Symantec Looks Into Claims of Stolen Source Code 116
wiredmikey writes "A group of hackers claim to have stolen source code for Symantec's Norton Antivirus software. The group is operating under the name Dharmaraja, and claims it found the data after compromising Indian military intelligence servers. So far it's unclear if the claims are a significant threat, as the information posted thus far by the hackers includes a document dated April 28, 1999, that Symantec describes as defining the application programming interface (API) for the virus Definition Generation Service. However, a second post entitled 'Norton AV source code file list' includes a list of file names reputedly contained within Norton AntiVirus source code package. Symantec said it is still in the process of analyzing the data in the second post."
Update: 01/06 07:05 GMT by S : In a post to their Facebook page, Symantec has now said some of their source code was indeed accessed, but it was four or five years old.
Symantec released a more up to date statement... (Score:5, Informative)
...on Facebook (yeah, I dunno). http://www.facebook.com/Symantec/posts/10150465997682876
Re:Why does the Indian military have the source??? (Score:5, Informative)
Wow, so the Indian military works with major US vendors like Norton to spy on their own people (and I assume other countries people since it will be the same source????)
I assume they have the source code so they can insert extra bits and dispatch spyware the next time Norton auto-updates?
You get an auto-update, they get a spyware app into your PC. Is that it?
I don't think the scandal here is that the source code was stolen, it is a scandal that Norton cooperates will military spyware!!
Wow, +4 already? The tinfoils must be up and about today.
Believe it or not, most major software vendors have licenses and policies in place (e.g., Microsoft [microsoft.com]) to allow sensitive institutions (governments, defense contractors, etc) access to their source code. The primary reason is actually the opposite of what you say. Customers such as the Indian government want to be able to see what's actually in the code before they agree to buy and install it on their own systems and network.
Think of it as the 1% always getting to run open-source software because they have the clout to demand it (and under strict a NDA).
Occupy Microsoft!
Re:Why does the Indian military have the source??? (Score:5, Informative)
Wow... so many assumptions in one post.
Don't you think the Indian military needs anti-virus software? Don't you think they would need to examine the source code before running software from an American company on potentially sensitive systems? And don't you think Symantec would give it to them to secure the contract?
Re:Why does the Indian military have the source??? (Score:5, Informative)
Actually, they probably want to audit the code for backdoors and other security vulnerabilities before deploying the software on their systems. A whole bunch of governments got snookered when Cryto AG [wikipedia.org] sold closed-source encryption software with a backdoor that allowed the US government to easily break their communications. In particular, the NSA was rumored to have backdoored Crypto AG systems since the fifties, allowing the US government to spy on communications from such warm and fuzzy countries as Iran.
A little perspective (Score:2, Informative)
A lot of Symantec haters out there. Funny
Lets put some things in to perspective here.
1. Norton is a consumer product. SEP is the enterprise product - Two very different products with very different code and both have been re-written a couple of years ago. (Works a lot better than before and is less "bloated")
2. I would very much doubt that a government defense organization would be purchasing a consumer product like Norton.
3. The segments of code found are from SAV (last rolled out apporximatley 5 years ago and does not exist anymore ) and SEP 11 (released 4 years ago and is no longer sold as SEP 12.1 is the current version and this was re-written to include new technology)