Symantec comes out in swinging in bitter legal battle over security bug audit conspiracy claims

Symantec says the biz that accused it of conspiring with others to avoid independent security audits is "less than honest" and driven by a "thirst for profits."

"This is, at bottom, a case where one company’s thirst for profits has led it to brush aside the needs of its customers for more accurate testing of their computer security in order to support an opaque, inaccurate, and less-than-honest business model," Symantec argued [PDF] in a California court filing this week.

It argues that the legal action brought by independent software tester NSS Labs against Symantec in the US should be dismissed in its entirety because its claims "are entirely devoid of merit."

Those claims included that several security vendors – Symantec, CrowdStrike, ESET, and the Anti-Malware Testing Standards Organization (AMTSO) – not only knew of bugs in their code and had failed to act but that they were "actively conspiring to prevent independent testing that uncovers those product deficiencies."

NSS Labs sued the four organizations back in September in what it said was an effort to highlight bad practices in the security software field.

At the time, all four denied the allegations but this is the first time that those organizations have formally responded to the lawsuit. Each has filed its own response, every one calling for the lawsuit to be summarily dismissed, but Symantec's stands out as aggressively attacking NSS Labs.

It points out that NSS Labs runs two forms of test: a private one where it works with a vendor confidentially to identify and fix flaws in its product; and a public one where it tests a company's products without informing it and publishes the results publicly.

It only makes money from the former and, Symantec notes, "to do well in an NSS public test, it is important to pay NSS first for a private test. That is its business model."

But there's still flaws, right?

While that model is clearly far from ideal, NSS Labs claims that the reality is still that it identifies significant security flaws in software bought by businesses and individuals to protect themselves. As such, the companies' efforts to boycott NSS Labs altogether because it won't work with them to keep flaws under wraps is anti-consumer, the testing company claims.

Somewhat worryingly, none of the responses to NSS Labs lawsuit tackle this issue head on but instead claim that the company doesn't have a case because even if they had conspired, they wouldn't have broken the law.

"In the end, Defendants are simply alleged to have exercised their discretion not to cooperate with a firm whose way of doing business conflicted with their own understanding of what will best serve their customers," argued Symantec.

The other defendants claims that NSS Labs hasn't got any proof that they conspired against it.

CrowdStrike claims in its response [PDF] that NSS has not provided any plausible facts over the alleged boycott "namely (1) who conspired, (2) what they conspired to do, (3) when or where the conspiracy took place, (4) why the alleged conspirators conspired, i.e., the purpose of the alleged conspiracy, or (5) how they were to enforce the conspiracy."

And it uses its own tangled legal history with NSS Labs to argue that it had no need to conspire – it had already refused to work with the company over a previous argument after the tester "fraudulently accessed CrowdStrike’s proprietary and confidential software platform."

CrowdStrike had paid NSS for one of its private tests and was infuriated when the company subsequently said it would publish test results of the company's products. Crowdstrike filed an injunction to prevent the release of the results claiming that NSS had "failed to adhere to NSS’s own stated testing methodologies and that its testing exhibited severe quality control failures." It failed, but the legal battle continues.

NSS Labs "only insinuates a conspiracy and offers no facts to support one, particularly with respect to CrowdStrike," Crowdstrike argues.

It also claims that NSS is simply in it for the money: "The crux of NSS’s Complaint is that it would prefer a standard that better benefits NSS’s business model, such as by not requiring Testers to work with Vendors in a transparent way. This conflict with Vendors that want transparency does not render the Standard anticompetitive, however."

It notes: "Even if NSS’s quibbles were correct, it would need to do more to state a claim."

Trust as standard

And as for the Anti-Malware Testing Standards Organization (AMTSO) – whose standards the companies are using and which allows them to communicate in private and fix issues before they are made public – it argues [PDF] that it can't be sued for antitrust because the law says so.

"Under the Standards Development Organization Advancement Act of 2004 (SDOAA), 'the conduct of a standards development organization while engaged in standards development activity shall not be deemed illegal per se.' AMTSO is a standards development organization… Accordingly, AMTSO's conduct in developing the Standard cannot be deemed illegal per se."

Which may be true but is far from reassuring.

In terms of the whole public/private testing approach, AMTSO offers this as an explanation: "A useful analogy is the cross examination of witnesses. Federal courts require extensive witness disclosures in advance of testimony at trial, and many practitioners feel that these disclosures promote the truth-seeking purpose of cross examination.

"Some state courts provide for no witness disclosures whatsoever, and some practitioners would argue vehemently that trial by ambush is most effective. Both camps have a valid argument. But there is no valid argument for requiring witness disclosures of one party to a trial but not the other. In other words, the provision of information does not defeat the fairness of a trial (or a comparative test). But an undisclosed information disparity between litigants (or test subjects) does."

Or, in other words, no one likes that fact that NSS Labs doesn’t give vendors a heads-up about security holes they find in their products before publishing the results.

And so, you know, maybe we decided we didn't want to use them no more. Ain't nothing illegal about that, your honor. ®