Someone stole Symantec’s source code five years ago. Since that time, the only people who knew about the exploits were Symantec and the bad guys. So when Christine Ewing, the product manager, says “malicious users with access to the source code have an increased ability to identify vulnerabilities and build new exploits,” she’s only half-right.
The other half of the truth is, “You can’t rely on Symantec to properly respond to a security breach, and since you’re utterly reliant on Symantec to fix any exploits, and we didn’t do that, you’ve been vulnerable for five years.”[1]
Having your source code in the wild isn’t inherently dangerous. It becomes dangerous if a) only the bad guys have it, and b) you’re not adequately responding to threats. Symantec, for whatever reason, allowed both of these things to become true, and so put their customers in peril. If this software’s code were open, the good guys would have just as much of a chance as the bad guys, even if Symantec wasn’t being responsive.
It’s been said before, but obviously bears repeating: if you’re relying on proprietary software for security, you’re taking unnecessary risks.
[1] Some would argue that running the same copy of PCAnywhere for five years is the real problem, but that’s orthogonal to my point.