Symantec CEO: Source Code Reviews Pose Unacceptable Risk

In an exclusive report from Reuters, Symantec's CEO says it is no longer allowing governments to review the source code of its software because of fears the agreements would compromise the security of its products. From the report: Tech companies have been under increasing pressure to allow the Russian government to examine source code, the closely guarded inner workings of software, in exchange for approvals to sell products in Russia. Symantec's decision highlights a growing tension for U.S. technology companies that must weigh their role as protectors of U.S. cybersecurity as they pursue business with some of Washington's adversaries, including Russia and China, according to security experts. While Symantec once allowed the reviews, Clark said that he now sees the security threats as too great. At a time of increased nation-state hacking, Symantec concluded the risk of losing customer confidence by allowing reviews was not worth the business the company could win, he said.

Two Choices

[sehlat]

Either let nobody review the code, or let everybody in the world who wants to look at it review it. I rather suspect that crowdsourcing security reviews might actually make all code safer and more secure, if only because there WILL be friendly eyes going through it and proofreading the code.

Re:Two Choices

[phantomfive]

Good thing Symantec is secure and has no horrible remote exploits that give hackers top-level access to the system.

Just say no to Symantec, it can only make your system worse (they had a solid C compiler back in the 90s though).

Re:Two Choices

No, like everything else Symantec, that compiler was acquired, not developed by them. Again, like everything Symantec, they then proceeded to run it into the ground.

Re:Two Choices

[Wootery]

like everything Symantec, they then proceeded to run it into the ground.

On the upside, they would have been able to run it really fast.

Re:Two Choices

[Voyager529]

Just say no to Symantec, it can only make your system worse

Sadly, being "good" and "effective" are seldom requirements for 'checkbox compliance'. I went through this with a law firm recently that was trying to upgrade everything to meet the requirements the bank had in order to do business with them. The bank didn't explicitly say they required Symantec, but a whole lot of their workstation requirements were conveniently default (or basically-default) policies Symantec has. Being a fan of ESET due to it being actually-effective, I pitched it to the client. The client trusts my recommendations and was willing to pay more for ESET, but needed the bank to sign off on it. Again, the bank didn't *require* Symantec, they were just "more familiar with it" and "considered it the best option"...at which point, going with ESET would have likely caused more political issues. Half the machines in the office needed to have their RAM upgraded to run with any meaningful level of performance after installing Symantec on them, but it makes the banks happy, which was why they preferred it, and I really can't fault them.

After all, even for the banks, "secure systems" aren't nearly as important as "compliant systems".

Re:Two Choices

[mysidia]

We'll be safer against the COMMON bad actor that just finds a simple bug that STANDARD REVIEW would detect.
And less safe against bad actors that have highly-advanced specialized technical knowledge to find subtle bugs that everyone else is going to miss (Although these highly-advanced technical actors with a lot of money to spend could likely be able to reverse-engineer the entire product in their search for potential bugs).

Re:Two Choices

[phantomfive]

what makes ESET so great?

The end of the article is laughable

“As a vendor here in the United States,” Clark said, “we are headquartered in a country where it is OK to say no.”

Yeah right and national security letters are a figment of my imagination...

Re:The end of the article is laughable

[GumphMaster]

They might be. Do you have evidence that they actually exist?

Re:The end of the article is laughable

[Maritz]

To be fair the NSA has oversight from FISA courts.

Dear Leader Putin, on the other hand, does whatever the fuck he likes. And if you don't like it, you can have a nice cup of polonium tea.

Re:The end of the article is laughable

[Gr8Apes]

We actually do - look at the reports presented by MS or Google of how many they get, offered in ranges.

Right...

Highly likely their software is shit and it's shit all the way down and they don't want you to know how shit it is.

Re:Right...

[schleimkeim]

Highly likely their software is shit

Highly likely? Installing symantec is like giving your computer AIDS. That has always been a general rule in IT.

Wrong

It is unreviewed proprietary source code is what poses the most significant risk. Any government technology department that fails to do a source code review of a product before deployment is committing malpractice. If a vendor refuses to cooperate their product should be barred from competition.

Re:Wrong

[BlueCoder]

Not wrong.

There is potential for a security leak because all software is notorious for the fact that as more people work on code the more bugs are potentially included. There is legitimate concern of governments including the US of abusing this. It is far better to allow individual independent specific companies on behalf of countries to review code.

Far easier to vet a company and monitor it than a country.

Says volumes

[nehumanuscrede]

about how much he believes in the security of his own software.

The best stuff is that which can stand up to peer review and intense scrutiny, yet retain its trust level.

Given a choice between a closed source super-secret-trust-us-its-secure platform or an open source peer-reviewed-I-dare-you-to-break-it one, guess which one I would prefer to go with ?

Re:Says volumes

[blindseer]

Says volumes about how much he believes in the security of his own software.

I worked on secure systems before. It was common to use well documented algorithms for encryption. The mathematics showed the encryption to be secure. The implementation would be trivial rewrites of the encryption, so not any different than anything open source. We'd pair the encryption we had with open source implementations to assure we did it correctly.

One thing we could not do was reveal our code. In fact even mentioning which encryption we used was considered a security violation. This was done to deny an attacker as much information as possible for an attack. Sure, the code was likely very secure, but we weren't under any kind of obligation to give attackers anything that could make their life of snooping into the communications easier.

There is still a possibility that someone might be able to prove the encryption we used was not as secure as previously believed. We'd still enjoy security by obscurity. The assumption was that if the encryption was flawed then attackers would still have to go through the effort to find out if we used the flawed encryption or not. This buys time to fix the problem.

Most encryption is based on the idea of creating a key with enough bits that any brute force attack would have to try all the combinations to break. By keeping the algorithm a secret then we have effectively added a few more bits to the key. That adds that much more time to an attack.

Then there is the matter of intellectual property and industrial espionage. By sharing the code with the government there is a possibility of something unique and valuable being revealed to a potential competitor to copy and sell, or possibly patent and claim infringement on the original authors. Maybe the rights to the code would hold up in court but that still means the expense of going to court.

Re:Says volumes

[swillden]

By keeping the algorithm a secret then we have effectively added a few more bits to the key.

You didn't, really.

If the attacker has your binary, decompiling it is not hard. I don't even have to decompile it in most cases, merely watching how the pattern of memory accesses is generally enough to identify at least the class of algorithm used (there aren't that many), and examination of S boxes etc., tells the rest. And if the algorithm you used is remotely close to breakable -- by brute force or any other means -- then you're hosed.

Obscurity is very foolish except in one case: security hardware which has internal storage, and can't practically be updated. A good example is a smart card chip. In that case, all you can do is do the best job you can on the software, and the best job you can do on the hardware (whose job is partly to deny the attacker access to your software), and then keep it secret. Assuming the hardware doesn't leak it, and you don't leak it, then the attacker can only blindly fuzz the device to look for vulnerabilities.

In practice, though, smart card makers don't do that either. They do provide full details of hardware and software, including source code, to a couple of highly-capable test labs, who spend many months poring through all of it as well as fuzzing it, attempting physical penetration of the hardware and everything else they can think of.

If your organization did that, hired multiple outside teams of extremely talented people to attack your implementation, and you kept the attacker away from the binary as well as the source, then perhaps you gained something from the obscurity. If not, you just fooled yourselves, and made your product weaker than it would have been if you had published the design and the source code for the world to beat on.

Re:Says volumes

[blindseer]

The systems I was referring to did in fact have sealed boxes where if tampering was detected the memory was wiped. The communications the devices were meant to protect would still be down an unsecured wire or transmitted by radio. If the encryption used was known then that means much less resources would be needed to break it, brute force or otherwise.

More generally though by keeping code secret, even on publicly available software, you'd be forcing a state funded actor to put the resources to decompiling the code. The code would then have to be examined for vulnerabilities. By handing over the original code there's much more information to work with. There would be comments, variable names, and so many other clues that make it readable and therefore much easier to look for a vulnerability. Sure, they'll still have the code either way but there's no obligation to hand it over on a silver platter.

Re:Says volumes

[sabbede]

How about this:

The Russian government tries to break into US companies all the time.

Symantec protects many US companies.

Letting them read the code for the software that protects their targets might not be a good idea.

Re:Says volumes

[houghi]

By keeping the algorithm a secret then we have effectively added a few more bits to the key.

You didn't, really.

To make it easier: it is like saying that you are more secure, because you run SSH on port 2222 instead of 22.
Harder to hack does not mean it is more secure. The hill is steeper, but just as high.

Re:Says volumes

[swillden]

The systems I was referring to did in fact have sealed boxes where if tampering was detected the memory was wiped.

Then the obscurity wasn't *completely* pointless. But still mostly pointless. If your algorithm is broken, "adding a few bits" is extremely unlikely to make any difference. If it's not broken, then adding a few bits makes no difference... and by keeping it secret you're running the risk that you have serious flaws that you don't know about, which could completely destroy the security. Bad idea.

More generally though by keeping code secret, even on publicly available software, you'd be forcing a state funded actor to put the resources to decompiling the code.

Which takes seconds.

The code would then have to be examined for vulnerabilities. By handing over the original code there's much more information to work with.

A little, sure. Enough to matter? Not at all. I work with a lot of people who do reverse engineering for a living. Not having source slows them down very, very little.

Also, I note that you did not confirm that your organization had outside penetration testing done. That right there proves that your organization doesn't know how to write secure software. Please tell me what hardware we're talking about so I can avoid it.

Re:Says volumes

[blindseer]

Also, I note that you did not confirm that your organization had outside penetration testing done. That right there proves that your organization doesn't know how to write secure software. Please tell me what hardware we're talking about so I can avoid it.

I can assure you that the organization I worked for does know how to write secure software. You cannot buy these devices as they were built for a specific use and even saying the name of the project might be a security violation. I was not knowledgeable of all the design and testing involved because everything was need to know. I had general ideas on their ultimate use, the cases they were put in, the kind of wire or radio used, and so on. I know that there were tamper switches on the cases because those signal lines had to be handled. I didn't know everything about the hardware just like the people that designed the cases didn't know everything about the software. After we were done with our own internal testing everything was handed over to the customer for their own testing. It's quite possible there was penetration testing but no one thought I needed to know. I could say a lot about what was done but you don't need to know.

The point is, and you admit to it, that not having the source code will slow down an attack. We can debate how much but knowing it will slow down an attack is sufficient to go through the effort of keeping certain design choices secret.

Re:Says volumes

[swillden]

I can assure you that the organization I worked for does know how to write secure software.

Maybe, but I'm skeptical.

The point is, and you admit to it, that not having the source code will slow down an attack.

Trivially.

We can debate how much but knowing it will slow down an attack is sufficient to go through the effort of keeping certain design choices secret.

No. That is not enough to justify reliance on secrecy. There has to be some other reason, or it's just self-deception.

Oh, Really?

[Bruce+Perens]

I've published the source code of my own products since about 1987. The difference between Symantec and me is that I give the source code to everyone, and I give them an incentive to read the code, because they can also redistribute and modify it, and put it to any use.

And of course a national entity that wants to enough, like the government of Russia, is going to get a look at the Symantec source code even if it means getting someone into a job there to do it. So, isn't Symantec just saying that their proprietary paradigm is a poor one from a security perspective?

Re:Oh, Really?

[Dantoo]

I think the most significant thing about this story is that Bruce Perens still visits /.

Err hi Bruce!

Re:Oh, Really?

[alvinrod]

That's a poor argument. It's hard to count the value of open source software because in many cases their is no charge. The world wouldn't be anywhere near where it is now if there were no Linux, Apache, or various other open source products that are used the world over if everyone were stuck buying some commercial product that wouldn't necessarily even be as good.

A lot of developers of proprietary software still use open source tools. Both git and SVN are among the most popular version control systems and very little collaborative work could occur on the levels required today without tools like that. That developers can freely use and improve those tools just means that money can be spent elsewhere. How many billions would need to be spent if FOSS like that didn't exist?

Re:Oh, Really?

[swb]

While I agree with you philosophically, I think in terms of an AV program on Windows you're dealing with a unique set of vulnerabilities and a black hat state organization would want to know every detection technique and evasion detection trick they could. It's kind of a fundamentally insecure environment to begin with.

Re:Oh, Really?

[freeze128]

With all due respect to Bruce... Who cares about Bruce Perens? I want to know what Peter Norton thinks of this!

Re: Oh, Really?

[F.Ultra]

So by that logic we should pay even less attention to you.

Re:Oh, Really?

[Nite_Hawk]

He comes out of the woodwork pretty regularly for security related articles. :)

Good and bad nations?

[AHuxley]

Who gets a review?
USA, UK, NZ, AU, Canada?
Some of the more trusted NATO nations? All of NATO? Nations wishing to join NATO soon?
Some other nations? A China? Brazil? Japan?
Why would any nation buy into a security product they have not seen all the code to?
Other developers will just offer their products for review. How long before nations just say no review, no buy?

Kaspersky Fallout

[mentil]

I imagine the backlash against Kaspersky, after it was found the Russian govt. was abusing security holes in its anti-virus software in order to hack computers which had it installed, is responsible for this. It seems plausible they found out about said holes due to the mandatory source-code reviews.

Re:Kaspersky Fallout

[drinkypoo]

If I were using my imagination here, I'd imagine that the unacceptable risk is that someone will figure out that they're distributing malware on behalf of their host state.

Breaking News: Water is Wet

[mike2006]

The real news here is most Symantec customers will be shocked when they find out they were allowing foreign governments code reviews in the first place.

Re:AC No Longer Allowing Slashdot to Review Frst P

Damn. I get most of my news on the internet from AC First Posts on slashdot.

Fair enough

[viperidaenz]

If I was a government reviewing a security product like that, I wouldn't tell them about any vulnerabilities I find. They would be much more useful to use against all of their customers.

Don't Waste Your Money

Step 1: US Company, Equifax allows personal ID data for 100's of millions of people to be stolen and nobody seems to care.

Step 2: US Government condemns Kaspersky Labs for potentially leaking information to the Russians. Thus destroying Kaspersky's US market.

Step 3: Symantec prohibits government source code reviews. Thus insuring an NSA backdoor.

So, no matter what you do, you are screwed.
There is clearly no such thing as Cyber Security.
Put your money on Molson beer.
It is a much better investment.

Re:Don't Waste Your Money

Step 3: Symantec prohibits government source code reviews. Thus insuring an NSA backdoor.

There's the problem right there.
An insurance company selling software.
Which ensures there is an NSA backdoor.

Re:Don't Waste Your Money

[sittingnut]

usa government (and its cronies) logic :
kaspersky software finds (as it is supposed to) nsa's new malware in a nsa contractor's private computer. alerts hq, russian gov perhaps hears about it. kaspersky is a security threat.
meanwhile symantec never finds any nsa malware. symantec wont let others examine its source. symantec is patriotic!

Re: Don't Waste Your Money

[sittingnut]

how come some low id Slashdot accounts are pushing the Kremlin line recently? Is it anything to do with a comment on the 20 year anniversary story saying these accounts are worth money or has the Slashdot database been hacked?

may be "low id slashdot accounts" prefer openness, individual freedom, and critical thinking, over secrecy, "security"(as defined by deep state), and propaganda.

Re: Don't Waste Your Money

[rxmd]

how come some low id Slashdot accounts are pushing the Kremlin line recently? Is it anything to do with a comment on the 20 year anniversary story saying these accounts are worth money or has the Slashdot database been hacked?

may be "low id slashdot accounts" prefer openness, individual freedom, and critical thinking, over secrecy, "security"(as defined by deep state), and propaganda.

If you prefer openness, individual freedom, and critical thinking, then Russia is not where you should be looking.

In fact, "secrecy, "security"(as defined by deep state), and propaganda" is at least as characteristic of Russia than of pretty much all Western countries. (I'm saying this as a non-Russian who speaks Russian fluently and has spent the last ten years working in 11 out of 15 CIS states.) Russia is also at least as much driven by capitalism and corporate greed and has greater social inequality. If you're disappointed with what's going on in your country, fix your own country instead of getting your inspiration from one that is even worse.

Re: Don't Waste Your Money

[houghi]

In Belgium they used to say "If you are young and you are not a socialist(*), you have no heart. If you are old and you are not a capitalist(**), you have no head."
It seems that this is reversed now.

(*) Meaning that social things matter more than money
(**) Meaning financial stability is more important

Re: Don't Waste Your Money

[temcat]

As a Russian, I can attest to that. It doesn't mean, however, that everything popular media and government agencies tell you about Russia this and Russia that is true and not propaganda and fearmongering—or sometimes a complete nothingburger, even if true to a large extent, like with the elections. Just the fact that they could do this or that bad thing (and I can say that pretty much everything is possible with the current gang in power here), doesn't mean they actually have, unless you can show some credible proof and explanation.

Re: Don't Waste Your Money

[Gr8Apes]

...everything popular media and government agencies tell you about Russia this and Russia that is true and not propaganda and fearmongering—or sometimes a complete nothingburger, even if true to a large extent, like with the elections. Just the fact that they could do this or that bad thing (and I can say that pretty much everything is possible with the current gang in power here), doesn't mean they actually have, unless you can show some credible proof and explanation.

I believe the proof you're seeking is at least partially provided by Facebook and Google's ad sales. Russian sources spent significant funds to direct ads to attempt to influence voters in specific battleground states. That's a pretty significant smoking gun, given all the other circumstantial evidence already reported regarding Russian activities.

Re: Don't Waste Your Money

[EndlessNameless]

How come that with a mishmash of hearsay and "expert" opinion people pretend to know documents were stolen?

If his computer held classified information, no one outside the government is ever going to touch it again. If they are investigating an adversary's cyberattack, the government is never going to publicly disclose its methods, tools, or findings. That is all going to be classified too.

I seriously doubt anyone with first-hand knowledge will be talking about it; this isn't the kind of issue where an attack of conscience will lead someone to cross the line.

The public will never be told the details, so the closest we can get is expert speculation.

Re: Don't Waste Your Money

[Gr8Apes]

The young definitely seem to be on the socialist path. That's not all bad, nor all good. Unfettered capitalism has led to some of the largest swindles ever seen. Even medieval kings didn't successfully gather as much power as some capitalists, because their economies were directly tied to their power. Capitalists have no such ties, destroying a country's economy has no negative bearing on their wealth if they can plunder the target country's wealth.

Given technological progress, adoption of some ideas of socialism are inevitable, as is further regulation of capitalism.

Re: Don't Waste Your Money

[Kludge]

how come some low id Slashdot accounts are pushing the Kremlin line recently?

I think you are confusing "pushing the Kremlin line" with "not believing everything that the NSA feeds us".
Those who have been around a long time know that Kaspersky has been a top notch computer security company for a long time. We also know that the NSA has been trying to hack everyone for a long time.
Of course we know that the Kremlin is trying to hack everyone too, but we are not going to quickly abandon our years of experience.

Re: Don't Waste Your Money

[temcat]

What I gathered from the info on the ad sales is that the spending was pretty minuscule compared to the general level of spending on the electoral informational activities, more than half of the ads were run after the elections, and the ads themselves were of a bi-partisan nature (with their content coming originally from Americans themselves), so you cannot even say how exactly Russia tried to influence the elections (meaning, whether there was a definite electoral result they tried to achieve). So, to me, it looks like it's pretty insignificant to the extent it's true.

In addition, not every kind of influence on the elections is even bad. I for one would welcome any attempts, including by foreign players, to influence the 2018 presidential elections in Russia by publishing info on the shady business of Putin and his clique. It just has to be true.

Re: Don't Waste Your Money

[temcat]

Well, can't say about others, but I personally do like this word. It may even be that I learned it from the discussions of US elections. In addition to what I have already listed above, the scope and significance of this meddling are indeed nothing compared to the fraud that the Russian elections on most levels are now. RT is really a bigger and more general threat to you on the propaganda front than those ads.

Re: Don't Waste Your Money

[Kiaser+Zohsay]

I wouldn't call 88000 low.

Re:Don't Waste Your Money

[cyberchondriac]

Step 1: US Company, Equifax allows personal ID data for 100's of millions of people to be stolen and nobody seems to care.

Nobody seems to care? It's been all over the news, in every form of media; it's been a huge deal.
They're under criminal investigation by the DoJ for possible insider trading, and there's a criminal investigation into the hack itself by the FBI.
Those things just take time. Protesting and rioting in the streets won't help anything, and that's getting a bit overused lately anyway. And, this may finally spell the end of using SSNs for all kinds of identification purposes, which would be a significant step in the right direction.

Re: Don't Waste Your Money

[merky1]

I like to think its more of an experience thing. IE - we've seen so many of these conspiracy theories that the current Russia fever seems way out of touch.

Somehow low effort trolling and phishing campaigns are somehow becoming hacks. And they are massively diverting money and attention away from the real crimes. Podesta gave his password to a foreign agent. That affects a single person. Someone stole VA/OPM/Equifax data on millions of Americans. Yet we are see nothing happening, going to happen, or any changes whatsoever.

Re: Don't Waste Your Money

[Hal_Porter]

It's weird how the Republicans and Democrats have swapped sides over this.

E.g. back in 2012 Mitt Romney said that Russia was the biggest threat to the US and the Democrats mocked him for still living in the Cold War era.

Then in 2013 Snowden fled to Russia and probably to a job with Russian intelligence. The consensus on slashdot was that was fine and he needed to get away from the NSA so he could continue to leak. Even though Putin made it clear that he could not continue to leak, at least not publicly

https://www.cbsnews.com/news/p...

Putin, who hosted a summit of gas-exporting nations in Moscow that included leaders from Venezuela, Bolivia and Iran, said he doesn't know if any of those attending could offer Snowden shelter.

"If he wants to go somewhere and there are those who would take him, he is welcome to do that," Putin said. "If he wants to stay here, there is one condition: he must stop his activities aimed at inflicting damage to our American partners, no matter how strange it may sound on my lips."

Which makes him a Russian spy, not a whistleblower.

Back then I said

https://yro.slashdot.org/comme...

If you look at WWII Anglo American SIGINT like breaking the Enigma code was absolutely vital to the war effort and saved the UK from defeat. As China moves towards parity with the West and confronts Japan over the Senkakus it's not impossible the US may find itself in a similar situation. In the long run it's not impossible that Russia will threaten the Ukraine militarily - after all it did more than threaten Georgia.

And in fact having a major SIGINT advantage over Russia and China is likely to act as a deterrent on them doing something like this. Conversely Snowden visiting both and telling them the US's capabilities is likely to make them think they're the ones with the advantage.

The only reason you'd think Snowden did the right thing is if you think the US is the sole source of evil in the world and Russia and China are both governed by people who act robotically in the best interests of humanity eschewing any personal gain. How likely is it really that the people who govern the US are the only ones vulnerable to corruption and the far less open political systems of Russia and China magically produce incorruptible leaders?

I'd say as bad as the US's politicians are the openness of the system means they are likely a lot less bad than those in China or Russia. In which case I'd rather the US has the SIGINT advantage. Snowden did exactly the wrong thing in taking US secrets to Russia and China and the Guardian is wrong to publish US secrets.

And was called an 'NSA shill'.

However now Slashdot is suddenly full of people saying that Russia hacked the election, presenting no evidence for that and calling anyone who disagrees a 'Russia shill'.

Re: Don't Waste Your Money

[HiThere]

Proof of what?

If you want to claim that it's proof that Russia interfered with the US elections, you've got a point. If you want to claim it's proof that Facebook acted above the law and isn't being punished, you've got a point. If you want to claim that Facebook are unpatriotic villians, you've got a point.

If you want to claim it as proof of something else, you need to connect the dots. There's no obvious connection to Kapersky. (I speculate about connections, but different ones than you appear to be suggesting...though I can't really tell, as your insinuations are too unfocused. And not based on Facebook, but rather on the fact that a Russian company is subject to the Russian government.)

Re:Don't Waste Your Money

[higuita]

Or simply drop windows and all their closed source software with unknown number of security problems and backdoors and use open source OS (linux, *bsd, MenuetOS, TempleOS , whatever) and software

Many people do not agree with RMS (Richard Stallman), but times proves that he is still right

Security through obscurity

[v1]

"In security engineering, security through obscurity (or security by obscurity) is the reliance on the secrecy of the design or implementation as the main method of providing security for a system or component of a system. A system or component relying on obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that if the flaws are not known, that will be sufficient to prevent a successful attack. Security experts have rejected this view as far back as 1851, and advise that obscurity should never be the only security mechanism."

So either the CEO of Symantec is a security idiot, or he has a better reason he's not sharing.

And if he's claiming the reason for using Security Through Obscurity is to provide his customers with a stronger feeling of being secure, I do hope the masses aren't idiots and this backfires as spectacularly as it really should.

Re:Security through obscurity

You're creating a Steadman. The software is adequately complex to assume that there are vulnerabilities. Giving access to a hostile actor accelerates the discovery. Without aerospace grade engineering and prices, you can't create software without defects. It's still remarkably hard with the 20:+ price differential for DO-178 style processes. To claim that security through obscurity is bad is a deliberate deception by presuming t that its the only security measure. Its a helpful layer.

So is this a

[ChoGGi]

Reverse Kaspersky from Russia with love?

Outsource the development

[Kellamity]

to a third world nation.

Then anyone can review it and probably won't be able to make any sense of it whatsoever. Unless they are fluent in spaghetti code. It's like a cheaper type of encryption.

Real risk is discovering the backdoors

they put in for NSA.

You guys all misunderstood what they feared about. They are not afraid of foreign governments finding flaws in their software, they are afraid of foreign governments finding the NSA backdoors, and thus banning Symantec in their country. With the USA's example of banning Kaspersky, Symantec didn't even have any grounds to complain.

Cost benefit

[spinitch]

Why share source when fair chance could be leaked to hackers and / or competition with no business case. Open source might be ideal but many Companies make more money and potentially can make better products investing in development, support etc.. The CEO indicated there was not a good business case to share. His judgment but seems rational.

Re:Cost benefit

[Swave+An+deBwoner]

Almost all AV these days uses more than simple known code fingerprints; additionally they use, e.g., heuristic scanning. Probably the fingerprints are not the concern because anybody who buys the product gets a copy of the fingerprints in a file. Probably it's exposing potential flaws in the scanner logic that is the concern.

Backwards

[uvajed_ekil]

*NOT* allowing source codes reviews poses unacceptable risk. I guess I STILL won't be using Symantec products.

Symantec don't allow governments access to source

[najajomo]

"Symantec's CEO says it is no longer allowing governments to review the source code of its software because of fears the agreements would compromise the security of its products."

It wouldn't surprise me if the state security apparatus didn't already have access to Symantec code through their embedded agents.

Just another reason

[geekprime]

Not to buy symantic.

Security through obscurity

[axettone]

Not surprisingly, their products are among the least reliable on the market. Those who make such claims should not even work on the safety of a closet. Surely this is an additional reason not to buy their software and not to recommend it to customers.

Critical Code Reviews

[SpaghettiPattern]

Critical Code Reviews lead to better code. Perform those thoroughly in house and you should pass any review with flying colors.

Usually the "Critical" bit together with preposterous egos is usually the problem within most organisations. Nobody dares to tell the guru he's wrong. And no manager is ever rewarded for solving difficult problems, unless they can't be circumvented with loads of babble.

I know.

"risk of losing customer confidence"

[entropy01]

Call their customer service sometime and you will lose all confidence.

Re:The only thing Symantec sells is FUD.

[Maritz]

I think any company who shows their source code to russian intelligence for any reason needs their fucking head examined.

We're talking the very definition of 'bad faith actor' here. Get a fucking mind. Get your business elsewhere.

Reviewing source code means nothing

[acoustix]

How can anyone prove that the source code they are reviewing is the actual product being used? What government has that kind of resources anyway?

More reason to be careful with Symantec Products

[TomGreenhaw]

Imagine a state where a drug company said that it would refuse to allow government health organizations to examine all aspects of their products before approving of their sale.

There must be balance between security by obscurity and complete openness.

Memory accesses?

[Viol8]

" merely watching how the pattern of memory accesses is generally enough to identify at least the class of algorithm used "

Oh come on, you think nobody has thought of that and doesn't game the algorithm to make a load of pointless and unnecessary memory accesses in order to fool anyone with a logic analyser sitting on the bus? These days the speed hit doing so is almost irrelevant.

Re:Memory accesses?

[swillden]

Oh come on, you think nobody has thought of that and doesn't game the algorithm to make a load of pointless and unnecessary memory accesses in order to fool anyone with a logic analyser sitting on the bus? These days the speed hit doing so is almost irrelevant.

The speed hit is not irrelevant. Performance is still a significant challenge for many applications, even on desktop and server class machines -- and definitely for mobile and embedded.

And it wouldn't matter much anyway. Worst case (and very unlikely) it might make the attacker have to bother with decompiling.

Re:Memory accesses?

[Viol8]

You can't decompile the binary if you can't get to it - if its encrypted in firmware and taking the lid off the chip destroys it.

Re:Memory accesses?

[swillden]

You can't decompile the binary if you can't get to it - if its encrypted in firmware and taking the lid off the chip destroys it.

In that case, and if it's not feasible to patch it, and if you've really done your due diligence (pen testing), then secrecy might make sense. But, really, it's the "not feasible to patch it" that is the reason for and justification of secrecy, not the rest.

Nit: if the firmware is inaccessible, there's no reason to encrypt it. Unless you have another even more secure component inside which holds the decryption key? And there's no point in that unless that other more secure component not only decrypts the firmware but also plays some other more crucial role in the secure operation, meaning it is your true trust boundary.

Also note that it's never completely inaccessible. You can raise the bar, make penetration very expensive, but you cannot make it impossible. Therefore, unless you have some constraint that makes reactive security (patching) impossible to exercise in a timely fashion, you should get as much scrutiny of your design and implementation as possible and fix all of the vulnerabilities found, quickly. Even if it's inside "secure" hardware.

Antivirus software is a huge exception . . .

[Wrath0fb0b]

I want to make clear, for the majority of software I am strongly of the opinion that perfect knowledge of the source code should not allow an attacker any advantage because the security properties are invariant to the implementation. For a trivial example, you can review the libOTR or TrueCrypt code all day, but the confidentiality of my encrypted volumes rests on the underlying cryptographic ciphers and my ability to keep the password a secret.

But I actually agree with Symantec that AV is a unique exception to this rule, and I justify that by looking at the relationship between the AV software and the threat against which it (allegedly) defends. Specifically, AV software is supposed to detect and quarantine executables running at the same level of privilege as the AV.

So it's essentially an arm's race, using the vagaries of the Windows NT process management as a battlefield. Malware tries to hit itself (from, e.g. EnumProcesses or other attempts to inspect it), AV tries to find it and, in the process, hide itself from malware that would disable or compromise it. In this context, knowing the exact method by which either side works is actually helpful -- and obscurity here (unlike virtually everywhere else) is actually security.

Note there is a weird overlap here between malware and anti-cheat-measures taken by games. In both cases, there is a user-level process that wishes to conceal itself from other software on the system that wishes to inspect/modify its behavior. In practice, any OS facility used for AV can similarly be used by a cheat program, especially if all the program wants to do is read information (like enemy locations in an FPS) from memory.

Re: False dychotomy

[Type44Q]

You think we can't tell that you're replying to your own posts?? Idiot.

Re:False dychotomy

[david_thornley]

That idiot in the White House can't be controlled. He's an equal-opportunity loose 16"/50 cannon, except for his hate for Obama and those who don't worship him. Other people have made that mistake. It's similar to what the German right wing thought about Hitler in 1933, except that Hitler had ideas and was generally quite competent (unfortunately).