Truth About Computer Security Hysteria
Stop arguing over Symantecs
Monday, 24 November 1997
IT CAME AS no shock to the antivirus world when Symantec sued McAfee in April 1997 for alleged copyright infringement. Industry watchers didn't pay much heed because ... well, because those two vendors fight all the time. Just another chapter in the Hatfield-McCoy saga, everyone thought.
McAfee typically wins these battles — and wins them easily. But not this time. The normally placid Symantec switched to an anything-goes fighting style, using its well-oiled propaganda machine to fight McAfee in the media as well as the courtroom. This change in tactics caught industry watchers (including myself) off-guard.
THE STORY ACTUALLY begins in 1996 with what seems like an unrelated event. A company called Trio Systems discovered Symantec illegally used its C-Index/II code in various products. Caught with its pants down in a copyright violation, Symantec asked to negotiate a license ex post facto. Trio readily accepted.
As part of the agreement, "Symantec represented and warranted that it had used C-Index/II only in [Norton Administrator for Networks and Norton Desktop Administrator]." Symantec also "expressly agreed" in the license "that any use by it of C-Index/II in any other software program would constitute intentional infringement of Plaintiff's copyright."
Also in 1996, McAfee launched a media assault against Symantec for what it called "false and misleading advertising." McAfee's press release demanded no less than a worldwide recall of Norton AntiVirus. Symantec issued a rather wimpy response to this attack. (Score a victory for McAfee.)
Trio Systems surfaced again in February 1997 when they revoked Symantec's license under the "bad faith" clause. According to the lawsuit they later filed:
20. In February, 1997, Plaintiff discovered that Symantec had blatantly lied about its use of C-Index/II. Plaintiff discovered that Norton Utilities, Norton Your Eyes Only and pcAnywhere, all important Symantec software programs, incorporated copyrighted portions of C-Index/II. Each of these three programs is a pre-existing software product of Symantec that is not covered by the Replacement License Agreement. None of these programs was developed for NAS, has the required NAS functionality, or was derived from NAN or NDA. By using C-Index/II in each of these programs without license or permission from Plaintiff, Symantec is intentionally and willfully infringing Plaintiff's copyright.
21. On February 26, 1997, Plaintiff gave notice to Symantec that it had materially breached the Replacement License Agreement and was willfully infringing Trio's copyright in C-Index/II. On the basis of Symantec's deception and material breach of the Replacement License Agreement, Plaintiff elected to terminate the Replacement License Agreement and notified Symantec that it must cease and desist from further use of Trio's copyrighted software. To date, Symantec has refused to comply and continues to manufacture, sell and distribute software programs that contain unauthorized copies of Trio's C-Index/II software.
34. Symantec has in the past copied and infringed upon, is presently copying and infringing upon, and is threatening in the future to continue copying and infringing upon, Plaintiff's copyrights to C-Index/II. Plaintiff is informed and believes, and on that basis alleges, that C-Index/II unlawfully appears in the following Symantec software products, among others: (1) Norton Utilities, (2) Norton Your Eyes Only and (3) pcAnywhere.
35. Unless this Court restrains Symantec from further commission of said acts, Plaintiff will suffer irreparable injury for which Plaintiff will be without an adequate remedy at law. Plaintiff is, therefore, entitled to a temporary restraining order, preliminary injunction and permanent injunction restraining Symantec, its officers, directors, agents, employees, affiliates and subsidiaries, and all persons acting in concert with them, from engaging in further acts in violation of the copyright laws.
The bad-faith license revocation came at an extremely critical time for Symantec. They'd just signed a letter of intent to sell their 85-employee Networking Business Unit to Hewlett-Packard, but expanding violations of Trio's copyrights threatened to kill the deal. Amazingly, Symantec somehow convinced them to negotiate another after-the-fact license as a favor to Hewlett-Packard. (Trio modified its lawsuit to let HP off the hook.)
Adding to Symantec's grief in early 1997, McAfee's researchers discovered an obscure security flaw in the Norton Utilities package. Instead of notifying Symantec, McAfee chose to notify only the media. They even wrote a blatant demonstration program so Windows Sources magazine could include it as part of a fear-inducing online story — another effective media assault against Symantec.
Symantec felt McAfee should have notified them instead of helping the media write scary stories about a trivial flaw. Product manager Tom Andrus told Associated Press: "we were taken aback that they would go to the press, create something akin to a virus and then basically show the world how to do that." Symantec also berated Windows Sources for providing McAfee's code to any malicious hacker who wanted it.
Editors pulled McAfee's blatant demo from the Windows Sources website the next day. Symantec quickly released a software patch to calm the nerves of frightened customers — and distributed an extremely polite press release announcing the patch. (Score another victory for McAfee.)
Trio revoked its licenses because Symantec lied — but Symantec somehow convinced them to negotiate another after-the-fact license.
Symantec goes on the offensive
SYMANTEC STRUCK BACK on 23 April with an eye-popping press release perfectly timed to damage McAfee's quarterly earnings call. Symantec accused them of "stealing code" and demanded a U.S. recall of McAfee's PC Medic software. (The "vital code" in question amounted to 30 lines.) They also filed suit to garnish all profits from the sale of PC Medic.
McAfee — for reasons still unclear — chose to lay low. They issued no related press release and filed no related counter-suit.
Symantec struck again on 21 July with another perfectly timed media attack, damaging McAfee's next quarterly earnings call. A blistering press release claimed they discovered "copyright infringement" (101 lines of code this time) in VirusScan. McAfee followed the next day with a press release announcing a counter-suit for "defamation, business interference, [and] contempt of court."
McAfee vice president Peter Watkins figured the two firms would battle in court over Symantec's claims. He paid for a "clean-room rewrite" because it would cost less in the long run to discard 131 lines of disputed code. Symantec might exploit it as a "tacit admission of guilt," but Watkins' decision offered McAfee a tactical legal advantage.
McAfee chose to lay low for reasons still unclear. They didn't even issue a press release.
Symantec Japan joins the fight
Symantec's Japanese division joined the fracas the same day McAfee announced its counter-suit. A 22 July press release — intended neither for U.S. nor European distribution — trumpeted how Symantec won its copyright infringement lawsuit against McAfee. In it, Symantec proclaimed:
Symantec Won A Trademark Infringement Lawsuit
...After filing the lawsuit, a McAfee employee confirmed that a McAfee software programmer retrieved ... Norton CrashGuard from Symantec's website and [used part of it] in McAfee's software... Enrique Salem, [Symantec's chief technology officer], says "...we are happy because the court ruled in our favor and McAfee confirmed that it stole [the software]."
According to McAfee, Symantec's Japanese division issued a different press release on 25 July which also said they won the lawsuit. McAfee — again for reasons unknown — remained quiet in the U.S. & Europe regarding this event.
Speaking in an interview, Watkins said his people burned up the phone lines trying to get Symantec to retract their statements. "They stalled" for a week and continued to send press releases to anyone who would read them. McAfee finally ordered its lawyer in Tokyo to file a cease & desist lawsuit to make Symantec stop lying.
Symantec continued to promote its untrue claims for another two weeks. They finally appeared in court on 12 August with a "correction notice," and McAfee's lawyer confirmed the offending press releases disappeared from Symantec's website the night before.
Given these new developments, "the judge suggested either withdrawal of our [lawsuit] or a negotiation and settlement between the parties" if the correction notice itself needed correcting. "It has become difficult to maintain [the lawsuit]," the lawyer notified McAfee, because "its aim was substantially achieved, and we will have to withdraw it eventually." McAfee could still sue for libel & defamation, though.
McAfee announced "record earnings" on 7/21/97, yet their stock value plunged the next day when Symantec issued its inflammatory press releases in both the U.S. and Japan. (Chart obtained from Quote.com)
It gets worse for McAfee
ON 21 AUGUST, McAfee issued a press release announcing their flagship product "does not use alleged Symantec code." Also of importance, they declared the code in question actually resides "in the public domain," meaning anyone can use it for free. (McAfee's claims remain unsubstantiated.)
Watkins decided the company would acknowledge a faux pas in the 21 August press release. It admitted "that a recently hired ex-Symantec employee... may have had [intellectual property belonging to Symantec]... None of his research has been used in VirusScan or any McAfee product."
Watkins included this information because he didn't want Symantec to disclose it first as media bait. It didn't help — Symantec countered with an inflammatory press release (issued the same day) claiming McAfee "admitted that its products contain code misappropriated from Symantec ... From the wording of McAfee's press release, it appears that McAfee employees may have [also] engaged in illegal destruction of evidence relevant to the ongoing dispute."
Watkins didn't expect to see such a wild press release on his desk when he returned to work the next morning. Reporters around the world latched onto Symantec's tirade, writing stories with headlines making it sound like McAfee pled guilty in court. (Many of these "breaking stories" in reality plagiarized Symantec's press release.)
The next day, McAfee distributed an eye-popping press release of its own announcing a $1 billion lawsuit for defamation & trade libel. "McAfee's suit is in response to the latest press release from Symantec which blatantly lies about the facts of on-going litigation between the companies. The most egrious [sic] lie in Symantec's latest release ... is that McAfee has admitted copying code. McAfee has never admitted it has ever used copied code."
Stories filed by Dow Jones News Service say both companies' stocks dropped in value when Wall Street caught wind of it.
McAfee and Symantec victorious?
Lawyers for the companies apparently settled the Japanese case a few days later. Symantec formally apologized for its press releases; McAfee dropped its cease & desist lawsuit. Both firms declared victory on 28 August, each issuing a press release only two paragraphs long:
Symantec made only a token effort to notify people who received false press releases.
- McAfee's victory press release claims Symantec "admitted to lying about its pending litigation with McAfee and
issued a public apology... As a result of Symantec's retraction, McAfee honorably dropped its defamation suit in
Japan. McAfee still has a $1 billion defamation suit against Symantec in the U.S."
- Symantec's victory press release says McAfee "unilaterally dropped its suit against Symantec in Japan... 'We are
pleased at McAfee's withdrawal of the Japanese action,' said Enrique Salem, Symantec's Vice President and Chief
Technical Officer. 'We can now focus our attention more clearly on the real issue here, which is McAfee's copying of
Symantec's code.' "
McAfee says Symantec "admitted to lying," but this claim remains unsubstantiated. The original "correction notice" Symantec submitted for judicial review merely apologized for their "error."
Symantec's press release, on the other hand, turns an obvious setback into an amazing-sounding victory. It does not describe the lawsuit in question. It does not mention any apology to McAfee. And the "unilateral" adjective makes it sound like McAfee dropped a frivolous case.
Symantec's website spotlighted the "McAfee confirms" and "McAfee drops suit" press releases for a number of weeks. (Snapshot taken 17 Sep 97).
Symantec fires another volley
Symantec slapped McAfee in the face again on 22 September with yet another press release. This time, they announced a judicial order forcing McAfee to "preserve evidence" in the case. "The judge also ordered McAfee to make available to Symantec all computer hard disks in all research groups in which that employee worked, to refrain from making any changes to any of those disks, and to respond to Symantec's discovery requests on an expedited basis."
Newsbytes reporter Bob Woods filed a newswire about Symantec's claims on the morning of its release. He noted "McAfee officials did not make themselves available for comment to Newsbytes by the early edition deadline." McAfee's spokeswoman returned his call a little too late — and Woods filed a different newswire the next morning:
McAfee Associates [NASDAQ:MCAF] told Newsbytes Monday afternoon that facts detailed in a press release issued by Symantec Corp. [NASDAQ:MCAF] [sic] early Monday morning actually took place a month ago, although the release seemed to indicate that the actions just took place.
In the release, Symantec said a magistrate judge ordered McAfee Associates to "preserve evidence" in the copyright infringement case Symantec filed against its anti-virus rival. Symantec also said the judge ordered McAfee to produce computer disks that may be involved with the case.
McAfee spokesperson Jennifer Keavney told Newsbytes that her company handed over evidence in the case last August, including computers that "had been attached to" an employee's home computer that contained code McAfee claims was from a public source. But Keavney said a court denied Symantec's recent request for access to additional computers....
The judicial order seems to back McAfee's claims. The first paragraph says Symantec filed "an ex parte motion" to which McAfee "filed an opposition to this motion and Symantec filed a reply. Having reviewed and considered all documents submitted by the parties..."
Popgun-wielding McAfee fires back
McAFEE FINALLY RETALIATED on 23 September with a press release titled "McAfee Market Dominance Prompts Symantec Dirty Tricks":
A history of lost market share, slow growth, and poor product execution, has led Symantec (NASDAQ: SYMC) to embark on a campaign of meritless legal actions and false press releases in an attempt to slow McAfee Associates' (NASDAQ: MCAF) industry leading growth. Symantec's most recent action — a news release which once again failed to accurately portray a court ruling — is just the latest attempt by Symantec to mask business, market share and product failures.
Symantec claimed this court ruling as a victory when in fact the court adopted McAfee's proposal and denied Symantec's primary request. This is just the latest in a string of falsehoods Symantec has distributed about ongoing litigation between the companies. Other ridiculous examples of Symantec untruths abound...
This press release probably did little to improve McAfee's media image. Three computer industry reporters dismissed it as typical spin control. "I like McAfee," one admitted, but "I probably wouldn't read this thing beyond the first sentence."
Déjà vu: McAfee and Symantec victorious
Reuters reporter Josephine Ng filed an interesting newswire from Singapore on 2 October titled "Symantec sees favourable result in suits." Asked about an upcoming pre-trial hearing, Salem predicted the judge would order McAfee to stop shipping products containing disputed code.
Lawyers faced each other on 3 October (in the U.S. this time) at a pre-trial hearing watched closely by the media. Judge Ronald Whyte denied Symantec's request for a nationwide product recall, but he did authorize a temporary injunction on McAfee's use of disputed code as Salem had predicted to Reuters.
However, new product versions already contained clean-room code thanks to Watkins' tactical decision. The injunction amounted to nothing. McAfee filed a typical motion asking for a summary dismissal of the case. Judge Whyte refused.
Symantec tacked another accusation onto the lawsuit, this time accusing McAfee of stealing "trade secrets." They also wanted to dispute the "cleanliness" of McAfee's rewritten code but the judge told them to file a separate pre-trial motion. Speaking later in an interview, Watkins said he would swallow the cost of another clean-room rewrite if necessary.
Once again, both firms declared victory after the pre-trial hearing:
Once again, both companies declared victory.
- McAfee's victory press release said they "will not be prevented from shipping current versions of VirusScan or
PC Medic... The court also refused a Symantec request to require that previous versions of VirusScan and PC Medic be
- Symantec's victory press release (again just two paragraphs long) says it won "an injunction which forbids
McAfee... from shipping products that contain code copied from Symantec. The order also requires McAfee to notify
distributors that customers who purchase versions of PC Medic that contain the Symantec code must be upgraded."
Symantec temporarily avoids the media
SYMANTEC QUIETED DOWN after 9 October — possibly due to media pressure created by this investigative report. A sidebar titled "Rosenberger's prediction" said readers should "expect Symantec to issue an important anti-McAfee press release on, or just before, 20 Oct 97, the scheduled date for McAfee's next quarterly earnings call."
Symantec proved the prediction wrong. They quietly executed important legal maneuvers during this timeframe:
- 15 October: Symantec filed a typical motion to summarily dismiss the $1 billion
defamation lawsuit. A court will hear arguments on 13 January.
- 17 October: on the last business day before McAfee's earnings call, Symantec amended its
lawsuit to demand a nationwide recall of VirusScan & PC Medic if they win the case.
- 20 October: Symantec requested an immediate recall of VirusScan & PC Medic because
"the 'clean room' development of the replacement code was not adequate, and that the code in the current
version of PC Medic 97 is in fact derived from [Symantec's] Crashguard." A court will hear arguments on
No one asked about Symantec's lawsuit during the 20 October earnings call. Grateful McAfee executives didn't mention it, either.
Symantec filed another motion two days later to dismiss the $1 billion defamation lawsuit, calling it "an improper attempt to prevent Symantec from commenting publically [sic] on Symantec's copyright and trade secret suit against McAfee." (A court will hear these arguments as well on 13 January.) Symantec again decided not to issue a press release.
Symantec finally launched an attack on 24 October called "The Facts Behind Symantec's Litigation." This time, they offered scanned images of documents related to their case.
Symantec didn't attack McAfee's third quarterly earnings call in a row. They waited until four days after the call took place. (Snapshot taken 25 Oct 97).
Who actually owns the disputed code?
SYMANTEC HAS NOT proven it owns the 131 lines of disputed code despite their adamant claims to the contrary. The 6 October judicial proclamation says "there is nothing overt in the code that indicates who wrote the code and [Symantec's expert witness] does not know who at Symantec wrote the code," if anyone.
The judge offered Symantec a pre-trial presumption of ownership. A jury may ultimately rule on the matter if it goes to trial. "With a few limited exceptions," Judge Whyte declared, "a plaintiff need only show a reasonable likelihood of success on its copyright infringement claim to support a grant of a preliminary injunction."
The 'First Code Block' (30 lines)
Symantec has not proven it owns the disputed code despite adamant claims to the contrary.
Symantec gleefully quotes the injunction's statement that "McAfee admits that one of its programmers incorporated the 'First Code Block' into PC Medic." To reiterate: the judge did not establish Symantec's ownership of this code. McAfee admitted copying the code from another source and will need to prove Symantec doesn't actually own it.
The 'Second Code Block' (101 lines)
According to McAfee, one of their employees "did not copy the disputed code [while employed at] Symantec but instead obtained it from a website during an Internet search." Yet they produced no evidence to support their claim. Judge Whyte stated the obvious in his injunction: "even if [the employee] obtained the code from a website, however, this alone does not establish that his use of the code did not infringe Symantec's copyright."
"Based on the evidence presented," Judge Whyte continued, "the court finds that Symantec has sufficiently demonstrated that [McAfee's employee] had access to" Symantec's copy of the Second Code Block, thereby justifying a temporary injunction.
Symantec's claim of "irreparable harm"
Symantec pleaded for a nationwide recall of PC Medic because disputed code in previous versions caused "irreparable harm." Judge Whyte refused: "it is difficult to see how Symantec was irreparably harmed as a result of [the disputed code] being included... The harm to Symantec of some McAfee distributors still having the offending version on their shelves is de minimis, particularly if McAfee provides notice to those distributors to advise future buyers to be sure to upgrade the programs."
Symantec filed another pre-trial motion for a nationwide recall, this time claiming PC Medic "is in fact derived from [Symantec's] Crashguard." The court will hear arguments on 19 December.
IT SEEMS IRONIC for Symantec to sue McAfee over copyright infringement and theft of trade secrets when they still need to settle a case against them alleging copyright infringement and deceptive practices. Still, you can chalk up an incredibly one-sided media victory for Symantec.
The court merely assumes Symantec owns 131 lines of disputed code before the real trial begins. Even if McAfee can't prove someone else owns it, they still claim it "is not proprietary to Symantec." But McAfee faces an uphill battle if they rely on this argument: Judge Whyte warned "Symantec has shown that it is likely to prevail on its claim that the First and Second Code Blocks are protectable [i.e. copyrightable] expressions."
McAfee faces other hurdles as well. Symantec made only a token effort to notify people who received false press releases last July. More preliminary hearings take place in December & January; the actual trial may start next September. Symantec shows no signs of giving up this fight — and McAfee knows it can only "win" by forcing a draw.
These important questions remain unanswered:
Stay tuned for further developments in the Hatfield-McCoy feud...
Chalk up an incredibly one-side media victory for Symantec.
- Taken from court papers supplied by the law firm representing Trio Systems. They declined to discuss the case.
(Return to where you left off.)
- Taken from court papers supplied by the law firm representing Trio Systems. (Return to
where you left off.)
- Translated by a Japanese immigrant, not versed in computers, who read a mediocre fax copy of Symantec's press
release as a personal favor. A nearly identical translation from McAfee's Tokyo law firm reads as follows:
"...After the suit was filed, a McAfee representative admitted that a McAfee software engineer had
downloaded the code routine ... from a Symantec web site and incorporated it into the McAfee product. Enrique
Salem, Symantec's chief technology officer states that 'At this point in the investigation, we are happy that
our lawsuit was upheld (approved) and that McAfee admitted stealing [the code].' "
(Return to where you left off.)
- Quoted from legal papers supplied by McAfee. (Return to where you left off.)
- Taken from legal papers supplied by McAfee. (Return to where you left off.)
- A source (reliability unknown) with ties to McAfee says the company almost highlighted this investigative
report in its press release — but dropped the idea because an
unflattering link appears in the second paragraph.
(Return to where you left off.)
- Two of them read previous versions of this investigative report before they read McAfee's press release.
(Return to where you left off.)
- Symantec probably did this to (1) stem the tide of reporters who ask for copies of legal documents and (2) offer
legal documents showing Symantec in a good light. If McAfee follows suit, they'll do it for the same reasons.
(Return to where you left off.)
- Quoted from legal papers supplied by Symantec. (Return to where you left off.)