Source code reviews: does Symantec have something to hide?

When Symantec chief executive Greg Clark decided this week to explain his company’s 2016 change of policy over allowing governments to review the source code of its software, was he not aware that his comments could be interpreted as Symantec having something to hide?

There has been much talk of encryption backdoors and source code inspection recently, the latest being the news that HPE allowed Russia to review the source code of ArcSight, software that is used by the US military.

Was Clark unaware of all this?

On Wednesday, The Wall Street Journal ran a story that hinted strongly that the Russian Government had gained access to the source code of Kaspersky Lab’s A-V products.

The report claimed the program had been modified into a tool for espionage and used to search for terms like “top secret”.

In a detailed interview, Clark told Reuters that while Symantec was willing to sell its products in any country, “that is a different thing than saying, ‘Okay, we’re going to let people crack it open and grind all the way through it and see how it all works’.”

Referring to source code, he said: “These are secrets, or things necessary to defend (software). It’s best kept that way.”

Greg Clark: “We just have taken a policy decision to say, ‘Any foreign government that wants to read our source code, the answer is no’.”

So does Symantec, an American company, have anything to hide? If Kaspersky, a Russian company, is accused of allowing Moscow to fiddle with its source code in order to spy on others, then could not Symantec be accused of having backdoors in its code that would help the American Government conduct espionage activities?

After all, installing anti-virus software on a computer is the equivalent of installing a rootkit – the software has carte blanche when it comes to file inspection and upload. It can do anything and everything, and the user has to rely on only one thing when he or she makes a choice as to which A-V to run – trust.

If Symantec does not allow other countries to inspect its code when asked, its chances of doing business in those jurisdictions are likely to evaporate.

HPE allowed the inspection of the source code for ArcSight — which is now owned by British mainframe company Micro Focus — because it wanted to sell the product in Russia.

Another big American technology company, Microsoft, had to allow China to inspect the source code of Windows, a process that took two years, before it was allowed to craft a product — Windows 10 China Government Edition — that could be sold to the Chinese public sector.

A good deal of the paranoia over privacy has come in the wake of the revelations by Edward Snowden, a former NSA contractor, in June 2013, that the NSA was conducting blanket surveillance of all Americans – plus most of the rest of the world. Privacy has slowly come to figure more and more in the conversation of ordinary people.

Recent attacks by Western governments on encryption have not helped to boost public confidence about their intentions.

Foreign companies have grown wary about dealing with US corporations, fearful that having their data within the US will mean that it will be open slather for the NSA. And US companies have suffered as a result.

With this being the current situation, Symantec’s stance does not seem to make business sense.

Photos: courtesy Symantec
