From the ‘Security by Obscurity’ files:
Over the last several weeks, the saga of Symantec’s pcAnywhere source code ‘leak’ has been all over the tech media. Apparently the source code was stolen (or otherwise inappropriately appropriated) and has now illegally been made public on bittorrent.
The ‘funny’ part of this whole saga for me, is that none of this happens to open source vendors. I use open source software every day and in a very real sense it secures (nearly) everything I do. I also know full well that open source technology (security and otherwise) helps to secure strategic assets for the U.S. Government and others around the world.
Being open – shouldn’t necessarily be equal to be more at risk — yet that’s what has happened with the pcAnywhere leak. All Linux distros use OpenSSL and OpenSSH which are free and open – to help secure traffic (and hey I’m pretty sure you can run a remote desktop pcAnywhere type deployment over SSH too). While both OpenSSL and OpenSSH have been dinged by their fair share of security vulnerabilities over the years, being open hasn’t made those technologies less secure, it has made them more secure.
It’s the ‘many eyes’ theory of open source. That being, if there are many eyes looking at code, there is greater chance of flaw discovery. Security by obscurity does work…sometimes, but when you can be secure being totally open, that’s real security because you’ve got nothing to hide.
If I was Symantec – I’d turn this exercise into a positive experience and open source the code with some kind copyleft license, preferably the GPL. The packaged version can and could still exist as a fully supported version, so there wouldn’t necessarily be a revenue loss either. That’s not likely to happen though given the circumstances under which the code was leaked and the fact that Symantec isn’t exactly an open source vendor either.