Vmyths.com


Hoaxes, myths,
urban legends

Columnists

Newsletter
signup

Addictive
Update
Model

False
Authority
Syndrome

About us

Computer
security
humor

Truth about computer security hysteria
Truth About Computer Security Hysteria

As read by the author

U.S. gov't blindly trusts the antivirus industry

As read by the author Rob Rosenberger, Vmyths co-founder
Sunday, 16 March 2003

NO COMEDY IN today's column, folks. I want to speak to all U.S. federal employees, military members, and contractors who use a government-issued PC.

Major U.S. anti­virus firms admit they gave cyber-small­pox tech­nology to Beijing for years while they de­prived Washing­ton of it.
You wouldn't trust them with the combi­na­tion to your GSA safe — yet you blindly trust them to pro­tect top secret govern­ment PCs.
"No comedy, Rob?" Don't worry. I sometimes work against muscle memory to keep myself flexible.

I try to catch White House flunky Howard Schmidt whenever he appears on CNN or C-SPAN. Oh, sure, he utters silly statements from time to time — but he strikes me as a breath of fresh air compared to the negligent man he used to call "boss." I'm an unabashed fan of Schmidt's and I ain't afraid to admit it. Call me crazy but I like the guy.

For example, Schmidt points out the threat of our "blind trust in software firms" in a city where trust creates an obstacle to success. He cites examples like the P-Tech Software/Al Qaeda Terrorism investigation and the JECC Software/Aum Shinrikyo Terrorism investigation.

The White House now runs commercials linking drug sales to terrorism. Schmidt works for the White House and he wants you to know software sales may fund terrorism, too. Indeed, Schmidt could make a very strong case against ... antivirus companies.

And I would agree with him. Let me explain.

The computer security industrial complex sells its products to the world and their global business plans run counter to U.S. national security. I don't make this claim lightly. Antivirus firms in particular follow no security theology. They release dangerous data/code to anybody they choose for any arbitrary reason.

For example, major U.S. antivirus firms such as Symantec & Network Associates admit they gave cyber-smallpox technology to Beijing for years while they deprived Washington of it.

And they'll go right on ignoring security with impunity. A global antivirus cartel grabbed us by the short & curlies a loooooong time ago and they've never loosened their grip. For example, Washington ironically pays those very same U.S. firms to defend beltway PCs from the threat of Beijing's computer viruses. What's wrong with this picture?

Schmidt's interviews & speeches point out the threat of our own blind trust in antivirus firms. Now, I'll admit he says "software firms," but this of course includes the antivirus industry. If you raised your right hand to defend the Constitution against all enemies (foreign or domestic), then you must open your eyes to this problem. You must open your eyes to the security industry's non-existent security theology.

To put it simply: you need to treat your government PC like you treat a GSA safe or a STU-III.


I DON'T MEAN how you treat the documents in the safe or the things you say during a call. I mean how you treat the safe or the phone itself.

Anti­virus firms want the CIA to feel per­fectly com­fortable using anti­virus soft­ware written by people the CIA would never trust.
They want the NSA, the FBI, the Penta­gon, and your net­work admini­stra­tor to feel per­fectly com­fortable with it, too.
What's wrong with this picture?
You can identify everyone who knows the combination to your GSA safe or who holds a key to your STU-III — but you don't know any of the antivirus employees over the years who at one time or another enjoyed full access to your for-official-use-only PC.

Some antivirus programmers carry passports from countries we don't like to associate with. One prominent U.S. virus expert will never hold a security clearance because of his ties to the Chinese national police. Experts in the antivirus cartel believe a prominent Russian member in their group has strong ties to the KGB. The cartel as a whole believes one Israeli antivirus firm bears strong ties to Moussad.

[Full disclosure: Wired magazine claims I've got ties to the CIA. I don't, but let's pretend I do. Who would you trust more? Me, or the guy with ties to the Chinese national police? Ah, but there's the rub! You blindly trust the other guy by default.]

Our enemies earn far more respect from the antivirus industry than we do. We know it for a fact and I don't make this claim lightly. Antivirus firms don't want our friendship — they just want our money. I quote myself from a telltale 2001 column:

NSA & CIA made it clear they wanted to join the inner sanctum of antivirus experts... The spooks in D.C. wanted to tap into the industry's massive knowledge base — but the industry declined. "We encourage you to give us any intelligence data you have," the industry mused, "but we need to sanitize our own data before we can give it to outsiders. It's just too sensitive."

"Besides," the experts continued, "each of our firms is a large multinational conglomerate. We don't want to look like a tool of the CIA. It's bad for business..." Then [the White House] learned the antivirus industry trades viruses with China. "Ouch." Antivirus firms aren't a tool of the CIA — they're a tool of the PRC! Bad for business, indeed.

You'll never let these people touch a GSA safe or a STU-III, but you'll blindly let their software protect your NIPRNET & SIPRNET computers. In fact, your agency will blindly throw money at them every time their software fails to protect your PC from a virus. What's wrong with this picture?

(Don't confuse "access" with "break-ins." Spies can access a GSA safe or a STU-III just by breaking a window. And know this: the antivirus industry evolved as a global cartel by no later than September 1999.)

If you raised your right hand to defend the U.S., then your security theology should include your government PC. If you watch Schmidt on CNN or C-SPAN, then you know he feels the same way I do. He wants America to overcome its blind trust in software firms. "Software firms" includes antivirus firms.


"BUT ROB!" YOU protest. "How can I, an individual, overcome the government's blind trust in antivirus firms? I don't control federal negotiations for their products and I can't even stop a network administrator from forcing it down my PC's throat at every bootup."

You — the govern­ment em­ployee, the mili­tary mem­ber, the con­trac­tor — must treat your IBM PC like you'd treat a GSA safe.
I don't mean how you treat the docu­ments in the safe. I mean how you treat the safe itself.
Believe it or not, you can help the government overcome its blind addiction to COTS antivirus software. You really can. First, though, you need to open your own eyes. Let me explain.

You see that PC sitting on (or under) your desk? I kid you not: the Pentagon recently declared it a "weapon system." By definition, then, DoD's security theology should include the PC. But it doesn't. The Pentagon should not protect a weapon system with software written by people they'd never trust. Yet they do.

Only in the antivirus industry — I repeat, only in the antivirus industry! — can you:

  1. declare the entire planet as your customer base;
  2. sell a product that routinely fails to do what you advertise it can do;
  3. rely on an addictive update model as your prime revenue stream;
  4. rely on a global media fetish as your prime marketing stream;
  5. configure your software so it deletes the important log files it creates;
  6. hire uncleared foreign nationals to write software that protects top secret computers;
  7. expect applause when you release hundreds of security patches for your product each year;
  8. ignore the blatant security flaws in your own product;
  9. exploit the blatant security flaws in your competitors' products;
  10. engage in industrial espionage without fear of a government crackdown;
  11. violate copyright laws and commit plagiarism with the blessing of your corporate legal counsel;
  12. curb technological innovation through the use of bribery and/or character assassination;
  13. refuse to alert your own customers to security threats discovered by your competitors;
  14. supply hostile enemies with the technology to destroy your own customers;
    AND MOST IMPORTANT OF ALL:
  15. make your customer-addicts feel perfectly comfortable with all of the above!
I don't make any of these claims lightly ... but I need to add two caveats for journalistic integrity. First: I insist antivirus firms sometimes use illegal means to acquire a competitor's virus library, though I've not yet documented it. (It would force me to reveal my sources.) Second: it doesn't violate my personal code of ethics when antivirus firms arm an oppressive communist regime for a possible cyber-war against the United States. (I explain why here.) Of course, my industry ethics don't apply to "U.S. federal employees, military members, and contractors who use a government-issued PC."

The antivirus industry wants everyone to feel perfectly comfortable when they do anything they wish for any reason they choose, especially if it threatens the very people who buy antivirus software. What's wrong with this picture?

Washing­ton may need to walk away from COTS anti­virus soft­ware for national security reasons. "Keep it, we don't trust it..."
They want every CIA employee to feel perfectly comfortable using antivirus software written by people the CIA would never trust. They want every NSA employee to feel perfectly comfortable with it, too. Same thing for every FBI employee. The antivirus industry wants every military contract negotiator to feel perfectly comfortable with it. They want every DoD CERT official and every network administrator to feel perfectly comfortable with it. They want every user to feel perfectly comfortable with it, too.

In a word: "everyone."

[continued in part 2]