Anonymous released email exchanges between a member and Symantec yesterday, revealing that the security firm offered them $50,000 in exchange for destroying the source code of pcAnywhere and Norton Antivirus tools, believed to have been obtained by hackers after breaking into servers of the Indian Military Intelligence in 2006.
The deal fell through after extended discussions about payment through Liberty Reserve bank in Costa Rica and issues with receiving the proof of code they requested. The source code for Symantec’s pcAnywhere has now been released through Pirate Bay.
The email communications published on Pastebin by Anonymous detail a Symantec employee, Sam Thomas, negotiating with YamaTough under the umbrella of Anonymous out of a Venezuelan email address last month. In them the security company offered the hacker substantial money to not release the code, and state they never publicly had it.
"We will pay you $50,000.00 USD total," the email from Sam Thomas read. "However, we need assurances that you are not going to release the code after payment. We will pay you $2,500 a month for the first three months. Payments start next week. After the first three months you have to convince us you have destroyed the code before we pay the balance. We are trusting you to keep your end of the bargain."
A Symantec spokesperson released a statement via email to CNet last night with their side of the story:
"In January, an individual claiming to be part of the Anonymous group attempted to extort a payment from Symantec in exchange for not publicly posting stolen Symantec source code they claimed to have in their possession […] Symantec conducted an internal investigation into this incident and also contacted law enforcement given the attempted extortion and apparent theft of intellectual property. The communications with the person(s) attempting to extort the payment from Symantec were part of the law enforcement investigation. Given that the investigation is still ongoing, we are not going to disclose the law enforcement agencies involved and have no additional information to provide."
In an interview with Forbes, Symantec spokesperson Cris Paden stated that the employee in the emails was in fact a law enforcement agent, who was pretending to pursue the negotiation in order to trace the hacker. "No money was exchanged, and there was never going to be any money exchanged. It was all an effort to gather information for the investigation," Paden said.
Symantec released an update to its pcAnywhere software on January 30, after previously advising customers not to use it until the patch had been released. The firm has stated that due to the age of the source code, it poses no real threat to customers even if the full blueprint is released.