Anti-virus products could detect the FBI's new spyware. But should they?
If just one anti-virus software product detects Magic Lantern, the game is over.
Exclusion as we know it could be redefined, however, with the advent of a program named Magic Lantern. As first reported by MSNBC, Magic Lantern is a program under development by the FBI that watches and records end-users' keystrokes. The goal is to catch the passphrase of an otherwise uncrackable cipher from a bad guy's system.
Magic Lantern clearly falls in the category of malicious software. Specifically, it's a Trojan horse, in the same class as Back Orifice and Sub Seven.
The FBI creating such a program shouldn't come as a shock. Three-letter agencies of all sorts make no bones of the fact that they must regularly do things that many would consider less than savory. To get to the bad guys, you sometimes have to become a bad guy. With the news of Magic Lantern, the public may now add "creation of software that would otherwise be considered malicious" to the list of nasty, yet supposedly necessary, work of the U.S. government.
But the anti-virus industry is directly affected by the FBI's move. Since the beginning, our job definition has been to protect end-users from attacks of computer viruses and other malicious software. With Magic Lantern, there is a possibility that we might be asked to look the other way.
Anticipating this, anti-virus firms are already forming their positions. Symantec has gone on the record as saying they would cooperate with the FBI, and give Magic Lantern immunity from detection. Sophos would not. McAfee's position depends on which report you read.
There is precedent for private companies voluntarily assisting the U.S. in national security matters -- as early as 1945, Western Union, RCA and ITT were routinely passing confidential international telegraph traffic to the government. But until now, the gift of assistance has generally been agreed upon on a case-by-case basis. Never before has the possibility of a wide-blanket government directive presented itself so quickly and forcefully.
If we avoid detecting the Magic Lantern program, law enforcement agencies stand a chance of effortlessly retrieving sensitive pieces of information from a bad guy's computer. At first glance it appears to be a noble idea.
But what would we lose in the process?
There is no clear ethical code of conduct to guide us in this. As I've argued before, advancements in computer software technology have outpaced the ability to devise an ethic de rigueur in the industry.
However, marketing forces can offer us a little clarity.
Governments around the world on many levels rely on "made in the USA" anti-virus software to protect critical infrastructure. Will the world continue to trust U.S.-based software if we purposely design flaws in the software at the request of our government?
International associations and alliances shift, after all, sometimes quickly and drastically. What if a country suddenly fell out of favor for allegedly performing a terrorist act? Now, just as suddenly, every computer in that country, with its backdoored anti-virus program, is wide open to attack by the U.S.
However unlikely this scenario may be, the mere possibility would turn collusion with the FBI into the mark of Cain for the U.S. anti-virus industry. If U.S.-based companies are ultimately compelled by court order to work along with law enforcement agencies, the result would be the same, at least in the international market.
And, of course, Magic Lantern cannot be made to work with limited cooperation. If just one anti-virus software product detects Magic Lantern, the game is over.
Due to the international nature of anti-virus software, it simply may not be possible for the anti-virus industry as a whole to lend the blind eye the FBI would like.
This is more than just an academic issue for me. As CEO of WildList Organization International, it's my job to collect malicious code sent in by WLO participants around the world. When two or more participants report the same virus, the virus is placed on our official list of viruses spotted "In the Wild." Likewise, Trojan horses are added to our official "TrojanList."
Certification agencies use data from WildList Organization International when testing anti-virus products. So if Magic Lantern were to show up on one of our lists, detection of it could become a litmus test for anti-virus product certification.
So what would I do? Since at least two WLO participants would have to spot Magic Lantern independently (that is, two of them would have to fall under FBI surveillance), the odds are I'll never have to make that decision. But however noble the FBI's intentions, if WLO ever decided to purposely not list a program, then its effectiveness would be called into question forever. Absent legal compulsion, that won't happen on my watch.