Slashdot Mirror


McAfee Will Ignore FBI Spyware

Drew writes: "The Washington Post is reporting on the FBI's new spyware called 'Magic Lantern.' According to their article, 'At least one antivirus software company, McAfee Corp., contacted the FBI on Wednesday to ensure its software wouldn't inadvertently detect the bureau's snooping software and alert a criminal suspect.' It is ridiculous that the software companies that are supposed to help us protect computers purposefully leave in loopholes for the FBI to operate their spyware."

21 of 571 comments

  1. Fucking Great by Breakfast+Pants · · Score: 5, Insightful

    Now anyone can craft their virii to look like the FBI's brood and avoid detection altogether.

    Fabulous, I hope everyone feels safer already.

    --

    WHO ATE MY BREAKFAST PANTS?
    1. Re:Fucking Great by firewort · · Score: 3, Insightful

      Sure, but if that's your approach to preventing virii, how do I know I can trust you to not pass on a virus?

      I end up relying not only on you, but on the people you claim to be trusted.
      This is remarkably similar to trusting physically promiscuous people to not carry something transmittable to me.

      I approve of the steps you take, but how can I be sure all the people you trust take those steps as well?

  2. Re:more difficult than it sounds... by HRbnjR · · Score: 2, Insightful

    Uhh...why not hack McAfee to find the signature it's looking for?

  3. Magic Lantern benefits crackers! by rice_burners_suck · · Score: 4, Insightful

    The point is, these aren't loopholes for the FBI. McAfee will ignore this loophole, and that will allow CRACKERS to get into your system. This program, which is intended to prevent people from getting into your computer, will happily ignore all cracking that takes place through the same loopholes as this so-called Magic Lantern.

    Oh well... Next time, use OpenBSD.

  4. US dictating foreign users rights as well? by Stillman · · Score: 3, Insightful

    Arrggghh!

    OK, I really need to get this off my chest here.
    How will this affect copies of software sold in countries outside the US? Will my AV software end up crippled and able to be exploited by those who have reverse engineered the "FBI Friendly" code?

    Why is this acceptable? Because the good old US Government wishes to remove the much-lauded freedom of its citizens, the rest of the world also loses those freedoms. Will McAfee for example really bother to have a US-only version with the FBI-lover code in it, and remove that code from all other versions? Even if they say they have, how will we know???

    Grrrrrrrrr....

    --
    Prisoner #655321
    1. Re:US dictating foreign users rights as well? by Iamthefallen · · Score: 2, Insightful

      Remember that in the eyes of the US govmt foreign citizens have no rights.

      --
      Wax-Museum Fire Results In Hundreds Of New Danny DeVito Statues
  5. Beyond Here Lies Paranoia by Carnage4Life · · Score: 3, Insightful

    Is anyone else wondering whether this means that it would soon be mandatory for software that is used in the US to have exploitable security flaws in order to better catch terrorists?

    For those that would point out that convincing someone to click on an attachment is social engineering and not really an exploit, I'd like to point out that there are mechanisms that can be put in place by either the OS or the mail reader to make things like clicking attachments less dangerous (automatically running attachments as a user with minimal privileges is one of them). But given that the FBI is relying on OSes not to make doing this easy, would applications or OSes that tend towards security start to face the same stigma and negative association that encryption has faced since the events of 9-11?

  6. Re: linux user could be vulnerable... by alexandre · · Score: 2, Insightful

    no need to be root just to monitor the user...

  7. FBI - Classic magician's trick? by rice_burners_suck · · Score: 4, Insightful

    It just may be that the FBI's so-called "Magic Lantern" is a classic magician's trick. They are telling the whole world that this Magic Lantern is a technology that will seek out and destroy every dangerous criminal on the face of the planet. They're marketing it as an unbeatable technology that works on EVERY SINGLE COMPUTER IN THE WORLD (that is, every one that's running Windows). They're causing lusers to think that there really is some kind of crimefighting technology when it's really nothing more than a bug which allows crackers to compromise Windows.

    Then, the criminals who are trying to avoid the FBI see this and talk to someone who understands computers. That person tells them how to patch their system to remove the vulnerability.

    Here's where the classic trick takes place. The criminal thinks he's immune from the Lantern, so he goes on with business as usual. He writes down his drug trafficking records or whatever, and then the FBI goes in behind his back, using some other system that nobody knows about, and gets the information.

    I'm not saying this is what's going on. On the contrary--government people are really stupid, and even more so when it comes to computers. But I'm saying this is a possibility, and I'll try not to discount the FBI's intelligence just yet.

    Oh well.

    1. Re:FBI - Classic magician's trick? by jhines · · Score: 2, Insightful

      and what's more important, the Feds are arguing that they don't need to disclose the methods they use to uncover the data. So they can just say "we used magic lantern" when they used other (non admissible in court) options.

  8. Re:Some potential ways to protect oneself from Mag by autopr0n · · Score: 2, Insightful

    wonder if this "Magic Lantern" has been ported to Linux. I tend to think not ... so for now my bet would be Windows only.

    That's a hell of a bet to make if you're a criminal. There are a reasonable number of remote-root exploits for Linux, and it's possible that there may be unknown ones out there.

    I mean, Christ, the FBI isn't that stupid, I'm sure they have the resources to port software to different platforms, even if they need a totally new codebase.

    --
    autopr0n is like, down and stuff.
  9. Well actually by cosmol · · Score: 2, Insightful

    A user account might be all that needs to be compromised. You don't need root access to read your mail, and you don't need root to make IP connections. And with facilities like cron the trojan could make sure it was always running.

  10. You assume too much... by bani · · Score: 3, Insightful

    ... like assuming the virus checker uses md5 ...

    For all you know, it uses a simple 8-bit checksum.

  11. Trust is absolutely necessary to have democracy. by Futurepower(tm) · · Score: 5, Insightful


    We need to protect ourselves vigorously from crime. However, creating secret agencies who are able to commit crimes themselves is not the way to protect ourselves.

    Already there is a serious problem with people committing some destructive act and claiming it was done by the CIA or other U.S. government secret agency. There is no good defense against this, because people worldwide know that the U.S. government secret agencies routinely break the law. How could it be proven that the FBI, CIA, or NSA, or some other secret agency didn't do a particular crime?

    The U.S. FBI, CIA, and NSA are now worldwide surveillance agencies. They are supported by Americans who are not allowed to know how much of their money is spent on surveillance. United States citizens are not allowed to know what the U.S. government secret agencies are doing, so they don't know if the agencies are doing things they would now support.

    The people who work for the FBI are often not smart people. They don't realize that trust is absolutely necessary in a democracy. They have often in the past not shown understanding of the other needs of democracy. They have often acted like secret police. They often believe in killing or other ways of being destructive as a way of curing some ill in society.

    Now they will be attacking computers like the criminals. They will say that they are doing it only to solve crimes, but it is socially impossible to control this kind of thing. Once the principle is established that a secret agency can break the law, there is in practice no limit to what some people in that agency might feel "justified" in doing. Consider your own experience. When has the boss had complete knowledge and complete control over the actions of employees? Never. A company's only good policy is to hire open and honest people and to encourage honesty and genuine caring.

    The FBI's influence will mean that the U.S. taxpayer's money will become a powerful force in preserving security holes, instead of closing them. Generally, this kind of software has had holes of its own. You may be attacked by a cracker exploiting a security hole created by FBI software. Governments will detect FBI snooping software and feed the FBI erroneous information.

    This is all support for people who like snooping and sneaking. It is not actually a way to reduce crime. It is for adults who like to treat the whole world as a video game. It is for the kind of people who think of themselves as James Bond, who like the idea of being able to kill other people legally.


    How U.S. government policy contributed to terrorism: What should be the Response to Violence?

    --
    Bush's education improvements were
  12. MS/DOJ settlement coincidence? by ekalb · · Score: 2, Insightful

    Makes you wonder what the real reason was behind Microsoft's settlement....could part of the terms have been to disclose "unknown" security holes to the FBI for use with their Magic Lantern spyware? Conspiracy theory is fun :) Big brother is watching....

  13. An alternative problem by zunger · · Score: 3, Insightful

    Well, I'm seeing a completely different issue here, beyond other people being able to craft virii exploiting the same holes that this Magic Lantern does. (Although I'm assuming that as security holes get patched, Magic Lantern will ultimately refer to a family of virii rather than any single virus; it's going to make McAfee's job of trying to explicitly exclude it from virus searches all the more ridiculous)

    The thing that occurs to me is that, back when I was an easily amused kid I used to capture computer viruses, dissect them and study them. If Magic Lantern is genuinely going to be an effective way to retrieve data -- and if it's a virus designed by a team of top-level professionals, which it is likely to be, then it should be so -- then how long a matter of time is it going to be before everyone and his mad bastard cousin starts to make copies of this virus and mutate it for their own ends? This seems like it would quickly become a valuable corporate espionage tool, and then a personal espionage tool, and then just a total disaster area.

    The problem with this is, if they design a powerful cracking tool which by its nature must be primarily built out of code resident on the target's machine, it's only a brief matter of time before such software and any upgrades thereof enter the mainstream of black-hat equipment.

    Frankly, I'm not looking forward to script kiddies with tools like this...

  14. Re:Beyond Here Lies Paranoia by supabeast! · · Score: 3, Insightful

    Remember Cringely's column about Microsoft wanting to replace TCP/IP with their own protocols? Imagine a requirement that Americans only use software that the FBI can get at- and if that software ran on proprietary Microsoft protocols, the government could force American ISPs to block the older protocols that only criminals need anyway. Given that George Bush will likely be elected if he can drag on his "war on terrorism" until 2004 (Americans always re-elect wartime presidents), that leaves us with seven more years of a federal government that supports Microsoft, supports John Ashcroft's assault on the freedoms provided by our constitution, and is not afraid of the political ramifications of extreme actions.

    I think we all have a reason to be paranoid...

  15. Re:Fuck McAfee. by Kalabajoui · · Score: 2, Insightful

    I'm tired of this almost religious reverence for our government that seems to have taken hold lately. Yes, well intentioned and in some cases genuinely brave and courageous; some agents with the FBI undoubtedly deserve our gratitude and respect. However, collectively, the FBI has worked diligently to strip away and corrupt the freedoms and principles that make America a great country. For that my friend, they collectively deserve and receive my utmost contempt and scorn.

  16. NAI/McAfee - PGP? by Mark+Bainter · · Score: 2, Insightful

    Does anyone still trust the PGP implementation released by McAfee? If the veiled warning by Philip Zimmermann wasn't enough to raise concern (heck, his leaving at all should be enough to raise concern) then their quick decision to work with FBI here in this fashion ought to be the final nail.

    How can anyone trust anything NAI produces anymore?

    I doubt very many people with a clue did even before this. But at that time their rather powerful marketing machine was able to keep the $$$ rolling in from joe blows buying computers with the software pre-installed and computer "hobbyists" who think they know what they are doing and recommend software like McAfee and NAV and so on because the names are well known.

    --
    "No nation could preserve its freedom in the midst of continual warfare."
    --James Madison
  17. Why PGP Phil Zimmermann Left McAfee NAI by Anonymous Coward · · Score: 1, Insightful

    Gee, and you wonder why Phil Zimmermann, the creator of PGP, left NAI, aka McAfee? He saw what NAI was turning into. http://web.mit.edu/prz/ All users, even Linux users, could get this new FBI ML virus if software companies are forced to include it on their CDs. Remember, the FBI is reading these messages.

  18. long history of "official" trojans not detected by morcheeba · · Score: 3, Insightful

    This same question came up with Back Office vs. Back Orifice. Because Microsoft was a "respectable" company (and because it costs money), antivirus companies decided that Back Office was a legit remote network administration tool. However, when the "hacker group" cult of the dead cow released Back Orifice, the antivirus vendors decided that, even though Back Office could do everything that Back Orifice did, because it was free and not released by a corporation it should be classified as a trojan.

    So, besides magic lantern, you could have the SMS part of Back Office installed, too. And with its weak encryption, it's a greater security risk than BO2K.

    More BO2k docs and info