
Bits of Freedom seeks clarity from the AV industry on collusion with law enforcement

November 7, 2013

On 25 September I posed the question: Is the anti-virus industry in bed with the NSA? Now Bits of Freedom, a Dutch digital rights group, has asked the same question in a letter signed by more than 25 civil rights groups and individuals (including Bruce Schneier, EDRi and EFF).

On 25 October it wrote to more than a dozen of the world’s leading anti-virus companies asking four specific questions:

1. Have you ever detected the use of software by any government (or state actor) for the purpose of surveillance?

2. Have you ever been approached with a request by a government, requesting that the presence of specific software is not detected, or if detected, not notified to the user of your software? And if so, could you provide information on the legal basis of this request, the specific kind of software you were supposed to allow and the period of time which you were supposed to allow this use?

3. Have you ever granted such a request? If so, could you provide the same information as in the point mentioned above and the considerations which led to the decision to comply with the request from the government?

4. Could you clarify how you would respond to such a request in the future?

With the greatest respect, this is a pointless exercise; the companies will deny any collusion with law enforcement to subvert their products whether they have or not. And they may have, or they may not.

I have no idea whether there is collusion between AV and law enforcement. Every single member of the AV industry I have spoken to denies it absolutely – and I believe them. There really are some great, learned, honest and honourable guys in the AV industry. But the NSA says it doesn’t break the law; and I absolutely do not believe them.

We know that the NSA hacks into third-party computers and installs malware. We know that it is the AV industry’s job to detect and neutralise such malware. We therefore know that the NSA will not want the AV industry to do that to their own malware.

It would be easy enough to defeat AV engines to get onto a computer; but it is less easy to stay hidden for any length of time after that. Yet we know that state-sponsored malware remains undetected for years. How does it do that? The easiest way would be to subvert the seek-and-destroy software that hunts it.

So, given the amount of time and resources that the NSA has spent on subverting what gets in its way – such as encryption – is it reasonable to believe that it hasn’t spent similar effort on neutralising the AV industry?

I don’t know the answer; and it doesn’t matter who in the AV industry tells me, nor in what regard I hold them, nor how many times they tell me, I still will not know.

And that, perhaps, is the very worst thing that the NSA has done. It has destroyed trust in the internet, and has destroyed trust in anything to do with the internet. For that the NSA cannot – and must not – ever be forgiven.

Comment, November 7, 2013 at 5:03 pm

    Just to throw my £0.02 worth in.

    In over 20 years of working for different anti-virus companies, I never once experienced or heard of pressure being put on us by government agencies not to detect a piece of malware.

    I think it would be a daft idea anyway for a number of reasons.

    For instance, would secret services really trust the (multinational) staff of anti-virus labs to keep schtum about what they were deliberately not detecting? And wouldn’t each lab need a sample of the malware in question to make sure that they don’t accidentally add detection for it if a customer reports it? And just what *would* an anti-virus vendor say to a customer (who is spied upon) who sends in a piece of suspected malware, and asks what the file does?

    Here’s a statement I wrote about this issue from 2001, expressing Sophos’s view on the issue:
    http://www.sophos.com/en-us/press-office/press-releases/2001/11/va_magiclantern.aspx

    But your final point is an interesting one. How does state-sponsored malware manage to avoid detection for so long if the vendors aren’t in cahoots?

    One fact I can share with you is that it’s surprising just how many computers are still *woefully* underprotected, or fail to run any security software at all. For instance, the MyDoom virus continues to be spammed out from infected computers across the internet, every single day – *ten* whole years after it was first seen, and long after every anti-virus on the planet added detection for it.

    Poor security in the first place might help assist some of these attacks, as – surely – does human error and bad decision-making by staff.

    That’s not to say that anti-virus software doesn’t have faults and flaws as well, because it invariably does.
