Symantec Tells Customers To Stop Using pcAnywhere

Orome1 writes "In a perhaps not wholly unexpected move, Symantec has advised the customers of its pcAnywhere remote control application to stop using it until patches for a slew of vulnerabilities are issued. If the attackers place a network sniffer on a customer's internal network and have access to the encryption details, the pcAnywhere traffic — including exchanged user login credentials — could be intercepted and decoded. If the attackers get their hands on the cryptographic key they can launch remote control sessions and, thus, access to systems and sensitive data. If the cryptographic key itself is using Active Directory credentials, they can also carry out other malicious activities on the network."

Way ahead of you, Symantec

[elrous0]

Most /.er's stopped using your products a long time ago.

Next up, Intel CEO admits "McAfee is just bloatware that doesn't actually do anything. To be honest, most of it just runs loops that eat up CPU, so people think it's doing something and want to buy a faster Intel CPU. It hasn't stopped an actual virus since the mid-90's."

Re:Way ahead of you, Symantec

Next up, Intel CEO admits "McAfee is just bloatware that doesn't actually do anything. To be honest, most of it just runs loops that eat up CPU, so people think it's doing something and want to buy a faster Intel CPU. It hasn't stopped an actual virus since the mid-90's."

Honestly, I wouldn't be suprised at all.

Re:Way ahead of you, Symantec

[Baloroth]

t hasn't stopped an actual virus since the mid-90's."

I wouldn't say that, it seems to do a pretty good job shutting down Windows.

Re:Way ahead of you, Symantec

[beachcoder]

Most /.er's stopped using your products a long time ago.

Quite. We used PC Anywhere around a decade ago. 'PC Anyone' we called it. I honestly didn't think it was still an active product.

Re:Way ahead of you, Symantec

You can't hack a hardlocked machine.

Re:Way ahead of you, Symantec

Symantec software is bloated, buggy and rapes the wallet.

There are plenty of free (or at least much cheaper) and competent alternatives out there.

Even Norton Ghost, an admirable software in its own right, has seen its quality dropped in recent years. Acronis True Image is much better.

Re:Way ahead of you, Symantec

[mcavic]

We have a server at our office running a PCAnywhere host, but it's on a custom port that's normally closed at the firewall.

Re:Way ahead of you, Symantec

Most /.er's never started that nasty habit thankfully. It's only the Apple (tm) toadies and lickspittles (r) that do that.

Re:Way ahead of you, Symantec

[postmortem]

Yep, from behavior of McAfee scanning compressed files, implementation has to be something like this:
int scan_zipped_file(char * file, int file_size)
{
      int i=0;
      int j=0;
      while (j < file_size)
      {
            while (i < 0x7FFFFFFF)
            {
              i++;
            }
            j++;
      }
      return 1;
}

Re:Way ahead of you, Symantec

You jest, but PC Anywhere passwords used to be encrypted by ye olde xor $A5 algorithm. I seriously don't understand why anyone with a brain would think PC Anywhere is in any way secure.

Re:Way ahead of you, Symantec

[cusco]

DriveImage used to be a great product, blew away Ghost in almost all respects. Then Symantec bought them with the supposed intention of rolling the technology into Ghost. Instead Ghost just got slower and buggier and the interface got even worse. Oh, and the price was twice what DriveImage used to be, for half the utility.

Years ago I used to use Delrina WinFax. Nice product, installed off of two floppies. Nothing fancy, just did exactly what I wanted it to and nothing else. Then Symantec bought it. I made the mistake of recommending WinFax to my employer and we installed it throughout the Claims department. Took up over 100 mb of hard drive (when a 500 mb hard drive was considered large) before even receiving any faxes. Buggy, slow, and a CPU hog. Then machines in the department started to blue screen at least once a week. Symantec tech support said, "Yes, that's a known issue." Huh? Is there going to be a fix coming out? "None is planned at this time." WTF? We installed the next version of WinFax when it came out and the blue screen issue was still there. Another call to tech support, and another repetition of "Yes, that's a known issue, and we don't have any sort of fix for it planned. Just reboot your PC and you'll be fine."

That last call presented me with the best music on hold that I've ever experienced, though. Their hold music machine had gone down that morning, so someone ran out and grabbed their Walkman out of the car and plugged it in. The CD that was in it was Bill Cosby's 'Wonderfullness'. By the time they picked up the phone a half hour later I was in a pretty good mood.

Re:Way ahead of you, Symantec

[CAIMLAS]

Yeah, but Symantec is still the undisputed champion in that regard.

Re:Way ahead of you, Symantec

[LinuxIsGarbage]

McAfee does more than that, it just makes Intel's own computers stop working.
http://www.zdnet.com/blog/bott/defective-mcafee-update-causes-worldwide-meltdown-of-xp-pcs/2003

But of course

[Magada]

this has nothing to do with the leaked source code. Right?

Re:But of course

I'm pretty sure that they made this clear in their disclosure?

http://www.symantec.com/connect/sites/default/files/pcAnywhere%20Security%20Recommendations%20WP_01_23_Final.pdf

First two paragraphs from their Introduction:

Upon investigation of the claims made by Anonymous regarding source code disclosure, Symantec believes that the disclosure was the result of a theft of source code that occurred in 2006. We believe that source code for the 2006-era versions of the following products was exposed: Norton Antivirus Corporate Edition; Norton Internet Security; Norton SystemWorks (Norton Utilities and Norton GoBack); and pcAnywhere.

With this incident pcAnywhere customers have increased risk. Malicious users with access to the source code have an increased ability to identify vulnerabilities and build new exploits. Additionally, customers that are not following general security best practices are susceptible to man-in-the-middle attacks which can reveal authentication and session information. General security best practices include endpoint, network, remote access, and physical security, as well as configuring pcAnywhere in a way that minimizes potential risks.

Re:But of course

[mcgrew]

If it had been open sourced the bugs would have been found and fixed years ago. How do you know some blackhat didn't find the holes without the source long before it was leaked? Security through obscurity is about as dependable as the TSA groping children in the airport is at keeping terrorists out.

Re:But of course

[Magada]

Oh, I am pretty sure I remember a 0-day being bandied about in certain circles, 2005-ish. I just assumed it was patched at some point.

Come on

[jayhawk88]

If the attackers place a network sniffer on a customer's internal network...

You've got a hell of a lot bigger problems than pcAnywhere.

Re:Come on

[cduffy]

If the attackers place a network sniffer on a customer's internal network...

You've got a hell of a lot bigger problems than pcAnywhere.

Au contraire -- if your infrastructure isn't robust against this class of attack (all internal traffic authenticated and encrypted, particularly during password exchange), you're Doing It Wrong.

Moreover, the concept of "defense in depth" applies -- a hard outer shell with a soft inner core means that when the eventual successful attack does happen (and it will!), the damage is that much worse. You can't have decent security if you design all the internal components assuming that the outer layer will protect them.

Re:Come on

[SpanglerIsAGod]

I find it interesting how many enterprise software companies don't understand that. When we run scans against their software and tell them we need them to fix vulnerabilities it's amazing how often they come back with, "This product is designed to be used internally." Like that matters, if your company is bigger then 10 people you shouldn't be surprised to have internal users trying to hack your system.

Re:Come on

[Dishevel]

On the other hand your hard inner shell can cost the company massive amounts in lost productivity. The harder the core is the more people hate to go to work.
You really need specific defenses set up. We have a mostly open wifi network connected to the internet. (Personal Devices, Visitors and the like) We also have a highly filtered connection to the internet for company systems. Servers are set on the local network behind a firewall that drops anything not expected and also drops anything that is expected if it is not coming from the place that it is expected to come from. Really critically confidential stuff is (Credit card data, personnel crap and the like are set nested behind an even more secure firewall.
You can not expect everything to be secure. You have to pick and choose your battles. Workers must have some freedoms. Most of the stuff they do should be easy. Difficulty should be reserved for where it is really needed. I hate seeing a system that has 54 character passwords that are reset every 28 days and must include lower case, uppercase, numbers and punctuation so that a call taker can log into the system to take calls. That is stupid shit.

Re:Come on

[NotBorg]

It's worse than that. You don't have to have a "guy on the inside" for many sites. There's this myth that if you throw up a big firewall then all the applications behind it are protected. It doesn't take a genius to see that a single compromised machine on the "secured" side of the wall (not uncommon) effectively exposes all those "protected" (internal) applications to risk. Unless you're sure you can keep all your user's workstations free from compromise (good luck with that), you should just start with the assumption that your "protected" (internal) applications are exposed.

Re:Come on

[Dishevel]

The use of capitals is really nice. Not sure where I stated that I was allowing rlogin to anything on my network. But if you want to assume that I do ...
What part of my network would I be using them on? Rlogin over wifi to personal devices? Rlogin from a relatively untrusted segment of my local network to my credit card database? Rlogin over a naked connection from the internet directly to my servers? One I care not about, one are a very bad idea, and one would fit your capitals.
Am I doing any of them?
If I were to point out a really fucking stupid attitude it would be the attitude of some fucking tool that dreams of being "The BOFH".
BOFH had great reading comprehension. You ... Not so much.

Re:Come on

It doesn't take a genius to see that...

That's the problem. On the level of the people making those decisions, anyone who can understand that is effectively a "genius".

Re:Come on

[cduffy]

You can not expect everything to be secure. You have to pick and choose your battles. Workers must have some freedoms. Most of the stuff they do should be easy. Difficulty should be reserved for where it is really needed.

I'm talking about end-to-end encryption -- your jump into password policies is just bringing up the Mordok the Preventer strawman.

Using TLS for your internal services doesn't make users' lives worse; for that matter, a number of technologies offering end-to-end encryption and authentication make users' lives better by offering single-sign-on capabilities (see: Kerberos) while doing host- and service-level authentication and encryption in the background. Having your hard core kerberized means no additional hoops to jump through on login, but ensures that your backend services are able to determine that their access is eventually tied back to an active and valid session.

Fighting any and all attempts at defense-in-depth because some people do it horribly wrong is simply misguided.

Re:Come on

[fish_in_the_c]

some estimates are that more then 50% of attacks come from inside the firewall.. ( disgruntled employees , corporate espionage , or sometimes people just trying to see things they without permission ( curiosity) ). ( that was what the marketing people at the firewall company I worked for claimed).

Of coarse if you can detect such things , you can always fire those people, part of the problem is most medium and small companies don't have the money it takes to pay some one to act full time as a security officer , which is really what is needed to set up , secure, optimize a network with more then 20 machines and heterogeneous software.

Small business ( under 20 ) probably don't need it because hopefully you can trust everyone , and when you are taking out your own trash probably can't afford full time security. However most medium sized businesses take a long time to move away from that mentality.

Re:Come on

this is a bullshit strawman, anyone with a mobile device can sniff the internal network if it has an ethernet port; seriously, its not like insiders are ever a threat either....

Re:Come on

[jimicus]

You can not expect everything to be secure. You have to pick and choose your battles. Workers must have some freedoms. Most of the stuff they do should be easy. Difficulty should be reserved for where it is really needed. I hate seeing a system that has 54 character passwords that are reset every 28 days and must include lower case, uppercase, numbers and punctuation so that a call taker can log into the system to take calls. That is stupid shit.

You're not talking about security, you're talking about policies that are thrown together piecemeal in the form of a constantly-updated list of "Things that have been described as insecure in the latest issue of "IT Security for - and written by - PHBs Magazine"". You know how it goes:

Month 1: "Are your users using passwords that are too short?"
EEKS! PANIC! From now all, all passwords must be at least 8 characters long!

Month 2: "Are your users using easily guessable passwords?"
PANIC! From now on, all passwords must be at least 8 characters long and consist of letters and numbers!

Month 3: "Are your users using passwords that are too long? Yes, it's possible. Read our article..."
SHIT! SHIT! SHIT! From now on, all passwords must be at least 8 characters long, no greater than 15 characters long and consist of letters and numbers!

Month 4: "Do you change your passwords often enough?"
PANIC! From now on, all passwords must be at least 8 characters long, no greater than 15 characters long and consist of letters and numbers, and must change every 30 days!

Month 5: "Are your users abusing your policy by typing in the same password every time they're prompted to change it? Read our exclusive report...."
ACTION STATIONS! From now on, all passwords must be at least 8 characters long, no greater than 15 characters long and consist of letters and numbers, must change every 30 days and you can't use the same password twice in a year! We'll keep records of your last 12 passwords to enforce this!

Month 6: "Are you secure against dictionary attacks? Read our article about this SHOCKING new attack method!"
AAARGH! Right, from now on, all passwords must be at least 8 characters long, no greater than 15 characters long, consist of letters and numbers, not appear in any dictionary even if common number/letter substitutions are accounted for, must change every 30 days and you can't use the same password twice in a year! We'll keep records of your last 12 passwords to enforce this!

Month 7: "Did you know? 70% of people use a simple password like 'aaaaaaaaa' or '1234567890123' (not particularly surprising if you've been following everything we've said) Turn to page 12 for our exclusive report!"
DAMN! From now on, all passwords must be at least 8 characters long, no greater than 15 characters long, consist of letters and numbers, not appear in any dictionary even if common number/letter substitutions are accounted for, must not contain the same character repeated more than twice, must not contain sequential letters or numbers, must change every 30 days and you can't use the same password twice in a year! We'll keep records of your last 12 passwords to enforce this!

Month 8: "New research suggests 30% of people use their own telephone number as a password!"
OH NO YOU DON'T! From now on, all passwords must be at least 8 characters long, no greater than 15 characters long, consist of letters and numbers, not appear in any dictionary even if common number/letter substitutions are accounted for, must not contain the same character repeated more than twice, must not contain sequential letters or numbers, will be checked against the phone number we have on record for you to ensure it's not that, must change every 30 days and you can't use the same password twice in a year! We'll keep records of your last 12 passwords to enforce this!

I think you've got the idea by now....

Re:Come on

[liquidweaver]

I wonder if all your negative responders have ever managed a network.
By the way, I get what you are saying. Even thinking you can lock down everything on a network and believing it will still be useful is naive.
You can create an internal certificate structure for all your employees, IPSec everything end-to-end, full disk encryption, etc... you will still have break in's from social engineering. Beyond Joomla/wordpress/insert spaghetti code php script here, it's becoming far far and few in between where some black hat sitting in bumfuckistan remote exploits his way in without talking to a single person. The best and highest profile hacks of all time were through humans, not by defeating your naive everything-is-encrypted-hard-inner-core circle jerk.

Yeah, I'm working hard for a flamebait tag, but I see this all the time, it's annoying as hell.

Re:Come on

[hairyfeet]

Not to mention those places with BOFH password policies are usually less secure than no passwords at all! I'll never forget a story one of my teachers told me about taking some kids on a tour of a place with a BOFH that just kept droning on and on about how is super asshole password policies made them so super secure, finally mike got tired of it and said 'i bet you $100 and a steak dinner that you let me loose in this place for just 20 minutes i'll be in the system' and of course Mr BOFH wanted to show he was hot shit in front of the kids and so took the bet. Sure enough not 15 minutes later mike hands him a list of no less than a half a dozen passwords and usernames, all good. When the BOFH demanded to know how he did that mike just led him to the cubicles and started flipping over keyboards and sure enough the passwords were sticky noted all over the place!

like that old XKCD bit all those insane passwords do is make for really confused and frustrated users.

Re:Come on

[cduffy]

The best and highest profile hacks of all time were through humans, not by defeating your naive everything-is-encrypted-hard-inner-core circle jerk.

And you're right, of course, but that's not an excuse for being sloppy.

Re:Come on

[Dishevel]

Yup. If you make things too difficult for user they will try and figure out a way to make it easier. I am sure that my easy way is much more secure than their easy way.
Though I will state again. There are some things that must be as secure as you can make them. If you treat everything that way though your security will end up for shit.

Re:Come on

[Dadoo]

As usual, XKCD to the rescue:

http://www.xkcd.com/936/

Possibly the best advice I've ever heard about passwords. The problem is that people are so concerned about following the rules you discussed, they're actually making their networks less secure.

Re:Come on

[hairyfeet]

Exactly there is no damned point in making Sally the secretary jump through flaming security hoops if she isn't handling payroll or other sensitive information, its just being a BOFH and tying a boat anchor to her productivity. BTW I'm curious about your sig, what is it about dell servers that sucks so bad? i'm out of corporate IT thank the Gods so i haven't messed with a Dell server in ages (always preferred HP myself) but the last time i messed with them, back in the days of the Optiplex p4 office boxes, they didn't seem to be any better or worse than any other bog standard server, so what has changed? I'm sure with a sig like that it'll be a good rant but I am curious and would like to know what to warn my SMB customers if one starts thinking Dell.

Re:Come on

[jimicus]

They're even worse than that.

Granted, I gave an extreme example - but the thing is a dictionary attack is fantastically easy to defend against. So much so that many half-decent authentication schemes have protection against that baked right into them and turned on by default - get your password wrong too many times in a row and you get locked out.

I would dearly love to know exactly how many security breaches in the real world come from password brute-forcing (either through trying to login with every conceivable password or obtaining a list of hashes). I'm prepared to bet that in a significant percentage of cases, serious security breaches come from one of a handful of sources. Sources like:

  - People whose unencrypted data (be it on CD, laptop, USB stick or whatever) gets stolen.
  - Malware that grabs passwords.
  - Corrupt employees/contractors.

Re:Come on

I run firewalls between different collections on servers. I'm always amazaed at how many vendors are confused and unable to deal with a firewall between the web server and database server.

Re:Come on

[frank_adrian314159]

You left out the punctuation mark requirements.

Re:Come on

[jimicus]

Month 9: "New research suggests that including punctuation marks in your password can make it 43% harder to guess!"
BRILLIANT. From now on, all passwords must be at least 8 characters long, no greater than 15 characters long, consist of letters, numbers and punctuation, not appear in any dictionary even if common number/letter substitutions are accounted for, must not contain the same character repeated more than twice, must not contain sequential letters or numbers, will be checked against the phone number we have on record for you to ensure it's not that, must change every 30 days and you can't use the same password twice in a year! We'll keep records of your last 12 passwords to enforce this!

Month 10: "Security experts say onerous password rules can make systems less secure!"
OK. From now on, all password rules are eliminated!

Month 11: "Are your users using passwords that are too short?"
EEKS! PANIC! From now all, all passwords must be at least 8 characters long!

Happy?

Re:Come on

[the_B0fh]

It is not difficult to have a hard inner shell. Or at least pretty decent security inside. But I see a lot of people with your attitude (oh, it's hard, and it makes it difficult, and it's inside, so who cares anyway).

The rlogin was a _ne plus ultra_ if you couldn't tell from context.

Re:Come on

[Dishevel]

Here is what I know about Dell.
Ordered a pair of servers from Dell for a dirty little project that had to be up by a specific time. Thought that instaed of ordering parts on newegg and throwing them together I might like a little bit of support. Was going to be buying a bunch more servers over time and thought that using Dells and letting them do all the ID tracking on my systems might give me a little more time things I should not be getting paid for. Ordered the servers. Nothing special. They said they would be shipped in about 10 days. I though 10 days for in stock windows 2008 server without RAID was a bit long, but I had time. The day AFTER they were supposed to ship they send me an Email saying it will be another week and a half! I called and after digging through support teams got to a place where I found out they had the parts it just need to be built. I say build it and ship it. They say best they can do is 4 days. 4 days to slap in a cpu, some sticks of ram and a hard drive? 4 days to image the drive? That would take me to near my deadline. On top of that they treated me like crap before they got my money. What will support be like once they get it? Ordered 2 chassis and some parts on NewEgg and had them overninghted. Had everything in 2 days.Had it ready to go before Dell could have shipped it.
So my sig is a lie.
Have no idea how bad the servers are. I guess it is the company that I feel is shit.

Re:Come on

[SpanglerIsAGod]

Yes. I'm also surprised by how many vendors and developers don't know what ports they use.

Re:Come on

[SignOfZeta]

The only problem with that is the fact that the space bar makes a unique noise when pressed. It's a good clue to a shoulder surfer.

Of course, following xkcd's advice while removing spaces is quite acceptable.

Re:Come on

[Bert64]

Keeping records of the last 12 passwords is flawed, you should keep record of infinite passwords for a predetermined period of time otherwise the user can simply change their password repeatedly to expire the old ones from the cache.

Also passwords need to be sufficiently different from previous passwords, or you will get ridiculous situations where Password1 becomes Password2, and then Password3 etc...

Of course, if a password was strong in the first place, stored using a strong hashing algorithm and isn't suspected to have been leaked (eg by a keylogger) then it's often beneficial NOT to change it...
People are not good at remembering passwords, especially complex ones, so if you make them change regularly this always results in...
Easily remembered passwords.
Passwords being written down.
Passwords being forgotten, generating helpdesk calls or requiring a (probably very insecure) reset procedure.
Passwords reused in other places (therefore only as secure as the weakest of those places).

Re:Come on

[Bert64]

You have lots of vendors selling firewalls, who will insist that is all thats needed...
Lots of non technical (and even more pseudo-technical types) believe this, and its become a corporate standard to build networks like this.

After a while, you have so much cruft that it's not viable (in terms of time and cost) to secure the network properly... There are simply too many machines to reconfigure, and too many services you depend on which are fundamentally insecure and would need to be replaced.

Re:Come on

[CAIMLAS]

You can not expect everything to be secure. You have to pick and choose your battles.

Yet, if you do not pick and win all the battles, it's quite likely you'll lose your job when (not if) there is an intrusion.

I've yet to meet an employer who is forgiving about a person leaving the doors unlocked, resulting in a burglary. It doesn't matter if there are 2,000 doors which need to be checked/audited on a daily basis next to the First International Burglary Institute - your (and my) employers are otherwise ignorant to all of this. They live in tiny, simple worlds where "due diligence" means using the electronic locks on their cars and double-checking their front door when they go to work in the morning.

Re:Come on

[ArsenneLupin]

Keeping records of the last 12 passwords is flawed, you should keep record of infinite passwords for a predetermined period of time otherwise the user can simply change their password repeatedly to expire the old ones from the cache.

That's why the stupider systems not only have maximum password change intervals ("you must change your password at least once every 42 days") but also minimum change intervals ("you can't change your password if you already changed it today or yesterday").
Great if you just noticed that you accidentally typed your password into a non-obscured field while a coworker was looking over your shoulder...

Re:Come on

[ArsenneLupin]

You forgot:

Month 9: "New research suggests 95% of people have their password written on a post-it stuck to their screen!"
... which is understandable, because who is able to remember a password that is at least 8 characters long, no greater than 15 characters long, consist of letters and numbers, does not appear in any dictionary even if common number/letter substitutions are accounted for, does not contain the same character repeated more than twice, does not contain sequential letters or numbers, and is checked against the phone number we have on record for you to ensure it's not that, and which must change every 30 days (just when you got the hang of it) and can't use the same password twice in a year, nor any that is too similar to a previous one!

Re:Come on

[hairyfeet]

Ahhh...been there friend, been there. Had a company that didn't want to listen to me and went Dell small business and got the same jerking around, finally they called me and said "We've canceled it and are stuck, help please?" and did a variation of what you did only i prefer Tigerdirect barebones. even figuring in my labor they ended up getting nicer systems a good 20% cheaper and as i told them that meant for each five systems i could build them a spare for the same money they were paying so fuck dell support. They ended up with with nicer AMD triples and quads instead of the bottom of the line Pentium duals Dell had quoted them and used the money they saved by doing it my way to add better graphics to the main graphics editing workstations and adding a spare. Talked to the guy the other week when i walked by his printing business and he said the systems i built him ran so good he ended up taking the spare home and giving it to his wife because he figured with my fast turnaround if anything ever died he'd just next day a barebone and pay me a little extra to rush build.

Ya see running a little mom & pop PC shop HERE is what i don't like about the OEMs...unless you get assraped on the price frankly the parts they use are just garbage. You actually got off lucky friend because I've seen those entry level servers and desktops have PSUs that barely had enough power to feed the system so if anything changed it would fry, we are talking 250w PSUs on a machine drawing 238w, fans that are woefully underpowered that make the systems prone to overheat, cases so small to save on metal that they were like little toaster ovens, just real garbage. I've got 3 off lease dells sitting in the shop i'm gonna end up dumping on CL simply because the specs on those things royally suck and the upgrade options nonexistent.

As I told the owner of the print shop every single system i built can easily have a 6 core dropped in, can hold 16gb of RAM, have cases roomy enough and PSUs big enough he can drop in 3 more HDDs without even a second thought, has solid caps so they'll last for bloody ages, hell most of my builds just end up passed from hand to hand as their needs outgrow it they just pass it to friends/relatives. I often make reference in my posts for "things being easy enough for Suzy the checkout girl" because she sticks in my mind, I was checking out at the local grocery when she spoke up and said "Hey i heard you fix computers and i have one that was give to me and is a little slow, would you mind following me to my car just to see what you think?" and when i saw it I busted out laughing until i saw the poor thing start to cry. i told her 'i'm not laughing at you honey, i'm laughing because i built this baby nearly a decade ago. See these are my initials on the bottom" and damned if that thing hadn't gone through her bosses entire family before ending up with her! I slapped a late model P4 and board in there for her cheap and last I heard that old dino is still chugging along, working for her and her kids 7 days a week!

So I know exactly what you felt friend, I've dealt with support hell from the OEMs enough to know the money and hassle i save by just going DIY for my customers makes it a no brainer. again unless you spend insane amounts on contracts and boxes their "support" is beyond worthless IMHO, I've dealt with enough Indian tech support to know that's a fact. one of the things i loved about the consulting job i held at the capital was we had a little indian gal working the desk and when we'd get stuck in support hell we'd hand her the phone and let her curse them in Hindi LOL! You'd think selling so many corporate systems it'd save time and hassle but frankly its cheaper and less hair pulling to just figure in the price of spares and call it a day. I'm proud to say everything i build is built like a tank and short of a lightning strike or pouring coke down the front ain't going nowhere.

Re:Come on

[_0xd0ad]

Great if you just noticed that you accidentally typed your password into a non-obscured field while a coworker was looking over your shoulder...

That's when you call the IT help line and tell them you accidentally just shredded the post-it your new password was on.

Unless that's grounds for disciplinary action where you work... in which case, just say you forgot it.

Re:Come on

[ArsenneLupin]

Great if you just noticed that you accidentally typed your password into a non-obscured field while a coworker was looking over your shoulder...

That's when you call the IT help line and tell them you accidentally just shredded the post-it your new password was on.

Nice! Must remember this one :-)

Unless that's grounds for disciplinary action where you work... in which case, just say you forgot it.

Or even better: just forget about the incident... after all it's not your personal data that is at risk, but just the company's, and if the company doesn't care more, why should you?

Re:Come on

[_0xd0ad]

Nice! Must remember this one :-)

You could write it on a post-it so you won't forget.

it's not your personal data that is at risk, but just the company's, and if the company doesn't care more, why should you?

It's not your personal data that is at risk; it's the ability to use your username and password to do things that would make the company start caring very quickly. Like sending its data to places it shouldn't be. Or, for that matter, to access data that shouldn't be accessed from the company's internet connection (e.g. porn).

Re:Come on

[Bert64]

Exactly, stupider... You mitigate one problem (that of repeated password changes) and create some new ones instead of fixing the problem properly by implementing an algorithm which remembers passwords by age rather than a fixed number of them.

Re:Come on

[cduffy]

Let me be a little more specific --

You're entirely right that a successful targeted attack (unlike the everyday automated ones) is likely to involve social engineering. Question is -- once an attacker is in, and has achieved the objectives they targeted through their social engineering efforts, how far can they continue to penetrate?

Defense-in-depth gives you better chances of being able to prevent an attacker from reaching targets of opportunity. It's not prevention (against the determined and resourceful -- and being able to successfully deter those who are neither is an important goal), but rather containment... but containment is important too.

Moreover, a great many attacks are insiders at work; a "hard inner core" makes pulling off an insider attack without leaving traces (forcing someone to steal credentials from a coworker, for instance, gives them that much more opportunity to slip up) that much harder. Sure, the attack may still happen, but being able to audit the Kerberos logs and determine that server ${A} originally granted a ticket for user ${B} on workstation ${C} which was used to authenticate to service ${D}... well, that auditing makes the forensics that much easier.

Re:Come on

[liquidweaver]

Oh for sure - you have to have something. I have a a log server on the inside that gets an audio trail from all my servers, and is not accessible beyond that (and that it can send email too). We use a ticket based auth system as well, LDAP+MIT Kerberos. We do, however, have a file server that has no credentials on the inside, for commonly used files and templates. We do not secure our printers. Our VPN is based on 1-year expiring certs, so they cannot forget their password as they don't have one, and on the off chance they lose their laptop, we can just revoke and grant a new one.

My problem, and where I take issue, is where everything is locked down with unuseably long passwords and there is 3 layers of neutered admins to get anything done because they have discovered POLP. It happens all over the place. Oooohh - we can enable SSL on the inside! Of course, if they have an attacker on the inside they can either get to the webserver, or just setup a mitm and the users will click right past the cert warning. If you have a true internal break in, the only thing that can help is backups, good logs, and a quick notification system. Everything else is an elaborate, time consuming house of cards.

tl;dr - I essentially agree with you, I just want to define "hard inner core", and I think a reasonable measure of security is a good thing.

Security through obscurity?

[Sockatume]

What the story doesn't mention is that the pcAnywhere source was nicked. It sounds like Symantec was aware of the weaknesses, and chose not to act until the source was stolen and the security weaknesses became public.

http://www.channelregister.co.uk/2012/01/18/symantec_leak_latest/

Re:Security through obscurity?

[jesseck]

The source was stole in 2006. This means that they corrected the problems in their other products which had stolen source, but not pcAnywhere. For 5-6 years, Symantec has been selling software which was potentially compromised.

The current reported theft happened recently, but that source code came from a theft (unreported by Symantec, but known) back in 2006. That means, since 2006, Symantec has known the pcAnywhere source was stolen, knew of vulnerabilities, and chose not to fix that product. It sounds like they patched the rest of their products, though.

Re:Security through obscurity?

I haven't kept track of this story all that well; while I know the source was yoinked in 2006, was Symantec AWARE of that fact since 2006? If not, it's believable they didn't fix the problems in their other products until now.

Re:Security through obscurity?

[SlippyToad]

For 5-6 years, Symantec has been selling software which was potentially compromised.

This does not surprise me. Symantec is the shit-king of shit software.

And, like many others here, I certainly threw all my weight into helping get that crap outta MY house several years ago. In fact, I personally headed up and executed our Windows XP rollout several years back to get rid of Win2k, and a major selling point in my cost-benefit analysis was dumping PCAnywhere, and all of the headaches, security holes, and bullshit with RDP and Remote Assistance.

What I unfortunately didn't count on was how slowly the business would move . . . but we are moving in the right direction, even if it has taken 5 years to get there.

Re:Security through obscurity?

[EETech1]

The (stolen with our source code and now quite useless but we'll still try to make them sound like their secure and somehow useful) encryption details...

FTFS

Cheers

Re:Security through obscurity?

[knarf]

There is another possibility here: pcAnywhere, being closed-source commercial software made by a vendor who is keen to sell as many copies to as many countries as possible, might contain one or more backdoors to enable Those_Who_Make_The_Rules (or those who pay enough) to access any pcAnywhere installation out there. These backdoors might not have changed since 2006, especially if they are based on some 'secret' certificate or another 'secret' sauce. With the source leaked, these secrets might not be so secret anymore - and might have not been so for the past 6 years. This being pcAnywhere, made by a commercial vendor who is keen to sell as much as possible while doing as little as possible, the fact that they knew the secret to be out there might not have bothered them all that much as long as it was not published in CEO magazine.
Is this tin foil territory? It might sound like it, until you contemplate what mobile communications vendors regularly do to get access to controlled markets.

Re:Security through obscurity?

[cpu6502]

>>>Symantec has known the pcAnywhere source was stolen,

How is this different from any open-source anti-virus software? The source is "out there" and compromised in both cases.

Ooops. I guess I should not have said that.

Re:Security through obscurity?

[tjbp]

Open-source software can be patched.

Symantec AV will kill your PC

[na1led]

I can't understand why people still put Symantec on their PC. It's a bloated piece of crap that blocks everything without intelligently deciding if it's a good idea. When I had Symantec installed on my laptop, the CPU was at 100% and I had to manually turn off the firewall just to browse the web.

Re:Symantec AV will kill your PC

[couchslug]

Because they don't know how the magic box works, that's why.

Yes, really.

Re:Symantec AV will kill your PC

[jason777]

I'm required to at work. And yes it brings the system to a crawl.

Re:Symantec AV will kill your PC

[lwriemen]

This is the same reason Windows has a monopoly on the PC. (Along with the illegal use of monopoly power, natch.)

Re:Symantec AV will kill your PC

[Anrego]

I think much like McAfee, they don't.

Dell or whoever they buy the computer from does it for them, and makes it insanely painful to remove.

Re:Symantec AV will kill your PC

[DrXym]

Might be different for corporates but for individuals I don't see any reason to use anything more than the MS Security Essentials app. It's free, it provides good protection, gets new virus definition updates all the time, it doesn't hog the cpu or nag you. That's all one can hope for from antivirus software. It's a refreshing change from the days of MS DOS 6.0 where MS Antivirus was so broken that it was worse than useless.

For enterprises perhaps there is merit in some antivirus to be centrally controlled since they often do more than just detect viruses.

Re:Symantec AV will kill your PC

[timbo234]

Because they don't know that there's free antivirus software out there that does the job just as well, and even if they did they wouldn't trust it - and rightfully so given the amount of malware out there posing as 'anti-virus' and 'anti-spyware' software.

My parents went throuh this painful cycle. First they got duped by some flashing ad on the internet into downloading one of the malware 'anti-virus' programs, then they went to a local big-name store (Australia's infamous Harvey Norman) who were more than happy to sell them an expensive yearly subscription to Symantec's bloated anti-virus to try and fix it up. When I visited them after that I put MS Security Essentials on and everything's fine since.

I wish MS would just have Security Essentials installed and on by default and end this game where both malware authors and big-name 'respectable' firms rip off non-technical computer users?

Re:Symantec AV will kill your PC

[Cro+Magnon]

Many vendors preinstall Symantec. Unless the customer actually knows how big a POS it is and stops them, they'll get it crammed on their box.

Re:Symantec AV will kill your PC

[cusco]

And then, like my mom, they don't see the point of spending $50/year on it or just plain forget, then a year or two down the road they lose everything because some malware kills their system.

Re:Symantec AV will kill your PC

It's probably a choice restriction thing. Like the browser choice BS a few years ago. Doesn't matter that the MS software is the best in this case, you still have to choose to manually install it yourself. Otherwise some people might argue "OMG MS is forcing us to use Security Essentials".

Symantec white paper

[Azarman]

Had to deal with this issue this morning

Extra information http://www.symantec.com/connect/sites/default/files/pcAnywhere%20Security%20Recommendations%20WP_01_23_Final.pdf

Presently if you use PCanywhere for WAN access disable now, if you use it in a closed network should be ok, unless someone is already on the network but if that is the case, you already have a problem better than this.

I think Symantec handled this ok, when Anon stated they had the source code last week Symantec issued a statement about what they had, mainly 2006 code. Anon yesterday declared they had a few zero days Symantec issued a statement dealing with it last night.

Re:Symantec white paper

[jesseck]

I think Symantec handled this ok, when Anon stated they had the source code last week Symantec issued a statement about what they had, mainly 2006 code.

Personally, I would feel better if Symantec could come out and say, "You know, Anon does have the source code that was stolen from us in 2006, but we've patched those vulnerabilities over the last 5 years. All of our products, including pcAnywhere, are secure and reliable."

I know that Symantec says the rest of the products are safe- I just wonder why it couldn't be "all" products.

Re:Symantec white paper

[cusco]

If they didn't patch a product that they knew their customers had installed on mission-critical servers I sincerely doubt that they've bothered with any of their other software.

Re:Symantec white paper

[Stuarticus]

Anyone using Symantec pcanywhere in mission critical servers should be instantly shot.

Who still uses PCAnywhere?

[ArcherB]

I remember the first time I used it. It was a Godsend. It was so nice to simply take control and do it rather than sit there on the phone saying, "Click Start. Start. It's on the bottom left. S-T-A-R-T! No, don't type it. Click the button labeled 'Start'. No, it's not on your keyboard. No, wait. Hit CTRL-ESC. Control Escape. It's on your keyboard. Press and hold control and then press and release escape. Keyboard. It's on your keyboard. Nevermind. Do you see Start on your screen?" Even though we were connecting via dialup, it was lightyears better than trying to imagine the screen the use was describing and then describing elements of it it back to them.

But those days are long gone. Now we have RDP, VNC, WebEx, and a host of other remote desktop utilities and protocols. There is no longer a need for PCAW.

Re:Who still uses PCAnywhere?

[Zocalo]

"Click Start. Start. It's on the bottom left. S-T-A-R-T! No, don't type it. Click the button labeled 'Start'. No, it's not on your keyboard. No, wait. ...

And that's where you went wrong. The correct procedure for any self respecting BOFH at this point would be:

"Turn off the PC at the power switch, turn it back on and call back when you have logged back in. Bye." *Hang up phone* "I'm going on my coffee/cigarette break guys. See you in twenty!

Re:Who still uses PCAnywhere?

And that's where you went wrong. The correct procedure for any self respecting BOFH at this point would be:

"Turn off the PC at the power switch, turn it back on and call back when you have logged back in. Bye." *Hang up phone* "I'm going on my coffee/cigarette break guys. See you in twenty!

Hah, the jokes on you. With all the spyware and viruses installed, theres no way you can reboot and login in less than 20 minutes.

Re:Who still uses PCAnywhere?

[LordLimecat]

RDP requires port forwarding, which requires access to the firewall, which is not always available; it also will not work if your ISP NATs you. Ditto with VNC, unless you use a repeater or know for sure what ip you will be connecting from (so you can do a reverse VNC). WebEx is not free.

There ARE good, free alternatives-- TeamViewer, ShowMyPC, hamachi+rdp, LogMeIn, CrossLoop, etc.

Re:Who still uses PCAnywhere?

[thereitis]

That's enough to drive someone to drink! I could never do phone support.

Re:Who still uses PCAnywhere?

.......that was the point.....?

Re:Who still uses PCAnywhere?

In fact, the problem is that there are so many different solutions (both free and non-free).
For every software supplier we have, we need to use a different program.
As users are not allowed to install software (or run software they download), each of them has to be installed and kept uptodate.
This is becoming an ever bigger headache.
It'd really like to see a standard protocol used by all remote assistance software, so a single installed piece of software can
be used with all remote assistance.

Re:Who still uses PCAnywhere?

[MachineShedFred]

Unfortunately, Symantec just finished purchasing and absorbing the Altiris Client Management Suite.

Guess what one of the changes was in the latest major version (7.1)? You guessed it: a wholesale replacement of the existing remote control applet with PCAnywhere.

Once again, Symantec buys a functional company that makes a decent product, and then proceeds to ruin it until no one buys it anymore, then they go acquire what everyone moved to so they can ruin that too.

It's like financial speculators, only worse: They add no value to the commodity; in fact, they subtract value from it.

Good Job Symantec

[rudy_wayne]

According to this article, the source code for PCANywhere was stolen from Symantec's network in 2006. That's right . . . . 2006. Good work Symantec. It only took you 6 years.

Re:Good Job Symantec

[elrous0]

It only took you 6 years.

They would have gotten an email out sooner, but Norton was REALLY slowing their computers down.

Re:Good Job Symantec

[L4t3r4lu5]

The disclosure of the breach was drafted in 2006, but the tech at the time decided to start a virus scan before sending it.

The mail server only just started responding again.

Re:Good Job Symantec

[GrBear]

Parent modded "Funny", but exasperates why Slashdot needs a "Sad But True" mod tag.

Re:Good Job Symantec

[s.o.terica]

Odd situation, because I think you meant to say exacerbates, yet I don't think that exacerbates is what you meant.

Finish that sentence!

... and have access to the encryption details ...

Um.. yes. Combine those two things, and you might as well consider Ethernet cables to be inherently insecure.

I don't understand the concern here at all.

Re:Finish that sentence!

[alittle158]

...you might as well consider Ethernet cables to be inherently insecure...

Shh...don't let the people at monster cable know that. They might find a new source of revenue in "encrypted ethernet cables"

Re:Finish that sentence!

Shh...don't let the people at monster cable know that. They might find a new source of revenue in "encrypted ethernet cables"

To get around the fraud lawsuits, I think they'd sell them as "shielded cables", with lots of visuals and a vague explanation of what they're shielding you from.

There was never a need anyway if you used unix

[Viol8]

This isn't another juvenile does-it-run-on-linux rant, but I think its reasonable to point out that remote full screen GUI access via X windows has been around since the mid 80s. A LONG time before any remote GUI windows app or even Windows itself existed.

Re:There was never a need anyway if you used unix

Windows 1.0 released November of 1985. X was developed in 1984.

Re:There was never a need anyway if you used unix

[Sockatume]

It's not exactly relevant to the subject at hand, is it? His point is that it was really, really handy to be able to do that with Windows. Nobody even brought up Unix, or who did it first.

Re:There was never a need anyway if you used unix

But if someone did bring it up, UNIX did it first.

Re:There was never a need anyway if you used unix

[mrclisdue]

I don't know what you classify as a 'long' time, but I was using a remote solution for Windows as early as 3.1 (1991-92?); called PC Commute, which iirc was made by Winsim, who also had something to do with AccPac. Pretty sure vnc for windows freeware was around then, as well...perhaps a precursor to RealVNC. I think Close-up was bundled with a major software package by about '95.

Anyhow, I *do* subscribe to the *nix fanboy newsletter, (slackware ftw!)...just sayin'

cheers,

Re:There was never a need anyway if you used unix

[Sockatume]

My point is that it pretty much by definition has to be a juvenile does-it-run-on-linux rant, if it's wedged in apropos of nothing to a conversation on a different topic.

Re:There was never a need anyway if you used unix

This isn't another juvenile does-it-run-on-linux rant,

Yes it is. No one gives a shit that Unix did it "first" (by the way your estimates are totally wrong, lmao) and you spend time posting just to tell us that, something no one cares about.

Re:There was never a need anyway if you used unix

[Viol8]

The OP was saying that people no longer have to use PCAW these days because of VNC etc. My point is we never had to use PCAW anyway if we used unix or linux on a PC. If that explanation still isn't simple enough for you let me know and I'll mail you one drawn in crayon.

Re:There was never a need anyway if you used unix

Windows 1.0 released November of 1985. X was developed in 1984.

Exactly, a LONG time. I mean, in that amount of time, fifteen versions of Firefox could've been released!

Re:There was never a need anyway if you used unix

[Viol8]

I'd say 7 years is a long time in the computer world! :o)

Anyway , all these old remote packages - and even some around today - simply streamed whatever the graphics card was displaying (instead of setting up an independent network desktop which X win did from the start) which is franky just retarded and useless for any serious remote usage.

Re:There was never a need anyway if you used unix

[RCL]

I think you haven't actually tried using X windows over internet, let alone on a dialup connection.

Re:There was never a need anyway if you used unix

[Sockatume]

Well, that must've been very nice for you.

Re:There was never a need anyway if you used unix

[pak9rabid]

This isn't another juvenile does-it-run-on-linux rant, but I think its reasonable to point out that remote full screen GUI access via X windows has been around since the mid 80s. A LONG time before any remote GUI windows app or even Windows itself existed.

Yeah, and unless you're connecting over a LAN connection, it's 100% terrible. That's why projects like FreeNX and x2go exist...to clean up the massive bloat and waste the X11 protocol introduces.

Re:There was never a need anyway if you used unix

[Skuld-Chan]

Scraping what someone actually see's on their X-Serv for support reasons is a bit different problem - one that most people solve with VNC oddly enough.

PC-Anywhere had support for modem's too - I remember using it to support backwater glass shops on MS-Dos applications...

Re:There was never a need anyway if you used unix

[Viol8]

LOL , yeah , if you say so. I guess I must have been dreaming when I used it to connet to company networks over ISDN in the early 90s.

Re:There was never a need anyway if you used unix

[ArcherB]

The OP was saying that people no longer have to use PCAW these days because of VNC etc. My point is we never had to use PCAW anyway if we used unix or linux on a PC. If that explanation still isn't simple enough for you let me know and I'll mail you one drawn in crayon.

The problem was that I was working for a digital imaging company that installed photo imaging kiosks in photo labs. Now, this was before digital cameras became popular so the majority of our business was from customers scanning images using flatbed scanner or negative scanner. Our software allowed for customers to manipulate their images in a number of ways and reprint them in minutes using the dye sublimation printer.

Now, I would have loved to used Linux or Unix but we had some issues. First, was finding drivers for the scanners we used. SANE sucked at the time. Next was finding drivers for the dye sub printers. The drivers simply didn't exist. Finally, there would have been issues finding drivers for the touchscreen interface for the CRT monitors we used at the time. Again, none were available.

So, yeah. It would have been nice to use a *n?x solution, but it simply was not an option.

Oh, and this was before most businesses had an Internet connection, so throw in modem drivers as well. Remember in 1999, Winmodems were all the rage and Linux drivers, again, did not exist.

Finally, Kodak, our competition, did use Sun machines that ran a version of Unix, but they had millions to throw at the project and had the machines, drivers and software custom designed by Sun. We had 30 employees and had to use off the shelf components and modify them ourselves if need be.

Re:There was never a need anyway if you used unix

[mcgrew]

I'd say 7 years is a long time in the computer world! :o)

Not really.

Sniffers are so *EASY* to avoid

[mark-t]

Just use a secret encrypted key exchange, like Diffie-Hellman, to set up a secure communication channel on the wire. While Diffie-Hellman may be susceptible to MitM attacks, it is about the closest thing you can get to foolproof protection against any form of eavesdropping on any type of broadcast channel, be that over radio, or on local ethernet line (unless the sniffer is a quantum computer, and would be thus break the encryption). To prevent MitM attacks, you need another type of system built on top of that, of course, but this article clearly states that the system in question is vulnerable to sniffers placed on the customer's physical LAN, and not MitM.

Re:Sniffers are so *EASY* to avoid

[dkf]

Just use a secret encrypted key exchange, like Diffie-Hellman, to set up a secure communication channel on the wire.

Or use SSL, which uses protocols like DH (depending on configured protocol suite) to set up a secure communication channel. And it's a heck of a lot simpler than writing all that stuff yourself; both the protocols used and the implementation even get independently audited from time to time.

No, you don't actually need to use a CA to use SSL. Or rather, you can easily run with an explicit list of trusted certificates or operate a private CA. Those are in fact a highly secure option (if harder work to scale up).

Re:Best: stop using Symantec and MS-Windows produc

[Jeng]

Not immune.

http://en.wikipedia.org/wiki/Linux_malware

Symantec is a little slow on the uptake here

[IGnatius+T+Foobar]

Most of us have been advising people not to use pcAnywhere for more than a decade now. :)

Re:Symantec is a little slow on the uptake here

[ConceptJunkie]

I stopped using it in the late 90s when I discovered VNC was free _and_ worked about 10 times faster.

Re:Symantec is a little slow on the uptake here

I stopped using VNC when I discovered the source code for VNC and was able to quickly make servers and clients that required no passwords/authentication, hiding the systemtray icon, copying itself to other locations on the drive, auto starting itself, copying itself to other computers on the network.

Re:Symantec is a little slow on the uptake here

Oh noes! By rearranging the 1s and 0s in this binary executable, you can create a virus!

Nobody is using your malicious version of VNC. Unless you have an exploit for the version people actually use, you'll get nowhere.

Unless you can create a client that exploits a weakness in the VNC server to open a no-auth session on a server that should be password protected, or unless you found an exploitable flaw in the VNC client that lets you compromise that machine. If machines with the normal VNC server/client can't be compromised in any way due to VNC, then why on earth would you consider that a reason to stop using it?

Re:Symantec is a little slow on the uptake here

[ConceptJunkie]

I couldn't figure out the AC's point either. "I can write a virus so I shouldn't use software?"

Re:Best: stop using Symantec and MS-Windows produc

[jeremyjo]

Are you kidding? If we're supposed to stop using pcAnywhere because the source code is out there, just think how unsecure Linux is! It's source code has been out there way longer.

New name

[Rik+Sweeney]

(Your) pcEverywhere

Re:Obligatory XKCD

[RyuuzakiTetsuya]

Eventually there's going to be a story about IPv4 address space going scarce again. When that happens what copypaste drivel are you going to paste? Or are you willing to risk being on topic for once?

If....

[LordLimecat]

The researchers continued, "If the Active Directory credentials were used as part of an DoD Exchange tie in, the attackers could get access to incriminating government official emails. If they got access to incriminating DoD emails, they could extort nuclear launch codes out of the officials. If they extorted launch codes out of the officials, they could start a nuclear holocaust."

The researchers concluded, "and that is why you never give a mouse a cookie."

Re:If....

[silverglade00]

I will spend the rest of the day imagining the parts in between the cookie and obtaining the Active Directory credentials. My boss will hate you. I will not.

M0R0N5!

[aglider]

So I understand that Symantec is either using very poor cryptography or even exchanging authentication credentials in plain text!
Have they had any chance to read a few basic documents about, say, ssh?
M0R0N5!

Re:M0R0N5!

[aglider]

... and please, yes, troll me down!

Re:M0R0N5!

[MachineShedFred]

Or, maybe a Diffie-Hellman Exchange? I mean, that's only been around since 1976...

http://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange

Re:Come on - you are of coarse correct

[fish_in_the_c]

you are of coarse correct , unfortunately 90% or so of offices in the U.S are 'doing it wrong'

Not a bug...

but rather a 'feature'. Software package to be renamed to pcAnyone.

Re:Best: stop using Symantec and MS-Windows produc

Availability of source code isn't a problem if you don't depend on "security by [source] obscurity." The problem is that Semantec not only relies on source obscurity but didn't do anything (for years) when the weak security was defeated by exposing the source.

The goal of security is not to hide the security method but to make it clear that not having something (e.g. a key or lock combo) will make it very difficult to penetrate. Essentially you want put it all on the user. You make it so hard to break the security that it makes compromising the user easier. You steal his keys even though you know how the key was cut with a laser and how its RFID tag works. You steal his private encryption keys even though you have the encryption algorithm. If a vault is good enough, you'll have to attack the owner until he gives up the vault's combination.

If you want to obscure your design details to add one more hurdle, go for it. Just don't depend on it keeping you safe. Layer's folks. Security by obscurity is a single layer. You shouldn't let it be a single point of failure.

Class Action Suit

Class-action suit in 3 .. 2 .. 1 :-)
No really a company that pretends to sell security is compromised in 2K6, refuses to inform anyone about it. So technically, if someone is able to provide some sort of proof that systems are compromised because the source code is out in the wide open as of 2K6 and $$$ got lost, then it's up to Symantec to pay for it.
This is the stuff that I really intensively hate about the ICT sector, them 'take the money and run' companies that don't give a damn about anything, as long as the sales figures are going up.

Hah.

[wiedzmin]

if the attackers place a network sniffer on a customer's internal network

...that customer has much bigger problems to worry about than Symantec applications.

Re:Typical for the Windows world

[dave420]

Microsoft's terminal services are pretty decent. It seems you've not used them.

Meanwhile

[Local+ID10T]

"Symantec Tells Customers To Stop Using pcAnywhere" ...IT staff have been begging users to stop using pcAnywhere for years.

Re:Typical for the Windows world

[Local+ID10T]

There is no reason for remote access to a desktop PC in a business environment.

I can understand remote access to data and remote application sessions (citrix/terminal services/remote desktop server/etc), but what is the business case justification for remotely logging in to the PC on your desktop at work?

Re:Typical for the Windows world

Work from home ?

Unfortunately...

[nurb432]

Symantec has bought out several good companies where there is no good replacement yet ( free or commercial ).

Im taking things such as Ghost ( corporate, not the mess they made of the home version ), much of the Altiris management suite and workflow, some backup tools... And I'm sure there are others too.

But i agree, that most of what they have bought they have eventually destroyed, and what isn't toast yet will be in time.

Re:Best: stop using Symantec and MS-Windows produc

No, you are correct. Viruses and Malware exists for Linux.

Now compare it to the windows list http://en.wikipedia.org/wiki/List_of_computer_viruses. It's split into 5 separate wiki pages, all of which are at LEAST 5 times longer the entire Linux list.

When dealing with STDs, which are you more likely to catch one from, the cheap whore house with asian girls in slavery, or the Playboy mansion.

Re:Best: stop using Symantec and MS-Windows produc

[mcgrew]

Did you even read what you linked to? The link doesn't even come close to backing up your point. In fact, its lack of naming a single piece of malware in the wild actually moots your point (yes, I verbified a noun).

The worst it has to say is that the kernel didn't prevent buffer overflows until 2009. You only need AV on Windows. Yes, you can be socially engineered on any OS, trojans will run on any OS, and no AV will protect you from deliberately installing anything you want. And yes, given a dedicated enough cracker any sytem can be compromised in time.

But as long as you're not a complete idiot, the only platform that's at risk is Windows.

Re:Best: stop using Symantec and MS-Windows produc

[Jeng]

Did you even read what you linked to? The link doesn't even come close to backing up your point

I did, it does. First sentence even.

But as long as you're not a complete idiot,

My point was simply that it is not immune, nothing more.

Re:Best: stop using Symantec and MS-Windows produc

[Jeng]

When dealing with STDs, which are you more likely to catch one from, the cheap whore house with asian girls in slavery, or the Playboy mansion.

Herpes is pervasive in the adult entertainment industry so you are likely to get one from either choice, but yes you are more likely to get a deadly STD from the the whore house than from the bunnies.

Didn't know people still used PCAnywhere

[yoyhed]

LogMeIn, RDP, VNC.. all better alternatives to paying for that shit.

h8 Windows

[bonezed]

hahaha, this is funny. My company just rolled out pcAnywhere across all desktops (internally!)

Re:h8 Windows

[acoustix]

That must have cost a pretty penny compared to UltraVNC that will do the same thing for free.

Re:Typical for the Windows world

Appearently you have never worked in I.T doing things like uh, I don't know SUPPORT.

No you can't give the user the admin password to rejoin the domain or download the latest softare from the shares over the phone

Re:There is no reason for remote access to a deskt

1. So you can work from home. I don't keep 100% of my files on network shares, and don't even have the exact same programs loaded on my home pc, so I need to remote into my work pc sometimes.
2. So HelpDesk staff can remote into your pc for troubleshooting and support.