[Reader-list] McAfee Virus Software Opens Your Computer to Feds
Harsh Kapoor
aiindex at mnet.fr
Fri Nov 30 05:28:53 IST 2001
Wired News
http://www.wired.com/news/privacy/0,1848,48648,00.html
Privacy Matters
2:00 p.m. Nov. 29, 2001 PST
'Lantern' Backdoor Flap Rages
By Declan McCullagh
8:25 a.m. Nov. 27, 2001 PST
WASHINGTON -- Network Associates has been snared in a web of
accusations over whether it will place backdoors for the U.S.
government in its security software.
Since Network Associates (NETA) makes popular security products,
including McAfee anti-virus software and Pretty Good Privacy
encryption software, reports of a special arrangement with the U.S.
government have drawn protests and threats of a boycott.
The flap started last week, when news reports began to appear about
an FBI project code-named "Magic Lantern." Details are sketchy, but
Magic Lantern reportedly works by masquerading as an innocent e-mail
attachment that will insert FBI spyware inside your computer.
In the past, the FBI has said publicly that agents have been
flummoxed by suspects using encryption, something that software such
as Magic Lantern could circumvent by secretly recording a passphrase
and secret encryption key, then forwarding the confidential data to
the feds.
An Associated Press article then reported that "at least one
antivirus software company, McAfee Corp., contacted the FBI ... to
ensure its software wouldn't inadvertently detect the bureau's
snooping software and alert a criminal suspect."
Condemnation from security mavens was quick and fierce. Columnist
Brett Glass echoed the Slashdot crowd when he said: "Network
Associates has shown that it is willing to compromise its integrity
by selling intentionally faulty products. For this reason, it is no
longer appropriate or wise for those concerned about the security of
their networks, systems or confidential data to use them."
Other security mavens pointed to free software projects such as
openvirus.org as more trustworthy alternatives to Network Associates'
McAfee anti-virus products, and GPG as a replacement for Network
Associates' PGP encryption software.
The criticism raised a well-known point in security circles: Security
software, including PGP and anti-virus products ware, is either
looking out for your interests or those of the government. It can't
do both.
But on Monday, Network Associates denied contacting the FBI.
In a statement released late in the day, a spokeswoman for the
company made four points: "1. Network Associates/McAfee.com
Corporation has not contacted the FBI, nor has the FBI contacted
NAI/McAfee.com Corp. regarding Magic Lantern. 2. We do not expect the
FBI to contact Network Associates/McAfee.com Corporation regarding
Magic Lantern."
The statement continued: "3. Network Associates/McAfee.com Corp. is
not going to speculate on Magic Lantern as it's (sic) existence has
not even been confirmed by the FBI or any government agency. 4.
Network Associates/McAfee.com Corporation does and will continue to
comply with any and all U.S. laws and legislation."
Sharp-eyed critics pointed to the narrowness of Network Associates'
denial: It did not rule out the possibility of conversations with the
White House, the Justice Department or even conversations with the
FBI about a product with identical capabilities that was not called
Magic Lantern. Network Associates also did not pledge to reject
future pleas from the FBI done in the absence of legislation making
backdoors mandatory.
In an e-mail, Network Associates was asked to clarify with this
question: "Can you assure ... that Network Associates/McAfee has not
had any contact with any law enforcement or intelligence agencies or
other government entities including Congress or the White House about
Magic Lantern or a product with capabilities it is reported to have?"
Tony Thompson, a spokesman for the company, replied: "You are
correct. We have not."
Thompson also rejected the possibility of any conversations with the
government between Network Associates or other anti-virus vendors
taking place informally through trade associations in Washington.
For his part, Ted Bridis, a veteran reporter for the Associated
Press, says he stands by his story from last week that reported the
link between the FBI and Network Associates.
Bridis wrote in an e-mail message Monday afternoon, "I stand by my
reporting for the AP. This information came from a senior company
officer. I won't identify this person in this post because I've been
unable to reach this person by phone or e-mail since the flap
erupted."
"I can't resolve what McAfee told me last week and today's
contradictory statement except to note the critical public response
against McAfee that emerged over the holiday weekend," Bridis added.
In a well-documented incident that was tried in court in New Jersey,
the FBI sneaked into an alleged mobster's office to implant PGP
password-sniffing software in his Windows computer. Since that
approach requires physical breaking and entering, FBI agents seem to
want to be able to bypass encryption without leaving their desks.
The feds have worked with technology companies in the past to insert
backdoors for surveillance and eavesdropping.
To gain an export license, IBM's Lotus subsidiary weakened the
encryption used in its Lotus Notes program so the U.S. government
could readily penetrate it. (All versions of Notes use 64-bit keys,
but export versions of Notes gave a portion of the key to the U.S.
government, allowing federal agencies to decode Notes-encrypted files
in real-time.)
In his 1982 book The Puzzle Palace, author James Bamford recounted
how the National Security Agency's predecessor coerced Western Union,
RCA, and ITT Communications to turn over telegraph traffic to the
feds in 1945.
"Cooperation may be expected for the complete intercept coverage of
this material," an internal agency memo said.
ITT and RCA gave the government full access, while Western Union
limited the number of messages it handed over. The arrangement,
according to Bamford, lasted at least two decades.
In 1995, The Baltimore Sun reported that for decades the NSA had
rigged the encryption products of Crypto, a Swiss firm, so U.S.
eavesdroppers could easily break their codes.
The six-part story, based on interviews with former employees and
company documents, said Crypto sold its security products to some 120
countries, including prime U.S. intelligence targets such as Iran,
Iraq, Libya and Yugoslavia. Crypto disputed the allegation.
--
More information about the reader-list
mailing list