This story appeared on Network
World at
http://www.networkworld.com/columnists/2006/060506bradner.html
Anti-virus, etc.:
Who is going to watch the watchers?
'Net Insider
By Scott Bradner, Network World,
06/05/06
If you are running a Windows
computer and not using some sort of anti-virus package then you are likely not
the one really running your computer. It is very likely that some hacker
halfway around the world can do anything he wants to with "your" computer. In a
Windows environment running anti-virus to protect the computer from worms and
viruses is what is euphemistically called "a required option." So what do you
do when the very tool that is supposed to protect you from attacks turns out to
be enabling them?
That is just what happened with
two Symantec security products. On May 25, Symantec confirmed a report from
eEye Digital Security that the Symantec Client Security and Symantec Anti-virus
Corporate Edition products have a vulnerability that could "allow a remote or
local attacker to execute arbitrary code with System level rights". Symantec
published a patch within a few days, far faster than Microsoft will get around
to patching a Word vulnerability that was announced about the same time.
(Microsoft almost always waits until its regularly scheduled monthly patch date
to issue patches even if its customers are getting hurt by a vulnerability.
Symantec, and many other vendors, do not show such a callous disregard for the
safety of their customers.)
It makes a lot of sense for the
bad guys to target a product like an anti-virus package: a handful of vendors
account for an almost ubiquitous deployment, and the product runs with System
privileges on every one of those machines, so a flaw in it hands over the whole
computer rather than a single user account. A successful exploit will leave
a lot of systems ripe for the picking.
This episode does bring up the
age-old question in the security field: "Who will watch the watchers?" In this
case it was an independent security company, one that has gotten rather good at
ferreting out these sorts of things, but we cannot depend on having such a
resource in all cases.
The same question pops to mind
when reading the headlines of the past few weeks about the National Security
Agency (NSA) and the secret equipment rooms in AT&T data centers. Who is
going to make sure that the NSA is actually doing only what it almost says it
is doing? I say "almost" because the information that the Bush administration
lets out is far from precise about the NSA effort in this case as well as the
case of looking for calling patterns (or whatever they are doing) with all the
calling records some of the phone companies so kindly gave them.
Security expert Bruce Schneier
explores this area in a very insightful May 18 column in Wired. The big-brother
style communications world being brought to us by governments in the name of
protecting us from terrorists or protecting children from the evils of the
Internet is a world that would have been seen by the old East German Stasi as
close to the ideal. Tie this world to the Internet from, for and by the phone
companies, as the FCC seems to want, and you wind up with a nightmare I'd
rather wake up from.
Disclaimer: "Harvard" and "nightmare"
are related concepts in a few people's minds, but the university did not
express an opinion on watching watchers. I did.
Bradner is a consultant with
Harvard University's University Information Systems. He can be reached at
sob@sobco.com.
All contents copyright 1995-2006
Network World, Inc. http://www.networkworld.com