[VIM] SYM06-013 Symantec On-Demand Protection Encrypted Data Exposure (fwd)

security curmudgeon jericho at attrition.org
Wed Aug 9 05:12:51 EDT 2006


Chris beat me to the punch on this one. We're seeing the same thing on 
Full-Disclosure, but being an unmoderated list I don't expect otherwise. 
With Bugtraq though... having all the details posted to the list allows the 
advisory to be archived all over now. @stake is only one of many sites 
that have since had their advisory archive disappear.

---------- Forwarded message ----------
From: Chris Wysopal <weld at vulnwatch.org>
To: secure at symantec.com
Cc: bugtraq at securityfocus.com
Date: Tue, 1 Aug 2006 22:22:02 -0500 (EST)
Subject: Re: SYM06-013 Symantec On-Demand Protection Encrypted Data Exposure



On Tue, 1 Aug 2006 secure at symantec.com wrote:

> Symantec has posted a Security Advisory for Symantec On-Demand Protection.
> Please see the advisory for complete information:
>
> http://www.symantec.com/avcenter/security/Content/2006.08.01a.html

This Symantec posting contains minimal security information.  In December
2000[1] @stake modified their Bugtraq postings to include a small amount
of security information and a link back to the @stake website where the
full advisory resided.  The intention was to have a bit more control over
the way people viewed the advisories.  They would be viewed on the @stake
website only and not serve as content for for-profit, advertising-supported
websites.  The advisory could also be updated if there were errors or
updates and it would serve as the canonical reference.

Elias Levy, the Bugtraq moderator at the time, rejected the posting on the
grounds that it contained minimal security information.  His reasoning was
that forcing people to go to an additional website was inconvenient and
that if the advisory website ever went away the original advisory would be
lost.  He had a good point and @stake changed back to the old format.

One of the ironies of the security world is Symantec purchased
SecurityFocus and then later @stake.  After purchasing @stake, Symantec
removed the @stake advisory archive, thus bringing Elias' fear to reality.

Elias' reasoning still holds true today.  Companies come and go, are
acquired or change course.  Symantec should post its full advisories to
the list and so should everyone else.

-Chris

1. Bugtraq: Administrivia & AOL IM Advisory,
    http://seclists.org/bugtraq/2000/Dec/0197.html