
Symantec CEO says source code reviews by foreign states pose unacceptable risk - ohjeez
http://www.reuters.com/article/us-usa-cyber-russia-symantec/exclusive-symantec-ceo-says-source-code-reviews-pose-unacceptable-risk-idUSKBN1CF2SB
======
rdslw
Yeah, sure. That's the company which according to Google (March) has a huge
mess in its own nest of Certification Authority, resulting in Google Chrome
removing their certs: [https://arstechnica.com/information-technology/2017/03/google-takes-symantec-to-the-woodshed-for-mis-issuing-30000-https-certs/](https://arstechnica.com/information-technology/2017/03/google-takes-symantec-to-the-woodshed-for-mis-issuing-30000-https-certs/)

~~~
micaksica
This. I would trust most non-security tech CEOs to give better security advice
than the executives at Symantec.

~~~
nwatson
The Symantec CEO has been in that position only since Symantec acquired Blue
Coat last year, where they were CEO previously. The Symantec CA happened well
before their current term.

~~~
pgeorgi
Blue Coat. Has problems with foreign governments being unfriendly?

I guess what goes around comes around: [http://surveillance.rsf.org/en/blue-coat-2/](http://surveillance.rsf.org/en/blue-coat-2/)

~~~
hetspookjee
What a fantastic website that is! To add to your point: amazing how skewed
one's morals can be if they believe they're doing the right thing by providing
those countries these kinds of tools.

~~~
axonic
More reasons "trust us" isn't acceptable anymore.

[https://en.m.wikipedia.org/wiki/Unethical_human_experimentat...](https://en.m.wikipedia.org/wiki/Unethical_human_experimentation_in_the_United_States)

------
nobodyorother
So they're basically admitting that their antivirus tools aren't secure enough
to handle a basic code review?

Yup, totally makes me want to buy copies.

"No, guys, security by obscurity totally works in this one case! Because it's
us! Come on, you trust us right?"

~~~
macspoofing
To play devil's advocate, they may not be worried about vulnerabilities in
their code but rather vulnerabilities in their method of virus detection, the
same way Google doesn't share details about their search algorithm partly so
it isn't gamed by spammers. Actually this is common in software that is meant
to protect against sophisticated attackers. Blizzard and Valve used to have
periodic mass bans but they would never say what exact action triggered a ban.
In fact you would get no information and the ban itself may have come months
after some hack was used so that crackers wouldn't know what specifically
triggered it.

~~~
TruthSHIFT
Somebody please reply to this. Both this comment and the above comment seem
reasonable. I don't know what to believe!

~~~
raesene9
For me, worrying about "vulnerabilities in their virus detection method" seems
unlikely.

We're talking about downloadable software here, not a cloud service like
Google. Once a hostile nation state has access to your binaries (as they would
with an installed product like A-V) they can just fuzz the A-V detection
method to find bypasses.

Heck, that's what pentesters and red teamers do on a regular basis. A-V bypass
is a common thing in that world, so if people at that level can do it you can
bet that nation state actors can do it.

~~~
tedivm
Yeah, when I worked at Malwarebytes we did not really care about this issue.
If people are going to download it they are going to reverse engineer it.

We also did third party security audits on a regular basis, but still wouldn't
be comfortable allowing that to be done with other countries. Purely my own
opinion here, but my concern wouldn't be a security one so much as an
intellectual property one- it's pretty well known that other governments
(China, Russia) have strong links to their commercial sectors and little
regard for IP protection.

------
thg
> “As a vendor here in the United States,” Clark said, “we are headquartered
> in a country where it is OK to say no.”

Until the government comes knocking and can demand pretty much everything with
your only option being a secret court that always sides with the government
anyway.

Is it too much tinfoil to think that this isn't so much about "putting
security over sales" than it is about "making sure that NSA backdoor remains
hidden"?

~~~
radicaldreamer
Just ask the former Qwest CEO about saying “no”.

~~~
macsj200
Could you elaborate?

~~~
acqq
2013:

[http://www.businessinsider.com/the-story-of-joseph-nacchio-and-the-nsa-2013-6?IR=T](http://www.businessinsider.com/the-story-of-joseph-nacchio-and-the-nsa-2013-6?IR=T)

"Only One Big Telecom CEO Refused To Cave To The NSA ... And He's Been In Jail
For 4 Years"

2015:

[https://www.forbes.com/sites/janetnovack/2015/05/01/u-s-avoids-trial-on-ex-qwest-ceos-nsa-claims-with-18-million-tax-refund-deal/#3ba6e73e705e](https://www.forbes.com/sites/janetnovack/2015/05/01/u-s-avoids-trial-on-ex-qwest-ceos-nsa-claims-with-18-million-tax-refund-deal/#3ba6e73e705e)

"the government has avoided a trial in which the 65-year-old former executive
planned to air what he says was his refusal, in 2001, to allow Qwest to
participate in a National Security Agency program he believed was illegal."

2016:

[http://fullmeasure.news/news/politics/encryption-battle](http://fullmeasure.news/news/politics/encryption-battle)

~~~
CamelCaseName
I think it's unfair not to clarify that he went to jail for insider trading.

He believes that the government only brought the action against him
because he refused to divulge user data, but he is in jail because of insider
trading.

~~~
acqq
Some details from the last link:

"the NSA proposition to Qwest was nearly seven months before 9/11, according
to Nacchio."

"In a bizarre twist, the judge in Nacchio's case, Edward Nottingham, was soon
embroiled in scandal, accused of soliciting prostitutes and allegedly asking
one to lie to investigators. He resigned and apologized, but wasn't
prosecuted."

"Nacchio's conviction was overturned on appeal in a decision that found Judge
Nottingham made key errors.

But the government got the conviction reinstated by a split judges' panel."

------
exabrial
Anti-virus products are a huge security risk.

~~~
rdtsc
Some might think it is a joke, but it is dead serious:

[https://googleprojectzero.blogspot.com/2016/06/how-to-compromise-enterprise-endpoint.html](https://googleprojectzero.blogspot.com/2016/06/how-to-compromise-enterprise-endpoint.html)

Unfortunately running an anti-virus is an overly broad requirement in some
industries to pass certifications and audits. It's one of the cases where
"security" mandates and requirements lead to insecurity.

~~~
matart
Insurance company made us all install anti-virus software.

~~~
pmiller2
They didn't make you do anything. They either refused to insure you or would
raise your rate if you didn't.

~~~
rdtsc
No they didn't hold a gun to their heads, pretty sure. I think it's pretty
clear they made it a condition of not dropping them or not raising their
premiums.

~~~
paulddraper
Eh. Holding a gun to your head doesn't _make_ you do anything.

You either do what they want or die. Your choice.

------
ihsw2
The article decries balkanization of tech services but it noticeably omits a
middle path -- offering consulting services for open source software.

Surely, in this aspect, it stands to reason that this section of the tech
services industry is more robust in the face of such an encroachment. The only
losers in such a situation are the likes of Symantec, who claim secrecy and
obfuscation are a feature rather than a bug.

~~~
codedokode
It would make more sense to make the code open source but not free - anyone
can see but nobody can use the code.

~~~
arkona
And how would you enforce that? What would prevent anyone with access to the
code from building it and using it? I don't see any way except maybe stripping
the code of significant parts.

~~~
jononor
You could keep the virus fingerprint database outside the codebase. Customers
would then pay for access (and updates) to the fingerprints.

The fingerprints have to be some sort of data, like regular expressions or
another limited instruction set which can only parse the incoming file and not
communicate with the outside world.

The company could automatically release fingerprints into the open after a
time, say 6 months.
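As an added illustration of the scheme described in the comment above (not code from any AV product or from the thread): signatures are plain data, a hex pattern with `??` wildcards plus an optional fixed offset, evaluated by a matcher that only reads the input bytes and performs no I/O, so the open engine reveals nothing about the paid feed. The feed entries, sample blobs and the 182-day embargo are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample feed: (name, hex pattern with '??' wildcards, fixed offset or None, date added).
FEED = [
    ("Demo.HeaderMarker", "deadbeef", 0, date(2017, 1, 10)),
    ("Demo.Wildcard", "ca??ba??", None, date(2017, 9, 1)),
    ("Demo.NeverMatches", "00ff00ff", 4, date(2017, 3, 5)),
]

# Constructed input blobs; neither is real malware.
SAMPLE_CLEAN = bytes(range(16))
SAMPLE_FLAGGED = b"\xde\xad\xbe\xef" + b"XX\xca\x37\xba\x39Y"


def parse_pattern(hex_pattern):
    """Turn 'de??ef' into [0xde, None, 0xef]; None is a one-byte wildcard."""
    if len(hex_pattern) % 2:
        raise ValueError("pattern must be whole bytes")
    pairs = [hex_pattern[i:i + 2] for i in range(0, len(hex_pattern), 2)]
    return [None if p == "??" else int(p, 16) for p in pairs]


def match_at(data, pattern, offset):
    """True when `pattern` matches `data` starting at `offset` (bounds-checked)."""
    if offset < 0 or offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))


def scan(data, feed):
    """Pure function over the bytes: names of all signatures that match `data`."""
    hits = []
    for name, hex_pattern, anchor, _added in feed:
        pattern = parse_pattern(hex_pattern)
        # A fixed offset checks one position; otherwise slide over the whole blob.
        offsets = [anchor] if anchor is not None else range(len(data) - len(pattern) + 1)
        if any(match_at(data, pattern, off) for off in offsets):
            hits.append(name)
    return hits


def public_subset(feed, today_iso, embargo_days=182):
    """Signatures old enough to be released openly (the 6-month idea above)."""
    today = date.fromisoformat(today_iso)
    return [sig[0] for sig in feed if today - sig[3] >= timedelta(days=embargo_days)]


if __name__ == "__main__":
    print(scan(SAMPLE_FLAGGED, FEED), scan(SAMPLE_CLEAN, FEED))
    print(public_subset(FEED, "2017-10-13"))
```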

~~~
arkona
So... stripping the code of significant parts

This seems like a pretty good business model idea though!

------
zekevermillion
I would think all serious clients would want to review the source code of any
security critical software that they intend to use. However, there could be
some argument that allowing only selected clients (Russia) to review the
source, while denying the larger security community access to source, does
pose a risk. Of course Symantec does not, surely, intend to imply that its
code should be published.

------
Feniks
Meanwhile my own government in its infinite stupidity is storing confidential
tax records on US owned clouds. Apparently they haven't revised their 1950s
policy that the Americans are the good guys.

Say what you want about Russians but they know how the game is played. And
they are good at it too.

------
statictype
Do you need to access source code in order to analyze software for backdoors?
Shouldn't you be looking directly at the compiled machine code?

There's no guarantee that the source code you are looking at matches the
binaries that are being distributed isn't it?

~~~
JumpCrisscross
> _There's no guarantee that the source code you are looking at matches the
> binaries that are being distributed isn't it?_

Couldn't one compile from source and then compare blobs?

~~~
detaro
I wonder how many commercial code bases/products can do that. Certainly an
interesting proposal for verification purposes like this, but e.g. the recent
Debian efforts show that it is not trivial.

~~~
JumpCrisscross
> _the recent Debian efforts show that it is not trivial_

Is there a link on this you recommend?

~~~
leni536
[https://wiki.debian.org/ReproducibleBuilds](https://wiki.debian.org/ReproducibleBuilds)

------
aneutron
I think there are two points to consider:

1) From a security point of view, put yourself in the shoes of the other
states. The NSA and its friends have a well proven history of backdoors and
state-sponsored malware. From the Stuxnet/Flame family to the backdoors that
were found on the hard-drive malware (story was on HN recently, I'll try to
find it). So it is very normal, and as a matter of fact I'd say it's abnormal
for a government to take a security product that holds administrative rights
on the computer, without first inspecting its code to verify for backdoors.
There is no such thing as a better state. I read in the comments "politically
charged states". Well from the point of view of a Russian, the US is a
politically charged state. Keep it relative, ladies and gentlemen.

2) I've read people complaining about how "the way they scan"/"the way they do
the detection" will be compromised. The way the AV software works IN GENERAL
doesn't differ from one another. From a binary of the software one can
identify with "relative ease" (for threat actors who are sponsored by
governments) when the unpacking happens, decompression happens, sandboxing,
hashing blocks, etc. As for the parts that are unique to the AV, for example
watchdog parts and heuristics, these can also be reverse-engineered or just
obtained through classical spying etc.

So all in all, source code reviews are, in my opinion, a very necessary thing.
Because frankly if a simple source code review is going to fundamentally break
your AV software, there has to be something wrong with that product. Because
setting aside the government looking at the source code, hundreds of devs have
already looked at it.

------
syshum
I have always found this fear over "foreign states" to be a bit odd. Sure, if
you are an international company, or a US Government contractor, it might be a
concern, but for me, a natural born US citizen that rarely if ever travels
abroad and never to the nations of China or Russia, I have limited reasons to
fear those nation states. Sure, they could steal my ID and cause me some
momentary financial harm, but the US government is empowered to put me in a
cage, physically harm me or even kill me. With the state of the legal system,
and massive amounts of laws and regulations that can be used to literally arrest
anyone at any time, I have much much more to fear from the US government
obtaining my information than I do from the Russian or Chinese governments.

Am I missing some key piece of information? Why is Symantec willing to allow
the US Government to review the code but not "foreign" states? What makes the
US Government the pinnacle of virtue and honor?

------
Crespyl
It's interesting that Symantec claims to be denying governments the ability to
review code for the safety of their end-users, but won't allow those same end-
users the ability to review the code for themselves.

~~~
josephmosby
In many cases those governments _are_ the end users. They're buying the same
licenses as run-of-the-mill businesses.

Furthermore, if you said "well, private users only can review the code," then
every government is just going to ask its code reviewers to independently
purchase private licenses. There's no way to keep government users out of
source code reviews unless you totally block code reviews whole cloth.

------
codedokode
Without code review, how can a government make sure that the product doesn't
contain backdoors?

> These are secrets, or things necessary to defend

Backdoors from NSA?

~~~
srcmap
Learn from Israel - hack Kaspersky and do the code review from inside. :-)

------
microcolonel
Run ClamAV instead, it's built to be run continuously, on sensitive servers,
handling untrusted data sent directly over email.

~~~
codedokode
Is it comparable to commercial AV solutions? Can it intercept network traffic,
run executables in a sandbox, use heuristics for detecting new viruses?

~~~
reiichiroh
ClamAV's detection ability is really a joke.

~~~
StudentStuff
It's 94% as good as the best AV, so not too bad.

~~~
KekDemaga
The truth is all AV is pretty bad.

------
AnimalMuppet
They're not so arrogant about their code being bulletproof that they're
willing to hand it to an adversary and say, "Sure, knock yourself out - see if
you can find any holes"? Yeah, I'm not sure that I see a problem here.

~~~
Johnny555
If Symantec considers the government to be an adversary, then why are they
trying to court them as a customer?

From the article:

 _Tech companies have been under increasing pressure to allow the Russian
government to examine source code, the closely guarded inner workings of
software, in exchange for approvals to sell products in Russia._

~~~
GauntletWizard
Customers are often your adversaries. In fact, it's almost entirely the case -
They're looking to extract concessions, get cheaper goods and services, etc.
The customer has incentive to bleed as much as they can from the seller, and
the seller also has incentive to bleed as much as they can from the customer.
Cooperation despite adversarial relationship is the great benefit of
capitalism, but doesn't mean you can ignore the adversity.

There's also a very different mode to their relationships. Symantec is selling
to the Russian government - bureaucracies, and it's selling black boxes.
Russia is trying to leverage it, to give it advantage in a different mode -
Intelligence. Both Symantec and the Russian intelligence agencies are in the
infosec business. It's not that uncommon for businesses to do business despite
competing in some areas - Samsung was a core iPhone supplier despite also
making phones.

------
louithethrid
Taking the hiss out of the snakeoil, wouldn't they?

------
5ilv3r
Welp, He's straight up lying. Source code would not be their actual virus
definitions which are binary patterns, so screw these guys.

------
gatmne
I'm sure that properly run foreign states consider unauditable software an
unacceptable security risk as well. Between this nonsense and Symantec's
history of security mishaps, I'll be making sure to avoid this company from
now on. I'll also recommend against dealing with them if asked.

Ridiculous.

------
askvictor
The article doesn't say anything about blocking foreign states specifically;
they are blocking all code reviews (the US doesn't generally require them
however, at least on the record); perhaps update the title?

I'd assume the US govt is as much at risk as any other.

------
thewhitetulip
Right, just trust the US govt to do the morally right thing.

------
ringaroundthetx
protip: Nevada requires the source code of all the video casino games.

Easier target than a nation state.

This practice is fundamentally flawed.

------
thinkMOAR
The irony.. Installing Symantec software, they pose an unacceptable risk.

------
yCloser
poor NSA... Now they surely won't be able to obtain the source code

------
partycoder
Colluded people like to fight in public.

------
macsj200
The enemy knows the system.

------
evan_
_Foreign Government_ code reviews, not code reviews in general.

~~~
dang
Added above. Thanks!

