Slashdot Mirror

AJ Mexico writes, "[Friday] McAfee released an anti-virus update that contained an anomaly in the DAT file that caused many important files to be deleted from affected systems. At my company, tens of thousands of files were deleted from dozens of servers and around 2000 user machines. Affected applications included MS Office, and products from IBM (Rational), GreenHills, MS Office, Ansys, Adobe, Autocad, Hyperion, Win MPM, MS Shared, MapInfo, Macromedia, MySQL, CA, Cold Fusion, ATI, FTP Voyager, Visual Studio, PTC, ADS, FEMAP, STAT, Rational.Apparently the DAT file targeted mostly, if not exclusively, DLLs and EXE files." An anonymous reader added, "Already, the SANS Internet Storm Center received a number of notes from distressed sysadmins reporting thousands of deleted or quarantined files. McAfee in response released advice to restore the files. Users who configured McAfee to delete files are left with using backups (we all got good backups... or?) or System restore."

jurt1235 writes "McAfee reports that a Linux worm has been found in the wild. The Linux/Lupper.worm is a derivative of the Linux/Slapper worm which also exists for BSD, just to be crossplatform. From the McAfee description: The worm blindly attacks web servers by sending malicious http requests on port 80. If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed."

UnderAttack writes "This morning, the SANS Internet Storm Center posted a note about an increase in ICMP traffic, including a quick initial analysis. As it turns out, yet another worm, this time the W32/Nachi.worm, is going around taking advantage of the RPC DCOM vulnerability. The twist this time: the worm will actually clean up machines. It tries to download the correct patches from Windows Update and remove the Blaster worm."

A few months ago, PGP creator Phil Zimmermann became a reseller for the current graphical version of the software he originally spawned, produced by PGP Corporation. Now, Zimmermann has just started selling through his own website a modern command-line encryption product called FileCrypt, which has its roots in an older version of PGP. Confusingly enough, this software is produced by a company called (Veridis), and doesn't say PGP on the box, because legally it can't. Network Associates, which acquired PGP Inc. in 1997, still holds the rights to that name; when NAI spun off PGP to PGP Corporation in 2002, they held onto the command-line version. PGP Corporation, for whom Zimmermann serves as a technical advisor (as well as a reseller), is contractually unable to sell a command-line version. (He is on the board of Veridis as well.) But why introduce a text-only version of utility software, anyway, when the GUI-fied desktop version has been maturing for years and costs less? Update: 02/07 23:07 GMT by T : Here are three instant clarifications: PGP Corporation was misrendered as "Open PGP" in this paragraph; Veridis' command line product was inspired by PGP but independently created; its codebase is separate from NAI's version of PGP; and the rights holder to the PGP name is PGP Corporation, not NAI.

They aren't paying for a pretty logo. The real reason is that the GUI version of PGP (along with other graphical encryption software, like the GNU Privacy Guard) aren't even in the same market.

Casual computer users have never laid out much money for encryption. The widespread use of PGP in its original incarnation (during the era of Zimmermann's prosecution for allowing it to be exported) can be attributed as much to its zero-dollars price as to a generalized interest in privacy. Home and hobby users are not cut out from buying Veridis's software -- for about a hundred dollars, you can buy a personal use version of the command-line version. The real money isn't in individuals keeping their tax records private, though -- Zimmermann and Veridis, like NAI (whose PGP-based product is called E-Business Server) are really aiming at commercial and governmental datacenters, and for customers willing to accept a much higher pricetag.

Insurance companies, banks, credit card processing centers, state records -- anywhere financial or otherwise confidential records are exchanged or stored en masse -- these all need encryption which works at the command-line. More precisely, they need crypto software which can work without direct human intervention at all. Instead, massive data centers need tools which can be called by scripts and other programs, so servers, or server farms, can spend their time crunching numbers rather than drawing pictures.

The name is familiar ... The commercial competition FileCrypt faces is familial -- it's the same product from NAI (sold from their McAffee division) that prevents Zimmermann and Veridis from calling their software PGP, even though NAI now labels their product E-Business Server. And though many companies have homegrown cryptographic solutions, Zimmermann says he knows of no other packaged software offering the high-volume encryption that the products from NAI or Veridis do.

And, he emphasizes, what they do is very similar. He says of the Veridis command-line product compared to NAI's, "It's drop-in compatible, identical in operation ... you could run the same perl scripts, the same command-line arguments."

If you want to buy Veridis' encryption software licensed for electronic commerce (not one-person use), hold onto your wallet: the price jumps about 50 times, to a shade under $5000, which Zimmermann describes as a bargain -- at least compared to the competition.

(Prices on the McAfee website show a one-year subscription-based license for E-Business Server starting at $6,875; $14,375 buys a perpetual license, with no included support.)

Both sides of that fence. And of competing in this case with a product that originated from his own crypto software (and his own company, PGP Inc.), Zimmermann says "I just don't really think of that as my product any more. It's in the hands of NAI, all the engineers have been fired. I just don't feel psychologically connected to that product." To look and not to sell. Especially when it comes to cryptographic software, code openness is considered not just a virtue but a near necessity. Peer-review and independent auditing, after all, are about the only ways you can tell that software isn't shuttling credit card numbers to the wrong person.

The business model of selling high-priced crypto software at thousands of dollars per processor doesn't mesh well with gratis software, though. To that end, Zimmermann says the FileCrypt code will be soon be available for download and inspection under terms which he says will be similar to those under which users can download the code for PGP Corporation's version of the PGP-based desktop software. (PGP Corporation's terms are available though their source code page).

Duncan Findlay writes "Network Associates Inc. has just acquired Deersoft, Inc., which is known by many as the creator of SpamAssassin Pro, the proprietary (Windows) version of the GPL/PAL licensed SpamAssassin (Mirrors: Eastern US, Europe). It seems that we may see parts of SpamAssassin under the McAfee name within 6 months. You can also read the story at Yahoo or at Reuters. Unfortunately, the SpamAssassin trademark was owned by Deersoft, so hypothetically, NAI could force us to call the Open Source project something else!"

ShaunC writes "CNet is reporting that Network Associates has just purchased a software company called Traxess, whose main product - DragNet - supposedly makes Carnivore look like a toy. DragNet is capable of monitoring everything from email to web, FTP sessions to IMs, even print jobs and VOIP conversations; sorting the protocols and logging it all to disk at gigabit speeds. One NAI exec envisions "the government using it to investigate employees and hackers." NAI has also issued a press release about DragNet."

ShaunC writes "CNet is reporting that Network Associates has just purchased a software company called Traxess, whose main product - DragNet - supposedly makes Carnivore look like a toy. DragNet is capable of monitoring everything from email to web, FTP sessions to IMs, even print jobs and VOIP conversations; sorting the protocols and logging it all to disk at gigabit speeds. One NAI exec envisions "the government using it to investigate employees and hackers." NAI has also issued a press release about DragNet."

lowy writes "PGP Corporation, the 'new company with a long history' today announced that it has received $14 Million in funding and acquired the PGP Desktop and Wireless encryption product lines from Network Associates, Inc." PGP Corporation issued five press releases today, but we'll forgive it because it actually has products to sell, promises to keep offering a freeware version, and is taking on tech support for existing customers. Also, the email from NAI to its customers follows.

August 19, 2002

Dear Customer,

Today we are pleased to announce that PGP Corporation, a newly formed, venture-funded security company, has acquired the PGP desktop encryption and wireless product lines from Network Associates. As you know, prior to placing the products into maintenance mode, we were actively looking for a buyer that would continue the development and support of the technology.

Network Associates has retained products developed using PGPsdk including McAfee E-Business Server for encrypted server-to-server file transfer, McAfee Desktop Firewall and McAfee VPN Client. These products will remain a part of Network Associates existing product portfolio and we will continue to develop them to meet your security needs. PGP Corporation has acquired PGPmail, PGPfile, PGPdisk, PGPwireless, PGPadmin and PGPkeyserver encryption software products for Win32 and Macintosh, PGPsdk encryption software development kit, and PGP Corporate Desktop for Macintosh.

In addition to the technology, PGP Corporation has acquired all worldwide customer license agreements and technical support obligations. To ensure a seamless transition, Network Associates will work with PGP Corporation to support PGP customers through October 26, 2002. PGP Corporation will contact you shortly with details on its plans and product direction.

We trust that you will have continued success with the PGP desktop and wireless encryption products through PGP Corporation. Network Associates appreciates your business and we value our continued relationship across our remaining product lines.

broody writes "NewsForge has an interesting article detailing Phillip R Zimmermann's lament at selling PGP. Since he cannot afford to buy it back outright, he is pushing for Network Associates to 'open source' it. Well, the GUI and SDK anyway. I'll say this, he's an interesting little capitalist."

The sleaze has gotten out of hand; it's time to roast a group of 20 or so companies whose profits are directly linked to creating fear in their customers, who have to keep discovering new sources of fear to improve their bottom line - or in the absence of new discoveries, keep inventing new sources of fear. Yes, it's time to take on the anti-virus software vendors.

The latest "news" to come out of the AV industry is New Virus Infects Picture Files. McAfee put up their description and made sure to issue a wide-spread press release to stir up some interest. McAfee's spokesdrone fans the flames:

• "Potentially no file type could be safe."
  
  That evolution should make computer users think twice about sending pictures or any other media over the Internet, Gullotto said.
  
  "Going forward, we may have to rethink about distributing JPGs."

Now, if you know much about computing, you may be a little suspicious of this. JPEGs are compressed image files that only contain data representing an image to be displayed, not code to be executed. A modification of that data might screw up the picture of your cat dangling from the edge of the kitchen table you like so much, but it won't turn the image into a potential virus transmitter, because the programs that display JPEGs don't read them with an eye toward executing the code. An image file is just data to be displayed. The line between "data" and "code" is a little bit fuzzy - often particular characters or a particular file can be both data and code, depending on the context of how other code handles it. Or a particular file can include both data and code separately, like a Microsoft Word file that includes data (your text) and code (some macro designed to be executed by Word when the document is opened).

But for JPEGs there's a well-designed standard, and it doesn't include executing code of any sort. If a JPEG-handling program doesn't like the data it sees, it should just stop trying to display the image, not decide to start executing code from the image. JPEGs are mostly harmless.

McAfee's claim of a virus spread through JPEGs requires one essential element: you have to have already been infected by ANOTHER virus transmitted by some actual executable code. What it comes down to is:

Once you're infected with a virus, the virus can set you up to be infected by other viruses.

No shit, Sherlock. Once you have enemy code running on your system, you're toast. A virus could alter Microsoft Word so that opening any Word document at all would erase every file on your hard drive, making every single Word document in existence a deadly threat -- to you, and to you alone. But this isn't a new virus threat of any sort. It isn't a breakthrough. It's a consequence of being infected, not a new method of being infected.

Two weeks ago, we ran a story about a cross-platform virus. Like this one, it didn't really exist in the wild. Like this one, it was mainly a PR ploy (by Symantec, in that case). But we thought it had at least some minimal technical interest as a bit of code that would run under Windows or Linux.

McAfee and Symantec (and all the other AV vendors out there) are waging a PR war to "discover" ever more news-worthy viruses to defend against. To get maximum coverage, your new virus needs to do something unique or different -- make your computer turn green, or infect something previously uninfectable, or whatever it might be. Compare this to Klez, a very basic virus similar in most ways to viruses that have gone before, which is still out there looting and pillaging tens of thousands of computers every day, but isn't ideal for AV vendors because they don't have a monopoly on the cure.

The press is catching on, to some tiny extent at least, that most virus alerts are fictitious and just designed to drum up business for the vendors. But it's far easier to repurpose a vendor's press release and call it a story than to dig into real threats that exist on the Internet, and the causes of those threats. Today, like last year and the year before and five years ago, there are major email-borne virus threats out there. (There are still old-school viruses out there too, transmitted by sneaker-net or by downloading suspicious software, but email is clearly the way to go for the discriminating virus creator.) All the real email virus threats share a few distinguishing characteristics:

• They only affect Microsoft Windows. If you aren't running Windows, you are safe.
• They're usually transmitted by email. If you know enough on your own, or you've had a half-hour class in "Email 101", you should be able to avoid executing random files received by email.
• They auto-execute in Microsoft Outlook or Outlook Express. Microsoft has finally made some progress, after many years, in reducing the vulnerability of their flagship email programs. So if you have a recent or fully-updated version of these programs, you may not be as vulnerable as people running older versions. Nevertheless, this was (and still is, since so many people don't have recent or fully-updated versions) a primary vector.

And that's really it. If you don't run Windows, you're safe. If you have basic email skills, you're safe. If you don't run Outlook, you're safe. That's the story of modern viruses, and fortunately or un-, it's a pretty boring one.

McAfee, and Symantec, and everyone else involved in the anti-virus FUD business: lay off. I mean that literally, as in, "Lay off the people you employ for the purpose of drumming up new virus threats." Lay off the public relations people you employ to say things like, "We may have to rethink about distributing JPGs." Lay off the BS. There's a real market for your product, people who (for whatever reason) are using Windows and/or Outlook, and haven't received the half-hour training course necessary to avoid viruses. You can market to them based on your fast responses to real virus threats - you don't need to manufacture any more.

rick_campbell writes "CNN is carrying an article about Phil Zimmerman and the fact that Network Associates is dropping support for the commercial version of Pretty Good Privacy. The article includes a little bit of Phil's take on the situation, a little history and some discussion of why this happened and what alternatives exist."

Tomcat666 sends in: "The Register got some excerpts from an interview with Phil Zimmerman. He talks about how it might be possible to save PGP (Network Associates couldn't sell it, and will stop its development), OpenPGP and the future (industry-backed OpenPGP?)." A follow-up to our story yesterday about Network Associates mothballing PGP.

An Anonymous Coward writes: "Network Associates announced today that they are ceasing development of most of the PGP product line, including PGPMail and PGP Desktop Encryption software. This was apparently due to disappointing sales of the products. See the FAQ for more information on what's being killed and what's being kept." Another anonymous and unverified submitter says, "The entire PGP Business Unit was axed more or less wholesale. I guess selling encryption doesn't really make money. I worked there up until today and somewhere around 250 of the 300 employees were clipped."

Slashback brings you updates and additional notes on recent Slashdot stories. Tonight that means more on computers playing chess, on judges who don't like being monitored in the workplace (too bad!), and on the (less totally spectactular, still bad) cracking of 802-Errr, something.

Sargon Deep Fritz playing a person may be more cutting edge (and take a lot more processor power), but it seems like an awful lot of resources to spend on playing chess. Alex Bischoff writes: "From the February 1983 issue of "Your Computer", it's chess in 1 KB (for your brand-new ZX-81)."

But sir, even the judges are objecting! saulgood writes "the NY Times is carrying a further article here, about the revolt amongst some judges over their ability to look at Britney Spears and download Metalica mp3's at work... that's right - Power to the People Baby!!! No justice, No peace..."

Take that -- no, please, take that. Bob Lee writes:

"I authored the open source program Code Red Vigilante. This is an open effort to inform the public about the dangers of the Code Red worms and to specifically notify the owners of infected machines ... Vigilante is featured on Incidents.org, OnJava.com, TheServerSide.com, and it will be on the ScreenSavers on TechTV on next Monday.

Not to put too fine a point on it ... Jeffrey Fanelli of Sniffer Technologies writes: "Just to clarify on your story, that intern didn't crack 802.11x, but WEP in a 802.11b environment. 802.11x is a recently developed standard extension to Radius and 802.11 to allow for dynamic keys to be generated per user session. 802.11x uses the same WEP RC4 encryption, but makes it far more difficult to crack given the fact that all nodes associated with a particular Access Point will have a unique session based KEY (a key which, I might add, the user of the Mobile Unit in question cannot themselves identify).

Network Associates today issued a press release stating that it "has been granted a full license by the U.S. Government to export its market-leading PGP encryption software, ending a decades-old ban on the export of strong encryption products." InfoWorld says export to countries like Cuba and Iraq is still forbidden, and more details are coming Wednesday. But: finally!

Woodie asks: "Hi,I'm wondering, after reading Dvorak's article on crackers , whether good intrustion detection software exists for Linux. He specifically mentions a product called "BlackICE" - which I checked out the details of - that sounds very interesting. What Linux alternatives are there? I'm not necessarily expecting an easy to use GUI; some kind background daemon that generates a usable log and that can be preconfigured to respond to certain "attacks" would be great. " How reliable are the results from various Intrusion Detection packages? Are these things worthwhile? Or would do-it-yourself monitors be a better choice?

Update: 11/03 11:58 by C : Jargon was also interested in Linux Intrusion Detection and was curious if there were Linux contenders to the likes of Cybercop Sting, and Mantrap"

Kathleen Ellis, editor of the Privacy News Portal, has written an excellent feature about how The President's Export Council Subcommittee on Encryption (PECSENC) has recommended dropping almost all export controls on strong crypto, and why it is unlikely that this group's recommendations will be acted on in any meaningful way. (More below)

White House Subcommittee Endorses Crypto Reform.
Will Someone Please Listen?
By Kathleen Ellis

Another shot was fired in one of the longest-lasting and most contentious battles regarding Internet policy last Wednesday, when a White House advisory subcommittee announced it has recommended that the Clinton Administration all but reverse its restrictive stance on the export of encryption products.

The President's Export Council Subcommittee on Encryption (PECSENC) was formed earlier this year by the White House to provide guidance in the U.S. Government's development of encryption policy, which has been the subject of heated debate. As many Slashdot readers already know, the government has insisted for years that liberalizing encryption export could cause serious problems for national security by giving terrorists and criminals access to the technology. Of course, net activists and industry folk assert that the right to privacy supercedes the wishes of any bureaucrat, and that terrorists and criminals can just as easily get their crypto from any other country that does not restrict cryptographic exports.

Critics of the Administration's policy had expected to gain little support through the subcommittee's recommendations. William Crowell, the subcommittee's chairman, is currently President and CEO of Cylink Corporation, an internet security firm, but previously served as Deputy Director for the National Security Agency. Several committee members also had ties to law enforcement or other government agencies; Stewart Baker, an attorney with the Washington-based Steptoe & Johnson, is former general counsel to the NSA and is a vocal opponent of loosening restrictions on encryption. Steve Walker is former president of Trusted Information Systems (now owned by Network Associates), a leading producer of key escrowed encryption products, which the FBI has lobbied to make mandatory even for domestic use.

Despite these ties, however, the subcommittee cited a need for the U.S. government to "recognize market realities" and reverse its course on encryption policy. Among its recommendations:

- License-Free Zones: Recognizing that the European Union is planning to drop all cryptographic export rules between member countries, the US should likewise identify a list of countries which do not pose any major terrorist threat, and allow encryption export (hardware and software products) without a license.

- On-Line Merchants: On-line merchants based in other countries will be added to the list of business types permitted to have encryption products exported to them from the US. Banks and a limited number of other financial institutions currently enjoy this license exception.

- Mass-market hardware and software: Mass-market products which utilize up to 128-bit key length triple DES will enjoy license exception. "The US government should recognize the difficulty of controlling mass-market products once they are allowed to be exported to even limited sectors".

The subcommittee also suggests eliminating cumbersome reporting requirements for manufacturers of encryption products, as well as removal of source code, cryptographic Application Programming Interfaces and devices such as encrypting routers from the list of restricted technologies.

So cypherpunks across the nation will soon be free to export their code at will? Subcommittee chairman William Crowell is hesitant to say yes. "The Administration will have its own ideas about which of these recommendations are implementable. Vice President Gore has said that the administration would consider additional liberalization over what they announced last year, so it was important to get these recommendations to the table while they were thinking about it". He expects that the administration will make further changes to its export policy based on the recommendations sometime in September.

There are other signs of change on the horizon regarding the government's attitude toward encryption. The successor to the current Data Encryption Standard algorithm, which will be used by the U.S. Government for a multitude of purposes, will be chosen by the National Institute of Standards and Technology with the next few months. Four out of the five Advanced Encryption Standard finalists were developed, at least in part, by cryptographers based overseas or holding foreign citizenships. The fact that such decisions could be made by NIST requires the acknowledgement, at least on some level, that good encryption can be produced in countries not affected by U.S. export law, and hence, can be made available around the world.

However, one prominent activist is still skeptical about the potential effect this announcement may actually have on U.S. policy. "This doesn't change policy, this is just yet another group that has come forward and said 'the U.S. policy is abysmal, it needs to be scrapped'" says David Banisar, Deputy Director of Privacy International, and co-author of "The Electronic Privacy Papers". "Many distinguished groups in the past have made similar recommendations...the Clinton Administration has thus far rejected any attempts to dramatically reform export control laws".

Banisar likened the potential influence of the PECSENC recommendations to those of a report published by the National Research Council in 1996. Much more conservative than the PECSENC subcommittee's suggestions, "Cryptography's Role In Securing the Information Society" was written by a committee comprised of government officials, representatives from the computing industry, and academics. The NRC committee's recommendation that 56-bit DES encryption took two years for the Bureau of Export Administration to implement, and many of the other valuable points in the report have never been implemented. The NRC report suggested that U.S. policy should take into account the "nonconfidentiality uses" encryption has to offer. U.S. policy still does not support the use of encryption for the purposes of authentication, which the committee identified as an "important crime-fighting measure". Indeed, one would think that the F.B.I. and the Department of Commerce would hasten to encourage the use of such technologies.

Banisar also expressed concerns about the provisions favoring online merchants. "The e-commerce exports have already been promised to online merchants...they will get what they want, which helps the Clinton Administration divide and conquer their opposition". Banisar stated that civil libertarians lost a powerful lobbying ally when banks were granted the same licensing exemptions now promised to entrepreneurs online. "When a wealthier group gets what they want, they stop fighting, and the everyday users get screwed."

It also seems that the recommendations do not go far enough to help the people who need encryption technology most. Barbara Simons is President of the Association for Computing Machinery and one of the members of the PECSENC committee. "It appears that the recommendations don't address the needs of people working for human rights in countries with repressive regimes," she says.

The human rights issue is a valid one within the debate on U.S. encryption policy. The American Association for the Advancement of Science's Cryptography, Scientific Freedom, and Human Rights program trains human rights workers to use encryption technology in countries like Guatemala and China, where oppressive governments have a way of making insurrectionists disappear. A letter from AAAS to the House or Representatives Committee on International relations states that "human rights activists are killed, tortured, disappeared and jailed for trying to expose horrendous abuses...[they] use encryption to protect themselves, the victims and eyewitnesses they are interviewing, and human rights colleagues around the world when they communicate sensitive information on grave abuses of human rights".

It would be wise and compassionate for the Clinton Administration to authorize a new class of license exceptions for human rights workers travelling into countries that don't fall under the "favored nations" exemptions for encryption exports. If national security were really a concern in these cases, they could add strict guidelines describing who the software could legally be distributed to within those countries. Unfortunately, PECSENC seems to have overlooked this important issue.

Despite these shortcomings, there are some definite gains to be made by following PECSENC's recommendations. Net activists will be keeping their fingers crossed when the White House reviews them next month. Progress has been far too slow in coming, and if there's ever been a time for our government to start making some positive decisions, this certainly is it.

Mike McCune writes "It's called " Remote Explorer" and it attacks Windows NT machines in administrator mode. It compresses programs so that they don't execute and encrypts data files. Network Associates calls it "cyberterrorism"." There's a lot of media hype about this one judging by the large number of submissions about it. Is this one serious?

Andrew Hagen writes "Network Associates, formerly McAfee, developer of PGP, has quietly rejoined the Key Recovery Alliance. Despite withdrawing from the group last December amid pointed concerns over the continued trustworthiness of PGP, NAI apparently rejoined the Key Recovery Alliance (KRA) three months later with their February 1998 acquisition of Trusted Information Systems, a founding member of the KRA. The KRA's major stated goal is creation of "a global infrastructure that supports recovery of encrypted information." NAI has sent me e-mail stating that they might or might not remain in the KRA, that "PGP products will not be affected," and that they have "no interest in enabling key escrow for government access." Network Associates is presently listed on the KRA membership roster. "