Symantec To Buy VeriSign's Authentication Business

overThruster writes "Security giant Symantec is taking another step toward global domination of the information security market with the purchase of VeriSign's authentication business. Back in April it purchased PGP Corporation and GuardianEdge. VeriSign is the best known Certificate Authority; they are virtually synonymous with certificates for SSL and PKI. It seems like this could dilute the trust value of their brand rather than enhance it. It is not clear yet what effects this will have on VeriSign customers but the cynic in me says it can't be good. In terms of putting all your eggs in one basket, this will sure make Symantec a juicy target for hackers (as if they weren't already). Imagine you could hack one company and control a large chunk of endpoint security software and the bulk of the Internet's public key infrastructure."

FP

[Obstin8]

Nothing good can come of this...

Re:FP

[MightyMartian]

Oh look, Darth Vader has switched allegiances... to Sauron!

Re:FP

[dgatwood]

Actually, I think it's great. Symantec builds lousy, overpriced products, Verisign sells insufficiently verified, overpriced EV certificates. It's a match made in heaven. Better yet, we only have to hate one company instead of two, because what's left of Verisign should be mostly harmless.

Re:FP

[socceroos]

Imagine you could hack one company and control a large chunk of endpoint security software and the bulk of the Internet's public key infrastructure.

Similarly, Imagine how easy it is for governments and security agencies to get access to all this stuff when its from the one compromised company.

Re:FP

[BestNicksRTaken]

Well yeah except HP is the other company who is buying up all the crap software; so now we only have Symantec and HP to hate, oh and I guess Novell (kernel) Microsoft (everything), Apple (Flash), Google (Streetview), IBM (malware) and Oracle (OpenSolaris). Wow, thinking about it, can any company do anything right?

I actually tried PGP Desktop 10 the other day and it really is rubbish for 180 quid. Their registration server has been offline for 5 years their software won't work with any OpenPGP keyservers.

Seahorse on Linux is a much better frontend, GnuPG2 a better backend, and I expect LUKS is a better full disk encryption system too (PGP's one is bound to have a backdoor) all for free too.

Re:FP

[silverglade00]

Everything it sells it bought somewhere, added its logo, and made it slower...

I think you figured it out. They use a 150GB logo file and just use height and width tags to shrink it to the right display size. That explains the slower-ness.

Surely they can't...

[dov_0]

Find a way to make SSL certification slow down your computer as well? Maybe they intend to slow down the whole internet?!?

Re:Surely they can't...

[MrEricSir]

And once you install an SSL certificate, you'll never be able to completely remove it.

Re:Surely they can't...

[Monkeedude1212]

They actually plan on making it like a worm, where it will check if the SSL Cert is there before duplicating it, but tricking applications into duplicating it anyways regardless if its there or not.

Thus everytime you visit a site with an SSL cert, you bog down your computer just a little bit more.

Re:Surely they can't...

[ascari]

Your computer is at risk!

Your Symantec SSL subscription has expired. All your secrets are visible to all users on the Internet. Click HERE to renew your Symantec SSL subscription.

Re:Surely they can't...

[stimpleton]

Moderation Score for this should be inverted: 70% insightful, 30% funny.

And by funny, it would be "ha....ha....oh :( "

Re:Surely they can't...

[GaryOlson]

AAAANNNNND....
For a limited time, get a free cert to use on any other system. Just copy this link onto another computer, click on it, and your FREE certificate will secure your system against against unknown threats.

Re:Surely they can't...

[Trecares]

Homer Simpson: NOOOOOO my secrets!

Re:Surely they can't...

[Meski]

Mod parent as funny, with a bittersweet flavour.
VM with a restore point is my answer.

One single point of failure

[orient]

... and failure is inevitable.

Re:One single point of failure

[marcansoft]

Actually, tons of points of failure, each of which is equally critical. The PKI infrastructure is fundamentally flawed. Control VeriSign and you don't control the bulk Internet's public key infrastructure; you control the entirety of the Internet's public key infrastructure. Or you could control any other CA, or even any other intermediate CA. All it takes is one rogue or compromised CA to sign anything and everything that the attacker wants.

Better than hacking one company...

[Ryvar]

instead, imagine you were a government official with no interest in civil rights and could quietly "persuade" one company and have access to the Root Certificate Authority...

Re:Better than hacking one company...

[DigitAl56K]

Imagine one company controlled this and PGP too. Oh wait...

There's a lot of eggs ending up in one basket here...

Surprised EMC didn't outbid them

[crow]

I'm surprised that EMC didn't outbid them to get the Verisign certificate business, as well as for PGP earlier. It seems like it would have been a great fit with RSA, and EMC has oodles of cash for acquisitions.

But surely they run antivirus

[Culture20]

Imagine you could hack [Symantec] and control a large chunk of endpoint security software and the bulk of the Internet's public key infrastructure.

I'm sure they buy anti-virus and firewall software from a reputable vendor.

as juicy targets go...

[spazdor]

Imagine you could hack one company and control a large chunk of endpoint security software and the bulk of the Internet's public key infrastructure

Sure, that'd be a nightmare, if it was possible to "hack a company". If Symantec has any sense at all (and as a security company, they just might) they will keep the certificate authority separate from the antivirus update servers. There is no reason why rooting either one should be able to get you the other, whether they're controlled by the same company or not.

Re:as juicy targets go...

[McNihil]

Well in the name of making everything more profitable and cheaper the consolidation of services will be done so that sooner or later the two offerings (AV and certs) will meet on the same server and an intruder will only need to root one machine. Its all about making money in every which way so the above is more true than anyone would like to think. Yes it is friggin sad.

Re:as juicy targets go...

[Cyberax]

More likely, they'll use a Hardware Security Module which are pretty tough. So far, I'm not aware of any remote vulnerabilities in them.

They even usually have a pretty good physical security.

Re:as juicy targets go...

[mlts]

HSMs are pretty good. But if you manage to gain access as an authorized user or role with access to the key, you can go slaphappy signing/decrypting anything you want. And if this is a CA cert that is the top level for an enterprise, or a certificate signing an application, it might cause all kinds of trouble.

This also applies to smart cards. I'm sure eventually there will be malware that can do a MITM attack when a user is using a smart card.

Re:as juicy targets go...

[Cyberax]

"HSMs are pretty good. But if you manage to gain access as an authorized user or role with access to the key"

That's the reason behind the HSMs. NOBODY can access the root key inside them. Usually, the root private key is kept in a strict physical security (http://en.wikipedia.org/wiki/Key_Ceremony).

Also, ability to sign certificates doesn't allow you to decrypt the users' data. It only allows you to do a transparent MITM.

Three models

[tepples]

If security is the problem, certificates are basically never a good answer.

How else should I be sure that I am communicating with the entity I think I am communicating with? I can think of three models: certificate authority, web of trust, and key continuity management. If you're referring to key continuity management, the approach used by SSH that makes sure that the key you're using matches the key you used last time, that doesn't work if you're behind an ISP that's all MITM all the time. (Yes, these exist in the wild; see bug 460374 at bugzilla.mozilla.org.) If you're referring to a web of trust based on the Bacon number of mutual face-to-face meetings at key signing parties between you and a company's CIO, that doesn't work for people who can't attend such parties in major-league cities.

Re:Three models

[Pinky's+Brain]

DNSSEC + RFC 2538

Re:Three models

[Pinky's+Brain]

Oops, that RFC is obsoleted ... but you get the idea I hope.

Re:Three models

[tepples]

RFC 4398 will work once the root, the major TLDs, and Go Daddy have deployed DNSSEC. At that point, the registrars will act as certificate authorities. But until that time, we rely on separate SSL and Authenticode CAs.

Re:Three models

[Peach+Rings]

It does (to a ridiculous degree of security, but not perfectly of course) guarantee that you're communicating with someone that VeriSign says is the entity you think you're communicating with. If you trust VeriSign (and essentially the entire internet does by default) then you can be sure.

Although Thawte is apparently a bit better, I've never had any reason to distrust VeriSign. But I definitely do not trust Symantec. Their "internet security suite" is what we in the biz like to call shitware.

Re:Three models

[bastion_xx]

You realize who owns Thawte????

Re:Three models

Try to implement https per spec. Make sure to have nothing sharp near you. Then you will understand.

Re:Three models

[icebraining]

That's all nice and dandy, but it's also completely unfeasible. The problem isn't "how can I communicate completely securely", it's "how can anyone using a computer communicate with another through the Internet in the most secure way possible?"

HTTPS may flawed, but it's the best solution we got. Yours isn't a solution to the given problem.

Re:Three models

[jd]

Doubly so given all the various articles posted here on flaws in SSL safety - starting, many years ago, with someone obtaining Microsoft's root certificates by, well, asking for them. The use of NULLs to produce fake certificates that seem valid, the breakage of MD5-secured SSL certificates -- there has been no shortage of problems for the approach.

The idea of webs of trust is that you can't go out and physically verify the path but you CAN ask others if they're confident that X really is X. In the event that you are on a system where there is a well-defined gateway that can establish a secure tunnel to a well-defined gateway adjacent to the end-point, you have two other points that you can verify. If you can be confident of getting to the gateway AND you are confident that the tunnel really is secure AND you are confident that the far end of the tunnel is who it is supposed to be, I really can't see you getting any safer than that.

The question, though, is how to be sure that the certificates are genuine and are issued to the person or organization they're supposed to be issued to and haven't been forwarded on to anyone else. The first part would seem to require that certificates use hashing schemes still regarded as "safe" AND to require that any tampering (before or after) using NULLs or anything else would foul up the fingerprint. You must be capable of being 100% certain that what you see is what the computer sees is ALL of what the certificate requester submitted as the public information.

The second part would seem to require that weak levels of trust be eliminated from the system. Digital certificates should inspire trust because they deserve it, not because 99% of people are either complacent sheep or suicidal lemmings. To do this, though, the trust must work both ways. The issuer of the certificate has to be just as trustworthy. That's doable. Tough, but doable. One option, borrowing from the idea of witnesses from legal frameworks, is that there must be a neutral third party that can countersign the signature as being between who the parties say they are.

This suggests you want two webs of trust. One, of total strangers who can countersign as witnesses, and one of "friends" who can actively vouch for one or both parties (the more traditional web of trust). But countersigning the key only tells you the key is valid, it doesn't tell you the private half of the key exists only where it claims it does.

Requiring that three points produce valid countersigned certificates would boost the confidence of that, as it requires two independent private keys be compromised. That is less likely than one private key being compromised. Certainly possible, but less likely. If the network ran IPv6 and the IETF doesn't remove any more of the security built into the protocol (and maybe adds a bit of it back), the odds of a stolen key passing inspection would be considerably reduced.

The only thing I can suggest beyond that is that client-side authentication be imposed. Yes, it reduces anonymity, but you cannot both be sure the end-point is who they are supposed to be AND be sure the end-point is 100% anonymous. That doesn't work. Passwords and/or other user authentication verifies the user, but you also want to be sure that the machine the user is talking to is also the machine the server is talking to. Easiest way to do that is have the machine counter-sign the user's authentication data and then have the server query the client machine's certificate to ensure that the certificate matches the counter-signature. There are probably superior methods, but it's better to have a starting point than never start at all.

As for the SSL protocol itself, it uses public-key cryptography. Far as I know, this is perfectly respectable. I'm not keen on the use of HMAC - T-TMAC is considered the most secure, from what I understand, although it's only really good for short messages. Which is fine, since you want the most security on the authentication section. If T-TMAC is used onl

Re:Three models

[zippthorne]

Who do I really need secure communications with?

My email provider, for one. That's tricky. My email provider is Google atm, so I pretty much have to trust a certificate signer if I want to use gmail over https.

But the other one is my bank. I'm totally cool with going to the branch office and picking up a biz-card CD, bar code, or whatever with the Bank's public key on it. Why should I have to trust a third party? Because my bank is lazy?

Re:Three models

[mlts]

Certificates are good and bad. If used in a smart WOT, they are great because if you have multiple people trusting someone, you know you are almost certain that that key belongs to that person.

The bad is just blindly trusting root certificates, especially certs from countries who are hostile to the West, and who would be happy to certify with their CA a key belonging to a known bank, then occasionally poisoning DNS or routing queries to the fake site, so they don't get immediately caught.

The best might be a combination all three. You have a "security cache" of keys or signed keys of places and people you have previously interacted with, which is crucial for ssh for the most secure communications. Next, you have a WOT with people you know trusting or not. Finally, you have a CA which may actually be valid, or not. CAs are really a part of WOT, and should be considered with little or no trust, compared to someone coming with (to continue the parent's example) a high Bacon number to yours. The only problem is someone who isn't familar with a WOT giving a key too high a trust that it deserves, but infiltration happens in every network, and with PGP or gpg, it is easy to mark a person's signatures as untrustworthy.

This reminds me of something different: Maybe it is time to get people and start doing PGP/gpg keysigning parties [1] again. This way,

[1]: Of course, there is the proper way of doing the key stuff. Send a list of public keys to the host, host prints out a list for everyone. Everyone then brings a copy of their key ID and hashes. Then go around matching the keys to the individual, perhaps asking for IDs, then circling the ones which pass the validity test. This way, no computers are used, and it is much harder to "compromise" someone's piece of paper showing vetted keys in the length of time it takes for them to leave the party and get home to sign everyone's keys and push the signatures to keyservers.

Re:Three models

[Meski]

Because we're all lazy, to some point. We want something that's good enough to deter low-level attacks, so we trust certificates. We trust the little digipass tokens. (whilst wishing that they'd get their act together enough that one digipass could be used for many institutions)

Re:Three models

[tepples]

Who do I really need secure communications with?

Any site that authenticates you using a name and password, for one, at least until every little blog, forum, and wiki starts taking your Gmail account over OpenID.

I'm totally cool with going to the branch office and picking up a biz-card CD, bar code, or whatever with the Bank's public key on it.

Some banks probably don't have branches in your area, such as Ally.

Re:Three models

[tepples]

HTTP already has mechanisms to validate and secure data, which no one can patent as it's a standard

Care to explain which mechanisms these happen to be? I've got a Google Search input field ready to take keywords or RFC numbers.

Re:Three models

[jd]

Consider that one of the biggest area of vulnerabilities is social engineering. If you trust the person behind the till (about whom you know nothing) to hand you a legitimate public key (which, without a third-part, you can't verify), then fine and good. On the other hand, if that same unknown (who might easily be a social engineer who has bluffed his or her way to the counter) hands you a fake key and you CAN verify it by verifying that it has been counter-signed by someone you independently trust, THEN you have a lot more confidence in that key. You aren't dependent on the person being legit because they said so.

Re:Three models

[zippthorne]

I dunno if I want to put my money in a bank I can't visit ever...

Symantec & information security

[Zedrick]

ha ha ha.

Not related to SSL and stuff like that, but anyway: a few years ago I got a job working doing technical support for Symantec. During training, I was first embedded with the customer service-people, and watched them sit talk to customers, while they took down credit card numbers and other details on paper, which were later thrown out the the general office-trash.

A few days later I was supposed to do "technical training" with the so-called 2nd line support... The day I had to explain to one of them how to unlock the taskbar on Windows XP was the day I quit - after a total of 6 or 7 days of employment.

And who buys their stuff anyway? I haven't touched any of it since then so I don't know if anything has improved, but I remember how the Norton Security-packages idea of protecting the computer was to slow it down to a crawl and basically block everything. Not to mention what a mess it is (was?) to remove it from the system...

Re:Symantec & information security

[carp3_noct3m]

Few people that are sane buy their product, their main customers are OEM's, who they pay assloads to preinstall their shit, and the computer illiterate. The only even semi-ok symantec product is the corporate version, but even that sucks big donkey dick. I have also worked with their nightmare of a backup system, it is just as much crap. Oh and their support is even worse (source: GP)

Re:Symantec & information security

[fusiongyro]

Most people make most of their purchases based on a blend of emotion and awareness. Computers are ubiquitous, computer skills are not. Therefore, there's a thriving market for products whose advertising makes you afraid of something and then they sell you the solution. It's the same in every industry. Symantec has a big name and they have lots of ads and people are afraid of the things their products pretend to protect them from. So it's a business model. And it doesn't matter if it's a shitty product if 95% of people think they need it and buying it makes them feel better, they'll do it. That's just life.

Re:Symantec & information security

[stonertom]

Uninstalling Symantec products == reinstall

Re:Symantec & information security

[mlts]

Just like the PP, If I were to recommend an A/V defense to someone, I rather take the method of having strong locks on the doors as opposed to an alarm system that notifies if someone is already in. Here is what I'd do with Windows:

First barrier to entry: A true hardware firewalling router. Unless the machine is a laptop which travels around, desktop boxes should not be facing the Internet if at all possible (and they are not doing server functions). Some services can be handled either by a port forward or a proxy.

Second barrier to entry: If you can run Windows's software firewall with "No Exceptions" checked, do so. If not, try to cut out as many apps/ports as possible, or as least make the ports only accessible to the local subnet.

Third barrier: Run as a user with no admin rights. If you can, do your system admin stuff under a "aausername", or a "usernamesu", which is a special user dedicated just to system admin functions that isn't root or admin. Yes, malware that infects a user is just one privilege escalation hole from superuser, but that is better than pwning the box just by claiming one user.

Fourth barrier: A web browser protected by an ad filter add-on. Because a lot of websites use unscrupulous third party ad-rotators, it is way too common for malformed Flash or HTML to be used as a possible exploit (the Antivirus 2010 attacks for example.) AdBlock, Privoxy, or even PeerBlock with a subscription come to mind here. Web browser choice comes into play, but this is more of a religious issue once the ads are out of the picture.

Fifth barrier: A basic A/V program. Enterprises need advanced reporting and auditing capabilities of Norton Endpoint Protection. SOHO users don't. So, I'd recommend something decent but lightweight like AVG, Avast!, or Microsoft Security Essentials, which are available (or have a version that is) at no charge.

First layer for after the fact: An external drive and a backup program (Acronis TrueImage, EMC Retrospect, etc.). The backup program Windows Vista offers different features depending on the edition. So, it is best just to use a third party program that allows you to make a restore CD so the PC user can do a "bare metal" recovery if everything gets trashed, as well as being able to get at a file after it was accidentally deleted. I'd rather spend money on a good third party backup utility than some premium version of commercial antivirus [1]. Also, third party backup utilities support encryption.

Second layer for after the fact: Mozy, Carbonite, or Backblaze. Say malware trashes your machine, your external drive, and everything else. This is why you use a keyfile and a remote backup service so you can get your documents back somehow. Since this is coming through the Internet, this is more of a last resort backup mechanism than anything else.

[1]: This goes for home usage. Companies are better off using an enterprise level program so they have audit capability and ability to know that all boxes are protected.

So, is Peter Norton going to show up?

[filesiteguy]

I can see his bespectacled face showing up on my website telling me I have a virus and that I'd be better buying the whole Norton Internet Suite from Symantec.

Re:So, is Peter Norton going to show up?

[jelizondo]

In a godawful pink shirt...

Re:So, is Peter Norton going to show up?

[jelizondo]

Sorry, screwed the link

the end is nigh

[bloodhawk]

Fantastic, now when you install an SSL Cert your computer will slow to a crawl, to uninstall the cert will require a complete rebuilt/reimage.

Symantec, as the guardian of 'net security?

[ibsteve2u]

Might as well put your keyboard at the bottom of a six foot-deep vat of molasses...cold, cold molasses...and start training.

it's business

[fusiongyro]

This is called diversification. Anti-virus is their flagship product, but the "benefit of the benefit" as they say in marketing is the warm fuzzy feeling of being secure. Well, certificates make people feel secure the same way AV does, so it fits the brand, so they're going to sell them. It's a great investment for them, I'm sure they'll make money on this deal.

All the time here on Slashdot I see people trying to read a technological message in a business decision or action. If you're puzzled or outraged by whatever Apple or Symantec or whoever are up to, just follow the dollar signs. This makes business sense and there's nothing more outrageous about Symantec selling certs than anyone else. Really. It's just business. There's no meaning here.

Re:it's business

[AHuxley]

You now have one firm with a deep love for the US federal government getting much more control over many aspects of computer security.
If they get PGP and GuardianEdge with this deal too, average computers will be as open to federal agents as the US telco system is today.
The ability of the feds to secure a persons electronic papers, by remote "reasonable" searches ... has just gotten a warm fuzzy boost.

Re:it's business

[thoughtsatthemoment]

Someone selling you a lock doesn't mean they have access to you treasure. Please don't confuse PGP with Google.

Re:it's business

[fusiongyro]

That's certainly an interesting take on it, but the government lately has been making it pretty clear that when they want something, they get it whether or not the firm is “cooperative.” Besides that, I don't think SSL is used to protect the kinds of communications the government would like to snoop. There's dozens of steganography programs out there you can use to hide malicious data out in the open with little chance of detection, and there are much stronger forms of encryption available that don't have a middle man taking money either. Even if this became a standard practice, it's hard to imagine how the government could either benefit from or defend a policy of watching people's credit card transactions go over the web. I'd worry more about mail but there are so many possible weak links in that chain and the amount of junk traffic is so high I doubt there's much to invest in that approach either.

Re:it's business

[AHuxley]

policy of watching people's credit card transactions go over the web - thats what SWIFT is for - until some privacy laws upset things.

Hmm... what will change?

[Opportunist]

Let's see. Symantec makes overpriced, underperforming security software you can't get rid of in a glossy, well designed box.

So, essentially, the "secured by VeriSign" logo will look better.

Symantec gives me headaches

[LoudMusic]

The two Symantec products I use are the AV client / server line and Backup Exec. Both of which cause me nothing but trouble. This is going to be bad for everyone.

Re:Symantec gives me headaches

[QuantumRiff]

Sigh... Backup Exec was so awesome before it got bought by Symantec.. So simple, and easy..

Symantec has turned into he modern day CA. Its where good products go to die.

Really, how is CA still in business? Most people can't even name their products!

Re:Symantec gives me headaches

[RMH101]

Remember Norton Ghost? Turned the best imaging programme I can think of into some sort of half-assed consumer-focussed crapware. From a bootable floppy that did it all to a bloated CD of shovelware that actually removed all the useful features. Also allowed Acronis to compeletly steal their market. Ugh.

Symantec and the Feds

[AHuxley]

Thinking back to the feds getting their keystroke logging software whitelisted.
http://en.wikipedia.org/wiki/Magic_Lantern_(software)#Symantec
Then you have Symantec wanting to acquire the encryption companies PGP and GuardianEdge.
Soon many PC's will run to end Symantec solutions for all their data security.
Symantec: "The FBI's most trusted antiprivacy solution"

Re:Symantec and the Feds

Devil's advocate here: If a backdoor was found in PGP, (and so far none have been found, although there was the ADK issue about a decade ago), the company would be out of business immediately. People would ditch PGP for another solution in a heartbeat.

Already, PointSec, BestCrypt, or TrueCrypt offer hard disk encryption. Encryption of files can be done by gpg, and folders by tar or zip and gpg. Virtual hard disks can be created in BestCrypt, TrueCrypt, or FreeOTFE. Public/private keys can be handled by gpg. E-mail security can be handled by gpg and GUI tools. S/MIME can also do email security, assuming the root certificates are trustable.

If PGP is found to be untrustworthy, someone will step up to the plate and make a solution to replace it. However, I am sure in saying that this is not going to happen. PGP has had a great heritage since Zimmermann made it, with the commerical version coming from ViaCrypt. Symantec would not take the risk of ruining the goose that lays the golden eggs.

Re:Symantec and the Feds

[AHuxley]

So did Enigma and CryptoAG.
Thats the problem, the spooks can get their fast to plaintext hooks into most private products via patriotism, faith, profits, blackmail or the "promotion" of a more gov friendly competitor.
By the time "public" maths and historians work out that it was all 'fixed', a generation has moved on. Investing in the next round of expensive, useless private solution.

Re:Symantec and the Feds

[DarkOx]

That is nice to think but nobody can replace PGP at this point. As you point out in your post there are other technical and in many cases better solutions to everything PGP does; really does not matter though. PGP is entrenched, in government and guess what government spending is AT LEAST 1/6th of the GDP now. Want to work with the DOD you have to use PGP. If you are already doing PGP with your biggest client you are going to prefer to use the same solution as much as possible. PGP is safe from all the but the most wanton bungling at this point.

... but smell worse.

[zooblethorpe]

Let's see. Symantec makes overpriced, underperforming security software you can't get rid of in a glossy, well designed box.

So, essentially, the "secured by VeriSign" logo will look better.

... but smell worse.

Cheers,

Defacto Identity Authorty in For-Profit Hands?

[artifactual]

Something as fundamental to business and security on the internet as a certificate-authority, shouldn't be at the mercy of a private, for-profit business. Imagine if passports or driver's licences were controlled by a private company who could sell that operation to anyone they wanted.

Even if Symantec were the most honest and scrupulous company in the world that could all change with no input from the real stake-holders, ie vritually everyone who uses the internet. They could make a mistake in their security procedures which aren't subject to outside scrutiny, they could sell the operation to someone else, etc.

Of course this sale only highlights the problem. It was a problem before they bought it, too.

Re:Defacto Identity Authorty in For-Profit Hands?

[thoughtsatthemoment]

shouldn't be at the mercy of a private, for-profit business.

So you'd rather trust the government or the church? There many companies in the cert business and nobody is forcing you to use one over another.

Re:Defacto Identity Authorty in For-Profit Hands?

[artifactual]

Yes I'd rather trust my government for issuing ID credentials. Would you trust a privately issued birth-certificate or passport over a government-issued one?

There are of course plenty of governments around the world who I wouldn't trust to do this, but there are plenty (including mine) who I would trust more than any private company in this area.

A private company is more likely to be bought, have their business practices changed in secret, or put profit above best-practice than the government of a developed, democratic nation. Not infinitely more likely, but a lot.

Re:Defacto Identity Authorty in For-Profit Hands?

[thoughtsatthemoment]

Certs have to be centrally stored somewhere, and you want to give the government all the information willingly?

The government of a developed, democratic nation

I do remember the US invaded Iraq under false pretense and got away with it.

Re:Defacto Identity Authorty in For-Profit Hands?

[artifactual]

Rather than a private company, yes. What do you imagine is the danger of the government storing certification information, that wouldn't exist (and probably to a greater extent) with a private company?

Re:Defacto Identity Authorty in For-Profit Hands?

[thoughtsatthemoment]

There are many private companies so that information is distributed. And they don't have political power, at least not directly.

Re:Symantec Rawks

[mlts]

Since Symantec has multiple backup programs, I really wish they would take the codebases of their two lines, and use them to make a really good next generation backup program, that eventually would phase out both BE and NetBackup.

For example, NetBackup allows for bare metal restores. But as soon as you restore, you must re-backup the box. Why not offer a facility to use the bare metal feature as a way to clone? Or shouldn't synthetic full backups be an innate part of the structure, like it is with TSM and Retrospect, while having the old fashioned full/incremental/differental structure available if someone wants it. Similar with deduplication. This should be something that is part of the core backup engine and backup file format, both on a file basis, as well as block by block (for things like duplicate VMs cloned from a single image.)

not again...

[lusid1]

Noooo.....

Every time I kill off my "last" Symantec app, they buy something else I'm using. It takes them 12-18 months to kill a product, and it takes me 24 months to swap it out.

Re:Personal certificates aren't THAT profitable..

[leonardofelin]

Verisign's milk cow is their SSL certificates for websites.

They need a huge infrastructure to analyse and issue personal certificates. Profit margins are a lot lower in this case.

They're just cutting a not-so-profitable business and keeping their main income untouched.

No, you are Wrong

[Burz]

Symantec are not Google or Apple or even Microsoft. They will not even be Verisign after acquiring that company. Not all corporations have the same work culture and Symantec in particular are a bunch of MBAs who are sucking the life out of the computing field. If they all spontaneously combusted today, they would not be missed by anyone but their shareholders for more than 5 minutes.

Security Systems

[HTH+NE1]

Theora: What if some really dangerous people got control of it?
Murray: Who do you think controls it now?