

$50,000 to keep Symantec source code private - tonyrice
http://www.zdnet.com/news/hackers-50000-to-keep-symantec-source-code-private/6342977

======
nlh
I feel like episodes like this give Anonymous a bad name...[ sic ;) ]....not
that their name/reputation is so stellar in the first place.

But this isn't Hacktivism or whatnot. This is pure outright theft and
extortion. It's not "fight the man" or "prevent censorship" or even WikiLeaks-
style "information wants to be free".

It's profit-motivated organized crime syndicates trying to extract some $$
from a company. They hacked Symantec because the virus-writers of the world
want to be able to write more viruses so they can infect more machines and
create more botnets and send more spam and/or do more phishing...and make more
money. That's it.

It's frustrating because part of the problem with a group like Anonymous is
that you don't get to declare who is and who isn't a part (by definition).

I suppose human nature is human nature - in the real world or online, the same
scenarios play out time and time again....

~~~
JS_startup
I've always found a lot of correlations between Anonymous and Al Qaeda. Not
because of terrorism or exploding vans but because both are relatively
unorganized collectives who appear much scarier than they are because
independent operators/cells will claim they are flying under the group's
banner, leading to headlines like "Anonymous Hacks Symantec".

The media eats up the concept of an organized global conspiracy group so it
works out for everyone; the media makes money, the independent operators have
a convenient, catch-all banner to fly under and the collective gets publicity
for their cause.

~~~
nyar
Funny you should say that, I always saw anons as CIA.

------
darxius
The source was leaked last night:
[http://thepiratebay.se/torrent/7014253/Symantec_s_pcAnywhere...](http://thepiratebay.se/torrent/7014253/Symantec_s_pcAnywhere_Leaked_Source_Code)

Has anyone heard of an official response from Symantec?

~~~
fossuser
Now that the code is available I wonder if the product will get better.
Although I'd imagine any community that tries to form around it might get
smacked down with a lawsuit. It'd be interesting to allow one to develop
though.

~~~
tlrobinson
I doubt anyone will attempt to form a community around 3rd party
builds/modifications to it. Malware authors will look for vulnerabilities, and
curious people might study it (though you should be extremely cautious about
doing so)

------
djtriptych
So what's the legal environment around downloading the now-leaked source? I
have to say I'm pretty curious about the code quality and possible
backdoors...

Are there even protections for the press in this case? Or is everyone who pulls
this torrent guilty of receiving stolen property or something along those
lines?

Excuse my ignorance, but frankly I'd like to poke around.

~~~
jrockway
You can't be convicted of a crime without evidence. It's pretty easy to obtain
public content and look at it without leaving behind any evidence. Tor, full
disk encryption, and anonymous remailers are your friend.

------
DanielStraight
According to this source, Symantec's reply was law enforcement posing as
Symantec:

[http://blogs.computerworld.com/19695/antisec_leaks_symantec_...](http://blogs.computerworld.com/19695/antisec_leaks_symantec_pcanywhere_source_code_after_50k_extortion_not_paid)

------
drcube
I know nothing about antivirus software, but isn't security software supposed
to be open? Otherwise, it's just security through obscurity. It sounds to me
like Symantec just wants to hide all their vulnerabilities.

~~~
elliottcarlson
There is a large market for antivirus software - obviously Symantec is one of
the biggest - but there are trade secrets in how their heuristics engines work
and other secrets that give them a possible competitive edge.

~~~
drcube
Seems to me like they would also get a competitive edge by ignoring the
expensive antivirus programming and just sending the occasional false alert to
the user to make them think their software is actually doing something. When
they get a real virus: "Well, we can't catch all of them, sorry. Go ahead and
pay for an update, that might fix it."

How would you even know, unless you saw the source code?

~~~
Travis
Aside from the difficulty in uncovering the truth, I think this would be a
clear example of criminal fraud. It would take a pretty large effort to cover
up something like this, as well (disgruntled ex-employees would be hugely
incentivized to speak to prosecutors).

So while you probably wouldn't know via technical means, my gut feeling is
that a conspiracy in a company that large would quickly surface.

~~~
drcube
I agree. My point was that you don't know _what_ they're doing. It probably
isn't as bad as "nothing at all", but you can't say where along the spectrum
between that and "rock solid" they actually lie without taking a peek under
the hood. Which is why I'm a proponent of free and open-source software
wherever possible, especially for security applications.

------
feralchimp
AnonymousFlorida's side of the story:

- in 2006, anon members steal Symantec source for the lulz

- Symantec contacts the FBI and sets up a pretty transparent attempt to sting
those responsible

- Anonymous punishes Symantec for the sting attempt, after some internal
debate, by releasing the source as a torrent

Has the ring of truth to it, IMHO.

------
rdtsc
This will set a bad precedent for such things (unless it is orchestrated as a
sting operation).

If genuine, it would be interesting to know the primary motivation -- does
Symantec not want the world to see its source because it is afraid its
competition will steal its ideas ("our source code is full of awesome ideas")
or its source code is pretty bad, sloppy, with backdoors for Uncle Sam that
will pretty much shame the company ("our source code is awful and we'll be
embarrassed if it was revealed").

~~~
DevX101
I'm pretty sure the "let's send you $1000 over Paypal as a sign of good faith"
was a trap.

Looks like the hackers didn't fall for it.

~~~
stef25
Giving in to not quite what they're being asked to do and trying to buy time
does smell like 5-0. If I were them I'd release it at the first signs of
stalling and then move on to blackmailing the next company, who will know
better than to contact police and just pay the 50K.

------
driverdan
5 year old code poses a security threat to PCAnywhere users? All the more
reason to not use any of their products. Source code should never pose a
security risk.

~~~
incongruity
Perhaps – but it's certainly the case that if one wanted to find an exploit,
it would likely be easier with the source code in hand.

Now, this isn't an argument against open-source software – much to the
contrary, in fact, because, I'd argue, OSS has, by virtue of being developed
in the open, had much more opportunity for bugs to be seen by contributors and
by those looking to crack/exploit it. As exploits are found, they get patched.
Closed source code, on the other hand, faces a lot of catch-up when its code
is released into the wild.

I'd argue that's a bit like what happens to one's immune system if it's not
regularly challenged (particularly as a child). Frequent exposure to pathogens
tends to make one's immune system better, whereas living in a bubble only
works as long as nobody lets you out.

Also, as much as codebases change, many parts stay the same, so yes, 5 year
old code may well still be similar to currently shipping code that
unexploited/unpatched issues may well still exist.

~~~
driverdan
I understand your immune system analogy but it isn't really accurate. Symantec
is a billion dollar international corporation which markets itself as being
security oriented. They should be doing rigorous security testing, including
3rd party code review. They should be paying the best of the best to crack
their code. If they're not, they're doing it wrong.

------
joedev
@AnonymousFlorida says "Anonymous NEVER asked for money"

Really?

"How much do you consider ENOUGH to pay us in order to work all the issues
out"

"we shall give you our account number within the LR system and you send money
from your LR acct to ours"

Considering these snippets from the email exchange, what am I not
understanding about the claim that they did not ask for money?

~~~
rdtsc
They are probably both stringing each other along and playing a game to see
what the other side does. This might be not unlike the HBGary incident.

If Anon are at least mildly intelligent they'll figure out this is a sting
operation. Slowly trickling in money then following it to the source is most
likely an FBI setup.

Now Anon could keep playing this and accept money but provide some random bank
account just to see what Symantec does.

Actually, to think about it, their best possible exit out of this is to ask
this money to be sent to a charity, or a foundation. For example, "Donate $50k
immediately to EFF and we'll promise we'll erase the source files".

But then going by their previous patterns they'll probably release the source
anyway.

I don't know, but if this is an FBI sting they are not very ingenious. "We'll
give you money in the course of 3 months as continuous payments... you'll have
to provide proof you deleted files.. really?". A 10 year old can figure out
what this is. Kind of disappointed at the quality of their work (and our tax
money's use).

------
zalew
<http://hackerne.ws/item?id=3560533> original submission, not zdnetted

------
bravura
_Yamatough demanded that Symantec transfer the money via Liberty Reserve, a
payment processor based in San Jose, Costa Rica. But Thomas appears reluctant,
calling it "more complicated than we expected." Thomas instead suggests using
PayPal to transmit a $1,000 test as "a sign of good faith." Yamatough rejects
that offer, saying, "Do not send us any money (we do not use paypal period)_

Could someone comment on how it is possible to use Liberty Reserve to receive
money anonymously?

The stakes are really high for getting caught, and receiving the money is the
weakest point for the hackers. So I'm curious why Liberty Reserve is the
payment processor of choice for these cyber-criminals.

------
Ctech237
At this point Symantec has probably come to the conclusion that their source
code is compromised. I don't think it’s possible for them to assume that anon
won't use the source for themselves. The whole thing is a sting operation. If
it wasn’t then Symantec’s future is dependent on an agreement that has no way
of being verified. Anon probably knows this too and they're just having a laugh.

------
chrisledet
Just $50k?

~~~
Ctech237
Yeah seriously, their turnover in 2010 was $6 Billion. I mean if you're gonna
take all that risk ask for at least $50 million.

~~~
rplnt
It was just for one product, pcAnywhere.

~~~
Ctech237
Yes but there are probably lots of code blocks that are used throughout their
entire software line. Like how they establish secure connections between the
client software and the update server.

~~~
rplnt
Still, the code is worthless for anyone if your product is secure. And I would
imagine that a product by a security company would be secure.

Antivirus software might be something different as you might learn how to
trick it. But "remote desktop"? It doesn't require any "security by
obscurity".

~~~
djtriptych
The source is still pretty valuable to a competitor right?

~~~
rplnt
I would say no. Although I might be mistaken as I don't know what exactly the
application is capable of. But from the brief description I think it doesn't
contain any magic; something that a competitor would love to see. The only
benefit I see for competitors is the bad press.

------
aledalgrande
Anonymous say it was Symantec trying to bribe them.

[https://twitter.com/#!/YourAnonNews/status/16689812134180454...](https://twitter.com/#!/YourAnonNews/status/166898121341804544)

------
mrlinx
How is blackmailing to not release data something Anonymous would want?

~~~
TylerE
Because of course everything _else_ Anonymous has done is totally legal, above
board, and not at all disreputable.

------
jshowa
Has anyone on here even looked at the source code?

------
danvideo
one of the article's comments links to pastebin that appears to be the source
code already posted - as of last night

------
Tichy
Is the code so embarrassing? If I wouldn't avoid them already, I would do so
now.

------
recursive
This makes Symantec look a lot worse than "Anonymous" IMO. Symantec is
supposedly a reputable computer software company. The fact that they have to
resort to legal means to secure their own source code is not a positive
indication that they do a good job.

~~~
chollida1
> The fact that they have to resort to legal means to secure their own source
> code is not a positive indication that they do a good job.

Really?

So if I, a supposedly reputable citizen have to resort to calling the police
after my house is broken into that reflects poorly on me?

Symantec may have done things that reflect poorly on them, but I don't think
calling the police in is one of them. That's what you are supposed to do.

Remember that pretty much every tech company has had some of their code broken
into, whether it's Microsoft's OS, to Google's Chinese Gmail back doors to
Oracle's db leak.

~~~
freehunter
> So if I, a supposedly reputable citizen have to resort to calling the police
> after my house is broken into that reflects poorly on me?

No, if you as the CEO of ADT had to call the police after a home break-in,
that would reflect poorly on you. Symantec is not a "reputable citizen",
they're a security vendor. It's not the fact that they called the police, it's
the fact that calling the police was necessary at all.

~~~
chollida1
> No, if you as the CEO of ADT had to call the police after a home break-in

Really?

That's a really silly point of view. Break ins happen at the most secure
places, and a police report is required to collect any insurance.

Calling the police is not only the smart thing to do, it's also the right
thing to do.

------
stef25
How did the source code end up on servers not belonging to Symantec?

------
robomartin
These people need to be found and they need to go to jail for a very, very
long time. The best possible response from the hacker community is to help dig
these people out of their caves and turn them in.

Why?

Because this represents yet one more step towards the criminalization of the
Internet. And this provides yet more fuel for politicians to get behind
nonsense like SOPA. Keep this up and the Internet as you know it today will
not be for long. There is no possible good outcome from these kinds of
actions.

Either we police our own ranks or they will do it for us. The difference is
that politicians will use a sledge-hammer for surgery rather than a scalpel.
Be the scalpel.

~~~
robomartin
I find the downvotes interesting. It seems that some in the HN community are
OK with crime and intellectual property theft. Sad.

