Symantec may have tried to bribe hackers, but definitely betrayed its own customers
Symantec might have tried to bribe hackers, or been extorted by them, but still failed its customers
It looks like Symantec was right to tell customers last month to quit using its wildly popular pcAnywhere remote-access product, though it went so far as to try to buy off the Indian hackers who stole it before giving up hope of keeping it offline.
It's not clear who took the source code for pcAnywhere and other Symantec products in 2006, but it was posted to Pastebin early this morning by the same group whose threat to release the code prompted Symantec to admit the hack in December and put a moratorium on the use of pcAnywhere Jan. 24.
The Lords of Dharmaraja (LoD) are Mumbai-based affiliate of Anonymous, which announced the release on Twitter under the AnonymousIRC and YourAnonNews Anon news channels.
The Lords posted only a snippet of the code on Pastebin, but added a link to ThePirateBay, onto which they loaded the whole pcAnywhere source code file as a torrent available to anyone. By this morning several users had already promised to re-post and redistribute it.
The Pastebin posts lacked the braggadocious commentary of most Anonymous releases, especially those coming from #AntiSec, an operation launched by the late, unlamented LulzSec splinter group that terrified Corporate America with its hacks last summer and horrified the rest of the Internet with its painfully stilted revolutionary rhetoric.
Anon sympathizer OpCensorThis made up for the lack somewhat with a tweet that read "Symantec right now" and linked to a YouTube video of a crying baby.
$50,000, but was it bribery or extortion?
First they lied about being hacked in 2006. Then they didn't tell anyone about the hack or vulnerabilities for years. And now they're bribing? – AnonymousSabu, Twitter, Feb. 6
Catching a major vendor in a lie about their own security problems was a great enough source of Lulz for most Anonymi, but the story got better this morning:
YamaTough, the LoD who actually held the Symantec source code, posted a string of emails that appear to be an attempt by Symantec to negotiate the return of its code, including the offer of $50,000 paid to YamaTough and the LoD.
A Symantec spokesman released a statement saying the hackers had tried to extort the money from Symantec and that even discussing the payoff was part of an investigation involving a law-enforcement agency Symantec won't name.
YourAnonNews announced the revelation with a tweet reading "Symantec tried to bribe hackers not to release their source code. Don't they know you can't bribe an idea?"
That led to a host of retweets, posts and comment from sympathizers laughing it up over the image of Symantec offering payoffs to hackers.
It also led to a list of tough questions from commenters who said the full text of the email exchange made it look more like YamaTough and the LoD were extorting money from Symantec rather than being offered a bribe.
Tell me again why holding source code for ransom is a noble idea that can't be besmirched?
"You can't bribe an idea," AnonymousSabu tweeted, which is true.
You can bribe hackers who have the idea. Extorting money from corporations afraid of being hacked or DDOSed has been a lucrative business for quite a lot of hackers for years.
Whether that was the case with Symantec isn't clear, like a lot of things aren't clear.
Anonymous – at least those speaking publicly to represent some faction of the whole group – are too high-minded and idealistic to consider selling their ideals for a quick bribe.
They paint themselves and Anonymous as freedom fighters opposing dictators, censors, manipulative, controlling corporations and anyone else putting a foot on the neck of the little guy.
They have quite a record to back up that image, too: attacks on the governments of Libya, Egypt, Syria, attacks in defense of WikiLeaks and Bradley Manning, attacks on police department and FBI web sites to interrupt investigations of Anonymous itself. Even a long taped conversation between U.S. and U.K. hacker-hunters that was posted last week.
Anonymous as a group makes a good case for its ideals and idealism. That's no guarantee individual members or splinter groups don't use their skills and reputation to steal or extort money from potential victims, though.
One of the most frequent accusations by more established hackers against the LulzSec sKids was that they talked a good game ideologically, but also made money under the table by allowing themselves to be bribed off target or hitting targets that promised a direct payout.
It's not clear from the stories Symantec and LoD tell which was the culprit in any code-for-money exchange that might have been negotiated.
Given the clandestine nature required of Anonymous by its goals and methods it's not easy to tell who among the Guy Fawkes-masked horde is a full-time idealist and who wanders into the shadows for money to pay the bills.
Dirty hands on both sides, but Symantec's fault is incomparably greater
This situation is particularly odd, considering the length of time between the attack and posting of the source code.
Why did YamaTough and the LoD wait six years to reveal that they had the code? If they got it from someone else, why did he or she not go public?
If Symantec had already paid off whoever stole the code, and YamaTough was just trying to renew the payoff, why did Symantec seem not to know what source code the hackers actually had?
Whatever the real story, neither Symantec nor the LoD end up looking good.
While YamaTough and the LoD simply look a little shady, however, which you have to expect of hackers, Symantec comes off looking naïve, foolish and ignorant about the risks it faces.
Not knowing for six years what was stolen, not admitting anything when you do know and then trying to minimize the impact of that knowledge by pooh-poohing the risk of having the source code for a remote-access product in the hands of a hacker's collective?
That's not just amateurish, it's clumsy, deceptive and negligent.
Denying a risk and hiding it from customers is bad enough for software developers in most lines of work.
In security there's no room for it. Hiding the scale of a hacking risk directly contravenes the trust a security company's customers put in it. It is the most direct form of betrayal – promising to protect customers and then hiding the fact that you're not doing it.
It's possible YamaTough and the LoD were looking for a bribe when they threatened to release Symantec source code. I don't know that to be true, but it's certainly possible.
Symantec's guilt isn't in question, however.
Given the chance to be honest and supportive of its customers, to add to the protection it had already promised to provide by offering timely information on how they could protect themselves from Symantec's security failure, Symantec chose to protect itself.
So Symantec was right in saying customers should protect themselves by not using pcAnywhere anymore, to protect themselves from Anonymous.
It just forgot the rest of the warning: that customers should also stop using Symantec's other security, antivirus and backup products as well, to protect themselves from Symantec.
Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.