My adventures with John McAfee

As you may have heard, antivirus pioneer John McAfee has become a fugitive from justice. Now wanted for murder in his adopted home of Belize, he has been accused of manufacturing drugs and consorting with criminals and underage girls, if we’re to believe a feature article on Gizmodo. It’s a bizarre story, particularly for me, since McAfee played a key role in my early career.

In the late 1980s, I got to know McAfee. I sought him out because widely published tales of his adventures fighting computer viruses inspired me. McAfee was the first recognizable face of the antivirus industry, a bold entrepreneur who became a multimillionaire by creating a single executable that could scan for and clean multiple computer viruses at once. He’s a big part of why I decided to make my career in the computer security industry.

[ Sit back and relax as Robert X. Cringely recounts true tales of tech execs gone wild, including the aforementioned McAfee. | Keep up with key security issues with InfoWorld’s Security Central newsletter. ]

Getting the bug

Back then, as a teenager, I read Ross Greenberg’s book “Flu-Shot,” which detailed Greenberg’s cat-and-mouse game with hackers — and ultimately the development of his highly successful Virex-PC antivirus program. I was hooked. I decided that I, too, wanted to fight hackers and malware, although at the time I didn’t program and knew almost nothing about computers.

I started hanging around computer virus discussion lists on an early precursor of the Internet known as FidoNet. McAfee, nearly a national hero at the time, occasionally participated in the discussions. I wanted to learn more about viruses, so I wrote McAfee asking if I could have some to play with.

McAfee quickly said no, explaining he couldn’t send me viruses because he couldn’t be sure I wouldn’t do bad things with them. On the other hand, if I sent him some new computer viruses, it would be proof that I could already spread them if I chose to — and he would let me participate in a small, private world where different computer virus experts exchanged malware and discussed what they did. He also suggested that I learn assembly language so that I could disassemble any viruses coming my way.

I took those marching orders seriously. I started reading every book I could on PC internals, including “The Peter Norton Programmer’s Guide to the IBM PC.” In about two weeks, I knew enough assembly language to take apart small programs that I downloaded from FidoNet. But I still didn’t have any viruses.

Exchanging malware with McAfee A few weeks later I heard about a large national company that had been attacked by the viruses Pakistani Brain, Jerusalem, Cascade, and Lehigh. I called to offer my assistance. After all, the research I had done made me a computer virus “expert,” just without any real experience (I saw no reason to bring that up). Pretty soon I was sitting in a large corporate boardroom with an executive vice president, her staff, and official-looking NDA documents I had recently printed out. Mostly I remember quaking in my seat as I bluffed my way through the meeting.

I was exhilarated when the company handed me my first infected floppy disk. I promised to take a look at the virus and notify the group if I found a known variant. They mentioned that the local university was also fighting computer viruses, so an hour later I showed up there. Within the span of a few hours, I had 10 new computer viruses in my hot little hands.

Thrilled, I headed back home, uploaded my viruses to McAfee, and asked to become one of the computer virus insiders. To my surprise, McAfee took my virus samples and said no once again. He still couldn’t trust me. Defiantly, I typed something that said to the effect that either he could work with me or I would become one of the best antivirus researchers in the world without him.

Truth be told, I was a clueless 19-year-old with more dreams than talent. It was all bravado. But strangely, my healthy ego must have reminded McAfee of himself because he relented and brought me into his fold. I could send newly found viruses his way, and he would submit virus samples to me for analysis.

Of course, my only “payment” was gaining entrance to a specialized world that few people on the outside could comprehend, much less participate in. But I was fighting the bad guys just as I had hoped. By day, I was a boring certified public accountant, but in my spare time I talked to some of the smartest computer people around the world, disassembled viruses, and worked with the world’s best-known computer virus hunter, John McAfee. I was in heaven.

I disassembled and researched viruses for the newly lunched PC Antivirus Research Foundation and passed along relevant findings to McAfee. At first the work was easy. New viruses came in at the rate of a few per month, but the numbers steadily increased until we were getting dozens a day. My “hobby” was taking up more hours than my full-time job. It was a passionate obsession. I left my job as an accountant to become a dedicated computer security expert.

Dueling experts By this time, John was running his own company, McAfee Associates, which would go on to make him an industry figure — a rich one, at that. I asked for a job. Unfortunately, he said no yet again. I was upset because of all the free time I spent helping him, but this time my bravado did not win out; he already had a very talented team of programmers and virus analyzers. Still, we parted as friendly acquaintances and would correspond with each other when the need arose.

In March 1992, Newsweek magazine did an article on the Michelangelo virus, which was erasing hard drive data and causing panic around the world. It included quotes from both McAfee and me. During the same period, I had learned about a new polymorphic encryption engine for viruses called Dark Avenger’s Mutating Engine (DAME). It was capable of producing viruses that were nearly impossible to identify accurately. Actually, infected file copies could be identified, but it took such twists and turns to do so that the false-positive rate was unacceptably high. This was not something McAfee wanted the world to know.

I had told the Newsweek reporter that instead of the world worrying about Michelangelo virus that we should be more worried about DAME, and I shared the new challenges. The reporter called John to confirm, and she later told me he became very upset that someone had revealed this secret. He wanted to know her source, but she never named me.

Years later a freelance journalist asked me to confirm whether or not John McAfee had ever paid for people to write computer viruses. I said no, but that if my memory served me correctly, John had once offered to pay for people to send him computer viruses (so he could collect signatures for his new VirusScan program), and unexpectedly, people had written new viruses and sent them to him for payment. John never did make the payments and retracted the ask.

The reporter printed this statement from me at the same time that John McAfee gave over the reins of McAfee Associates to Bill Larson, the new CEO and lawyer. Larson renamed the company to Network Associates, which didn’t like the negative press from the quoted statement (“John McAfee paid for computer viruses”). Suddenly, I was threatened by Network Associate lawyers to retract my statements or be sued.

I had saved my old FidoNet chats with John McAfee and protected them with a PGP encryption key. Unfortunately, I learned that 5.25-inch disks stored in the trunk of your car won’t be reliable after a few years. They were full of disk errors and refuse to decrypt. I emailed John McAfee, explaining what was happening, and he basically told me good luck, he didn’t have anything to do with that company anymore. Without any evidence and under the threat of a lawsuit, I retracted my statements. It was a terrible embarrassment, for both me and the journalist.

A bizarre ending But the strangest part of knowing McAfee was the time he wanted me to help start an AIDS-free sex club. I still remember how excited he was about his new, brilliant idea. Membership required a fee and an AIDS test. If the test came back negative, you were given a membership card, which you could then take to organized member parties, have lots of casual sex, and not worry about catching the virus.

John wanted me to set a club up on the East Coast while he set one up on the West Coast. I started to get more and more urgent emails from him about the matter. His continued conversations and excitement about the club weirded me out, and I stop answering his emails. He was obviously a smart guy, but way more eccentric than I could handle. I ceased communicating with him entirely.

As proof that the computer security industry is smaller than it seems, I eventually ended up working for Network Associates (formerly known as McAfee Associates), when it bought the company Foundstone, where I worked as an instructor and penetration tester. By the time I became an official McAfee employee, Larson had just resigned as CEO amid an accounting scandal involving hundreds of millions of dollars in revenue fraud.

So that’s my history with John McAfee. Some of the personality traits I’ve read in the articles today bring to mind my interactions with him long ago. I had thought he’d become an eccentric millionaire flying ultralight airplanes in the desert. Now he’s a “person of interest” in the murder of an American in Belize. I am surprised, of course, but given his bizarre behavior toward the end of my association with him, not entirely shocked.

This story, “My adventures with John McAfee,” was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes’ Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.