Welcome to Diana's Blog

I blog about anything that interests me - my local area, things I've seen or heard on the news, politics and human rights, gardening, arts and crafts, poetry, photographs and general advice.

And, when you've finished reading, don't forget to leave a comment - I love hearing from people



Monday, 9 November 2009

Legally Compromised Computer Security

In my last blog, I ended by saying I would tell you what I had found out whilst I was researching Norton 360. To me what I discovered was a bit of a bombshell, but really, knowing the wily ways of the world, it should not have been all that surprising, especially having read the sort of books that Chomsky,




Jonathan Bloch have written.



I had innocently looked up Norton 360 Version 3.0 to compare it with Version 2.0 in Wikipedia, which was very helpful.

The next section was entitled "FBI cooperation". In a nutshell, they said that Symantec (Norton), in compliance with the FBI, had whitelisted Magic Lantern, a keylogger developed by the FBI, whose purpose was to obtain passwords to encrypted email, to assist with criminal investigations. Magic Lantern is deployed as an email attachment and when opened, a Trojan horse is installed on the suspect's computer which is activated when PGP encryption is used, which would normally be to increase the email security.

According to the Wiki article, Symantec and some other major antivirus vendors have rendered their own antivirus products incapable of detecting Magic Lantern, giving rise to further concerns that hackers too might be able to subvert the programme for unlawful purposes.

It is not clear whether the FBI is required to obtain a court order before gaining access in this way since the statement of the FBI spokesman Paul Bresson merely stated that "like all technology projects or tools deployed by the FBI it would be used pursuant to the appropriate legal process". To me that does not sound 100% watertight, and it could well be open to subjective interpretation by anyone seeking to use such powers.

Opposing this intentional failure to guard against all malware, The view of Marc Maiffret, chief technical officer and co-founder of eEye Digital Security, was that customers pay for a service to protect them from all forms of malicious code and it is not up to his Security firm to do law enforcement's job for them and so they do not and will not make any exceptions for law enforcement malware or other tools.

And if the FBI has those powers, who else might have them? MI5? Metropolitan Police? And what about the police and spy services in other countries? There seems to be a bit of a moral dilemma here. What do others think?