July 17, 2007 4:13 AM PDT

Security firms on police spyware, in their own words

(continued from previous page)

Computer Associates

Response from Jessica Cassidy, a spokeswoman for Computer Associates, which makes software such as PestScan and CA Anti-Virus.

Question: Have you ever had any discussions with any government agency, not counting conversations related to a lawful court order signed by a judge, about not detecting spyware or keystroke loggers installed by a police or intelligence agency?

Answer: No.

Question: Is it your policy to alert the user to the presence of any spyware or keystroke logger, even if it is installed by a police or intelligence agency in the absence of a lawful court order signed by a judge?

Answer: The simple answer is yes. CA builds detections for all spyware and keystroke loggers that fail to pass our published scorecard criteria. Following is a link to our spyware scorecard.

Question: Have you ever received such a court order signed by a judge requiring you to cooperate with law enforcement authorities in terms of not detecting government-installed spyware or delivering government spyware to your users?

Answer: (Editor's note: No answer to the last question by Monday evening, although we didn't give CA that much time to respond to it.)

eEye

Response from Marc Maiffret, eEye Digital Security's co-founder and chief technology officer (who also has a regular podcast talking about security). eEye products include a network security scanner and a network traffic analyzer.

Question: Has eEye ever had any discussions with any government agency about not detecting spyware or keystroke loggers installed by a police or intelligence agency?

Answer: eEye has never had any discussions with any government agencies about not detecting any sort of malware, including spyware, keystroke loggers, etc.

Question: Is it eEye's policy to alert the user to the presence of any spyware or keystroke logger, even if it is installed by a police or intelligence agency?

Answer: Our customers are paying us for a service, to protect them from all forms of malicious code. It is not up to us to do law enforcement's job for them so we do not, and will not, make any exceptions for law enforcement malware or other tools.

As soon as a company, like we have seen with McAfee, starts making exceptions to their protection products, they can no longer guarantee a sound and safe product for their customers. We will not play that game.

Question: Have you ever received such a court order signed by a judge requiring you to cooperate with law enforcement authorities in terms of not detecting government-installed spyware or delivering government spyware to your users?

Answer: No

Previous page | CONTINUED: Responses from IBM, Kaspersky Lab…
Page 1 | 2 | 3 | 4 | 5 | 6

See more CNET content tagged:
Check Point Software Technologies Ltd., security company, police, regulation, Grisoft

13 comments

Join the conversation!
Add your comment
Question
Considering all the warrantless domestic spying that has been going on combined with the gag orders that prevent companies from divulging that they have been cooperating with the government, what are the chances that you got a straight answer from anyone?

Even if they wanted to tell you?
Posted by rcrusoe (1305 comments )
Reply Link Flag
Response
That's a fair point. But it's only valid to the extent that cooperation can be kept secret. If a company cooperates with the FBI without a court order requiring them to do so, and they lie to us and are found out, it would be a public relations nightmare.

They could be found out in two obvious ways:

1. Court documents or documents obtained via FOIA or a whistleblower eventually confirm such cooperation.

2. Reverse-engineering of the software shows such cooperation.

So while you're correct as far as your point goes, it's still useful to get them on the record now.
Posted by declan00 (848 comments )
Link Flag
No answer?
If McAfee won't answer the question, I won't buy their products.

It takes a moron not to realize how failure to answer that question will be interperted
Posted by mikele11111 (166 comments )
Reply Link Flag
Check Point lost my business
"We do have a policy whereby legal, legitimate software programs from any third-party vendor can be "whitelisted" from detection upon request. We would afford law enforcement the same courtesy."

No program, legal, legitimate or otherwise that is installed on my computer without my knowledge should be "whitelisted". Looks like I'll be checking out Comodo Firewall now.
Posted by ballssalty (219 comments )
Reply Link Flag
Don't buy Antispyware from printer makers
They will kowtow like they did and documented at SeeingYellow
[dot] com
Posted by davez2006 (17 comments )
Reply Link Flag
The problem...
With any of the "security" companies are any company that provides any type of computer/data security that allows any type of intrusion from any person, company of law enforcement organization mandated by law or not through is that that leaves a very large hole in computer security and one that crooks and other not so nice companies, crime organizations, etc. would then be able to use. All one would have to do is design their "crookware" to look and work like one authorities use and presto your through with no way for the user to know or remove it.

Once this security hole is opened there is no point in buying any security software, using any security software and just using the internet becomes a threat too big to risk. Opening this kind of hole is a very good way to take computers and the internet back to the stone age.

We are already having problems with security programs that at best are only moderately useful. I have tested 5 different anti-virus programs and each one has reported problems that others did not. So how does one decide what to trust from the programs. If they had this hole in them then they are totally worthless and not worth the money or in the case of the free ones not worth the time to download.

This would be a very bad thing. Police and authorities in general need to work harder instead of sitting on their rears while opening the worlds computer systems up to major security risks.

Robert
Posted by Heebee Jeebies (632 comments )
Reply Link Flag
MCafee has a virus in their AV software
Answer: It is McAfee policy to not comment on our conversations with law enforcement.

There is a reason they do not want to comment. Several years ago, one of their updates CONTAINED a virus the FBI had them add to their AV software. THe FBI bragged about how they had caught someone using the updated AV software.
Posted by willdryden (271 comments )
Reply Link Flag
eEye terrorists
There?s something about the good old boys at eEye security that always keeps us on the Grey Hat security scene on our toes laughing at the poor idiotic souls who purchase eEye products. For those who aren?t familiar with eEye, we implore you to take a look at their ?Chief Hacking Officer? otherwise known as Marc Maiffret. They may want to look into his ties to Khalid Ibrahim of the Harkat-Ul-Ansar terrorist group.

Most are wondering who, or who cares, but for American companies who have employees responsible for purchasing eEye products who are reading this, Harkat-Ul-Ansar is a known terrorist group according to the United States government. Ibrahim, is connected to the original World Trade Center bombings and is said to have cooperated with the FBI in ratting on other terrorists no-gooders. So what was Marc Maiffret then known as Chameleon (previously known as sn1per) of the moronic hacking group Masters of Downloading (not to be confused with Mark Abene?s MOD) doing taking money from a terrorist? According to Marc, he was ?at the wrong place at the wrong time?.

Now common sense and logic shows the argument of ?wrong place wrong time? but how could one have been at the wrong place, accepting money from the wrong people at the wrong time? I mean Marc, you were cashing a check. It didn?t slip into your pocket, it didn?t magically appear in your pocket. Now one could allude to this notion of Marc being innocent by saying something like; ?Maiffret was caught up in a sweep of an area? That might have worked but he was trying to cash a check from a known terrorist who was trying to buy satellite images.

Carrying on, everyone who took computer security seriously at the time began distancing themselves from Marc, he was kicked out of the security group rhino9 and it is likely he became an informant along with the guys at Attrition.org (we will elaborate on this in another posting.) For a little bit of ?true? underground hacking history, the kind of stuff you won?t see anywhere out of fear of federal intervention on behalf of ?cooperating witnesses/snitches?, let?s give a brief explanation of what had been happening in the late 90?s through early 2000 when Janet Reno was in office. The government was closing in on idiots (hackers), and turning them into snitches, nothing more and nothing less. One could have beautified this comment, but that is the bottom line clean cut truth of the matter.

Now let?s take a simple step back for a moment to ask oneself, has there ever been a time when someone?s house or business was raided by the Federal Bureau of Investigation and the person left untouched without being arrested? Do the simple mathematics here. Supposing two federal agents visited you, they would need a court order, they would need gas to get to your home, they would need substantial information, etc.. How much do you think it would cost? Let?s factor the salaries only. For whom shall we start with? The judge who gave permission to whom ever issued the warrant, the agents? supervisor? There is a lengthy process the federal agents had to go through, or at least there was at that time, when an agent had to go through to knock on someone?s door. In any case, if they were there, they were there to arrest you period. So why wasn?t he charged Sherlock? Why should he be charged with anything, it was a simple mistake the feds made right? Wait, they just came under suspicion and let them go because they had nothing! If you believe this, I have a Bridge for sale.

So the remaining question is; Does Marc and company have a backdoor in its products for the federal government? Is eEye Security nothing more than a method for the government to track which hackers have downloaded and are using eEye products and where they are coming from? Enquiring minds want to know. There was a little known fact about the late 90?s and early 2000?s and this part becomes foggy and hearsay. Rumormill at the time was the feds were building a ?hacker? database along with other now defamed idiot John Vranesevich.

The government?s notion then, was, when the federal government needed funding for another cybercrime center, they would pull a random name out of its database, and being they had evidence of hacks via way of attrition, they would either make an arrest a month, or convert the arrested hackers into snitches. Pretty interesting method of bringing up statistics in hopes of building a budget wouldn?t you say. So now that the cat comes out of the bag a decade later, many security professionals who were then ?on the scene? will begin to know the truth and nothing but the truth.

Mention of attrition? The definition of it was its intent, but moving on to Jericho since you asked for it, is he a government snitch. He too was raided by the feds. One can either take the same stance of it was a mistake, or do the math as well. Martin is a character in his own mind, so he will likely retort with a craftily written retort but before he does, perhaps he should take into account the power of an FOIA request. Jericho before you shoot off your mouth, ask yourself do you REALLY want the public to see who you really are? Should was also bring out good old Pete Shipley? Those on the scene with a clue already know you are a perverse idiot capable of bedding a cat if it stood still, would you care to have your information disclosed the FOIA way? We may or may not get to you guys in another post but for now, back to eEye and their secret backdoors.

This new information about the hacking days of the mid to late nineties and early millenium may overwhelm many in the security industry who may have thought these were good guys, friends. ?Hackers with a cause?. For those wondering if this is hyperbole, I implore you to Google information on Marc. While you?re at it, for those in the academic industrie, feel free to find someone in the United States government who can ask any federal agent the following questions: ?Has there ever been a time they?ve raided someone?s house without probably cause.?, ?How difficult would it be to obtain a warrant to raid someone?s home with guns drawn, and walk away without arresting the suspect they raided for, after solely speaking with him?.

You see Jericho (Brian Martin) and his cohorts at the website Attrition were at the time mining hacker information. They will swear they won?t do so but we know better. So how does Jericho tie into eEye? Simple, via way of Dale Coddington aka Punkis who works at eEye. Snitches of a feather flock together. See it worked like this, once upon a time there was #dc-stuff, no wait, some may not be ready for that. krystlia, malvu, Brian Martin along with Peter Shipley hacking the NYTimes as HFG. (don?t worry Martin, I believe the US has a statute of limitations). There shall be more to come in upcoming weeks. Until then, be careful of those so called old school hackers you look up to. Chances are they are nothing more than government rats.

<a class="jive-link-external" href="http://marc.info/?l=bugtraq&#38;m=90221103125889&#38;w=2" target="_newWindow">http://marc.info/?l=bugtraq&#38;m=90221103125889&#38;w=2</a>
<a class="jive-link-external" href="http://en.wikipedia.org/wiki/Harkat-ul-Ansar" target="_newWindow">http://en.wikipedia.org/wiki/Harkat-ul-Ansar</a>
Posted by eni9ma (2 comments )
Reply Link Flag
Wow - tinfoil hat time.
Posted by ejevo (134 comments )
Link Flag
McAfee -- That's a "yes"
Not a very consumer friendly policy, especially if government agencies are on a fishing expeditions to harass and intimidate dissent by cookie baking anti-war grandmothers.
Posted by Xenu7-214951314497503184010868 (153 comments )
Reply Link Flag
Reality
Federal law would protect those vendors from lying. Are you aware that if a bank reports someone under a SAR (suspicious activity report) today, that even if a bank employee is subpoenaed in a civil or criminal case that they can legally say they did not file one for national security reasons. You can never be tried even by the the District Attorneys office. Here is the statute:

(k) Confidentiality of SARs. SARs are confidential. Any national bank or person subpoenaed or otherwise requested to disclose a SAR or the information contained in a SAR shall decline to produce the SAR or to provide any information that would disclose that a SAR has been prepared or filed, citing this section, applicable law (e.g., 31 U.S.C. 5318(g)), or both, and shall notify the OCC.

(l) Safe harbor. The safe harbor provision of 31 U.S.C. 5318(g), which exempts any financial institution that makes a disclosure of any possible violation of law or regulation from liability under any law or regulation of the United States, or any constitution, law, or regulation of any state or political subdivision, covers all reports of suspected or known criminal violations and suspicious activities to law enforcement and financial institution supervisory authorities, including supporting documentation, regardless of whether such reports are required to be filed pursuant to this section or are filed on a voluntary basis.


So, lets all understand, for national security reasons, we even have secret laws. I am sure that where the real invasion takes place is at places way beyond the operating system level. The so called 'ring zero' level of software that only the microprocessor manufacturer has access to would appear to be the real culprit area. McAfee and the other vendors communciate with MS. MS communicates to the processor via sw provided by the likes of Intel and AMD. Even if you ask Intel or AMD, I am sure they would say no and could LEGALLY say no even if it was a lie. At least that is my opinion. But lets get real, this would be for major stuff, it would have to involve the Fed and a lot of money. This is way outside of the league of local law enforcement.

I guess we all forgot about how the US military went into the first gulf war with their planes and the entire radar network in Iraq went down because we had control of the back door?
Posted by tall_david (4 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.