To transcend this industry’s boundaries and achieve wider fame and recognition is a rare feat for information security professionals. Aside from the likes of wartime hero and cryptographer Alan Turing, and a few founders of commercial security enterprises, household names are few and far between.
John McAfee, as founder of McAfee Inc, falls into that latter category – but his wider fame, or perhaps infamy, is attributable in part to a string of bizarre and widely-reported recent incidents in his personal life that sent him on the run in Central America following a murder investigation. McAfee has done little to downplay his bad boy, fugitive image, preferring to revel in the ludicrousness of the situation. His self-made ‘How to Uninstall McAfee Antivirus’ video casts him as some sort of information security Hugh Hefner, gun-toting, lighting cigarettes with dollar bills, surrounded by scantily-clad women, and snorting copious quantities of ‘bath salts’.
His continued high profile in the wider world is still a source of some concern to the security industry. Should this self-proclaimed ‘eccentric millionaire’ be carrying the torch of security into the public sphere? McAfee’s latter day personal shenanigans have overshadowed his role as a pioneer of antivirus, a technology that has touched the lives of everyone using a personal computer over the last few decades.
Moreover, his achievements in the industry, considered objectively, have earned him the right to have his opinions heard. Whether or not you like those opinions, or even agree they deserve an audience, the British-American entrepreneur is undoubtedly, for want of a better phrase, information security’s rock star.
It’s some surprise, therefore, when I meet the man for interview at Infosecurity Europe. He’s smartly dressed, softly spoken and unfailingly polite to all who drop by for a chat or selfie. Far from the unhinged individual he is sometimes portrayed as, McAfee comes across as a man who’s on top of things. Aged 70, and not looking bad for it, perhaps this dapper appearance signifies a man who has turned a corner. And he’s heavily involved in the industry again, leading his latest venture Future Tense Central, launched two years ago, and masterminding a range of new apps designed to put privacy back in the hands of users.
Indeed, a primary occupation of McAfee’s thoughts these days is what he regards as relentless corporate and government surveillance – a topic he speaks fiercely but eloquently on as we sit down to chat. In particular, he scorns applications that ask for excessive permissions, especially on smart mobile devices.
“Take, for example, Bible-reading applications – in America they’re very popular. At night you can say, ‘read to me Genesis Chapter Three’. That’s all it does. But every single one of them asks for permissions to read your emails, your text messages, to access your contacts, the camera and the microphone. It’s not that they’re trying to spy on you to get bad information, they just want to watch what you’re doing, what you’re buying, so they can use that information to sell you stuff. Given the fact that facility exists, hackers can enter. You are open to malicious use of those applications.”
The idea of seemingly innocuous applications opening up new threat avenues for data to leak out of is a profoundly troubling thought for security professionals. But, McAfee argues, this is not just a problem for the security world. It’s a societal problem, which requires a step-change in what we expect, and demand, of corporations and governments.
“First and foremost we have to take responsibility for our own lives – we can’t expect the government to keep us secure,” he says. “There is no magic button that you can push, if there is a burglar in your house, and a policeman will materialize. Protection is not something the government offers. We have to take responsibility for our own security before we can change the government.”
Such rhetoric, taken out of context, might sound like an extract from the NRA manifesto. (And, indeed, McAfee is seemingly attached to his firearms). But it’s emblematic of how seriously McAfee takes individual privacy and security that he sees it in such terms – a matter of life and death, if not for actual individuals, then for a way of life.
“We cannot make privacy extinct; our society cannot function without privacy. Every moment of every day when you meet someone you choose what to reveal. If we do not have that ability society will collapse. If everyone knows everything about every one of us, we will have chaos. We will have constant judgment and therefore constant conflict.”
Perhaps a prescient example of McAfee’s dystopian visions is the hack of online dating site AdultFriendFinder, which he cites as a particularly horrifying example of the breakdown of privacy. The service suffered a major breach in May, exposing the information of up to four million users. Aside from personally-identifiable information like email addresses, usernames, dates of birth, postcodes and IP addresses, sensitive details such as sexual orientation and predilections for extra-marital affairs were included in the mass of data stolen.
"A person is risking an entire life [by using technology]. We need to address this"
But perhaps the most intriguing of McAfee’s new projects is something he calls ‘social encryption’, for which he is partnering with “one of the founders of Napster and a gentleman who helped architect Grand Theft Auto.” Social encryption, he explains, “is based on the concept that shared knowledge is something that simply cannot be acquired by anyone. If you and I have a year’s worth of shared experience, no one can tap into that and get into the mind of what we have experienced. It’s a very sophisticated algorithm that has a layer of abstraction that is, I believe, completely impermeable. It cannot be broken into.”
That’s one big claim; indeed one that no security advocate would ever make lightly. McAfee agrees.
“I understand how bizarre that sounds. I’m the last person who [would say that]. If you have a switch on a microphone that turns it on, and it disconnects itself from the rest of the hardware, it cannot be tapped into. It is unbreakable. We now have enough sophistication in software to emulate that to extremely high degree.
“Say we want encrypted communication. If I said to you ‘Hey remember when Sally got drunk and threw up, in that place we were staying, and her fine?’. Encryption is then developed via communication based on the shared knowledge, and an algorithm is developed. There’s no information that was passed between us, other than Sally got drunk and threw up, so the out-of-band communication offers no information to anyone who is trying to snoop. Once the encryption algorithm is run it is virtually unbreakable. It has too many layers of abstraction and the entropy is so infinite that it would be years before we could get supercomputers able to hack into it even after two or three years of processing.”
It may sound bizarre and a bit obscure, but McAfee assures us the math is in place and has been verified by the usual authorities. Like everything in the wonderful and frightening world of John McAfee, it’s bound to arrive in style and grab attention. He’s back.
"I think there's more wrong than right in the security industry – because it's a business like anything and the purpose of business is to survive and make money"
“It’s a horrible thing. Can we not see what is happening? A person is risking an entire life [by using technology]. We need to address this. We need to address privacy first and foremost. When we lose [it], when the camera comes into our bedrooms and gets between the moments shared with those we love, then all is lost.”
When he says that this is a problem for ‘us’ to address, McAfee does not mean the security industry alone. In fact, the antivirus pioneer is deeply skeptical of the sector’s ability to look at the bigger picture: “I think there’s more wrong than right in the security industry – because it’s a business like anything and the purpose of business is to make money and survive. If you have a product you want to make an excuse for selling. We can’t do that anymore; it’s too risky.”
He highlights the aforementioned mobile devices as the great looming threat to corporations. Yet even as security vendors worldwide are busily developing solutions, such as containerization, targeted at protecting corporate mobile devices, McAfee suggests all such projects are in vain: “It will not work because people will not conform to the restrictions that are necessary for that.”
But stopping mobile devices entering the workplace is not going to work either, he says: “We have become so habituated to their convenience that people would just quit and go somewhere else. I think the world will eventually have two separate issues. You’ll come to work and you’ll have your pad and your mobile device and you can do what you want, and you’ll have no connection between that device and what you do at work. Without that there will be no security either for an individual or for a corporation.”
In the meantime, McAfee is working on solutions that aim to combat the threat of applications and utilities that collect, and therefore threaten to leak, large swathes of user data. Future Tense Central has launched a number of projects that target mobile security. One app, D-vasive, he argues is, “Probably the most secure application for mobile devices, which allows you to lock down your microphone, your camera, your Bluetooth, your Wi-Fi, so that no one can listen to you or watch you.”
He is also partnering with a company called Starxx, which he describes as offering “the most secure instant messaging platform for the enterprise that has ever existed.”
This feature was originally published in the Q3 2015 issue of Infosecurity – available free in print and digital formats to registered users