Slashdot Mirror
Symantec Will Not Detect Magic Lantern
An anonymous reader contributes: "In this article on Declan McCullagh's Politech, Symantec chief researcher Eric Chien stated that provided a hypothetical keystroke logging tool was used only by the FBI, Symantec would avoid updating its antivirus tools to detect such a Trojan, echoing a similar stance Network Associates allegedly took with its McAfee anti-virus software earlier this week. 'If it was under the control of the FBI, with appropriate technical safeguards in place to prevent possible misuse, and nobody else used it -- we wouldn't detect it,' said Chien. 'However we would detect modified versions that might be used by hackers.'"
I'd rather not use AV software that was designed not to work. Of course, I run Linux so it's not really an issure for me...
this is getting old and so are you
blog
Anyway, I don't use Windows, so this is not my problem. Ask yourself; is it really yours? :-)
Luck favors the prepared, darling.
So all the virii programmers need to do now is to emulate whatever key it's not picking up on and away they go!
-inno
this is not good for security. once they decide that they will let some through, that destroys all credibility IMHO. how can you trust that symantec and McAfee will detect other viri in the future if they won't hold consistent now just so the FBI can send a trojan to some one to get their passwords?
I am the Alpha and the Omega-3
perhaps it is time for an open source virus detection program with options for non standard updates...
I'm not a conspiracy nut, and I certainly don't have total trust, or total mistrust, of the government either.
But it isn't the idea of the FBI trying to use these tools that offends me. I expect them too, and I don't have anything to hide. But the issue of a company that I pay money for to help protect me to turn a blind eye to government intrusion is insane.
If I pay someone to give me security, I expect them to provide it against anyone who wants my information. Pure and simple. And I'm not worried about the "Oh, we won't check the FBI's version - but we would check variants."
Oh, that makes me feel *much* better. Imagine a cracker getting his fingers on the FBI software and using that on my systems. Gee, thanks for not checking that, Symantec.
Of course, you have to admit that Symantec and McAfee are in a bind. If they state they're going to detect the FBI software, then they're anti-government. If they don't, then they're aiding big brother. But considering that the United States was formed from a healthy distrust of our government (and that distrust has only proved to help us, thank you Hubert Hoover and your bra collection), I would rather have the security companies on my side and make my government work just a little harder to prove guilt. Or at least, that's what my tax dollars should be going to.
Of course, this is just my opinion. I could be wrong.
52 Weeks, 52 Religions with John Hummel
So they're not going to detect the original, but they WILL detect any hacker-modified clones?
What about Norton Firewall? Will it still detect unexpected outgoing connections? How can I expect it to reliably detect and permit FBI-approved software, but not hacker software with a similar MO?
Oh, maybe there'll be a hard-coded IP address in the outgoing connection -- now THERE'S a nice target for DDOS!
It's supposed to be completely automatic, but actually you have to press this button.
From the time a copy of this "Magic Lantern" is first discovered in the wild until an exact copy of the FBI-approved (and consequently undetectable) version is available via alt.hackers.maliscious is going to take what, twenty minutes?
Malda might as well start composing (and spellchecking) the headline now, because it's a sure bet he'll get to use it.
'If it was under the control of the FBI, with appropriate technical safeguards in place to prevent possible misuse, and nobody else used it -- we wouldn't detect it,'
That's a risky assumption.
'However we would detect modified versions that might be used by hackers.'
How do you know if a [cracker] is using an unmodified version on my PC and is watching me? You don't.
There is no such thing as an 'appropriate technical safeguard'; the way to defeat it simply has not been discovered yet.
GOBACK.
The FBI? Do anything illegal? Who would ever imagine that such a thing could happen?
<repressed_memory>
</repressed_memory>
Hmmm, I can't seem to think of any examples of how police spy powers have been abused in the past, can you?
Symantec are perfectly entitled to do whatever they want. If they want to sell crippled security software, it's their funeral ? Sophos has a more sensible attitude http://www.theregister.co.uk/content/55/23057.html , and better AV software anyway.
If US software companies want to sell crippleware in the interests of "patriotism" that's their business. There are plenty of companies willing to fill the gap.
http://rareformnewmedia.com/
How long until this little app ends up on a PC that is not on US soil? Will some foreign nation be able to make an offical-issue of this? It seems like the FBI might not be thinking this through.
... then again, there is Echelon.... apparently no one minds...
Not to mention what happened the last time the FBI decided to abuse it's powers in blatant and utter disregard for the consitutionally guaranteed rights of the American people.
COINTELPRO
And this time we're GIVING the government this power by agreeing to be spoon-fed this 'for our own good' and 'war on terrorism' bullshit.
I say no thank you. If there was a tracking device installed subcutaneously on every single American citizen in the country, and our borders were closed, THEN would you people feel safe?
El riesgo vive siempre!
I've yet to see the the "Is my phone tapped service(tm)" on ordinary phone lines. So why would any company trying to stay on the right side of the government be producing tools to aid potential criminals?
Maybe you HAVE seen the "Has my property been trespassed on service(tm)", or the "Can someone surveil me through my windows service"? People should have a right to protect their privacy and security without it being assumed that they are criminals, and companies should have a right to provide the tools to do so without being accused of abetting criminals.
Not all spies/intruders work for the FBI you know.
Takahashi Rumiko made beats! DON, taku, DON, taku. . .
Assuming that this is a standardized attachment (ie the same size, etc.) it should be pretty easy for filters on the ISP or client to catch. Also, to my knowledge the only mail clients that can execute code w/o user intervention are M$ products. This narrows the people that can be affected alot.
Your analogy is, unfortunately, incomplete. Let's review:
In such a case, the following is expected to happen:
Now, in the case of Magic Lantern, the following *might* happen:
So, what's missing here? Simply enough, the agents did not have the consent of the court to infect your computer, and you've been deprived of the knowledge of what occured. This is the major issue here. I wouldn't want them poking inside my computers as much as the next guy, but if they're going to, I'd like to know when they're doing it, and they better have that bloody warrant in hand.
In Soviet Russia, Jesus asks: "What Would You Do?"
I like to program but I'm not a huge trojan nut but have the basic concept and idea on how these things work....
First off:
Everyone keeps talking about how it will just be a matter of time before a wild version of "green lantern" or something of the sort shows up in the wild....
Dude, if you have Green Lantern on your computer and you find out about it, you've got a lot more things to worry about then sharing it with the hacker / cracker community!
Second of all:
Who cares that the anti-virus software won't recognize it. They haven't detected half the viruses for years!
Heck, Just create your basic client server in c++ or whatever and you'll notice that it is not recognized by the software anyways..... I started to learn sockets and create client/server chats, remote access for work, etc. My anti-virus, anti-trojan software never picked up on it... only my Zone Alarm caught it.
www.slightlycrewed.com - Because aren't we all?
We're constantly aware of viruses bringing down networks and destroying data. It's considered a terrorist activity to write one.
You would think the government would be interested in closing all potential security holes. But now they want to run a roto-rooter straight through every firewall and defence, tell us just to pretend it doesn't exist, and assume that they won't disrupt the normal process of computer security.
I'd like to borrow a technique from the MPAA and RIAA, an irrational analogy. We might as well install FBI doors in our house. They'd all take the same key. We wouldn't be allowed to look at them or put any furniture in front of them. Eventually criminals would fashion a key to all of them and waltz in our door, steal our valuables and shoot us. But we wouldn't be allowed to defend ourself from anyone who came through that door.
A rebuttel from myself: In my heart of hearts I want the FBI to be aware of all sinister plots (which exist aplenty). I want them to be able keep us safe. I know the danger off coordinated terrorist attacks which are beyond scrutiny.
But I worry about unrestrained government, which can closely watch everyone without checks and balances.
I also think that trying to make a security hole which only the good guys can use, and the bad guys must ignore is a bit far-fetched.
These companies provide detection and removal services for widely-distributed and automatic attacks. That is to say, it's their job to clean up when someone releases a virus that spreads all over the place. They discover something spreading, and they make an update.
If the FBI is doing their job well, that's not the situation here. The way they've been describing this working is that they set it up to attack the particular person against whom they've obtained a warrent. It doesn't email itself to the target's addressbook, it doesn't attack random IPs, it doesn't try to infect floppies. That would be both illegal (since it could destroy the data of non-targets) and probably invalidate their evidence (since they don't have a warrent to investigate every individual in the US).
So a virus scanner shouldn't catch Magic Lantern, because it's not really a virus, in the sense that they're scanning for. It's an attack tool, which uses the methods often employed by viruses. Virus scanners don't fix security holes; they look for particular malicious and spreading code on your computer and clean it up. They won't stop Magic Lantern, they won't stop someone hijacking your passport account, and they won't stop even script kiddies breaking into your webserver, because their purpose and system design just aren't good for that.
So far I haven't heard of any IDS companies saying they will ignore ML, nor have I heard of any companies saying they won't fix security holes that ML uses. That's what would be significant.
I just wonder how a free software anti-virus lab would work
Easy- we fix the problem instead of treating the symptoms:
If there are exploits, they get fixed. So you would never have to worry about an email or webpage hijacking your machine.
And so long as you stick to source-available code (not necessarily the same as open-source) which has at least a moderate distribution, you dont have to worry about trojans.
The run-away virus problems you see in windows are a direct result of a closed source culture where all software is delivered and exchanged via inscrutable black-box binaries. A typical windows user thinks nothing of downloading a .exe file from an untrusted source then running it, whereas a typical unix user would get shivers just at the thought of doing so.
Virus scanner software is just a huge patchwork of duct tape that is fundamentally incapable of solving any problem- or providing any security.
(for example nimda: it had already done its damage by the time it was in the pattern files)
If an open-source system and philosophy were ta take hold of the desktop- an entire industry (virus scanning/recovery) would simply disappear.
Take apart this government NOW. Don't bother writing letters; in the current atmosphere nobody is listening to reason. The only legal means left to try is recall petitions. Recall every congressman who votes for this shit and for every senator who voted to confirm Ashcroft. I'm not real sure how it could be made to happen, but you might even try a run at the shrub. Whom to replace them with? The weakest, most ineffectual non-leaders you can find - with any luck they'll waffle and dither around and stab each other in the back continuously so that nothing ever gets done. Congress really works best that way.
The Constitution is the country. You can't defend one without defending the other.
Nothing to hide, eh? Well, Mr.... Paladin, is it? We have noted via our *camera oscura* that you are using a *proscribed system* called Linux. Disgusting name, really. You are aware, I trust, of the penalties for trafficking in *non-object* code? Did you know that the *un-good, un-binary* code for this disgusting piece of filth is freely traded on the *black network*? I thought not. And I'm sure you'll be happy to submit to a prophylactic *decontamination*.
You'll need to *happy-boot*, of course.
anarchy rules
A few things happened in the Microsoft world that made it pretty easy for viruses to spread that could not happen in the Linux world.
1) most people don't read their email while logged in as root. This is the number 1 reason why viruses easily spread in Windows systems is because in Windows, just about everything is done with an account that has full control over the system.
2) In Windows-land you generally run binary-only programs and you have no idea what the source looks like. Most programs in Linux come with the source code. You are not likely to run a binary only program in Linux unless you know for sure who its coming from.
So, to reiterate, viruses are executable programs. They need both permission to execute and a means of spreading themselves. Windows systems were already set up to allow these things to happen by default. Linux systems will never be set up that way, at least not on a widespread basis.
I don't think we will ever see problems as widespread and damaging such as Nimda or Sircam on Linux systems, no matter how popular Linux gets. Its just not designed to easily allow programs to be run, without someone explicity giving it permission. Even exploits of commonly used server programs are limited in the damage they can do, because most servers do not run as root. No, the virus writer has a much much harder job to do on Unix systems. Why bother when Windows is so much easier?
No, Thursday's out. How about never - is never good for you?
Would it be possible for Magic Lantern to be built into a closed source OS like Windows XP?
Hackers won't need to mod the program, just capture the data it pumps out. I can see this as THE hack. Once you can get Magic Lantern installed onto a system, just capture the data or intercept the packets. Since the hacked system won't detect Magic Lantern, you just need to write code capture the output. We'll see dozens of new viruses a day that capture this output. Sooner or later symantec will get tired of writing hundreds of updates a week trying to stop these intercept viruses while keeping the keylogger hidden.
As for firewalls, well this thing has got to send it's data somewhere, and once people figure out where it should be easy enough to detect and block or reroute to somewhere more fun.
I don't suppose it would actually send data all the way back to the FBI, probably to some machine sitting at the ISP. But if it were hardcoded, can you imagine the DDOS potential of just sending out the FBI logger as a VIRUS ITSELF?
-- If god wanted me to have a sig, he'd have given me a sense of humor.
This big brother, "homeland" crap has gone too far, and each of us should take action. The way to make a change is to change our government. I'm a Republican, but I'm not a Nazi. I don't care if the Democrats put Bert or Ernie up as a candidate --- I'm voting against Bush.