Slashdot Mirror


Symantec CEO: Source Code Reviews Pose Unacceptable Risk (reuters.com)

In an exclusive report from Reuters, Symantec's CEO says it is no longer allowing governments to review the source code of its software because of fears the agreements would compromise the security of its products. From the report: Tech companies have been under increasing pressure to allow the Russian government to examine source code, the closely guarded inner workings of software, in exchange for approvals to sell products in Russia. Symantec's decision highlights a growing tension for U.S. technology companies that must weigh their role as protectors of U.S. cybersecurity as they pursue business with some of Washington's adversaries, including Russia and China, according to security experts. While Symantec once allowed the reviews, Clark said that he now sees the security threats as too great. At a time of increased nation-state hacking, Symantec concluded the risk of losing customer confidence by allowing reviews was not worth the business the company could win, he said.

19 of 172 comments

  1. Two Choices by sehlat · Score: 5, Insightful

    Either let nobody review the code, or let everybody in the world who wants to look at it review it. I rather suspect that crowdsourcing security reviews might actually make all code safer and more secure, if only because there WILL be friendly eyes going through it and proofreading the code.

    1. Re:Two Choices by phantomfive · Score: 4, Informative

      Good thing Symantec is secure and has no horrible remote exploits that give hackers top-level access to the system.

      Just say no to Symantec, it can only make your system worse (they had a solid C compiler back in the 90s though).

      --
      "First they came for the slanderers and I said nothing."
  2. The end of the article is laughable by Anonymous Coward · Score: 5, Insightful

    “As a vendor here in the United States,” Clark said, “we are headquartered in a country where it is OK to say no.”

    Yeah, right, and national security letters are a figment of my imagination...

    1. Re:The end of the article is laughable by GumphMaster · Score: 4, Funny

      They might be. Do you have evidence that they actually exist?

      --
      Patent litigation: A doctrine of Mutually Assured Destruction... in which everyone seems willing to push the button
  3. Wrong by Anonymous Coward · Score: 5, Insightful

    It is unreviewed proprietary source code that poses the most significant risk. Any government technology department that fails to do a source code review of a product before deployment is committing malpractice. If a vendor refuses to cooperate, their product should be barred from competition.

  4. Says volumes by nehumanuscrede · Score: 5, Insightful

    about how much he believes in the security of his own software.

    The best stuff is that which can stand up to peer review and intense scrutiny, yet retain its trust level.

    Given a choice between a closed source super-secret-trust-us-it's-secure platform or an open source peer-reviewed-I-dare-you-to-break-it one, guess which one I would prefer to go with?

    1. Re:Says volumes by blindseer · Score: 3, Interesting

      Says volumes about how much he believes in the security of his own software.

      I worked on secure systems before. It was common to use well documented algorithms for encryption. The mathematics showed the encryption to be secure. The implementation would be trivial rewrites of the encryption, so not any different than anything open source. We'd pair the encryption we had with open source implementations to assure we did it correctly.

      One thing we could not do was reveal our code. In fact even mentioning which encryption we used was considered a security violation. This was done to deny an attacker as much information as possible for an attack. Sure, the code was likely very secure, but we weren't under any kind of obligation to give attackers anything that could make their life of snooping into the communications easier.

      There is still a possibility that someone might be able to prove the encryption we used was not as secure as previously believed. We'd still enjoy security by obscurity. The assumption was that if the encryption was flawed then attackers would still have to go through the effort to find out if we used the flawed encryption or not. This buys time to fix the problem.

      Most encryption is based on the idea of creating a key with enough bits that any brute force attack would have to try all the combinations to break. By keeping the algorithm a secret then we have effectively added a few more bits to the key. That adds that much more time to an attack.

      Then there is the matter of intellectual property and industrial espionage. By sharing the code with the government there is a possibility of something unique and valuable being revealed to a potential competitor to copy and sell, or possibly patent and claim infringement on the original authors. Maybe the rights to the code would hold up in court but that still means the expense of going to court.

      --
      I am armed because I am free. I am free because I am armed.
    2. Re:Says volumes by swillden · Score: 5, Insightful

      By keeping the algorithm a secret then we have effectively added a few more bits to the key.

      You didn't, really.

      If the attacker has your binary, decompiling it is not hard. I don't even have to decompile it in most cases; merely watching the pattern of memory accesses is generally enough to identify at least the class of algorithm used (there aren't that many), and examination of S-boxes etc. tells the rest. And if the algorithm you used is remotely close to breakable -- by brute force or any other means -- then you're hosed.

      Obscurity is very foolish except in one case: security hardware which has internal storage, and can't practically be updated. A good example is a smart card chip. In that case, all you can do is do the best job you can on the software, and the best job you can do on the hardware (whose job is partly to deny the attacker access to your software), and then keep it secret. Assuming the hardware doesn't leak it, and you don't leak it, then the attacker can only blindly fuzz the device to look for vulnerabilities.

      In practice, though, smart card makers don't do that either. They do provide full details of hardware and software, including source code, to a couple of highly-capable test labs, who spend many months poring through all of it as well as fuzzing it, attempting physical penetration of the hardware and everything else they can think of.

      If your organization did that, hired multiple outside teams of extremely talented people to attack your implementation, and you kept the attacker away from the binary as well as the source, then perhaps you gained something from the obscurity. If not, you just fooled yourselves, and made your product weaker than it would have been if you had published the design and the source code for the world to beat on.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
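An added example, not code from swillden or anyone in this thread, of the check the reply above describes: a scan of a constructed stand-in for a compiled binary for the fixed constants that table-driven cipher and hash implementations carry, which is what an auditor verifying an opaque product does first. The fingerprint table, the image and its offsets are constructed here; it assumes an ordinary table-driven build that has not been deliberately obfuscated.

```python
import struct

# Constants that land verbatim in the data section when these algorithms are
# compiled in. Real scanners (the findcrypt family) carry far larger tables;
# these three are enough to show that the algorithm is not a secret.
AES_SBOX_PREFIX = bytes([
    0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
    0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
])
SHA256_IV = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
             0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19]
MD5_IV = [0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476]


def _signatures():
    """Byte patterns to look for; word tables are tried in both endiannesses."""
    sigs = [("AES S-box", AES_SBOX_PREFIX)]
    for name, words in (("SHA-256 initial state", SHA256_IV),
                        ("MD5 initial state", MD5_IV)):
        for endian in ("<", ">"):
            sigs.append((name, struct.pack(f"{endian}{len(words)}I", *words)))
    return sigs


def find_crypto_constants(blob):
    """Return sorted (offset, algorithm) pairs for every fingerprint in blob."""
    hits = []
    for name, sig in _signatures():
        start = 0
        while (idx := blob.find(sig, start)) != -1:
            hits.append((idx, name))
            start = idx + 1
    return sorted(hits)


def build_sample_image():
    """Constructed stand-in for a firmware image: filler bytes around an AES
    table and a SHA-256 state laid out little-endian, as an x86 build would."""
    filler = bytes(range(256)) * 4  # 1024 bytes, contains none of the patterns
    return (filler + AES_SBOX_PREFIX + filler[:100]
            + struct.pack("<8I", *SHA256_IV) + filler)


if __name__ == "__main__":
    for offset, name in find_crypto_constants(build_sample_image()):
        print(f"{offset:#08x}: {name}")
```

A single linear pass recovers the choice of algorithm, so the "extra key bits" that secrecy of the algorithm was supposed to add are gone before any brute force begins.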
  5. Oh, Really? by Bruce+Perens · Score: 5, Insightful

    I've published the source code of my own products since about 1987. The difference between Symantec and me is that I give the source code to everyone, and I give them an incentive to read the code, because they can also redistribute and modify it, and put it to any use.

    And of course a national entity that wants to enough, like the government of Russia, is going to get a look at the Symantec source code even if it means getting someone into a job there to do it. So, isn't Symantec just saying that their proprietary paradigm is a poor one from a security perspective?

    1. Re:Oh, Really? by Dantoo · Score: 5, Funny

      I think the most significant thing about this story is that Bruce Perens still visits /.

      Err hi Bruce!

    2. Re:Oh, Really? by alvinrod · Score: 3, Insightful

      That's a poor argument. It's hard to count the value of open source software because in many cases there is no charge. The world wouldn't be anywhere near where it is now if there were no Linux, Apache, or the various other open source products that are used the world over, and everyone were stuck buying some commercial product that wouldn't necessarily even be as good.

      A lot of developers of proprietary software still use open source tools. Both git and SVN are among the most popular version control systems and very little collaborative work could occur on the levels required today without tools like that. That developers can freely use and improve those tools just means that money can be spent elsewhere. How many billions would need to be spent if FOSS like that didn't exist?

    3. Re:Oh, Really? by freeze128 · Score: 4, Funny

      With all due respect to Bruce... Who cares about Bruce Perens? I want to know what Peter Norton thinks of this!

  6. Good and bad nations? by AHuxley · Score: 4, Insightful

    Who gets a review?
    USA, UK, NZ, AU, Canada?
    Some of the more trusted NATO nations? All of NATO? Nations wishing to join NATO soon?
    Some other nations? A China? Brazil? Japan?
    Why would any nation buy into a security product they have not seen all the code to?
    Other developers will just offer their products for review. How long before nations just say no review, no buy?

    --
    Domestic spying is now "Benign Information Gathering"
  7. Don't Waste Your Money by Anonymous Coward · Score: 5, Interesting

    Step 1: US company Equifax allows personal ID data for hundreds of millions of people to be stolen and nobody seems to care.

    Step 2: US Government condemns Kaspersky Labs for potentially leaking information to the Russians. Thus destroying Kaspersky's US market.

    Step 3: Symantec prohibits government source code reviews. Thus ensuring an NSA backdoor.

    So, no matter what you do, you are screwed.
    There is clearly no such thing as Cyber Security.
    Put your money on Molson beer.
    It is a much better investment.

    1. Re:Don't Waste Your Money by sittingnut · Score: 5, Insightful

      usa government (and its cronies) logic :
      kaspersky software finds (as it is supposed to) nsa's new malware on an nsa contractor's private computer. alerts hq, russian gov perhaps hears about it. kaspersky is a security threat.
      meanwhile symantec never finds any nsa malware. symantec won't let others examine its source. symantec is patriotic!

    2. Re: Don't Waste Your Money by sittingnut · Score: 5, Insightful

      how come some low id Slashdot accounts are pushing the Kremlin line recently? Is it anything to do with a comment on the 20 year anniversary story saying these accounts are worth money or has the Slashdot database been hacked?

      maybe "low id slashdot accounts" prefer openness, individual freedom, and critical thinking, over secrecy, "security" (as defined by the deep state), and propaganda.

  8. Security through obscurity by v1 · Score: 3, Informative

    "In security engineering, security through obscurity (or security by obscurity) is the reliance on the secrecy of the design or implementation as the main method of providing security for a system or component of a system. A system or component relying on obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that if the flaws are not known, that will be sufficient to prevent a successful attack. Security experts have rejected this view as far back as 1851, and advise that obscurity should never be the only security mechanism."

    So either the CEO of Symantec is a security idiot, or he has a better reason he's not sharing.

    And if he's claiming the reason for using Security Through Obscurity is to provide his customers with a stronger feeling of being secure, I do hope the masses aren't idiots and this backfires as spectacularly as it really should.

    --
    I work for the Department of Redundancy Department.
  9. Outsource the development by Kellamity · Score: 4, Funny

    to a third world nation.

    Then anyone can review it and probably won't be able to make any sense of it whatsoever. Unless they are fluent in spaghetti code. It's like a cheaper type of encryption.

  10. Real risk is discovering the backdoors by Anonymous Coward · Score: 3, Interesting

    they put in for NSA.

    You guys all misunderstood what they were afraid of. They are not afraid of foreign governments finding flaws in their software; they are afraid of foreign governments finding the NSA backdoors, and thus banning Symantec in their country. With the USA's example of banning Kaspersky, Symantec wouldn't even have any grounds to complain.