Symantec Will Not Detect Magic Lantern
An anonymous reader contributes: "In this article on Declan McCullagh's Politech, Symantec chief researcher Eric Chien stated that provided a hypothetical keystroke logging tool was used only by the FBI, Symantec would avoid updating its antivirus tools to detect such a Trojan, echoing a similar stance Network Associates allegedly took with its McAfee anti-virus software earlier this week. 'If it was under the control of the FBI, with appropriate technical safeguards in place to prevent possible misuse, and nobody else used it -- we wouldn't detect it,' said Chien. 'However we would detect modified versions that might be used by hackers.'"
http://www.kaspersky.com/ . Russian. F-Prot is also an option...they're Finnish. If memory serves, there are also Israeli options for virus protection. It's a big world. Even the FBI can't nail down everything.
Knowledge is power. Knowledge shared is power multiplied.
Most AV tools (including Symantec and McAfee) monitor program execution for anomalous behavior by unknown virii. Would Lantern be able to avoid being detected by that?
Also, what about personal firewall programs? I use Tiny Software's PF (yes, under Windows, sad isn't it) that checks the MD5 of an executable before granting internet access. On top of that, it can allow you to block certain apps from making/accepting connections from various sites. For example I have it set to not allow Mozilla access to ads.x10.com.
Here, two things exist: the lantern has to find a way around the MD5 and also find a way around "PGP wants to connect to [fbi-ip-address], allow it?" Getting through one or the other might prove difficult.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
Just use non-US AV software. Norman is great., and there is no reason it should be affected by whatever the FBI decides to do.
Too bad for US AV companies having their software ruined by FBI.
One question comes to my mind, is the FBI stupid enough to try and use magic lantern on savvy people?
The Nicky Scarfo case seems to be the precedent for computer surveillance so far. Savvy enough to use a computer, but I doubt he was any kind of virus hunting guru.
Would the FBI be willing to risk exposing the signature of magic lantern to the general public by using it on users more likely to know how to find it?
If the virus companies roll over and let the FBI squeak by easily, they effectively help the FBI keep the honest people honest while people with enough incentive march on with their wrongdoings. As a bonus they leave a wide backdoor open in the protection that honest people rely on to protect their data from wrong-doers.
This idea is so great I bet that the brain surgeon behind it has at least 2-3 previous dot-bombs under their belt.
-- Button up, your ignorance is showing
the *nix environment hasn't yet been able to cultivate & propagate any really serious viruses yet
I suppose that worm that almost brought down the internet way back when wasn't really a serious virus because nobody lost their drive full of mp3/porn/quicken files. Unix has had plenty of time to cultivate serious viruses. It was just designed better than the platforms that have the widely publicized problems. Of course it still has holes, but they are harder to exploit because of the multiuser nature (most apps aren't run as root, so they don't propagate as easily or destroy as much data). Why do you think Mac and Windows are gravitating to unix beneath the GUI? The NT kernel has been implementing plenty of new stability and multiuser features that Unix has enjoyed for years, and Mac is Unix under the GUI, no pretense of innovation there.
Compare that to the first few entries in the wildlist
http://www.thehungersite.com
These utilities, when used together, would offer a defence, using a slightly different technique. Here, you'd be warned, the moment any intruder attempts to connect to your machine, OR your machine mysteriously attempts to connect to someone else. You also get the warning on when a file is changed.
(By relying on only one verifier, you're not quite so secure, but it was the best I could find in a short time. Apologies for that.)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
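The two checks described in the personal-firewall comment above (hash the executable before granting it network access, and apply per-application destination rules such as blocking Mozilla from ads.x10.com) and the "warn when your machine tries to connect out, and when a file changes" defence in the later comment can be modelled in a few dozen lines. The block below is an added illustration written for this page; it is not Tiny Software's code nor any poster's, and every file name, application name, host and rule in it is constructed sample data. It uses SHA-256 rather than MD5, since MD5 collisions make it a poor integrity hash today.

```python
"""Added example: executable integrity check plus per-app destination policy.
Not code from any poster or product; all names, hosts and rules are constructed."""
import hashlib
import os
import tempfile


def file_digest(path):
    """Return the hex SHA-256 digest of the file at `path`."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record a trusted digest for each executable the user has approved."""
    return {p: file_digest(p) for p in paths}


def integrity_check(path, baseline):
    """Decide whether the binary at `path` may be trusted before it gets network access.
    Returns 'allow', 'deny:unknown' (never approved) or 'deny:modified'
    (approved once, but the bytes on disk no longer match the baseline)."""
    expected = baseline.get(path)
    if expected is None:
        return "deny:unknown"
    if file_digest(path) != expected:
        return "deny:modified"
    return "allow"


def destination_policy(app, host, rules, default="prompt"):
    """Per-application host rules: `rules` maps app name -> {host: 'allow'|'block'}.
    Anything not covered falls back to `default`, which stands in for the
    "X wants to connect to Y, allow it?" prompt the comment describes."""
    return rules.get(app, {}).get(host, default)


def decide(app, path, host, baseline, rules):
    """Combine both checks: an unknown or modified binary is refused outright,
    otherwise the destination policy decides."""
    verdict = integrity_check(path, baseline)
    if verdict != "allow":
        return verdict
    return destination_policy(app, host, rules)


def demo():
    """Constructed scenario: approve two 'binaries', then tamper with one."""
    d = tempfile.mkdtemp()
    mozilla = os.path.join(d, "mozilla.exe")
    pgp = os.path.join(d, "pgp.exe")
    with open(mozilla, "wb") as f:
        f.write(b"MZ mozilla sample bytes")
    with open(pgp, "wb") as f:
        f.write(b"MZ pgp sample bytes")
    baseline = build_baseline([mozilla, pgp])
    rules = {"mozilla": {"ads.x10.com": "block", "www.example.org": "allow"}}

    results = {
        "mozilla->ads": decide("mozilla", mozilla, "ads.x10.com", baseline, rules),
        "mozilla->example": decide("mozilla", mozilla, "www.example.org", baseline, rules),
        "pgp->unknown host": decide("pgp", pgp, "198.51.100.7", baseline, rules),
    }
    # The file on disk changes, so its digest no longer matches the baseline.
    with open(pgp, "ab") as f:
        f.write(b" + appended bytes")
    results["pgp after change"] = decide("pgp", pgp, "198.51.100.7", baseline, rules)
    # A program the user never approved gets no network access at all.
    stranger = os.path.join(d, "stranger.exe")
    with open(stranger, "wb") as f:
        f.write(b"MZ")
    results["stranger"] = decide("stranger", stranger, "www.example.org", baseline, rules)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The caveat the comment hints at ("relying on only one verifier") applies here too: the check sees only the file on disk at the moment it is hashed, so a baseline must be rebuilt from a known-good copy after every legitimate update, and anything that never touches the approved file is outside its view. The destination prompt is the second layer precisely because the first one cannot be complete.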
Don't be so sure. We have had UNIX worms and even VMS worms. Unlike the designers of UNIX, VMS started with a security architecture and actually received B2 certification rather than describing itself as 'B2 equivalent'.
At the other end of the scale the security architecture of MAC O/S has until a few months ago been stuck at the MSDOS level, lacking even protected memory, yet MAC viruses are none too common these days.
The significant factor is the proportion of the network population that uses a particular O/S. As with a biological infection there are definite inflection points that determine whether a virus spreads fast enough to cause an epidemic or a pandemic.
When the Wang Worm hit it could propagate because close to 100% of the computers on HEPNET were VMS systems. Equally the Morris worm took out the Internet when the vast majority of nodes were UNIX boxes running sendmail.
The proportion of UNIX machines on the Internet today is probably close to critical mass for allowing a viral epidemic. The saving factor is not the design of the O/S, it is the variation between the O/S implementations. Anyone who thinks that sendmail is a lesser security risk than Outlook should read a few CERT advisories.
The separation of administrative privs is not actually significant when it comes to the propagation of email viruses. If that was the case Windows XP would solve the virus problem completely (it won't). The problem is that the boundary between code and data has been blurred. For some reason the people who felt they had to foist Java and Javascript winky-blinky features on the world had no clue when it came to security. (Don't get me started about the Java sandbox model, the code does not match the marketing hype, the implementation does not correspond to what I would regard as a sandbox design)
The other reason that UNIX boxes tend to be more secure is that the use of winky-blinky features is nowhere near as widespread. The proportion of terminally clueless users in the Windows world is (according to my studies) approximately 92.931%, in the Linux world that figure is only 23.428%. So not only is the userbase smaller, the probability that a user who is sent the virus will execute the program and cause it to replicate is much smaller.
Again, look at biological models of propagation. x^n is a very big number if x > 1, it is a very small number if x < 1. Therefore the day that AOL ships AOL for Linux will be the day that Linux will start to get virus problems. It will have the active code to support winky-blinky features and thus be vulnerable to attack, it will introduce the terminally clueless into the Linux user base.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
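The threshold argument in the comment above (x^n explodes for x > 1 and vanishes for x < 1, with the inflection point set by platform share and user behaviour) can be made concrete with a small branching model. The block below is an added illustration written for this page, not the poster's own model: each infected host reaches `contacts` other hosts, a fraction `platform_share` of those run the vulnerable platform, and a fraction `execute_prob` of those users run the attachment, so the expected number of secondary infections is R = contacts * platform_share * execute_prob, which plays the role of the post's x. The 92.931% and 23.428% figures are the post's own estimates; the contact count, the platform shares and the population size are invented for the example.

```python
"""Added example: epidemic threshold for a mail-borne worm.
Constructed model and numbers; only the two 'clueless user' percentages
come from the post being illustrated."""


def reproduction_number(contacts, platform_share, execute_prob):
    """Expected secondary infections per infected host (the post's x)."""
    return contacts * platform_share * execute_prob


def threshold_execute_prob(contacts, platform_share):
    """Execution probability at which R crosses 1 for a given platform share.
    A result above 1.0 means no user behaviour can sustain an epidemic at that
    share: the platform population is below the inflection point."""
    return 1.0 / (contacts * platform_share)


def simulate(population, contacts, platform_share, execute_prob, generations):
    """Deterministic generation-by-generation spread in a finite population,
    seeded by one infected host. A host that already ran the worm is not
    re-infected, so growth saturates as the susceptible pool empties.
    Returns the cumulative number of infected hosts."""
    susceptible = population - 1.0
    newly_infected = 1.0
    total = 1.0
    for _ in range(generations):
        # Each newly infected host reaches `contacts` random hosts; only the
        # share that is still susceptible, on the vulnerable platform, and
        # willing to execute the attachment becomes the next generation.
        attempts = newly_infected * contacts * (susceptible / population)
        newly_infected = min(susceptible, attempts * platform_share * execute_prob)
        susceptible -= newly_infected
        total += newly_infected
    return total


def compare():
    """Same worm, two constructed platform mixes, ten generations each."""
    pop = 100_000
    windows = dict(contacts=5, platform_share=0.90, execute_prob=0.92931)
    linux = dict(contacts=5, platform_share=0.10, execute_prob=0.23428)
    return {
        "R_windows": reproduction_number(**windows),
        "R_linux": reproduction_number(**linux),
        "infected_windows": simulate(pop, generations=10, **windows),
        "infected_linux": simulate(pop, generations=10, **linux),
        "linux_threshold_q": threshold_execute_prob(5, 0.10),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:.3f}")
```

With these constructed inputs the Windows mix has R well above 1 and saturates the population within ten generations, while the Linux mix has R near 0.1 and the outbreak dies after a handful of hosts. `threshold_execute_prob` shows the post's "AOL for Linux" point: at a 10% platform share the required execution probability exceeds 1, so no amount of careless clicking sustains an epidemic until the share itself grows.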
Hadn't thought of that option before. Of course, I will now. Probably not get any sleep for a few days, too.
"Prepare for the worst - hope for the best."
I'm sure you know this one already but,
Amendment IV
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
Someone screaming for help is probable cause, but if I tell my wife not to let ANYONE in unless they have a warrant, then she won't let them in. I would expect no less from a hired security officer.
Ummm, Jon, aren't you supposed to be dead...? - Otter(3800)
windows hasn't been gravitating towards unix. NT's stability, multi-user, protection, etc. are based more on the VMS model than the unix model.
Magic Lantern doesn't do the Feds any good if it doesn't phone home from time to time, so there would be some network traffic.
Not true. I think one of the earlier posts about ML indicated that one mode of its operation allowed it to simply record keystrokes locally (hidden away in an OS registry or a "special" file of some sort, if we're talking about a closed-source implementation) and those recordings could then be recovered physically upon serving a warrant on the user.
Of course, the paranoid among us would do their best to determine where those recordings get kept and utilities would no doubt be written to clear or obfuscate those recordings. But my point is that the feds don't necessarily need it to generate any network traffic for ML to be a useful tool.