Hazards and Illegality of FBI's Magic Lantern

22 November 2001

These messages on the public safety hazards and possible illegality of the FBI "Magic Lantern" program of encryption cracking by covertly-installed software virus are from UK Crypto, a British mail list specializing in cryptography and computer security. Brian Gladman is a highly reputable computer security professional and former employee of the Ministry of Defence.

-----

From: "Brian Gladman" <brg@gladman.uk.net>
To: "UK Crypto Posting" <stevee+brg@slimy.greenend.org.uk>
Subject: Re: [Fwd: IP: FBI software cracks encryption wall]
Date: Thu, 22 Nov 2001 19:45:43 -0000

Quentin Campbell wrote:

> The use of tools to gain access to a target system to install trojans,
> key sniffers, etc, has been well covered on this list already. Brian
> Gladman for one has had a lot to say on the issue and its implications;
> for example in safety critical systems.

Yes, this is an issue that concerns me greatly.

While it is possible to be highly confident that a hardware sniffing device is truly passive and does not cause the state of a system to change, there can be no such guarantee for software based probes inserted into systems. Moreover, if such insertions were to be undertaken remotely via networks, it is not even possible to be certain that they would be applied to the intended target and only to this target.

Although it would be irresponsible to build a safety critical computer system that would be vulnerable to such interventions, this does not mean that such systems do not exist. In consequence, any government that allows its agencies to covertly modify computer systems owned and operated by others in order to meet their surveillance needs must consider the possibility that such actions might create serious safety hazards. It would be interesting to find out if such risks are recognised and controlled in the legislation introduced by those countries that allow these forms of surveillance.

I am not sure what the current legal position is in the UK but when I was in MOD (over 5 years ago now) the conclusion was that such actions would almost certainly be illegal if conducted outside a war situation. I hope that this still applies since any government that sanctions such actions by its employees and agencies is taking unquantifiable risks with public safety.

I think it would be useful to obtain a formal statement of UK Government policy on this issue. I would hence be grateful if our Home Office colleagues would document any circumstances in which it is legal for UK government (or public) agencies to covertly insert software into a computer system owned and operated in the UK by a private company or a private citizen. And what measures are required to ensure that a safety hazard is not created as a result.

I will pose this question formally in writing via my MP if they wish.

Brian Gladman

-----

From: DB
To: ukcrypto@chiark.greenend.org.uk
Subject: RE: [Fwd: IP: FBI software cracks encryption wall]
Date: Thu, 22 Nov 2001 20:02:06 -0000

The question of whether such tools also create security vulnerabilities in the target systems for others to exploit, is also interesting...

-----

Absolutely.

Brian

-----