John McAfee created the antivirus world. Can he reinvent it too? (Q&A)
LAS VEGAS—”Plug it in, and watch.” That’s how John McAfee envisions users of Sentinel, a Roku-size early intrusion detection device he and Eric J. Anderson are developing, will test it.
Sentinel, they say, physically plugs into your network and detects threats as they happen. And eventually, it may be become a replacement for antivirus software.
The pair sat down with me for more than an hour to discuss the state of computer security and privacy. In part 1 of our wide-ranging Q&A, we discussed the cybersecurity policies of Hillary Clinton and Donald Trump, the state of the election, and the challenges of accurately attributing hacks, such as the alleged attempts by Russian hackers to influence the outcome of the U.S. election McAfee has dropped out of.
Through his new company, John McAfee Global Technologies, formerly called MGT Capital Investments, McAfee has acquired the rights to develop Anderson’s decentralized file-sharing encryption software, Demonsaw. He has also made Anderson, known in hacker circles as Eijah, its chief technology officer.
“We don’t log, we don’t collect data, we don’t mine. We’re trying to approach cybersecurity in a different way.” — Eric Anderson, CTO, MGT Capital Investments
Not surprisingly for leaders of a new company, McAfee and Anderson are long on vision but short on actual product, and they are hesitant to reveal many details of their plans. They plan to release an enterprise edition of Demonsaw named Clear Skies in the first quarter of 2017.
McAfee remains a stormy figure in computer security, for his international exploits as a fugitive in a Belize murder case as much as his attempts to gain attention through news headlines. Anderson, by contrast, appears to have garnered goodwill from the hacker community for putting his career on the line to develop Demonsaw into usable security software. (He left his software development job at Rockstar Games to work full-time on Demonsaw.)
As Anderson continues developing a free version of Demonsaw for consumers, he is building business-centered features such as router federation into Clear Skies. Federation here means a Facebook-like network of people connecting to each other, but through a decentralized platform of Clear Skies and not Facebook’s central servers.
Additional features—including file synchronization, audio and video chat, direct person-to-person messaging, screen sharing, a method of securing otherwise insecure networks called SOCKS5 proxy, a Dark Web-like Onion Router competitor, and even a way to make Bitcoin more secure, Anderson says—will be phased in over time, and incorporated in a rapid-release cycle similar to Chrome and Firefox.
What follows is an edited transcript of our conversation.
Isn’t the premise of modern antivirus that they’re all-in-one security programs?
McAfee: It’s still largely based on the old paradigm of, “We’ve got to find the malware.” I invented that paradigm, which worked fine for 15 years. It doesn’t work anymore.
Dude, if you’ve got the malware there, you’re screwed already.
So what should consumers be doing to protect themselves on their computers?
McAfee: Right now, there’s nothing you can do, other than get help, once your computer is infected.
We’re working on a consumer product that can plug into your router, and hopefully in a few months, we’ll have it. But people need to accept that they are their own worst enemies, when it comes to cybersecurity.
Is this your phone? Do you have any apps on it?
Yep. One of them is recording us right now.
McAfee: That’s fine. Do you know where it came from?
I could look it up.
McAfee: So you don’t know if it was built by a criminal or some subsidiary of Apple. Who knows? And if you have app on there, it’s probably OK. If you’ve got two, your chances of being OK are cut in half. If you’ve got 10, you knock it down to 10 percent. If you’ve got 20, I can guarantee you that your phone is being monitored by somebody because there are few apps that do not ask for permissions that they do not need.
“My job is to structure things in a fashion that keeps you from screwing yourself without giving you a sense of paranoia about us screwing you. How more simple can it get? You plug it in, there’s no configuration, and it transmits nothing under every normal circumstance.” — John McAfee, CEO, MGT Capital Investments
Example: A Bible-reading app. Turn off the lights, and it reads to you out loud with a synthesized voice. What does it require? Access to the keyboard so it knows what you want it to read. Access to your speaker so it could speak to you. Access to your emails, your contacts, your microphone, your camera, your Wi-Fi.
That stuff is all in the contract—nothing illegal. The terms that you agreed to are 400 pages long. You have agreed to allow the app publishers to read your email and even to make calls from your phone, for which you might have to pay, without telling you.
How many of these problems come from the software supply chain of open-source libraries?
McAfee: If I were to accept 1,000 apps per year to my app store, I’d get 25 programmers, put them in a corner, and say, “Everything that comes through, you guys check it out.” What about 250,000 apps?
It’s really on consumers to read the agreements. But software publishers know that we’re not going to read them, and we’re not going to say, “No, I don’t agree to these terms,” because once you do that, it says, “Sorry, I’m not running.”
So it always comes down to problem 1: how do we protect you from you?
Well, we can’t protect you from every app that you download. It’s up to the user to either educate himself or demand a piece of software that’s going to look at the app and say, “This app is asking for permissions to read my emails.” It should look through and ask, “Does it, in fact, need permission to read my emails? The app’s purpose is to speak to you at night in a synthesized voice. Hey dude, listen, before you hit the Yes, I want to tell you something: This app is asking for 19 permissions that it does not need.”
And this is the problem that your company is looking to solve?
McAfee: Yes, of course it is! It’s among many we’re attempting to solve.
Anderson: Protecting people isn’t the only issue at stake. And we need to empower people to be their own authority.
Take back control, believe in yourself, believe in the right to share. That’s been my mantra the last few years. You are intelligent, you are powerful, you don’t need companies to protect you. And that’s the truth.
When it comes down to usable products that are going to change people’s lives, which is what I presume your goal is, what are you guys doing?
Anderson: One of the goals is to put the individual first. And we don’t necessarily mean just private citizens or individual consumers, but also businesses made up of people like you that have their personal and corporate privacy needs. We need to take a stance in everything we do, and put the individual and his or her privacy first.
We don’t log, we don’t collect data, we don’t mine. We’re trying to approach cybersecurity in a different way. What would I want a cybersecurity company to do, if I were the consumer? How would I want to be treated? How would I want my personal information to be captured and stored? What rights should I want? What responsibility and accountability should I expect of the company?
“We can make an enterprise-level product that doesn’t capture information and store it and mine it and fail to protect it. And we can provide the same level of service and convenience as the Dropboxes in the clouds of today.” — Eric Anderson
Privacy is important now—bigger than ever before, and it’s getting even more and more important. And if we put the individual first, we will be successful on all other fronts.
There have been plenty of efforts in tech to put individuals first that are no longer functioning. What products are you looking to make, and what do you think people are going to want to use?
Anderson: No. 1, it’s taking back control of our personal data. If you look at all the problems we have with cybersecurity in the world, with respect to hacking, and vulnerabilities, and information leakage, and lack of accountability, and the OPM hack, and all the worry and paranoia right now around cybersecurity, it all deals with somebody leaking or getting access or exposing or handing over or backdooring our personal information. It all deals with a bad person or unauthorized person who got access to my data.
Where was that data? It was on somebody else’s servers. What happened? Incompetence, failure to patch, third-party agreement went awry, Edward Snowden. All these things can come into play.
What if, instead of trying to solve the symptoms, we got stronger corporate agreements? What if instead of solving the symptoms, we solved the root problem?
The problem is, we’re giving our personal data over. Is it not possible that we, in 2016, at DefCon, surrounded by the smartest hackers and programmers and makers in the entire world, can devise technological solutions in products and platforms to provide the same level of service and convenience that we get today, through the cloud, in a way that doesn’t require handing over our personal information and trust to entities?
I believe we can. John believes we can. It’s harder to make software that way. It’s damn harder. But if we put the extra effort in, it’s possible. I proved that with Demonsaw. It’s possible to write a cloudless infrastructure where you don’t have to give over information. And we could do it at the enterprise level. We are doing it with Clear Skies.
We can make an enterprise-level product that doesn’t capture information and store it and mine it and fail to protect it. And we can provide the same level of service and convenience as the Dropboxes in the clouds of today.
If we can also take that to the home, you’ll be able to take back control of your data and protect yourself in a way that’s easy and convenient and simple. You won’t have to have a math degree to use our products.
A lot of companies out there promise to protect your data. We’ve seen time and again that these companies fail on those promises.
McAfee: If they’re promising you the moon, then sure. But what we’re promising you is that we’ll be able to tell you, within a few milliseconds, if somebody is sniffing your system. At that point, boom, it’s up to you.
How does the detection work?
McAfee: If you have $5 billion, I’ll tell you.
So you’re not ready to talk about it.
McAfee: We’re never going to talk about it. We have encased our product in a way that you can not break into it without destroying our firmware.
What about vetting your products?
McAfee: You can vet it by plugging it in and seeing if it works. Let’s say we have a headache pill, and you ask, “How does it work, neurologically?” Just take the pill! If your headache goes away, then we don’t have to convince you. If your headache doesn’t go away, then buy a competing product.
This is the same thing that happened early on in the antivirus business. If I tell you how we’re doing this, and you publish it, the hackers are going to go, “Ahhh, because that happened,” over and over and over.
So no, I’m not going to tell you. I’m not going to tell anybody.
Anderson: I had a similar problem with Demonsaw, which is not fully open source. I’ve been very transparent why it’s not: I’m giving it away for free, I didn’t even get donations, I’ve never made a dime off of it, and I’ve self-funded it from my Rockstar Games bonuses. I’ve been very open about that. I’ve open-sourced what I could, but I didn’t open-source it fully because I needed to maintain the IP to build out a business app that I could monetize.
I’ve taken a lot of slack for that, though a lot of people respect that. There are a lot of ways to verify that I’m not calling home to the NSA, and I’m not doing anything malicious.
People have sandboxed Demonsaw, looked at TCP dumps, looked at network transmissions. Every time I release something, the people who love me, respect me, are still double-checking it and are reverifying it. I’m not offended by that. I admire them, and I respect them more because of that. They’re taking personal responsibility and accountability, and they’re standing up.
“[W]e’ve gone from a paradigm of selling software for money to selling software for information. Information is the commodity of exchange in today’s software world.” — John McAfee
So how are you going to get everyone to trust you?
McAfee: What we will tell you is this: It’s a purely passive product, with one exception: If there is an anomaly, it will send the anomalous packet and where it came from to our servers. How hard is it to test that?
Plug it in, and watch. Is it actually transmitting anything? No, it’s not. Then you do some penetration test, but all it sends is that packet. Is that hard to test? That’s all there is. It’s doing nothing that could possibly harm you under any circumstances. It’s listening, and only transmitting when an anomaly occurs. And if you can prove otherwise, you’re living in a different universe.
My job is to structure things in a fashion that keeps you from screwing yourself without giving you a sense of paranoia about us screwing you. How more simple can it get? You plug it in, there’s no configuration, and it transmits nothing under every normal circumstance.
How do you ensure that an inadvertent flaw in your code doesn’t wind up defeating the purpose of the product?
Anderson: We’re going to do third-party audits. The Demonsaw code 3.0 will be audited by a respectable party. The full source code will be available to that third party under a proper NDA. All of our source code that we make will have third-party audits. I don’t have the names of the companies, and even if I did, I couldn’t reveal them right now.
McAfee: That only applies to the code that runs on a general-purpose operating system, where you can’t actually do something. It doesn’t apply to any passive product that we develop. Because if the product is indeed passive, by definition, it cannot do anything other than the one function we told you about.
Anderson: Third-party audits are going to become a core requirement for any of our software. So with the lack of the entire code base being open-sourced, it’s not going to be possible for a publicly traded company to release all of its code open source. What we will do is provide product versions directed at the consumer that will not have ads, and not require them to pay at the individual level to as much degree as we can, and still make a profit.
A lot of the security community has attempted to create standards that software vendors can agree to in order to produce safe and effective software, right?
McAfee: Has it worked? It isn’t working! My point is, who cares? If 10,000 people a year are using the product, and none of them are having or have had any problems, and they all say, “Seems to work,” isn’t that better than, “This is vetted and completely safe and ready to go,” and the Russians break in and steal all of your good bits?
Apple is now doing a bug bounty. This stands as proof, if there ever was, that having a third party look at your code is a good idea. Having independent researchers and hackers look at code has been beneficial, no?
McAfee: What is the purpose of the design of the fundamental operating system? It’s to provide access to applications that know where you are, what you’re buying, who you’re with, who your contacts have been, what your emails may look like, what color that shirt that you bought last week was—everything about you.
We have an operating system designed to allow people to spy on you, steal from you, or do what they want. And you’re talking about vetted applications? The problem is not that.
The problem is, we’ve gone from a paradigm of selling software for money to selling software for information. Information is the commodity of exchange in today’s software world. We have to change this paradigm.