81 comments

[ 2.8 ms ] story [ 181 ms ] thread
How is blackmailing to not release data something Anonymous would want?
Because of course everything _else_ Anonymous has done is totally legal, above board, and not at all disreputable.
Just $50k?
Yeah seriously, their turnover in 2010 was $6 Billion. I mean if your gonna take all that risk ask for a least $50 million.
It was just for one product, pcAnywhere.
Yes but there are probably lots of code blocks that are used throughout their entire software line. Like how they establish secure connections between the client software and the update server.
Still, the code is worthless for anyone if your product is secure. And I would imagine that product by security company would be secure.

Antivirus software might be something different as you might learn how to trick it. But "remote desktop"? It doesn't require any "security by obscurity".

The source is still pretty valuable to a competitor right?
I would say no. Although I might be mistaken as I don't know what exactly is the application capable of. But from the brief description I think it doesn't contain any magic; something that competitor would love to see. The only benefit I see for competitors is the bad press.
Not if Symantec has any proof that they've touched it. You're legally screwed if you touch this code thanks to any combination of patents, trade secrets, or even good old-fashioned copyright violation (just because the source is out there doesn't mean you can use it).
"..product by security company would be secure"

By this logic, wouldn't you also expect the storage of the source code to be secured?

In my mind, security implies all forms; physical, logical, in-transit, at rest, etc

> By this logic, wouldn't you also expect the storage of the source code to be secured?

No, developers have to have access to the code and they can just steal it. And this wasn't even the case. If I read correctly, the code was leaked by 3rd party (some India state agency) which had it for some sort of security review.

> Still, the code is worthless for anyone if your product is secure. And I would imagine that product by security company would be secure.

Actually they had known vulnerabilities, but they didn't think it worth their time to fix them until their code was to be released.

http://www.symantec.com/theme.jsp?themeid=anonymous-code-cla...

> On Friday, January 27, 2012, Symantec released a patch that eliminates known vulnerabilities affecting customers using pcAnywhere 12.0 and pcAnywhere 12.1.

Poorly worded that's all, after all, you can't fix unknown vulnerabilities.
Bit trickier to send or receive that through channels like Liberty Reserve.
This will set a bad precedent for such things (unless it is orchestrated as a sting operation).

If genuine, it would be interesting to know the primary motivation -- does Symantec not want the world to see its source because it is afraid its competition will steal its ideas ("our source code is full of awesome ideas") or its source code is pretty bad, sloppy, with backdoors for Uncle Sam that will pretty much shame the company ("our source code is awful and we'll be embarrassed if it was revealed").

IME this ALWAYS ends up with jail, when figures are present it is usually already a cop negotiating.
I'm pretty sure the "let's send you $1000 over Paypal as a sign of good faith" was a trap.

Looks like the hackers didn't fall for it.

Giving in to not quite what they're being asked to do and trying to buy time does smell like 5-0. If I were them I'd release it at the first signs of stalling and then move on to blackmailing the next company, who will know better than to contact police and just pay the 50K.
Both probably. Also patent trolls ("Using a for loop to sequentially read the bytes of a file" and what not).

Finally, I suspect at least part of the reason is that the source code contains a number of heuristics that, if known, are easier to circumvent for malware developers.

The first sentence opens with "As a part of a sting operation..."
> users of its remote-access suite PCAnywhere may face a "slightly increased security risk."

Back doors seem distinctly possible. I'll bet there is some seriously poor crypto in there, too.

This is software that is designed to find viruses and malware. The authors of viruses and malware would be interested in seeing the source code and seeing how to get around it.
This makes Symantec look a lot worse than "Anonymous" IMO. Symantec is supposedly a reputable computer software company. The fact that they have to resort to legal means to secure their own source code is not a positive indication that they do a good job.
So you'd prefer illegal means? I'm not sure I understand your comment.
No, I believe he refers to technical means. Meaning being able to prevent the leak.
Right, so that's what I originally thought, but they are two separate problems.

Yes, of course it would be ideal to prevent the leak in the first place - being a security company and having your sourcecode stolen is not exactly ideal, nor does it reflect very well on your ability to achieve the express purpose of your company.

HOWEVER, what's done is done, and given this source code has been stolen, I would on balance prefer Symantec to retrieve the code/neutralize the threat through legal means, rather than acting as "hax0rz" themselves. Whether or not this approach will work is a third debate - you'd hope this was, as suggested, a ploy by law enforcement working with Symantec, but I feel like it would reflect far worse on the company if they took an underhand approach to the situation. It's damage limitation at this point, and for a company so integrated with non-tech companies and individuals a legal approach seems a far more sensible option.

> The fact that they have to resort to legal means to secure their own source code is not a positive indication that they do a good job.

Really?

So if I, a supposedly reputable citizen have to resort to calling the police after my house is broken into that reflects poorly on me?

Symantec may have doen things that reflect poorly on them, but I don't think calling the police in is one of them. That's what you are supposed to do.

Remember that pretty much every tech company has had some of their code broken into, whether it's microsoft's OS, to Google's Chinese gmail back doors to oracle's db leak.

>So if I, a supposedly reputable citizen have to resort to calling the police after my house is broken into that reflects poorly on me?

No, if you as the CEO of ADT had to call the police after a home break-in, that would reflect poorly on you. Symantec is not a "reputable citizen", they're a security vendor. It's not the fact that they called the police, it's the fact that calling the police was necessary at all.

> No, if you as the CEO of ADT had to call the police after a home break-in

Really?

That's a really silly point of view. Break ins happen at the most secure places, and a police report is required to collect any insurance.

Calling the police is not only the smart thing to do, it's also the right thing to do.

What can they do? All it takes is one employee and a flash drive to leak the source code anonymously. Considering the value of a 0-day exploit on the open market, I'm sure that an interested party could find some low-level junior developer to bribe to steal the source code. And here we are today.
But that isn't what happened. They were owned, multiple times, and have admitted that this was stolen during a hacking incident that they didn't investigate previously.
one of the article's comments links to pastebin that appears to be the source code already posted - as of last night
Is the code so embarrassing? If I wouldn't avoid them already, I would do so now.
The source was leaked last night: http://thepiratebay.se/torrent/7014253/Symantec_s_pcAnywhere...

Has anyone heard of an official response from Symantec?

Now that the code is available I wonder if the product will get better. Although I'd imagine any community that tries to form around it might get smacked down with a lawsuit. It'd be interesting to allow one to develop though.
I doubt anyone will attempt to form a community around 3rd party builds/modifications to it. Malware authors will look for vulnerabilities, and curious people might study it (though you should be extremely cautious about doing so)
At this point Symantec has probably come to the conclusion that their source code is compromised. I don't think it’s possible for them to assume that anon won't use the source for themselves. The whole thing is a sting operation. If it wasn’t then Symantec’s future is dependent on an agreement that has no way of being verified. Anon probably knows this too and there just having a laugh.
So what's the legal environment around downloading the now-leaked source? I have to say I'm pretty curious about the code quality and possible backdoors...

Are there even protections for the press in this case? Or is every who pulls this torrent guilty of receiving stolen property or something along those lines.

Excuse my ignorance, but frankly I'd like to poke around.

You'll likely be labeled a terrorist and not be able to board an aeroplane... at least in the USA.

Edit: I meant this to be humorous, though it may not be far from the truth. If Symantec values its source code above a certain dollar amount, I'm sure it would be a federal offense in America to download this code. This is how Kevin Mitnick became a federal fugitive... it was simply based on the dollar amount of the source code he possessed.

You can't be convicted of a crime without evidence. It's pretty easy to obtain public content and look at it without leaving behind any evidence. Tor, full disk encryption, and anonymous remailers are your friend.
How did the source code end up on servers not belonging to Symantec?
I feel like episodes like this give Anonymous a bad name...[ sic ;) ]....not that their name/reputation is so stellar in the first place.

But this isn't Hacktivism or whatnot. This is pure outright theft and extortion. It's not "fight the man" or "prevent censorship" or even WikiLeaks-style "information wants to be free".

It's profit-motivated organized crime syndicates trying to extract some $$ from a company. They hacked Symantec because the virus-writers of the world want to be able to write more viruses so they can infect more machines and create more botnets and send more spam and/or do more phishing...and make more money. That's it.

It's frustrating because part of the problem with a group like Anonymous is that you don't get to declare who is and who isn't a part (by definition).

I suppose human nature is human nature - in the real world or online, the same scenarios play out time and time again....

Indeed, anarchy is a double edged sword. Anyone can do anything they like under the "Anonymous" name and no one can say "hey, they don't speak for us".
Actually they could, assuming that "they" exist as a single coherent entity that sets policy etc. Even without exposing their identities. All they would need to do is set up a pgp key which all official anonymous press releases would need to be signed with, end of story.

That they don't do this is evidence to me that they're perfectly happy to have random acts of digital crime attributed to them.

when is it Anonymous and when is it just anonymous?
You're Anonymous if you say you're Anonymous, and anybody can do that. It's as simple as that.
I am actually surprised that there hasn't been more intelligence service activity in order to paint Anonymous in a bad light..

It would be pretty easy to just sabotage some infra structure element that people depend on, attribute it to Anonymous and create a massive public outcry for tougher legislation in the virtual environment.

I think it's due to two factors:

First, I still think the FBI (and other such deeply hierarchical organizations) are fundamentally unable to comprehend something like Anonymous on its full scale. They can't fathom the concept of a working collective that defines itself merely by willful association.

Second, this could backfire so fucking hard, even the FBI knows better. Seeing how often they've been embarrassed by Anonymous in the past, I don't think they are willing to take the risk of such an operation, only to have them exposed by the very people they tried to sabotage.

Thirdly, they're doing a good enough job at it themselves.
It seems that the service agencies are indeed stuck in that hierarchical system, but they seem to be trying to break out of this occasionally. Didn't even one of them offer some rewards for intelligence related gadget hacking projects etc?

Plus the backslash. I don't know. First it would force Anonymous into some form of "yeah we are Anonymous but this wasn't us" defense - something that is very difficult to argue when the premise of the collective is that everybody can be a member. And second most targets so far seemed to be somewhat low-key with relatively lax security in place.

Watch out, there will be people who will point out that this isn't theft, because Symantec still has it's copy - and they are technically correct. And the following discussion if this is morally equivalent to theft will never end.
I don't think it's theft. It definitely is extortion.
If so, isn't it also extortion when people say "If Hollywood doesn't release their content the way I want them to (cheaper and without DRM), I'm going to continue to pirate it"?
Yup, it's straight up theft. This shows the corrupt side of hacktivists, i guess.
I agree that it is an extortion and other crimes. But the motivation as you describe it implies that Symantec provides some useful services (protection from viruses, phishing) and it is not clear that it is the case.

Symantec might be the target for PR (its products are supposed to protect others but it can't protect itself) and 50000 other reasons.

It is not self-evident that an antivirus provides enough benefit to outweigh its disadvantages (resource-hog, false-positives (intentional?), can't detect all attacks). In short security theater is not security.

Of cause it doesn't make the crime any less.

I've always found a lot of correlations between Anonymous and Al Qaeda. Not because of terrorism or exploding vans but because both are relatively unorganized collectives who appear much scarier than they are because independent operators/cells will claim they are flying under the group's banner, leading to headlines like "Anonymous Hacks Symantec".

The media eats up the concept of an organized global conspiracy group so it works out for everyone; the media makes money, the independent operators have a convenient, catch-all banner to fly under and the collective gets publicity for their cause.

Funny you should say that, I always saw anons as CIA.
@AnonymousFlorida says "Anonymous NEVER asked for money"

Really?

"How much do you consider ENOUGH to pay us in order to work all the issues out"

"we shall give you our account number within the LR system and you send money from your LR acct to ours"

Considering these snippets from the email exchange, what am I not understanding about the claim that they did not ask for money?

I direct your attention to the name of the "organization"...
They are probably both stringing each other along and playing a game to see what the other side does. This is might be not unlike the HBGary incident.

If Anon are at least mildly intelligent they'll figure out this is a sting operation. Slowly trickling in money then following it to the source is most likely an FBI setup.

Now Anon could keep playing this and accept money but provide some random bank account just to see what Symantec does.

Actually, to think about it, their best possible exit out of this is to ask this money to be sent to a charity, or a foundation. For example, "Donate $50k immediately to EFF and we'll promise we'll erase the source files".

But then going by their previous patterns they'll probably release the source anyway.

I don't know, but if this is an FBI sting they are not very ingenious. "We'll give you money in the course of 3 months as continuous payments... you'll have to provide proof you deleted files.. really?". A 10 year old can figure out what this is. Kind of disappointed at the quality of their work (and our tax money's use).

These people need to be found and they need to go to jail for a very, very long time. The best possible response from the hacker community is to help dig these people out of their caves and turn them in.

Why?

Because this represents yet one more step towards the criminalization of the Internet. And this provides yet more fuel for politicians to get behind nonsense like SOPA. Keep this up and the Internet as you know it today will not be for long. There is no possible good outcome from these kinds of actions.

Either we police our own ranks or they will do it for us. The difference is that politicians will use a sledge-hammer for surgery rather than a scalpel. Be the scalpel.

I find the downvotes interesting. It seems that some in the HN community are OK with crime and intellectual property theft. Sad.
I know nothing about antivirus software, but isn't security software supposed to be open? Otherwise, it's just security through obscurity. It sounds to me like Symantec just wants to hide all their vulnerabilities.
There is a large market for antivirus software - obviously Symantec is one of the biggest - but there are trade secrets in how their heuristics engines work and other secrets that give them a possible competitive edge.
Seems to me like they would also get a competitive edge by ignoring the expensive antivirus programming and just sending the occasional false alert to the user to make them think their software is actually doing something. When they get a real virus: "Well, we can't catch all of them, sorry. Go ahead and pay for an update, that might fix it."

How would you even know, unless you saw the source code?

Aside from the difficulty in uncovering the truth, I think this would be a clear example of criminal fraud. It would take a pretty large effort to cover up something like this, as well (disgruntled ex-employees would be hugely incentivized to speak to prosecutors).

So while you probably wouldn't know via technical means, my gut feeling is that a conspiracy in a company that large would quickly surface.

I agree. My point was that you don't know what they're doing. It probably isn't as bad as "nothing at all", but you can't say where along the spectrum between that and "rock solid" they actually lie without taking a peek under the hood. Which is why I'm a proponent of free and open-source software wherever possible, especially for security applications.
Exactly. I've been saying this time and time again in the past: you cannot trust proprietary software for security, full stop.

As you point out, it's security through obscurity (which we all know isn't really security), but what's more, you can never know if there is a backdoor in proprietary software, or if it's actually doing what it's supposed to do (and not less, or more - like logging your activity or listening in on your traffic).

I know nothing about antivirus software, but isn't security software supposed to be open?

This is antivirus software, a specific sub genre of security software. Historically, the most popular such packages have not been open.

You are not expected to trust them not to have backdoors any more that you are expected to trust any other vendor (say, Microsoft). What you are expected to do is trust that it catches virus and third party spyware. Which, supposedly, it does, and people have been using it for ages.

Even if it was open, you would need to have it in binary form to run it, so you either need to know to compile it yourself and check the code first (not an option for 99.9999999 of the users) or trust the party that compiled it for you. And then you need to check again for every virus definition and engine update downloaded.

Better just trust the vendor and use it closed source...

5 year old code poses a security threat to PCAnywhere users? All the more reason to not use any of their products. Source code should never pose a security risk.
Perhaps – but it's certainly the case that if one wanted to find an exploit, it would likely be easier with the source code in hand.

Now, this isn't an argument against open-source software – much to the contrary, in fact, because, I'd argue, OSS has, by virtue of being developed in the open, had much more opportunity for bugs to be seen by contributors and by those looking to crack/exploit it. As exploits are found, they get patched. Closed source, code, on the other hand, faces a lot of catch-up when its code is released into the wild.

I'd argue that's a bit like what happens to one's immune system if it's not regularly challenged (particularly as a child). Frequent exposure to pathogens tends to make one's immune system better, whereas living in a bubble only works as long as nobody lets you out.

Also, as much as codebases change, many parts stay the same, so yes, 5 year old code may well still be similar to currently shipping code that unexploited/unpatched issues may well still exist.

I understand your immune system analogy but it isn't really accurate. Symantec is a billion dollar international corporation which markets itself as being security oriented. They should be doing rigorous security testing, including 3rd party code review. They should be paying the best of the best to crack their code. If their not they're doing it wrong.
In theory this could make their product even more secure, assuming whatever exploits are found are reported back to them.

It would be interesting if Semantec would do something like start a bounty for reporting exploits. But of course that would be promoting use of their source code which I'm sure they would never do.

AnonymousFlorida's side of the story:

- in 2006, anon members steal Symantec source for the lulz

- Symantec contacts the FBI and sets up a pretty transparent attempt to sting those responsible

- Anonymous punishes Symantec for the sting attempt, after some internal debate, by releasing the source as a torrent

Has the ring of truth to it, IMHO.

Has anyone on here even looked at the source code?
Yamatough demanded that Symantec transfer the money via Liberty Reserve, a payment processor based in San Jose, Costa Rica. But Thomas appears reluctant, calling it "more complicated than we expected." Thomas instead suggests using PayPal to transmit a $1,000 test as "a sign of good faith." Yamatough rejects that offer, saying, "Do not send us any money (we do not use paypal period)

Could someone comment on how it is possible to use Liberty Reserve to receive money anonymously?

The stakes are really high for getting caught, and receiving the money is the weakest point for the hackers. So I'm curious why Liberty Reserve is the payment processor of choice for these cyber-criminals.