Slashdot Mirror
Symantec Will Not Detect Magic Lantern
An anonymous reader contributes: "In this article on Declan McCullagh's Politech, Symantec chief researcher Eric Chien stated that provided a hypothetical keystroke logging tool was used only by the FBI, Symantec would avoid updating its antivirus tools to detect such a Trojan, echoing a similar stance Network Associates allegedly took with its McAfee anti-virus software earlier this week. 'If it was under the control of the FBI, with appropriate technical safeguards in place to prevent possible misuse, and nobody else used it -- we wouldn't detect it,' said Chien. 'However we would detect modified versions that might be used by hackers.'"
Anyway, I don't use Windows, so this is not my problem. Ask yourself; is it really yours? :-)
Luck favors the prepared, darling.
How's OpenAntiVirus doing? How does it compare to the Big Two? - If it can't hold up, do "we" have any other viable options outside of McAfee and Symantec?
Send your friends messages of love at fuck-you.org
I'm not a conspiracy nut, and I certainly don't have total trust, or total mistrust, of the government either.
But it isn't the idea of the FBI trying to use these tools that offends me. I expect them too, and I don't have anything to hide. But the issue of a company that I pay money for to help protect me to turn a blind eye to government intrusion is insane.
If I pay someone to give me security, I expect them to provide it against anyone who wants my information. Pure and simple. And I'm not worried about the "Oh, we won't check the FBI's version - but we would check variants."
Oh, that makes me feel *much* better. Imagine a cracker getting his fingers on the FBI software and using that on my systems. Gee, thanks for not checking that, Symantec.
Of course, you have to admit that Symantec and McAfee are in a bind. If they state they're going to detect the FBI software, then they're anti-government. If they don't, then they're aiding big brother. But considering that the United States was formed from a healthy distrust of our government (and that distrust has only proved to help us, thank you Hubert Hoover and your bra collection), I would rather have the security companies on my side and make my government work just a little harder to prove guilt. Or at least, that's what my tax dollars should be going to.
Of course, this is just my opinion. I could be wrong.
52 Weeks, 52 Religions with John Hummel
So they're not going to detect the original, but they WILL detect any hacker-modified clones?
What about Norton Firewall? Will it still detect unexpected outgoing connections? How can I expect it to reliably detect and permit FBI-approved software, but not hacker software with a similar MO?
Oh, maybe there'll be a hard-coded IP address in the outgoing connection -- now THERE'S a nice target for DDOS!
It's supposed to be completely automatic, but actually you have to press this button.
Eventually, I'm gonna need a scorecard to keep all this striaght.
"Prepare for the worst - hope for the best."
From the time a copy of this "Magic Lantern" is first discovered in the wild until an exact copy of the FBI-approved (and consequently undetectable) version is available via alt.hackers.maliscious is going to take what, twenty minutes?
Malda might as well start composing (and spellchecking) the headline now, because it's a sure bet he'll get to use it.
The FBI? Do anything illegal? Who would ever imagine that such a thing could happen?
<repressed_memory>
</repressed_memory>
Hmmm, I can't seem to think of any examples of how police spy powers have been abused in the past, can you?
Well, if the antivirus vendors are going to include a sufficiently detailed signature in their products for the FBI's virii, that should help anyone trying to build a detector.
I'm sure somebody will try to build malware that impersonates this so-called "Magic Lantern" - I hope they call it "Magic Latrine" :^).
But wouldn't it be nice to see a GPL'd program to detect the FBI's virus? Then, if I found it on my machine, I could stop the goverment-sponsored theft of my CPU cycles. Of course, I'd then call the FBI and offer to let them reinstall it given adequate monetary compensation - but that's just me, you might take some other action.
--Charlie
If government seeks to use clandestine and furtive methods to monitor citizen actions, it can ill afford to complain should the citizen insist on a method to effect his right to know he is under such surveillance.
Judge Joseph Ryan, Superior Court, District of Columbia
Granted, its only a district court, however it is a compelling opinion, and a brilliant interpretation of the Fourth Amendment. IR detection/imaging and monitoring utility bills have been tossed out on similar grounds. I wonder what AVP is going to choose... Perhaps this is a great opportunity for Free Software, I just wonder how a free software anti-virus lab would work. Anyway, end of my rant.
cat
Symantec are perfectly entitled to do whatever they want. If they want to sell crippled security software, it's their funeral ? Sophos has a more sensible attitude http://www.theregister.co.uk/content/55/23057.html , and better AV software anyway.
If US software companies want to sell crippleware in the interests of "patriotism" that's their business. There are plenty of companies willing to fill the gap.
http://rareformnewmedia.com/
Will Symantec also ignore trojans produced by other nations' intelligence agencies? Someone should encourage some third-world countries to set up online membership signups for their intelligence agencies at a nominal fee. Crackers will then be able to continue to do what they do without breaking any laws.
That's "Mr. Soulless Automaton" to you, Bub.
Does anyone know the stance of non-US companies of anti-virus software on Magic Lantern? If a foreign product detects an FBI trojan horse will it then become illegal under some US law?
most AV tools (including Symantec and McAfee) monitor program execution for anomolis behavior by unknown virii. would lantern be able to avoid being detected by that?
also, what about personal firewall programs? I use a Tiny Software's PF (yes, under Windows, sad isnt it) that checks the md5 of an executable before granting internet access. on top of that, it can allow you to block certain apps from making/accepting connections from various sites. for example I have it set to not allow Mozilla access to ads.x10.com.
Here, two things exist: the lantern has to find a way around the md5 and also find a way around "PGP wants to connect to [fbi-ip-address], allow it?" Getting through one or the other might prove difficult.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
How long until this little app ends up on a PC that is not on US soil? Will some foreign nation be able to make an offical-issue of this? It seems like the FBI might not be thinking this through.
... then again, there is Echelon.... apparently no one minds...
This will only catch the dumb or the pedophiles.
Are they writing this "virus" for BeOS? how about OS/2?
What about a linux box running as only old a.out?
I can think of at least 70 ways to make their "virus" not work on my machine. (I highly doubt that this "virus" will run on my Linux development box that uses a Hitachi SH4 processor)
all this hubub about company X or software Z will or will not detect this virus app is pure marketing and hype. Noone who is really threatened by this could care as it is easily defeated from ever infecting the system by simply changing the archetecture...... Hey FBI, not everyone runs windows on Intel hardware.
Do not look at laser with remaining good eye.
Your OS is certainly more esoteric, but it has holes like all the rest of them do. Your immunity thus far isn't an indication that there are no holes -- there are always holes -- but that the *nix enviroment hasn't yet been able to cultivate & propagate any really serious viruses yet.
One of two thing is likely to happen: Linux's popularity will crest & wane, and people will stop using it (unlikely, I hope :), or it will continue to get more popular, and as it does so it will provide an ever more appealing target for virus writers, licking their chops at all the complacency out there....
DO NOT LEAVE IT IS NOT REAL
Such an arrangement would be next to impossible to compromise, as you would need to break all three programs within the check cycle of all three of them. Either that, or you need to break all three hashing algorithms, in such a way as to find a synonym in all three key spaces. Synonyms in a single key space are going to be common, simply because you're using fewer bits. Two coinciding synonyms will be very rare, and there's no guarantee that the software could be moulded into one. THREE coinciding synonyms will be so vanishingly rare that it wouldn't be worth anyone's while to search for one that's even remotely usable.
There. Problem solved. And all it took was a bunch of Tripwire clones. And someone thought it was difficult?
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Whould you complain if they didn't protect your system from government hackers in China? In France? Working for the UN? These are government agents and if you're systems weren't protected from them from security that you bought then you'd be really pissed. You pay for security companies to protect you. Your analogy of the security gaurd is flawed. A security guard will stop a Federal agent and verify his search warrent and then see to it that the warrent is not executed incorrectly. He's there to protect your stuff and your rights. He'll also notify you the police were there, why they were there and what occured. Electronic security companies are breaking the trust of the person who bought the software. One would expect that the software prevents all intrusions. If it does not then the software is flawed. Allowing back doors is considered bad software design, I don't see how this situation changes the rules of software design.
Government agencies have no reason to "crack" a system, if they're really interested they can get a search warrent and examine the system. The search and ceasure laws were designed to put all government investigative action in public view. Secret searches cannot be justified. If there is no good way to get the passwords for the keys, then the government is SOL. So they don't have one piece of evidence, I hope that the evidence that they do have would be more than just bits on a hard drive.
Mac OSX is becoming an interesting case study in Unix For The Masses. Default Linux is, as the Register recently noted, [from memory, can't find a link] "a paragon of Stalinistic control freakery", and that has made it more secure out of the box than the average WinME box, but more importantly it has also scared off millions, and rightly so. Apple's engineers knew well that if they wanted to bring this architecture to the masses -- the way the Gnome & KDE folks do -- then they'd have to encapsulate & hide as much of that control freakery as possible.
And for the most part they've done a good job, but there have been some serious glitches, like programs that would launch themselves as root, or a broken iTunes installer that wiped out whole disk partitions because of one mistyped "rm" command in an installer script. Pay attention, you seething Linux hordes, because if you want to hit the big time then this is your future. You too will face these problems as the system matures & seeks out a wider audience.
The only "secure" system is either (pick your punch line) the one that hasn't been built yet, or the one you bought a decade ago and still haven't plugged in yet. All of the others -- all of them -- have problems of one kind or another, and all of them always well. Welcome to real life, kids.
DO NOT LEAVE IT IS NOT REAL
These companies provide detection and removal services for widely-distributed and automatic attacks. That is to say, it's their job to clean up when someone releases a virus that spreads all over the place. They discover something spreading, and they make an update.
If the FBI is doing their job well, that's not the situation here. The way they've been describing this working is that they set it up to attack the particular person against whom they've obtained a warrent. It doesn't email itself to the target's addressbook, it doesn't attack random IPs, it doesn't try to infect floppies. That would be both illegal (since it could destroy the data of non-targets) and probably invalidate their evidence (since they don't have a warrent to investigate every individual in the US).
So a virus scanner shouldn't catch Magic Lantern, because it's not really a virus, in the sense that they're scanning for. It's an attack tool, which uses the methods often employed by viruses. Virus scanners don't fix security holes; they look for particular malicious and spreading code on your computer and clean it up. They won't stop Magic Lantern, they won't stop someone hijacking your passport account, and they won't stop even script kiddies breaking into your webserver, because their purpose and system design just aren't good for that.
So far I haven't heard of any IDS companies saying they will ignore ML, nor have I heard of any companies saying they won't fix security holes that ML uses. That's what would be significant.
The cake is a pie
Would it be possible for Magic Lantern to be built into a closed source OS like Windows XP?
Don't be so sure. We have had UNIX worms and even VMS worms. Unlike the designers of UNIX, VMS started with a security architecture and actually recieved B2 certification rather than describing itself as 'B2 equivalent'.
At the other end of the scale the security architecture of MAC O/S has until a few months ago been stuck at the MSDOS level, lacking even protected memory, yet MAC viruses are none too common these days.
The significant factor is the proportion of the network population that uses a particular O/S. As with a biological infection there are definite inflection points that determine whether a virus spreads fast enough to cause an epidemic or a pandemic.
When the Wang Worm hit it could propagate because close to 100% of the computers on HEPNET were VMS systems. Equally the Moriss worm took out the Internet when the vast majority of nodes were UNIX boxes running sendmail.
The proportion of UNIX machines on the Internet today is probably close to critical mass for allowing a viral epidemic. The saving factor is not the design of the O/S, it is the variation between the O/S implementations. Anyone who thinks that sendmail is a lesser security risk than Outlook should read a few CERT advisories.
The separation of administrative privs is not actually significant when it comes to the propagation of email viruses. If that was the case Windows XP would solve the virus problem completely (it won't). The problem is that the boundary between code and data has been blurred. For some reason the people who felt they had to foist Java and Javascript winky-blinky features on the world had no clue when it came to security. (Don't get me started about the Java sandbox model, the code does not match the marketing hype, the implementation does not correspond to what I would regard as a sandbox design)
The other reason that UNIX boxes tend to be more secure is that the use of winky-blinky features is nowehere near as widespread. The proportion of terminally clueless users in the Windows world is (acording to my studies) approximately 92.931%, in the Linux world that figure is only 23.428%. So not only is the userbase smaller, the propability that a user sent the virus will execute the program and cause it to replicate is much smaller.
Again, look at biological models of propagation. x^n is a very big number if x > 1, it is a very small number if x Therefore the day that AOL ships AOL for Linux will be the day that Linux will start to get virus problems. It will have the active code to support winky-blinky features and thus be vulnerable to attack, it will introduce the terminally clueless into the Linux user base.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
What does the FBI need to do to keep American computers secure from terrorists?
Keep "Magic Lantern" out of the hands of criminals.
How does "Magic Lantern" work?
The FBI sends it to criminals.