Symantec source code breach saga continues


Two weeks ago, we wrote about the wrangle between Indian cybercrew The Lords of Dhamaraja and Symantec, in which the theft of some of Symantec's source code was revealed.

At the time, Infosec Island, which describes itself as an "online community, infosec portal and a social network all-in-one," quoted a Symantec spokesman as saying:

Symantec can confirm that a segment of its source code has been accessed. Symantec's own network was not breached, but rather that of a third party entity.

The newswires are again abuzz with updates to this story, with Infosec Island now saying that Reuters is saying that:

Symantec is now asserting that the company was hacked in 2006 and source code for several of their leading commercial and enterprise products was stolen.

(I guess that makes this an article in which Naked Security is saying that Infosec Island is saying that Reuters is saying that Symantec is asserting that this was, after all, a break-in on its own network.)

So, with all this 'he-said-she-said' going on, why am I writing this?

The reason is that I've already had a couple of enquiries wondering what I think of all of this.

Am I secretly gloating that a competitor got breached? Am I ready to start pointing fingers? Whose side am I on?

And here are the answers: No, Yes, the Good Guys.

No, I am not gloating that a competitor got breached. I'm sure Symantec is kicking itself that this happened. The company doesn't need me to put the boot in too.

Yes, I am pointing fingers - at the crooks. Not at "the hackers"; at the crooks. That's what they are. This is a cybercrime. Symantec is the victim.

And I'm on Symantec's side in that I hope the company can work out what happened, collect some usable evidence, and help law enforcement to identify, locate, charge, prosecute and convict those responsible.

I accept that's unlikely. But it's not impossible. So let's live in hope.

By the way, if ever you're tempted to look at stolen source code, my recommendation is: don't do it. Here are my reasons:

* If you're interested in learning from source code, there's plenty of good open source software which you can study freely and lawfully.

* Great lumps of five-year-old commercial source code aren't, for the most part, terribly interesting. Granted, you'll probably find a couple of comic comments, and perhaps even an AWOOGAH! or two. That's about as riveting as it gets.

* It's unlawfully acquired. You wouldn't knowingly buy a stolen car. So don't grab stolen code.

As one reader, Collective Grooves, commented on our earlier article:

It appears that Symantec is being used as a pawn in the hackers' chess game to make their point, which is very unfortunate.

Nicely said.



6 Responses to Symantec source code breach saga continues

  1. NerdyJo3 · 1320 days ago

    Now the real question on everyone's mind is how many "AWOOGAH!" comments are there in the source code for Sophos endpoint?

  2. Sharpear · 1320 days ago

    I have never really liked Symantec. It might just be related to the AV home edition being so horrible; no wait it misses viruses even in business environments. Some of their other products are ok, but what do you expect when they are a jack of all trades and a master of none.

    Again another company trying to hide their flaws because it would have been a great impact to the company at the time, and I guess it still is. My issue is when you lie about something it makes you and your company look bad, because you try to hide the facts that will eventually come out, and it only discredits you. I don't doubt that the report on Symantec's breach is true. Do you trust them securing your network, when they can't secure their own?

    • anon · 1320 days ago

      Another thing you need to ask is this: If they were breached in 2006, and we are just hearing about it *now*. Then what else has happened that they are not being completely forthcoming with? This is not to say anything *has* happened. It's just the silence about this supposed "incident" is deafening.

  3. bobbob · 1320 days ago

    Western firms were pegged by the hackers as being used for spying. This is all well and fine to most people until they are told they were spying on US citizens and others involved in foreign matters. While you cannot directly blame a firm for its tools being misused most of the time there is more and more evidence of corps like Apple and Symantec lining up to do dirty deeds against anyone for a price as long as they get assurances it complies with any law, just or not. The high levels of corruption in various govts and cooperation with for-profit entities to spy and work against citizens of various nations ensures that even if it complies with every law possible to the letter, the deals still feel immoral and wrong.

    I would not even be lightly supporting these entities as they will be enveloped by holy fire until their organizations are purged of all treasonous employees or destroyed totally. Abandon ship or be burned by the disinfecting rays of the sun.

  4. Jason · 1320 days ago

    One of the many reasons we chose Sophos over Symantec security products... Symantec is just too big to keep nimble and in front of threats - the software is bloated, their support is outsourced or at the minimum in ESL call centers, and the prices are expensive as hell for what you get.

    Upgrades are a nightmare, maintenance is even worse... nope, no love lost here.

  5. Nanette · 1318 days ago

    I think you guys are really cool, to have such a good attitude towards Symantec.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog