Interesting People mailing list archives
IP: 'Lantern' Backdoor Flap Rages
From: David Farber <dave () farber net>
Date: Tue, 27 Nov 2001 20:02:16 -0500
http://www.wired.com/news/conflict/0,2100,48648,00.html?tw=wn20011127 'Lantern' Backdoor Flap Rages By Declan McCullagh 8:25 a.m. Nov. 27, 2001 PST WASHINGTON -- Network Associates has been snared in a web of accusations over whether it will place backdoors for the U.S. government in its security software. Since Network Associates (NETA) makes popular security products, including McAfee anti-virus software and Pretty Good Privacy encryption software, reports of a special arrangement with the U.S. government have drawn protests and threats of a boycott. The flap started last week, when news reports began to appear about an FBI project code-named "Magic Lantern." Details are sketchy, but Magic Lantern reportedly works by masquerading as an innocent e-mail attachment that will insert FBI spyware inside your computer. See also: Discuss this story on Plastic.com Senator Backs Off Backdoors Geeks Gather to Back Crypto Congress Mulls Stiff Crypto Laws Conflict 2001: Fresh Perspectives Keep an eye on Privacy Matters In the past, the FBI has said publicly that agents have been flummoxed by suspects using encryption, something that software such as Magic Lantern could circumvent by secretly recording a passphrase and secret encryption key, then forwarding the confidential data to the feds. An Associated Press article then reported that "at least one antivirus software company, McAfee Corp., contacted the FBI ... to ensure its software wouldn't inadvertently detect the bureau's snooping software and alert a criminal suspect." Condemnation from security mavens was quick and fierce. Columnist Brett Glass echoed the Slashdot crowd when he said: "Network Associates has shown that it is willing to compromise its integrity by selling intentionally faulty products. For this reason, it is no longer appropriate or wise for those concerned about the security of their networks, systems or confidential data to use them." Other security mavens pointed to free software projects such as openvirus.org as more trustworthy alternatives to Network Associates' McAfee anti-virus products, and GPG as a replacement for Network Associates' PGP encryption software. The criticism raised a well-known point in security circles: Security software, including PGP and anti-virus products ware, is either looking out for your interests or those of the government. It can't do both. But on Monday, Network Associates denied contacting the FBI. In a statement released late in the day, a spokeswoman for the company made four points: "1. Network Associates/McAfee.com Corporation has not contacted the FBI, nor has the FBI contacted NAI/McAfee.com Corp. regarding Magic Lantern. 2. We do not expect the FBI to contact Network Associates/McAfee.com Corporation regarding Magic Lantern." The statement continued: "3. Network Associates/McAfee.com Corp. is not going to speculate on Magic Lantern as it's (sic) existence has not even been confirmed by the FBI or any government agency. 4. Network Associates/McAfee.com Corporation does and will continue to comply with any and all U.S. laws and legislation." Sharp-eyed critics pointed to the narrowness of Network Associates' denial: It did not rule out the possibility of conversations with the White House, the Justice Department or even conversations with the FBI about a product with identical capabilities that was not called Magic Lantern. Network Associates also did not pledge to reject future pleas from the FBI done in the absence of legislation making backdoors mandatory. In an e-mail, Network Associates was asked to clarify with this question: "Can you assure ... that Network Associates/McAfee has not had any contact with any law enforcement or intelligence agencies or other government entities including Congress or the White House about Magic Lantern or a product with capabilities it is reported to have?" Tony Thompson, a spokesman for the company, replied: "You are correct. We have not." Thompson also rejected the possibility of any conversations with the government between Network Associates or other anti-virus vendors taking place informally through trade associations in Washington. For his part, Ted Bridis, a veteran reporter for the Associated Press, says he stands by his story from last week that reported the link between the FBI and Network Associates. Bridis wrote in an e-mail message Monday afternoon, "I stand by my reporting for the AP. This information came from a senior company officer. I won't identify this person in this post because I've been unable to reach this person by phone or e-mail since the flap erupted." "I can't resolve what McAfee told me last week and today's contradictory statement except to note the critical public response against McAfee that emerged over the holiday weekend," Bridis added. In a well-documented incident that was tried in court in New Jersey, the FBI sneaked into an alleged mobster's office to implant PGP password-sniffing software in his Windows computer. Since that approach requires physical breaking and entering, FBI agents seem to want to be able to bypass encryption without leaving their desks. The feds have worked with technology companies in the past to insert backdoors for surveillance and eavesdropping. To gain an export license, IBM's Lotus subsidiary weakened the encryption used in its Lotus Notes program so the U.S. government could readily penetrate it. (All versions of Notes use 64-bit keys, but export versions of Notes gave a portion of the key to the U.S. government, allowing federal agencies to decode Notes-encrypted files in real-time.) In his 1982 book The Puzzle Palace, author James Bamford recounted how the National Security Agency's predecessor coerced Western Union, RCA, and ITT Communications to turn over telegraph traffic to the feds in 1945. "Cooperation may be expected for the complete intercept coverage of this material," an internal agency memo said. ITT and RCA gave the government full access, while Western Union limited the number of messages it handed over. The arrangement, according to Bamford, lasted at least two decades. In 1995, The Baltimore Sun reported that for decades the NSA had rigged the encryption products of Crypto, a Swiss firm, so U.S. eavesdroppers could easily break their codes. The six-part story, based on interviews with former employees and company documents, said Crypto sold its security products to some 120 countries, including prime U.S. intelligence targets such as Iran, Iraq, Libya and Yugoslavia. Crypto disputed the allegation. -- ----------------- R. A. Hettinga <mailto: rah () ibuc com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' ============ To UNSUBSCRIBE from the ignition-point list, send email to: majordomo () theveryfew net In the body of the message, include only the line: unsubscribe ignition-point <your address>
For archives see: http://www.interesting-people.org/archives/interesting-people/
Current thread:
- IP: 'Lantern' Backdoor Flap Rages David Farber (Nov 27)