IP: 'Lantern' Backdoor Flap Rages

[David Farber <dave () farber net>]

> http://www.wired.com/news/conflict/0,2100,48648,00.html?tw=wn20011127
>
> 'Lantern' Backdoor Flap Rages
> By Declan McCullagh
>
> 8:25 a.m. Nov. 27, 2001 PST
>
> WASHINGTON -- Network Associates has been snared in a web of accusations
> over whether it will place backdoors for the U.S. government in its
> security software.
>
> Since Network Associates (NETA) makes popular security products, including
> McAfee anti-virus software and Pretty Good Privacy encryption software,
> reports of a special arrangement with the U.S. government have drawn
> protests and threats of a boycott.
>
> The flap started last week, when news reports began to appear about an FBI
> project code-named "Magic Lantern." Details are sketchy, but Magic Lantern
> reportedly works by masquerading as an innocent e-mail attachment that will
> insert FBI spyware inside your computer.
> See also:
> Discuss this story on Plastic.com
> Senator Backs Off Backdoors
> Geeks Gather to Back Crypto
> Congress Mulls Stiff Crypto Laws
> Conflict 2001: Fresh Perspectives
> Keep an eye on Privacy Matters
>
>
> In the past, the FBI has said publicly that agents have been flummoxed by
> suspects using encryption, something that software such as Magic Lantern
> could circumvent by secretly recording a passphrase and secret encryption
> key, then forwarding the confidential data to the feds.
>
> An Associated Press article then reported that "at least one antivirus
> software company, McAfee Corp., contacted the FBI ... to ensure its
> software wouldn't inadvertently detect the bureau's snooping software and
> alert a criminal suspect."
>
> Condemnation from security mavens was quick and fierce. Columnist Brett
> Glass echoed the Slashdot crowd when he said: "Network Associates has shown
> that it is willing to compromise its integrity by selling intentionally
> faulty products. For this reason, it is no longer appropriate or wise for
> those concerned about the security of their networks, systems or
> confidential data to use them."
>
> Other security mavens pointed to free software projects such as
> openvirus.org as more trustworthy alternatives to Network Associates'
> McAfee anti-virus products, and GPG as a replacement for Network
> Associates' PGP encryption software.
>
> The criticism raised a well-known point in security circles: Security
> software, including PGP and anti-virus products ware, is either looking out
> for your interests or those of the government. It can't do both.
>
> But on Monday, Network Associates denied contacting the FBI.
>
> In a statement released late in the day, a spokeswoman for the company made
> four points: "1. Network Associates/McAfee.com Corporation has not
> contacted the FBI, nor has the FBI contacted NAI/McAfee.com Corp. regarding
> Magic Lantern. 2. We do not expect the FBI to contact Network
> Associates/McAfee.com Corporation regarding Magic Lantern."
>
> The statement continued: "3. Network Associates/McAfee.com Corp. is not
> going to speculate on Magic Lantern as it's (sic) existence has not even
> been confirmed by the FBI or any government agency. 4. Network
> Associates/McAfee.com Corporation does and will continue to comply with any
> and all U.S. laws and legislation."
>
> Sharp-eyed critics pointed to the narrowness of Network Associates' denial:
> It did not rule out the possibility of conversations with the White House,
> the Justice Department or even conversations with the FBI about a product
> with identical capabilities that was not called Magic Lantern. Network
> Associates also did not pledge to reject future pleas from the FBI done in
> the absence of legislation making backdoors mandatory.
>
> In an e-mail, Network Associates was asked to clarify with this question:
> "Can you assure ... that Network Associates/McAfee has not had any contact
> with any law enforcement or intelligence agencies or other government
> entities including Congress or the White House about Magic Lantern or a
> product with capabilities it is reported to have?"
>
> Tony Thompson, a spokesman for the company, replied: "You are correct. We
> have not."
>
> Thompson also rejected the possibility of any conversations with the
> government between Network Associates or other anti-virus vendors taking
> place informally through trade associations in Washington.
>
> For his part, Ted Bridis, a veteran reporter for the Associated Press, says
> he stands by his story from last week that reported the link between the
> FBI and Network Associates.
>
> Bridis wrote in an e-mail message Monday afternoon, "I stand by my
> reporting for the AP. This information came from a senior company officer.
> I won't identify this person in this post because I've been unable to reach
> this person by phone or e-mail since the flap erupted."
>
> "I can't resolve what McAfee told me last week and today's contradictory
> statement except to note the critical public response against McAfee that
> emerged over the holiday weekend," Bridis added.
>
> In a well-documented incident that was tried in court in New Jersey, the
> FBI sneaked into an alleged mobster's office to implant PGP
> password-sniffing software in his Windows computer. Since that approach
> requires physical breaking and entering, FBI agents seem to want to be able
> to bypass encryption without leaving their desks.
>
> The feds have worked with technology companies in the past to insert
> backdoors for surveillance and eavesdropping.
>
> To gain an export license, IBM's Lotus subsidiary weakened the encryption
> used in its Lotus Notes program so the U.S. government could readily
> penetrate it. (All versions of Notes use 64-bit keys, but export versions
> of Notes gave a portion of the key to the U.S. government, allowing federal
> agencies to decode Notes-encrypted files in real-time.)
>
> In his 1982 book The Puzzle Palace, author James Bamford recounted how the
> National Security Agency's predecessor coerced Western Union, RCA, and ITT
> Communications to turn over telegraph traffic to the feds in 1945.
>
> "Cooperation may be expected for the complete intercept coverage of this
> material," an internal agency memo said.
>
> ITT and RCA gave the government full access, while Western Union limited
> the number of messages it handed over. The arrangement, according to
> Bamford, lasted at least two decades.
>
> In 1995, The Baltimore Sun reported that for decades the NSA had rigged the
> encryption products of Crypto, a Swiss firm, so U.S. eavesdroppers could
> easily break their codes.
>
> The six-part story, based on interviews with former employees and company
> documents, said Crypto sold its security products to some 120 countries,
> including prime U.S. intelligence targets such as Iran, Iraq, Libya and
> Yugoslavia. Crypto disputed the allegation.
>
>
> --
> -----------------
> R. A. Hettinga <mailto: rah () ibuc com>
> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
> 44 Farquhar Street, Boston, MA 02131 USA
> "... however it may deserve respect for its usefulness and antiquity,
> [predicting the end of the world] has not been found agreeable to
> experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
> ============
> To UNSUBSCRIBE from the ignition-point list, send email to:
> majordomo () theveryfew net
> In the body of the message, include only the line:
> unsubscribe ignition-point <your address>


For archives see:
http://www.interesting-people.org/archives/interesting-people/