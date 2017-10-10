Symantec CEO: Source Code Reviews Pose Unacceptable Risk (reuters.com) 38
In an exclusive report from Reuters, Symantec CEO Greg Clark says the company no longer allows governments to review the source code of its software because of fears that such agreements would compromise the security of its products. From the report: Tech companies have been under increasing pressure to allow the Russian government to examine source code, the closely guarded inner workings of software, in exchange for approvals to sell products in Russia. Symantec's decision highlights a growing tension for U.S. technology companies that must weigh their role as protectors of U.S. cybersecurity as they pursue business with some of Washington's adversaries, including Russia and China, according to security experts. While Symantec once allowed the reviews, Clark said that he now sees the security threats as too great. At a time of increased nation-state hacking, Symantec concluded the risk of losing customer confidence by allowing reviews was not worth the business the company could win, he said.
Either let nobody review the code, or let everybody in the world who wants to look at it review it. I rather suspect that crowdsourcing security reviews might actually make all code safer and more secure, if only because there WILL be friendly eyes going through it and proofreading the code.
Step 1: US company Equifax allows personal ID data for hundreds of millions of people to be stolen and nobody seems to care.
Step 2: US Government condemns Kaspersky Labs for potentially leaking information to the Russians. Thus destroying Kaspersky's US market.
Step 3: Symantec prohibits government source code reviews. Thus ensuring an NSA backdoor.
So, no matter what you do, you are screwed.
There is clearly no such thing as Cyber Security.
Put your money on Molson beer.
It is a much better investment.
“As a vendor here in the United States,” Clark said, “we are headquartered in a country where it is OK to say no.”
Yeah, right, and national security letters are a figment of my imagination...
Highly likely their software is shit and it's shit all the way down and they don't want you to know how shit it is.
It is unreviewed proprietary source code that poses the most significant risk. Any government technology department that fails to do a source code review of a product before deployment is committing malpractice. If a vendor refuses to cooperate, their product should be barred from competition.
The best stuff is that which can stand up to peer review and intense scrutiny, yet retain its trust level.
Given a choice between a closed source super-secret-trust-us-its-secure platform or an open source peer-reviewed-I-dare-you-to-break-it one, guess which one I would prefer to go with?
Says volumes about how much he believes in the security of his own software.
I worked on secure systems before. It was common to use well documented algorithms for encryption. The mathematics showed the encryption to be secure. The implementation would be trivial rewrites of the encryption, so not any different than anything open source. We'd pair the encryption we had with open source implementations to assure we did it correctly.
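The cross-checking practice the comment above describes (implement a well-documented algorithm yourself, then confirm it against an independent implementation) is shown below as an added example written for this page; it is not the commenter's code and has nothing to do with Symantec's products. It takes HMAC-SHA-256 as the well-documented algorithm (RFC 2104), checks the in-house version against two published known-answer vectors from RFC 4231 (test cases 1 and 2), and then runs a differential test against Python's standard `hmac` module on random inputs. The `buggy_hmac_sha256` variant is a constructed example of a classic mistake (truncating keys longer than the block size instead of hashing them) that the published vectors alone do not catch but the differential test does.

```python
import hashlib
import hmac
import os

BLOCK_SIZE = 64  # SHA-256 block size in bytes, "B" in RFC 2104


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA-256 written directly from RFC 2104, playing the 'in-house' implementation."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()  # keys longer than B are hashed first
    key = key.ljust(BLOCK_SIZE, b"\x00")  # then zero-padded to exactly B bytes
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + message).digest()
    return hashlib.sha256(opad + inner).digest()


def buggy_hmac_sha256(key: bytes, message: bytes) -> bytes:
    """Constructed bug for illustration: truncates long keys instead of hashing them.
    Matches the real thing for every key of 64 bytes or less, which is why published
    test vectors with short keys cannot catch it."""
    key = key[:BLOCK_SIZE].ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + message).digest()
    return hashlib.sha256(opad + inner).digest()


# Published known-answer vectors: RFC 4231, test cases 1 and 2 (HMAC-SHA-256).
KNOWN_ANSWERS = [
    (b"\x0b" * 20, b"Hi There",
     "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
    (b"Jefe", b"what do ya want for nothing?",
     "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"),
]


def known_answer_tests(impl=hmac_sha256) -> list:
    """One bool per published vector: True if impl reproduces the RFC's expected MAC."""
    return [impl(key, msg).hex() == expected for key, msg, expected in KNOWN_ANSWERS]


def differential_test(impl=hmac_sha256, rounds: int = 200) -> int:
    """Compare impl against the standard library's hmac on random keys and messages.
    Key lengths cycle through 0..149 bytes, so empty, short, exactly-B and longer-than-B
    keys are all exercised. Returns the number of mismatches (0 means agreement)."""
    mismatches = 0
    for i in range(rounds):
        key = os.urandom(i % 150)
        msg = os.urandom(i % 97)
        reference = hmac.new(key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(impl(key, msg), reference):
            mismatches += 1
    return mismatches


if __name__ == "__main__":
    print("RFC 4231 vectors, correct impl:", known_answer_tests())
    print("RFC 4231 vectors, buggy impl:  ", known_answer_tests(buggy_hmac_sha256))
    print("mismatches vs hmac module, correct impl:", differential_test())
    print("mismatches vs hmac module, buggy impl:  ", differential_test(buggy_hmac_sha256))
```

The point of pairing the two checks is that published vectors prove you read the specification correctly for the cases the authors chose, while the differential run against an independent implementation covers the input shapes you did not think to test, which is where implementation bugs in otherwise sound algorithms usually hide.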
I've published the source code of my own products since about 1987. The difference between Symantec and me is that I give the source code to everyone, and I give them an incentive to read the code, because they can also redistribute and modify it, and put it to any use.
And of course a national entity that wants to enough, like the government of Russia, is going to get a look at the Symantec source code even if it means getting someone into a job there to do it. So, isn't Symantec just saying that their proprietary paradigm is a poor one from a security perspective?
While I agree with you philosophically, I think in terms of an AV program on Windows you're dealing with a unique set of vulnerabilities and a black hat state organization would want to know every detection technique and evasion detection trick they could. It's kind of a fundamentally insecure environment to begin with.
USA, UK, NZ, AU, Canada?
Some of the more trusted NATO nations? All of NATO? Nations wishing to join NATO soon?
Some other nations? A China? Brazil? Japan?
Why would any nation buy into a security product they have not seen all the code to?
Other developers will just offer their products for review. How long before nations just say no review, no buy?
I imagine the backlash against Kaspersky, after it was found the Russian govt. was abusing security holes in its anti-virus software in order to hack computers which had it installed, is responsible for this. It seems plausible they found out about said holes due to the mandatory source-code reviews.
If I was a government reviewing a security product like that, I wouldn't tell them about any vulnerabilities I find. They would be much more useful to use against all of their customers.
"In security engineering, security through obscurity [wikipedia.org] (or security by obscurity) is the reliance on the secrecy of the design or implementation as the main method of providing security for a system or component of a system. A system or component relying on obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that if the flaws are not known, that will be sufficient to prevent a successful attack. Security experts have rejected this view as far back as 1851, and advise that obscurity should never be the only security mechanism."
So either the CEO of Symantec is a security idiot, or he has a better reason he's not sharing.
And if he's claiming the reason for using Security Through Obscurity is to provide his customers with a stronger feeling of being secure, I do hope the masses aren't idiots and this backfires as spectacularly as it really should.
Reverse Kaspersky from Russia with love?
to a third world nation.
Then anyone can review it and probably won't be able to make any sense of it whatsoever. Unless they are fluent in spaghetti code. It's like a cheaper type of encryption.
