
HurrDurrHurr
"Upgrade to the latest version that is much safer....for a price!"
Symantec have been going down the pan for years and it's the first thing that gets removed when I buy any new PCs.
Symantec has backtracked on its previous assurances about a recent source code theft, admitting its network was breached and code for a larger number of products than previously thought was swiped. Two weeks ago the security giant confessed that a blackhat crew had made off with source code for older versions of some of its …
How about buying a new expensive PC is like getting an expensive sports car, firmly applying the handbrake (Windows) and then removing all four wheels (Symantec/McAfee/Norton) to prevent the car being stolen.
Sure, you can still sit in the car (safe from viruses), but you don't get very far.
Thieves are aware that your car has no wheels and bring a truck with a crane to allow them to steal the car anyway (malware/viruses that manage to bypass the AV software).
If you attempt to reinstall the wheels (i.e. remove the AV software), the car falls to bits leaving you holding a very expensive steering wheel.
"Even so the whole Symantec hack soap opera/pantomime ('You've been hacked!', 'Oh no we haven't'... 'Oh maybe we have') raises serious questions about the security of Symantec's ecosystem..."
I can understand how that line came about to be honest - someone claims they've hacked Symantec and stolen their src code, they do an audit, find no evidence at all that their network has been compromised (as it wasn't) and say "lol, nice troll - no you haven't".
So, on the bright side, their network security doesn't appear to be an issue. On the not so bright side, the src code is still out there.
"... as well as turning the security giant into the punchline for jokes"
No argument there tho :)
The bigger story is surely that India (and I would bet my house on other governments too) require source access to security related software sold in their country. Is it the same in the UK, US etc?
If the black hat / hackers have it, then you can bet they'll be working to exploit it. Why not release the code to everyone, so that the community could give Symantec a fighting chance at fixing it? I'm no fan of their software, being bloated and all, but they're going to be eaten alive by the hacker world. They'll be completely outnumbered, if not outgunned too.
One other possible outcome is Symantec releases their code, and real coders take one look at it and laugh. "You did what here????"
If a program depends on its source code being private to be secure, then it really isn't very secure at all...
I have the source code for Linux, OpenBSD, FreeBSD etc. and it doesn't help me compromise all the various devices (including security oriented devices like firewalls).
If having the code disclosed results in serious security risks, then the code must have some pretty glaring security holes that will quickly be identified in the source but are much harder to detect in a binary... And if that's the case, it is absolutely unforgivable for Symantec to have known about such holes and not fixed them.
Source code should always be open; not only would it prevent software from having obvious bugs that are easily found in the source, but it would make stealing source code an utterly pointless activity since you could just download it from the internet anyway.
>>"If a program depends on its source code being private to be secure, then it really isn't very secure at all..."
I take your point, though I guess at least if it came to active *security* software, it might be doing things to try and detect the compromising of a machine that are more effective if the people trying to write software to hide from detection don't have the latest techniques handed to them on a plate.
Even if someone could try and work out what the software was doing by other means, that takes time, time in which the security software writers could potentially use to come up with new tricks while the old ones were still largely working.
Also, there is a fair bit of asymmetry - the security software writers really have to try and defend against pretty much everything of significance to succeed.
The malware writers might only need to be able to compromise a small fraction of machines to be successful, and so any individual one might have less incentive to spend more than a limited amount of effort defeating security software as long as they expect that someone will find a way round a given technique if it becomes too ubiquitous.
It's a bit different from having OS software written to be secure in the first place, since if that's done well, it might stay secure for a long time even if everyone does have the source code.
"Even if someone could try and work out what the software was doing by other means ..."
If one uses a decent logic analyser with the appropriate software for the system CPU, one can work out *exactly* what the software does; one can look for specific events or sequences of code that one suspects are useful, even change the code "on-the-fly", conditionally, etc. Pretty much whatever the hardware can do.
It does not take very long to figure out where "the private bits" are kept. The "slowdown" is that good hackers and good hardware guys usually come in separate bodies. But - with a team - anything will be cracked.
>>"If one uses a decent logic analyser with the appropriate software for the system CPU, one can work out *exactly* what the software does; one can look for specific events or sequences of code that one suspects are useful, even change the code 'on-the-fly', conditionally, etc. Pretty much whatever the hardware can do."
Certainly, but the more complex something is, the more of a pain it might be to reverse-engineer it to a point where the *meaning* of what it's doing is understandable.
If what is being done is a subtle and convoluted attempt at detecting the presence of something, it might not be immediately obvious from the running program what has to be done to get detection to fail.
In places where efficiency is not crucial, it's possible to add all kinds of spurious code to do unnecessary things (maybe things which cancel out in the long run in all kinds of intricate ways, things which affect 'relevant' variables in ways which are effectively ignored), mixed up with the relevant operations to make working out what is really happening rather harder, and though doing that is possible whether source code is available or not, it seems likely to take longer to unravel if the source code is not available (and when it comes to people claiming that openness is no great downside to security, (which is the point I was replying to), obfuscating the source wouldn't really be being *that* open).
Now, if I want my personal info safe for N years, I might want inherently secure crypto with no reliance on obscurity.
But if I was writing invasion-detection software in an ongoing 'arms race', it might make a huge difference to me if something I write takes my opponent twice as long to understand as it would take if I gave them the source.
Obscurity isn't security, but it can potentially be a useful delaying tactic in some situations.
Firstly, do you guys ever actually write any code? I am pretty proficient at Java, C#, VB (don't laugh), PHP and JavaScript. While I admit they aren't the most hardcore languages, even crappy indenting can make it difficult to read these languages; compound the problem with the number of lines of code, misleading comments and documentation (which exist in every project) and this "many lines of code makes bugs shallow" myth seems absolutely ridiculous.
There is another saying "too many cooks spoil the broth".
As for all source code being open and freely downloadable, how is anyone supposed to make a profit? Sure you can sell support, but there is nothing stopping someone like Microsoft from undercutting you (which is what Oracle do to Red Hat with Unbreakable Linux).
I've run their Internet Suite for years. Yes it slows stuff down, but I've not been virused and I was protected from the nitwit infections of family members who didn't get why they should clean up their machines and who e-mailed me e-syphilis over and over again as a result.
But.
They are gone as of this year. I have always found their policy of auto-renewing against my credit card a month and more before the due date annoying, but yesterday Windows told me that Symantec "couldn't be sure my AV was up to date".
See, I changed my credit card and the auto-renew fell over, cuing umpteen begging letters.
But surely an AV subscription is either up to date or out of date? There is no third state here, and the NIS control applet was proudly displaying "23 days left" in the subscription alert so that binary status was indeed known to NIS. So where was the uncertainty?
I'm switching to Windows Firewall and Malwarebytes on that machine. It no longer has to defend me against my kid's and my wife's daft downloading.
I want to see what happens when the sub goes out. Does the software refuse to start?
And on top of that I was totally unimpressed by Norton Ghost, which set up unwanted scheduling, nagware and I dunno what else, failed to properly recreate the system disc after a crash (the sole reason it was deployed in the first place) and wouldn't work at all until all the Norton stuff had been deleted and re-installed in a given order.
Then there was the tech (yes, I found out how to talk to a Norton tech, but it turns out it isn't worth the hours it takes) who tried to fix it by remote desktop, and proved to my complete satisfaction that Symantec techs are no better at that than I am, and obliged me to change all my passwords afterwards - who the hell knows who these guys are anyway?
No, they've worn out their welcome and this news story only makes me more determined to be done with them.
You were protected from the nitwit infections NIS *told* you about, yet I've cleaned up dozens of PCs that had variously NIS, N360, McAfee and were reporting all systems normal and secure.
Wouldn't surprise me in the slightest if running your PC against a couple of online and offline scanners reveals that it's harbouring some nasties.
'...I want to see what happens when the sub goes out. Does the software refuse to start?...'
Well, if the last laptop with an expired copy of Norton whatever I looked at was anything to go by, no, it starts, but refuses to do anything... y'know, like find viruses and shit...
Yes, a grudging yes, it's pretty good and for a free product it's very good. I looked hard for the 'catch' or problems but there really don't seem to be any that stop it being well worth the effort of downloading and installing.
It's also free for small businesses (up to ten users I think, check first though).
"Pouring through thousands of lines of code looking for holes sounds like quite a chore, unless you are very well paid."
What are you proposing to pour? A cheeky white, a robust red, or perhaps a dry sherry? Any of them should drain through the holes in the code rather nicely, and easily.
Now, poring through that code is a different matter...