Earlier this month an Indian hacking group published source code for two of Symantec\u2019s enterprise security programs, which the company claimed was stolen from a third-party source. Tuesday the plot thickened to a point of near-total confusion as Symantec admitted A) it was their network that was hacked, B) a lot of other code \u2013 including Norton Antivirus \u2013 got stolen, and C) it all happened in 2006.\n\tIt now turns out that not only was code was stolen for enterprise security programs Endpoint Protection 11.0 and Antivirus 10.2, but also Norton Antivirus Corporate Edition, Norton Internet Security, Norton Utilities, Norton GoBack and pcAnywhere.\n\tThe company says the code was taken in a previously unreported 2006 infiltration of its systems. Not to worry, though. Symantec has assured the world that that the code is old and thus cannot hurt us. \u201cDue to the age of the exposed source code \u2026 Symantec customers \u2013 including those running Norton products \u2013 should not be in any increased danger of cyber attacks resulting from this incident.\u201d\n\tOthers beg to differ. Not just any others but John Viega who used to work at McAffee as CTO and VP of engineering for the software-as-a-service business unit and before that was McAfee\u2019s chief security architect.\n\t\u201cThe fact of the matter is it\u2019s highly unlikely that Symantec completely rebuilt its AV product in six years and deployed a new, ground-up version to all of its customers \u2013 especially when trying to maintain compatibility with old signatures,\u201d says Viega, now executive vice president of products and engineering at Perimeter E-Security. \u201cIf there is any lingering code from the 2006 version at all, there is significant risk of a security threat by people accessing the source code. The unfortunate reality is that security flaws can stay in products for decades without detection, despite frequent security reviews and product enhancements.\u201d\n\tViega calls Symantec\u2019s explanation for the events \u201cimplausible\u201d and it\u2019s hard for anyone to argue with that. If the company\u2019s account is true it means that either the company didn\u2019t know about the break-in for six years or it knew about the break-in but didn\u2019t know what got taken. Either version is more believable than what we\u2019ve been told and raise even more questions about the security company\u2019s own security and trustworthiness.