Full Disclosure mailing list archives
Re: National Database of Variants with Fixes-non-vendor specific
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 12 Aug 2004 12:36:00 +1200
John Hall wrote:
> I admit that I only read the first five articles and skimmed the next five, but *none* of the articles I looked at claimed the FBI even admitted they had such a virus in hand and they didn't even come close to saying the FBI ordered any of the anti-virus vendors to not detect their keystroke logging trojan. The more recent articles all seem to state that all of the AV vendors repudiated early reports that they might choose to not detect a "Magic Lantern" virus.
In a nutshell, and from memory, after some discussion of Magic Lantern and much media attention to the notion, some journo asked a staffer at a very large US-based AV company (though this chap was, I think, based at one of their European offices at the time) if his company would omit detection of Magic Lantern if the FBI asked it to. AV chap says something like "we'd have to consider such a request" and is reported as saying "we would agree to omit detection". Another large US AV company staffer, put on the spot by (I think) a different reporter, drilling for second AV's position after first was reported, said much the same thing as the chap from the rival AV, and was reported more or less correctly. Several non-US AV developers immediately jumped to maximize the PR benefit of being able to say _to the world_ that they would never bow to such governmental pressure regardless of which government or agency it came from. The two large US AV developers very quickly started extracting feet from mouths and made very firm statements to the same effect as their competitors.
> ... It would be suicide for them to make such a decision, ...
Yes...
> ... since once the "signature" they used to detect and ignore the virus was known, other even less scrupulous virus writers could possibly use it to cloak *their* viruses.
...but not for that reason. Think about it... First, most (if not all) products should be able to write an absolute water-tight exclusion rule -- think something like "if file MD5 is <value> skip reporting detection" but don't think it is necessarily implemented quite like that (there are major performance and overhead issues if every file has to be fully MD5'ed...). Second, imagine the AV'ers did exclude detection of Magic Lantern and the FBI started using it with impunity from AV detection. How long would it be before copies of Magic Lantern were available to the Black Hats and being used (with impunity) for their nefarious purposes? As your AV would not detect it, you would never know the answer to that question. That is why most folk should be concerned at the idea that their AV might deliberately omit detection of something whose functionality the AV's users would normally expect to be detected.
> While I don't believe the government always (or even often) has my best interests in mind, I do know that our collective interests usually coincide for the most part. Of course, the devil is always in the details.
Yep, and the collective interest of typical computer users ensures the AV companies will not buckle to such requests (well, with the possible exception of "in China" where the government sets standards AV products have to match to get a licence to be sold). Of course, that doesn't mean the FBI cannot use something like (the reputed) Magic Lantern, but it does mean that if they do, they need to be very smart about it to ensure that they stay ahead of the AV industry's detection of it...
> I hope you have your tinfoil hat firmly mounted and calibrated.
Screwed it up to make a play-toy for the dog years ago...
> Thanks for the links though. It's fun to see a poorly conceived government fantasy get crucified in the press.
Pity it didn't work for the DMCA and its relatives...

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html