[Reader-list] McAfee Virus Software Opens Your Computer to Feds

Harsh Kapoor aiindex at mnet.fr
Fri Nov 30 05:28:53 IST 2001


Wired News
http://www.wired.com/news/privacy/0,1848,48648,00.html
Privacy Matters
2:00 p.m. Nov. 29, 2001 PST

'Lantern' Backdoor Flap Rages
By Declan McCullagh
8:25 a.m. Nov. 27, 2001 PST	 	 
WASHINGTON -- Network Associates has been snared in a web of 
accusations over whether it will place backdoors for the U.S. 
government in its security software.

Since Network Associates (NETA) makes popular security products, 
including McAfee anti-virus software and Pretty Good Privacy 
encryption software, reports of a special arrangement with the U.S. 
government have drawn protests and threats of a boycott.

The flap started last week, when news reports began to appear about 
an FBI project code-named "Magic Lantern." Details are sketchy, but 
Magic Lantern reportedly works by masquerading as an innocent e-mail 
attachment that will insert FBI spyware inside your computer.

In the past, the FBI has said publicly that agents have been 
flummoxed by suspects using encryption, something that software such 
as Magic Lantern could circumvent by secretly recording a passphrase 
and secret encryption key, then forwarding the confidential data to 
the feds.

An Associated Press article then reported that "at least one 
antivirus software company, McAfee Corp., contacted the FBI ... to 
ensure its software wouldn't inadvertently detect the bureau's 
snooping software and alert a criminal suspect."

Condemnation from security mavens was quick and fierce. Columnist 
Brett Glass echoed the Slashdot crowd when he said: "Network 
Associates has shown that it is willing to compromise its integrity 
by selling intentionally faulty products. For this reason, it is no 
longer appropriate or wise for those concerned about the security of 
their networks, systems or confidential data to use them."

Other security mavens pointed to free software projects such as 
openvirus.org as more trustworthy alternatives to Network Associates' 
McAfee anti-virus products, and GPG as a replacement for Network 
Associates' PGP encryption software.

The criticism raised a well-known point in security circles: Security 
software, including PGP and anti-virus products ware, is either 
looking out for your interests or those of the government. It can't 
do both.

But on Monday, Network Associates denied contacting the FBI.

In a statement released late in the day, a spokeswoman for the 
company made four points: "1. Network Associates/McAfee.com 
Corporation has not contacted the FBI, nor has the FBI contacted 
NAI/McAfee.com Corp. regarding Magic Lantern. 2. We do not expect the 
FBI to contact Network Associates/McAfee.com Corporation regarding 
Magic Lantern."

The statement continued: "3. Network Associates/McAfee.com Corp. is 
not going to speculate on Magic Lantern as it's (sic) existence has 
not even been confirmed by the FBI or any government agency. 4. 
Network Associates/McAfee.com Corporation does and will continue to 
comply with any and all U.S. laws and legislation."

Sharp-eyed critics pointed to the narrowness of Network Associates' 
denial: It did not rule out the possibility of conversations with the 
White House, the Justice Department or even conversations with the 
FBI about a product with identical capabilities that was not called 
Magic Lantern. Network Associates also did not pledge to reject 
future pleas from the FBI done in the absence of legislation making 
backdoors mandatory.
In an e-mail, Network Associates was asked to clarify with this 
question: "Can you assure ... that Network Associates/McAfee has not 
had any contact with any law enforcement or intelligence agencies or 
other government entities including Congress or the White House about 
Magic Lantern or a product with capabilities it is reported to have?"

Tony Thompson, a spokesman for the company, replied: "You are 
correct. We have not."

Thompson also rejected the possibility of any conversations with the 
government between Network Associates or other anti-virus vendors 
taking place informally through trade associations in Washington.

For his part, Ted Bridis, a veteran reporter for the Associated 
Press, says he stands by his story from last week that reported the 
link between the FBI and Network Associates.

Bridis wrote in an e-mail message Monday afternoon, "I stand by my 
reporting for the AP. This information came from a senior company 
officer. I won't identify this person in this post because I've been 
unable to reach this person by phone or e-mail since the flap 
erupted."

"I can't resolve what McAfee told me last week and today's 
contradictory statement except to note the critical public response 
against McAfee that emerged over the holiday weekend," Bridis added.

In a well-documented incident that was tried in court in New Jersey, 
the FBI sneaked into an alleged mobster's office to implant PGP 
password-sniffing software in his Windows computer. Since that 
approach requires physical breaking and entering, FBI agents seem to 
want to be able to bypass encryption without leaving their desks.

The feds have worked with technology companies in the past to insert 
backdoors for surveillance and eavesdropping.

To gain an export license, IBM's Lotus subsidiary weakened the 
encryption used in its Lotus Notes program so the U.S. government 
could readily penetrate it. (All versions of Notes use 64-bit keys, 
but export versions of Notes gave a portion of the key to the U.S. 
government, allowing federal agencies to decode Notes-encrypted files 
in real-time.)

In his 1982 book The Puzzle Palace, author James Bamford recounted 
how the National Security Agency's predecessor coerced Western Union, 
RCA, and ITT Communications to turn over telegraph traffic to the 
feds in 1945.

"Cooperation may be expected for the complete intercept coverage of 
this material," an internal agency memo said.

ITT and RCA gave the government full access, while Western Union 
limited the number of messages it handed over. The arrangement, 
according to Bamford, lasted at least two decades.

In 1995, The Baltimore Sun reported that for decades the NSA had 
rigged the encryption products of Crypto, a Swiss firm, so U.S. 
eavesdroppers could easily break their codes.

The six-part story, based on interviews with former employees and 
company documents, said Crypto sold its security products to some 120 
countries, including prime U.S. intelligence targets such as Iran, 
Iraq, Libya and Yugoslavia. Crypto disputed the allegation.


-- 



More information about the reader-list mailing list