Full Disclosure mailing list archives

Re: National Database of Variants with Fixes-non-vendor specific


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 12 Aug 2004 12:36:00 +1200

John Hall wrote:

> I admit that I only read the first five articles and skimmed the next
> five, but *none* of the articles I looked at claimed the FBI even
> admitted they had such a virus in hand and they didn't even come
> close to saying the FBI ordered any of the anti-virus vendors to not
> detect their keystroke logging trojan.  The more recent articles all
> seem to state that all of the AV vendors repudiated early reports that
> they might choose to not detect a "Magic Lantern" virus.

In a nutshell, and from memory, after some discussion of Magic Lantern 
and much media attention to the notion, some journo asked a staffer at 
a very large US-based AV company (though this chap was, I think, based 
at one of their European offices at the time) if his company would omit 
detection of Magic Lantern if the FBI asked it to.  AV chap says 
something like "we'd have to consider such a request" and is reported 
as saying "we would agree to omit detection".  Another large US AV 
company staffer, put on the spot by (I think) a different reporter, 
drilling for second AV's position after first was reported, said much 
the same thing as the chap from the rival AV, and was reported more or 
less correctly.  Several non-US AV developers immediately jumped to 
maximize the PR benefit of being able to say _to the world_ that they 
would never bow to such governmental pressure regardless of which 
government or agency it came from.  The two large US AV developers very 
quickly started extracting feet from mouths and made very firm 
statements to the same effect as their competitors.

> ...  It would be
> suicide for them to make such a decision, ...

Yes...

> ... since once the "signature"
> they used to detect and ignore the virus was known, other even less
> scrupulous virus writers could possibly use it to cloak *their* viruses.

...but not for that reason.

Think about it...

First, most (if not all) products should be able to write an absolute 
water-tight exclusion rule -- think something like "if file MD5 is 
<value> skip reporting detection" but don't think it is necessarily 
implemented quite like that (there are major performance and overhead 
issues if every file has to be fully MD5'ed...).

Second, imagine the AV'ers did exclude detection of Magic Lantern and 
the FBI started using it with impunity from AV detection.  How long 
would it be before copies of Magic Lantern were available to the Black 
Hats and being used (with impunity) for their nefarious purposes?  As 
your AV would not detect it, you would never know the answer to that 
question.  That is why most folk should be concerned at the idea that 
their AV might deliberately omit detection of something whose 
functionality the AV's users would normally expect to be detected.

> While I don't believe the government always (or even often) has my
> best interests in mind, I do know that our collective interests
> usually coincide for the most part.  Of course, the devil is always
> in the details.

Yep, and the collective interest of typical computer users ensures the 
AV companies will not buckle to such requests (well, with the possible 
exception of "in China" where the government sets standards AV products 
have to match to get a licence to be sold).  Of course, that doesn't 
mean the FBI cannot use something like (the reputed) Magic Lantern, but 
it does mean that if they do, they need to be very smart about it to 
ensure that they stay ahead of the AV industry's detection of it...

> I hope you have your tinfoil hat firmly mounted and calibrated.

Screwed it up to make a play-toy for the dog years ago...

> Thanks for the links though.  It's fun to see a poorly conceived
> government fantasy get crucified in the press.

Pity it didn't work for the DMCA and its relatives...


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
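The hash-keyed exclusion rule discussed in the message above, as an added example that is not code from the original post or from any AV product: a toy scanner with a constructed byte signature and an MD5 exclusion list. It digests a file only after the signature fires (so not every scanned file is hashed), and shows that a copy of the excluded file with a single byte changed is still reported, which is why such an exclusion cannot be reused as a cloak. All names, the signature and the sample bytes are constructed.

```python
import hashlib

# Constructed detection signature: a byte pattern the scanner reports on.
SIGNATURE = b"KEYLOG-HOOK-v1"

# Constructed exclusion list: MD5 digests of the exact files the scanner
# should stay silent about. Filled in below from a constructed sample.
EXCLUDED_MD5 = set()


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def scan(data: bytes) -> str:
    """Return 'clean', 'excluded' or 'detected' for one file's bytes.

    The digest is computed only after the signature matches, so the
    hashing cost is paid per detection, not per file scanned.
    """
    if SIGNATURE not in data:
        return "clean"
    if md5_hex(data) in EXCLUDED_MD5:
        return "excluded"
    return "detected"


# Constructed sample: the exact file the exclusion rule is written for.
ORIGINAL = b"MZ...header..." + SIGNATURE + b"...payload..."
EXCLUDED_MD5.add(md5_hex(ORIGINAL))

# Constructed sample: the same file with one byte changed; the signature
# still matches but the digest no longer does.
VARIANT = ORIGINAL.replace(b"payload", b"payloae")


def demo() -> dict:
    """Scan the three constructed inputs and return their verdicts."""
    return {
        "original": scan(ORIGINAL),
        "variant": scan(VARIANT),
        "benign": scan(b"hello world"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```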