Dear Brigade, here's the latest on Magic Lantern from Wired and an update from the Boston Globe. Also see, "DOJ's Already Monitoring Modems" at: http://www.wired.com/news/conflict/0,2100,48711,00.html FTC-Linda PS - If you are interested in privacy issues (biometrics; enumeration; government tracking; federal-global databases, etc.) you might want to subscribe to Scott McDonald's excellent email list. He is a good friend from Alabama who took over the webmastering job on my "Fight the Fingerprint" - http://www.networkusa.org/fingerprint.shtml - website when I moved up here to Virginia. To subscribe send message to: majordomo@efga.org and type "subscribe scan" in the BODY. You can contact Scott directly at: mcdonalds@airnet.net ---- From: "Diane Schreiber" To: Subject: "Magic Lantern" PLEASE READ THE WHOLE ARTICLE! The flap started last week, when news reports began to appear about an FBI project code-named "Magic Lantern." Details are sketchy, but Magic Lantern reportedly works by masquerading as an innocent e-mail attachment that will insert FBI spyware inside your computer. ------ Wired.Com - Nov. 27, 2001 'Lantern' Backdoor Flap Rages by Declan McCullagh WASHINGTON -- Network Associates has been snared in a web of accusations over whether it will place backdoors for the U.S. government in its security software. Since Network Associates (NETA) makes popular security products, including McAfee anti-virus software and Pretty Good Privacy encryption software, reports of a special arrangement with the U.S. government have drawn protests and threats of a boycott. The flap started last week, when news reports began to appear about an FBI project code-named "Magic Lantern." Details are sketchy, but Magic Lantern reportedly works by masquerading as an innocent e-mail attachment that will insert FBI spyware inside your computer. In the past, the FBI has said publicly that agents have been flummoxed by suspects using encryption, something that software such as Magic Lantern could circumvent by secretly recording a passphrase and secret encryption key, then forwarding the confidential data to the feds. An Associated Press article then reported that "at least one antivirus software company, McAfee Corp., contacted the FBI ... to ensure its software wouldn't inadvertently detect the bureau's snooping software and alert a criminal suspect." Condemnation from security mavens was quick and fierce. Columnist Brett Glass echoed the Slashdot crowd when he said: "Network Associates has shown that it is willing to compromise its integrity by selling intentionally faulty products. For this reason, it is no longer appropriate or wise for those concerned about the security of their networks, systems or confidential data to use them." Other security mavens pointed to free software projects such as openvirus.org as more trustworthy alternatives to Network Associates' McAfee anti-virus products, and GPG as a replacement for Network Associates' PGP encryption software. The criticism raised a well-known point in security circles: Security software, including PGP and anti-virus products ware, is either looking out for your interests or those of the government. It can't do both. But on Monday, Network Associates denied contacting the FBI. In a statement released late in the day, a spokeswoman for the company made four points: "1. Network Associates/McAfee.com Corporation has not contacted the FBI, nor has the FBI contacted NAI/McAfee.com Corp. regarding Magic Lantern. 2. We do not expect the FBI to contact Network Associates/McAfee.com Corporation regarding Magic Lantern." The statement continued: "3. Network Associates/McAfee.com Corp. is not going to speculate on Magic Lantern as it's (sic) existence has not even been confirmed by the FBI or any government agency. 4. Network Associates/McAfee.com Corporation does and will continue to comply with any and all U.S. laws and legislation." Sharp-eyed critics pointed to the narrowness of Network Associates' denial: It did not rule out the possibility of conversations with the White House, the Justice Department or even conversations with the FBI about a product with identical capabilities that was not called Magic Lantern. Network Associates also did not pledge to reject future pleas from the FBI done in the absence of legislation making backdoors mandatory. In an e-mail, Network Associates was asked to clarify with this question: "Can you assure ... that Network Associates/McAfee has not had any contact with any law enforcement or intelligence agencies or other government entities including Congress or the White House about Magic Lantern or a product with capabilities it is reported to have?" Tony Thompson, a spokesman for the company, replied: "You are correct. We have not." Thompson also rejected the possibility of any conversations with the government between Network Associates or other anti-virus vendors taking place informally through trade associations in Washington. For his part, Ted Bridis, a veteran reporter for the Associated Press, says he stands by his story from last week that reported the link between the FBI and Network Associates. Bridis wrote in an e-mail message Monday afternoon, "I stand by my reporting for the AP. This information came from a senior company officer. I won't identify this person in this post because I've been unable to reach this person by phone or e-mail since the flap erupted." "I can't resolve what McAfee told me last week and today's contradictory statement except to note the critical public response against McAfee that emerged over the holiday weekend," Bridis added. In a well-documented incident that was tried in court in New Jersey, the FBI sneaked into an alleged mobster's office to implant PGP password- sniffing software in his Windows computer. Since that approach requires physical breaking and entering, FBI agents seem to want to be able to bypass encryption without leaving their desks. The feds have worked with technology companies in the past to insert backdoors for surveillance and eavesdropping. To gain an export license, IBM's Lotus subsidiary weakened the encryption used in its Lotus Notes program so the U.S. government could readily penetrate it. (All versions of Notes use 64-bit keys, but export versions of Notes gave a portion of the key to the U.S. government, allowing federal agencies to decode Notes-encrypted files in real-time.) In his 1982 book The Puzzle Palace, author James Bamford recounted how the National Security Agency's predecessor coerced Western Union, RCA, and ITT Communications to turn over telegraph traffic to the feds in 1945. "Cooperation may be expected for the complete intercept coverage of this material," an internal agency memo said. ITT and RCA gave the government full access, while Western Union limited the number of messages it handed over. The arrangement, according to Bamford, lasted at least two decades. In 1995, The Baltimore Sun reported that for decades the NSA had rigged the encryption products of Crypto, a Swiss firm, so U.S. eavesdroppers could easily break their codes. The six-part story, based on interviews with former employees and company documents, said Crypto sold its security products to some 120 countries, including prime U.S. intelligence targets such as Iran, Iraq, Libya and Yugoslavia. Crypto disputed the allegation. http://www.wired.com ------- The Boston Globe - November 29, 2001 MILITARY-TECH COMPLEX by Hiawatha Bray In these perilous times, I'm glad the FBI is hard at work on new technologies to outwit terrorists and criminals. And while it's good to see corporate America rallying around to help, there's such a thing as being too supportive. I told you some months ago about the strange case of mobster Nicky Scarfo Jr., who stored encrypted records of putatively illegal activity on his computer. The FBI snuck into his office, planted a device that monitored his keystrokes, and used the data to ferret out the encryption password and read the documents. The case still lingers in the courts, but it illustrates the FBI's desperate problem. With high quality encryption software available to the world's crooks and crazies, electronic surveillance could soon become next to impossible. It's not enough to grab the bad guy's records; you must also grab the encryption keys he uses to protect the records, as the villain types them in. But it may not always be possible to get physical access to the computer. Hence the idea of a software program that works like those e-mail "Trojan horses" that have long plagued the Internet. You send the target an infected e-mail message, which quietly drops the spy program onto his machine. There it lurks, recording all the user's keystrokes. Eventually, the Trojan horse e-mails the intercepted data to a remote location. That is what the FBI is reportedly attempting with a program called Magic Lantern. The bureau won't discuss its efforts in detail but admits that it is "conducting extensive research in hopes of finding lawful means for court- authorized surveillance of criminals and terrorists in our high-tech environment." Fine with me. Techno-libertarians rightly howled when the feds tried to bar access to encryption software; now we must live with the consequences. The bad guys have encryption. The good guys must have counter-encryption tools. But who deputized Symantec Inc., the leading maker of antivirus software? According to a report on The Register, a British Internet site, Symantec executive Eric Chien said his firm would be willing to program its Norton Antivirus software so that it would not warn users about the presence of the FBI's snooping software. Symantec responded to my phone call with a bland statement that pledged to obey the laws of the land, but it did not deny Chien's remarks. The Associated Press reported that Network Associates Inc., makers of McAfee antivirus software, had adopted a similar policy. Network Associates officials now flatly deny it. Anyone can see why the FBI would want to cut a deal with computer security firms. Sooner or later, some computer-savvy crook would suspect something and go on a Trojan horse hunt. Having found the suspicious file, he'd send copies to the antivirus firms. In a week or two, they'd update their virus definition files. When their customers download the latest virus hit list, Magic Lantern is rendered useless - unless the antivirus guys have cut a deal with the government to let this Trojan Horse graze where it will. Maybe California-based Symantec thinks it's doing the patriotic thing by offering to play along. But another major antivirus firm, Sophos PLC of Abingdon, England, wants no part of the plan. "We haven't been approached by [the FBI]," says senior technology consultant Graham Cluley, "and if we had been approached, we probably wouldn't feel that it was a good idea." For one thing, Cluley doesn't entirely trust the FBI's technical prowess. He points out a humiliating incident in July, in which the agency's computer crime unit managed to get one of its own computers infected with the Sir Cam e-mail worm. Besides, Sophos sells its products around the world, and Cluley would like to keep it that way. If his company starts working hand-in-glove with American cops, he asks, what will he do when the government of Germany or Greece asks for a similar favor? Worse yet, what of his customers who fear American espionage? Would they knowingly use antivirus software that can be bypassed by the CIA? Not likely. In the end, there'll be a huge market for "pure" antivirus software, made by firms like Sophos that won't make deals with the cops. Nicky Scarfo and I will both line up to buy it. Magic Lantern will eventually be detected and defeated. And the antivirus companies that cooperate with the FBI will succeed only in savaging their own credibility. Hiawatha Bray can be reached by e-mail at bray@globe.com http://www.globe.com ------ end ----- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ T H E I N T E R N E T B R I G A D E Linda Muller - WebMaster 47671 Whirlpool Square, Potomac Falls, Virginia 20165 Email: linda@buchanan.org Web: http://www.buchanan.org ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ T H E B R I G A D E E M A I L L I S T To Subscribe/Unsubscribe send an email with: SUBSCRIBE BRIGADE - or - UNSUBSCRIBE BRIGADE in your message to: MAJORDOMO@BUCHANAN.ORG ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~