UPDATED: Symantec's spin department at work?

Source disclosure has Symantec in damage control mode...


So it's happened -- a significant chunk of Symantec's source code has been made available online as a torrent.

This followed the release of a pretty loltastic Pastebin dump which purports to show e-mail negotiations between a Symantec staffer and the hackers who obtained the source.

In the alleged correspondence the Symantec rep offers said hackers $50,000, paid in $2,500 monthly instalments, in exchange for guarantees they won't publish the source and issue a statement saying the breach never happened.

Symantec claims the whole thing was a setup designed to draw the attackers out. That claim is entirely credible.

The publication of the correspondence is nonetheless embarrassing for Symantec, which has actually handled this whole situation pretty well.

When it realised its source code for PC Anywhere had been walked in 2006 it initiated an urgent audit of the relevant code and found some major problems. It recommended users stop using PC Anywhere until it issued a series of patches correcting the bugs. Those patches are out.

Of course the question remains as to why they took until now to review the security of the PC Anywhere source. The bugs they found were really, really serious. And obvious. And had been there for five years at the very least.

But what really puzzles me is the company's attitude towards the publication of its corporate antivirus software. PC Magazine published an article that quoted a Symantec representative as saying:

    To be correct, the code is for Norton Antivirus Corporate Edition, i.e., what used to be used by enterprises. As it is, customers face no security threats if the code is posted. It's a product that is no longer available, supported, or sold.

    The code is so old that even if there were attempts to generate a cyber attack, it would take on the characteristics of a 2006 attack. The age of the code inherently limits what can be done with it. It is, essentially, worthless code. At this point, Anonymous would be releasing it for PR purposes and that's it.

That's a bold statement, but it could well be true. What exactly is Symantec saying here, though? Is it saying that absolutely no source code from its old Corporate Edition has found its way into current enterprise software?

Also, what characteristics, exactly, do "2006 attacks" possess? How does the "age of the code" limit what can be done with it?

That whole statement is just weird, and until we get more information out of the big yellow S it raises more questions than it answers.

I'll be firing off some questions to Symantec PR on this and we'll see what they say.

UPDATE: The PR gnomes at Symantec have issued this response:

    "Based on our analysis, the Norton Antivirus Corporate Edition code in question represents a small percentage of the pre-release source for the Symantec AntiVirus 10.2 product, accounting for less than 5% of the product.

    As such, that is not enough of a percentage to mount or develop a successful cyber attack against current Symantec and Norton solutions.

    If customers are using current versions of their Symantec or Norton products, they will be protected against attacks that might result from the theft and possible disclosure of the code."

I've pushed back again to ask a few follow-ups... like, WHICH 5% is still in the product? Was the other 95% of the code rewritten from scratch? Or was some of it just "updated" from the original source? Did they have the AV products audited in the same way PC Anywhere got the once-over? etc.

Will hopefully have an update soon.

Find Patrick Gray on Twitter.