FC: More on Symantec, McAfee, loopholes, and espionage-enabled 'ware

Bill Stewart bill.stewart at pobox.com
Wed Dec 12 23:35:35 PST 2001


I think the real answer lies at the intersection of
Annalee Newitz (another actual tech journalist besides Declan!:-)'s
answer and Adrian's.  Anti-virus software has two main techniques -
         - look for recognized bad stuff, and
         - look for suspicious changes to good stuff.
plus an anti-technique
         - look for recognized non-bad stuff if one of the previous
         techniques detects bad or suspicious activity.

If the targets of Magic Lantern don't suspect any virus-like problems
and report them to an anti-virus maker who can analyze its behaviour
and include it in the list of known bad stuff, Nothing Happens.
If the Magic Lantern authors are careful to cover up any changes
they make to important files so they don't look suspicious,
         "These aren't the viruses you're looking for.  Move along."
then they also duck the second detection technique.

The two obvious ways that the anti-virus companies could cooperate
with Evildoers, Federal or otherwise, are to actively not comply
with requests to include Evildoer things in their Bad Stuff lists
or to explicitly put recognizers for Evildoer stuff in the OK list.
But if the Feds and the Targets don't tell them what to look for,
then implicitly they usually would not be detected.

                         Bill Stewart


>Date: Tue, 11 Dec 2001 12:21:49 -0800 (PST)
>From: Annalee Newitz <brainsploitation at yahoo.com>
>Subject: symantec's new position
>To: declan at well.com
>
>(you can post this if you like)
>
>--- Declan McCullagh <declan at well.com> wrote:
> > We've now heard contradictory reports from both
> > Symantec and McAfee, though
> > I'm inclined to believe McAfee's public,
> > on-the-record statements.
>
>Declan, I've been interviewing "spokespeople" from
>Symantec (they don't like to give out their real
>names) about this issue for the past couple of weeks.
>I finally got one to go on record saying very
>specifically that "if a Symantec customer located a
>copy of the Magic Lantern trojan horse virus and gave
>us a copy, we would be obliged to filter for it with
>our anti-virus software." In other words, their new
>public position is that they will actively block
>FBI-authored viruses. Interesting, no?
>
>Annalee
>
>=====
>Annalee Newitz
>tech * pop * sex
>415.487.2559 - cell: 415.378.4498
>www.techsploitation.com
>
>**********
>
>From: Adrian Alcock <adrian_alcock at presence.com.au>
>To: "'declan at well.com'" <declan at well.com>
>Subject: RE: Symantec, McAfee backpedal furiously on espionage enabled-software
>Date: Wed, 12 Dec 2001 10:30:21 +1100
>
>Hi Declan.
>
>"Despite subsequent reports to the contrary, officials at
>Symantec Corp. (Nasdaq:SYMC - news) and Network Associates
>Inc. (Nasdaq:NETA - news) said they had no intention of
>voluntarily modifying their products to satisfy the
>FBI. Spokesmen at two other computer security companies,
>Japan-based Trend Micro Inc."
>
>They probably wouldn't have to modify their product to suit the FBI.  I
>don't use either Symantec's or NA's software, but I know that a Sophos
>installation requires extra files (called "virus identity files") for each
>new virus to be protected against.  Assuming that the same applies to McAfee
>and Norton, then we would be concerned if they didn't alter their product to
>identify the FBI's snoopware as it means they are doing nothing to identify,
>let alone act on the threat.
>
>Adrian
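
Added illustration, not part of the original message or any vendor's code: a toy model of the two detection techniques and the OK-list "anti-technique" listed at the top of this message, showing which list entry decides each outcome. Exact SHA-256 matching stands in for real signature engines, and all names, paths and sample bytes are constructed for the example.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def scan(path, data, known_bad, baseline, known_ok):
    """Apply the three list-based checks to one file; return (verdict, reason)."""
    digest = sha256(data)
    reasons = []
    # Technique 1: recognized bad stuff (exact hash match stands in for a signature).
    if digest in known_bad:
        reasons.append("matches known-bad list")
    # Technique 2: suspicious change to a file that has a recorded baseline.
    if path in baseline and baseline[path] != digest:
        reasons.append("protected file differs from baseline")
    if not reasons:
        return ("clean", "not recognized and nothing changed")
    # Anti-technique: the OK list is consulted only after something was flagged.
    if digest in known_ok:
        return ("suppressed", reasons[0] + ", but hash is on the OK list")
    return ("alert", "; ".join(reasons))

# Constructed sample data: placeholder byte strings, not real files or samples.
CORE_V1 = b"original system library"
CORE_PATCHED = b"legitimately updated system library"
REPORTED = b"sample a customer submitted to the vendor"
UNREPORTED = b"program nobody has submitted to the vendor"

KNOWN_BAD = {sha256(REPORTED)}
BASELINE = {"/sys/core.lib": sha256(CORE_V1)}
KNOWN_OK = {sha256(CORE_PATCHED)}

def demo():
    """Verdict for each scenario in the message, keyed by a short label."""
    ok_with_exemption = KNOWN_OK | {sha256(REPORTED)}
    return {
        "reported sample": scan("/tmp/a", REPORTED, KNOWN_BAD, BASELINE, KNOWN_OK)[0],
        "unreported program": scan("/tmp/b", UNREPORTED, KNOWN_BAD, BASELINE, KNOWN_OK)[0],
        "unexplained change": scan("/sys/core.lib", b"altered", KNOWN_BAD, BASELINE, KNOWN_OK)[0],
        "legitimate update": scan("/sys/core.lib", CORE_PATCHED, KNOWN_BAD, BASELINE, KNOWN_OK)[0],
        "reported but OK-listed": scan("/tmp/a", REPORTED, KNOWN_BAD, BASELINE, ok_with_exemption)[0],
    }

if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:24} {verdict}")
```

In this model the "clean" and "suppressed" verdicts are the two places where a missing or added list entry silences detection, so changes to those lists are what an auditor would review.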




