Re: FC: More on Symantec, McAfee, loopholes, and espionage-enabled 'ware

13 Dec 2001

      I think the real answer lies at the intersection of
Annalee Newitz (another actually tech journalist besides Declan!:-)'s
answer and Adrian's.  Anti-virus software has two main techniques -
         - look for recognized bad stuff, and
         - look for suspicious changes to good stuff.
plus an anti-technique
         - look for recognized non-bad stuff if one of the previous
         techniques detects bad or suspicious activity.

If the targets of Magic Lantern don't suspect any virus-like problems
and report them to an anti-virus maker who can analyze its behaviour
and include it in the list of known bad stuff, Nothing Happens.
If the Magic Lantern authors are careful to cover up any changes
they make to important files so they don't look suspicious,
         "These aren't the viruses you're looking for.  Move along."
then they also duck the second detection technique.

The two obvious ways that the anti-virus companies could cooperate
with Evildoers, Federal or otherwise, are to actively not comply
with requests to include Evildoer things in their Bad Stuff lists
or to explicitly put recognizers for Evildoer stuff in the OK list.
But if the Feds and the Targets don't tell them what to look for,
then implicitly they usually would not be detected.

                         Bill Stewart
...
Date: Tue, 11 Dec 2001 12:21:49 -0800 (PST)
From: Annalee Newitz 
Subject: symantec's new position
To: declan@well.com
(you can post this if you like)
--- Declan McCullagh  wrote:
...
We've now heard contradictory reports from both
Symantec and McAfee, though
I'm inclined to believe McAfee's public,
on-the-record statements.
Declan, I've been interviewing "spokespeople" from
Symantec (they don't like to give out their real
names) about this issue for the past couple of weeks.
I finally got one to go on record saying very
specifically that "if a Symantec customer located a
copy of the Magic Lantern trojan horse virus and gave
us a copy, we would be obliged to filter for it with
our anti-virus software." In other words, their new
public position is that they will actively block
FBI-authored viruses. Interesting, no?
Annalee
=====
Annalee Newitz
tech * pop * sex
415.487.2559 - cell: 415.378.4498
www.techsploitation.com
**********
From: Adrian Alcock 
To: "'declan@well.com'" 
Subject: RE: Symantec, McAfee backpedal furiously on espionage enabled-sof
        tware
Date: Wed, 12 Dec 2001 10:30:21 +1100
Hi Declan.
"Despite subsequent reports to the contrary, officials at
Symantec Corp. (Nasdaq:SYMC - news) and Network Associates
Inc. (Nasdaq:NETA - news) said they had no intention of
voluntarily modifying their products to satisfy the
FBI. Spokesmen at two other computer security companies,
Japan-based Trend Micro Inc."
They probably wouldn't have to modify their product to suit the FBI.  I
don't use either Symantec's or NA's software, but I know that a Sophos
installation requires extra files (called "virus identity files") for each
new virus to be protected against.  Assuming that the same applies to McAfee
and Norton, then we would be concerned if they didn't alter their product to
identify the FBI's snoopware as it means they are doing nothing to identify,
let alone act on the threat.
Adrian