Vess @VessOnSecurity, 27 tweets, 4 min read
OK, folks, I hear that John McAfee claims to have invented cyber security. (I don't know; he has blocked me.)

Gather 'round the fire, kids, for a short story, because I was around at the time.
Of course, John didn't invent cyber security. It existed long before there were computer viruses. The names of the inventors of the login prompt and the file access rights are probably lost in the mists of time.
It might be surprising to many, but John didn't invent the anti-virus program, either. The idea is immediately obvious to anyone who sees an infected program - write a program to repair (disinfect) it, and many did.
I did it in 1988 but I definitely wasn't the first. Alan Solomon did it in 1986, I think (@gcluley?). Joe Hirst did it even before that. (Man, his disassemblies of viruses were great!) Fred Cohen advocated the use of integrity checkers against viruses in 1984.
Ross Greenberg made an access control program (FluShot) in 1987.

I first heard of McAfee Associates and the anti-virus program SCAN in 1989.

So, what did McAfee invent? A couple of things.
First, he invented the bulk virus scanner. Before him, we would make a separate program for each virus, or for a handful of viruses, or one program trying to solve the virus issue completely (by monitoring access to infectable objects).
He made an effort to produce a single program that could only detect (removal was done by a separate program) every single virus known to him.
Second, he invented overhyping the issue, scaring people (he single-handedly started the Michelangelo virus scare; look it up), and convincing them to pay him for his program.
Now let me tell you a few things about his competence in security matters, which wasn't any better back then than it is now.
Originally, his scanner did a dumb scan for scan strings (sequences of bytes) that were taken from the known viruses. (Basically, a binary grep. But even grep was smart in comparison.) Problem is, even with only a few known viruses, this tends to be very slow.
So, he sped it up by reading only small parts from the beginning and the end of the file - because a virus can't be anywhere else in the file, right?
Well, of course it can be. Even one of the first viruses, Lehigh, hides itself in an area normally containing zeroes of the file it infects (COMMAND.COM).
But just following the entry point and checking what's there (instead of doing a dumb scan of even just portions of the file) was too complicated for John to figure out, at least initially.
Then, there was the matter of preserving the integrity of his software. You see, there were no digital signatures at the time (RSA was still patented) and his software was distributed as "shareware".
This means that everybody was free to copy it around but if they liked it and used it, they were honor-bound to buy a license for it.

But what if a bad guy took a copy of the software and modified it to do something bad? Clearly, some form of ensuring its integrity was needed.
McAfee's "solution" was to include in the package another program, called VALIDATE, which took an arbitrary file (e.g., his virus scanner) and computed some kind of hash of it. The hash was then recorded in the documentation.
So, the recipients of the package could repeat the procedure and check that the generated hash matched the one listed in the docs.

Do you see a problem with this approach yet? Hold my beer, we're far from finished.
You see, the "hash" wasn't a cryptographic hash. (To be honest, MD4 wasn't invented yet.) It was a CRC-16. Any of you who know anything about cryptography are probably rolling on the floor laughing at this point.
You see, not only are CRC hashes not cryptographically secure, but a 16-bit hash of *any* kind could be brute-forced on a single PC even in those distant times.
When this was pointed out to John, he, in a stroke of genius, decided to "solve" the issue by making the program output *two* different CRC-16 hashes. Surely that can't be broken! Checkmate, hackers.
Of course, anyone who knows the first thing about cryptography is laughing even louder at this point. You see, forging two CRC-16s simultaneously is no harder than forging a single CRC, the generator polynomial of which is a multiple of the generator polynomials of the two CRCs.
And since the two generator polynomials McAfee used weren't even relatively prime (i.e., they had a common factor), the level of "security" his CRCs provided wasn't even 32 bits - it was only 31 bits.
But all this didn't matter at all, because nobody in their right mind would bother forging CRCs when a much easier attack existed. Remember, the "correct" result of the CRCs was listed in the documentation.
So, the Bulgarian virus author known as "The Dark Avenger" took his program, modified it to spread a virus instead, and then modified the documentation to list the CRCs of the modified program instead. Voila.
Anyway. Back then John McAfee was the same technically incompetent schmuck that he is now. It's not age or drugs that have damaged him - he has always been this way.
Nowadays McAfee Anti-Virus is one of the best anti-virus products around. But John McAfee deserves none of the credit. His anti-virus was crap. It sucked at detection, it sucked at identification, and it sucked at disinfection.
In the mid-90s John was kicked out of McAfee Associates (or he resigned, depending on who you ask), the company threw away his shitty product and bought Dr. Solomon's Anti-Virus Toolkit - one of the best anti-virus products in the world at the time.

End of story.
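The two weaknesses the thread describes in VALIDATE (a 16-bit CRC can be brute-forced, and a published check value is useless if the verifier has no secret the tamperer lacks) can be shown in a few lines. The following is an added example, not code from the thread or from McAfee Associates: it implements a standard CRC-16/ARC, builds a constructed "program" and a tampered copy, finds a two-byte suffix by brute force so the tampered copy reports the same CRC, and then shows that a keyed check (HMAC-SHA256, standing in for the digital signature the thread says was unavailable at the time) rejects the same forgery. The file contents, the key, and the "+ payload" modification are all constructed for the demonstration.

```python
import hashlib
import hmac


def crc16_arc(data: bytes, crc: int = 0) -> int:
    """CRC-16/ARC (polynomial 0x8005, bit-reflected as 0xA001), init 0, no final XOR.

    `crc` lets the caller continue from an earlier state, so a suffix can be
    checked without re-hashing the whole body each time.
    """
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


# Constructed stand-ins for the shipped scanner and a tampered copy of it.
ORIGINAL = b"SCAN v1 (constructed sample, stands in for the shipped program)\n" + bytes(range(64))
TAMPERED = ORIGINAL.replace(b"SCAN v1", b"SCAN v1 + payload")


def forge_crc16(tampered: bytes, target: int) -> bytes:
    """Append two bytes to `tampered` so that its CRC-16 equals `target`.

    A 16-bit check space has only 65536 values, and appending 16 bits of data
    to a 16-bit CRC reaches every residue, so exhaustive search always succeeds.
    """
    state = crc16_arc(tampered)  # state after the tampered body; only the tail varies
    for suffix in range(0x10000):
        tail = suffix.to_bytes(2, "little")
        if crc16_arc(tail, state) == target:
            return tampered + tail
    raise RuntimeError("unreachable: a 2-byte suffix reaches every 16-bit CRC value")


def verify_with_crc(data: bytes, published_crc: int) -> bool:
    """The VALIDATE-style check: recompute and compare against the documented value."""
    return crc16_arc(data) == published_crc


def verify_with_hmac(data: bytes, key: bytes, published_tag: bytes) -> bool:
    """A keyed check: without `key`, a tamperer cannot produce a matching tag."""
    tag = hmac.new(key, data, hashlib.sha256).digest()
    return hmac.compare_digest(tag, published_tag)


def run_checks() -> dict:
    """Compare both verification schemes on the original and a forged copy."""
    published_crc = crc16_arc(ORIGINAL)        # what VALIDATE would print into the docs
    forged = forge_crc16(TAMPERED, published_crc)
    key = b"constructed-demo-key"              # stands in for a signer's secret
    published_tag = hmac.new(key, ORIGINAL, hashlib.sha256).digest()
    return {
        "published_crc": published_crc,
        "forged_crc": crc16_arc(forged),
        "crc_accepts_forgery": verify_with_crc(forged, published_crc),
        "hmac_accepts_forgery": verify_with_hmac(forged, key, published_tag),
        "forged_body_kept": forged.startswith(TAMPERED),
    }


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name}: {value:#06x}" if isinstance(value, int) else f"{name}: {value}")
```

The brute-force loop finishes in well under a second because only the two appended bytes are rehashed per candidate. Note that the keyed check only moves the problem to where the key lives: in a shareware setting the verifier cannot hold a shared secret, which is why a public-key signature, not an HMAC, is the real replacement for a documented checksum.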