[ISN] U.S. gov't blindly trusts the antivirus industry

From: InfoSec News (isnat_private)
Date: Tue Mar 18 2003 - 23:03:19 PST

  • Next message: InfoSec News: "[ISN] DEF CON Announcement: CFP, Media now on line!"

    http://vmyths.com/rant.cfm?id=562&page=4
    
    by Rob Rosenberger
    03/16/03 
    
    NO COMEDY IN today's column, folks. I want to speak to all U.S. 
    federal employees, military members, and contractors who use a 
    government-issued PC.
    
    "No comedy, Rob?" Don't worry. I sometimes work against muscle memory 
    to keep myself flexible.
    
    I try to catch White House flunky Howard Schmidt whenever he appears 
    on CNN or C-SPAN. Oh, sure, he utters silly statements from time to 
    time -- but he strikes me as a breath of fresh air compared to the 
    negligent man he used to call "boss." I'm an unabashed fan of 
    Schmidt's and I ain't afraid to admit it. Call me crazy but I like the 
    guy.
    
    For example, Schmidt points out the threat of our "blind trust in 
    software firms" in a city where trust creates an obstacle to success. 
    He cites examples like the P-Tech Software/Al Qaeda Terrorism 
    investigation and the JECC Software/Aum Shinrikyo Terrorism 
    investigation.
    
    The White House now runs commercials linking drug sales to terrorism. 
    Schmidt works for the White House and he wants you to know software 
    sales may fund terrorism, too. Indeed, Schmidt could make a very 
    strong case against ... antivirus companies.
    
    And I would agree with him. Let me explain.
    
    The computer security industrial complex sells its products to the 
    world and their global business plans run counter to U.S. national 
    security. I don't make this claim lightly. Antivirus firms in 
    particular follow no security theology. They release dangerous 
    data/code to anybody they choose for any arbitrary reason.
    
    For example, major U.S. antivirus firms such as Symantec & Network 
    Associates admit they gave cyber-smallpox technology to Beijing for 
    years while they deprived Washington of it.
    
    And they'll go right on ignoring security with impunity. A global 
    antivirus cartel grabbed us by the short & curlies a loooooong time 
    ago and they've never loosened their grip. For example, Washington 
    ironically pays those very same U.S. firms to defend beltway PCs from 
    the threat of Beijing's computer viruses. What's wrong with this 
    picture?
    
    Schmidt's interviews & speeches point out the threat of our own blind 
    trust in antivirus firms. Now, I'll admit he says "software firms," 
    but this of course includes the antivirus industry. If you raised your 
    right hand to defend the Constitution against all enemies (foreign or 
    domestic), then you must open your eyes to this problem. You must open 
    your eyes to the security industry's non-existent security theology.
    
    To put it simply: you need to treat your government PC like you treat 
    a GSA safe or a STU-III.
    
    I DON'T MEAN how you treat the documents in the safe or the things you 
    say during a call. I mean how you treat the safe or the phone itself.
    
    You can identify everyone who knows the combination to your GSA safe 
    or who holds a key to your STU-III -- but you don't know any of the 
    antivirus employees over the years who at one time or another enjoyed 
    full access to your for-official-use-only PC.
    
    Some antivirus programmers carry passports from countries we don't 
    like to associate with. One prominent U.S. virus expert will never 
    hold a security clearance because of his ties to the Chinese national 
    police. Experts in the antivirus cartel believe a prominent Russian 
    member in their group has strong ties to the KGB. The cartel as a 
    whole believes one Israeli antivirus firm bears strong ties to 
    Moussad.
    
    [Full disclosure: Wired magazine claims I've got ties to the CIA. I 
    don't, but let's pretend I do. Who would you trust more? Me, or the 
    guy with ties to the Chinese national police? Ah, but there's the rub! 
    You blindly trust the other guy by default.]
    
    Our enemies earn far more respect from the antivirus industry than we 
    do. We know it for a fact and I don't make this claim lightly. 
    Antivirus firms don't want our friendship -- they just want our money. 
    I quote myself from a telltale 2001 column: 
    
     NSA & CIA made it clear they wanted to join the inner sanctum of 
     antivirus experts... The spooks in D.C. wanted to tap into the 
     industry's massive knowledge base -- but the industry declined. 
     "We encourage you to give us any intelligence data you have," the 
     industry mused, "but we need to sanitize our own data before we 
     can give it to outsiders. It's just too sensitive."
    
     "Besides," the experts continued, "each of our firms is a large 
     multinational conglomerate. We don't want to look like a tool of the 
     CIA. It's bad for business..." Then [the White House] learned the 
     antivirus industry trades viruses with China. "Ouch." Antivirus firms 
     aren't a tool of the CIA -- they're a tool of the PRC! Bad for 
     business, indeed. 
    
    You'll never let these people touch a GSA safe or a STU-III, but 
    you'll blindly let their software protect your NIPRNET & SIPRNET 
    computers. In fact, your agency will blindly throw money at them every 
    time their software fails to protect your PC from a virus. What's 
    wrong with this picture?
    
    (Don't confuse "access" with "break-ins." Spies can access a GSA safe 
    or a STU-III just by breaking a window. And know this: the antivirus 
    industry evolved as a global cartel by no later than September 1999.)
    
    If you raised your right hand to defend the U.S., then your security 
    theology should include your government PC. If you watch Schmidt on 
    CNN or C-SPAN, then you know he feels the same way I do. He wants 
    America to overcome its blind trust in software firms. "Software 
    firms" includes antivirus firms.
    
    "BUT ROB!" YOU protest. "How can I, an individual, overcome the 
    government's blind trust in antivirus firms? I don't control federal 
    negotiations for their products and I can't even stop a network 
    administrator from forcing it down my PC's throat at every bootup."
    
    Believe it or not, you can help the government overcome its blind 
    addiction to COTS antivirus software. You really can. First, though, 
    you need to open your own eyes. Let me explain.
    
    You see that PC sitting on (or under) your desk? I kid you not: the 
    Pentagon recently declared it a "weapon system." By definition, then, 
    DoD's security theology should include the PC. But it doesn't. The 
    Pentagon should not protect a weapon system with software written by 
    people they'd never trust. Yet they do.
    
    Only in the antivirus industry -- I repeat, only in the antivirus 
    industry! -- can you: 
    
    1.  declare the entire planet as your customer base; 
    
    2.  sell a product that routinely fails to do what you advertise it 
        can do; 
    
    3.  rely on an addictive update model as your prime revenue stream; 
    
    4.  rely on a global media fetish as your prime marketing stream; 
    
    5.  configure your software so it deletes the important log files it 
        creates; 
    
    6.  hire uncleared foreign nationals to write software that protects 
        top secret computers; 
    
    7.  expect applause when you release hundreds of security patches for 
        your product each year; 
    
    8.  ignore the blatant security flaws in your own product; 
    
    9.  exploit the blatant security flaws in your competitors' products; 
    
    10. engage in industrial espionage without fear of a government 
        crackdown; 
    
    11. violate copyright laws and commit plagiarism with the blessing of 
        your corporate legal counsel; 
    
    12. curb technological innovation through the use of bribery and/or 
        character assassination; 
    
    13. refuse to alert your own customers to security threats discovered 
        by your competitors; 
    
    14. supply hostile enemies with the technology to destroy your own 
        customers; 
    
        AND MOST IMPORTANT OF ALL: 
    
    15. make your customer-addicts feel perfectly comfortable with all of 
        the above! 
    
    I don't make any of these claims lightly ... but I need to add two 
    caveats for journalistic integrity. First: I insist antivirus firms 
    sometimes use illegal means to acquire a competitor's virus library, 
    though I've not yet documented it. (It would force me to reveal my 
    sources.) Second: it doesn't violate my personal code of ethics when 
    antivirus firms arm an oppressive communist regime for a possible 
    cyber-war against the United States. (I explain why here.) Of course, 
    my industry ethics don't apply to "U.S. federal employees, military 
    members, and contractors who use a government-issued PC."
    
    The antivirus industry wants everyone to feel perfectly comfortable 
    when they do anything they wish for any reason they choose, especially 
    if it threatens the very people who buy antivirus software. What's 
    wrong with this picture?
    
    They want every CIA employee to feel perfectly comfortable using 
    antivirus software written by people the CIA would never trust. They 
    want every NSA employee to feel perfectly comfortable with it, too. 
    Same thing for every FBI employee. The antivirus industry wants every 
    military contract negotiator to feel perfectly comfortable with it. 
    They want every DoD CERT official and every network administrator to 
    feel perfectly comfortable with it. They want every user to feel 
    perfectly comfortable with it, too.
    
    In a word: "everyone."
    
    [Continued in part 2]
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Wed Mar 19 2003 - 01:34:09 PST