Symantec may have tried to bribe hackers, but definitely betrayed its own customers

Symantec might have tried to bribe hackers, or been extorted by them, but still failed its customers

By  

Anonymous as a group makes a good case for its ideals and idealism. That's no guarantee individual members or splinter groups don't use their skills and reputation to steal or extort money from potential victims, though.

One of the most frequent accusations by more established hackers against the LulzSec sKids was that they talked a good game ideologically, but also made money under the table by allowing themselves to be bribed off target or hitting targets that promised a direct payout.

It's not clear from the stories Symantec and LoD tell which was the culprit in any code-for-money exchange that might have been negotiated.

Given the clandestine nature required of Anonymous by its goals and methods, it's not easy to tell who among the Guy Fawkes-masked horde is a full-time idealist and who wanders into the shadows for money to pay the bills.

Dirty hands on both sides, but Symantec's fault is incomparably greater

This situation is particularly odd, considering the length of time between the attack and posting of the source code.

Why did YamaTough and the LoD wait six years to reveal that they had the code? If they got it from someone else, why did he or she not go public?

If Symantec had already paid off whoever stole the code, and YamaTough was just trying to renew the payoff, why did Symantec seem not to know what source code the hackers actually had?

Whatever the real story, neither Symantec nor the LoD ends up looking good.

While YamaTough and the LoD simply look a little shady, however, which you have to expect of hackers, Symantec comes off looking naïve, foolish and ignorant about the risks it faces.

Not knowing for six years what was stolen, not admitting anything when you do know and then trying to minimize the impact of that knowledge by pooh-poohing the risk of having the source code for a remote-access product in the hands of a hacker's collective?

That's not just amateurish, it's clumsy, deceptive and negligent.

Denying a risk and hiding it from customers is bad enough for software developers in most lines of work.

In security there's no room for it. Hiding the scale of a hacking risk directly contravenes the trust a security company's customers put in it. It is the most direct form of betrayal – promising to protect customers and then hiding the fact that you're not doing it.

It's possible YamaTough and the LoD were looking for a bribe when they threatened to release Symantec source code. I don't know that to be true, but it's certainly possible.

Photo Credit: Reuters/Yves Herman
