I think the real answer lies at the intersection of Annalee Newitz (another actual tech journalist besides Declan!:-)'s answer and Adrian's.

Anti-virus software has two main techniques -
- look for recognized bad stuff, and
- look for suspicious changes to good stuff.
plus an anti-technique
- look for recognized non-bad stuff
if one of the previous techniques detects bad or suspicious activity.

If the targets of Magic Lantern don't suspect any virus-like problems and report them to an anti-virus maker who can analyze its behaviour and include it in the list of known bad stuff, Nothing Happens. If the Magic Lantern authors are careful to cover up any changes they make to important files so they don't look suspicious, "These aren't the viruses you're looking for. Move along." then they also duck the second detection technique.

The two obvious ways that the anti-virus companies could cooperate with Evildoers, Federal or otherwise, are to actively not comply with requests to include Evildoer things in their Bad Stuff lists or to explicitly put recognizers for Evildoer stuff in the OK list. But if the Feds and the Targets don't tell them what to look for, then implicitly they usually would not be detected.

Bill Stewart
Date: Tue, 11 Dec 2001 12:21:49 -0800 (PST)
From: Annalee Newitz <brainsploitation@yahoo.com>
Subject: symantec's new position
To: declan@well.com
(you can post this if you like)
--- Declan McCullagh <declan@well.com> wrote:
We've now heard contradictory reports from both Symantec and McAfee, though I'm inclined to believe McAfee's public, on-the-record statements.
Declan, I've been interviewing "spokespeople" from Symantec (they don't like to give out their real names) about this issue for the past couple of weeks. I finally got one to go on record saying very specifically that "if a Symantec customer located a copy of the Magic Lantern trojan horse virus and gave us a copy, we would be obliged to filter for it with our anti-virus software." In other words, their new public position is that they will actively block FBI-authored viruses. Interesting, no?
Annalee
===== Annalee Newitz tech * pop * sex 415.487.2559 - cell: 415.378.4498 www.techsploitation.com
**********
From: Adrian Alcock <adrian_alcock@presence.com.au>
To: "'declan@well.com'" <declan@well.com>
Subject: RE: Symantec, McAfee backpedal furiously on espionage enabled-software
Date: Wed, 12 Dec 2001 10:30:21 +1100
Hi Declan.
"Despite subsequent reports to the contrary, officials at Symantec Corp. (Nasdaq:SYMC - news) and Network Associates Inc. (Nasdaq:NETA - news) said they had no intention of voluntarily modifying their products to satisfy the FBI. Spokesmen at two other computer security companies, Japan-based Trend Micro Inc."
They probably wouldn't have to modify their product to suit the FBI. I don't use either Symantec's or NA's software, but I know that a Sophos installation requires extra files (called "virus identity files") for each new virus to be protected against. Assuming that the same applies to McAfee and Norton, then we would be concerned if they didn't alter their product to identify the FBI's snoopware as it means they are doing nothing to identify, let alone act on the threat.
Adrian
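
The detection logic discussed in the messages above (a known-bad list, a check for changes to protected files, and an OK list consulted after a hit, with new identities loaded as data), sketched as an added example that is not part of the original thread or any vendor's code. Whole-file SHA-256 matching, the `Scanner` class, and every path and sample name are simplifying assumptions.

```python
import hashlib

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class Scanner:
    def __init__(self, baseline):
        self.identities = {}      # digest -> name: the "recognized bad stuff" list
        self.allowlist = set()    # digests of "recognized non-bad stuff"
        self.baseline = {k: digest(v) for k, v in baseline.items()}  # protected files

    def load_identity(self, name: str, sample: bytes) -> None:
        # A data-only update (cf. "virus identity files"); scan() is unchanged.
        self.identities[digest(sample)] = name

    def allow(self, sample: bytes) -> None:
        self.allowlist.add(digest(sample))

    def scan(self, path: str, data: bytes) -> str:
        d = digest(data)
        if d in self.identities:
            finding = "known-bad:" + self.identities[d]
        elif path in self.baseline and self.baseline[path] != d:
            finding = "suspicious-change"
        else:
            return "clean"        # nothing recognized, nothing changed
        # The OK list is consulted only after one of the two checks fires.
        return "allowed" if d in self.allowlist else finding

def demo() -> dict:
    # All byte strings below are constructed placeholders, not real samples.
    reported, unreported = b"constructed-reported-sample", b"constructed-unreported-sample"
    s = Scanner(baseline={"system/hosts": b"original contents"})
    s.load_identity("Example.A", reported)
    s.allow(b"vendor-signed update")
    out = {
        "reported": s.scan("tmp/a.bin", reported),
        "unreported": s.scan("tmp/b.bin", unreported),
        "tampered": s.scan("system/hosts", b"altered contents"),
        "legit_update": s.scan("system/hosts", b"vendor-signed update"),
    }
    s.load_identity("Example.B", unreported)   # a customer submits the sample
    out["after_update"] = s.scan("tmp/b.bin", unreported)
    return out

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:13} {verdict}")
```

The `unreported` case returns `clean` until an identity for it is loaded, and an entry placed in the OK list turns a finding into `allowed`; for an auditor, that makes the identity and OK lists the data to review.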