[ISN] U.S. gov't blindly trusts the antivirus industry
From: InfoSec News (isn@c4i.org)
Date: Wed Mar 19 2003 - 01:03:19 CST
http://vmyths.com/rant.cfm?id=562&page=4
by Rob Rosenberger
03/16/03
NO COMEDY IN today's column, folks. I want to speak to all U.S.
federal employees, military members, and contractors who use a
government-issued PC.
"No comedy, Rob?" Don't worry. I sometimes work against muscle memory
to keep myself flexible.
I try to catch White House flunky Howard Schmidt whenever he appears
on CNN or C-SPAN. Oh, sure, he utters silly statements from time to
time -- but he strikes me as a breath of fresh air compared to the
negligent man he used to call "boss." I'm an unabashed fan of
Schmidt's and I ain't afraid to admit it. Call me crazy but I like the
guy.
For example, Schmidt points out the threat of our "blind trust in
software firms" in a city where trust creates an obstacle to success.
He cites examples like the P-Tech Software/Al Qaeda Terrorism
investigation and the JECC Software/Aum Shinrikyo Terrorism
investigation.
The White House now runs commercials linking drug sales to terrorism.
Schmidt works for the White House and he wants you to know software
sales may fund terrorism, too. Indeed, Schmidt could make a very
strong case against ... antivirus companies.
And I would agree with him. Let me explain.
The computer security industrial complex sells its products to the
world and their global business plans run counter to U.S. national
security. I don't make this claim lightly. Antivirus firms in
particular follow no security theology. They release dangerous
data/code to anybody they choose for any arbitrary reason.
For example, major U.S. antivirus firms such as Symantec & Network
Associates admit they gave cyber-smallpox technology to Beijing for
years while they deprived Washington of it.
And they'll go right on ignoring security with impunity. A global
antivirus cartel grabbed us by the short & curlies a loooooong time
ago and they've never loosened their grip. For example, Washington
ironically pays those very same U.S. firms to defend beltway PCs from
the threat of Beijing's computer viruses. What's wrong with this
picture?
Schmidt's interviews & speeches point out the threat of our own blind
trust in antivirus firms. Now, I'll admit he says "software firms,"
but this of course includes the antivirus industry. If you raised your
right hand to defend the Constitution against all enemies (foreign or
domestic), then you must open your eyes to this problem. You must open
your eyes to the security industry's non-existent security theology.
To put it simply: you need to treat your government PC like you treat
a GSA safe or a STU-III.
I DON'T MEAN how you treat the documents in the safe or the things you
say during a call. I mean how you treat the safe or the phone itself.
You can identify everyone who knows the combination to your GSA safe
or who holds a key to your STU-III -- but you don't know any of the
antivirus employees over the years who at one time or another enjoyed
full access to your for-official-use-only PC.
Some antivirus programmers carry passports from countries we don't
like to associate with. One prominent U.S. virus expert will never
hold a security clearance because of his ties to the Chinese national
police. Experts in the antivirus cartel believe a prominent Russian
member in their group has strong ties to the KGB. The cartel as a
whole believes one Israeli antivirus firm bears strong ties to
Mossad.
[Full disclosure: Wired magazine claims I've got ties to the CIA. I
don't, but let's pretend I do. Who would you trust more? Me, or the
guy with ties to the Chinese national police? Ah, but there's the rub!
You blindly trust the other guy by default.]
Our enemies earn far more respect from the antivirus industry than we
do. We know it for a fact and I don't make this claim lightly.
Antivirus firms don't want our friendship -- they just want our money.
I quote myself from a telltale 2001 column:
NSA & CIA made it clear they wanted to join the inner sanctum of
antivirus experts... The spooks in D.C. wanted to tap into the
industry's massive knowledge base -- but the industry declined.
"We encourage you to give us any intelligence data you have," the
industry mused, "but we need to sanitize our own data before we
can give it to outsiders. It's just too sensitive."
"Besides," the experts continued, "each of our firms is a large
multinational conglomerate. We don't want to look like a tool of the
CIA. It's bad for business..." Then [the White House] learned the
antivirus industry trades viruses with China. "Ouch." Antivirus firms
aren't a tool of the CIA -- they're a tool of the PRC! Bad for
business, indeed.
You'll never let these people touch a GSA safe or a STU-III, but
you'll blindly let their software protect your NIPRNET & SIPRNET
computers. In fact, your agency will blindly throw money at them every
time their software fails to protect your PC from a virus. What's
wrong with this picture?
(Don't confuse "access" with "break-ins." Spies can access a GSA safe
or a STU-III just by breaking a window. And know this: the antivirus
industry evolved as a global cartel by no later than September 1999.)
If you raised your right hand to defend the U.S., then your security
theology should include your government PC. If you watch Schmidt on
CNN or C-SPAN, then you know he feels the same way I do. He wants
America to overcome its blind trust in software firms. "Software
firms" includes antivirus firms.
"BUT ROB!" YOU protest. "How can I, an individual, overcome the
government's blind trust in antivirus firms? I don't control federal
negotiations for their products and I can't even stop a network
administrator from forcing it down my PC's throat at every bootup."
Believe it or not, you can help the government overcome its blind
addiction to COTS antivirus software. You really can. First, though,
you need to open your own eyes. Let me explain.
You see that PC sitting on (or under) your desk? I kid you not: the
Pentagon recently declared it a "weapon system." By definition, then,
DoD's security theology should include the PC. But it doesn't. The
Pentagon should not protect a weapon system with software written by
people they'd never trust. Yet they do.
Only in the antivirus industry -- I repeat, only in the antivirus
industry! -- can you:
1. declare the entire planet as your customer base;
2. sell a product that routinely fails to do what you advertise it
can do;
3. rely on an addictive update model as your prime revenue stream;
4. rely on a global media fetish as your prime marketing stream;
5. configure your software so it deletes the important log files it
creates;
6. hire uncleared foreign nationals to write software that protects
top secret computers;
7. expect applause when you release hundreds of security patches for
your product each year;
8. ignore the blatant security flaws in your own product;
9. exploit the blatant security flaws in your competitors' products;
10. engage in industrial espionage without fear of a government
crackdown;
11. violate copyright laws and commit plagiarism with the blessing of
your corporate legal counsel;
12. curb technological innovation through the use of bribery and/or
character assassination;
13. refuse to alert your own customers to security threats discovered
by your competitors;
14. supply hostile enemies with the technology to destroy your own
customers;
AND MOST IMPORTANT OF ALL:
15. make your customer-addicts feel perfectly comfortable with all of
the above!
I don't make any of these claims lightly ... but I need to add two
caveats for journalistic integrity. First: I insist antivirus firms
sometimes use illegal means to acquire a competitor's virus library,
though I've not yet documented it. (It would force me to reveal my
sources.) Second: it doesn't violate my personal code of ethics when
antivirus firms arm an oppressive communist regime for a possible
cyber-war against the United States. (I explain why here.) Of course,
my industry ethics don't apply to "U.S. federal employees, military
members, and contractors who use a government-issued PC."
The antivirus industry wants everyone to feel perfectly comfortable
when they do anything they wish for any reason they choose, especially
if it threatens the very people who buy antivirus software. What's
wrong with this picture?
They want every CIA employee to feel perfectly comfortable using
antivirus software written by people the CIA would never trust. They
want every NSA employee to feel perfectly comfortable with it, too.
Same thing for every FBI employee. The antivirus industry wants every
military contract negotiator to feel perfectly comfortable with it.
They want every DoD CERT official and every network administrator to
feel perfectly comfortable with it. They want every user to feel
perfectly comfortable with it, too.
In a word: "everyone."
[Continued in part 2]
ISN is currently hosted by Attrition.org