
Symantec To Buy VeriSign's Authentication Business 97

Posted by timothy
from the watch-that-basket-carefully dept.
overThruster writes "Security giant Symantec is taking another step toward global domination of the information security market with the purchase of VeriSign's authentication business. Back in April it purchased PGP Corporation and GuardianEdge. VeriSign is the best known Certificate Authority; they are virtually synonymous with certificates for SSL and PKI. It seems like this could dilute the trust value of their brand rather than enhance it. It is not clear yet what effects this will have on VeriSign customers but the cynic in me says it can't be good. In terms of putting all your eggs in one basket, this will sure make Symantec a juicy target for hackers (as if they weren't already). Imagine you could hack one company and control a large chunk of endpoint security software and the bulk of the Internet's public key infrastructure."
  • FP (Score:5, Insightful)

    by Obstin8 (827030) on Thursday May 20, 2010 @05:08PM (#32286226)
    Nothing good can come of this...
    • Re:FP (Score:5, Funny)

      by MightyMartian (840721) on Thursday May 20, 2010 @05:21PM (#32286384) Journal

      Oh look, Darth Vader has switched allegiances... to Sauron!

    • Re:FP (Score:5, Funny)

      by dgatwood (11270) on Thursday May 20, 2010 @05:26PM (#32286428) Journal

      Actually, I think it's great. Symantec builds lousy, overpriced products, Verisign sells insufficiently verified, overpriced EV certificates. It's a match made in heaven. Better yet, we only have to hate one company instead of two, because what's left of Verisign should be mostly harmless.

      • Well yeah except HP is the other company who is buying up all the crap software; so now we only have Symantec and HP to hate, oh and I guess Novell (kernel) Microsoft (everything), Apple (Flash), Google (Streetview), IBM (malware) and Oracle (OpenSolaris). Wow, thinking about it, can any company do anything right?

        I actually tried PGP Desktop 10 the other day and it really is rubbish for 180 quid. Their registration server has been offline for 5 years and their software won't work with any OpenPGP keyservers.

        Sea

    • Imagine you could hack one company and control a large chunk of endpoint security software and the bulk of the Internet's public key infrastructure.

      Similarly, imagine how easy it is for governments and security agencies to get access to all this stuff when it's from the one compromised company.

    • Verisign's milk cow is their SSL certificates for websites.

      They need a huge infrastructure to analyse and issue personal certificates. Profit margins are a lot lower in this case.

      They're just cutting a not-so-profitable business and keeping their main income untouched.

  • by dov_0 (1438253) on Thursday May 20, 2010 @05:10PM (#32286254)
    Find a way to make SSL certification slow down your computer as well? Maybe they intend to slow down the whole internet?!?
  • ... and failure is inevitable.
    • Actually, tons of points of failure, each of which is equally critical. The PKI infrastructure is fundamentally flawed. Control VeriSign and you don't control the bulk of the Internet's public key infrastructure; you control the entirety of the Internet's public key infrastructure. Or you could control any other CA, or even any other intermediate CA. All it takes is one rogue or compromised CA to sign anything and everything that the attacker wants.

  • by Ryvar (122400) on Thursday May 20, 2010 @05:15PM (#32286312) Homepage

    Instead, imagine you were a government official with no interest in civil rights and could quietly "persuade" one company and have access to the Root Certificate Authority...

    • Imagine one company controlled this and PGP too. Oh wait...

      There's a lot of eggs ending up in one basket here...

      • ...into a black hole. These Symantec / Verisign / PGP mergers show how the utterly decrepit Windows PC market failure (desktop monopoly, plus a small handful of app vendors like Symantec) has made the Internet much more treacherous by failing to deliver reasonably secure systems. And now these incompetent and greedy beasts (who are in fact more interested in hobbling our computers to keep us on that 3-year upgrade cycle) are going to finish the job by devouring important Internet institutions.

        Symantec: The

  • I'm surprised that EMC didn't outbid them to get the Verisign certificate business, as well as for PGP earlier. It seems like it would have been a great fit with RSA, and EMC has oodles of cash for acquisitions.

  • by Culture20 (968837) on Thursday May 20, 2010 @05:22PM (#32286388)

    Imagine you could hack [Symantec] and control a large chunk of endpoint security software and the bulk of the Internet's public key infrastructure.

    I'm sure they buy anti-virus and firewall software from a reputable vendor.

  • Imagine you could hack one company and control a large chunk of endpoint security software and the bulk of the Internet's public key infrastructure

    Sure, that'd be a nightmare, if it was possible to "hack a company". If Symantec has any sense at all (and as a security company, they just might) they will keep the certificate authority separate from the antivirus update servers. There is no reason why rooting either one should be able to get you the other, whether they're controlled by the same company or not.

    • by McNihil (612243)

      Well, in the name of making everything more profitable and cheaper, the consolidation of services will be done so that sooner or later the two offerings (AV and certs) will meet on the same server and an intruder will only need to root one machine. It's all about making money in every which way so the above is more true than anyone would like to think. Yes, it is friggin sad.

    • by Cyberax (705495)

      More likely, they'll use Hardware Security Modules, which are pretty tough. So far, I'm not aware of any remote vulnerabilities in them.

      They even usually have pretty good physical security.

      • by mlts (1038732) *

        HSMs are pretty good. But if you manage to gain access as an authorized user or role with access to the key, you can go slaphappy signing/decrypting anything you want. And if this is a CA cert that is the top level for an enterprise, or a certificate signing an application, it might cause all kinds of trouble.

        This also applies to smart cards. I'm sure eventually there will be malware that can do a MITM attack when a user is using a smart card.

        • by Cyberax (705495)

          "HSMs are pretty good. But if you manage to gain access as an authorized user or role with access to the key"

          That's the reason behind the HSMs. NOBODY can access the root key inside them. Usually, the root private key is kept under strict physical security (http://en.wikipedia.org/wiki/Key_Ceremony).

          Also, ability to sign certificates doesn't allow you to decrypt the users' data. It only allows you to do a transparent MITM.
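The "one rogue or compromised CA" point made earlier in this thread, and the note just above that a CA key buys an attacker a transparent MITM rather than decryption, in working Go as an added example that is not from the thread or from any of the companies discussed: a constructed in-memory PKI with two independent roots shows that plain chain validation accepts a certificate for a given hostname from either root, and that pinning the expected root's public key is the check a relying party can add to reject the same certificate when the wrong CA issued it. Root names and hostnames used with it are made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a cert in a constructed in-memory test PKI: parent == nil gives a self-signed root CA, otherwise a server leaf for hostname name.
func newCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		tmpl.DNSNames = []string{name}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// spkiPin is the SHA-256 of the SubjectPublicKeyInfo, the value public-key pinning compares.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// verify mimics a TLS client. With pin == nil it is plain chain validation: ANY
// trusted root may vouch for ANY hostname, so one rogue or compromised CA suffices.
// With a pin, the chain must also end at the expected root key.
func verify(leaf *x509.Certificate, store []*x509.Certificate, host string, pin *[32]byte) bool {
	pool := x509.NewCertPool()
	for _, r := range store {
		pool.AddCert(r)
	}
	chains, _ := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host}) // nil chains on error
	for _, chain := range chains {
		if pin == nil || spkiPin(chain[len(chain)-1]) == *pin {
			return true
		}
	}
	return false
}
```

Note that neither path involves the private key of the legitimate server: the rogue issuance only lets the holder impersonate the name, which is the MITM-not-decryption distinction the comment draws.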

  • by Zedrick (764028) on Thursday May 20, 2010 @05:32PM (#32286506)
    ha ha ha.

    Not related to SSL and stuff like that, but anyway: a few years ago I got a job working doing technical support for Symantec. During training, I was first embedded with the customer service-people, and watched them sit and talk to customers, while they took down credit card numbers and other details on paper, which were later thrown out into the general office-trash.

    A few days later I was supposed to do "technical training" with the so-called 2nd line support... The day I had to explain to one of them how to unlock the taskbar on Windows XP was the day I quit - after a total of 6 or 7 days of employment.

    And who buys their stuff anyway? I haven't touched any of it since then so I don't know if anything has improved, but I remember how the Norton Security packages' idea of protecting the computer was to slow it down to a crawl and basically block everything. Not to mention what a mess it is (was?) to remove it from the system...
    • Few people that are sane buy their product, their main customers are OEMs, whom they pay assloads to preinstall their shit, and the computer illiterate. The only even semi-ok symantec product is the corporate version, but even that sucks big donkey dick. I have also worked with their nightmare of a backup system, it is just as much crap. Oh and their support is even worse (source: GP)

    • Re: (Score:3, Interesting)

      by fusiongyro (55524)

      Most people make most of their purchases based on a blend of emotion and awareness. Computers are ubiquitous, computer skills are not. Therefore, there's a thriving market for products whose advertising makes you afraid of something and then they sell you the solution. It's the same in every industry. Symantec has a big name and they have lots of ads and people are afraid of the things their products pretend to protect them from. So it's a business model. And it doesn't matter if it's a shitty product if 95

    • by stonertom (831884)
      Uninstalling Symantec products == reinstall
  • I can see his bespectacled face showing up on my website telling me I have a virus and that I'd be better buying the whole Norton Internet Suite from Symantec.
  • the end is nigh (Score:3, Insightful)

    by bloodhawk (813939) on Thursday May 20, 2010 @05:49PM (#32286710)
    Fantastic, now when you install an SSL Cert your computer will slow to a crawl, to uninstall the cert will require a complete rebuild/reimage.
  • by ibsteve2u (1184603) on Thursday May 20, 2010 @05:54PM (#32286760)
    Might as well put your keyboard at the bottom of a six foot-deep vat of molasses...cold, cold molasses...and start training.
  • it's business (Score:3, Insightful)

    by fusiongyro (55524) on Thursday May 20, 2010 @05:55PM (#32286780) Homepage

    This is called diversification. Anti-virus is their flagship product, but the "benefit of the benefit" as they say in marketing is the warm fuzzy feeling of being secure. Well, certificates make people feel secure the same way AV does, so it fits the brand, so they're going to sell them. It's a great investment for them, I'm sure they'll make money on this deal.

    All the time here on Slashdot I see people trying to read a technological message in a business decision or action. If you're puzzled or outraged by whatever Apple or Symantec or whoever are up to, just follow the dollar signs. This makes business sense and there's nothing more outrageous about Symantec selling certs than anyone else. Really. It's just business. There's no meaning here.

    • by AHuxley (892839)
      You now have one firm with a deep love for the US federal government getting much more control over many aspects of computer security.
      If they get PGP and GuardianEdge with this deal too, average computers will be as open to federal agents as the US telco system is today.
      The ability of the feds to secure a person's electronic papers, by remote "reasonable" searches ... has just gotten a warm fuzzy boost.
      • Someone selling you a lock doesn't mean they have access to your treasure. Please don't confuse PGP with Google.
      • by fusiongyro (55524)

        That's certainly an interesting take on it, but the government lately has been making it pretty clear that when they want something, they get it whether or not the firm is “cooperative.” Besides that, I don't think SSL is used to protect the kinds of communications the government would like to snoop. There's dozens of steganography programs out there you can use to hide malicious data out in the open with little chance of detection, and there are much stronger forms of encryption available that

        • by AHuxley (892839)
          policy of watching people's credit card transactions go over the web - that's what SWIFT is for - until some privacy laws upset things.
    • Symantec are not Google or Apple or even Microsoft. They will not even be Verisign after acquiring that company. Not all corporations have the same work culture and Symantec in particular are a bunch of MBAs who are sucking the life out of the computing field. If they all spontaneously combusted today, they would not be missed by anyone but their shareholders for more than 5 minutes.

  • Let's see. Symantec makes overpriced, underperforming security software you can't get rid of in a glossy, well designed box.

    So, essentially, the "secured by VeriSign" logo will look better.

    • Let's see. Symantec makes overpriced, underperforming security software you can't get rid of in a glossy, well designed box.

      So, essentially, the "secured by VeriSign" logo will look better.

      ... but smell worse.

      Cheers,

  • by LoudMusic (199347) on Thursday May 20, 2010 @06:25PM (#32287094)

    The two Symantec products I use are the AV client / server line and Backup Exec. Both of which cause me nothing but trouble. This is going to be bad for everyone.

    • Sigh... Backup Exec was so awesome before it got bought by Symantec.. So simple, and easy..

      Symantec has turned into the modern-day CA. It's where good products go to die.

      Really, how is CA still in business? Most people can't even name their products!

      • by RMH101 (636144)
        Remember Norton Ghost? Turned the best imaging programme I can think of into some sort of half-assed consumer-focussed crapware. From a bootable floppy that did it all to a bloated CD of shovelware that actually removed all the useful features. Also allowed Acronis to completely steal their market. Ugh.
  • by AHuxley (892839) on Thursday May 20, 2010 @06:27PM (#32287104) Homepage Journal
    Thinking back to the feds getting their keystroke logging software whitelisted.
    http://en.wikipedia.org/wiki/Magic_Lantern_(software)#Symantec
    Then you have Symantec wanting to acquire the encryption companies PGP and GuardianEdge.
    Soon many PCs will run end-to-end Symantec solutions for all their data security.
    Symantec: "The FBI's most trusted antiprivacy solution"
    • Re: (Score:1, Interesting)

      by Anonymous Coward

      Devil's advocate here: If a backdoor was found in PGP, (and so far none have been found, although there was the ADK issue about a decade ago), the company would be out of business immediately. People would ditch PGP for another solution in a heartbeat.

      Already, PointSec, BestCrypt, or TrueCrypt offer hard disk encryption. Encryption of files can be done by gpg, and folders by tar or zip and gpg. Virtual hard disks can be created in BestCrypt, TrueCrypt, or FreeOTFE. Public/private keys can be handled by

      • by AHuxley (892839)
        So did Enigma and CryptoAG.
        That's the problem, the spooks can get their fast to plaintext hooks into most private products via patriotism, faith, profits, blackmail or the "promotion" of a more gov friendly competitor.
        By the time "public" maths and historians work out that it was all 'fixed', a generation has moved on. Investing in the next round of expensive, useless private solutions.
      • by DarkOx (621550)

        That is nice to think but nobody can replace PGP at this point. As you point out in your post there are other technical and in many cases better solutions to everything PGP does; really does not matter though. PGP is entrenched, in government and guess what government spending is AT LEAST 1/6th of the GDP now. Want to work with the DOD you have to use PGP. If you are already doing PGP with your biggest client you are going to prefer to use the same solution as much as possible. PGP is safe from all the

  • Something as fundamental to business and security on the internet as a certificate authority shouldn't be at the mercy of a private, for-profit business. Imagine if passports or driver's licences were controlled by a private company who could sell that operation to anyone they wanted.

    Even if Symantec were the most honest and scrupulous company in the world that could all change with no input from the real stake-holders, i.e. virtually everyone who uses the internet. They could make a mistake in their secur

    • shouldn't be at the mercy of a private, for-profit business.

      So you'd rather trust the government or the church? There are many companies in the cert business and nobody is forcing you to use one over another.

      • Yes I'd rather trust my government for issuing ID credentials. Would you trust a privately issued birth-certificate or passport over a government-issued one?

        There are of course plenty of governments around the world who I wouldn't trust to do this, but there are plenty (including mine) who I would trust more than any private company in this area.

        A private company is more likely to be bought, have their business practices changed in secret, or put profit above best-practice than the government of a develop

        • Certs have to be centrally stored somewhere, and you want to give the government all the information willingly?

          The government of a developed, democratic nation

          I do remember the US invaded Iraq under false pretense and got away with it.

          • Rather than a private company, yes. What do you imagine is the danger of the government storing certification information, that wouldn't exist (and probably to a greater extent) with a private company?
  • Noooo.....

    Every time I kill off my "last" Symantec app, they buy something else I'm using. It takes them 12-18 months to kill a product, and it takes me 24 months to swap it out.

  • Theora: What if some really dangerous people got control of it?
    Murray: Who do you think controls it now?
