Re: [Full-Disclosure] National Database of Variants with Fixes-non-vendor specific
From: Nick FitzGerald (nickvirus-l.demon.co.uk)
Date: Wed Aug 11 2004 - 19:36:00 CDT
John Hall wrote:
> I admit that I only read the first five articles and skimmed the next
> five, but *none* of the articles I looked at claimed the FBI even
> admitted they had such a virus in hand and they didn't even come
> close to saying the FBI ordered any of the anti-virus vendors to not
> detect their keystroke logging trojan. The more recent articles all
> seem to state that all of the AV vendors repudiated early reports that
> they might choose to not detect a "Magic Lantern" virus.
In a nutshell, and from memory, after some discussion of Magic Lantern
and much media attention to the notion, some journo asked a staffer at
a very large US-based AV company (though this chap was, I think, based
at one of their European offices at the time) if his company would omit
detection of Magic Lantern if the FBI asked it to. AV chap says
something like "we'd have to consider such a request" and is reported
as saying "we would agree to omit detection". Another large US AV
company staffer, put on the spot by (I think) a different reporter,
drilling for second AV's position after first was reported, said much
the same thing as the chap from the rival AV, and was reported more or
less correctly. Several non-US AV developers immediately jumped to
maximize the PR benefit of being able to say _to the world_ that they
would never bow to such governmental pressure regardless of which
government or agency it came from. The two large US AV developers very
quickly started extracting feet from mouths and made very firm
statements to the same effect as their competitors.
> ... It would be
> suicide for them to make such a decision, ...
> ... since once the "signature"
> they used to detect and ignore the virus was known, other even less
> scrupulous virus writers could possibly use it to cloak *their* viruses.
...but not for that reason.
Think about it...
First, most (if not all) products should be able to write an absolute
water-tight exclusion rule -- think something like "if file MD5 is
<value> skip reporting detection" but don't think it is necessarily
implemented quite like that (there are major performance and overhead
issues if every file has to be fully MD5'ed...).
Second, imagine the AV'ers did exclude detection of Magic Lantern and
the FBI started using it with impunity from AV detection. How long
would it be before copies of Magic Lantern were available to the Black
Hats and being used (with impunity) for their nefarious purposes? As
your AV would not detect it, you would never know the answer to that
question. That is why most folk should be concerned at the idea that
their AV might deliberately omit detection of something whose
functionality the AV's users would normally expect to be detected.
> While I don't believe the government always (or even often) has my
> best interests in mind, I do know that our collective interests
> usually coincide for the most part. Of course, the devil is always
> in the details.
Yep, and the collective interest of typical computer users ensures the
AV companies will not buckle to such requests (well, with the possible
exception of "in China" where the government sets standards AV products
have to match to get a licence to be sold). Of course, that doesn't
mean the FBI cannot use something like (the reputed) Magic Lantern, but
it does mean that if they do, they need to be very smart about it to
ensure that they stay ahead of the AV industry's detection of it...
> I hope you have your tinfoil hat firmly mounted and calibrated.
Screwed it up to make a play-toy for the dog years ago...
> Thanks for the links though. It's fun to see a poorly conceived
> government fantasy get crucified in the press.
Pity it didn't work for the DMCA and its relatives...
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
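
The exact-file exclusion sketched in the message above, as an added example that is not part of the original post or of any AV product: a detection is suppressed only for one byte-identical file, so any other file carrying the same signature is still reported. SHA-256 stands in for the MD5 the message mentions, and the signature, sample bytes and function names are all constructed for illustration.

```python
import hashlib

# Constructed stand-ins: a byte pattern the toy scanner treats as its
# signature, and the one exact sample that is to be excluded.
SIGNATURE = b"KEYLOG-DEMO-PATTERN"
EXCLUDED_SAMPLE = b"header" + SIGNATURE + b"build-1"

# An exclusion is keyed on (file size, full-file digest), not on the signature.
EXCLUSIONS = {(len(EXCLUDED_SAMPLE), hashlib.sha256(EXCLUDED_SAMPLE).hexdigest())}
EXCLUDED_SIZES = {size for size, _ in EXCLUSIONS}

# Constructed test inputs.
SAME_SIZE_VARIANT = b"header" + SIGNATURE + b"build-2"   # one byte differs
OTHER_MALWARE = b"dropper" + SIGNATURE + b"payload"      # reuses the signature
CLEAN_FILE = b"ordinary document text"


def detects(data: bytes) -> bool:
    """Toy detection: report any file containing the signature bytes."""
    return SIGNATURE in data


def is_excluded(data: bytes) -> bool:
    """Exact-file exclusion: cheap size check first, full hash only on a size match."""
    if len(data) not in EXCLUDED_SIZES:
        return False
    return (len(data), hashlib.sha256(data).hexdigest()) in EXCLUSIONS


def scan(data: bytes) -> str:
    # Only files that already triggered a detection are ever hashed,
    # which avoids the cost of digesting every scanned file.
    if not detects(data):
        return "clean"
    return "suppressed" if is_excluded(data) else "detected"


if __name__ == "__main__":
    for name in ("EXCLUDED_SAMPLE", "SAME_SIZE_VARIANT", "OTHER_MALWARE", "CLEAN_FILE"):
        print(f"{name}: {scan(globals()[name])}")
```
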