh wait...

      There's a lot of eggs ending up in one basket here...

  5. Surprised EMC didn't outbid them by crow · · Score: 1

    I'm surprised that EMC didn't outbid them to get the Verisign certificate business, as well as for PGP earlier. It seems like it would have been a great fit with RSA, and EMC has oodles of cash for acquisitions.

  6. Apple buy-out by Anonymous Coward · · Score: 0

    Apple should buy Symantec, move the PC security workers over to Mac security exclusively, and incorporate PGP technology into Mac OS X and iPhone OS, to produce the most security- and privacy-concious platforms in the industry.

  7. Maybe we'll ditch the hacks that are SSL and TLS. by Anonymous Coward · · Score: 0

    This might not be such a bad thing. Perhaps it will help encourage the community as a whole to ditch the shitty hacks that are SSL and TLS.

    If security is the problem, certificates are basically never a good answer.

  8. Symantec Rawks by Anonymous Coward · · Score: 0

    They have done wonders for Netbackup (soon be known as BackupExec Super Plus from Altiris and dropping non-Windows support)

    As for it being a single point of failure...no way. That would require them to actually integrate all the technology they buy...it's all still the same individual bits and pieces with updated panels and bitmaps....

    1. Re:Symantec Rawks by mlts · · Score: 1

      Since Symantec has multiple backup programs, I really wish they would take the codebases of their two lines, and use them to make a really good next generation backup program, that eventually would phase out both BE and NetBackup.

      For example, NetBackup allows for bare metal restores. But as soon as you restore, you must re-backup the box. Why not offer a facility to use the bare metal feature as a way to clone? Or shouldn't synthetic full backups be an innate part of the structure, like it is with TSM and Retrospect, while having the old fashioned full/incremental/differental structure available if someone wants it. Similar with deduplication. This should be something that is part of the core backup engine and backup file format, both on a file basis, as well as block by block (for things like duplicate VMs cloned from a single image.)

  9. But surely they run antivirus by Culture20 · · Score: 5, Funny

    Imagine you could hack [Symantec] and control a large chunk of endpoint security software and the bulk of the Internet's public key infrastructure.

    I'm sure they buy anti-virus and firewall software from a reputable vendor.

    1. Re:But surely they run antivirus by Anonymous Coward · · Score: 0

      sadly no; internally they're all windows xp machines with symantec crud on them. they had their own aurora problem, they just didnt tell anyone.

    2. Re:But surely they run antivirus by Anonymous Coward · · Score: 0

      On an OS that needs antivirus...

  10. as juicy targets go... by spazdor · · Score: 1

    Imagine you could hack one company and control a large chunk of endpoint security software and the bulk of the Internet's public key infrastructure

    Sure, that'd be a nightmare, if it was possible to "hack a company". If Symantec has any sense at all (and as a security company, they just might) they will keep the certificate authority separate from the antivirus update servers. There is no reason why rooting either one should be able to get you the other, whether they're controlled by the same company or not.

    --
    DRM: Terminator crops for your mind!
    1. Re:as juicy targets go... by McNihil · · Score: 1

      Well in the name of making everything more profitable and cheaper the consolidation of services will be done so that sooner or later the two offerings (AV and certs) will meet on the same server and an intruder will only need to root one machine. Its all about making money in every which way so the above is more true than anyone would like to think. Yes it is friggin sad.

    2. Re:as juicy targets go... by Cyberax · · Score: 1

      More likely, they'll use a Hardware Security Module which are pretty tough. So far, I'm not aware of any remote vulnerabilities in them.

      They even usually have a pretty good physical security.

    3. Re:as juicy targets go... by mlts · · Score: 1

      HSMs are pretty good. But if you manage to gain access as an authorized user or role with access to the key, you can go slaphappy signing/decrypting anything you want. And if this is a CA cert that is the top level for an enterprise, or a certificate signing an application, it might cause all kinds of trouble.

      This also applies to smart cards. I'm sure eventually there will be malware that can do a MITM attack when a user is using a smart card.

    4. Re:as juicy targets go... by Cyberax · · Score: 1

      "HSMs are pretty good. But if you manage to gain access as an authorized user or role with access to the key"

      That's the reason behind the HSMs. NOBODY can access the root key inside them. Usually, the root private key is kept in a strict physical security (http://en.wikipedia.org/wiki/Key_Ceremony).

      Also, ability to sign certificates doesn't allow you to decrypt the users' data. It only allows you to do a transparent MITM.

  11. Three models by tepples · · Score: 5, Insightful

    If security is the problem, certificates are basically never a good answer.

    How else should I be sure that I am communicating with the entity I think I am communicating with? I can think of three models: certificate authority, web of trust, and key continuity management. If you're referring to key continuity management, the approach used by SSH that makes sure that the key you're using matches the key you used last time, that doesn't work if you're behind an ISP that's all MITM all the time. (Yes, these exist in the wild; see bug 460374 at bugzilla.mozilla.org.) If you're referring to a web of trust based on the Bacon number of mutual face-to-face meetings at key signing parties between you and a company's CIO, that doesn't work for people who can't attend such parties in major-league cities.

    1. Re:Three models by Anonymous Coward · · Score: 0

      A certificate, no matter how much money is paid for it, doesn't guarantee that you're communicating with the entity that you think you're communicating with.

      The only way you can ever be sure is if you're using a dedicated connection where you can follow it from endpoint to endpoint, and can ensure that the endpoint opposite to you is where you actually think it is, and is being used by the entity you think is actually using it.

    2. Re:Three models by Pinky's+Brain · · Score: 1

      DNSSEC + RFC 2538

    3. Re:Three models by Pinky's+Brain · · Score: 1

      Oops, that RFC is obsoleted ... but you get the idea I hope.

    4. Re:Three models by tepples · · Score: 1

      RFC 4398 will work once the root, the major TLDs, and Go Daddy have deployed DNSSEC. At that point, the registrars will act as certificate authorities. But until that time, we rely on separate SSL and Authenticode CAs.

    5. Re:Three models by Peach+Rings · · Score: 2, Insightful

      It does (to a ridiculous degree of security, but not perfectly of course) guarantee that you're communicating with someone that VeriSign says is the entity you think you're communicating with. If you trust VeriSign (and essentially the entire internet does by default) then you can be sure.

      Although Thawte is apparently a bit better, I've never had any reason to distrust VeriSign. But I definitely do not trust Symantec. Their "internet security suite" is what we in the biz like to call shitware.

    6. Re:Three models by bastion_xx · · Score: 2, Informative

      You realize who owns Thawte????

    7. Re:Three models by Anonymous Coward · · Score: 1, Insightful

      Try to implement https per spec. Make sure to have nothing sharp near you. Then you will understand.

    8. Re:Three models by icebraining · · Score: 2, Insightful

      That's all nice and dandy, but it's also completely unfeasible. The problem isn't "how can I communicate completely securely", it's "how can anyone using a computer communicate with another through the Internet in the most secure way possible?"

      HTTPS may flawed, but it's the best solution we got. Yours isn't a solution to the given problem.

      --
      Dilbert RSS feed
    9. Re:Three models by jd · · Score: 2, Interesting

      Doubly so given all the various articles posted here on flaws in SSL safety - starting, many years ago, with someone obtaining Microsoft's root certificates by, well, asking for them. The use of NULLs to produce fake certificates that seem valid, the breakage of MD5-secured SSL certificates -- there has been no shortage of problems for the approach.

      The idea of webs of trust is that you can't go out and physically verify the path but you CAN ask others if they're confident that X really is X. In the event that you are on a system where there is a well-defined gateway that can establish a secure tunnel to a well-defined gateway adjacent to the end-point, you have two other points that you can verify. If you can be confident of getting to the gateway AND you are confident that the tunnel really is secure AND you are confident that the far end of the tunnel is who it is supposed to be, I really can't see you getting any safer than that.

      The question, though, is how to be sure that the certificates are genuine and are issued to the person or organization they're supposed to be issued to and haven't been forwarded on to anyone else. The first part would seem to require that certificates use hashing schemes still regarded as "safe" AND to require that any tampering (before or after) using NULLs or anything else would foul up the fingerprint. You must be capable of being 100% certain that what you see is what the computer sees is ALL of what the certificate requester submitted as the public information.

      The second part would seem to require that weak levels of trust be eliminated from the system. Digital certificates should inspire trust because they deserve it, not because 99% of people are either complacent sheep or suicidal lemmings. To do this, though, the trust must work both ways. The issuer of the certificate has to be just as trustworthy. That's doable. Tough, but doable. One option, borrowing from the idea of witnesses from legal frameworks, is that there must be a neutral third party that can countersign the signature as being between who the parties say they are.

      This suggests you want two webs of trust. One, of total strangers who can countersign as witnesses, and one of "friends" who can actively vouch for one or both parties (the more traditional web of trust). But countersigning the key only tells you the key is valid, it doesn't tell you the private half of the key exists only where it claims it does.

      Requiring that three points produce valid countersigned certificates would boost the confidence of that, as it requires two independent private keys be compromised. That is less likely than one private key being compromised. Certainly possible, but less likely. If the network ran IPv6 and the IETF doesn't remove any more of the security built into the protocol (and maybe adds a bit of it back), the odds of a stolen key passing inspection would be considerably reduced.

      The only thing I can suggest beyond that is that client-side authentication be imposed. Yes, it reduces anonymity, but you cannot both be sure the end-point is who they are supposed to be AND be sure the end-point is 100% anonymous. That doesn't work. Passwords and/or other user authentication verifies the user, but you also want to be sure that the machine the user is talking to is also the machine the server is talking to. Easiest way to do that is have the machine counter-sign the user's authentication data and then have the server query the client machine's certificate to ensure that the certificate matches the counter-signature. There are probably superior methods, but it's better to have a starting point than never start at all.

      As for the SSL protocol itself, it uses public-key cryptography. Far as I know, this is perfectly respectable. I'm not keen on the use of HMAC - T-TMAC is considered the most secure, from what I understand, although it's only really good for short messages. Which is fine, since you want the most security on the authentication section. If T-TMAC is used onl

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    10. Re:Three models by zippthorne · · Score: 1

      Who do I really need secure communications with?

      My email provider, for one. That's tricky. My email provider is Google atm, so I pretty much have to trust a certificate signer if I want to use gmail over https.

      But the other one is my bank. I'm totally cool with going to the branch office and picking up a biz-card CD, bar code, or whatever with the Bank's public key on it. Why should I have to trust a third party? Because my bank is lazy?

      --
      Can you be Even More Awesome?!
    11. Re:Three models by mlts · · Score: 3, Interesting

      Certificates are good and bad. If used in a smart WOT, they are great because if you have multiple people trusting someone, you know you are almost certain that that key belongs to that person.

      The bad is just blindly trusting root certificates, especially certs from countries who are hostile to the West, and who would be happy to certify with their CA a key belonging to a known bank, then occasionally poisoning DNS or routing queries to the fake site, so they don't get immediately caught.

      The best might be a combination all three. You have a "security cache" of keys or signed keys of places and people you have previously interacted with, which is crucial for ssh for the most secure communications. Next, you have a WOT with people you know trusting or not. Finally, you have a CA which may actually be valid, or not. CAs are really a part of WOT, and should be considered with little or no trust, compared to someone coming with (to continue the parent's example) a high Bacon number to yours. The only problem is someone who isn't familar with a WOT giving a key too high a trust that it deserves, but infiltration happens in every network, and with PGP or gpg, it is easy to mark a person's signatures as untrustworthy.

      This reminds me of something different: Maybe it is time to get people and start doing PGP/gpg keysigning parties [1] again. This way,

      [1]: Of course, there is the proper way of doing the key stuff. Send a list of public keys to the host, host prints out a list for everyone. Everyone then brings a copy of their key ID and hashes. Then go around matching the keys to the individual, perhaps asking for IDs, then circling the ones which pass the validity test. This way, no computers are used, and it is much harder to "compromise" someone's piece of paper showing vetted keys in the length of time it takes for them to leave the party and get home to sign everyone's keys and push the signatures to keyservers.

    12. Re:Three models by Meski · · Score: 1

      Because we're all lazy, to some point. We want something that's good enough to deter low-level attacks, so we trust certificates. We trust the little digipass tokens. (whilst wishing that they'd get their act together enough that one digipass could be used for many institutions)

    13. Re:Three models by emptycorp · · Score: 0

      HTTP already has mechanisms to validate and secure data, which no one can patent as it's a standard, thus we have the hacky SSL/TLS combo run proprietary by a few companies who basically control the internet.

      Technology has long suffered due to greed; anti-net neutrality anyone?

    14. Re:Three models by tepples · · Score: 1

      Who do I really need secure communications with?

      Any site that authenticates you using a name and password, for one, at least until every little blog, forum, and wiki starts taking your Gmail account over OpenID.

      I'm totally cool with going to the branch office and picking up a biz-card CD, bar code, or whatever with the Bank's public key on it.

      Some banks probably don't have branches in your area, such as Ally.

    15. Re:Three models by tepples · · Score: 1

      HTTP already has mechanisms to validate and secure data, which no one can patent as it's a standard

      Care to explain which mechanisms these happen to be? I've got a Google Search input field ready to take keywords or RFC numbers.

    16. Re:Three models by jd · · Score: 1

      Consider that one of the biggest area of vulnerabilities is social engineering. If you trust the person behind the till (about whom you know nothing) to hand you a legitimate public key (which, without a third-part, you can't verify), then fine and good. On the other hand, if that same unknown (who might easily be a social engineer who has bluffed his or her way to the counter) hands you a fake key and you CAN verify it by verifying that it has been counter-signed by someone you independently trust, THEN you have a lot more confidence in that key. You aren't dependent on the person being legit because they said so.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    17. Re:Three models by zippthorne · · Score: 1

      I dunno if I want to put my money in a bank I can't visit ever...

      --
      Can you be Even More Awesome?!
  12. What do they want certificates for? by Anonymous Coward · · Score: 0

    Now they can make virus that can generate valid SSL certificates!

  13. Symantec & information security by Zedrick · · Score: 3, Interesting

    ha ha ha.

    Not related to SSL and stuff like that, but anyway: a few years ago I got a job working doing technical support for Symantec. During training, I was first embedded with the customer service-people, and watched them sit talk to customers, while they took down credit card numbers and other details on paper, which were later thrown out the the general office-trash.

    A few days later I was supposed to do "technical training" with the so-called 2nd line support... The day I had to explain to one of them how to unlock the taskbar on Windows XP was the day I quit - after a total of 6 or 7 days of employment.

    And who buys their stuff anyway? I haven't touched any of it since then so I don't know if anything has improved, but I remember how the Norton Security-packages idea of protecting the computer was to slow it down to a crawl and basically block everything. Not to mention what a mess it is (was?) to remove it from the system...

    1. Re:Symantec & information security by carp3_noct3m · · Score: 1

      Few people that are sane buy their product, their main customers are OEM's, who they pay assloads to preinstall their shit, and the computer illiterate. The only even semi-ok symantec product is the corporate version, but even that sucks big donkey dick. I have also worked with their nightmare of a backup system, it is just as much crap. Oh and their support is even worse (source: GP)

      --
      "It's ok, I'm completely secure as long as my iron is off"
    2. Re:Symantec & information security by fusiongyro · · Score: 2, Interesting

      Most people make most of their purchases based on a blend of emotion and awareness. Computers are ubiquitous, computer skills are not. Therefore, there's a thriving market for products whose advertising makes you afraid of something and then they sell you the solution. It's the same in every industry. Symantec has a big name and they have lots of ads and people are afraid of the things their products pretend to protect them from. So it's a business model. And it doesn't matter if it's a shitty product if 95% of people think they need it and buying it makes them feel better, they'll do it. That's just life.

    3. Re:Symantec & information security by stonertom · · Score: 1

      Uninstalling Symantec products == reinstall

      --
      Shameless plugs and inaccessible site design FTW! - www.mistletoestreetmusic.com
    4. Re:Symantec & information security by Anonymous Coward · · Score: 0

      To be fair, technical support is like that everywhere. There's a reason it has a very high turnover rate.

    5. Re:Symantec & information security by Anonymous Coward · · Score: 0

      Everything they touch turns to dogshit. Does anyone remember SecurityFocus? It used to be a respectable place to read security related news. I remember reading about stuff like portsentry and the trisentry suite (prior to it's Cisco acquisition) and hardening apache. Good times. In 2002 they were acquired by Symantec and now the website looks like a parked domain. I should have known it was all going downhill when I first saw Symantec's "internet defcon" banner plastered on the front page. Sad really, I barely even remember why I stopped visiting, they kinda just faded away into obscurity. There used to be some great articles on that website.

    6. Re:Symantec & information security by Anonymous Coward · · Score: 0

      I have to say Symantec isn't that great although I sell it for a number of reasons even though I would never use it or recommend it to my customers over another brand. You see I have a business that competes with BestBuy, Staples, etc. Customers are dumb and while I want to push people to use free software and operating systems getting them there isn't always easy. It takes time. People aren't always ready to purchase a new computer and that is the best way to give them them a good free software experience. We also have to make money off the non-free software. When customers aren't ready to switch or purchase a new computer we need to maximize the profit and to do that Symantec is well- the best candidate. We can get Symantec's Norton product line licenses for resale really cheap in comparison to everybody else. From out stand-point Norton is easy to install and we haven't had any license key headaches compared to McAfee-the next price competitive product. Plus-have you tried McAfee? It's horrible. We still install whatever people would like/have. We're a services based business even though the products we sell make us extra $$.

      I also want you to know before we sell Symantec's Norton product we always warn people that anti-virus products are a quite fraudulent for a number of reasons in general. The way they are advertised and sold is deceiving. Paying more doesn't get you more and the "better" "360" product or "total" security product lines within the security industry sold by anti-virus companies don't protect the PC at all (and actually we don't even sell them for that reason). They actually add back-up and fraud monitoring services (not that we can't get you these things if you wanted them). Only the basic version or basic part protects the PC and even if you get that it doesn't actually do much which is why a MS Windows PC can get infected despite having anti-virus software installed. However I always add despite having said that there is little you can do to protect yourself so I'm not suggesting doing nothing. Rather there are three things you can do and two out of the three are user education. One is use a different web browser- Firefox- it's free you can download it. We do this for free for people. The other is keep MS Windows up to date and lastly anti-virus software. It is a multi-pronged approach and despite all of these things you are still vulnerable-but less so. Fortunately two of the three things won't cost you anything.

    7. Re:Symantec & information security by Anonymous Coward · · Score: 0

      We bought Altiris NS7.

      Good product to manage endpoints, though I personally would have rather hired a team of developers to roll out a similar system that was more in line with what we need.

      The problem I see with them is that it is always about FEATURES. Lets make sure this release has all the features, even if they are bloated or buggy.

      Hell, their web interface is built using .NET!
      and if you install the newest SP for 3.5 it breaks!

      Not saying I could build something better, but given the kind of money they charge for licenses, I think I could hire the right team of people to build a system far better.

      But I can't complain, I am getting a paycheck to deploy and maintain it (among my normal job duties).

    8. Re:Symantec & information security by mlts · · Score: 1

      Just like the PP, If I were to recommend an A/V defense to someone, I rather take the method of having strong locks on the doors as opposed to an alarm system that notifies if someone is already in. Here is what I'd do with Windows:

      First barrier to entry: A true hardware firewalling router. Unless the machine is a laptop which travels around, desktop boxes should not be facing the Internet if at all possible (and they are not doing server functions). Some services can be handled either by a port forward or a proxy.

      Second barrier to entry: If you can run Windows's software firewall with "No Exceptions" checked, do so. If not, try to cut out as many apps/ports as possible, or as least make the ports only accessible to the local subnet.

      Third barrier: Run as a user with no admin rights. If you can, do your system admin stuff under a "aausername", or a "usernamesu", which is a special user dedicated just to system admin functions that isn't root or admin. Yes, malware that infects a user is just one privilege escalation hole from superuser, but that is better than pwning the box just by claiming one user.

      Fourth barrier: A web browser protected by an ad filter add-on. Because a lot of websites use unscrupulous third party ad-rotators, it is way too common for malformed Flash or HTML to be used as a possible exploit (the Antivirus 2010 attacks for example.) AdBlock, Privoxy, or even PeerBlock with a subscription come to mind here. Web browser choice comes into play, but this is more of a religious issue once the ads are out of the picture.

      Fifth barrier: A basic A/V program. Enterprises need advanced reporting and auditing capabilities of Norton Endpoint Protection. SOHO users don't. So, I'd recommend something decent but lightweight like AVG, Avast!, or Microsoft Security Essentials, which are available (or have a version that is) at no charge.

      First layer for after the fact: An external drive and a backup program (Acronis TrueImage, EMC Retrospect, etc.). The backup program Windows Vista offers different features depending on the edition. So, it is best just to use a third party program that allows you to make a restore CD so the PC user can do a "bare metal" recovery if everything gets trashed, as well as being able to get at a file after it was accidentally deleted. I'd rather spend money on a good third party backup utility than some premium version of commercial antivirus [1]. Also, third party backup utilities support encryption.

      Second layer for after the fact: Mozy, Carbonite, or Backblaze. Say malware trashes your machine, your external drive, and everything else. This is why you use a keyfile and a remote backup service so you can get your documents back somehow. Since this is coming through the Internet, this is more of a last resort backup mechanism than anything else.

      [1]: This goes for home usage. Companies are better off using an enterprise level program so they have audit capability and ability to know that all boxes are protected.

  14. So, is Peter Norton going to show up? by filesiteguy · · Score: 1

    I can see his bespectacled face showing up on my website telling me I have a virus and that I'd be better buying the whole Norton Internet Suite from Symantec.

    --
    The Kai's Semi-Updated Website Thingy
    1. Re:So, is Peter Norton going to show up? by jelizondo · · Score: 1

      In a godawful pink shirt...

      --
      Be very, very careful what you put into that head, because you will never, ever get it out. - Cardinal Wolsey
    2. Re:So, is Peter Norton going to show up? by jelizondo · · Score: 1

      Sorry, screwed the link

      --
      Be very, very careful what you put into that head, because you will never, ever get it out. - Cardinal Wolsey
  15. the end is nigh by bloodhawk · · Score: 2, Insightful

    Fantastic, now when you install an SSL Cert your computer will slow to a crawl, to uninstall the cert will require a complete rebuilt/reimage.

  16. Symantec, as the guardian of 'net security? by ibsteve2u · · Score: 2, Insightful

    Might as well put your keyboard at the bottom of a six foot-deep vat of molasses...cold, cold molasses...and start training.

    --
    Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
  17. it's business by fusiongyro · · Score: 2, Insightful

    This is called diversification. Anti-virus is their flagship product, but the "benefit of the benefit" as they say in marketing is the warm fuzzy feeling of being secure. Well, certificates make people feel secure the same way AV does, so it fits the brand, so they're going to sell them. It's a great investment for them, I'm sure they'll make money on this deal.

    All the time here on Slashdot I see people trying to read a technological message in a business decision or action. If you're puzzled or outraged by whatever Apple or Symantec or whoever are up to, just follow the dollar signs. This makes business sense and there's nothing more outrageous about Symantec selling certs than anyone else. Really. It's just business. There's no meaning here.

    1. Re:it's business by AHuxley · · Score: 1

      You now have one firm with a deep love for the US federal government getting much more control over many aspects of computer security.
      If they get PGP and GuardianEdge with this deal too, average computers will be as open to federal agents as the US telco system is today.
      The ability of the feds to secure a persons electronic papers, by remote "reasonable" searches ... has just gotten a warm fuzzy boost.

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:it's business by thoughtsatthemoment · · Score: 1

      Someone selling you a lock doesn't mean they have access to you treasure. Please don't confuse PGP with Google.

    3. Re:it's business by fusiongyro · · Score: 1

      That's certainly an interesting take on it, but the government lately has been making it pretty clear that when they want something, they get it whether or not the firm is “cooperative.” Besides that, I don't think SSL is used to protect the kinds of communications the government would like to snoop. There's dozens of steganography programs out there you can use to hide malicious data out in the open with little chance of detection, and there are much stronger forms of encryption available that don't have a middle man taking money either. Even if this became a standard practice, it's hard to imagine how the government could either benefit from or defend a policy of watching people's credit card transactions go over the web. I'd worry more about mail but there are so many possible weak links in that chain and the amount of junk traffic is so high I doubt there's much to invest in that approach either.

    4. Re:it's business by AHuxley · · Score: 1

      policy of watching people's credit card transactions go over the web - thats what SWIFT is for - until some privacy laws upset things.

      --
      Domestic spying is now "Benign Information Gathering"
  18. Another step backward?! by Anonymous Coward · · Score: 0

    [...]Security giant Symantec is taking another step toward global domination[...]

    Did anyone else read that as "another step backward"?!

  19. Hmm... what will change? by Opportunist · · Score: 1

    Let's see. Symantec makes overpriced, underperforming security software you can't get rid of in a glossy, well designed box.

    So, essentially, the "secured by VeriSign" logo will look better.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  20. Trading in their last good card by Anonymous Coward · · Score: 0

    Verisign lost points with me on their handling of DNS.
    They'll lose all credibility once their certificates are gone. Symantec is laughed at by the few people who buy certificates.

  21. Obligatory by Anonymous Coward · · Score: 0

    At least they're unhackable; they have Norton after all.

  22. Symantec gives me headaches by LoudMusic · · Score: 2, Insightful

    The two Symantec products I use are the AV client / server line and Backup Exec. Both of which cause me nothing but trouble. This is going to be bad for everyone.

    --
    No sig for you. YOU GET NO SIG!
    1. Re:Symantec gives me headaches by QuantumRiff · · Score: 1

      Sigh... Backup Exec was so awesome before it got bought by Symantec.. So simple, and easy..

      Symantec has turned into he modern day CA. Its where good products go to die.

      Really, how is CA still in business? Most people can't even name their products!

      --

      What are we going to do tonight Brain?
    2. Re:Symantec gives me headaches by RMH101 · · Score: 1

      Remember Norton Ghost? Turned the best imaging programme I can think of into some sort of half-assed consumer-focussed crapware. From a bootable floppy that did it all to a bloated CD of shovelware that actually removed all the useful features. Also allowed Acronis to compeletly steal their market. Ugh.

  23. Symantec and the Feds by AHuxley · · Score: 2, Informative

    Thinking back to the feds getting their keystroke logging software whitelisted.
    http://en.wikipedia.org/wiki/Magic_Lantern_(software)#Symantec
    Then you have Symantec wanting to acquire the encryption companies PGP and GuardianEdge.
    Soon many PC's will run to end Symantec solutions for all their data security.
    Symantec: "The FBI's most trusted antiprivacy solution"

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re:Symantec and the Feds by Anonymous Coward · · Score: 1, Interesting

      Devil's advocate here: If a backdoor was found in PGP, (and so far none have been found, although there was the ADK issue about a decade ago), the company would be out of business immediately. People would ditch PGP for another solution in a heartbeat.

      Already, PointSec, BestCrypt, or TrueCrypt offer hard disk encryption. Encryption of files can be done by gpg, and folders by tar or zip and gpg. Virtual hard disks can be created in BestCrypt, TrueCrypt, or FreeOTFE. Public/private keys can be handled by gpg. E-mail security can be handled by gpg and GUI tools. S/MIME can also do email security, assuming the root certificates are trustable.

      If PGP is found to be untrustworthy, someone will step up to the plate and make a solution to replace it. However, I am sure in saying that this is not going to happen. PGP has had a great heritage since Zimmermann made it, with the commerical version coming from ViaCrypt. Symantec would not take the risk of ruining the goose that lays the golden eggs.

    2. Re:Symantec and the Feds by AHuxley · · Score: 1

      So did Enigma and CryptoAG.
      Thats the problem, the spooks can get their fast to plaintext hooks into most private products via patriotism, faith, profits, blackmail or the "promotion" of a more gov friendly competitor.
      By the time "public" maths and historians work out that it was all 'fixed', a generation has moved on. Investing in the next round of expensive, useless private solution.

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re:Symantec and the Feds by DarkOx · · Score: 1

      That is nice to think but nobody can replace PGP at this point. As you point out in your post there are other technical and in many cases better solutions to everything PGP does; really does not matter though. PGP is entrenched, in government and guess what government spending is AT LEAST 1/6th of the GDP now. Want to work with the DOD you have to use PGP. If you are already doing PGP with your biggest client you are going to prefer to use the same solution as much as possible. PGP is safe from all the but the most wanton bungling at this point.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  24. ... but smell worse. by zooblethorpe · · Score: 1

    Let's see. Symantec makes overpriced, underperforming security software you can't get rid of in a glossy, well designed box.

    So, essentially, the "secured by VeriSign" logo will look better.

    ... but smell worse.

    Cheers,

    --
    "What in the name of Fats Waller is that?"
    "A four-foot prune."
  25. Defacto Identity Authorty in For-Profit Hands? by artifactual · · Score: 1

    Something as fundamental to business and security on the internet as a certificate-authority, shouldn't be at the mercy of a private, for-profit business. Imagine if passports or driver's licences were controlled by a private company who could sell that operation to anyone they wanted.

    Even if Symantec were the most honest and scrupulous company in the world that could all change with no input from the real stake-holders, ie vritually everyone who uses the internet. They could make a mistake in their security procedures which aren't subject to outside scrutiny, they could sell the operation to someone else, etc.

    Of course this sale only highlights the problem. It was a problem before they bought it, too.

    1. Re:Defacto Identity Authorty in For-Profit Hands? by thoughtsatthemoment · · Score: 1

      shouldn't be at the mercy of a private, for-profit business.

      So you'd rather trust the government or the church? There many companies in the cert business and nobody is forcing you to use one over another.

    2. Re:Defacto Identity Authorty in For-Profit Hands? by artifactual · · Score: 1

      Yes I'd rather trust my government for issuing ID credentials. Would you trust a privately issued birth-certificate or passport over a government-issued one?

      There are of course plenty of governments around the world who I wouldn't trust to do this, but there are plenty (including mine) who I would trust more than any private company in this area.

      A private company is more likely to be bought, have their business practices changed in secret, or put profit above best-practice than the government of a developed, democratic nation. Not infinitely more likely, but a lot.

    3. Re:Defacto Identity Authorty in For-Profit Hands? by thoughtsatthemoment · · Score: 1

      Certs have to be centrally stored somewhere, and you want to give the government all the information willingly?

      The government of a developed, democratic nation

      I do remember the US invaded Iraq under false pretense and got away with it.

    4. Re:Defacto Identity Authorty in For-Profit Hands? by artifactual · · Score: 1

      Rather than a private company, yes. What do you imagine is the danger of the government storing certification information, that wouldn't exist (and probably to a greater extent) with a private company?

    5. Re:Defacto Identity Authorty in For-Profit Hands? by thoughtsatthemoment · · Score: 1

      There are many private companies so that information is distributed. And they don't have political power, at least not directly.

  26. This can't be good.. by Anonymous Coward · · Score: 0

    If other software solutions by Symantec are any indication of what is to come, this can't be a good thing. I can't wait for the nag screens and subscription renewal screens to be blasted at us left right and center.
    That's not to say that VeriSign itself is free of issues, but Symantec is known for their over-complicated, bloated, inadequate software, and they should focus on building a competing product.... Oh wait! They can't possibly compete with VeriSign! The only solution is to buy them out.

    Wonder what the competition bureau has to say about that. I know if Microsoft ever tried to by out such thing, bells and whistles would go off.

  27. not again... by lusid1 · · Score: 1

    Noooo.....

    Every time I kill off my "last" Symantec app, they buy something else I'm using. It takes them 12-18 months to kill a product, and it takes me 24 months to swap it out.

  28. Will that be Paypal or Cheque? by __aatirs3925 · · Score: 0

    I wonder if the transaction will take place through an SSL secure connection.

  29. Re:Personal certificates aren't THAT profitable.. by leonardofelin · · Score: 1

    Verisign's milk cow is their SSL certificates for websites.

    They need a huge infrastructure to analyse and issue personal certificates. Profit margins are a lot lower in this case.

    They're just cutting a not-so-profitable business and keeping their main income untouched.

  30. Windows sector dragging rest of Internet down by Burz · · Score: 0, Redundant

    ...into a black hole. These Symantec / Verisign / PGP mergers show how the utterly decrepit Windows PC market failure (desktop monopoly, plus a small handful of app vendors like Symantec) has made the Internet much more treacherous by failing to deliver reasonably secure systems. And now these incompetent and greedy beasts (who are in fact more interested in hobbling our computers to keep us on that 3-year upgrade cycle) are going to finish the job by devouring important Internet institutions.

    Symantec: The gross Microsoft toadies who not long ago tried to scare Mac users into buying their crapware with fevered stories of impending viral doom. Their white papers have the tone of 'buy into our security model you little mislead Unix neophytes, or your computers are gonna get it any day now!'

    BE VERY AFRAID OF THIS MERGER.

  31. No, you are Wrong by Burz · · Score: 1

    Symantec are not Google or Apple or even Microsoft. They will not even be Verisign after acquiring that company. Not all corporations have the same work culture and Symantec in particular are a bunch of MBAs who are sucking the life out of the computing field. If they all spontaneously combusted today, they would not be missed by anyone but their shareholders for more than 5 minutes.

  32. Thawte is part of the sale.... by Anonymous Coward · · Score: 0

    Just got an email from Thawte about our SSL Certs:

    "Upon closing of the transaction, Thawte and its retail and enterprise offerings will become part of the Security and Compliance Group at Symantec. Certain Authentication related brands and trademarks, such as the Thawte seal, will be included in the transfer to Symantec."

    Here is the whole email:

    Dear Thawte Customer,

    I am writing to inform you that VeriSign, Thawte's parent company, has signed a definitive agreement to
    sell our Authentication Services business to Symantec, a premier end-to-end Internet security provider
    with extensive distribution, broad product offerings and integrated service delivery. Upon closing of the
    transaction, Thawte and its retail and enterprise offerings will become part of the Security and
    Compliance Group at Symantec. Certain Authentication related brands and trademarks, such as the
    Thawte seal, will be included in the transfer to Symantec.

    In the last few years, the industry has seen consolidation in the security market, and we have heard
    repeatedly from you, our customers, of your interest in having our offerings integrated into a larger
    services suite. The combination of Thawte's SSL product lines with Symantec's broad portfolio of
    information security solutions delivers on this request. You will now be able to authenticate your
    business, secure your website and transactions, safeguard your corporate network, and protect
    employee accounts and devices with a suite of products from a single company.

    Over the years you have supported us with your business and helped guide us on our product
    development and company strategy. It is because of this that Thawte and parent company VeriSign have
    category-leading products and is a brand synonymous with trust on the Internet. I'd like to emphasize that
    we plan to continue this effort during the transition period and onward. Additionally, you can expect the
    following from us going forward:

    - Continued product support and service. All Thawte product and support contract obligations will
    be upheld. Nothing changes here. All support procedures, announced support timelines, and contacts
    remain unchanged, so please continue to use the same account management, sales, product,
    business and customer support channels you've been using.

    - Continued access to personnel and management. To help ensure a quick and seamless
    integration in conjunction with uninterrupted continuity of your services, Authentication Business leads
    Atri Chatterjee and Fran Rosch will remain with the business along with most of the Authentication
    Service employees. Additionally, your Thawte points of contact will remain the same throughout the
    closing process, which we anticipate will be within 60 to 90 days. Any changes after that will be
    announced well in advance ensuring that the transition is smooth.

    - Improved technology and product synergies. We expect customers will benefit from the broader,
    complementary product offerings brought by VeriSign and its brands with Symantec: from leveraging
    Symantec's security research and analysis technology to including strong authentication as a core
    component of data leak prevention.

    We are dedicated to bringing world class services to our world class customers. Please do not hesitate to
    reach out to your local point of contact if you have any questions or concerns.

    Thank you for your continued support.

    Sincerely,

    Mark McLaughlin
    President and CEO
    VeriSign, Inc.

  33. Security Systems by HTH+NE1 · · Score: 1

    Theora: What if some really dangerous people got control of it?
    Murray: Who do you think controls it now?

    --
    Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?