McAfee Will Ignore FBI Spyware

Drew writes: "The Washington Post is reporting on the FBI's new spyware called 'Magic Lantern.' According to their article, 'At least one antivirus software company, McAfee Corp., contacted the FBI on Wednesday to ensure its software wouldn't inadvertently detect the bureau's snooping software and alert a criminal suspect.' It is ridiculous that the software companies that are supposed to help us protect computers purposefully leave in loopholes for the FBI to operate their spyware."

Re:McAffee

[rice_burners_suck]

The problem, in my opinion, is that sales of McAfee's products will NOT drop because of this. You're forgetting that 99% of the people who buy that product do so because of FUD--Fear, Uncertainty, and Doubt. These are people who do not understand computers, viruses, bugs, worms and all kinds of other "marketing" names. They buy McAfee because it will prevent "hackers" (who should be called "crackers") from entering their system and causing their CPU to melt. These people will say, "Well of course McAfee shouldn't detect the FBI's crimefighting behavior." They simply don't know that this is a loophole for crackers (the "hackers" they're afraid of) to take advantage of. And they'll never consider that a possibility.

THAT is the problem with things like this. Just wait a few more days and we'll probably get a Slashdot story about a press release by the FBI telling of a new "technology" (a 4KB program that plugs this loophole) that empowers criminals to rub the Magic Lantern and make a wish that the FBI will leave them alone.

Here's McAfee's contact page

[Anonymous+DWord]

In case you want to shout at them about how you'll not buy any more of their products. Maybe if McAfee understands how stupid this is, they'll change their minds (hahaha, right).

http://www.mcafee.com/aboutus/contact_us.asp?

McAfee.com Corporate Headquarters
McAfee.com
535 Oakmead Parkway
Sunnyvale, CA 94085
USA

Telephone: (408) 992-8100
Fax: (408) 720-8450

Interesting Situation

[gibara]

This creates an interesting situation. As I understand it, virus detection programs use:

1) signatures -specific byte patterns which are searched for in files, and

2) heuristics - in this case algorithms which seek unlikely looking data to determine whether the user should be alerted to a possible intrusion attempt.

McAfee can of course omit signatures for this 'Magic Lantern' (ML) software from their database. However, in the case of the heuristics, avoiding user notification of ML requires either:

a) a weakening of the heuristic(s), presumably to such an extent that other viruses may penetrate the system or

b) the presence of a special signature in the McAfee software which (on recognizing ML) can 'override' the heuristic

Case (b) is interesting. If McAfee do this with a simple byte pattern search this will immediately provide viruses with a neat little 'binary tag' which permits them to evade McAfee's software

The alternative must be to use a cryptographic hash which can be used to identify ML but which cannot be readily forged by other virus code. Using this checksum technique also demands that the ML 'payload' remain unchanged. Very restrictive for code which needs to be stealthy.

But the most important side-effect of both of these techniques - and any others McAfee might choose to use, would be that it provides an easy route for developers to produce software which can check for ML.

In other words, McAfee cannot both provide useful levels of virus detection and avoid alerting the user to Magic Lantern without giving other developers a blueprint to locate it.