Symantec AV source compromised and the questions it raises

[William Arbaugh <warbaugh () gmail com>]

Security Week ran a story that Symantec's AV source was obtained (and soon to be released) via a compromise of an 
Indian Military Intelligence server. 
http://www.securityweek.com/symantec-investigating-possible-theft-norton-av-source-code

Symantec issued a statement that the compromise and eventual release of the source does not place customers at risk 
since the source is 4+ years old.   http://www.facebook.com/Symantec/posts/10150465997682876

Really? I guess they don't reuse code across product generations like most vendors. 
http://www.neowin.net/news/windows-has-a-17-year-old-un-patched-vulnerability

The interesting question, however, is to whom in the Indian government did Symantec provide the source? I understand 
that major corporations provide source to a number of governments for a variety of reasons- mostly for sales and export 
approval. But did Symantec give it to the Indian Military Intelligence, or did the Indian intel community obtain it 
from another part of the Indian government? If the later, then any source provided to the Indian government is in 
Indian intel's hands. Sadly, we'll likely never know the answer.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
http://lists.immunityinc.com/mailman/listinfo/dailydave