FC: McAfee broadens denial: No contact with government of any sort

From: Declan McCullagh (declanat_private)
Date: Tue Nov 27 2001 - 10:17:16 PST

  • Next message: Declan McCullagh: "FC: Dmitry Sklyarov prosecution update: Hearing set for early 2002"

    Here's an email exchange I had with Tony Thompson (Tony_Thompsonat_private, 
    408 346-3696), a spokesman for McAfee/Network Associates. I asked him:
    
    >My followup question is: Is Network Associates/McAfee aware of any other
    >companies or organizations that have had any contact of any sort with the
    >FBI or other law enforcement or intelligence agencies regarding Magic
    >Lantern or a product with capabilities it is reported to have? How about
    >trade associations to which NAI/McAfee belongs? How about broadening the
    >question to include any government agency or contractor or affiliate?
    
    Tony replied:
    
    >No, we are not.
    
    I added:
    
    >Tony, thanks, much obliged. I just noticed my question didn't include you
    >folks directly. Can you assure me that Network Associates/McAfee has not
    >had any contact with any law enforcement or intelligence agencies or other
    >government entities including Congress or the White House about Magic
    >Lantern or a product with capabilities it is reported to have?
    
    Tony replied:
    >You are correct.  We have not.
    
    He didn't say anything I left out -- that's the entirety of his answers.
    
    Background:
    http://www.politechbot.com/cgi-bin/politech.cgi?name=mcafee
    
    Summary:
    http://www.wired.com/news/conflict/0,2100,48648,00.html
    
    -Declan
    
    ***********
    
    To: Marisa_Lewisat_private
    cc: politechat_private, tbridisat_private, declanat_private
    Cc: ahat_private, gnuat_private
    Subject: Re: FC: McAfee replies -- by denying any FBI contacts of any sort
    Date: Mon, 26 Nov 2001 15:43:03 -0800
    From: John Gilmore <gnuat_private>
    
    Hi Marisa, speaking for McAfee.  Your answer makes me wonder about how
    your company seems to be interpreting US the law.  And you forgot the
    most important point, which is serving your customers; I can see why
    they might worry.
    
     > 4.  Network Associates/McAfee.com Corporation does and will continue to
     > comply with any and all U.S. laws and legislation.
    
    It is not illegal in the US for a software product to report that
    software has been inserted secretly into a system, even if the
    secretly inserted software was from the FBI under a wiretap warrant.
    If you believe otherwise, show me what provision of law would be violated.
    
    In your list of points for the press, you forgot the most important
    point:
    
      5.  Network Associates/McAfee.com anti-virus products will continue to
      protect our customers' computers from *any* program that intrudes into
      their system against the desires or without the knowledge of our customer.
    
    Will your European customers be able to detect official US spyware,
    since US law has no force in Europe, but your US customers be denied
    that capability?  Will your US customers be able to detect European
    governments' spyware?  When the French government installs spyware on
    US machines at Chrysler, Ford and GM, for Renault's benefit, will you
    be protecting these companies -- or looking the other way?  When
    Palestinian activists acquire the US and French spyware (from their
    own computers that were infected by wiretappers from the US and
    France), then install it on Japanese computers and use it to wreak
    havoc on the Japanese financial markets, will your product be lying to
    its Japanese customers?  Would you be liable if so?  Legally, or
    merely in the public mind?  Would you have thereby become a supporter
    of terrorism?
    
    If the company decides that your company's software will lie about the
    presence of "legitimate" spyware from "legitimate" countries'
    governments, what will you do when such countries change governments?
    Would your software now be protecting Poles from old USSR spyware, but
    not from more modern Russian spyware?  If the State of Arizona decides
    to write their own spyware, can they get it onto your protected list
    too?  How about the City of Berkeley, or the Bay Area Water Quality
    Management District?  Will whoever hijacks an election in Latin
    America be able to slide with impunity into any computer worldwide,
    after a short discussion with your company to have their spyware added
    to the "legitimate" list?  When the PRI lost the Mexican election,
    would your next release suddenly reveal the extent of PRI spying on
    its opposition?  Would your software protect Democratic Party HQ
    from Richard Nixon's "plumbers"?  Before or after the impeachment?
    
    As soon as your company steps away from "We protect our customers
    against *everybody* else", you are in a morass whose depth you
    do not suspect.
    
             John Gilmore
             (a former stockholder of PGP Inc, acquired by Network Associates)
    
    ***********
    
    From: Richard M. Smith [mailto:rmsat_private]
    Sent: Monday, November 26, 2001 8:36 AM
    To: politechat_private
    Cc: pressat_private; InvestorRelationsat_private
    Subject: RE: McAfee sides with FBI against customers on "Magic Lantern"
    
    Declan,
    
    Anti-virus (AV) software typically use file signatures to detect viruses
    and Trojan horses.  For this scheme to work to detect Magic Lantern, an
    AV company like McAfee would need a copy of the FBI's software.  I
    seriously doubt that the FBI is going to be giving out samples of their
    software for anyone to look at any time soon.
    
    It will be interesting to see if the Magic Lantern becomes publicly
    available anyway.  I bet there is going to be a lot of people looking
    for it.
    
    On a related note, about 2 years ago I informally floated the idea that
    AV companies should be looking to see if customers are running software
    with known security holes.  The same AV engine which looks for viruses
    can easily locate broken software.  My idea got a very luke-warm
    reception.  It seems that the AV companies were real reluctant to point
    fingers at other software companies like Microsoft.
    
    Richard M. Smith
    http://www.computerbytesman.com
    
    ***********
    
    Date: Mon, 26 Nov 2001 15:48:37 -0600 (CST)
    From: Boris Kupershmidt <bkupershat_private>
    To: Declan McCullagh <declanat_private>
    Subject: Re: FC: McAfee replies -- by denying any FBI contacts of any sort
    
    Read carefully, this very Clintonesque quasi-denial
    doesn't deny the report.
      1)"McAfee Corp., contacted the FBI on Wednesday to ensure its software
    wouldn't inadvertently detect the bureau's snooping software and alert a
    criminal suspect." This is the AP report.
      2)The company says:
      1.  Network Associates/McAfee.com Corporation has not contacted the FBI,
    nor has the FBI contacted NAI/McAfee.com Corp., regarding Magic Lantern.
                                                     ~~~~~~~~~~~~~~~~~~~~~~~
      2.  We do not expect the FBI to contact Network Associates/McAfee.com
      Corporation regarding Magic Lantern.
                            ~~~~~~~~~~~~~
      3.  Network Associates/McAfee.com Corp. is not going to speculate on
    Magic Lantern as it's existence has not even been confirmed by the FBI or any
    ~~~~~~~~~~~~~~
      government agency.
    
    In other words, nothing is said or denied about anything that is not
    Magic Lantern.
      The report is thus likely to be true.
      The company is now actively lying, provided we agree what the
    meaning of "is" is.
    
      4.  Network Associates/McAfee.com Corporation does and will continue to
      comply with any and all U.S. laws and legislation.
    
    So, the company has chosen sides, with the government against
    its customers.
    
      Cheers, Boris.
    
    ***********
    
    Date: Mon, 26 Nov 2001 13:32:42 -0800
    From: "G. Armour Van Horn" <vanhornat_private>
    To: declanat_private
    CC: brettat_private, pressat_private, InvestorRelationsat_private
    Subject: Re: FC: McAfee sides with FBI against customers on "Magic Lantern"
    
    Greetings:
    
    While hardly as influential a force in the marketplace as Declan or Brett, I do
    consult with a modest set of clients and assist with ongoing support for their
    networks. In that capacity I probably have been responsible directly for two or
    three new licenses for the McAfee antivirus program every month for the 
    last few
    years. I reached the conclusion that your product did a thorough job and was
    easy enough to use for the end users, most of whom are real estate agents with
    no real interest in becoming system administrators. When asked, or when an
    infection prompted us to act, I would install your product.
    
    As of last Wednesday, this tiny trickle of new business ended. To be trusted on
    systems I work with any intrusion-detection product must perform as advertised
    without any exceptions. Your virus scanner must detect and remove infections
    caused by malicious individuals, your own company, other software vendors, or
    any government on earth.
    
    Unless you can assure me that your program will not be crippled in this regard,
    and I am concerned both with the direct intrusion of governments and the risk
    that others will slide through whatever back door you might open for a
    government or commercial entity, there will not only be no additional
    installations but I will strongly recommend that my clients upgrade to a more
    reliable product at the end of the current license.
    
    G. Armour Van Horn
    Freeland, Washington
    
    ***********
    
    Date: Tue, 27 Nov 2001 01:26:54 -0500
    To: declanat_private
    From: "Robert L. Ellis" <rellis@internet-attorneys.com>
    Subject: Translation of German article
    
    ----------
    
    McAfee denies report about cooperation with FBI
    
    A spokesperson of the McAfee parent company Network Associates has denied 
    reports in the Washington Post according to which McAfee supposedly offered 
    to not indicate the presence of' the FBI snooping tool Magic Lantern 
    through its anti-virus software.  Network Associates spokesperson Alexander 
    Wegner explained to heise online that such a report in the Washington Post 
    did not correspond with the truth, [and that] it could not be determined 
    who had spoken with the paper.
    
    Magic Lantern -- according to an MSNBC report last week citing 
    well-informed sources -- is supposed to expand the email surveillance by 
    the controversial snooping program Carnivore.  The program is supposed to 
    be surreptitiously delivered to the unknowing user via email where it 
    installs a key logger that become active if encryption software is 
    activated on the target PC.   The Washington Post had reported [that] "at 
    least one anti-virus firm, McAfee," had contacted the FBI in order to 
    ensure that the firm's anti-virus software would not "mistakenly" detect 
    the snooping trojan [software] and thus warn criminals of the surveillance.
    
    Wagner sharply denied this description:  "We are not interested in what the 
    FBI does," he stated to heise online.  "We write software which detects 
    malicious code.  If a trojan or a virus is present on the system, it will 
    be reported.  McAfee makes no exceptions."
    
    ***********
    
    Date: Mon, 26 Nov 2001 21:10:36 -0600
    To: declanat_private
    From: "Randal J. King" <rjkingat_private>
    Subject: Re: FC: McAfee replies -- by denying any FBI contacts of any
       sort
    
    >From: "Lewis, Marisa" <Marisa_Lewisat_private>
    >To: "'Declan McCullagh'" <declanat_private>
    >  <snip>
    >4.  Network Associates/McAfee.com Corporation does and will continue to
    >comply with any and all U.S. laws and legislation.
    
    Simple enough.  Congress rules that Magic Lantern is part and parcel of the 
    provisions of homeland security and requires A/V manufacturers to 
    explicitly exclude its detection.
    
    Sounds like NAI (a) either anticipates this or (b) is sending a message on 
    how this can get done.
    
    Question:  If such a law were to hit the books, would I be in violation for 
    writing my own personal detection software and installing it?  What if I 
    gave it to a few thousand friends free of charge?
    
    Anyone ready to go back to pulse dialing and O26 keypunch cards?
    
    -- Randy King
    
    ***********
    
    Date: Tue, 27 Nov 2001 11:24:59 +1100
    From: Nathan Cochrane <ncochraneat_private>
    Reply-To: ncochraneat_private
    Organization: The Age newspaper
    To: declanat_private
    Subject: Re: FC: McAfee replies -- by denying any FBI contacts of any sort
    
    It's like Asimov's three laws of robotics.
    
    So if the US Government tells McAfee to pass the scan, McAfee will.
    
    ***********
    
    Date: Mon, 26 Nov 2001 17:52:12 -0600 (CST)
    From: Zippy <sjdyerat_private>
    To: Marisa_Lewisat_private
    cc: declanat_private
    Subject: Re: FC: Has McAfee sided with FBI on "Magic Lantern" detection?
    
    How about actually giving us a clear statement that NAI will not--not now,
    nor in the the future--engineer its software to overlook inconvenient
    government mischief? If the below is true, your German colleagues have had
    no such problem in doing so. What gives?
    
    ***********
    
    
    
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    -------------------------------------------------------------------------
    



    This archive was generated by hypermail 2b30 : Tue Nov 27 2001 - 10:55:08 PST