28 November 2001
Date: Wed, 28 Nov 2001 08:00:20 -0500
To: politech@politechbot.com
From: Declan McCullagh <declan@well.com>
Subject: FC: Symantec pledges to acquiese to FBI backdoor demands
Symantec sells security software including:
Norton Antivirus
Symantec Intruder Alert
Symantec NetProwler 3.5
Symantec AntiVirus Enterprise Edition
Symantec AntiVirus Command Line Scanner 1.0
Symantec Desktop Firewall 2.0
Symantec Enterprise Firewall 6.5
Symantec Enterprise VPN 6.5
Symantec Enterprise Security Manager 5.5
Symantec NetRecon 3.5
*********
Date: Wed, 28 Nov 2001 12:47:21 +0100
To: declan@well.com
From: Maurice Wessling <maurice@bof.nl>
Subject: Symantec will not detect Magic Lantern
http://www.theregister.co.uk/content/55/23057.html
Eric Chien, chief researcher at Symantec's antivirus research lab, said that provided a hypothetical keystroke logging tool was used only by the FBI, then Symantec would avoid updating its antivirus tools to detect such a Trojan. The security firm is yet to hear back from the FBI on its enquiries about Magic Lantern but it already has a policy on the matter.
"If it was under the control of the FBI, with appropriate technical safeguards in place to prevent possible misuse, and nobody else used it - we wouldn't detect it," said Chien. "However we would detect modified versions that might be used by hackers."
*********
Date: Wed, 28 Nov 2001 00:57:28 -0500
To: politech@politechbot.com
From: red <red@isr.net>
Subject: FC: McAfee broadens denial: No contact with government of any
sort
Cc: declan@well.com, tbridis@ap.org
Declan, et al.
I believe it to be impossible that McAfee would build-in some sort of mechanism that would enable an authority to remotely allow keystroke logging. Not because this would technically be inconceivable - I believe it is, and I believe it is done as well -, but merely because of the international ramifications such construct would bring along. NAI, and McAfee.com certainly look forward to a more prosperous financial year. And they do their best to accomplish that. This company simply cannot afford under its new leadership to see its overseas competition (as F-Secure, Sophos and others) eat away their international market share. If McAfee.com/NAI would entertain what was said, this would be quite possibly the end of the company, as their international revenue would halt almost instantly. The impact would be felt in all NAI products. And then with so many a.v. manufacturers, they'd still only cover those who'd agreed to do this. The possibility of an embarrassing leak would be a federal disaster.
Come to mind that none of the foreign owned a.v.'s would go along. Although it might be seen that way by some, this would not be a "home land" security issue, sec. It would impact almost all foreign nations. E.g. the EU would start stripping Mr. Mueller's pants down so fast, he even wouldn't have known he has 'em on. There's under the current EU regime (after the first Echelon raid) no-one willing to accept another candid U.S. camera trick. Not even the U.K. would accept it. And mix in that you also need to row-up all network intrusion vendors. And I simply do not see guys like Marcus Ranum (Network Flight Recorder) and Christopher Klaus (Internet Security Systems), just to name my personal pick of the crop, agree with compromising their product lines and future international sales.
To top it off, look at this from the user side as well. A program like SurfinShield (Finjan) or Agnitum's Tauscan will take care of almost ANY Trojan. And, it would be a good idea to start using Evidence Eliminator (the latest version is here: http://www.evidence-eliminator.com/go.shtml?A660528 ) made by a real neat Brit, Andy Churchill, who deserves to be complemented for his efforts to contribute relentlessly to protect privacy of computer use.
On MagicLantern. MagicLantern, according to my reliable sources is a derivative of the D.I.R.T. program (see http://www.codexdatasystems.com/ for details)[Also, http://cryptome.org/dirty-secrets2.htm]. A by no means for the experienced network administrator unbeatable, but nevertheless nifty pack of sleuth goodies, which do exactly what is promised: remote keystroke logging. Codexdatasystems provides the software free of charge to law enforcement, so it's beyond the likely stage that the FBI didn't study it, and hence after some de-compilation made it more tailor-made, so to speak. You'd be utterly surprised to learn what can be done and seen if you mix in the latest version of Network Observations, and use remote installed nodes. By the way, Jack Valenti ( the movie mogul ) attempted to legally incorporate DIRT applications in the latest digital music trivia battle. Not too long ago I saw a remark from John Young passing by, mentioning this. [http://cryptome.org/riaa-secret.htm]
with regards / stringing along
Jack
Jack Ryan, PhD
research editor
Internet Security Review
*********
-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
Declan McCullagh's photographs are at
http://www.mccullagh.org/
To subscribe to Politech:
http://www.politechbot.com/info/subscribe.html
This message is archived at
http://www.politechbot.com/
-------------------------------------------------------------------------
Date: Tue, 27 Nov 2001 13:17:16 -0500 To: politech@politechbot.com From: Declan McCullagh <declan@well.com> Subject: FC: McAfee broadens denial: No contact with government of any sort Here's an email exchange I had with Tony Thompson (Tony_Thompson@nai.com, 408 346-3696), a spokesman for McAfee/Network Associates. I asked him: >My followup question is: Is Network Associates/McAfee aware of any other >companies or organizations that have had any contact of any sort with the >FBI or other law enforcement or intelligence agencies regarding Magic >Lantern or a product with capabilities it is reported to have? How about >trade associations to which NAI/McAfee belongs? How about broadening the >question to include any government agency or contractor or affiliate? Tony replied: >No, we are not. I added: >Tony, thanks, much obliged. I just noticed my question didn't include you >folks directly. Can you assure me that Network Associates/McAfee has not >had any contact with any law enforcement or intelligence agencies or other >government entities including Congress or the White House about Magic >Lantern or a product with capabilities it is reported to have? Tony replied: >You are correct. We have not. He didn't say anything I left out -- that's the entirety of his answers. Background: http://www.politechbot.com/cgi-bin/politech.cgi?name=mcafee Summary: http://www.wired.com/news/conflict/0,2100,48648,00.html -Declan *********** To: Marisa_Lewis@mcafee.com cc: politech@politechbot.com, tbridis@ap.org, declan@well.com Cc: ah@well.com, gnu@toad.com Subject: Re: FC: McAfee replies -- by denying any FBI contacts of any sort Date: Mon, 26 Nov 2001 15:43:03 -0800 From: John Gilmore <gnu@toad.com> Hi Marisa, speaking for McAfee. Your answer makes me wonder about how your company seems to be interpreting US the law. And you forgot the most important point, which is serving your customers; I can see why they might worry. > 4. Network Associates/McAfee.com Corporation does and will continue to > comply with any and all U.S. laws and legislation. It is not illegal in the US for a software product to report that software has been inserted secretly into a system, even if the secretly inserted software was from the FBI under a wiretap warrant. If you believe otherwise, show me what provision of law would be violated. In your list of points for the press, you forgot the most important point: 5. Network Associates/McAfee.com anti-virus products will continue to protect our customers' computers from *any* program that intrudes into their system against the desires or without the knowledge of our customer. Will your European customers be able to detect official US spyware, since US law has no force in Europe, but your US customers be denied that capability? Will your US customers be able to detect European governments' spyware? When the French government installs spyware on US machines at Chrysler, Ford and GM, for Renault's benefit, will you be protecting these companies -- or looking the other way? When Palestinian activists acquire the US and French spyware (from their own computers that were infected by wiretappers from the US and France), then install it on Japanese computers and use it to wreak havoc on the Japanese financial markets, will your product be lying to its Japanese customers? Would you be liable if so? Legally, or merely in the public mind? Would you have thereby become a supporter of terrorism? If the company decides that your company's software will lie about the presence of "legitimate" spyware from "legitimate" countries' governments, what will you do when such countries change governments? Would your software now be protecting Poles from old USSR spyware, but not from more modern Russian spyware? If the State of Arizona decides to write their own spyware, can they get it onto your protected list too? How about the City of Berkeley, or the Bay Area Water Quality Management District? Will whoever hijacks an election in Latin America be able to slide with impunity into any computer worldwide, after a short discussion with your company to have their spyware added to the "legitimate" list? When the PRI lost the Mexican election, would your next release suddenly reveal the extent of PRI spying on its opposition? Would your software protect Democratic Party HQ from Richard Nixon's "plumbers"? Before or after the impeachment? As soon as your company steps away from "We protect our customers against *everybody* else", you are in a morass whose depth you do not suspect. John Gilmore (a former stockholder of PGP Inc, acquired by Network Associates) *********** From: Richard M. Smith [mailto:rms@computerbytesman.com] Sent: Monday, November 26, 2001 8:36 AM To: politech@politechbot.com Cc: press@mcafee.com; InvestorRelations@mcafee.com Subject: RE: McAfee sides with FBI against customers on "Magic Lantern" Declan, Anti-virus (AV) software typically use file signatures to detect viruses and Trojan horses. For this scheme to work to detect Magic Lantern, an AV company like McAfee would need a copy of the FBI's software. I seriously doubt that the FBI is going to be giving out samples of their software for anyone to look at any time soon. It will be interesting to see if the Magic Lantern becomes publicly available anyway. I bet there is going to be a lot of people looking for it. On a related note, about 2 years ago I informally floated the idea that AV companies should be looking to see if customers are running software with known security holes. The same AV engine which looks for viruses can easily locate broken software. My idea got a very luke-warm reception. It seems that the AV companies were real reluctant to point fingers at other software companies like Microsoft. Richard M. Smith http://www.computerbytesman.com *********** Date: Mon, 26 Nov 2001 15:48:37 -0600 (CST) From: Boris Kupershmidt <bkupersh@utsi.edu> To: Declan McCullagh <declan@well.com> Subject: Re: FC: McAfee replies -- by denying any FBI contacts of any sort Read carefully, this very Clintonesque quasi-denial doesn't deny the report. 1)"McAfee Corp., contacted the FBI on Wednesday to ensure its software wouldn't inadvertently detect the bureau's snooping software and alert a criminal suspect." This is the AP report. 2)The company says: 1. Network Associates/McAfee.com Corporation has not contacted the FBI, nor has the FBI contacted NAI/McAfee.com Corp., regarding Magic Lantern. ~~~~~~~~~~~~~~~~~~~~~~~ 2. We do not expect the FBI to contact Network Associates/McAfee.com Corporation regarding Magic Lantern. ~~~~~~~~~~~~~ 3. Network Associates/McAfee.com Corp. is not going to speculate on Magic Lantern as it's existence has not even been confirmed by the FBI or any ~~~~~~~~~~~~~~ government agency. In other words, nothing is said or denied about anything that is not Magic Lantern. The report is thus likely to be true. The company is now actively lying, provided we agree what the meaning of "is" is. 4. Network Associates/McAfee.com Corporation does and will continue to comply with any and all U.S. laws and legislation. So, the company has chosen sides, with the government against its customers. Cheers, Boris. *********** Date: Mon, 26 Nov 2001 13:32:42 -0800 From: "G. Armour Van Horn" <vanhorn@whidbey.com> To: declan@well.com CC: brett@lariat.org, press@mcafee.com, InvestorRelations@mcafee.com Subject: Re: FC: McAfee sides with FBI against customers on "Magic Lantern" Greetings: While hardly as influential a force in the marketplace as Declan or Brett, I do consult with a modest set of clients and assist with ongoing support for their networks. In that capacity I probably have been responsible directly for two or three new licenses for the McAfee antivirus program every month for the last few years. I reached the conclusion that your product did a thorough job and was easy enough to use for the end users, most of whom are real estate agents with no real interest in becoming system administrators. When asked, or when an infection prompted us to act, I would install your product. As of last Wednesday, this tiny trickle of new business ended. To be trusted on systems I work with any intrusion-detection product must perform as advertised without any exceptions. Your virus scanner must detect and remove infections caused by malicious individuals, your own company, other software vendors, or any government on earth. Unless you can assure me that your program will not be crippled in this regard, and I am concerned both with the direct intrusion of governments and the risk that others will slide through whatever back door you might open for a government or commercial entity, there will not only be no additional installations but I will strongly recommend that my clients upgrade to a more reliable product at the end of the current license. G. Armour Van Horn Freeland, Washington *********** Date: Tue, 27 Nov 2001 01:26:54 -0500 To: declan@well.com From: "Robert L. Ellis" <rellis@internet-attorneys.com> Subject: Translation of German article ---------- McAfee denies report about cooperation with FBI A spokesperson of the McAfee parent company Network Associates has denied reports in the Washington Post according to which McAfee supposedly offered to not indicate the presence of' the FBI snooping tool Magic Lantern through its anti-virus software. Network Associates spokesperson Alexander Wegner explained to heise online that such a report in the Washington Post did not correspond with the truth, [and that] it could not be determined who had spoken with the paper. Magic Lantern -- according to an MSNBC report last week citing well-informed sources -- is supposed to expand the email surveillance by the controversial snooping program Carnivore. The program is supposed to be surreptitiously delivered to the unknowing user via email where it installs a key logger that become active if encryption software is activated on the target PC. The Washington Post had reported [that] "at least one anti-virus firm, McAfee," had contacted the FBI in order to ensure that the firm's anti-virus software would not "mistakenly" detect the snooping trojan [software] and thus warn criminals of the surveillance. Wagner sharply denied this description: "We are not interested in what the FBI does," he stated to heise online. "We write software which detects malicious code. If a trojan or a virus is present on the system, it will be reported. McAfee makes no exceptions." *********** Date: Mon, 26 Nov 2001 21:10:36 -0600 To: declan@well.com From: "Randal J. King" <rjking@vtechnology.com> Subject: Re: FC: McAfee replies -- by denying any FBI contacts of any sort >From: "Lewis, Marisa" <Marisa_Lewis@mcafee.com> >To: "'Declan McCullagh'" <declan@well.com> > <snip> >4. Network Associates/McAfee.com Corporation does and will continue to >comply with any and all U.S. laws and legislation. Simple enough. Congress rules that Magic Lantern is part and parcel of the provisions of homeland security and requires A/V manufacturers to explicitly exclude its detection. Sounds like NAI (a) either anticipates this or (b) is sending a message on how this can get done. Question: If such a law were to hit the books, would I be in violation for writing my own personal detection software and installing it? What if I gave it to a few thousand friends free of charge? Anyone ready to go back to pulse dialing and O26 keypunch cards? -- Randy King *********** Date: Tue, 27 Nov 2001 11:24:59 +1100 From: Nathan Cochrane <ncochrane@theage.fairfax.com.au> Reply-To: ncochrane@theage.fairfax.com.au Organization: The Age newspaper To: declan@well.com Subject: Re: FC: McAfee replies -- by denying any FBI contacts of any sort It's like Asimov's three laws of robotics. So if the US Government tells McAfee to pass the scan, McAfee will. *********** Date: Mon, 26 Nov 2001 17:52:12 -0600 (CST) From: Zippy <sjdyer@cs.twsu.edu> To: Marisa_Lewis@mcafee.com cc: declan@well.com Subject: Re: FC: Has McAfee sided with FBI on "Magic Lantern" detection? How about actually giving us a clear statement that NAI will not--not now, nor in the the future--engineer its software to overlook inconvenient government mischief? If the below is true, your German colleagues have had no such problem in doing so. What gives? *********** ------------------------------------------------------------------------- POLITECH -- Declan McCullagh's politics and technology mailing list You may redistribute this message freely if you include this notice. Declan McCullagh's photographs are at http://www.mccullagh.org/ To subscribe to Politech: http://www.politechbot.com/info/subscribe.html This message is archived at http://www.politechbot.com/ -------------------------------------------------------------------------