zundel

Thursday 18

Quis custodiet ipsos custodes?

Filed under: Computers, Security — Tags: , , — zundel @ pm

Quis custodiet ipsos custodes?

There is no security through obscurity.

Symantec admits to more exposed code

Symantec’s code got taken, and now we have reason to doubt the security and usefulnes of their products, such as: Norton Internet Security, Norton Utilities, Norton GoBack, and pcAnywhere. We also have reason to doubt Symantec’s competence. If they cannot protect themselves, how can they protect you?

If you cannot publish the source code openly and still have a secure product, then your product is only as secure as your ability to keep it secret.

Symantec says hackers stole source code in 2006

Yet Laura DiDio, an analyst with ITIC who helps companies evaluate security software, said that Symantec’s customers should be concerned about the potential for hackers to use the stolen source code to figure out how to defeat some of the protections in Symantec’s software.

Many eyes make all bug shallow.

The bad guys now have the code.
If everyone had seen the code all along,
the good guys could have fixed the vulnerabilities in the code.

RSA got owned last year. Supposedly the very best at security had a very serious breach, the full consequences we don’t yet know and probably never will.

Then there’s the black farce of HBGary and defense and government attempts at security.

As I wrote in the takeaway: “If you need security, don’t use anything these guys mentioned.”

If you like the product on the supermarket shelf that implies it will make you look young and beautiful (whether cereal or shampoo) you’ll love the security in a box at Office Depot or for download. You can no more buy security than you can buy youth. Stop falling for the silicon snake oil.

Update:
Symantec discovered (admitted) that source code stolen in 2006 does compromise the security of their product. Symantec now recommends disabling pcAnywhere until they release a final set of updates.

Symantec publishes pcAnywhere security recommendations

In addition, an attacker with cryptography knowledge could conduct man-in-the-middle attacks on encrypted connections and create unauthorised connections to remote machines, thereby potentially gaining access to whole networks.

Advertisements

Blog at WordPress.com.

%d bloggers like this: