Symantec: Anonymous stole source code, users should disable pcAnywhere - jonmc12
http://arstechnica.com/business/news/2012/01/symantec-says-anonymous-stole-source-code-tells-customers-to-disable-security-product.ars

======
pyre

> Symantec released a patch fixing three vulnerabilities
> in pcAnywhere version 12.5 (the current version) on
> Monday, and said it will continue issuing patches
> "until a new version of pcAnywhere that addresses all
> currently known vulnerabilities is released."

Sounds like they've been sitting on a bunch of known vulnerabilities. At least
this acts as a kick in the pants to _actually_ fix them.

~~~
pnathan
These sorts of reactions by vendors really imply to me that the full
disclosure philosophy is better. How much better would things be if Symantec
had kept - or been kept - on the ball?

~~~
un1xl0ser
The philosophy of responsible disclosure is something only pushed by security
vendors, people who use open-source software (it's being a good member of a
community) and brainwashed white-hats.

The security professionals who do this for a living, and study this, should
disclose fully, but a corporate entity never will. They cannot because of
shareholders, and there are way too many bugs out there and it would be
embarrassing cleaning up that much crap.

Security vulnerabilities are sometimes architectural problems, some are
related to ignorance, but a LOT more are just stupid bugs and people not
writing code that is correct. A good attacker doesn't care how they get in,
there is always a way.

It's a losing battle, just ask EWD.

[http://www.cs.utexas.edu/~EWD/transcriptions/EWD03xx/EWD340....](http://www.cs.utexas.edu/~EWD/transcriptions/EWD03xx/EWD340.html)

Edit: Words are tough.

~~~
burgerbrain
The _point_ of full disclosure is to give the "corporate entities" that like
to sit on vulnerabilities a swift kick in the ass and get them to do
something...

~~~
un1xl0ser
I plead no contest to PWI. I swear that it was all straight in my head.

~~~
redthrowaway
You blew over .08; I'm rescinding your Internet license. You can apply to the
MPAA to get it back in three months.

------
tga
> Symantec says the theft actually occurred in 2006

So somebody stole the source code _five_ years ago and they're starting to fix
_some_ of the glaring vulnerabilities today because this somehow got in the
news?

That's reason enough to stay away from all network-enabled Symantec products,
I would expect them to be equally insecure if this is the way they do things.

~~~
Urgo
Did it happen in 2006? I thought the 2006 version was what was stolen, but
this happened just recently.

EDIT: Never mind.. it did.. wow.. well supposedly nothing was released
publicly until just now though. Someone was just sitting on it. Ex-employee?

~~~
dspillett
Even if the theft did happen yesterday, they had still been sitting on serious
vulnerabilities for several years.

------
baddox
If hackers can find exploits in your software after its code is made public,
then they can find them before as well. Relying on source code being secret is
security through obscurity, which everyone should know is not security at all.
Especially for software with security implications (remote access, encryption,
etc.) the last thing you want is proprietary code.

------
MarkTraceur
Protip: ClamAV [0] is software that doesn't need to rely on code secrecy,
and it's completely free (as in beer and, more importantly, freedom).

[0] <http://www.clamav.net/lang/en/>

~~~
bad_user
I've been using ClamAV / ClamWin for several years.

It was primarily designed for scanning email attachments, but the client is OK
for usage on your desktop. Also, it only detects threats but doesn't clean the
infected files - which is OK, because you shouldn't trust AV software to clean
your files. Once your computer is compromised, you're better off formatting
your hard-drive and reinstalling everything from scratch (which is why it's
always a good idea to have periodic backups of your work).

------
peterb
Oh yeah, sure. Anonymous stole your source code 6 years ago. Give me a break.

~~~
a_a_r_o_n
But the theft was obscure, so our jobs were secure.

------
click170
I think this stands as a perfect example that I can use to educate friends and
family on why having access to the source code for the programs that you use
is important.

When someone is proud of their work, they like to show it off, and this is
true of programmers as well. If I make a neat program, and I'm really proud of
the job I did writing it, I want to show that off by showing people the source
code -- thus increasing my epenis/karma/reputation points etc. Conversely, if
I presided over a software product that I knew had bugs and I needed to
release said product regardless, I would _have_ to keep the source code tucked
away so that nobody could tell how bad said product is.

~~~
corin_
Your first paragraph nailed it, it is of course a great reason for open source
code - letting others audit it.

Second paragraph, way off base. Reasons for keeping source code private are
far more likely to be based on a business plan, not on coders being embarrassed
about their work.

------
colton36
TIL that pcAnywhere still exists. Last time I used it, 56k modem was the state
of the art.

~~~
Kadrith
We use it extensively since we require logging and the ability for remote
troubleshooting.

~~~
nknight
You know those same capabilities are included for free with every modern
operating system, right?

~~~
Kadrith
We can't standardize on RDP because it closes the remote display when we need
someone to walk our help desk through what they are experiencing, VNC was hit
or miss for features and support when we were looking at products so that
wasn't used. pcAnywhere also integrates with our asset management system and
help desk; both from Symantec.

~~~
nknight
> _We can't standardize on RDP because it closes the remote display when we
> need someone to walk our help desk through what they are experiencing_

That means you're looking in the wrong place. You don't want Remote Desktop.
On Windows XP you want Remote Assistance, and from Windows Vista you want
Windows Desktop Sharing. Same underlying protocol, but different semantics --
the session stays open on both ends.

------
B0Z
People still use PCAnywhere?