July 17, 2007 4:00 AM PDT

Will security firms detect police spyware?

Last modified: July 17, 2007 9:40 AM PDT

A recent federal court decision raises the question of whether antivirus companies may intentionally overlook spyware that is secretly placed on computers by police.

In the case decided earlier this month by the 9th U.S. Circuit Court of Appeals, federal agents used spyware with a keystroke logger--call it fedware--to record the typing of a suspected Ecstasy manufacturer who used encryption to thwart the police.

A CNET News.com survey of 13 leading antispyware vendors found that not one company acknowledged cooperating unofficially with government agencies. Some, however, indicated that they would not alert customers to the presence of fedware if they were ordered by a court to remain quiet.

Most of the companies surveyed, which covered the range from tiny firms to Symantec and IBM, said they never had received such a court order. The full list of companies surveyed: AVG/Grisoft, Computer Associates, Check Point, eEye, IBM, Kaspersky Lab, McAfee, Microsoft, Sana Security, Sophos, Symantec, Trend Micro and Websense. Only McAfee and Microsoft flatly declined to answer that question. (Click here for the verbatim responses to the survey.)

Because only two known criminal prosecutions in the United States involve police use of key loggers, important legal rules remain unsettled. But key logger makers say that police and investigative agencies are frequent customers, in part because recording keystrokes can bypass the increasingly common use of encryption to scramble communications and hard drives. Microsoft's Windows Vista and Apple's OS X include built-in encryption.

Some companies that responded to the survey were vehemently pro-privacy. "Our customers are paying us for a service, to protect them from all forms of malicious code," said Marc Maiffret, eEye Digital Security's co-founder and chief technology officer. "It is not up to us to do law enforcement's job for them so we do not, and will not, make any exceptions for law enforcement malware or other tools." eEye sells Blink Personal for $25, which includes antivirus and antispyware features.

Others were more conciliatory. Check Point, which makes the popular ZoneAlarm utility, said it would offer federal police the "same courtesy" that it extends to legitimate third-party vendors that request to be whitelisted. A Check Point representative said, though, that the company had "never been" in that situation.

This isn't exactly a new question. After the last high-profile case in which federal agents turned to a key logger, some security companies allegedly volunteered to ignore fedware. The Associated Press reported in 2001 that "McAfee Corp. contacted the FBI... to ensure its software wouldn't inadvertently detect the bureau's snooping software." McAfee subsequently said the report was inaccurate.

Later that year, the FBI confirmed that it was creating spy software called "Magic Lantern" that would allow agents to inject keystroke loggers remotely through a virus without having physical access to the computer. (In both the recent Ecstasy case and the earlier key logging case involving an alleged mobster, federal agents obtained court orders authorizing them to break into buildings to install key loggers.)

Government agencies and backdoors in technology products have a long and frequently clandestine relationship. One 1995 expose by the Baltimore Sun described how the National Security Agency persuaded a Swiss firm, Crypto, to build backdoors into its encryption devices. In his 1982 book, The Puzzle Palace, author James Bamford described how the NSA's predecessor in 1945 coerced Western Union, RCA and ITT Communications to turn over telegraph traffic to the feds.

More recently, after the BBC reported last year on supposed talks between the British government and Microsoft, the software maker pledged not to build backdoors into Windows Vista's encryption functions.

53 comments (Showing first 20 comments)
keyloggers and such.
by inachu July 17, 2007 5:11 AM PDT
My OS is or when it is running in peak form I can tell in easy tell tale fashion when something is not right when something was running or some hidden install. When a keylogger gets installed even when it is only 20k in size it changes the personality of my OS and when it does change I just reimage the whole thing and start over with FDISK and fresh clean copy of XP. Be it fedware or spyware or trojans I know when my system has been compromised.
Reply to this comment View reply
How about going with the company...
by OneWithTech July 17, 2007 6:06 AM PDT
..that has the most honesty in this whole gig, eEye's Blink Personal for $25 is now the guaranteed choice for me and my clients.

There's nothing like a security company that blatantly risks the security of its clients to allow policing of a system that has NO boundaries intact.

Justin
Tech01.net
Reply to this comment
who regulates the regulator
by wildchild_plasma_gyro July 17, 2007 6:17 AM PDT
Ok the recent spouts of cases against wiretapping and spying activity in the name of security and wellbeing show that there is a lot of trust ground and development still needed to be made in the policing circles before people and companies alike are going to be satisfied that any work done in the name of protection is done with respect to the people's interests and values.
However the internet/computing world is only really just entering toddlership and it's up to all of you to make sure the balance within is the right one for you to truly move forward with the most confidence.
Reply to this comment View reply
All spyware requires a weak OS.
by Macsaresafer July 17, 2007 7:11 AM PDT
If you aren't running Windows, you have very little to worry about
from any hacker, police or not. If you are running Windows, you're
asking for trouble.
Reply to this comment View all 2 replies
Anti-Spyware SHOULD detect police spyware
by Dr_Zinj July 17, 2007 8:23 AM PDT
1. You NEVER know for sure if it's really the police using the spyware..

2. Even if it is a policing agency (local cops, State, Feds, FBI, CIA, etc), there is nothing saying that they are engaged in authorized spying on your system. Matter of fact, they ALL have a very bad record of spying without authorization.

3. "You have the right to remain silent, anything you say can and will be used against you in a court of law." Spyware constitutes the de facto presence of the police in an interrogation setting without having first read you your Miranda Rights. You want to give up your rights?

4. Federal agencies have a bad track record of seizing and incarcerating people without due process of law. (post 9/11 and the Madrid Train Bombing come immediately to mind.) Wouldn't you at least like to have a bit of a warning that they were about to swoop down on you so you could at least tell your family or the news agencies that you were going to disappear into their hands?
Reply to this comment View reply
"Unreasonable Search and Seizure...."
by whmurray July 17, 2007 8:48 AM PDT
....is, unfortunately, what a court says it is. History suggests that the FBI will assume that a new search technique is reasonable and work mightily to ensure that a court never gets to rule on it. This is the opposite of what one might hope.

One might have no problem with investigators installing spyware, and with anti-spyware vendors cooperating with them, if a court were issuing warrants on a case by case basis. I am confident that once the first case gets before a court, the courts will rule that such warrants are required. I am less hopeful that the courts will get an opportunity to rule.
Reply to this comment
Update on links
by Phillep_H July 17, 2007 9:27 AM PDT
Clam is for an email server and Openantivirus has not updated the sig file since May 2004.
Reply to this comment
Big Brother: Just 1 More Step To The Ultimate Goal
by steelcitybred July 17, 2007 11:23 AM PDT
Call me a conspiracy theorist, but this is just one more step
towards a one world government and the global watchdog. Just
like the "War on Terror", they(the powers that be) begin their new
projects by saying that it's aimed at the bad guys. Eventually, the
Feds will be able to spy on anyone's computer--suspected criminal
or not.
Reply to this comment View reply
Another issue we should be able to vote on as a nation
by novelator July 17, 2007 11:54 AM PDT
Yes, it's 1984, and why has no one in Congress addressed the issue?

This is just another big reason why we the People should be allowed to vote once a year in a BINDING national referendum and decide for ourselves, over and above any court, even the Supreme Court, whether we want our privacy invaded willy-nilly under any "well-meaning" pretense or not.

Funny this comes to light now. After reading the article, I immediately removed Windows messenger from my machine as it's been acting funny for the last two weeks, saying I've logged into another computer and must sign in again. Coupled with this Microsoft's refusal to answer the question as referenced in the article, I don't think I'll be chatting on the service any longer, nor using IE explorer at all.

Does anyone know what AVG's stand on this issue is yet?

M.L. Bushman
Reply to this comment View all 2 replies
This coming from a government that...
by mattumanu July 17, 2007 12:09 PM PDT
Won't do anything about spam, hasn't done anything about spyware to make it illegal, and wants to tax email.

It wouldn't take much for a hacker to find policeware, exploit it, and render millions of computers vulnerable to attack. And what's to stop a bad cop from using the "whitelisted" policeware to either 1) blackmail an individual, 2) use the fedware key logger to steal personal information?

It wasn't all that long ago a police officer was caught going into an establishment that sells alcohol after hours, and while off duty, begged the people working there to sell him alcoholic beverages. There's bad cops everywhere.
Reply to this comment
A glaring and troubling problem is detectable
by missingamerica July 17, 2007 12:48 PM PDT
"Later that year, the FBI confirmed that it was creating spy software called "Magic Lantern" that would allow agents to inject keystroke loggers remotely through a virus without having physical access to the computer."

From the other angle: "that would allow agents to inject keystrokes remotely through a virus without having physical access to a computer."

Voilà. Incriminating evidence secretly injected and collected in one tidy package. Now that would solve a lot of pesky political problems, wouldn't it?

And now tell me that you can rule out that possibility with Bush, Cheney, and Gonzo running "Justice".
Reply to this comment View all 2 replies
and again...
by dondarko July 17, 2007 4:30 PM PDT
with the Bush administration.

- WMDs that don't exist (all for going into Afghanistan, they asked for it)
- they didn't know that there are differences btwn Muslims
- NSA agent outed in the public (the law for that offence alone is death, b/c it is considered treason and it is, whoever leaked it)
- $1 trillion tax cut to the rich (I only got $250, woohoo)
- running private armies (security firms in Iraq and Afghanistan) who don't answer to anyone but money
- illegal wiretapping of citizen and residents without court order
- Jailing two border agents for shooting a Mexican drug dealer in the butt, no pardon for those two (and besides, when did it become a crime to defend your country against drug smuggler/killers/rapists)
- Enron (remember Kay and Bush together, with Prez. hailing him and the company?), down the tubes along with countless pensions and jobs.
- Rampant and careless outsourcing
- Secret energy talk meetings with Cheney and energy companies (and you wonder why you pay $3.99 per gallon?)
- Sending our GIs to combat without armor (first two years of humvees without adequate protection, even from small IEDs) should be considered treason.
- BIG ONE: ALLOWING, STILL (I DON'T CARE WHAT PARTY YOU ARE AND WHAT ARE YOUR ABORTION VIEWS) FOR SOCIAL SECURITY FUND TO BE USED AT WILL CONGRESS. THIS HAS BEEN THE FACT SINCE REAGAN WHEN THE LAW WAS CHANGED TO ALLOW DIPPING OFF FINGERS INTO SS FUND. BEFORE THAT IT WAS UNTOUCHABLE AS IT SHOULD BE, I DON'T WANT MY SS PAYING FOR A BRIDGE TO NOWHERE FOR 50 FOLKS AT HUNDREDS OF MILLIONS.
- Administration got the warning that 9/11 was going to happen but they were busy fishing and golfing.
- our car mileage hasn't improved since 70s (actually gone down for some studies) yet the administration insists on not imposing new standards. IT IS A FACT THAT U.S. CARS CANNOT BE SOLD ALMOST ANYWHERE IN THE DEVELOPED WORLD B/C OF OUR POOR MILEAGE/BIGGER POLLUTION. If you include Afghanistan and Iraq, then it would be two that allow our cars.
- Rushing back to DC to save Terri Schiavo, but we cannot get relief to Katrina victims for days and our lovely Condi was shopping for shoes while people were dying. AS A MATTER OF FACT WE CAN GET THE SUPPLIES AND DISASTER RELIEF HALF A WORLD AWAY IN TWO DAYS (THINK OF THE TSUNAMI BACK IN THAT DECEMBER) BUT IT TOOK TWO WEEKS FOR KATRINA AREAS.


Wishy washy stuff:
- at first global warming is a myth and we pull out of Kyoto, now it's real and administration wants to lead. They lost their chance a long time ago.


and one more thing, "THE INTERNETS." They are using and making laws on technology stuff yet they have no idea about concepts (net neutrality anyone?)

I could come up with a never ending list of crap but I simply don't have the time.
Reply to this comment View all 2 replies
we gave up our rights in 2000
by dondarko July 17, 2007 4:38 PM PDT
to simply put it
Reply to this comment
It's illegal for them to answer anything else ...
by My-Self July 17, 2007 6:50 PM PDT
It's illegal for them to answer anything else ... McAfee and Microsoft who both refused to answer some questions are closer to the truth than those who gave false assurance.

They all lied because the Patriot Act prohibits them from telling anyone about those activities. The law says there should be 'delayed notification', without defining the delay. So, maybe one day, they'll be allowed to say the truth, or not.

http://www.cdt.org/security/011019sneakandpeek.shtml
Reply to this comment View all 2 replies
Easy protection.
by ralfthedog July 17, 2007 7:53 PM PDT
Get a small junk computer, Put Linux, or some form of open source Unix on it (Do not use windows).

Get any one of a number of packet sniffers that run in promiscuous mode.

Turn on your main computer, type a bunch of stuff, look at where your computer is sending packets.
Reply to this comment View reply
eEye terrorist
by eni9ma July 17, 2007 8:28 PM PDT
There's something about the good old boys at eEye security that always keeps us on the Grey Hat security scene on our toes laughing at the poor idiotic souls who purchase eEye products. For those who aren't familiar with eEye, we implore you to take a look at their "Chief Hacking Officer" otherwise known as Marc Maiffret. They may want to look into his ties to Khalid Ibrahim of the Harkat-Ul-Ansar terrorist group.

Most are wondering who, or who cares, but for American companies who have employees responsible for purchasing eEye products who are reading this, Harkat-Ul-Ansar is a known terrorist group according to the United States government. Ibrahim, is connected to the original World Trade Center bombings and is said to have cooperated with the FBI in ratting on other terrorists no-gooders. So what was Marc Maiffret then known as Chameleon (previously known as sn1per) of the moronic hacking group Masters of Downloading (not to be confused with Mark Abene's MOD) doing taking money from a terrorist? According to Marc, he was "at the wrong place at the wrong time".

Now common sense and logic shows the argument of "wrong place wrong time" but how could one have been at the wrong place, accepting money from the wrong people at the wrong time? I mean Marc, you were cashing a check. It didn't slip into your pocket, it didn't magically appear in your pocket. Now one could allude to this notion of Marc being innocent by saying something like; "Maiffret was caught up in a sweep of an area" That might have worked but he was trying to cash a check from a known terrorist who was trying to buy satellite images.

Carrying on, everyone who took computer security seriously at the time began distancing themselves from Marc, he was kicked out of the security group rhino9 and it is likely he became an informant along with the guys at Attrition.org (we will elaborate on this in another posting.) For a little bit of "true" underground hacking history, the kind of stuff you won't see anywhere out of fear of federal intervention on behalf of "cooperating witnesses/snitches", let's give a brief explanation of what had been happening in the late 90's through early 2000 when Janet Reno was in office. The government was closing in on idiots (hackers), and turning them into snitches, nothing more and nothing less. One could have beautified this comment, but that is the bottom line clean cut truth of the matter.

Now let's take a simple step back for a moment to ask oneself, has there ever been a time when someone's house or business was raided by the Federal Bureau of Investigation and the person left untouched without being arrested? Do the simple mathematics here. Supposing two federal agents visited you, they would need a court order, they would need gas to get to your home, they would need substantial information, etc.. How much do you think it would cost? Let's factor the salaries only. For whom shall we start with? The judge who gave permission to whom ever issued the warrant, the agents' supervisor? There is a lengthy process the federal agents had to go through, or at least there was at that time, when an agent had to go through to knock on someone's door. In any case, if they were there, they were there to arrest you period. So why wasn't he charged Sherlock? Why should he be charged with anything, it was a simple mistake the feds made right? Wait, they just came under suspicion and let them go because they had nothing! If you believe this, I have a Bridge for sale.

So the remaining question is; Does Marc and company have a backdoor in its products for the federal government? Is eEye Security nothing more than a method for the government to track which hackers have downloaded and are using eEye products and where they are coming from? Enquiring minds want to know. There was a little known fact about the late 90's and early 2000's and this part becomes foggy and hearsay. Rumormill at the time was the feds were building a "hacker" database along with other now defamed idiot John Vranesevich.

The government's notion then, was, when the federal government needed funding for another cybercrime center, they would pull a random name out of its database, and being they had evidence of hacks via way of attrition, they would either make an arrest a month, or convert the arrested hackers into snitches. Pretty interesting method of bringing up statistics in hopes of building a budget wouldn't you say. So now that the cat comes out of the bag a decade later, many security professionals who were then "on the scene" will begin to know the truth and nothing but the truth.

Mention of attrition? The definition of it was its intent, but moving on to Jericho since you asked for it, is he a government snitch. He too was raided by the feds. One can either take the same stance of it was a mistake, or do the math as well. Martin is a character in his own mind, so he will likely retort with a craftily written retort but before he does, perhaps he should take into account the power of an FOIA request. Jericho before you shoot off your mouth, ask yourself do you REALLY want the public to see who you really are? Should we also bring out good old Pete Shipley? Those on the scene with a clue already know you are a perverse idiot capable of bedding a cat if it stood still, would you care to have your information disclosed the FOIA way? We may or may not get to you guys in another post but for now, back to eEye and their secret backdoors.

This new information about the hacking days of the mid to late nineties and early millennium may overwhelm many in the security industry who may have thought these were good guys, friends. "Hackers with a cause". For those wondering if this is hyperbole, I implore you to Google information on Marc. While you're at it, for those in the academic industry, feel free to find someone in the United States government who can ask any federal agent the following questions: "Has there ever been a time they've raided someone's house without probable cause.", "How difficult would it be to obtain a warrant to raid someone's home with guns drawn, and walk away without arresting the suspect they raided for, after solely speaking with him".

You see Jericho (Brian Martin) and his cohorts at the website Attrition were at the time mining hacker information. They will swear they won't do so but we know better. So how does Jericho tie into eEye? Simple, via way of Dale Coddington aka Punkis who works at eEye. Snitches of a feather flock together. See it worked like this, once upon a time there was #dc-stuff, no wait, some may not be ready for that. krystlia, malvu, Brian Martin along with Peter Shipley hacking the NYTimes as HFG. (don't worry Martin, I believe the US has a statute of limitations). There shall be more to come in upcoming weeks. Until then, be careful of those so called old school hackers you look up to. Chances are they are nothing more than government rats.

http://marc.info/?l=bugtraq&m=90221103125889&w=2
http://en.wikipedia.org/wiki/Harkat-ul-Ansar
Reply to this comment View reply
They never detected Magic Lantern
by Troll Hard July 18, 2007 2:37 PM PDT
and they won't detect Fedware either.

Magic Lantern was the virus that Clinton's administration invented. It is a key logger, monitors email and web usage, and all malware and security companies have to ignore it or face federal charges.
Reply to this comment
Gave up our rights? Not possible.
by intexx July 18, 2007 2:53 PM PDT
They're not ours to give away. We may use them, to be sure, but we can't give them up.

They were granted to us for our use, not by government, but by our creator. America is the first society in the history of mankind--and simultaneously the last--whose national charter officially recognizes this.

We then created government to protect our rights.

Here lately the problem is that the servant has taken over the house. We've got to get our once-legitimate government back.
Reply to this comment View all 2 replies
Build a better mousetrap...
by Impreza WRX July 19, 2007 7:10 AM PDT
...and they will build a better mouse.

To circumvent the whole silent keylogger thing all you need is a bootable Linux CD that you pop into the drive when you want to do that kind of stuff. This bypasses the main operating system and the spyware keylogger. Plus, by using a CD-R or DVD-R, you can not get your bootable Linux infected, someone would have to physically burn an infected copy and swap the real one for it.

Back to the drawing board!
Reply to this comment View reply