Symantec has backtracked on its previous assurances about a recent source code theft, admitting its network was breached and code for a larger number of products than previously thought was swiped. Two weeks ago the security giant confessed that a blackhat crew had made off with source code for older versions of some of its …
"Upgrade to the latest version that is much safer....for a price!"
Symantec have been going down the pan for years and it's the first thing that gets removed when I buy any new PCs.
Installing Symantec on a Windows machine is a bit like buying a Porsche (hardware), then pouring a foot's worth of concrete in it (Windows) and then firmly pulling up the handbrake (Symantec) before trying to drive.
How about buying a new expensive PC is like getting an expensive sports car, firmly applying the handbrake (Windows) and then removing all four wheels (Symantec/McAfee/Norton) to prevent the car being stolen.
Sure, you can still sit in the car (safe from viruses), but you don't get very far.
Thieves are aware that your car has no wheels and bring a truck with a crane to allow them to steal the car anyway (malware/viruses that manage to bypass the AV software).
If you attempt to reinstall the wheels (i.e. remove the AV software), the car falls to bits leaving you holding a very expensive steering wheel.
I can see it now, try the latest version of our Internet Security software, now disables the ability to turn your computer on, for the ultimate in virus protection.
"How could Symantec have gotten hacked? Don't they use AV?"
No, they do use AV... Symantec AV... that's probably why they got hacked in the first place! LOL
Perhaps they should 'upgrade' to McAfee?
Maybe they should switch to Avast? It's free. ;-)
That's easy to fix, just unplug your modem or ISDN card.
"Even so the whole Symantec hack soap opera/pantomime ('You've been hacked!', 'Oh no we haven't'... 'Oh maybe we have') raises serious questions about the security of Symantec's ecosystem..."
I can understand how that line came about to be honest - someone claims they've hacked Symantec and stolen their src code, they do an audit, find no evidence at all that their network has been compromised (as it wasn't) and say "lol, nice troll - no you haven't".
So, on the bright side, their network security doesn't appear to be an issue. On the not so bright side, the src code is still out there.
"... as well as turning the security giant into the punchline for jokes"
No argument there tho :)
The bigger story is surely that India (and I would bet my house on other gov's too) require src access to security related software sold in their country. Is it the same in the UK, US etc?
Bang on here!
"The bigger story is surely that India (and I would bet my house on other gov's too) require src access to security related software sold in their country. Is it the same in the UK, US etc?"
And to answer. Well if India can, what are the odds that the UK, US and others do as well.
Round'ere trouble start when po-lice shows up!
Cloaked in some obscure law complex about public waterworks - or something of equal excitement - there will almost certainly be a paragraph that requires The Authorities to be given full access via these tools on demand! We 'r Fucked!!
Now it's open source, we might get a version of Symantec Endpoint Protection that actually bloody works.
Wouldn't be much better
to open the source code from the beginning? That will surely prevent the embarrassment in these particular scenarios.
release it open source for the white hats now
If the black hat / hackers have it, then you can bet they'll be working to exploit it. Why not release the code to everyone, so that the community could give Symantec a fighting chance at fixing it? I'm no fan of their software, being bloated and all, but they're going to be eaten alive by the hacker world. They'll be completely outnumbered, if not outgunned too.
One other possible outcome is Symantec releases their code, and real coders take one look at it and laugh. "You did what here????"
"Pouring through thousands of lines of code looking for holes sounds like quite a chore, unless you are very well paid. Looking for holes in pcAnywhere is also potentially labour-intensive."
Hakkurs who have 0day skills also have REGEX skills.
If a program depends on its source code being private to be secure, then it really isn't very secure at all...
I have the source code for Linux, OpenBSD, FreeBSD etc. and it doesn't help me compromise all the various devices (including security oriented devices like firewalls).
If having the code disclosed results in serious security risks, then the code must have some pretty glaring security holes that will quickly be identified in the source but are much harder to detect in a binary... And if that's the case, it is absolutely unforgivable for Symantec to have known about such holes and not fixed them.
Source code should always be open; not only would it prevent software from having obvious bugs that are easily found in the source, but it would make stealing source code an utterly pointless activity since you could just download it from the internet anyway.
>>"If a program depends on its source code being private to be secure, then it really isn't very secure at all..."
I take your point, though I guess at least if it came to active *security* software, it might be doing things to try and detect the compromising of a machine that are more effective if the people trying to write software to hide from detection don't have the latest techniques handed to them on a plate.
Even if someone could try and work out what the software was doing by other means, that takes time, time in which the security software writers could potentially use to come up with new tricks while the old ones were still largely working.
Also, there is a fair bit of asymmetry - the security software writers really have to try and defend against pretty much everything of significance to succeed.
The malware writers might only need to be able to compromise a small fraction of machines to be successful, and so any individual one might have less incentive to spend more than a limited amount of effort defeating security software as long as they expect that someone will find a way round a given technique if it becomes too ubiquitous.
It's a bit different from having OS software written to be secure in the first place, since if that's done well, it might stay secure for a long time even if everyone does have the source code.
Many eyes make bugs shallow myth
There is another saying "too many cooks spoil the broth".
As for all source code being open and freely downloadable, how is anyone supposed to make a profit? Sure you can sell support, but there is nothing stopping someone like Microsoft from undercutting you (which is what Oracle do to Red Hat with Unbreakable Linux).
"Even if someone could try and work out what the software was doing by other means ..."
If one uses a decent logic analyser with the appropriate software for the system CPU, one can work out *exactly* what the software does, one can look for specific events or sequences of code that one suspects are useful, even change the code "on-the-fly", conditionally, etc., pretty much whatever the hardware can do.
It does not take very long to figure out where "the private bits" are kept. The "slowdown" is that good hackers and good hardware guys usually come in separate bodies. But - with a team - anything will be cracked.
>>"If one uses a decent logic analyser with the appropriate software for the system CPU, one can work out *exactly* what the software does, one can look for specific events or sequences of code that one suspects are useful, even change the code "on-the-fly", conditionally, etc., pretty much whatever the hardware can do."
Certainly, but the more complex something is, the more of a pain it might be to reverse-engineer it to a point where the *meaning* of what it's doing is understandable.
If what is being done is a subtle and convoluted attempt at detecting the presence of something, it might not be immediately obvious from the running program what has to be done to get detection to fail.
In places where efficiency is not crucial, it's possible to add all kinds of spurious code to do unnecessary things (maybe things which cancel out in the long run in all kinds of intricate ways, things which affect 'relevant' variables in ways which are effectively ignored), mixed up with the relevant operations to make working out what is really happening rather harder, and though doing that is possible whether source code is available or not, it seems likely to take longer to unravel if the source code is not available (and when it comes to people claiming that openness is no great downside to security, (which is the point I was replying to), obfuscating the source wouldn't really be being *that* open).
Now, if I want my personal info safe for N years, I might want inherently secure crypto with no reliance on obscurity.
But if I was writing invasion-detection software in an ongoing 'arms race', it might make a huge difference to me if something I write takes my opponent twice as long to understand as it would take if I gave them the source.
Obscurity isn't security, but it can potentially be a useful delaying tactic in some situations.
I've run their Internet Suite for years. Yes it slows stuff down, but I've not been virused and I was protected from the nitwit infections of family members who didn't get why they should clean up their machines and who e-mailed me e-syphilis over and over again as a result.
They are gone as of this year. I have always found their policy of auto-renewing against my credit card a month and more before the due date annoying, but yesterday Windows told me that Symantec "couldn't be sure my AV was up to date".
See, I changed my credit card and the auto-renew fell over, cuing umpteen begging letters.
But surely an AV subscription is either up to date or out of date? There is no third state here, and the NIS control applet was proudly displaying "23 days left" in the subscription alert so that binary status was indeed known to NIS. So where was the uncertainty?
I'm switching to Windows Firewall and Malwarebytes on that machine. It no longer has to defend me against my kid's and my wife's daft downloading.
I want to see what happens when the sub goes out. Does the software refuse to start?
And on top of that I was totally unimpressed by Norton Ghost, which set up unwanted scheduling, nagware and I dunno what else, failed to properly recreate the system disc after a crash (the sole reason it was deployed in the first place) and wouldn't work at all until all the Norton stuff had been deleted and re-installed in a given order.
Then there was the tech (yes, I found out how to talk to a Norton tech, but it turns out it isn't worth the hours it takes) who tried to fix it by remote desktop, and proved to my complete satisfaction that Symantec techs are no better at that than I am, and obliged me to change all my passwords afterwards - who the hell knows who these guys are anyway?
No, they've worn out their welcome and this news story only makes me more determined to be done with them.
Was the tech guy an Indian called Yama Tough by any chance?
You were protected from the nitwit infections NIS *told* you about, yet I've cleaned up dozens of PCs that had variously NIS, N360, McAfee and were reporting all systems normal and secure.
Wouldn't surprise me in the slightest if running your PC against a couple of online and offline scanners reveals that it's harbouring some nasties.
Re what happens when your sub sinks...
'...I want to see what happens when the sub goes out. Does the software refuse to start?...'
Well, if the last laptop with an expired copy of Norton whatever I looked at was anything to go by, no, it starts, but refuses to do anything...y'know, like find viruses and shit..
'Well, if the last laptop with an expired copy of Norton whatever I looked at was anything to go by, no, it starts, but refuses to do anything...y'know, like find viruses and shit..'
So, pretty much the same as the paid for version then...
Free (as in beer) AV
I've found MSE to be a very good free solution to AV, and recommend it to friends and family.
Yes, a grudging yes, it's pretty good and for a free product it's very good. I looked hard for the 'catch' or problems but there really don't seem to be any that stop it being well worth the effort of downloading and installing.
It's also free for small businesses (up to ten users I think, check first though).
If they have been relying upon secrecy of the source code for protection then that's just security-by-obscurity.
That has never been good security policy, and they deserve all the beating they get.
It's not likely many people are using 2006-2007 anti-virus software these days. If you knew how to hack these systems then you need to find them.
This would best be described as a waste of effort by the hackers. So sad.
I would not give room in my trashcan for anything made by them.
I've noticed that here in Toronto a lot of those big TV type billboards use pcAnywhere. Might be a chance for some amusing programming changes.
A draining endeavour
"Pouring through thousands of lines of code looking for holes sounds like quite a chore, unless you are very well paid."
What are you proposing to pour? A cheeky white, a robust red, or perhaps a dry sherry? Any of them should drain through the holes in the code rather nicely, and easily.
Now, poring through that code is a different matter...
Pooring thru the code
Maybe the hacker has no money and that's why he's "pooring" thru millions of lines of code looking for meat loaf?