Symantec Will Not Detect Magic Lantern

An anonymous reader contributes: "In this article on Declan McCullagh's Politech, Symantec chief researcher Eric Chien stated that provided a hypothetical keystroke logging tool was used only by the FBI, Symantec would avoid updating its antivirus tools to detect such a Trojan, echoing a similar stance Network Associates allegedly took with its McAfee anti-virus software earlier this week. 'If it was under the control of the FBI, with appropriate technical safeguards in place to prevent possible misuse, and nobody else used it -- we wouldn't detect it,' said Chien. 'However we would detect modified versions that might be used by hackers.'"
  • by the_rev_matt ( 239420 ) <slashbot@revmattUMLAUT.com minus punct> on Wednesday November 28, 2001 @12:39PM (#2625274) Homepage
    I'd rather not use AV software that was designed not to work. Of course, I run Linux so it's not really an issue for me...
    • by babbage ( 61057 ) <cdevers@cis.usou ... minus herbivore> on Wednesday November 28, 2001 @01:07PM (#2625476) Homepage Journal
      ...until of course the first big cross platform or Linux only virus comes along and trashes your computer[s], which we all know is just a matter of time.

      Your OS is certainly more esoteric, but it has holes like all the rest of them do. Your immunity thus far isn't an indication that there are no holes -- there are always holes -- but that the *nix environment hasn't yet been able to cultivate & propagate any really serious viruses yet.

      One of two things is likely to happen: Linux's popularity will crest & wane, and people will stop using it (unlikely, I hope :), or it will continue to get more popular, and as it does so it will provide an ever more appealing target for virus writers, licking their chops at all the complacency out there....

      • It is NOT only "a matter of time". If Linux programmers will ever get the idea to make Linux login as root by default, to write email clients that allow scripts to be executed without user's permission, to ship their OS without a firewall mechanism in place and to make the whole system a sitting duck to any running script via a conveniently accessible registry file, THEN you will start seeing viruses for Linux. But by then us security conscious people will have long since moved on to another more decent OS.
        • by babbage ( 61057 ) <cdevers@cis.usou ... minus herbivore> on Wednesday November 28, 2001 @01:43PM (#2625731) Homepage Journal
          Yeah. Sure. Just make sure you leave enough of whatever it is you're smoking in that pipe so that we can all get as addled as you are on this one.

          Mac OSX is becoming an interesting case study in Unix For The Masses. Default Linux is, as the Register recently noted, [from memory, can't find a link] "a paragon of Stalinistic control freakery", and that has made it more secure out of the box than the average WinME box, but more importantly it has also scared off millions, and rightly so. Apple's engineers knew well that if they wanted to bring this architecture to the masses -- the way the Gnome & KDE folks do -- then they'd have to encapsulate & hide as much of that control freakery as possible.

          And for the most part they've done a good job, but there have been some serious glitches, like programs that would launch themselves as root, or a broken iTunes installer that wiped out whole disk partitions because of one mistyped "rm" command in an installer script. Pay attention, you seething Linux hordes, because if you want to hit the big time then this is your future. You too will face these problems as the system matures & seeks out a wider audience.

          The only "secure" system is either (pick your punch line) the one that hasn't been built yet, or the one you bought a decade ago and still haven't plugged in yet. All of the others -- all of them -- have problems of one kind or another, and all of them always will. Welcome to real life, kids.

          • You know what the difference is between Linux and Mac OSX? Linux is written by control freaks. Fortunately, the fine folks who are working on the various parts of the Linux system differ from your average Slashdot sheep in that they care more about system security and less about "widespread Linux adoption". That's why you will never see such a thing as "insecure Linux".

            Yes, it's possible that Linux companies will eventually start putting out windows-ified Linux distros that will sacrifice security for ease of use to make it more appealing to the unwashed masses, but so what? Viruses work so well in Windows territory because there's Only One Windows, and everything works exactly the same on millions of computers. Look at all the different Linux distros from a virus writer's perspective and ask yourself if you could really write an effective virus and expect it to work the same on all of them. My answer is no. Not with the huge diversity of libraries and programs and kernel versions out there. What's a virus writer to do? Spread the virus as source file and ask the user to type ./configure? I guess you could do that, but you'd be the laughing stock of the virus writers' community, if there is such a thing.

            And if you're going to suggest that Linux will eventually standardize and everybody will use the same distro (or all distros will be functionally identical), and all the programs and libraries will reach stable versions updated only once every six months in service packs, then you obviously have no idea what you're talking about, which is what I would half expect from someone who says things like "welcome to real life, kids".


        • Er, no.


          If the average windows user were the average linux user, then you'd see viruses. They'd either have "Please insert root password here", use their own dictionary, or use the first program made for newbies (Think the AOL-Linux Distro).


          I used windows for many years, and still do use it at work and at home, and I've never been infected with a virus. I have downloaded over 40 gigs of files, including several executables, and have never had any problems.


          The only additional "security" linux offers is user permissions, and even then, that is a rather fragile barrier, prone to user mistakes and security holes (think ramen worm). Plus, really, to propagate, a worm like the annoying worm wouldn't need root to spread, only an appropriate IM client.


          So, don't think Linux keeps you safe. Only good security practices and common sense keeps you safe.

        • by Zeinfeld ( 263942 ) on Wednesday November 28, 2001 @02:52PM (#2626218) Homepage
          It is NOT only "a matter of time". If Linux programmers will ever get the idea to make Linux login as root by default, to write email clients that allow scripts to be executed without user's permission, to ship their OS without a firewall mechanism in place and to make the whole system a sitting duck to any running script via a conveniently accessible registry file, THEN you will start seeing viruses for Linux. But by then us security conscious people will have long since moved on to another more decent OS.

          Don't be so sure. We have had UNIX worms and even VMS worms. Unlike the designers of UNIX, VMS started with a security architecture and actually received B2 certification rather than describing itself as 'B2 equivalent'.

          At the other end of the scale the security architecture of MAC O/S has until a few months ago been stuck at the MSDOS level, lacking even protected memory, yet MAC viruses are none too common these days.

          The significant factor is the proportion of the network population that uses a particular O/S. As with a biological infection there are definite inflection points that determine whether a virus spreads fast enough to cause an epidemic or a pandemic.

          When the Wang Worm hit it could propagate because close to 100% of the computers on HEPNET were VMS systems. Equally the Morris worm took out the Internet when the vast majority of nodes were UNIX boxes running sendmail.

          The proportion of UNIX machines on the Internet today is probably close to critical mass for allowing a viral epidemic. The saving factor is not the design of the O/S, it is the variation between the O/S implementations. Anyone who thinks that sendmail is a lesser security risk than Outlook should read a few CERT advisories.

          The separation of administrative privs is not actually significant when it comes to the propagation of email viruses. If that was the case Windows XP would solve the virus problem completely (it won't). The problem is that the boundary between code and data has been blurred. For some reason the people who felt they had to foist Java and Javascript winky-blinky features on the world had no clue when it came to security. (Don't get me started about the Java sandbox model, the code does not match the marketing hype, the implementation does not correspond to what I would regard as a sandbox design)

          The other reason that UNIX boxes tend to be more secure is that the use of winky-blinky features is nowhere near as widespread. The proportion of terminally clueless users in the Windows world is (according to my studies) approximately 92.931%, in the Linux world that figure is only 23.428%. So not only is the userbase smaller, the probability that a user sent the virus will execute the program and cause it to replicate is much smaller.

          Again, look at biological models of propagation. x^n is a very big number if x > 1, it is a very small number if x < 1. Therefore the day that AOL ships AOL for Linux will be the day that Linux will start to get virus problems. It will have the active code to support winky-blinky features and thus be vulnerable to attack, it will introduce the terminally clueless into the Linux user base.

      • the *nix enviroment hasn't yet been able to cultivate & propagate any really serious viruses yet

        I suppose that worm that almost brought down the internet way back when wasn't really a serious virus because nobody lost their drive full of mp3/porn/quicken files. Unix has had plenty of time to cultivate serious viruses. It was just designed better than the platforms that have the widely publicized problems. Of course it still has holes, but they are harder to exploit because of the multiuser nature (most apps aren't run as root, so they don't propagate as easily or destroy as much data). Why do you think Mac and Windows are gravitating to unix beneath the GUI? The NT kernel has been implementing plenty of new stability and multiuser features that Unix has enjoyed for years, and Mac is Unix under the GUI, no pretense of innovation there.
      • A few things happened in the Microsoft world that made it pretty easy for viruses to spread that could not happen in the Linux world.

        1) most people don't read their email while logged in as root. This is the number 1 reason why viruses easily spread in Windows systems: in Windows, just about everything is done with an account that has full control over the system.

        2) In Windows-land you generally run binary-only programs and you have no idea what the source looks like. Most programs in Linux come with the source code. You are not likely to run a binary only program in Linux unless you know for sure who it's coming from.

        So, to reiterate, viruses are executable programs. They need both permission to execute and a means of spreading themselves. Windows systems were already set up to allow these things to happen by default. Linux systems will never be set up that way, at least not on a widespread basis.

        I don't think we will ever see problems as widespread and damaging such as Nimda or Sircam on Linux systems, no matter how popular Linux gets. It's just not designed to easily allow programs to be run, without someone explicitly giving it permission. Even exploits of commonly used server programs are limited in the damage they can do, because most servers do not run as root. No, the virus writer has a much much harder job to do on Unix systems. Why bother when Windows is so much easier?
  • by Nijika ( 525558 ) on Wednesday November 28, 2001 @12:40PM (#2625280) Homepage Journal
    Someone will just write something that in theory WILL detect Magic Lantern. We just have to wait for it. Who in the geek community would really sit back and WAIT for a virus software company to come up with a solution like that.

    Anyway, I don't use Windows, so this is not my problem. Ask yourself; is it really yours? :-)

    • by czardonic ( 526710 ) on Wednesday November 28, 2001 @12:56PM (#2625391) Homepage
      Anyway, I don't use Windows, so this is not my problem. Ask yourself; is it really yours?

      Here's why it IS your problem. If you think the FBI is going to limit their spying to Windows, you are pretty naive. Count on one of the following:

      They will find a way to make it work in every consumer OS.

      They will find some other way to achieve the same thing with other OSs.

      They will outlaw the use of an OS that can be used to evade law enforcement.

      • Probably the last one.

        Remember, Carnivore is written in VB.
      • by bfree ( 113420 ) on Wednesday November 28, 2001 @01:13PM (#2625514)
        Sometimes the UScentricities of /. just make me ROFL!

        All that is happening here is that
        • All non-US parties will purchase non-US anti-virus software losing the US anti-virus software produces $xxxxxxxxxx/annum and meaning the US software will have a smaller user base and be more likely to be less secure
        • Every US citizen will have to decide whether to break the law (cause I believe they will outlaw the use of anything which cannot be cracked by the FBI, including all the non-US anti-virus products) or to leave themselves vulnerable
        • The US will spend a massive amount of resources on trying to control this whole issue. The filtering of the Net would be an immediate requirement to try and find people who are using illegal software, or downloading it
        • MY OS will NEVER be vulnerable!! I will always, from some day about 3 years ago, use an OS which is Free where the code can be reviewed, modified and distributed. I can attach hooks into my TCP-IP stacks, network device drivers or any other level I wish to watch for the FBI (or anyone else) trying to track me (or gather any info) and block them at source, but I won't need to cause a 17 year old scandinavian will release a tool to do it for me which will be plastered over the non-US internet
        • The US is well on its way to writing itself out of the rest of the world, and whatever they believe they can't survive alone!

        Sometimes I honestly feel pity for Americans!
        • Sometimes the UScentricities of /. just make me ROFL!

          All that is happening here is that

          All non-US parties will purchase non-US anti-virus software losing the US anti-virus software produces $xxxxxxxxxx/annum and meaning the US software will have a smaller user base and be more likely to be less secure

          I think one of the main points of this argument that you are missing is that all of these companies have said that they won't block Magic Lantern, but they haven't said that they're going to make a second English language version of their software that WILL detect it for countries like Canada, the UK, and Australia. They also haven't made any comments about whether or not versions of their software in other languages will have separate patches and virus detection lists that will detect Magic Lantern.

          Currently, I believe that all English-speaking countries are using the same versions of both Norton Antivirus and McAfee, and non-English-speaking countries are using the same virus block lists in those programs, but with a different language in the program's interface. With that in mind and both Norton Antivirus and McAfee not blocking Magic Lantern, there's a good chance that your non-US antivirus software won't detect Magic Lantern, either intentionally, unintentionally, or just for the sake of simplicity.

          If I were you, I wouldn't just laugh. Because there's a good chance that you're in the same boat as us, and thus going over the same privacy waterfall.

      • ``Here's why it IS your problem. If you think the FBI is going to limit their spying to Windows, you are pretty naive. Count on one of the following:

        - They will find a way to make it work in every consumer OS.

        - They will find some other way to achieve the same thing with other OSs.

        - They will outlaw the use of an OS that can be used to evade law enforcement.''

        Guess I'll have to move out of the US if they make it illegal for me to run tripwire, netstat, ps, (etc.) to detect the FBI's software having been planted on my computers. I use those (and more) on the systems I run at work and I'll take them off only when the company's legal department tells me to.

        Personally, I wouldn't have thought that the FBI would be thinking far enough ahead to consider infesting any systems that were running anything other than Windows. Maybe it's just me but I see IBM's ``server heist'' commercial and see the ``authorities'' brought in to investigate as FBI agents. And I wouldn't be all that surprised to hear a real one actually say ``What's a server?'' (My wife once said ``Oh, heck, they probably don't even know what an email is.'' when that commercial was on.) Just listen to some of the FBI's Carnivore apologists. Their computer literacy is, um, not what you'd like to see in someone who's making the sort of decisions that are being made regarding computers, networking, etc. It'd be funny if it weren't rather frightening.

    • But I suspect that Magic Lantern isn't going to be too easy to find in the wild... you can't characterize it if you don't have a copy available.
    • Anyway, I don't use Windows, so this is not my problem. Ask yourself; is it really yours? :-)

      I don't think it is useful to assume that you are safe because you are using Ye Sacred Linux. If a Linux version of the trojan were written, it could be installed in 3 ways (that I can see):
      • By exploiting known weaknesses - well, I guess Linux has a lot going for it on that one.
      • By user stupidity - Linux users in general are more security savvy than Windows users, but that is different from saying that using Linux is protecting you. Stupid Linux users can still install anna-kournikova.lantern.rpm if they want.
      • By physical intrusion - not many boxes can stand up to tech people with a warrant entering your house and installing the software

      But you're still right with most of your point. It's not my problem (because I don't live in USA) and it's not your problem (because you have not done anything to attract the attentions of the CIA/FBI/NSA/FDA/TLA have you)
      I really don't think they'll install it without cause - and even if they did, who's going to monitor keystrokes on every computer in America?

      Oh, for the stupidity example, I'm assuming that Magic Lantern wouldn't be sent to Linux users as source...
      • ``By physical intrusion - not many boxes can stand up to tech people with a warrant entering your house and installing the software''

        Um, would you continue using a system that had been tampered with in this way?

    • by jd ( 1658 ) <imipak&yahoo,com> on Wednesday November 28, 2001 @01:14PM (#2625522) Homepage Journal
      Use three intrusion detection programs, each using different cryptographic hashes, and each validating the other two.


      Such an arrangement would be next to impossible to compromise, as you would need to break all three programs within the check cycle of all three of them. Either that, or you need to break all three hashing algorithms, in such a way as to find a synonym in all three key spaces. Synonyms in a single key space are going to be common, simply because you're using fewer bits. Two coinciding synonyms will be very rare, and there's no guarantee that the software could be moulded into one. THREE coinciding synonyms will be so vanishingly rare that it wouldn't be worth anyone's while to search for one that's even remotely usable.


      There. Problem solved. And all it took was a bunch of Tripwire clones. And someone thought it was difficult?

      • Could you be a little more specific on how a technically unadept person like myself might implement such a solution on a win98 platform?
        • by jd ( 1658 ) <imipak&yahoo,com> on Wednesday November 28, 2001 @02:24PM (#2626041) Homepage Journal
          This is the collection of tools I would suggest, based on what is listed on Securityfocus [securityfocus.com], for Windows 95/98 machines. Look under Windows tools. If you can't find the software on the site given as its home, you can pick a copy up from Securityfocus.


          These utilities, when used together, would offer a defence, using a slightly different technique. Here, you'd be warned the moment any intruder attempts to connect to your machine, OR your machine mysteriously attempts to connect to someone else. You also get a warning when a file is changed.


          (By relying on only one verifier, you're not quite so secure, but it was the best I could find in a short time. Apologies for that.)
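The three-verifier scheme jd describes above (separate integrity checkers, each using a different hash, each validating the other two) as an added example in Python; this is not code from the comment, from Tripwire, or from any of the tools listed on Securityfocus. It assumes that three hash algorithms inside one script stand in for three independent programs, and that the sample files, the "replaced binary" and the forged database entry are all constructed for the demonstration. Each verifier keeps its own manifest of the monitored tree and also records a digest of the other two verifiers' manifests, so silently editing one database is caught by the others.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumption: three different hash algorithms stand in for the three separate
# Tripwire-style checkers described in the comment. Each "verifier" is
# identified by its algorithm name.
ALGORITHMS = ("sha256", "sha3_256", "blake2b")


def file_digest(path, algorithm):
    """Hash one file with the named algorithm, streaming so large binaries fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, algorithm):
    """One verifier's baseline: {relative POSIX path: digest} for every file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_digest(p, algorithm)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def serialize(manifest):
    """Canonical bytes of a manifest, so the other verifiers can hash it."""
    return json.dumps(manifest, sort_keys=True).encode()


def build_baselines(root):
    """Every verifier records the tree, then records a digest of each other verifier's
    manifest. Editing one manifest to hide a change is caught by the other two."""
    manifests = {alg: build_manifest(root, alg) for alg in ALGORITHMS}
    cross = {
        alg: {
            other: hashlib.new(alg, serialize(manifests[other])).hexdigest()
            for other in ALGORITHMS if other != alg
        }
        for alg in ALGORITHMS
    }
    return {"manifests": manifests, "cross": cross}


def verify(root, baselines):
    """Report files whose digest changed (per verifier) and manifests that were tampered with."""
    changed = {}
    for alg in ALGORITHMS:
        current = build_manifest(root, alg)
        stored = baselines["manifests"][alg]
        changed[alg] = sorted(
            name for name in stored.keys() | current.keys()
            if stored.get(name) != current.get(name)
        )
    tampered = set()
    for alg in ALGORITHMS:
        for other, expected in baselines["cross"][alg].items():
            if hashlib.new(alg, serialize(baselines["manifests"][other])).hexdigest() != expected:
                tampered.add(other)
    return {"changed": changed, "tampered_manifests": tampered}


def demo():
    """Constructed scenario: baseline a small tree, replace a file, then forge the
    sha256 verifier's manifest so that verifier alone stays silent."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"constructed sample: original login binary\n")
        (root / "etc.conf").write_bytes(b"option = 1\n")
        baselines = build_baselines(root)
        clean = verify(root, baselines)

        (root / "bin" / "login").write_bytes(b"constructed sample: replaced login binary\n")
        # Someone with write access to one checker's database "fixes" its entry.
        baselines["manifests"]["sha256"]["bin/login"] = file_digest(root / "bin" / "login", "sha256")
        after = verify(root, baselines)
        return clean, after


if __name__ == "__main__":
    clean, after = demo()
    print("clean run:", clean)
    print("after tampering:", after)
```

In the demo run the sha256 verifier reports nothing after its database is forged, but the sha3_256 and blake2b verifiers still flag `bin/login`, and both of them also report the sha256 manifest itself as tampered. That is the property the comment relies on: all three databases have to be altered consistently within one check cycle. The collision argument in the comment holds on the assumption that the algorithms are independent, in which case a replacement file that matches all three stored digests is a preimage search over the concatenated digests rather than over any single one. In a real deployment the checkers and their manifests would live on read-only or offline media rather than beside the files they monitor.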

  • Are you sure? (Score:3, Flamebait)

    by Sc00ter ( 99550 ) on Wednesday November 28, 2001 @12:41PM (#2625282) Homepage
    there seems to be news of the contrary:


    McAfee Ignoring Magic Lantern Is Bogus?

  • Nice ... (Score:2, Interesting)

    by BoyPlankton ( 93817 )
    It would be nice if they included some sort of guarantee that the FBI would need to get a warrant to prevent their product from detecting it. Maybe some sort of encryption scheme where the FBI would need to provide Symantec with a warrant to get the key to get around their product.
  • Has TREND issued a statement ? That's the product of choice around here anyways. But you can be assured this will impact any purchasing decision in the future.
  • Backdoor (Score:2, Insightful)

    by snevine ( 264453 )
    So all the virii programmers need to do now is to emulate whatever key it's not picking up on and away they go!

    -inno
  • not good...... (Score:2, Insightful)

    this is not good for security. once they decide that they will let some through, that destroys all credibility IMHO. how can you trust that symantec and McAfee will detect other viri in the future if they won't hold consistent now just so the FBI can send a trojan to someone to get their passwords?
  • opensource (Score:2, Insightful)

    by simpl3x ( 238301 )
    perhaps it is time for an open source virus detection program with options for non standard updates...
  • by boinger ( 4618 ) <boinger@FREEBSDfuck-you.org minus bsd> on Wednesday November 28, 2001 @12:44PM (#2625306) Homepage
    How's OpenAntiVirus [sourceforge.net] doing? How does it compare to the Big Two? - If it can't hold up, do "we" have any other viable options outside of McAfee and Symantec?
  • ahh .. and this idea brought to you by the same people who wanted the "Clipper Chip".

    But one would have to wonder ... Would a software program whose only goal is to find and exterminate this FBI, big brother, "virus" be considered illegal and be regarded as destruction of FBI property?
  • by Dark Paladin ( 116525 ) <jhummel&johnhummel,net> on Wednesday November 28, 2001 @12:46PM (#2625314) Homepage
    I'm not a conspiracy nut, and I certainly don't have total trust, or total mistrust, of the government either.

    But it isn't the idea of the FBI trying to use these tools that offends me. I expect them to, and I don't have anything to hide. But the issue of a company that I pay money for to help protect me to turn a blind eye to government intrusion is insane.

    If I pay someone to give me security, I expect them to provide it against anyone who wants my information. Pure and simple. And I'm not worried about the "Oh, we won't check the FBI's version - but we would check variants."

    Oh, that makes me feel *much* better. Imagine a cracker getting his fingers on the FBI software and using that on my systems. Gee, thanks for not checking that, Symantec.

    Of course, you have to admit that Symantec and McAfee are in a bind. If they state they're going to detect the FBI software, then they're anti-government. If they don't, then they're aiding big brother. But considering that the United States was formed from a healthy distrust of our government (and that distrust has only proved to help us, thank you Hubert Hoover and your bra collection), I would rather have the security companies on my side and make my government work just a little harder to prove guilt. Or at least, that's what my tax dollars should be going to.

    Of course, this is just my opinion. I could be wrong.
    • If I pay someone to give me security, I expect them to provide it against anyone who wants my information.

      So if you hire private security guards to protect your house, do you expect them to forcibly keep out the FBI when they have a warrant?

      • I'd expect them to give me a crafty phone call, yes. Wouldn't you? What are you paying them for? To keep most people out of your house?
      • I don't think your analogy is quite accurate. From what I gather, your analogy should be:

        So if you hire private security guards to protect your house, do you expect them to forcibly keep out the FBI even if they don't have a warrant?

        These companies are ignoring the FBI trojan altogether. They aren't requiring a warrant to ignore it.
        • So if you hire private security guards to protect your house, do you expect them to forcibly keep out the FBI even if they don't have a warrant?

          Actually, the warrant is irrelevant. I believe the FBI/police can enter your house if they perceive an immediate danger (like someone inside screaming for help).

          But to answer your question, yes, I expect a private security guard to get the hell out of the way if the police or FBI tell them to get the hell out of the way. You are not allowed to have private armies, sorry. If they don't have a warrant, then sue them after the fact.

      • I would if I didn't live in the USA.
      • I'd expect them to do what I paid them to do -- try to keep people out, and notify me of any (attempted or successful) security breaches. If FBI agents show up with a warrant, my guards (obviously) couldn't stop them but I *WOULD* expect them to keep me informed and witness what the stormtroopers did.

      • by j7953 ( 457666 ) on Wednesday November 28, 2001 @01:29PM (#2625626)
        So if you hire private security guards to protect your house, do you expect them to forcibly keep out the FBI when they have a warrant?

        This analogy doesn't work because if the FBI presents a warrant I already know they're searching my house.

        A more accurate analogy might be: What do you expect your security guards to do if they find out that your house is bugged? Should they not tell just because the bugs carry "FBI" labels?

    • Dude, I'm not afraid of the "Magic Lantern", I'm afraid of Icarus and Daedalus invading my computer and sending the info to the illuminati!

      Quick, we -must- destroy the Aquantis Hub!!!!
    • It's never about whether you're wrong or right, it's about political views. Many people in the US seem to be blind to the reasons justice organizations go on holy crusades. It's either political or religious. Right or wrong is decided by the group that has better lawyers.

      You're free to live in the USA as long as you have the same morals, if you don't it's off to prison with you. Over a million people are in prison in the US for minor drug related charges, over 2 million are on parole for minor drug offenses such as "possession of marijuana"

      The moral majority in the US has passed laws to keep freedoms from you. They empower the jackbooted thugs to take everything you own, lock you away, and forget about your speedy trial. They can ruin your life, walk away and say "All in a day's work, protecting the innocent..."

      Crime is murder, rape, arson, robbery, identity theft, violence and abuse...
      NOT backing up software, fair use, recording a tv show, downloading an mp3, having sex, smoking, erotica, fiction writing, speaking against the government, abortion and sexual orientation...

      At least they can't put me in prison for detecting a trojan, right?

      -
      The law, in its majestic equality, forbids the rich as well as the poor to sleep under bridges, to beg in the streets, and to steal bread. - Anatole France (1844 - 1924)
    • by Anonymous Coward

      I'm not a conspiracy nut, and I certainly don't have total trust, or total mistrust, of the government either.

      But it isn't the idea of the FBI trying to use these tools that offends me. I expect them too, and I don't have anything to hide. But the issue of a company that I pay money for to help protect me to turn a blind eye to government intrusion is insane.



      Fear not what you would have to hide now, but instead fear what you may have to hide in the future...

      I wish people would stop allowing invasions of their privacy because they have nothing to hide.. that's not the point. You have the luxury of saying that currently because the PEOPLE (read: YOU) and the GOVERNMENT coincide on your beliefs of what is "hideable". However, if these invasions of privacy keep occurring, it will become easier for the GOVERNMENTS "hideable" secrets to diverge from yours with a lessening ability to respond by the PEOPLE.

      Why must history endlessly repeat itself when it's all there for us to read about?
    • by OmegaDan ( 101255 ) on Wednesday November 28, 2001 @02:02PM (#2625873) Homepage
      Once someone catches magic lantern, we're just gonna have to pay 20$ for a magic lantern detector I already run Norton and Ad-Aware scanners, why not Lantern-Away? ... Hopefully Lavasoft (makers of ad-aware) will catch the thing and put it in their ad-aware scanner ...

      I have a better conspiracy theory though ... The thing that's missing in all this is the delivery vector. *What if* norton/mcafee *are* the delivery vectors? Think about it -- they're perfect. It would prolly only add a few hundred kbytes to the program ... Virus programs automatically call home for updates (nav 2002 calls home almost every day), in one of those updates why couldn't it say "here's the newest copy of magic lantern, please install" :) And once it's in, either ML itself *or* norton anti-virus can update ML with the newest evasion techniques etc etc ...
  • huh? (Score:5, Insightful)

    by new death barbie ( 240326 ) on Wednesday November 28, 2001 @12:46PM (#2625318)
    So they're not going to detect the original, but they WILL detect any hacker-modified clones?

    What about Norton Firewall? Will it still detect unexpected outgoing connections? How can I expect it to reliably detect and permit FBI-approved software, but not hacker software with a similar MO?

    Oh, maybe there'll be a hard-coded IP address in the outgoing connection -- now THERE'S a nice target for DDOS!
  • by Embedded Geek ( 532893 ) on Wednesday November 28, 2001 @12:47PM (#2625323) Homepage
    So, now it's a three way race to see who's smarter: To see if the (1)virus writers are smart enough to make it look like their stuff is (2)FBI to (3)AV developers.

    Eventually, I'm gonna need a scorecard to keep all this straight.

  • Oh great, now we'll see a flood of virii designed to look like an FBI keylogger to antivirus software.

    At least under linux there's 'rpm -Va', assuming the hacker hasn't mucked your rpm database.

    --Bob

  • I can hardly wait (Score:5, Insightful)

    by r_j_prahad ( 309298 ) <r_j_prahadNO@SPAMhotmail.com> on Wednesday November 28, 2001 @12:49PM (#2625341)
    From the time a copy of this "Magic Lantern" is first discovered in the wild until an exact copy of the FBI-approved (and consequently undetectable) version is available via alt.hackers.malicious is going to take what, twenty minutes?

    Malda might as well start composing (and spellchecking) the headline now, because it's a sure bet he'll get to use it.
    • One question comes to my mind: is the FBI stupid enough to try and use magic lantern on savvy people?

      The Nicky Scarfo case seems to be the precedent for computer surveillance so far. Savvy enough to use a computer, but I doubt he was any kind of virus hunting guru.

      Would the FBI be willing to risk exposing the signature of magic lantern to the general public by using it on users more likely to know how to find it?

      If the virus companies roll over and let the FBI squeak by easily, they effectively help the FBI keep the honest people honest while people with enough incentive march on with their wrongdoings. As a bonus they leave a wide backdoor open in the protection that honest people rely on to protect their data from wrong-doers.

      This idea is so great I bet that the brain surgeon behind it has at least 2-3 previous dot-bombs under their belt.
      • Savvy (Score:5, Interesting)

        by ucblockhead ( 63650 ) on Wednesday November 28, 2001 @02:09PM (#2625928) Homepage Journal
        It likely won't be long before someone writes something that automatically detects the attempt to install "Magic Lantern" and then turns on a "Magic Lantern" emulator that sends exactly whatever keystrokes the crook wants sent. Imagine the fun that could be had... A nasty crook could have fun implicating all sorts of innocent people in criminal activities.

    • by roystgnr ( 4015 ) <roy AT stogners DOT org> on Wednesday November 28, 2001 @03:32PM (#2626516) Homepage
      What does the FBI need to do to keep American computers secure from terrorists?

      Keep "Magic Lantern" out of the hands of criminals.

      How does "Magic Lantern" work?

      The FBI sends it to criminals.
  • What if... (Score:2, Insightful)

    by COBOL/MVS ( 196516 )
    'If it was under the control of the FBI, with appropriate technical safeguards in place to prevent possible misuse, and nobody else used it -- we wouldn't detect it,'

    That's a risky assumption.

    'However we would detect modified versions that might be used by hackers.'

    How do you know if a [cracker] is using an unmodified version on my PC and is watching me? You don't.

    There is no such thing as an 'appropriate technical safeguard'; the way to defeat it simply has not been discovered yet.
  • I've yet to see the "Is my phone tapped service(tm)" on ordinary phone lines. So why would any company trying to stay on the right side of the government be producing tools to aid potential criminals?

    The other assumption people seem to be making is that the people who are being tapped in this way will understand that they have been infected by a virus and then send it off to the anti-virus companies or someone else clued up for analysis.
    - It would be a very stupid idea for the FBI to use it to spy on hackers..

    Jason
  • by MsGeek ( 162936 )
    http://www.kaspersky.com/ [kaspersky.com] . Russian. F-Prot is also an option...they're Finnish. If memory serves, there are also Israeli options for virus protection. It's a big world. Even the FBI can't nail down everything.
  • Re: a/v software (Score:5, Insightful)

    by blibbleblobble ( 526872 ) on Wednesday November 28, 2001 @12:52PM (#2625358)

    The FBI? Do anything illegal? Who would ever imagine that such a thing could happen?

    <repressed_memory>

    • Wiretaps of opposition politicians
    • Wiretaps of civil rights protestors
    • Wiretaps of those who voice dissent
    • Wiretaps of people unrelated to any crime investigation

    </repressed_memory>

    Hmmm, I can't seem to think of any examples of how police spy powers have been abused in the past, can you?

    • Not to mention what happened the last time the FBI decided to abuse its powers in blatant and utter disregard for the constitutionally guaranteed rights of the American people.

      COINTELPRO [icdc.com]

      And this time we're GIVING the government this power by agreeing to be spoon-fed this 'for our own good' and 'war on terrorism' bullshit.

      I say no thank you. If there was a tracking device installed subcutaneously on every single American citizen in the country, and our borders were closed, THEN would you people feel safe?
  • by Medievalist ( 16032 ) on Wednesday November 28, 2001 @12:52PM (#2625361)
    Well, if the antivirus vendors are going to include a sufficiently detailed signature in their products for the FBI's virii, that should help anyone trying to build a detector.

    I'm sure somebody will try to build malware that impersonates this so-called "Magic Lantern" - I hope they call it "Magic Latrine" :^).

    But wouldn't it be nice to see a GPL'd program to detect the FBI's virus? Then, if I found it on my machine, I could stop the government-sponsored theft of my CPU cycles. Of course, I'd then call the FBI and offer to let them reinstall it given adequate monetary compensation - but that's just me, you might take some other action.

    --Charlie

  • by coolgeek ( 140561 ) on Wednesday November 28, 2001 @12:55PM (#2625381) Homepage
    Sorry for the -dash- of a conspiracy theory here, but I really wonder what the spooks have on these guys. The thought that McAfee, Symantec, et al. could be implicated for obstructing an investigation is absurd. Well, maybe not with John Ashcroft-Hitler running the DoJ. Anyway, back to my point. Here's an opinion from a judge who upheld a citizen's right to use a radar detector:

    If government seeks to use clandestine and furtive methods to monitor citizen actions, it can ill afford to complain should the citizen insist on a method to effect his right to know he is under such surveillance.
    Judge Joseph Ryan, Superior Court, District of Columbia

    Granted, it's only a district court, however it is a compelling opinion, and a brilliant interpretation of the Fourth Amendment. IR detection/imaging and monitoring utility bills have been tossed out on similar grounds. I wonder what AVP is going to choose... Perhaps this is a great opportunity for Free Software, I just wonder how a free software anti-virus lab would work. Anyway, end of my rant.

    • It's a non-problem (Score:3, Insightful)

      by Srin Tuar ( 147269 )

      I just wonder how a free software anti-virus lab would work

      Easy- we fix the problem instead of treating the symptoms:

      If there are exploits, they get fixed. So you would never have to worry about an email or webpage hijacking your machine.

      And so long as you stick to source-available code (not necessarily the same as open-source) which has at least a moderate distribution, you don't have to worry about trojans.

      The run-away virus problems you see in windows are a direct result of a closed source culture where all software is delivered and exchanged via inscrutable black-box binaries. A typical windows user thinks nothing of downloading a .exe file from an untrusted source then running it, whereas a typical unix user would get shivers just at the thought of doing so.

      Virus scanner software is just a huge patchwork of duct tape that is fundamentally incapable of solving any problem- or providing any security.

      (for example nimda: it had already done its damage by the time it was in the pattern files)

      If an open-source system and philosophy were to take hold of the desktop- an entire industry (virus scanning/recovery) would simply disappear.

    • Oh, I doubt that the FBI blackmailed Symantec and NAI to get this in. On the contrary:
      1. they're trying to retain the confidence of the middle-american software purchaser (both private and commercial) that would revolt* against them as "un-american" if they obstructed anything the FBI proposed.
      2. they'd probably face some sort of frivolous or trumped up charge of aiding terrorism or maybe even sedition if they'd announced plans to detect magic lantern. not that such a charge would stick (on appeal).
      [*]said middle-American probably doesn't understand the security implications of permitting a class of trojan software to do its work (not that I do, but I acknowledge it has the potential to be quite a problem). said middle-American would also dismiss the raising of any privacy or civil rights concerns with a hearty "NONE OF THAT MATTERS ANY MORE! WE'RE AT WAR NOW!" and probably a "don't bring any of that unamerican talk into my $location" or a "the FBI is on our side, they wouldn't do anything to hurt us." for good measure.
    • Simple.

      The CEO of Symantec gets labeled as a terrorist by Ashcroft.

      He can now be detained indefinitely without charges. His confinement is not public nor are his charges (if any).

      Life without parole without a trial or charges being filed. If he happens to be non citizen he can be tried by a military tribunal (AKA kangaroo court) and be sentenced to death.

      Would you react any differently?
  • just say no (Score:5, Insightful)

    by joss ( 1346 ) on Wednesday November 28, 2001 @12:56PM (#2625394) Homepage
    Symantec are perfectly entitled to do whatever they want. If they want to sell crippled security software, it's their funeral? Sophos has a more sensible attitude http://www.theregister.co.uk/content/55/23057.html , and better AV software anyway.

    If US software companies want to sell crippleware in the interests of "patriotism" that's their business. There are plenty of companies willing to fill the gap.
  • by ENOENT ( 25325 ) on Wednesday November 28, 2001 @12:57PM (#2625395) Homepage Journal
    Will Symantec also ignore trojans produced by other nations' intelligence agencies? Someone should encourage some third-world countries to set up online membership signups for their intelligence agencies at a nominal fee. Crackers will then be able to continue to do what they do without breaking any laws.
  • by Splat ( 9175 ) on Wednesday November 28, 2001 @01:00PM (#2625416)
    Does anyone know the stance of non-US companies of anti-virus software on Magic Lantern? If a foreign product detects an FBI trojan horse will it then become illegal under some US law?
  • by jeffy124 ( 453342 ) on Wednesday November 28, 2001 @01:00PM (#2625417) Homepage Journal
    most AV tools (including Symantec and McAfee) monitor program execution for anomalous behavior by unknown virii. would lantern be able to avoid being detected by that?

    also, what about personal firewall programs? I use Tiny Software's PF (yes, under Windows, sad isn't it) that checks the md5 of an executable before granting internet access. on top of that, it can allow you to block certain apps from making/accepting connections from various sites. for example I have it set to not allow Mozilla access to ads.x10.com.

    Here, two things exist: the lantern has to find a way around the md5 and also find a way around "PGP wants to connect to [fbi-ip-address], allow it?" Getting through one or the other might prove difficult.
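The executable-hash check and per-app destination block that the post above describes, and the `rpm -Va` style baseline verification mentioned earlier in the thread, as an added illustration (not code from Tiny Software, rpm, or any poster; file names, contents and destinations are constructed for the demo; sha256 is used in place of the post's md5, which is collision-prone):

```python
"""Added example: hash-based integrity baseline plus an outbound-connection
decision that denies an executable whose hash no longer matches. Constructed
for this thread; not any product's code."""
import hashlib
import os
import tempfile


def file_digest(path: str, algo: str = "sha256") -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths, algo: str = "sha256") -> dict:
    """Record the digest of every trusted executable (the allow-list)."""
    return {p: file_digest(p, algo) for p in paths}


def verify_baseline(baseline: dict, algo: str = "sha256") -> dict:
    """Like 'rpm -Va': report each baselined file as ok, modified or missing."""
    status = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            status[path] = "missing"
        elif file_digest(path, algo) != expected:
            status[path] = "modified"
        else:
            status[path] = "ok"
    return status


def outbound_decision(exe_path: str, dest: str, baseline: dict,
                      blocklist: dict, algo: str = "sha256") -> str:
    """Decide whether exe_path may open a connection to dest.

    Deny when the executable was never allow-listed, when its bytes changed
    since the baseline (replaced or patched binary), or when dest is on that
    app's block-list (the 'no Mozilla to ads.x10.com' rule from the post).
    """
    if exe_path not in baseline:
        return "deny:unknown-executable"
    if not os.path.exists(exe_path) or file_digest(exe_path, algo) != baseline[exe_path]:
        return "deny:hash-mismatch"
    if dest in blocklist.get(exe_path, ()):
        return "deny:blocked-destination"
    return "allow"


def demo() -> tuple:
    """Walk through allow, blocked destination, tampered binary, unknown app."""
    workdir = tempfile.mkdtemp()
    app = os.path.join(workdir, "mailer.exe")       # constructed stand-in binary
    with open(app, "wb") as f:
        f.write(b"MZ original program bytes")        # constructed content
    baseline = build_baseline([app])
    blocklist = {app: {"ads.example.invalid"}}       # constructed per-app rule

    allowed = outbound_decision(app, "mail.example.invalid", baseline, blocklist)
    blocked = outbound_decision(app, "ads.example.invalid", baseline, blocklist)

    # Simulate the binary being replaced or patched after the baseline was taken.
    with open(app, "ab") as f:
        f.write(b" + injected stub")
    tampered = outbound_decision(app, "mail.example.invalid", baseline, blocklist)
    integrity = verify_baseline(baseline)[app]

    unknown = outbound_decision(os.path.join(workdir, "other.exe"),
                                "mail.example.invalid", baseline, blocklist)
    return allowed, blocked, tampered, integrity, unknown


if __name__ == "__main__":
    print(demo())
```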
  • why not have McAfee and Norton simply install FBI snitch-ware in their next update and cut out the middle-man?
  • If there is one lesson that IT history has taught us again & again, it's that security through obscurity DOES NOT WORK. Somewhere along the line, this will be cracked by someone, and then these antivirus companies will be in some hot water.

    However, this will be good for companies besides NAI/Symantec, since it might give them an opportunity to appeal to the smaller, security-concerned windows users. Could be a veritable shot in the arm for them. If you are using Windows, might I recommend some Other [tucows.com] virus scanners?

    Also, not to turn this into an Anti-MS, Pro-Linux rant, but this is a perfect time to make the switch if you haven't already. None of this argument even applies to those running Linux. (except for those who have stock in those companies ;)
  • Ya know, this thing has gotten enough coverage in the media that criminals are going to be on the lookout for any attachments, even from family/friends/partners in crime.

    Most likely some researcher will post signatures from the file anyways, and somebody will create a detection utility just for the purpose of detecting this one "virus".
  • by SubtleNuance ( 184325 ) on Wednesday November 28, 2001 @01:06PM (#2625467) Journal
    How long until this little app ends up on a PC that is not on US soil? Will some foreign nation be able to make an official issue of this? It seems like the FBI might not be thinking this through.

    ... then again, there is Echelon [echelonwatch.org].... apparently no one minds...

  • The funny part... (Score:4, Interesting)

    by Lumpy ( 12016 ) on Wednesday November 28, 2001 @01:07PM (#2625471) Homepage
    This will only catch the dumb or the pedophiles.

    Are they writing this "virus" for BeOS? how about OS/2?

    What about a linux box running as only old a.out?

    I can think of at least 70 ways to make their "virus" not work on my machine. (I highly doubt that this "virus" will run on my Linux development box that uses a Hitachi SH4 processor)

    all this hubbub about company X or software Z will or will not detect this virus app is pure marketing and hype. No one who is really threatened by this could care as it is easily defeated from ever infecting the system by simply changing the architecture... Hey FBI, not everyone runs windows on Intel hardware.
  • Hmm... (Score:3, Funny)

    by drift factor ( 220568 ) on Wednesday November 28, 2001 @01:07PM (#2625473)
    This begs the question: Why isn't there an opensource antivirus project?
  • by cyba ( 25058 )
    Will copies being sold in Europe contain this "feature" too? I'm European and I don't trust the US government at all.
  • by crimoid ( 27373 ) on Wednesday November 28, 2001 @01:16PM (#2625537)
    Assuming that this is a standardized attachment (i.e. the same size, etc.) it should be pretty easy for filters on the ISP or client to catch. Also, to my knowledge the only mail clients that can execute code w/o user intervention are M$ products. This narrows the people that can be affected a lot.
  • by linuxrunner ( 225041 ) on Wednesday November 28, 2001 @01:23PM (#2625578)
    I like to program but I'm not a huge trojan nut but have the basic concept and idea on how these things work....

    First off:
    Everyone keeps talking about how it will just be a matter of time before a wild version of "green lantern" or something of the sort shows up in the wild....
    Dude, if you have Green Lantern on your computer and you find out about it, you've got a lot more things to worry about than sharing it with the hacker / cracker community!

    Second of all:
    Who cares that the anti-virus software won't recognize it. They haven't detected half the viruses for years!
    Heck, Just create your basic client server in c++ or whatever and you'll notice that it is not recognized by the software anyways..... I started to learn sockets and create client/server chats, remote access for work, etc. My anti-virus, anti-trojan software never picked up on it... only my Zone Alarm caught it.

  • A flawed concept (Score:2, Insightful)

    by TheoFish ( 139696 )
    We're constantly aware of viruses bringing down networks and destroying data. It's considered a terrorist activity to write one.

    You would think the government would be interested in closing all potential security holes. But now they want to run a roto-rooter straight through every firewall and defence, tell us just to pretend it doesn't exist, and assume that they won't disrupt the normal process of computer security.

    I'd like to borrow a technique from the MPAA and RIAA, an irrational analogy. We might as well install FBI doors in our house. They'd all take the same key. We wouldn't be allowed to look at them or put any furniture in front of them. Eventually criminals would fashion a key to all of them and waltz in our door, steal our valuables and shoot us. But we wouldn't be allowed to defend ourselves from anyone who came through that door.

    A rebuttal from myself: In my heart of hearts I want the FBI to be aware of all sinister plots (which exist aplenty). I want them to be able to keep us safe. I know the danger of coordinated terrorist attacks which are beyond scrutiny.

    But I worry about unrestrained government, which can closely watch everyone without checks and balances.

    I also think that trying to make a security hole which only the good guys can use, and the bad guys must ignore is a bit far-fetched.
  • Keystroke logging software has been around for quite a while. A simple search on Security Focus pulls up a number of programs which will perform the operation. Check out http://www.securityfocus.com/cgi-bin/products.pl?cat=191 for a sample list.

    Add to that even the most basic of Windows e-mail viruses and you'll recognize that this may already be installed and operational on existing machines. How many desktop users would even notice a little extra traffic now and then?

    I don't doubt that the FBI can already do this - what they are doing is slowly "leaking" the idea to the public and the press to see how citizens will react. The police/gov't can obtain anything they want by illegal means, it's just not admissible in court. That doesn't prevent them from using what they found and following those leads, then claiming "intuition" or "encryption cracking farms" as an excuse as to HOW they broke the encryption.

    Prior to 9/11, U.S. citizens would've fought the idea, but now many people feel that complacency will yield security. The FBI hopes that both the government and its citizens will allow this when, in reality we all recognize that it shows a blatant disregard for our constitutional rights.

    Just the $0.02 of the paranoid. Let me put my tin foil hat back on...

  • I am in Canada A (Score:2, Interesting)

    by VEGETA_GT ( 255721 )
    Let's see, I am betting within days, this Virus (that's what it is, the FBI can say what they want) ends up on say computers in Canada. What I want to know is what they will do to prevent non-US computers from being infected. From what I have been reading, they are not doing a thing, meaning even though I am not in the US, they can still see what I am doing.

    Now here is how you prevent yourself from getting the virus.

    1. Don't open the .exe on e-mails. My friends never send me exe on e-mail because they do the same thing I do, del it.

    2. Use a firewall. Got a firewall/dhcp running on a p120 Linux system. This means they would literally have to hack the firewall to get to my systems. Do they really have the time to hack my system that is non-US?

    3. Just don't run windows (or at least on the computers you are doing bad things on).

    My 2 cents plus 2 more
  • I spent a lot of money on anti-virus software to avoid any kind of unwanted software running on my so-called servers.

    I also was hoping to minimize the risk of having any kind of confidential data stolen from my company.

    And now? How can I be sure that the FBI won't steal my confidential data? (note: I know they won't use it, but still they can steal it)

    I want my money back.

  • by iabervon ( 1971 ) on Wednesday November 28, 2001 @01:43PM (#2625733) Homepage Journal
    These companies provide detection and removal services for widely-distributed and automatic attacks. That is to say, it's their job to clean up when someone releases a virus that spreads all over the place. They discover something spreading, and they make an update.

    If the FBI is doing their job well, that's not the situation here. The way they've been describing this working is that they set it up to attack the particular person against whom they've obtained a warrant. It doesn't email itself to the target's addressbook, it doesn't attack random IPs, it doesn't try to infect floppies. That would be both illegal (since it could destroy the data of non-targets) and probably invalidate their evidence (since they don't have a warrant to investigate every individual in the US).

    So a virus scanner shouldn't catch Magic Lantern, because it's not really a virus, in the sense that they're scanning for. It's an attack tool, which uses the methods often employed by viruses. Virus scanners don't fix security holes; they look for particular malicious and spreading code on your computer and clean it up. They won't stop Magic Lantern, they won't stop someone hijacking your passport account, and they won't stop even script kiddies breaking into your webserver, because their purpose and system design just aren't good for that.

    So far I haven't heard of any IDS companies saying they will ignore ML, nor have I heard of any companies saying they won't fix security holes that ML uses. That's what would be significant.
  • So what? Here's what I have to say:
    1. Run an OS with a real security model. Like Unix(TM). There are no virii and scant few worms for any Unix variant, to my knowledge. What would it take to install this sort of keylogger on Solaris, Linux, BSD, etc.? Well, the ability to modify the kernel, if you want to do it right. You could always do it in userspace, but that's way obvious and would require root access or incredibly stupid users who don't notice an extra line in their .tcshrc file. So in other words, they'd have to root your box and/or probably physically remove the drive from the machine and toy with it before any sort of keylogging would take place. And this is before we bring encrypted filesystems into the equation. A much larger undertaking than just attaching a rogue executable to some e-mail and waiting for the results to roll in.
    2. For those of you enslaved to other, inferior operating systems, I say let the market work its magic. So Symantec and McAfee refuse to detect this virus, okay. Clearly there's a great demand for something that will. Read the posts on this very board, for pete's sake. So the chances of some enterprising coder coming up with something that will detect the keylogger is pretty good, I'd say.

      OTOH, finding out exactly what the hell it looks like is pretty good. I'm sorry, paranoiacs, but the chances of this thing cropping up on Joe Public's computer seem pretty slim. You'd have to be associating with some rather sketchy people before you'd ever get a glimpse of this thing in action, it seems.

  • As soon as someone does get infected, someone will detect it. It has to send it somewhere, probably a simple IP. How long before someone hacks the crap out of that box(es). Or figures out how magic lantern sends info back and starts just flooding it with, "hey FBI, you are a bunch of f***ing idiots.". Really this magic lantern news is getting old, it is just a matter of time before the FBI realizes that this approach will not work. They are better off doing it a more legal way, case by case. If you first suspect someone, get a warrant, then you sniff their packets. If it's encrypted then you go the next route. But one at a time. Pay professional crackers, don't waste money on a cookie cutter solution that won't work three days after it is invented. I think most people don't need to worry unless they are doing illegal things in insecure ways, in and out of the internet.
  • What I don't get... (Score:3, Interesting)

    by jabber01 ( 225154 ) on Wednesday November 28, 2001 @01:50PM (#2625781)
    Why is this thing a Trojan?

    There would be no issue at all here if this program was something that had to be manually installed. If the FBI got a warrant to enter a suspect's home, install a 'tap' on his PC, and then retrieve the data, there would be no issue.

    Any criminal savvy enough to detect that sort of intrusion is also savvy enough to detect and subvert Magic Lantern. Hell, if I had something to hide, I'd keep it away from the networks, on an encrypted drive, wired to destroy the data if I failed to log in correctly - and I am NOT a criminal mastermind.

    All ML does, by being a Trojan, is get non-criminal technologists pissed off over civil rights and such.

    Sure, it may make the 'tap' easier to set up remotely (does it really? only with very ignorant criminals I think) and to pull data off as it's being generated, so that a logfile can't be easily found (but anyone with something to hide is likely to be sniffing their own packets anyway, no?).

    There's something else going on here. It could be about testing the waters for industry compliance to Federal backdoors (PGP anyone?). It could be to increase the anxiety level of technologically inept/newbie potential terrorists.

    The publicity level of this strikes me as a diversionary tactic, because the technological aspects of ML are surely defeatable (we can look at our own packets down to the bit after all) and the audacity of it (Big Brother factor) is sure to kill it. The next step is to have each cell phone sold with a listening device that the FBI could turn on remotely. Even the technologically ignorant would not stand up for that, or for this.
  • by savaget ( 26702 ) on Wednesday November 28, 2001 @02:51PM (#2626208)
    Would it be possible for Magic Lantern to be built into a closed source OS like Windows XP?
    • by Embedded Geek ( 532893 ) on Wednesday November 28, 2001 @03:03PM (#2626294) Homepage
      I guess it could. From an engineering standpoint it would make more sense. The FBI need merely turn it on, not infect/install it themselves. If MS threw this bone to the DOJ, they might consider some quid pro quo on the antitrust front (not like they need to with the way things are going, though).

      'Hadn't thought of that option before. Of course, I will now. Probably not get any sleep for a few days, too.
