Status on PGP NTFS File Wipe issue, 11 Dec 2005

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Status on PGP NTFS File Wipe issue, 11 Dec 2005
From: Jon Callas <jon@xxxxxxx>
Date: Sun, 11 Dec 2005 09:04:20 -0800
Cc: Jon Callas <jon@xxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

On December 8, 2005, Vinnie Liu and The Metasploit Project releasedan issue with PGP Desktop's free space wipe feature. Their web pageon the issue can be found at<http://metasploit.com/research/vulns/pgp_slackspace/>. This reporthas been replicated in other fora, including Bugtraq and Secunia.

At PGP, we take all security issues seriously. We pride ourselves oncreating software of the highest quality and being leaders inresponsible development. We also pride ourselves in improving ourprocesses when we learn that we have not performed to the highstandards that we and our customers hold us to.

We are presently in contact with Mr Liu to look at this claim.However, we must also address our delay in responding to him. He sentour customer support center a message on August 2, at 4:35pm. Wereplied to him on August 3, at 8:57am. As of now, we're eachexamining our communications processes to improve them.

The real issue, however, is making sure that PGP is the best productpossible. We are presently examining whether the issue that Mr Liuhas discovered is a known limitation of the NTFS file system that isdocumented in PGP Desktop or if it is a new problem. We will announcehere the resolution after our analysis is complete.

We appreciate the attention and thoughtfulness that we've had in ourdiscussions with Mr Liu. Despite the difficulties we had in startingwork together, he has been very helpful and responsive and is apleasure to work with. We are working now to investigate this issuethoroughly and come up with the best solution for our customers.


        Jon

--
Jon Callas
CTO, CSO
PGP Corporation         Tel: +1 (650) 319-9016
3460 West Bayshore      Fax: +1 (650) 319-9001
Palo Alto, CA 94303     PGP: ed15 5bdf cd41 adfc 00f3
USA                          28b6 52bf 5a46 bc98 e63d




________________________________________________________________
This message could have been secured by PGP Universal. To secure
future messages from this sender, please click this link:

https://keys.pgp.com/b/b.e?r=bugtraq%40securityfocus.com&n=PJ9X8B3iNqa2D%2F6sI5Yy4A%3D%3D

Prev by Date: Re: [KAPDA::#16] - SMF SQL Injection
Next by Date: [OpenPKG-SA-2005.028] OpenPKG Security Advisory (curl)
Previous by thread: [PHP-CHECKER] 99 potential SQL injection vulnerabilities
Next by thread: [OpenPKG-SA-2005.028] OpenPKG Security Advisory (curl)
Index(es):
- Date
- Thread