Re: SYM06-013 Symantec On-Demand Protection Encrypted Data Exposure

From: Chris Wysopal (weld@vulnwatch.org)
Date: Tue Aug 01 2006 - 22:22:02 CDT


On Tue, 1 Aug 2006 secure@symantec.com wrote:

> Symantec has posted a Security Advisory for Symantec On-Demand Protection.
> Please see the advisory for complete information:
>
> http://www.symantec.com/avcenter/security/Content/2006.08.01a.html

This Symantec posting contains minimal security information. In December
2000[1] @stake modified their Bugtraq postings to include a small amount
of security information and a link back to the @stake website where the
full advisory resided. The intention was to have a bit more control over
the way people viewed the advisories. They would be viewed on the @stake
website only and not serve as content for for-profit advertising supported
websites. The advisory could also be updated if there were errors or
updates and it would serve as the canonical reference.

Elias Levy, the Bugtraq moderator at the time, rejected the posting on the
grounds that it contained minimal security information. His reasoning was
that forcing people to go to an additional website was inconvenient and
that if the advisory website ever went away the original advisory would be
lost. He had a good point and @stake changed back to the old format.

One of the ironies of the security world is Symantec purchased
SecurityFocus and then later @stake. After purchasing @stake, Symantec
removed the @stake advisory archive, thus bringing Elias' fear to reality.

Elias' reasoning still holds true today. Companies come and go, are
acquired or change course. Symantec should post its full advisories to
the list and so should everyone else.

-Chris

1. Bugtraq: Administrivia & AOL IM Advisory,
   http://seclists.org/bugtraq/2000/Dec/0197.html