29 comments

[ 3.3 ms ] story [ 76.7 ms ] thread

  > Symantec released a patch fixing three vulnerabilities
  > in pcAnywhere version 12.5 (the current version) on
  > Monday, and said it will continue issuing patches
  > "until a new version of pcAnywhere that addresses all
  > currently known vulnerabilities is released."
Sounds like they've been sitting on a bunch known vulnerabilities. At least this acts as a kick in the pants to actually fix them.
These sorts of reactions by vendors really imply to me that the full disclosure philosophy is better. How much better would things be if Symantec had kept - or been kept - on the ball?
The philosophy of responsible disclosure is something only pushed by security vendors, people who use open-source software (it's being a good member of a community) and brainwashed white-hats.

The security professionals who do this for a living, and study this should disclose fully, but a corporate entity will never. They cannot because of shareholders, and there are way to many bugs out there and it would be embarrassing cleaning up that much crap.

Security vulnerabilities are sometimes architectural problems, some are related to ignorance, but a LOT more are just stupid bugs and people not writing code that is correct. A good attacker doesn't care how they get in, there is always a way.

It's a losing battle, just ask EWD.

http://www.cs.utexas.edu/~EWD/transcriptions/EWD03xx/EWD340....

\\ Edit: Words are tough.

The point of full disclosure is to give the "corporate entities" that like to sit on vulnerabilities a swift kick in the ass and get them to do something...
I plead no contest to PWI. I swear that it was all straight in my head.
No worries, happens to the best of us. ;)
You blew over .08; I'm rescinding your Internet license. You can apply to the MPAA to get it back in three months.
TIL that pcAnywhere still exists. Last time I used it, 56k modem was the state of the art.
We use it extensively since we require logging and the ability for remote troubleshooting.
You know those same capabilities are included for free with every modern operating system, right?
We can't standardize on RDP because it closes the remote display when we need someone to walk our help desk through what they are experiencing, VNC was hit or miss for features and support when we were looking at products so that wasn't used. pcAnywhere also integrates with our asset management system and help desk; both from Symantec.
> We can't standardize on RDP because it closes the remote display when we need someone to walk our help desk through what they are experiencing

That means you're looking in the wrong place. You don't want Remote Desktop. On Windows XP you want Remote Assistance, and from Windows Vista you want Windows Desktop Sharing. Same underlying protocol, but different semantics -- the session stays open on both ends.

> Symantec says the theft actually occurred in 2006

So somebody stole the source code five years ago and they're starting to fix some of the glaring vulnerabilities today because this somehow got in the news?

That's reason enough to stay away from all network-enabled Symantec products, I would expect them to be equally insecure if this is the way they do things.

The key question here is, when did they become aware of the theft?
No, the key issue is not fixing serious known (to them at least) security isses in the years they have been aware of them.

Even if the code was never stolen at all, this to me is at very least a shocking lack of due diligence and at worst completely and utterly unprofessional ignorance of the importance of security (to the point where if I'd paid for that particular software in the last X years I'd be considering action to get a refund on the basis that the software was not fit for purpose).

Did it happen in 2006? I thought the 2006 version was what was stolen, but this happened just recently.

EDIT: Never mind.. it did.. wow.. well supposedly nothing was released publicly until just now though. Someone was just sitting on it. Ex-employee?

Or someone who has been making use of those holes for the past 5 years...
Even if the theft did happen yesterday, they had still been sitting on serious vulnerabilities for several years.
If hackers can find exploits in your software after its code is made public, then they can find them before as well. Relying on source code being secret is security through obscurity, which everyone should know is not security at all. Especially for software with security implications (remote access, encryption, etc.) the last thing you want is proprietary code.
(comment deleted)
Oh, pcAnywhere, I hope you come out of this ok.

I still remember when you opened up a world of remote working to me, first with dialup and then over the internet.

I could sit anywhere and work anywhere else. The remote access you opened my life up to is right up there with wifi, and laptops, for things I just didn't know how I lived without.

Oh yeah, sure. Anonymous stole your source code 6 years ago. Give me a break.
But the theft was obscure, so our jobs were secure.
Protip: ClamAV [0] is a software that doesn't need to rely on code secrecy, and it's completely free (as in beer and, more importantly, freedom).

[0] http://www.clamav.net/lang/en/

I've been using ClamAV / ClamWin for several years.

It was primarily design for scanning email attachments, but the client is OK for usage on your desktop. Also, it only detects threats but doesn't clean the infected files - which is OK, because you shouldn't trust AV software to clean your files. Once your computer is compromised, you're better off formatting your hard-drive and reinstalling everything from scratch (which is why it's always a good idea to have periodic backups of your work).

People still use PCAnywhere?
This cannot be done with PC Anywhere

    unsigned int cnt=0;

    void ThreadProc()
    {
      while (TRUE)
        cnt++;
    }

    int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
    {
	    int i,nRetCode = 0;
	    CreateThread(0,65536,(LPTHREAD_START_ROUTINE)ThreadProc,0,0,0);
	    while (TRUE) {
	      getchar();
	      printf("Line:%u\r\n",cnt%100000);
	    }
	    return nRetCode;
    }
You are retarded.

God says... Line 36801

staff was like a weaver's beam.

20:6 And yet again there was war at Gath, where was a man of great stature, whose fingers and toes were four and twenty, six on each hand, and six on each foot and he also was the son of the giant.

20:7 But when he defied Israel, Jonathan the son of Shimea David's brother slew him.

20:8 These were born unto the giant in Gath; and they fell by the hand of David, and by the hand of his servants.

21:1 And Satan stood up against Israel, and provoked David to number Israel.

----

You might puppet this:

    10 i = i + 5
    20 PRINT i
    30 IF i > 99999 THEN i = 0: GOTO 10
    40 IF INKEY$ = "" THEN 10
    50 PRINT "Bible, Line:", i
God says Line 22190

8:28 Thus was Midian subdued before the children of Israel, so that they lifted up their heads no more. And the country was in quietness forty years in the days of Gideon.

8:29 And Jerubbaal the son of Joash went and dwelt in his own house.

8:30 And Gideon had threescore and ten sons of his body begotten: for he had many wives.

8:31 And his concubine that was in Shechem, she also bare him a son, whose name he called Abimelech.

I think this stands as a perfect example that I can use to educate friends and family on why having access to the source code for the programs that you use is important.

When someone is proud of their work, they like to show it off, and this is true of programmers as well. If I make a neat program, and I'm really proud of the job I did writing it, I want to show that off by showing people the source code -- thus increasing my epenis/karma/reputation points etc. Conversely, if I presided over a software product that I knew had bugs and I needed to release said product regardless, I would have to keep the source code tucked away so that nobody could tell how bad said product is.

Your first paragraph nailed it, it is of course a great reason for open source code - letting others audit it.

Second paragraph, way off base. Reasons for keeping source code private are far more likely to be based on a business plan, not on coders being embarassed about their work.