Bit9

The recent theft of Symantec’s flagship product, Symantec Endpoint Protection (SEP) version-whatever has the twitter-blogo-news-osphere in hyper-overdrive mode.  There’s lots of speculation about who the source was stolen from (right now seems like Indian military intel servers), who did it (credit claimed by a group called “Lords of Dharmaraja”), and what this means for Symantec and infosec in general.  But many of the talking points seem way off to me.

Attackers getting access to source isn’t, from a technology standpoint, the big deal that headlines want you to believe.  The first claim is that this is a huge blow to Symantec’s technology.  Now that their “secret sauce” is out there, big bad hackers will be able to have their way with SEP.  The biggest problem with this claim is that attackers worth their salt already have their way with SEP.  I have first-hand evidence that SEP is straightforward to bypass.  It’s a given in the infosec research community and has been for years.

Second, implicit in this claim is that having access to source code makes something less secure.  This isn’t true.  For example, the reason we have so much confidence in cryptographic algorithms like SHA256 is that they’re publicly available, for experts to scrutinize over a long period of time.  Proprietary encryption has a long sad history of failure.  Just ask DVD Jon.  Also, ask industry wonks which is more secure, IE or Chrome.  You’ll likely get a belabored argument which neither side will win.  Now, I wouldn’t rule out that Symantec has done some silly things that they wouldn’t do if they thought the bad guys had their source, but this argument is mostly erroneous.  Yes, it’s a bit harder to find flaws in software that’s only available as a binary.  But source code analysis is not the way most bugs are found.  There are a myriad of ways to find software flaws, including binary reverse engineering and automated analysis tools (fuzzers, static analysis, dynamic instrumentation, etc.).  That’s why QA folks have jobs.  Programmers are guaranteed to make mistakes, lots of them, and not all will be found by code reviews.

Another claim I find extremely ironic, and this one is made by Symantec to downplay the incident, is that this is no big deal since the source code is old.  To quote Symantec’s spokesman, Cris Paden, “We distributed 10 million new signatures in 2010 alone. That gives you an idea of how much these products have morphed since then, when you’re talking four and five years.”

Wow.  There’s just so much wrong with this it’s hard to know where to start.  First, if your large, mature commercial software product has largely been rewritten in the last five years, a) you’re likely doing something wrong and b) I don’t believe you.  Second, adding signatures to a database is not the same as modifying your product’s source code.  The code implements the scanning, and the signature database says what to look for.  Little if any code needs to change for new signatures.  Third, Paden appears to be bragging about one of the largest flaws in traditional antivirus software:  the huge number of signatures they have to look for.  How many of these 10 million new signatures are wrong?  Probabilistically quite a few.  Worse, do you think the signatures in this database comprehensively cover all of the malware out there?  Of course not.  All new malware bypasses signature a/v until it’s found, analyzed and signatures are generated.  Besides, there are well-known tools to evade traditional a/v by encoding (scrambling) existing known malware so that the signatures don’t match and the malware slips right by.  And that’s just one way to get by.
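To make the engine-versus-signatures distinction concrete, here is a toy signature scanner. This is an added example, not Bit9's or Symantec's code; the signature database format, the `Signature` class, the `load_signatures`/`scan`/`coverage` functions and the two sample byte strings are all constructed for illustration. It shows that adding a signature is a data change (a new line in the database) while the scanning code stays exactly the same, and that a database built from one sample says nothing about a variant the analyst hasn't seen yet.

```python
"""Toy signature scanner: the engine is code, the signatures are data.

Added example (not Bit9's or Symantec's code). The database format and the
samples are constructed; real engines match far more than hashes and byte
strings, but the engine/data split is the same.
"""
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for two variants of one family (plain bytes, not
# real malware). SAMPLE_B differs from SAMPLE_A by a single byte.
SAMPLE_A = b"MZ\x90\x00constructed sample A \xde\xad\xbe\xef payload"
SAMPLE_B = b"MZ\x90\x00constructed sample B \xde\xad\xbe\xef payload"


@dataclass(frozen=True)
class Signature:
    name: str
    kind: str    # "sha256" (whole-file hash) or "bytes" (hex byte pattern)
    value: str


def load_signatures(db_text: str) -> list:
    """Parse a signature database: one 'name, kind, value' line per entry.

    Adding a signature means adding a line here; scan() is not touched.
    """
    sigs = []
    for line in db_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, kind, value = (field.strip() for field in line.split(",", 2))
        if kind not in ("sha256", "bytes"):
            raise ValueError(f"unknown signature kind {kind!r} in {name}")
        sigs.append(Signature(name, kind, value.lower()))
    return sigs


def scan(data: bytes, signatures: list) -> list:
    """The engine: return the names of every signature that matches data."""
    digest = hashlib.sha256(data).hexdigest()
    hits = []
    for sig in signatures:
        if sig.kind == "sha256" and digest == sig.value:
            hits.append(sig.name)
        elif sig.kind == "bytes" and bytes.fromhex(sig.value) in data:
            hits.append(sig.name)
    return hits


def coverage(samples: dict, signatures: list) -> dict:
    """Map each sample name to its matching signatures, to see what a DB misses."""
    return {name: scan(data, signatures) for name, data in samples.items()}


# Day 1: the analyst has only seen SAMPLE_A and publishes its hash.
# (Digest computed here because the sample is constructed in this file.)
DB_V1 = f"""
# name, kind, value
hash-sample-a, sha256, {hashlib.sha256(SAMPLE_A).hexdigest()}
"""

# Day 2: a second variant is analysed and a byte pattern shared by the family
# is appended. Data changed; the engine code above did not.
DB_V2 = DB_V1 + "pattern-deadbeef, bytes, deadbeef\n"

SAMPLES = {"A": SAMPLE_A, "B": SAMPLE_B}

if __name__ == "__main__":
    for label, db in (("v1", DB_V1), ("v2", DB_V2)):
        print(label, coverage(SAMPLES, load_signatures(db)))
```

With `DB_V1`, sample A is detected and sample B (one byte different, so a different hash) is not; with `DB_V2` both are caught by the shared byte pattern, and the only thing that changed between the two runs is the database text. Counting signature updates, as in the quote above, measures how fast the data grows, not how much the engine has changed.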

The basic problem with the premise, that this breach is a huge blow to Symantec’s antivirus technology, is that this technology was fundamentally flawed to start with.  Traditional a/v is often the punch line to bad jokes at security conferences.  There’s no particular need to mourn the loss of a little spilled a/v source code.

If, however, this gets a few more people to rethink their reliance on a/v for protection, then this could be one of the best things to happen to infosec in a long time.
