Symantec CEO: Source Code Reviews Pose Unacceptable Risk (reuters.com)
In an exclusive report from Reuters, Symantec's CEO says it is no longer allowing governments to review the source code of its software because of fears the agreements would compromise the security of its products. From the report: Tech companies have been under increasing pressure to allow the Russian government to examine source code, the closely guarded inner workings of software, in exchange for approvals to sell products in Russia. Symantec's decision highlights a growing tension for U.S. technology companies that must weigh their role as protectors of U.S. cybersecurity as they pursue business with some of Washington's adversaries, including Russia and China, according to security experts. While Symantec once allowed the reviews, Clark said that he now sees the security threats as too great. At a time of increased nation-state hacking, Symantec concluded the risk of losing customer confidence by allowing reviews was not worth the business the company could win, he said.
Either let nobody review the code, or let everybody in the world who wants to look at it review it. I rather suspect that crowdsourcing security reviews might actually make all code safer and more secure, if only because there WILL be friendly eyes going through it and proofreading the code.
access denied
“As a vendor here in the United States,” Clark said, “we are headquartered in a country where it is OK to say no.”
Yeah, right, and national security letters are a figment of my imagination...
Highly likely their software is shit and it's shit all the way down and they don't want you to know how shit it is.
It is unreviewed proprietary source code that poses the most significant risk. Any government technology department that fails to do a source code review of a product before deployment is committing malpractice. If a vendor refuses to cooperate, their product should be barred from competition.
about how much he believes in the security of his own software.
The best stuff is that which can stand up to peer review and intense scrutiny, yet retain its trust level.
Given a choice between a closed source super-secret-trust-us-its-secure platform or an open source peer-reviewed-I-dare-you-to-break-it one, guess which one I would prefer to go with ?
I've published the source code of my own products since about 1987. The difference between Symantec and me is that I give the source code to everyone, and I give them an incentive to read the code, because they can also redistribute and modify it, and put it to any use.
And of course a national entity that wants to badly enough, like the government of Russia, is going to get a look at the Symantec source code even if it means getting someone into a job there to do it. So, isn't Symantec just saying that their proprietary paradigm is a poor one from a security perspective?
Bruce Perens.
Guess they've not heard of IDA Pro.
Who gets a review?
USA, UK, NZ, AU, Canada?
Some of the more trusted NATO nations? All of NATO? Nations wishing to join NATO soon?
Some other nations? A China? Brazil? Japan?
Why would any nation buy into a security product they have not seen all the code to?
Other developers will just offer their products for review. How long before nations just say no review, no buy?
Domestic spying is now "Benign Information Gathering"
I imagine the backlash against Kaspersky, after it was found the Russian govt. was abusing security holes in its anti-virus software in order to hack computers which had it installed, is responsible for this. It seems plausible they found out about said holes due to the mandatory source-code reviews.
Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
There are zero day exploits in everything, including Linux, the most viewed open source.
"Given a choice between"....
That's really a false dichotomy here. Closed source THAT IS ONLY OPENED TO A KNOWN ATTACKER is the 3rd option, and it's the one the Symantec boss is saying is bad. And it is.
It's neither code viewed by many eyes nor code kept as secret as possible; it's viewed by few eyes AND a lot of those eyes are from a known hacking group that has successfully undermined several democracies around the world.
I can't help thinking, though, that Russian hacking is just a symptom of a wider problem with this rogue state. Regime change is needed. Putin has become too much of a liability when he gets so cocky he starts to try to take down the big democracies in the west.
The real news here is most Symantec customers will be shocked when they find out they were allowing foreign governments code reviews in the first place.
Damn. I get most of my news on the internet from AC First Posts on slashdot.
If I were a government reviewing a security product like that, I wouldn't tell them about any vulnerabilities I found. They would be much more useful to use against all of their customers.
to merge without a pull request.
Or that software can be modified.
Step 1: US company Equifax allows personal ID data for hundreds of millions of people to be stolen, and nobody seems to care.
Step 2: US Government condemns Kaspersky Labs for potentially leaking information to the Russians, thus destroying Kaspersky's US market.
Step 3: Symantec prohibits government source code reviews, thus ensuring an NSA backdoor.
So, no matter what you do, you are screwed.
There is clearly no such thing as Cyber Security.
Put your money on Molson beer.
It is a much better investment.
News that's hot. Naked and petrified.
"In security engineering, security through obscurity (or security by obscurity) is the reliance on the secrecy of the design or implementation as the main method of providing security for a system or component of a system. A system or component relying on obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that if the flaws are not known, that will be sufficient to prevent a successful attack. Security experts have rejected this view as far back as 1851, and advise that obscurity should never be the only security mechanism."
So either the CEO of Symantec is a security idiot, or he has a better reason he's not sharing.
And if he's claiming the reason for using Security Through Obscurity is to provide his customers with a stronger feeling of being secure, I do hope the masses aren't idiots and this backfires as spectacularly as it really should.
I work for the Department of Redundancy Department.
Reverse Kaspersky from Russia with love?
to a third world nation.
Then anyone can review it and probably won't be able to make any sense of it whatsoever. Unless they are fluent in spaghetti code. It's like a cheaper type of encryption.
Are there any non-anonymous Slashdot readers who will actually admit to using Symantec security software?
And I'm not counting the millions of people who got it on a new computer and can't figure out how to remove it!
CEO: "At a time of increased nation-state hacking, Symantec concluded the risk of losing customer confidence by allowing reviews was not worth the business the company could win"
Translation: our antivirus software is now spyware, and we don't want anybody to find out.
they put in for NSA.
You guys all misunderstood what they feared. They are not afraid of foreign governments finding flaws in their software; they are afraid of foreign governments finding the NSA backdoors, and thus banning Symantec in their country. With the USA's example of banning Kaspersky, Symantec didn't even have any grounds to complain.
Why share source when there is a fair chance it could be leaked to hackers and/or competition, with no business case? Open source might be ideal, but many companies make more money and potentially can make better products investing in development, support, etc. The CEO indicated there was not a good business case to share. His judgment, but it seems rational.
Fine, if they want to see the code, show us yours. You want to sell in the USA? Show us your code. Easy peazy lemon squeezy.
NSA just kopy katted KGB! Quite the honor.
It's been too long I need some hot grits!
*NOT* allowing source code reviews poses unacceptable risk. I guess I STILL won't be using Symantec products.
This is a hacked account, for which the owner can not be held responsible.
"Symantec's CEO says it is no longer allowing governments to review the source code of its software because of fears the agreements would compromise the security of its products."
It wouldn't surprise me if the state security apparatus didn't already have access to Symantec code through their embedded agents.
Sharks with mother fucking lasers on their heads.
"no longer allowing" meaning they've already seen the source code. Not showing it to them a second time isn't going to change the fact that they've already seen it, and I seriously doubt incremental updates will change that much as most of the source code won't change much over time (assuming it's typical of most projects).
Not to buy Symantec.
Not surprisingly, their products are among the least reliable on the market. Those who make such claims should not even work on the safety of a closet. Surely this is an additional reason not to buy their software and not to recommend it to customers.
Endpoint bug
The arrival of the year 2010 triggered a bug in Symantec Endpoint. Symantec reported that malware and intrusion protection updates with "a date greater than December 31, 2009 11:59pm [were] considered to be 'out of date.'" The company created and distributed a workaround for the issue.[68]
Scan evasion vulnerability
In March 2010, it was reported that Symantec AntiVirus and Symantec Client Security were prone to a vulnerability that might allow an attacker to bypass on-demand virus scanning, and permit malicious files to escape detection.[69][70]
Denial-of-service attack vulnerabilities
In January 2011, multiple vulnerabilities in Symantec products that could be exploited by a denial-of-service attack, and thereby compromise a system, were reported. The products involved were Symantec AntiVirus Corporate Edition Server and Symantec System Center.[71]
The November 12, 2012 Vulnerability Bulletin of the United States Computer Emergency Readiness Team (US-CERT) reported the following vulnerability for older versions of Symantec's Antivirus system: "The decomposer engine in Symantec Endpoint Protection (SEP) 11.0, Symantec Endpoint Protection Small Business Edition 12.0, Symantec AntiVirus Corporate Edition (SAVCE) 10.x, and Symantec Scan Engine (SSE) before 5.2.8 does not properly perform bounds checks of the contents of CAB archives, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted file."[72]
The problem relates to older versions of the systems and a patch is available. US-CERT rated the seriousness of this vulnerability as a 9.7 on a 10-point scale. The "decomposer engine" is a component of the scanning system that opens containers, such as compressed files, so that the scanner can evaluate the files within.
Scareware lawsuit
In January 2012, James Gross filed a lawsuit against Symantec for distributing fake scareware scanners that purportedly alerted users of issues with their computers. Gross claimed that after the scan, only some of the errors and problems were corrected, and he was prompted by the scanner to purchase a Symantec app to remove the rest. Gross claimed that he bought the app, but it did not speed up his computer or remove the detected viruses. He hired a digital forensics expert to back up this claim. Symantec denied the allegations and said that it would contest the case.[73] Symantec settled with an $11 million fund (up to $9 to more than 1 million eligible customers, representing the overpaid amount for the app) and the case was dismissed in court.[74][75]
Source code theft
On January 17, 2012, Symantec disclosed that its network had been hacked. A hacker known as "Yama Tough" had obtained the source code for some Symantec software by hacking an Indian government server.[76] Yama Tough released parts of the code, and threatened to release more. According to Chris Paden, a Symantec spokesman, the source code that was taken was for Enterprise products that were between five and six years old.[76]
On September 25, 2012, an affiliate of the hacker group Anonymous published source code from Norton Utilities.[77] Symantec confirmed that it was part of the code that had been stolen earlier, and that the leak included code for 2006 versions of Norton Utilities, pcAnywhere and Norton Antivirus.[77]
Verisign data breach
In February 2012, it was reported that Verisign's network and data had been hacked repeatedly in 2010, but that the breaches had not been disclosed publicly until they were noted in an SEC filing in October 2011.[78] Verisign did not provide information about whether the breach included its certificate authority business, which was acquired by Symantec in late 2010.[78] Oliver Lavery, Director of Security and Research for nCircle, asked rhetorically, "Can we trust any site using Verisign SSL certificates? Without more clarity, the logical answer is no."[79][80]
pcAnywhere exploit
On February 17, 2012
Critical Code Reviews lead to better code. Perform those thoroughly in house and you should pass any review with flying colors.
Usually the "Critical" bit together with preposterous egos is the problem within most organisations. Nobody dares to tell the guru he's wrong. And no manager is ever rewarded for solving difficult problems, unless they can't be circumvented with loads of babble.
I know.
I hadn't the slightest objection to his spending his time planning massacres for the bourgeoisie... (P.G. Wodehouse)
Call their customer service sometime and you will lose all confidence.
Once you know how to read x86, everything is open source.
How can anyone prove that the source code they are reviewing is the actual product being used? What government has that kind of resources anyway?
"A plan fiendishly clever in its intricacies"- Homer Simpson
Imagine a state where a drug company said that it would refuse to allow government health organizations to examine all aspects of their products before approving of their sale.
There must be balance between security by obscurity and complete openness.
Greed is the root of all evil.
Lol, hatred runs strong in this one!
" merely watching how the pattern of memory accesses is generally enough to identify at least the class of algorithm used "
Oh come on, you think nobody has thought of that and doesn't game the algorithm to make a load of pointless and unnecessary memory accesses in order to fool anyone with a logic analyser sitting on the bus? These days the speed hit doing so is almost irrelevant.
I want to make clear, for the majority of software I am strongly of the opinion that perfect knowledge of the source code should not allow an attacker any advantage because the security properties are invariant to the implementation. For a trivial example, you can review the libOTR or TrueCrypt code all day, but the confidentiality of my encrypted volumes rests on the underlying cryptographic ciphers and my ability to keep the password a secret.
But I actually agree with Symantec that AV is a unique exception to this rule, and I justify that by looking at the relationship between the AV software and the threat against which it (allegedly) defends. Specifically, AV software is supposed to detect and quarantine executables running at the same level of privilege as the AV.
So it's essentially an arms race, using the vagaries of the Windows NT process management as a battlefield. Malware tries to hide itself (from, e.g., EnumProcesses or other attempts to inspect it); AV tries to find it and, in the process, hide itself from malware that would disable or compromise it. In this context, knowing the exact method by which either side works is actually helpful -- and obscurity here (unlike virtually everywhere else) is actually security.
Note there is a weird overlap here between malware and anti-cheat-measures taken by games. In both cases, there is a user-level process that wishes to conceal itself from other software on the system that wishes to inspect/modify its behavior. In practice, any OS facility used for AV can similarly be used by a cheat program, especially if all the program wants to do is read information (like enemy locations in an FPS) from memory.
Jan '84 - Macintosh is introduced with great success.
Sept '85 - MS releases Excel for the Mac by convincing Jobs to share Mac's source code to properly integrate Excel into Mac.
Dec '87 - Windows 2.03 rolls out resembling Mac's GUI look and feel.
Mar '88 - Apple sues MS for copyright infringement.
Gates walks away from lawsuit unencumbered to become (off and on) the richest bastard in the world.
What could go wrong?
ALL source code of ALL software should be available to ALL parties for the asking at ANY time. You should be able to compile it to an exact byte-for-byte copy of the executable, and you should be able to modify it for your own personal use. Imagine Windows 10 with no 'telemetry', 'Cortana', forced updates, or any other component that invades your privacy or usurps your sovereign right to your own hardware. It would be a MUCH better world.
There's a better solution for the code review problem: give the Russians a few million lines of spaghetti derived from a standard hello world program. While it might not have the feeling of reading something useful, it'll keep the government happy without exposing your valuable security holes to foreign powers.
Does it run linux?
Then yes, it needs to be open sourced.
Not security related? Then I don't care.
Closed source either way? Well, I won't bother. Security related and closed source? Nope.jpg.
in fear CIA will use the gained knowledge to weaponize Symantec products for spying in the US and abroad
See subject: What's simpler to do to find bugs in code - step trace closed source in a debugger OR have the source code itself?
* I'll answer for you - having the actual source code (hence even YOUR OpenSORES argument plays against you here in fact... yes, it works BOTH ways & judging by what I've seen? Moreso AGAINST you & why? See below!)
(NO QUESTIONS ASKED)
Funny part is the OpenSORES movement (of which you are a part) always says "all those eyes on the source code make safer wares" well - I don't see it - you get bugs too (since much of who uses your code don't code themselves OR @ a level where they can identify those bugs). The bugs STILL occur & ARE EASIER TO SPOT when you have the source code!
APK
P.S.=> Fuzzers & debuggers CAN find things but it's MUCH HARDER TO DO than having actual source code to look @ & step trace in a compiler (delinting alone is an example)... apk
...source code, the closely guarded inner workings of software...
I'm not feeling a whole lotta love for a technical "report" in which the author feels the need to explain what the term "source code" means. Just a hunch, but I'm guessing such a "report" isn't going to reveal too many worthwhile insights.