According to a white paper released by Symantec, the source code to various of its products that hacker group Anonymous recently threatened to disclose was stolen in 2006, and users are advised to disable pcAnywhere until further notice. Specifically, the paper states:
"pcAnywhere is a product that allows for direct PC to PC communication and this does expose some risk if the compromised code is actually released."
This seems to imply that pcAnywhere is based on security through obscurity. (Presumably, the same security risk actually exists, albeit to a lesser extent, whether or not somebody releases the source code: whatever information is in the source code is in principle available by reverse engineering the compiled code.)
To me, the event underlines at least two lessons:
- this is precisely what may happen if you rely on security through obscurity
- if you have some security-sensitive source code stolen, "right now" would be a good time to review the stolen code, rather than 6 years later...
Or is there something about the content of the white paper and the incident in general that I'm misunderstanding?
The Javamex companion blog. This blog includes both technical articles relating to the programming information that you'll find on the Javamex site, plus information covering the IT industry more generally.
Showing posts with label Symantec. Show all posts
Wednesday, January 25, 2012
Tuesday, March 10, 2009
PIFTS.EXE: Symantec finally own up
So, the world can rest easy in their beds. In a message tucked away on Symantec's forums (the same forums from which all communication about the issue was previously banned), they have finally owned up to what happened:
- they released a patch to do some boring things that any old patch might have done
- but they released the patch unsigned, causing it to hit the firewall when it otherwise wouldn't have done
- because some of the posts on the Symantec forum were judged to be abusive, all posts were pulled down.
(And yes, I did back up my recipe collection... just in case.)