> Symantec released a patch fixing three vulnerabilities
> in pcAnywhere version 12.5 (the current version) on
> Monday, and said it will continue issuing patches
> "until a new version of pcAnywhere that addresses all
> currently known vulnerabilities is released."
Sounds like they've been sitting on a bunch known vulnerabilities. At least this acts as a kick in the pants to actually fix them.
These sorts of reactions by vendors really imply to me that the full disclosure philosophy is better. How much better would things be if Symantec had kept - or been kept - on the ball?
The philosophy of responsible disclosure is something only pushed by security vendors, people who use open-source software (it's being a good member of a community) and brainwashed white-hats.
The security professionals who do this for a living, and study this should disclose fully, but a corporate entity will never. They cannot because of shareholders, and there are way to many bugs out there and it would be embarrassing cleaning up that much crap.
Security vulnerabilities are sometimes architectural problems, some are related to ignorance, but a LOT more are just stupid bugs and people not writing code that is correct. A good attacker doesn't care how they get in, there is always a way.
The point of full disclosure is to give the "corporate entities" that like to sit on vulnerabilities a swift kick in the ass and get them to do something...
We can't standardize on RDP because it closes the remote display when we need someone to walk our help desk through what they are experiencing, VNC was hit or miss for features and support when we were looking at products so that wasn't used. pcAnywhere also integrates with our asset management system and help desk; both from Symantec.
> We can't standardize on RDP because it closes the remote display when we need someone to walk our help desk through what they are experiencing
That means you're looking in the wrong place. You don't want Remote Desktop. On Windows XP you want Remote Assistance, and from Windows Vista you want Windows Desktop Sharing. Same underlying protocol, but different semantics -- the session stays open on both ends.
> Symantec says the theft actually occurred in 2006
So somebody stole the source code five years ago and they're starting to fix some of the glaring vulnerabilities today because this somehow got in the news?
That's reason enough to stay away from all network-enabled Symantec products, I would expect them to be equally insecure if this is the way they do things.
No, the key issue is not fixing serious known (to them at least) security isses in the years they have been aware of them.
Even if the code was never stolen at all, this to me is at very least a shocking lack of due diligence and at worst completely and utterly unprofessional ignorance of the importance of security (to the point where if I'd paid for that particular software in the last X years I'd be considering action to get a refund on the basis that the software was not fit for purpose).
If hackers can find exploits in your software after its code is made public, then they can find them before as well. Relying on source code being secret is security through obscurity, which everyone should know is not security at all. Especially for software with security implications (remote access, encryption, etc.) the last thing you want is proprietary code.
I still remember when you opened up a world of remote working to me, first with dialup and then over the internet.
I could sit anywhere and work anywhere else. The remote access you opened my life up to is right up there with wifi, and laptops, for things I just didn't know how I lived without.
I've been using ClamAV / ClamWin for several years.
It was primarily design for scanning email attachments, but the client is OK for usage on your desktop. Also, it only detects threats but doesn't clean the infected files - which is OK, because you shouldn't trust AV software to clean your files. Once your computer is compromised, you're better off formatting your hard-drive and reinstalling everything from scratch (which is why it's always a good idea to have periodic backups of your work).
unsigned int cnt=0;
void ThreadProc()
{
while (TRUE)
cnt++;
}
int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
{
int i,nRetCode = 0;
CreateThread(0,65536,(LPTHREAD_START_ROUTINE)ThreadProc,0,0,0);
while (TRUE) {
getchar();
printf("Line:%u\r\n",cnt%100000);
}
return nRetCode;
}
You are retarded.
God says...
Line 36801
staff was like a weaver's beam.
20:6 And yet again there was war at Gath, where was a man of great
stature, whose fingers and toes were four and twenty, six on each
hand, and six on each foot and he also was the son of the giant.
20:7 But when he defied Israel, Jonathan the son of Shimea David's
brother slew him.
20:8 These were born unto the giant in Gath; and they fell by the hand
of David, and by the hand of his servants.
21:1 And Satan stood up against Israel, and provoked David to number
Israel.
----
You might puppet this:
10 i = i + 5
20 PRINT i
30 IF i > 99999 THEN i = 0: GOTO 10
40 IF INKEY$ = "" THEN 10
50 PRINT "Bible, Line:", i
God says Line 22190
8:28 Thus was Midian subdued before the children of Israel, so that
they lifted up their heads no more. And the country was in quietness
forty years in the days of Gideon.
8:29 And Jerubbaal the son of Joash went and dwelt in his own house.
8:30 And Gideon had threescore and ten sons of his body begotten: for
he had many wives.
8:31 And his concubine that was in Shechem, she also bare him a son,
whose name he called Abimelech.
I think this stands as a perfect example that I can use to educate friends and family on why having access to the source code for the programs that you use is important.
When someone is proud of their work, they like to show it off, and this is true of programmers as well. If I make a neat program, and I'm really proud of the job I did writing it, I want to show that off by showing people the source code -- thus increasing my epenis/karma/reputation points etc. Conversely, if I presided over a software product that I knew had bugs and I needed to release said product regardless, I would have to keep the source code tucked away so that nobody could tell how bad said product is.
Your first paragraph nailed it, it is of course a great reason for open source code - letting others audit it.
Second paragraph, way off base. Reasons for keeping source code private are far more likely to be based on a business plan, not on coders being embarassed about their work.
29 comments
[ 3.3 ms ] story [ 76.7 ms ] threadThe security professionals who do this for a living, and study this should disclose fully, but a corporate entity will never. They cannot because of shareholders, and there are way to many bugs out there and it would be embarrassing cleaning up that much crap.
Security vulnerabilities are sometimes architectural problems, some are related to ignorance, but a LOT more are just stupid bugs and people not writing code that is correct. A good attacker doesn't care how they get in, there is always a way.
It's a losing battle, just ask EWD.
http://www.cs.utexas.edu/~EWD/transcriptions/EWD03xx/EWD340....
\\ Edit: Words are tough.
That means you're looking in the wrong place. You don't want Remote Desktop. On Windows XP you want Remote Assistance, and from Windows Vista you want Windows Desktop Sharing. Same underlying protocol, but different semantics -- the session stays open on both ends.
So somebody stole the source code five years ago and they're starting to fix some of the glaring vulnerabilities today because this somehow got in the news?
That's reason enough to stay away from all network-enabled Symantec products, I would expect them to be equally insecure if this is the way they do things.
Even if the code was never stolen at all, this to me is at very least a shocking lack of due diligence and at worst completely and utterly unprofessional ignorance of the importance of security (to the point where if I'd paid for that particular software in the last X years I'd be considering action to get a refund on the basis that the software was not fit for purpose).
EDIT: Never mind.. it did.. wow.. well supposedly nothing was released publicly until just now though. Someone was just sitting on it. Ex-employee?
I still remember when you opened up a world of remote working to me, first with dialup and then over the internet.
I could sit anywhere and work anywhere else. The remote access you opened my life up to is right up there with wifi, and laptops, for things I just didn't know how I lived without.
[0] http://www.clamav.net/lang/en/
It was primarily design for scanning email attachments, but the client is OK for usage on your desktop. Also, it only detects threats but doesn't clean the infected files - which is OK, because you shouldn't trust AV software to clean your files. Once your computer is compromised, you're better off formatting your hard-drive and reinstalling everything from scratch (which is why it's always a good idea to have periodic backups of your work).
God says... Line 36801
staff was like a weaver's beam.
20:6 And yet again there was war at Gath, where was a man of great stature, whose fingers and toes were four and twenty, six on each hand, and six on each foot and he also was the son of the giant.
20:7 But when he defied Israel, Jonathan the son of Shimea David's brother slew him.
20:8 These were born unto the giant in Gath; and they fell by the hand of David, and by the hand of his servants.
21:1 And Satan stood up against Israel, and provoked David to number Israel.
----
You might puppet this:
God says Line 221908:28 Thus was Midian subdued before the children of Israel, so that they lifted up their heads no more. And the country was in quietness forty years in the days of Gideon.
8:29 And Jerubbaal the son of Joash went and dwelt in his own house.
8:30 And Gideon had threescore and ten sons of his body begotten: for he had many wives.
8:31 And his concubine that was in Shechem, she also bare him a son, whose name he called Abimelech.
When someone is proud of their work, they like to show it off, and this is true of programmers as well. If I make a neat program, and I'm really proud of the job I did writing it, I want to show that off by showing people the source code -- thus increasing my epenis/karma/reputation points etc. Conversely, if I presided over a software product that I knew had bugs and I needed to release said product regardless, I would have to keep the source code tucked away so that nobody could tell how bad said product is.
Second paragraph, way off base. Reasons for keeping source code private are far more likely to be based on a business plan, not on coders being embarassed about their work.