[infowar.de] Re: Magic Lantern reality check
Infowar.de, http://userpage.fu-berlin.de/~bendrath/liste.html
-------------------------------------------------------------
An anti-virus software maker's thoughts on the consequences of Magic Lantern.

Regards, Myriam
'Magic Lantern' Rubs the Wrong Way
http://www.securityfocus.com/columnists/44
Anti-virus products could detect the FBI's new spyware. But should they?
By Shane Coursen
Dec 3 2001 1:01AM PT
The notion of programming anti-virus software to deliberately ignore a particular program, despite malicious characteristics, is nothing new. Many mainstream AV software packages have a built-in capability to ignore, commonly referred to as "exclusion." Exclusion helps AV software avoid false positives, helps to avoid unnecessarily scanning files that are too small to carry any known virus, helps to ignore files that are marked as "known clean," and has even helped an anti-virus company or two to avoid a lawsuit. In short, exclusion is helpful because it necessarily helps a processor-intensive application to run more efficiently.
Exclusion as we know it could be redefined, however, with the advent of a program named Magic Lantern. As first reported by MSNBC, Magic Lantern is a program under development by the FBI that watches and records end-users' keystrokes. The goal is to catch the passphrase of an otherwise uncrackable cipher from a bad guy's system.

Magic Lantern clearly falls in the category of malicious software. Specifically, it's a Trojan horse, in the same class as Back Orifice and Sub Seven.

The FBI creating such a program shouldn't come as a shock. Three-letter agencies of all sorts make no bones of the fact that they must regularly do things that many would consider less than savory. To get to the bad guys, you sometimes have to become a bad guy. With the news of Magic Lantern, the public may now add "creation of software that would otherwise be considered malicious" to the list of nasty, yet supposedly necessary, work of the U.S. government.

But the anti-virus industry is directly affected by the FBI's move. Since the beginning, our job definition has been to protect end-users from attacks of computer viruses and other malicious software. With Magic Lantern, there is a possibility that we might be asked to look the other way.

Anticipating this, anti-virus firms are already forming their positions. Symantec has gone on the record as saying they would cooperate with the FBI, and give Magic Lantern immunity from detection. Sophos would not. McAfee's position depends on which report you read.

There is precedent for private companies voluntarily assisting the U.S. in national security matters -- as early as 1945, Western Union, RCA and ITT were routinely passing confidential international telegraph traffic to the government. But until now, the gift of assistance has generally been agreed upon on a case-by-case basis. Never before has the possibility of a wide-blanket government directive presented itself so quickly and forcefully.
Game Over
If we avoid detecting the Magic Lantern program, law enforcement agencies stand a chance to effortlessly retrieve sensitive pieces of information from a bad guy's computer. At first glance it appears to be a noble idea.
But what would we lose in the process?

There is no clear ethical code of conduct to guide us in this. As I've argued before, advancements in computer software technology have outpaced the ability to devise an ethic de rigueur in the industry.

However, marketing forces can offer us a little clarity.

Governments around the world on many levels rely on "made in the USA" anti-virus software to protect critical infrastructure. Will the world continue to trust U.S.-based software if we purposely design flaws in the software at the request of our government?
International associations and alliances shift, after all, sometimes quickly and drastically. What if a country suddenly fell out of favor for allegedly performing a terrorist act? Now, just as suddenly, every computer in that country, with its backdoored anti-virus program, is wide open to attack by the U.S.
However unlikely this scenario may be, the mere possibility would turn collusion with the FBI into the mark of Cain for the U.S. anti-virus industry. If U.S.-based companies are ultimately compelled by court order to work along with law enforcement agencies, the result would be the same, at least in the international market.
And, of course, Magic Lantern cannot be made to work with limited cooperation. If just one anti-virus software product detects Magic Lantern, the game is over.
Due to the international nature of anti-virus software, it simply may not be possible for the anti-virus industry as a whole to lend the blind eye the FBI would like.

This is more than just an academic issue for me. As CEO of WildList Organization International, it's my job to collect malicious code sent in by WLO participants around the world. When two or more participants report the same virus, the virus is placed on our official list of viruses spotted "In the Wild." Likewise, Trojan horses are added to our official 'TrojanList'.

Certification agencies use data from WildList Organization International when testing anti-virus products. So if Magic Lantern were to show up on one of our lists, detection of it could become a litmus test for anti-virus product certification.

So what would I do? Since at least two WLO participants would have to spot Magic Lantern independently, i.e., fall under FBI surveillance, the odds are I'll never have to make that decision. But however noble the FBI's intentions, if WLO ever decided to purposely not list a program, then its effectiveness would be called into question forever. Absent legal compulsion, that won't happen on my watch.
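Added example, not part of Coursen's column and not the code of any anti-virus product: a toy signature scanner in Python that implements the two legitimate exclusions the column's opening paragraph describes (a size floor below which no known sample fits, and a "known clean" hash allowlist that silences a false positive) beside a third kind, a suppressed detection name, which is the Magic Lantern case. Two hypothetical vendor profiles share the same signatures and differ only in that suppression, which shows the column's "one product detects it, game over" point. Every file, byte pattern, hash, detection name and vendor name below is constructed for the example.

```python
"""Added example: a toy signature scanner with exclusion rules.

Legitimate exclusions (size floor, known-clean allowlist) make scanning
cheaper or quieter; a suppressed signature makes a detected file look
clean. All samples, signatures and vendor profiles below are constructed
for illustration and are not real malware or real product behaviour."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# Constructed sample files (name -> content). The "MZ" prefix mimics a PE header;
# the marker string stands in for a keystroke-recording routine.
SAMPLES = {
    "notes.txt": b"Minutes of the Monday meeting: budget review, hiring plan and the Q4 roadmap.",
    "tiny.bin": b"\x00\x01",  # below the size floor, never scanned
    "keylogger.exe": b"MZ" + b"\x90" * 40 + b"HOOK_KEYBOARD:record_keystrokes_to_hidden_log" + b"\x00" * 20,
    "av_selftest.exe": b"MZ" + b"\x90" * 40 + b"HOOK_KEYBOARD:record_keystrokes (self-test string)" + b"\x00" * 20,
}

# Constructed byte-pattern signatures (detection name -> pattern).
SIGNATURES = {"Trojan.Keylogger.Toy": b"HOOK_KEYBOARD:record_keystrokes"}

MIN_INFECTABLE_SIZE = 64  # bytes; nothing smaller can carry any sample above


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Exclusions:
    """Exclusion policy of one hypothetical vendor's product."""
    known_clean_hashes: set[str] = field(default_factory=set)     # vetted false positives
    suppressed_signatures: set[str] = field(default_factory=set)  # deliberate blind spots


def scan(files: dict[str, bytes], signatures: dict[str, bytes], exclusions: Exclusions,
         min_size: int = MIN_INFECTABLE_SIZE) -> dict[str, str]:
    """Return a verdict per file: 'skipped:<reason>', 'clean' or 'detected:<name>'."""
    verdicts = {}
    for name, data in files.items():
        if len(data) < min_size:
            verdicts[name] = "skipped:too-small"
            continue
        if sha256_hex(data) in exclusions.known_clean_hashes:
            verdicts[name] = "skipped:known-clean"
            continue
        hit = next((sig for sig, pattern in signatures.items() if pattern in data), None)
        if hit is None or hit in exclusions.suppressed_signatures:
            # A suppressed signature is indistinguishable from "clean" to the user:
            # the pattern matches, but the product stays silent.
            verdicts[name] = "clean"
        else:
            verdicts[name] = f"detected:{hit}"
    return verdicts


# Two constructed vendor profiles. Both allowlist the self-test binary by hash
# (a legitimate exclusion); only one suppresses the keylogger signature.
VENDORS = {
    "cooperating": Exclusions(
        known_clean_hashes={sha256_hex(SAMPLES["av_selftest.exe"])},
        suppressed_signatures={"Trojan.Keylogger.Toy"},
    ),
    "independent": Exclusions(
        known_clean_hashes={sha256_hex(SAMPLES["av_selftest.exe"])},
    ),
}


def vendor_verdicts() -> dict[str, dict[str, str]]:
    return {vendor: scan(SAMPLES, SIGNATURES, excl) for vendor, excl in VENDORS.items()}


def detected_anywhere(filename: str) -> bool:
    """The column's 'game over' condition: one non-cooperating product is enough."""
    return any(v[filename].startswith("detected:") for v in vendor_verdicts().values())


if __name__ == "__main__":
    for vendor, verdicts in vendor_verdicts().items():
        print(vendor, verdicts)
    print("keylogger.exe detected by at least one product:", detected_anywhere("keylogger.exe"))
```

The point the code makes is that a suppressed signature and a genuinely clean file produce the same verdict, so the only way a user learns the difference is a second product that does not carry the suppression; the size floor and hash allowlist, by contrast, are visible in the configuration and apply to files, not to detection names.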
---------------------------------------------------------------
To leave the list: send mail to infowar - de-request -! - infopeace - de with "unsubscribe" in the body.