UPDATED: Symantec's spin department at work?
UPDATED WITH COMMENT FROM SYMANTEC BELOW
So it's happened -- a significant chunk of Symantec's source code has been made available online as a torrent.
This followed the release of a pretty loltastic Pastebin dump which purports to show e-mail negotiations between a Symantec staffer and the hackers who obtained the source.
In the alleged correspondence the Symantec rep offers said hackers $50,000, paid in $2,500 monthly instalments, in exchange for guarantees that they won't publish the source and that they will issue a statement saying the breach never happened.
Symantec claims the whole thing was a setup designed to draw the attackers out. That claim is entirely credible.
The publication of the correspondence is nonetheless embarrassing for Symantec, which has actually handled this whole situation pretty well.
When it realised its source code for PC Anywhere had been walked in 2006 it initiated an urgent audit of the relevant code and found some major problems. It recommended users stop using PC Anywhere until it issued a series of patches correcting the bugs. Those patches are out.
Of course the question remains as to why they took until now to review the security of the PC Anywhere source. The bugs they found were really, really serious. And obvious. And had been there for five years at the very least.
But what really puzzles me is the company's attitude towards the publication of its corporate antivirus software. PC Magazine published an article that quoted a Symantec representative as saying:
- To be correct, the code is for Norton Antivirus Corporate Edition, i.e., what used to be used by enterprises. As it is, customers face no security threats if the code is posted. It's a product that is no longer available, supported, or sold.
The code is so old that even if there were attempts to generate a cyber attack, it would take on the characteristics of a 2006 attack. The age of the code inherently limits what can be done with it. It is, essentially, worthless code. At this point, Anonymous would be releasing it for PR purposes and that's it.
That's a bold statement but it could well be true. But what exactly is Symantec saying here? Is it saying that absolutely no source code from its old Corporate Edition has found its way into current enterprise software?
Also, what characteristics, exactly, do "2006 attacks" possess? How does the "age of the code" limit what can be done with it?
That whole statement is just weird and until we get more information out of the big yellow S it just raises more questions than it answers.
I'll be firing off some questions to Symantec PR on this and we'll see what they say.
UPDATE: The PR gnomes at Symantec have issued this response:
- "Based on our analysis, the Norton Antivirus Corporate Edition code in question represents a small percentage of the pre-release source for the Symantec AntiVirus 10.2 product, accounting for less than 5% of the product.
As such, that is not enough of a percentage to mount or develop a successful cyber attack against current Symantec and Norton solutions.
If customers are using current version of their Symantec or Norton products, they will be protected against attacks that might result of the theft and possible disclosure of the code."
I've pushed back again to ask a few followups... like, WHICH 5% is still in the product? Was the other 95% of code rewritten from scratch? Or was some of it just "updated" from the original source? Did they have the AV products audited in the same way PC Anywhere got the once over? etc etc.
Will hopefully have an update soon.
Find Patrick Gray on Twitter.