[criley2]

You're intentionally conflating "basic code review" with "politically charged state actor performing code review", which are not the same thing.

Did they say they allow no audit or outside code review?

Or simply that political nation states who have intelligence agencies that actively subvert security solutions to compromise computers (the very things AV companies work to prevent) shouldn't have access to the very cookie pot they work to steal from?

Frankly, I have no idea why you'd let people review your source code who have a vested interest in finding exploits that they will use against people using your software.

[raesene9]

Usually companies allow source code review beccause they're trying to sell their solutions in the countries in question.

Look at it from the perspective of those countries

Symantec "hey buy all our security software it's super-great"

Foreign Gov. Customer: "sure can we check the source code first to see if there are any heinous security bugs or NSA backdoors"

Symantec "Oh gee no, allowing to you see the source code of products we want you or companies in your country to run might compromise it's security"

Foreign Gov. Customer: "..."

[PeterisP]

They're completely okay with that response. What they're worried about is that customers in U.S. government would consider their product more secure if they can ensure that the potential attackers in e.g. Russian government don't have access to that source code.

You can't please all customers if customer wants you to protect them from another potential customer of yours, you have to pick a side and stick to it.

[raesene9]

Well in this case it's not a big problem, as stated in the article Symantec didn't do much business in Russia.

However lets extrapolate and say what if the same thing were applied to Apple or Microsoft, who sell a very large amount of software to countries like China.

Should they forbid China access to their source code due to concerns from US customers.....

Would their shareholders be happy if they did? China is a large market, loss of access to that would be bad for a companies finacial health.

[criley2]

Symantec: "No, our code is audited professionally by the most reputable international firms along international standards of quality. You can review our audit reports and engage with the international body responsible for regulating audits to raise any concerns"

Foreign Gov. Customer: "But what I really want is for my tech spooks to scan pre-selected high value modules for already known and suspected zero day exploits for our own clandestine use"

Symantec: "...."

[raesene9]

What "interational body for regulating audits" would that be, I'm not aware of any such body...?

Also If Symantec won't trust their customers to that degree, why should a foreign government or their key industries trust symantec software?

If a US audit firm audits US software, why should an international government trust that there isn't a US backdoor in there? Or perhaps that the US audits have uncovered issues but instead of patching them they handed them to the NSA for later use in their TAO teams... (wannacry anyone?)

Obviously symantec are free to withdraw from a given market as they have here, but to suggest that trust is a one-way street seems well a bit unbalanced.

[criley2]

I do not personally believe in todays world that national security and software can be separated.

As an American, I certainly would not trust any non-American AV software.

I would assume that all AV made in another country is compromised by that countries government intelligence. That would be a safe assumption.

I would be safer user American AV as an American because despite what the anti-gov propaganda wants us to believe, it's far harder for the NSA to spy on Americans than non-Americans.

Regardless, this entire thread (and your post) seems to treat nation-state actors as inherently innocent, which is so blindly naive that it's difficult to rationally respond to.

But this is the nature of cyberwar. Damaging, effective, wide-spread--- and invisible and plausibly deniable.

Symantec giving source to Russia should be seen as a violation of American national security at this point, because it gives a hostile foreign government a blueprint to attack US networks.

[raesene9]

You've picked me up entirely incorrectly if you think I'm of the opinion that nation state actors are innocent.

My point is if the US treats foreign gov's as dangerous then those foreign gov's should treat the US as dangerous equally, including US software.

Given US software companies international sales volumes that's a massive existential threat to the US economy.

If China/Europ/Russia etc stop using US software products then what will happen to the profits of Microsoft/Google/Apple et al....

My other point was the apparent one-way nature of trust that I felt you were implying. that foreign gov's should trust US software whilst at the same time accepting those software companies do not trust them...

[yardie]

Well we all are citizens of one country or another. So what exactly does outside code review mean? American code can only be reviewed by American code reviewers?

Would you trust Chinese software that was only ever allowed to be reviewed by Chinese auditors?

[criley2]

Private firms earn their reputations by their behavior. We have international / multi-national / NGO's which can exist beyond the politics of the nation states they reside in.

You should trust a firm to review your code not based on their nationality, but based on a wide criteria.

Included in that criteria for me would whether or not the organization is committed to the work of subverting your software through intelligence operations.

But, that's just an end-around because all countries with markets worth selling in have intelligence agencies which subvert AV and other software for clandestine purposes, so all nation states are excluded.

W.r.t Chinese auditors, because of their oppressive and authoritarian government which goes so much further than western governments to control business and speech, and which has a much deeper history of subverting any control structure outside of the Communist Party, I would certainly treat their work as suspect by nature, but if there were a Chinese auditing firm renowned for its quality, privacy and separation from their government, I don't see why I wouldn't consider it.