sfbg.com

 


Wartime profiteers of the digital age
Are computer-security companies cashing in on fears of terrorism?

By Annalee Newitz

LATE ONE OCTOBER night, four feds showed up at Rob Rosenberger's door, just to have a "conversation." Eventually they revealed the purpose of their visit: they wanted Rosenberger to censor a column he had posted on his Web site. Or else.

Rosenberger is the editor of Vmyths.com, a Web site devoted to "the truth about computer virus myths and hoaxes." Earlier that day Rosenberger had posted a column on his site that he said "caused embarrassment" to a large "ambulance-chasing" corporation that sells antivirus software to consumers fearful of cyberterrorist threats.

Rosenberger's visitors, who had been tipped off by the antivirus company in question, ordered him to remove the column for "national security reasons." Unfortunately Rosenberger had no choice but to do as he was told: years ago he'd signed a "classified information non-disclosure agreement" with the government. Rosenberger is in the Air Force reserves and says this security document "applies to all active and reserve military personnel who hold a security clearance. I signed it years ago as a routine military matter."

Replacing the offending column with a sarcastic account of the experience, Rosenberger wrote, "Yes yes yes, I know embarrassment shouldn't justify national security protection, but things changed in the computer security world on 11 September. Our country needs action right now, not criticism. Or at least that's what I hear. America cannot afford to lose any more faith in the antivirus industry."

His wry comments go to the heart of troubling questions about whether the war on terrorism is strengthening a longtime collusion between Silicon Valley corporations and the defense industry. In the past few weeks it's become clear that antivirus vendors – security companies that sell software designed to protect computers from hostile code on the Internet – have much to gain from Bush's war on terrorism and its attendant social hysteria.

While most tech companies are tanking in the wartime economy, Silicon Valley's biggest antivirus software vendors, Symantec and Network Associates, are enjoying a booming business. Both companies' stock prices doubled in value after Sept. 11. And as Vmyths editor Rosenberger discovered, antivirus vendors won't hesitate to call in the feds to protect their corporate interests – and to maintain their "trustworthy" image in the eyes of consumers.

But antivirus companies can't have it both ways. When it comes to computer security, government interests nearly always run counter to citizen interests. Nothing demonstrates this digital-era homily better than a recent controversy over how antivirus vendors are responding to the Federal Bureau of Investigation's "spy virus" Magic Lantern.

Magic Lantern files

MSNBC reported in late November that the FBI was working on an "Enhanced Carnivore Project" – which would boost the potency of the FBI's newly launched antiterrorist Internet surveillance device known as Carnivore – that included a Trojan horse "spy virus" called Magic Lantern. This virus, whose existence the FBI has now confirmed, could be e-mailed to people the government suspected were terrorists. Once the computer was infected, the virus would install "keystroke logging" software similar to the kind used by hackers for years, and most recently used by the FBI last year to bust Nicodemo "Little Nicky" Scarfo for organized crime.

Keystroke-logging software is one of the most powerful kinds of computer surveillance because it keeps a log of every single keystroke suspects make on their keyboard and thus is ideal for collecting passwords that will unlock whatever crypto they have in use. This extends the powers of Carnivore immeasurably, since Carnivore is easily defeated by free, easily found encryption software like PGP (www.pgp.com).

The difference between Magic Lantern and traditional keystroke-logging software is that it can be installed remotely – in this case, via an e-mail virus. In the Scarfo case, FBI agents had to break into their suspect's house to install the software. With Magic Lantern, all the feds would have to do is send out a virus and later confiscate their suspect's computer to break any crypto he or she used.

Shortly after MSNBC reported the Magic Lantern project, Symantec (manufacturer of Norton AntiVirus) and Network Associates (manufacturer of McAfee VirusScan) issued contradictory reports about whether they were cooperating with the feds by allowing Magic Lantern to pass through the filters on their antivirus software. Anonymous insiders at both companies said execs were in talks with the feds; execs denied it.

If antivirus vendors did create a Magic Lantern "loophole," it could spell doom for consumers of the software. As security consultant Len Sassaman explained, antivirus software works by identifying a virus's unique "fingerprint." Hackers familiar with Magic Lantern could create viruses with a similar fingerprint and use the Magic Lantern loophole to disseminate their own malignant code unchecked.

Representatives of Symantec and Network Associates have admitted that their credibility with the buying public would be damaged if they were meeting with representatives of the government to discuss Magic Lantern. The real story, according to both companies, is that they never met with the feds and that they would never deliberately create "loopholes" in their antivirus programs. Michael Callahan, director of product marketing for McAfee, told the Bay Guardian, "We wouldn't do anything to not catch [Magic Lantern]. We're not going to compromise, because as soon as you say we'll let this through but not other things, you're in trouble. Virus protection is all the time."

A spokesperson for Symantec was even more firm in his denial: "We will not alter our software. We would protect against the virus if we did come across a copy of it."

Even if the connection between government interests and major antivirus vendors remains unclear, one fact is undeniable: both Symantec and Network Associates have made a killing on Wall Street. Symantec, in fact, was just added to the Nasdaq 100, an elite list of the most highly valued companies for 2002. At the same time, these companies and others like them are cozying up to the government, selling their product lines as weapons in the fight against what Rosenberger calls "Osama bin Virus" – the threat of cyberterrorism.

Of course, it's impossible to say whether the 75 percent jump in sales on a Network Associates product called VirusScan (retailing for $39.95) over the past few months is a result of the public's fears of Net-based terrorism or just a heightened awareness of viral threats in the wake of the Code Red worm and the Nimda virus scare last summer. "Our buyers say more people are aware that these kinds of threats can occur, but how they came to that realization is complicated and involves many factors," a Network Associates representative from its consumer division said.

A representative from the Norton division at Symantec refused to speculate about whether the specter of terrorism had fueled surging sales and stock prices. "We have reported outstanding sales in the consumer space, but we are not willing to make any connections or assumptions with regard to Sept. 11," she said. By the same token, consumers may never know whether there's a connection between the brisk sales of Norton AntiVirus ($49.95) and a late-night visit from the feds.

Viral fear

It's not surprising that consumers are more afraid of viral threats than ever before. Rodney Thayer, CTO of Declarator, a Sunnyvale firm that sets up secure network directory systems for its customers, said that he finds that his customers are more fearful of security threats online than they used to be. "People used to say that my attitudes about maintaining tight computer security were paranoid, and I don't hear that anymore," he noted.

The irony is that the widespread paranoia about terrorist-initiated computer threats is nearly groundless. Based on what investigators have learned about the computer habits of the terrorists responsible for the Sept. 11 disaster, they were hardly technical geniuses. The terrorists were using Hotmail, one of the most insecure e-mail programs you can get. And there is no evidence they used any forms of cryptography or intended to launch "cyberattacks" like viruses.

Fears of terrorist viruses may be overblown, but it's crucial to understand that computer viruses in general are getting more virulent, and computer users should be taking appropriate security measures. Yet "appropriate measures" doesn't always mean buying products from big companies like Symantec. Many people in the software-development community worry that consumers are becoming so afraid of a nonexistent cyberterrorist threat that they will rush to buy the most easily available off-the-shelf security products, like Norton AntiVirus. It's very possible, however, that such products won't protect them adequately – especially if there's a chance that major antivirus vendors are being protected from criticism by the government.

Luckily, there is evidence that corporate competition is keeping the antivirus vendors somewhat honest, despite possible government intervention. For example, after computer-security company Sophos.com announced two weeks ago that it would make a concerted effort to detect the Magic Lantern virus, both Symantec and Network Associates made their first strong statements about not putting "spy loopholes" in their antivirus software.

The open source and free software communities are also responding to virus paranoia by trying to protect consumers. Howard Fuhs is a computer-security expert in Germany who is also a developer with the grassroots, open source Open Anti-Virus Project (www.openantivirus.org), a free resource for people who want to use noncorporate, internationally authored tools to protect against viruses. He explained to the Bay Guardian that he considers it "absolutely normal" that large antivirus vendors are saying contradictory things about their relationships with the government because "tomorrow they might want to sell their products to the U.S. government, so they are saying things that their potential customers want to hear."

Fuhs added that the situation in the United States right now reminds him of what happened recently in China with antivirus vendors. "The Chinese government only allowed antivirus products to be distributed to governmental agencies when the virus collection database that the product is based on was also the property of the Chinese government," he said. In other words, the software only filtered out viruses that the government selected. "Most major companies complied with that rule because they didn't want to lose the Chinese government as a customer," Fuhs said.

Silicon Valley, with its historical connection to defense-industry contracts in the 1950s, is hardly a stranger to government collusion. These days it's not unusual for federal agents to expect cooperation on surveillance matters from Internet service providers, Web proxy services that make Web surfers anonymous, and even community Web sites like Craigslist.

Consumers need to realize that just because a company claims to protect them, it doesn't mean they are safe. As Declarator's Thayer said, large corporations like Network Associates are "not promoting a solution [to the virus problem]; they're just trying to make money."

E-mail Annalee Newitz at backdoor@techsploitation.com.