Insecurity By Obscurity


This week saw a surprising and shocking announcement by Symantec. According to ComputerWorld's Gregg Keizer:

Symantec this week took the highly unusual step of telling users of its pcAnywhere remote access software to disable or uninstall the software while it fixes an unknown number of bugs.

[...]

The advice to yank pcAnywhere from service was prompted by a 2006 leak of its source code and the much more recent involvement of Anonymous,

[...]

Last week, Symantec admitted its own network had been breached in 2006. Tuesday, it again said source code for several of its products, including pcAnywhere, had been stolen at that time.


A security breach can happen to anyone. Like an STD, it's embarrassing and reflects badly on the victim, but ultimately isn't likely to be fatal. But there are some much, much deeper questions to be answered.

As a thirty-year veteran of the software industry who has seen the inside of several corporate software sausage machines, I have three questions I would like to see answered honestly and clearly about Symantec's code leak:

  1. Why has it taken over five years for this admission and warning to surface from Symantec? Why did it take pressure from technology geeks to get them to own up, rather than a commitment to paying customers or concern for their own brand reputation?
  2. Why have they allowed security defects - ones so serious customers are recommended to stop using their software - to persist known but unfixed for those same five years?
  3. Why are they depending on code secrecy in commercial software advertised with a "trust us, we're experts" theme? Any reliable commercial security mechanism will rely on a strong algorithm, and it's widely understood that a strong algorithm is one that has been publicly scrutinized and publicly implemented. "Security by obscurity" is as discredited as it is inappropriate, as the open source movement has amply demonstrated for over a decade.


In the age of open source, the only advantage the proprietary vendors had left over pure subscriptions was the extra value that they claimed comes from having "complete control" of the source code. I'm looking forward to serious answers to these serious questions, Symantec.


Follow Simon as @webmink on Twitter and Identi.Ca and also on Google+