[NYTr] Do antivirus apps ignore US government spyware?
nytr at olm.blythe-systems.com
Mon Jul 23 14:47:35 EDT 2007
sent by Mark Graffis
C|Net News - Jul 28, 2007
http://www.zdnet.com.au/news/security/soa/Do-antivirus-apps-ignore-US-government-spyware-/0,130061744,339280165,00.htm
Do antivirus apps ignore US government spyware?
by Declan McCullagh, CNET News.com
Companies that produce security software may soon be ignoring certain
spyware, and potentially even infecting their customers through auto
updates, under orders from US government agencies.
In the case decided earlier this month by the 9th US Circuit Court of
Appeals, federal agents used spyware with a keystroke logger -- call it
fedware -- to record the typing of a suspected Ecstasy manufacturer who
used encryption to thwart the police.
A CNET News.com survey of 13 leading antispyware vendors found that not
one company acknowledged cooperating unofficially with government
agencies. Some, however, indicated that they would not alert customers
to the presence of fedware if they were ordered by a court to remain
quiet.
Most of the companies surveyed, which covered the range from tiny firms
to Symantec and IBM, said they never had received such a court order.
The full list of companies surveyed: AVG/Grisoft, Computer Associates,
Check Point, eEye, IBM, Kaspersky Lab, McAfee, Microsoft, Sana
Security, Sophos, Symantec, Trend Micro and Websense. Only McAfee and
Microsoft flatly declined to answer that question.
Because only two known criminal prosecutions in the United States
involve police use of key loggers, important legal rules remain
unsettled. But key logger makers say that police and investigative
agencies are frequent customers, in part because recording keystrokes
can bypass the increasingly common use of encryption to scramble
communications and hard drives.
Some companies that responded to the survey were vehemently
pro-privacy. "Our customers are paying us for a service, to protect
them from all forms of malicious code," said Marc Maiffret, eEye
Digital Security's co-founder and chief technology officer. "It is not
up to us to do law enforcement's job for them so we do not, and will
not, make any exceptions for law enforcement malware or other tools."
eEye sells Blink Personal for US$25, which includes antivirus and
antispyware features.
Others were more conciliatory. Check Point, which makes the popular
ZoneAlarm utility, said it would offer federal police the "same
courtesy" that it extends to legitimate third-party vendors that
request to be whitelisted. A Check Point representative said, though,
that the company had "never been" in that situation.
This isn't exactly a new question. After the last high-profile case in
which federal agents turned to a key logger, some security companies
allegedly volunteered to ignore fedware. The Associated Press reported
in 2001 that "McAfee contacted the FBI... to ensure its software
wouldn't inadvertently detect the bureau's snooping software." McAfee
subsequently said the report was inaccurate.
Later that year, the FBI confirmed that it was creating spy software
called "Magic Lantern" that would allow agents to inject keystroke
loggers remotely through a virus without having physical access to the
computer. (In both the recent Ecstasy case and the earlier key logging
case involving an alleged mobster, federal agents obtained court orders
authorising them to break into buildings to install key loggers.)
Government agencies and backdoors in technology products have a long and
frequently clandestine relationship. One 1995 exposé by the Baltimore
Sun described how the National Security Agency persuaded a Swiss firm,
Crypto, to build backdoors into its encryption devices.
In his 1982 book, The Puzzle Palace, author James Bamford described how
the NSA's predecessor in 1945 coerced Western Union, RCA and ITT
Communications to turn over telegraph traffic to the feds.
More recently, after the BBC reported last year on supposed talks
between the British government and Microsoft, the software maker
pledged not to build backdoors into Windows Vista's encryption
functions.
Even if the FBI, the Drug Enforcement Administration or other federal
police haven't tried to compel security companies to whitelist fedware,
security experts predict that such a court order is just a matter of
time.
What remains unclear, however, is whether police have the legal
authority to do so under current law. "The government would be pushing
the boundaries of the law if it attempted to obtain such an order,"
said Kevin Bankston, an attorney with the Electronic Frontier
Foundation who has litigated wiretapping cases. "There's simply no
precedent for this sort of thing."
One possibility is a section of the Wiretap Act that says courts can
"direct that a provider of wire or electronic communication service,
landlord, custodian or other person" to help with electronic
surveillance.
"There is some breadth in that language that is of concern and that the
Justice Department may attempt to exploit," Bankston said.
In theory, government agencies could even seek a court order requiring
security companies to deliver spyware to their customers as part of an
auto-update feature. Most modern security companies, including operating
system makers such as Microsoft and Apple, offer regular patches and bug
fixes. Although it would be technically tricky, it would be possible to
send an infected update to a customer if the vendor were ordered to do
so.
When asked if it had ever received such a court order, Microsoft
demurred. "Microsoft frequently has confidential conversations with
both customers and government agencies and does not comment on those
conversations," a company representative said. Of the 13 companies
surveyed, McAfee was the other company that declined to answer. (Two
others could not be reached as of Tuesday morning.)
Some security companies refused to reply to the initial version of our
survey, which broadly asked about fedware whitelisting. In response, we
revised the question to ask if they would alert a customer to the
presence of keystroke loggers installed by a police or intelligence
agency "in the absence of a lawful court order signed by a judge."
Cris Paden, Symantec's manager of corporate public relations, initially
declined to reply. "There are legitimate reasons for not giving blanket
guarantees--one of those is a court order," he said at first. "There are
extenuating circumstances and grey issues."
But after we altered the question, Paden replied: "Barring a court
order to cooperate with law enforcement authorities, Symantec would
definitely alert our customers to the presence of any malicious code or
programs that we detect on their systems." He added that Symantec had
"absolutely not" received any such court order.
One danger with whitelisting fedware is that it creates a potentially
serious vulnerability in security software. If a malicious vendor of
spyware were clever enough to mimic the whitelisted government spyware,
it would also go undetected.
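The blind spot described above, shown with a toy scanner (an added example, not part of the article or any vendor's product). The file names, contents and the "KEYLOG" detection marker are all constructed; the point is that a whitelist keyed on something easy to copy (a file name) is trivially mimicked, while even a whitelist keyed on an exact hash still exempts any byte-identical copy of the whitelisted tool, whoever is running it.

```python
import hashlib

# Constructed sample "files": (path, contents). Not real software; the
# marker below is a stand-in for a real engine's keylogger signature.
KEYLOG_MARKER = b"KEYLOG"  # hypothetical detection signature

WHITELISTED_TOOL = ("C:/Tools/fedware.exe", b"header KEYLOG build=1 seal=A")
MIMIC_SAME_NAME = ("C:/Tools/fedware.exe", b"header KEYLOG build=9 seal=Z")
IDENTICAL_COPY = ("D:/Other/fedware.exe", WHITELISTED_TOOL[1])
ORDINARY_SPYWARE = ("C:/Temp/svc.exe", b"header KEYLOG build=2 seal=Q")

SAMPLE_FILES = [WHITELISTED_TOOL, MIMIC_SAME_NAME, IDENTICAL_COPY, ORDINARY_SPYWARE]


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def looks_like_keylogger(data):
    """Toy signature match standing in for the engine's real detection."""
    return KEYLOG_MARKER in data


def scan(files, allow):
    """Return the paths the engine alerts on. `allow(path, data)` is the
    whitelist predicate a vendor might be ordered to add."""
    return [p for p, d in files if looks_like_keylogger(d) and not allow(p, d)]


# Broad whitelist: exempt anything carrying the tool's file name.
def allow_by_name(path, data):
    return path.rsplit("/", 1)[-1] == "fedware.exe"


# Narrow whitelist: exempt only the exact bytes of the whitelisted build.
WHITELIST_HASHES = {sha256(WHITELISTED_TOOL[1])}


def allow_by_hash(path, data):
    return sha256(data) in WHITELIST_HASHES


def scan_by_name():
    # Misses the mimic: same name, different code.
    return scan(SAMPLE_FILES, allow_by_name)


def scan_by_hash():
    # Catches the mimic, but still misses a byte-identical copy elsewhere.
    return scan(SAMPLE_FILES, allow_by_hash)


if __name__ == "__main__":
    print("name whitelist alerts:", scan_by_name())
    print("hash whitelist alerts:", scan_by_hash())
```

Whatever the matching criterion, the entry is a standing exemption the engine's own detection no longer applies to, which is why such entries deserve the same scrutiny as a detection signature.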
But if fedware becomes more common, savvy criminals could simply turn to
open-source software that's less likely to have backdoors for police.
ClamAV and OpenAntiVirus.org both offer open-source security software,
and it's also possible to boot off of a CD-ROM and inspect the hard
drive for malicious tampering.
At the moment, at least, there aren't any industry standards about
detecting fedware. "CSIA does not currently have a position on this
issue nor has the issue ever been addressed by its board of directors,"
said Tim Bennett, president of the Cyber Security Industry Alliance.
Copyright (c) 2007 CNET Networks, Inc.