Stealing Source Code

Hackers stole some source code to Symantec's products. We don't know what was stolen or how recent the code is -- the company is, of course, minimizing the story -- but it's hard to get worked up about this. Yes, maybe the bad guys will comb the code looking for vulnerabilities, and maybe there's some smoking gun that proves Symantec's involvement in something sinister, but most likely Symantec's biggest problem is public embarrassment.

Posted on January 9, 2012 at 12:55 PM • 36 Comments

Comments

dbCooperJanuary 9, 2012 1:11 PM

Related to the theft is this article, which I posted earlier on the "squid" comments.....

Hackers Expose India's Backdoor Intercept Program

http://www.securityweek.com/...

Contains such nuggets as: "Security and privacy researcher Christopher Soghoian commented, “Due to export control [requirements], NSA (and until 2010, Commerce Dept) have source code for all US made enterprise security/communications products...”

Posted by: dbCooper at January 9, 2012 10:51 AM

bcsJanuary 9, 2012 1:34 PM

It's an irony that the modern theory of information security holds that you should assume the enemy has access to everything but the keys. In other words, the most valuable secret is a number you pick out of a hat.

SixDaysJanuary 9, 2012 2:02 PM

When I studied IT security a couple of years ago, the Swedish branch of Symantec sent their head-honcho Joakim von Braun to our class.

He started with something along the lines "Let's not discuss symantec/norton antivirus, it sucks, I know.". We all thought it was hilarious.

And I think your conclusion is the right one, that their code is more likely to be crap than anything else.

Marc EspieJanuary 9, 2012 2:07 PM

"Security thru obscurity".

If that code is their anti-virus stuff, that might be bad. At least up to now, virus writers who wanted to go under the radar had to either reverse-engineer symantec products, or run lots of tests.
Well, the entry barrier got lower.

Considering how many bad design decisions have to happen in an OS for the user to REQUIRE an anti-virus, I won't cry too much over it.

f0xikJanuary 9, 2012 2:12 PM

crap or not, the corporate version of Symantec antivirus was one of the few manageable antiviruses back in the day (and may be still is).

it's installed on a lot of PCs in corporate networks that might be targeted now.

first Kaspersky, then ESET, now Symantec. so, somebody is up to something.

wumpusJanuary 9, 2012 2:28 PM

@Marc Espie : Considering how many bad design decisions have to happen in an OS for the user to REQUIRE an anti-virus, I won't cry too much over it.

You might have to re-think what you mean when you say "OS". It seems that any program that can read and write files (or up/download networked data), and can evaluate such data in a Turing-complete way can require either good design or an anti-virus.

Most modern browsers seem to meet the "OS" and "bad design" criteria. Pretty much as a requirement of current webpage standards (maybe I'm just thinking of extensions).

GrantJanuary 9, 2012 2:33 PM

And in addition to their antivirus, Symantec also owns the whole PGP Corp line of products.

MartinJanuary 9, 2012 4:06 PM

I'm not a native English speaker, but German. In German the words to steal (stehlen) and theft (Diebstahl) imply, that the legitimate owner of the good in question does not have access anymore. A typical example would be a purse. If the theft happens with use of violence or violent threat, we talk about robbery (Raub). In this case, illegitimate users of the victims servers managed to copy (kopieren) data, which is neither theft nor robbery, at least in the German language. Doesn't this apply to English, too?

NickJanuary 9, 2012 4:15 PM

Surely it makes it a lot easier for the bad guys to come up with a trojaned version that does more complex "bad stuff" while still appearing to do the right thing...

Nick PJanuary 9, 2012 4:56 PM

@ Nick

"Surely it makes it a lot easier for the bad guys to come up with a trojaned version that does more complex "bad stuff" while still appearing to do the right thing..."

That sounds like the best thing to do, aside from selling 0-days on the black market.

DougJanuary 9, 2012 5:09 PM

Martin: Dictionary definition: Stole: to take (the property of another or others) without permission or right, especially secretly or by force.

Intellectual property is property.

On to my main point though, I agree that someone may find vulnerabilities in the source code, but that's not a big deal. The bigger question is if someone can go through the source code and find out why it's so darn piggish, buggy, and slow :-). Now that would be a BIG deal.

MarkHJanuary 9, 2012 7:28 PM

@Doug et al.

It is a common usage (originating, I believe, from owners of intellectual property) to use some form of the words "steal" and "thief" to refer to the use of intellectual property without authorization. And Bruce in his post followed this usage.

"Steal" (and for the same reason, "thief") is not very appropriate to this meaning, as a couple of commenters observed here. These are emotionally-charge spin words intended by owners of intellectual property to elicit sympathy to their cause.

If a car is parked in the owner's garage, it will be generally accepted -- at least for law enforcement purposes! -- that it is not stolen property.

Try this thought experiment: a copyrighted work is duplicated in a state that is not party to a treaty of copyright recognition with the state (or group of states) in which the work was copyrighted. Certainly, this is an instance of unauthorized copying. No law has been broken in the state where the copy was made, and though other states may claim some sort of extraterritorial jurisdiction, there is in fact none that is bound to be respected.

What did the intellectual property owner lose in this situation? Was anything stolen? Was anything lost at all? I suggest that the answers to these questions are at least debatable.

Rational discussion is best supported by calling things what they are (unauthorized copying, or unlawful copying as the case may be). I try to use language that accurately denotes, in preference to language that is designedly polemical.

kashmarekJanuary 9, 2012 9:46 PM

It seems that public embarassment is the thing they work hardest at to avoid or protect from being the target of. Now, if they would only work that hard at producing a product of value and protect that product, public embarassment would be the least of their worries. The same applies to "state secrets".

ApJanuary 10, 2012 2:30 AM

Seems to me antivirus software is the least of the concerns here. Things Symantec owns:
Backup software
Corporate security suites
PGP
Versign's old certificate business

Seems to me there are one or two pieces of this that the source code leaking might be of concern, especially as it relates to security auditing or possible algorithm exposure. Did they say what the code in question was related to?

GuSJanuary 10, 2012 5:14 AM

Obtaining a copy of the source code (possibly in an illegal way) may or may not reveal vulnerabilities in the code, or it's design.

But reading the developers comments in the source code may be very interesting reading.

As a software developer, I can tell a couple of things:

It is very common, and in a professional context required, to include comments in your source code. Most developers do.

Bad comments (very common) explains what the code does. The comments then assume that the reader of the source code doesn't understand the sour code. They are bad because if you're a C developer, you should understand C code. (Apply to your language of choice.)

Good comments (less common) explain why the code does something. Such as: To workaround a limitation in hardware or in the current codes design. To work around flaws in a sister application. Or because the manager required us to do it this way. (The last example more common that what you'd like to think.)

Good comments also point out weaknesses that should be dealt with "when time and money so allow" (oh, how common). In this case, they will also typically include proposed improvements to the same weaknesses.


My point is that known weaknesses will typically be indicated in the comments in the source code, but will typically not make their way into the distributed piece of software. Which is why the source code can reveal known weaknesses in clear-text in a straight-forward way.

LinkTheValiantJanuary 10, 2012 9:05 AM

Gus's post regarding comments in the code is probably the biggest reason to be concerned over this whole thing. The potential for weaknesses to be handed over in clear text far outweighs other concerns.

Well, that's assuming the developers know what they're doing, of course. There could be some question about that, given how badly Symantec AV misuses system resources.

Rational discussion is best supported by calling things what they are (unauthorized copying, or unlawful copying as the case may be). I try to use language that accurately denotes, in preference to language that is designedly polemical.

I wouldn't be so harsh. The use of "steal" in this context gets across the point that they were unauthorized to obtain the code. It is the wrong word, but in this day and age, using the correct terminology in media is a sure way to get your standard reader to go "wut?" and move on without reading. (Not that the readers of this blog would be likely to do that, but Mr. Schneier doesn't always write for this audience.)

Not to mention, the phrase "unauthorizedly copied" is ridiculously unwieldy.

I do not condone the intellectual property overlords, but to assert that a common usage is intended as emotional spin is a reach. There is no other single word in common usage that succinctly describes this action

Clive RobinsonJanuary 10, 2012 9:51 AM

@ LinkTheValient,

I do not condone the intellectual property overlords, but to assert that a common usage is intended as emotional spin is a reach. There is no other single word in common usage that succinctly describes this action

Err I would contend the oposit of what you say in all three respects.

Firstly I do support the notion of IP and the IP originators (not holders) right to apply some method of getting recognition and recompense. However I do recognise that the current ways of dealing with IP by having to "asign to a holder" are very very wrong and are being exploited by many organisations unjustifiably.

Secondly I think the charge of "spin" by the IP Holders is more than justified, the act of theft is by most definitions stealing an object. For instance if I take the van Gough "sunflowers" painting I'm certainly taking an object of (percieved) value. However if I photograph it, what have I taken? I've certainly not removed the physical object so I've not denied the owner the possession of that object. Further the artist is long dead so I'm not denying the IP originator any of their rights and privileges pertaining to the creation of the object.

Likewise if I take a photograph of the outside of your house from the public highway what have I taken? what have I denied you?

Thus what have I stolen? the majority of law relating to theft pertains to "loss" in most jurisdictions, thus if you cannot demonstrate a real loss the law does not apply. What lawyers are good at though is sowing confusion and conflation in peoples heads to their advantage, and I would say this is exactly what they try to do with words like "Piracy", "theft", "stealing", etc.

Thirdly your final contention that "there is no other single word" is fairly obviously not true the simple word "copying" says very accuratly what the person is doing, and importantly it describes the action not the motivation by either the person or others nor does it convey any emotion to others.

So if IP holders (not the originators) want to claim somebody is a thief, let them explain clearly accuratly and unemotionaly what they belive the preson has done and then show a very clear and real loss by measures that can be agreed by all. So far I've yet to see any IP Holders do this to a reasonabl level...

abadideaJanuary 10, 2012 10:18 AM

As someone who does binary analysis for a LIVING, I can assure you that any vulnerability it's possible to discover in the source code can also be discovered in the installed binaries. All the source code does is increase the number of people competent to do this a bit.

Although as noted, the comments may have something embarrassing or sensitive in them.

cipherpunkJanuary 10, 2012 10:35 AM

This is an issue that has occurred in the gaming industry plenty - and some of the top companies that have been on the receiving end of this of course took proper action to avoid this problem long ago; simple action as implementing an isolated sub-net within their respective organizations to support all development and code repositories. I guess companies are always willing to tradeoff the security of their assets for the convenience of access. Unfortunately this is something that is going to continue to make headlines...

LinkTheValiantJanuary 10, 2012 2:03 PM

My apologies for dragging this off-topic. Rather than derail the thread with multiple responses, Mr. Robinson, I will merely say this: "Exploit a server vulnerability and make unauthorized copies" is much more of a mouthful than "steal from a server". Asking the general public (or, good luck, the media) to use long terms for precision's sake is a failed battle. I do not support the current system of IP, but I do not feel threatened by a word. It means about as much as the correct styling of GNU/Linux: It matters for the courtroom, but in the newspaper it can do what it pleases.

simple action as implementing an isolated sub-net within their respective organizations to support all development and code repositories.

Which would have done exactly nothing in this instance, since the unauthorized access was on a third-party server. All the good systems in the world don't do squat when you hand your data to someone else who can't be trusted to maintain equal standards.

But hmm, that doesn't sound at all familiar, like a rising computing trend in the last couple of years. . .

BOB!!January 10, 2012 3:41 PM

@Clive - saying that "copying" accurately describes what the hackers did is simply not true. If I break into your house and take a photograph of your possessions, it is true that I haven't stolen anything. But it follows from what you said that it would be an accurate characterization to say that I "photographed your possessions" and leave it at that. Or, for a somewhat more accurate analogy; what if I brought a photocopier with me when I broke into your house and photocopied your unpublished manuscript? Would you then say "copied" is an accurate characterization of what I did?

There is no single-word accurate characterization of what the hackers did. But "stole" is much closer to an accurate characterization than "copied" since "copy" contains no element of it being unauthorized. Especially since the copying that took places has arguably reduced the value of Symantec's original, else why would Bruce even think it worthy of mention.

PJanuary 10, 2012 4:19 PM

I reported to Symantec several years ago bugs (user input able to cause command execution) in the CGI scripts that form part of a Veritas package but in response I've never been told they've acted on this.

Clive RobinsonJanuary 10, 2012 5:14 PM

@ LinkTheValient, BOB,

The original stated intent was,

There is no other single word in common usage that succinctly describes this action.

So a single word, the title of this blog page is

Stealing Source Code

Gaining access by whatever means was not included in the argument.

But if you wish to use law from the physical world to further argue about access then you will find in many juresdictions gaining access into somebodies home is not a criminal act but the civil act (tort) of tresspass. It only becomes subject to prosecution under criminal law when some loss is incurred such as "Breaking and Entry" the crime is "breaking" that is commiting damage to the property, the "entry" qualifies it from other forms of damage.

So in effect under the old physical laws no crime was commited just the tort of "trespass" and the act of copying some or all of the content of the server which define a "work" weather derived or otherwise.

However what has happened is people have tried using physical world laws for information world problems. As we have found to our cost the physical world laws have mapped badly onto the non physical information world in a lot worse way than trying to put a left boot backwards on a right foot. The lobyists then got involved and new laws introduced for the non physical information world have by and large been over reaching, over draconian and worse mainly compleatly ineffective.

This is in the main actualy due to the "underlying assumptions" of the legal system based on "physical ideals" which in the minds of the legislators are axiomatic. Untill they stop this aberrant behaviour we will end up with truckloads more bad law paid for out of "campaign contributions" "consulting contracts" and other sleaze.

Oh by the way this mistaken belief of "physical maps onto informational" is prevelant in security, if you care to sit down and think about it (or look up my past posts on the subject) you will find that in reality the physical world is a subset not a superset of the information world. And this means that "informational maps onto physical". That is a security solution that works correctly in the informational world will apply with minor modification onto the physical world but most security that works in the physical world even with major modification will not work in the informational world.

SlackJanuary 11, 2012 5:04 AM

Clive, do you harbour any plans to author a treatise/book/blog on security design, or indeed, any other topic? It would be nice to have a source for "The Gospel According to St Clive" that is not spread across the scattered comments pages of several blogs. I'm sure others will have asked you the same question, but there's no harm in repeating a good question. :)

N.B. I do hope your health remains in good order.

Clive RobinsonJanuary 11, 2012 6:22 AM

@ Slack,

Clive, do you harbour any plans to author a treatise/book/blog on security design, or indeed any other topic

I started writing a series of pamphlets for my son a few years ago, to be a sort of "self learning" document. Due in the main to the vagaries of the UK educational system where teaching fundementals is considered unnecessary dur to "market forces"....

Unlike other books/guides/pamphlets I've written for teaching/training people, I've not realy thought about writing one for "general publication" because of the amount of extra effort involved.

Most general publication books contain as little as 10% new knowledge / ideas, the rest of the book is designed to catch edge cases that less experianced readers are in danger of getting hung up on Which is why pamphlets and standing there fielding questions is more efficient at getting the audiance/students up and running.

As for a blog no, I've been asked before but the answer is still the same, the amount of work involved stopping attacks, defacement, and dealing with those wishing to abuse the blog for their own ends is large. Also actually hunting around for "new and original" articals to post about is again a lot of work, which is why I post the more interesting or down right quirky things I come across on the Friday Squid page here.

As for my health, thank you for asking, sadly the news is, I'm currently confined to bed with a temp of 38.4C awaiting to see what effects the drugs have on it. So if the above is not making to much sense blaim it on whatever ails me currently. Or the sight of a nurses ankles ;-)

What happens in Vegas stays in InfraguardJanuary 11, 2012 2:25 PM

probably code whitewashed and e-sanded from any revealing backdoors, I'm just kidding... or am I?

Clive RobinsonJanuary 11, 2012 3:19 PM

There appears to be a new twist to this...

It has been claimed that the source code was copied from a Government server in India. Which also had information copied from a US Government server on it as well as some documents purporting to come from the Indian Intelligence Service...

We have the US war hawks going on about China-APT, will they now go on about Indian-APT?

http://infosecisland.com/blogview/19309-Exclusive-Indian-Intelligence-Infiltrated-US-Government-Networks.html

GregJanuary 11, 2012 3:22 PM

We're a Symantec AV customer for our Enterprise, and I find it interesting that Symantec chose to specify "consumer" products and risk, instead of "consumer and business".

Richard HJanuary 12, 2012 9:27 AM

@Martin You're correct, at least under English law, where theft is defined by the first sentence of the Theft Act 1968: "A person is guilty of theft if he dishonestly appropriates property belonging to another with the intention of permanently depriving the other of it; and ‘theft’ and ‘steal’ shall be construed accordingly", which goes on to explain the five tests:

  • dishonestly

  • appropriates

  • property

  • belonging to another

  • with the intention of permanently depriving

If it doesn't satisfy those 5 tests it isn't theft.

SlackJanuary 12, 2012 12:30 PM

Clive, my thanks for the considered and detailed reply while both sickly and beset on all sides by naked ankles. I saw a lady's knee once and could only type long strings of the letter "n" for a month.
I confess to feeling a little disappointed in your answer, but on the other hand, zookeepers have long known that hiding treats around the enclosure does wonders for keeping the animals amused and engaged in their environment. Bruce really should pay you a commission. :)

averrosJanuary 14, 2012 4:00 AM

@ Doug: "Intellectual property is property."

Except that it is not. Property is perpetual, scarce (i.e. the quantity of things is limited), and is universally recognized in all human cultures; the very notion of property predates governments.

"Intellectual property" is temporary, not scarce (i.e. can be reproduced infinitely), and is a very recent idea, utterly dependent on governments for its existence.

In fact, this term is a perfect example of newspeak - a deliberate use of words to mean something completely different in order to prevent meaningful discussion and understanding.

In fact, the notions of property rights and "intellectual property rights" are logically incompatible. You can't have "intellectual property" without violating real property rights, and vice versa.

The real meaning of "intellectual property" is "temporary transferable monopoly grant". Use it instead of "property" if you want people to take your arguments seriously.

averrosJanuary 14, 2012 4:05 AM

Why does anybody think that leakage of Symantec's snake oil is a big deal? The dirty secret of the AV industry is that most current malware *is not* detected by their products. The stuff the signature-based AV products detect is usually lame, relatively harmless, and mostly long-forgotten viruses. The real professional malware easily slips through unnoticed.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..