-Caveat Lector-
http://eeng.net/CS/blogs/smileycoyote/archive/2007/07/29/572.aspx[1]
DO ANTIVIRUS APPS IGNORE US GOVERNMENT SPYWARE?
Declan McCullagh, CNET News.com[2]
18 July 2007 08:18 AM
COMPANIES THAT PRODUCE SECURITY SOFTWARE MAY SOON BE IGNORING
CERTAIN SPYWARE, AND POTENTIALLY EVEN INFECTING THEIR CUSTOMERS
THROUGH AUTO UPDATES, UNDER ORDERS FROM US GOVERNMENT AGENCIES.
In the case decided earlier this month by the 9th US Circuit Court
of Appeals, federal agents used spyware with a keystroke logger --
call it fedware -- to record the typing of a suspected Ecstasy
manufacturer who used encryption to thwart the police.
A CNET News.com survey of 13 leading antispyware vendors[3] found
that not one company acknowledged cooperating unofficially with
government agencies. Some, however, indicated that they would not
alert customers to the presence of fedware if they were ordered by a
court to remain quiet.
Most of the companies surveyed, which covered the range from tiny
firms to Symantec and IBM, said they never had received such a court
order. The full list of companies surveyed: AVG/Grisoft, Computer
Associates, Check Point, eEye, IBM, Kaspersky Lab, McAfee, Microsoft,
Sana Security, Sophos, Symantec, Trend Micro and Websense. Only McAfee
and Microsoft flatly declined to answer that question.
Because only two known criminal prosecutions in the United States
involve police use of key loggers, important legal rules remain
unsettled. But key logger makers say that police and investigative
agencies are frequent customers, in part because recording keystrokes
can bypass the increasingly common use of encryption to scramble
communications and hard drives.
Some companies that responded to the survey were vehemently
pro-privacy. "Our customers are paying us for a service, to protect
them from all forms of malicious code," said Marc Maiffret, eEye
Digital Security's co-founder and chief technology officer. "It is not
up to us to do law enforcement's job for them so we do not, and will
not, make any exceptions for law enforcement malware or other tools."
eEye sells Blink Personal for US$25, which includes antivirus and
antispyware features.
Others were more conciliatory. Check Point, which makes the popular
ZoneAlarm utility, said it would offer federal police the "same
courtesy" that it extends to legitimate third-party vendors that
request to be whitelisted. A Check Point representative said, though,
that the company had "never been" in that situation.
This isn't exactly a new question. After the last high-profile case
in which federal agents turned to a key logger, some security
companies allegedly volunteered to ignore fedware. The Associated
Press reported in 2001 that "McAfee contacted the FBI... to ensure its
software wouldn't inadvertently detect the bureau's snooping
software." McAfee subsequently said the report was inaccurate.
Later that year, the FBI confirmed that it was creating spy
software called "Magic Lantern" that would allow agents to inject
keystroke loggers remotely through a virus without having physical
access to the computer. (In both the recent Ecstasy case and the
earlier key logging case involving an alleged mobster, federal agents
obtained court orders authorising them to break into buildings to
install key loggers.)
Government agencies and backdoors in technology products have a
long and frequently clandestine relationship. One 1995 exposé by the
Baltimore Sun described how the National Security Agency persuaded a
Swiss firm, Crypto, to build backdoors into its encryption devices.
In his 1982 book, The Puzzle Palace, author James Bamford described
how the NSA's predecessor in 1945 coerced Western Union, RCA and ITT
Communications to turn over telegraph traffic to the feds.
More recently, after the BBC reported last year on supposed talks
between the British government and Microsoft, the software maker
pledged not to build backdoors into Windows Vista's encryption
functions.
Even if the FBI, the Drug Enforcement Administration or other
federal police haven't tried to compel security companies to whitelist
fedware, security experts predict that such a court order is just a
matter of time.
What remains unclear, however, is whether police have the legal
authority to do so under current law. "The government would be pushing
the boundaries of the law if it attempted to obtain such an order,"
said Kevin Bankston, an attorney with the Electronic Frontier
Foundation who has litigated wiretapping cases. "There's simply no
precedent for this sort of thing."
One possibility is a section of the Wiretap Act that says courts
can "direct that a provider of wire or electronic communication
service, landlord, custodian or other person" to help with electronic
surveillance.
"There is some breadth in that language that is of concern and that
the Justice Department may attempt to exploit," Bankston said.
In theory, government agencies could even seek a court order
requiring security companies to deliver spyware to their customers as
part of an auto-update feature. Most modern security companies,
including operating system makers such as Microsoft and Apple, offer
regular patches and bug fixes. Although it would be technically
tricky, it would be possible to send an infected update to a customer
if the vendor were ordered to do so.
When asked if it had ever received such a court order, Microsoft
demurred. "Microsoft frequently has confidential conversations with
both customers and government agencies and does not comment on those
conversations," a company representative said. Of the 13 companies
surveyed, McAfee was the other company that declined to answer. (Two
others could not be reached as of Tuesday morning.)
Some security companies refused to reply to the initial version of
our survey, which broadly asked about fedware whitelisting. In
response, we revised the question to ask if they would alert a
customer to the presence of keystroke loggers installed by a police or
intelligence agency "in the absence of a lawful court order signed by
a judge."
Cris Paden, Symantec's manager of corporate public relations,
initially declined to reply. "There are legitimate reasons for not
giving blanket guarantees--one of those is a court order," he said at
first. "There are extenuating circumstances and grey issues."
But after we altered the question, Paden replied: "Barring a court
order to cooperate with law enforcement authorities, Symantec would
definitely alert our customers to the presence of any malicious code
or programs that we detect on their systems." He added that Symantec
had "absolutely not" received any such court order.
One danger with whitelisting fedware is that it creates a
potentially serious vulnerability in security software. If a malicious
vendor of spyware were clever enough to mimic the whitelisted
government spyware, it would also go undetected.
But if fedware becomes more common, savvy criminals could simply
turn to open-source software that's less likely to have backdoors for
police. ClamAV and OpenAntiVirus.org both offer open-source security
software, and it's also possible to boot off of a CD-ROM and inspect
the hard drive for malicious tampering.
At the moment, at least, there aren't any industry standards about
detecting fedware. "CSIA does not currently have a position on this
issue nor has the issue ever been addressed by its board of
directors," said Tim Bennett, president of the Cyber Security Industry
Alliance.
SOURCE: ZD NET
*
Juxtaposeur
http://eeng.net/CS/blogs/smileycoyote/
http://www.myspace.com/decompartmentalized
Links:
------
[1] http://eeng.net/CS/blogs/smileycoyote/archive/2007/07/29/572.aspx
[2] mailto:[EMAIL PROTECTED]
[3] http://www.zdnet.com.au/insight/security/soa/Security-vendor-survey-Will-they-side-with-the-government-/0,139023764,339280166,00.htm