Symantec slammed over Slammer

— 11:00 AM on February 14, 2003 has a disturbing article about the aftermath of the Slammer worm, and more specifically Symantec's involvement. The article claims that Symantec identified the worm and its effects hours before everyone else, and then did... nothing. Well, that's not fair. They did share the information, it's just that they only shared it with those who subscribed to its private security service. What they didn't do, according to the article, was let everyone else know, "[withholding] information . . . for hours after spotting it."

The article is rife with community criticism of Symantec, including one quote that suggests if the assertions are true, Symantec is "just as responsible for the damages done by the worm as the author." But are the assertions true?

I'm hardly a fan of Symantec (in fact, I've taken to substituting the word "Norton" for the word "suck" in IM conversations, as in "Oh, man, one of our servers just crashed." "Really? NORTON." It's fun, you should try it. UPS is a good alternative.) but going over the times in the article, this just doesn't seem to add up to much. Here are some quotes to illustrate my point:

  • "Within 10 minutes of debuting at 5:30 a.m. (UTC) Jan. 25 (9:30 p.m. PST, Jan. 24). . . " the worm did bad things, yadda yadda yadda.
  • "According to Symantec spokesman Yunsun Wee, Symantec issued an alert about Slammer to DeepSight Threat Management System subscribers 'at approximately 9 p.m. PST on Friday, Jan. 24.'"
  • "Most of the rest of the Internet didn't spot Slammer until shortly after midnight EST on Saturday, Jan. 25th."

OK, so let's review here. The worm "debuted" at 9:30 p.m. PST. Of course, it's likely that it was released into the wild sometime before that, and just took a little while to get bad enough for people to notice it. The alternative is that Symantec knew about the worm before it was in the wild, and then called attention to this fact by sending out a private security release before the worm was a threat, which would be awfully stupid. I'll go ahead and give them the benefit of the doubt on this one.

So the worm came out around 9:30 p.m. PST, and Symantec sent their release at around 9:00 p.m. PST. Meanwhile, "the rest of the Internet" noticed the worm at a little past midnight EST. EST is three hours ahead of PST, so 9:00PM PST is 12:00AM EST, and "approximately 9 p.m. PST" is within spitting distance of "shortly after midnight EST."

Of course one could argue the intent was still there, but with the exact release time of the worm in question, it's just as easy to suppose that Symantec was preparing a public release of some sort, but got scooped by "the rest of the Internet" and chucked it.

Perhaps I'm missing something, but I don't think so. Still, Symantec probably does deserve some trouble: They wrote that insidious piece of code that takes up tens of megabytes of hard drive space, megabytes of RAM, and a fair chunk of CPU cycles and Internet bandwidth. Damn you, Norton Anti-Virus!

Tip: You can use the A/Z keys to walk threads.
View options

This discussion is now closed.