Are there no infosec folks on HN, or are they just lurking? There are about 3 worthwhile comments in this thread, and yes I do realize mine isn't contributing, but I would love to hear more on this subject from the knowledgeable.
> A hacker who goes by the name of 'Yama Tough' threatened Saturday
> to release next week the full source code for Symantec Corp's
> flagship Norton Antivirus software.
Unfortunately, Saturday could not be reached for comment but Friday and Sunday pledged support for the beleaguered day.
What's the proper grammar for this? It seems like a perfectly acceptable order for the words, but you're right that there's some flow missing. Commas surrounding 'Saturday' perhaps?
It's a better way to phrase it, certainly, but that wasn't my question. I've heard reporters use the original phrasing (i.e. "threatened Saturday"), so I consider it correct, just with incorrect punctuation. I was trying to figure out what the proper punctuation would be without changing the words.
This is part of a more general problem I have with being able to write the way I speak. I don't think I have terrible grammar when writing something relatively formal, in a "written tone" rather than a "spoken tone", but when I make comments on reddit or HN, I've noticed I have a general inability to also make my writing grammatically correct. I also use a lot of parentheses, because I tend to talk in tangents, and that's the only way I can really write it that makes sense.
The original and the version with the added preposition are both correct. If there were a real ambiguity you'd favor the preposition, but that isn't the case here.
and not currently running products: '"Symantec can confirm that a segment of its source code used in two of our older enterprise products has been accessed, one of which has been discontinued. The code involved is four and five years old," said Cris Paden, the company's senior manager for corporate communications.'
It'll still be interesting to see if there's any specific code/comments in there for the government-produced trojans/backdoors that are allowed through.
I wonder how companies protect their source code from leaking. Doesn't every programmer have access to the full source tree? Any disgruntled former programmer employee ought to be able to dump the source of a product for the public to see.
Companies like Microsoft and Google employ several hundred interns each summer... college students with little commitment to the company and access to the source code of real products. Kids! Yet it's not considered a problem.
> I wonder how companies protect their source code from leaking
The prospect of being bankrupted by a civil suit or thrown in prison is enough to stop most people.
> The prospect of being bankrupted by a civil suit or thrown in prison is enough to stop most people.
Yes, but... if you're good enough to be hired by these companies, leaking source code without being traced isn't going to be hard for you. I've thought about this before and I'm actually surprised it doesn't happen more often.
If you're working at these companies you also know they have lots of people like you who will be working to track down any trace of who leaked the code. Are you willing to risk going to prison then being legally banned from touching a PC when you get out?
Also, you have little to gain from doing it even if you don't get caught. It's probably much more cathartic to blast them in a blog post than it is to anonymously release source code of an outdated/discontinued product. Especially since source is only readable to x people and a blog is readable to y, with x << y.
Back in 1989, some similarly "idealistic" folk released portions of Apple source code. At the time everyone wondered if this would be the end of Apple's strategic advantage. The group called itself Nu Prometheus, and while they never released any other source, the excesses that Apple took to (unsuccessfully?) track them down led almost directly to the creation of the EFF.
Not sure who wrote this but it seems fairly accurate to my memory of those days:
The reality though is that such source code is hardly ever a requirement to understanding or reverse engineering the underlying algorithm, and is likely already obsolete by the time it becomes public.
I've learned that this issue has a name: Data Loss Prevention. Indeed, companies may have data more sensitive than source code (customers' credit card numbers, financial or medical information, etc.)
I met with the CEO of a small software company a few weeks ago and we discussed this. Operational security is a topic I've long been curious how software companies deal with. They have just thirty programming staff, so the operations are different from MS or other firms. He told me only three (very trusted and long-serving) staff have full access to the entire source code.
This is news because although you don't use the product, there are many people who do. Norton comes preloaded on a lot of machines, and there are plenty of non-power users who just maintain the status quo when they get a new machine. Norton also has significant brand recognition (I think they're one of two brands with major name recognition in this area for the average consumer, McAfee being the other), so there's a certain amount of "Nobody ever got fired for choosing IBM" syndrome at play.
It's news because it could represent a critical vulnerability to these users. If the source is exposed and properly analyzed by sufficiently intelligent, yet malicious people, they could launch a zero-day on the antivirus software itself, leaving a system unprotected, and possibly silently unprotected. That's bad.
Oh cool… I've always wanted to know how that works. Right? No.
Anti-virus software is like drugs: they'll preload a little quality free thing on your new computer and then remind you (every two hours) when your 60-day trial has expired AND YOUR COMPUTER IS AT RISK OH NOES KABOOM!!! Then, they'll gladly charge you for that feeling of safety when no software can protect against human stupidity, which is the root cause of most virus infections.
In other news, the world has moved past Norton and you should get a Mac.