Privacy Your Rights Online

Will Security Firms Detect Police Spyware?

Posted by kdawson
from the who-do-you-trust dept.
cnet-declan writes "A recent appeals court case dealt with Drug Enforcement Administration agents using a key logger to investigate a suspect using PGP and Hushmail. That invites the obvious question: Will security companies ever intentionally overlook police spyware? There were somewhat-muddled reports in 2001 that Symantec and McAfee would do just that, so over at News.com we figured we'd do a survey of the top 13 security firms. We asked them if it is their policy to detect policeware. Notably, Check Point said it would 'afford law enforcement' the courtesy of whitelisting if requested. We've also posted the full results, with the companies' complete answers. Another question we asked is if they have ever received a court order requiring them to overlook police key loggers or spyware. Symantec, IBM, Kaspersky, and others said no. Only Microsoft and McAfee refused to answer."
  • Security (Score:2, Insightful)

    by Anonymous Coward
    "Tbireazrag ntrapvrf naq onpxqbbef va grpuabybtl cebqhpgf unir n ybat naq serdhragyl pynaqrfgvar eryngvbafuvc. Bar 1995 rkcbfr ol gur Onygvzber Fha qrfpevorq ubj gur Angvbany Frphevgl Ntrapl crefhnqrq n Fjvff svez, Pelcgb, gb ohvyq onpxqbbef vagb vgf rapelcgvba qrivprf. Va uvf 1982 obbx, Gur Chmmyr Cnynpr, nhgube Wnzrf Onzsbeq qrfpevorq ubj gur AFN'f cerqrprffbe va 1945 pbreprq Jrfgrea Havba, EPN naq VGG Pbzzhavpngvbaf gb ghea bire gryrtencu genssvp gb gur srqf."

    Jvgu Ohfu va bssvpr lbh pna bayl rkcrpg zber
    • Re:Security (Score:5, Informative)

      by Jugalator (259273) on Tuesday July 17, 2007 @06:47PM (#19894985) Journal
      Decoded because tinfoiling or making a point this way is just plain annoying... :-p

      "Government agencies and backdoors in technology products have a long and frequently clandestine relationship. One 1995 expose by the Baltimore Sun described how the National Security Agency persuaded a Swiss firm, Crypto, to build backdoors into its encryption devices. In his 1982 book, The Puzzle Palace, author James Bamford described how the NSA's predecessor in 1945 coerced Western Union, RCA and ITT Communications to turn over telegraph traffic to the feds."

      With Bush in office you can only expect more of the same.
    • What are the chances of success of a company specifically advertising that they don't overlook any spyware (including intelligence services spyware) from any country including US and making their business model on it?
    • Re: (Score:3, Funny)

      by muffen (321442)
      Hmm, I'm getting a bit worried here, I broke this encryption using my fingers, and if breaking encryption is illegal, my hands.. ehh... gotta run!
  • by khasim (1285) <brandioch.conner@gmail.com> on Tuesday July 17, 2007 @05:07PM (#19893885)
    I don't trust any of them NOT to do whatever the cops/government want(s).

    Open Source all the way.
    • They don't need to turn a blind eye to policeware. The commercially available remote administration tools aren't in the databases.
    • Uhm no (Score:2, Interesting)

      by Cafe Alpha (891670)
      But it's not the source, it's the data.

      And publishing data or distributing which compromises investigations is probably a felony.

      So how would your open source system work? Would you openly publish how to recognize all of the government's spy software?
      • So how would your open source system work? Would you openly publish how to recognize all of the government's spy software?

        Nope. Just the opposite. Instead of searching for software that could be spying on you, the transparency means that you already know what is running and what it is doing.
        • Re: (Score:2, Interesting)

          by Eternauta3k (680157)

          ps ax | wc -l
          119
          So... in order to stay away from spyware, you have to know what those 119 processes do?
      • Re: (Score:2, Insightful)

        by misleb (129952)

        So how would your open source system work? Would you openly publish how to recognize all of the government's spy software?


        Sure, why not? Fight the power.

        -matthew
      • Re: (Score:2, Insightful)

        by iminplaya (723125)
        Would you openly publish how to recognize all of the government's spy software?

        Damn straight! Would I put my name on it? Hell, no!
    • by schwaang (667808) on Tuesday July 17, 2007 @05:20PM (#19894047)
      The question was "Have you ever received such a court order signed by a judge...".
    But if what they had received instead was an NSL, they would be under a gag provision (with *jail* as the penalty) to not mention anything about it.

      That's only in Amerika of course.
      • Re: (Score:2, Interesting)

        by UbuntuDupe (970646) *
        Isn't there necessarily a question that they *can* answer, though?

        "Have you been given a court order to let police spyware in?" --> Must say no because of a gag order.
        "Have you ever been in a position where the law required you to lie about questions related to your spyware activities?" --> ???
        • Re: (Score:2, Interesting)

          by Anonymous Coward
          Well, there's considerable debate about that kind of question [wikipedia.org]. Okay, it's not quite the same situation, but it's somewhat similar. I think the responses of some classic ST:TOS episodes [wikipedia.org] are probably appropriate. Something along the lines of "I'm not programmed to respond in that area", or perhaps a shower of sparks before the lawyer's head explodes.

          Most likely, they'd just say they are unable to answer. "Null" answers are always an option for lawyers.
        • by badfish99 (826052) on Wednesday July 18, 2007 @03:22AM (#19898209)
          A friend of mine once worked in a job that required him to have signed the Official Secrets Act (this was in the UK, many years ago). He told the following story: I don't know whether it was true.

          Once you have signed the act, you are not allowed to reveal certain official secrets. He read the act and discovered that the fact that he had signed the act would be one of the official secrets that he was not allowed to reveal.
          So, whenever he was asked whether he had signed the act, he would say "under section x.y of the act, I am not allowed to tell you that". Everyone took this to mean "yes", and duly proceeded to reveal their various secrets to him. Of course, he had never signed the act.
          • Re: (Score:3, Informative)

            It's an amusing story, but of course it is not true. First, the Official Secrets Acts (1911 and 1989) are law, and are enforceable whether the person in question has signed anything or not, just like any other law. "Signing the Official Secrets Act" (or more properly, signing a statement acknowledging that they understand the provisions of the Act) is simply a way of impressing people and reminding them that loose lips sink ships. Second, the Act doesn't say anything about signing it, and of course nothin
      • Re: (Score:3, Informative)

        For the rest of you Googlers: National Security Letter [wikipedia.org]
      • by billsf (34378)
        That's only in Amerika of course.

        Get real. This can happen anywhere, so I will make the rare move in defense of America. There are lots of reasons to hate America but this is absurd. Enough said.
        • by schwaang (667808)
          For the record, I absolutely do not hate America, and have never said such. But I do hate the erosion of the liberties upon which it was founded. Every inch towards a police state, including gag orders and warrantless searches would fall in that category.
      • In which case a non-answer could actually be considered more honest than the truthful but misleading statement that they'd never received a court order.
        • Actually, rereading the article, I think National Security Letters were covered. They're not signed by a judge, so answering Yes to the following question:

          "Is it your policy to alert the user to the presence of any spyware or
          keystroke logger, even if it is installed by a police or intelligence
          agency in the absence of a lawful court order signed by a judge?"

          means that their software would still alert you.
      • Re: (Score:3, Interesting)

        The question was "Have you ever received such a court order signed by a judge...".
        But if what they had received instead was an NSL, they would be under a gag provision (with *jail* as the penalty) to not mention anything about it.


        So tell them to answer "no" until such time as their answer changes to "no comment"
    • by iamacat (583406)
      Indeed, why should you trust a private company (that too made up of former black hats) to be any more moral/law abiding than elected officials under public oversight? I think you should become as passionate about politics as you are about open source.
    • I don't trust any of them NOT to do whatever the cops/government want(s)

      This is an interesting point. I think I'm willing to trust a company depending upon its previous behavior in regard to court orders, etc, and their overall behavior as a corporate actor. For example, I don't have any reason not to trust AVG, so I'm going to trust them unless I see a reason not to.

      Microsoft on the other hand, I wouldn't trust as far as I can throw the entire set of Justice Dept. filings against them.

  • by Anonymous Coward on Tuesday July 17, 2007 @05:08PM (#19893905)
    I am going to send all my private messages by owl from now on.
  • note to self (Score:5, Informative)

    by timmarhy (659436) on Tuesday July 17, 2007 @05:09PM (#19893919)
    "Check Point said it would 'afford law enforcement' the courtesy of whitelisting if requested"

    never buy anything from check point.

    • Re: (Score:2, Flamebait)

      by kevin_conaway (585204)

      What if they have a court order? Do you not have a phone either?

      This whole article smells like FUD against the government. If they have a court order (with proper oversight), I don't see a problem with this

      • Re:note to self (Score:5, Insightful)

        by Danse (1026) on Tuesday July 17, 2007 @06:16PM (#19894657)

        If they have a court order (with proper oversight), I don't see a problem with this
        Read a newspaper in the last few years? Oversight is pretty much non-existent anymore.
      • by misleb (129952)
        Um, how can you have judicial oversight for a blanket whitelist?

        -matthew
      • Re:note to self (Score:5, Interesting)

        by statusbar (314703) <jeffk@statusbar.com> on Tuesday July 17, 2007 @06:21PM (#19894711) Homepage Journal
        All that needs to be done is for a hacker to find out what specific software is used by the police, and subvert it so that the hacker can use it to attack people while the spyware detector software purposely ignores it, thinking that it is from the police.

        --jeffk++
      • Re:note to self (Score:4, Insightful)

        by rtb61 (674572) on Tuesday July 17, 2007 @11:00PM (#19896927) Homepage
        Problem, easy, hmm, police spyware, the magic box solution, the code can't ever be copied and used for criminal purposes, less than honest law enforcement officers would never ever sell copies of the program for other people to use, never ever.

        Technically law enforcement is giving the code away free, to the very criminals we should be endeavouring to keep the code away from, all they have to do is find it and get a cracker to reverse engineer it.

        A back door is a back door is a back door, when you pay for security software you pay for a complete solution, not some thing that leaks like a sieve. Security companies either declare the holes in the package or they knowingly commit fraud about the security of the software that they are providing.

        Basically if the law enforcement want to poke their sticky beaks in, they need to whack in a bit of hardware and have the warrant to go along with it, software is just a bull shit lazy trap waiting to blow up in their and our faces.

    • Re: (Score:3, Insightful)

      by ArcherB (796902) *
      "Check Point said it would 'afford law enforcement' the courtesy of whitelisting if requested"

      never buy anything from check point.


      So I presume you are against the police using spyware as a tool in all circumstances?
      Would your opinion change if the Police had a warrant? What if asked your permission to "snoop" your notebook that was stolen from you a week before in an effort to recover it?

      Is this just limited to adware? If you daughter were kidnapped, would you protest them using her cel phone to track her
      • Re: (Score:2, Insightful)

        by Anonymous Coward
        So I presume you are against the police using spyware as a tool in all circumstances? Would your opinion change if the Police had a warrant? What if asked your permission to "snoop" your notebook that was stolen from you a week before in an effort to recover it? I would rather have a backdoor entry to which only I have access to, or somebody else after I permit him to, for my laptop.. giving a free access to my property isn't something I am comfortable with.. if there is a warrant, then take my laptop and e
      • by stinerman (812158)

        So I presume you are against the police using spyware as a tool in all circumstances?

        Not at all so long as the proper warrants are issued.

        Would your opinion change if the Police had a warrant?

        See above.

        What if asked your permission to "snoop" your notebook that was stolen from you a week before in an effort to recover it?

        That sentence isn't grammatically correct, so I can't tell what you mean.

        Is this just limited to adware? If you daughter were kidnapped, would you protest them using her cel phone to track

      • Re:note to self (Score:5, Insightful)

        by evanbd (210358) on Tuesday July 17, 2007 @05:39PM (#19894253)

        Warrants should be required for the police to install the keylogger, and a court order or similar should be required for the AV program vendor to assist. If the necessary warrants and orders are in place, by all means, they ought to comply. But CheckPoint has said they don't feel a need to wait for such -- just the say-so of the police. That way lies abuse of power.

        • by ArcherB (796902) *
          Warrants should be required for the police to install the keylogger, and a court order or similar should be required for the AV program vendor to assist. If the necessary warrants and orders are in place, by all means, they ought to comply. But CheckPoint has said they don't feel a need to wait for such -- just the say-so of the police. That way lies abuse of power.ability to abuse, you end up with policemen walking a beat with little more than a whistle to do their jobs! The trick is to recognize the pote
          • by ArcherB (796902) *
            (damn preview!)
            Warrants should be required for the police to install the keylogger, and a court order or similar should be required for the AV program vendor to assist. If the necessary warrants and orders are in place, by all means, they ought to comply. But CheckPoint has said they don't feel a need to wait for such -- just the say-so of the police. That way lies abuse of power.

            I doubt that checkpoint can turn off features of its product on a particular set of machines after the product has been sold and
            • by Chris Burke (6130)
              I'm against abuses of power too, but anything can be used to abuse power. If you take away 100% of the ability to abuse, you end up with policemen walking a beat with little more than a whistle to do their jobs! The trick is to recognize the potential, demand oversight and employ extremely strict punishment to prevent abuse so the tools are allowed to be used in a legal manner.

              Yah, no kidding. That's why he said it was okay if they had a warrant, i.e. with court oversight. Those first two sentences compri
              • by ArcherB (796902) *
                Yah, no kidding. That's why he said it was okay if they had a warrant, i.e. with court oversight. Those first two sentences comprise nothing but a strawman.

                Here, I don't think you understood the post. I'll repost it here to save you the trouble of looking it back up. I'll even bold the important part for ya:

                I doubt that checkpoint can turn off features of its product on a particular set of machines after the product has been sold and installed. They either include the ability to check for law enforcement snooping or they don't unless checkpoint installs a back door that only they have access to, but then THEY become a spyware company!

                In other words, if checkpoint has their software check for whatever law enforcement agencies use, then is going to check for whatever law enforcement agencies use. The checkpoint's software has no wa

                • Exactly. We can probably make the reasonable assumption that the vendor goes with a cheap "solution", which is installing a backdoor into their software. Supposedly only the vendor will know the password or whatever authentication mechanism they use, but once you have a backdoor like that you've opened yourself up to the criminals too. And you have to trust that the vendor (including any disgruntled employees) will never allow access to anyone without a warrant.

                  I have no problem with law enforcement usin
            • Re: (Score:2, Insightful)

              If you take away 100% of the ability to abuse, you end up with policemen walking a beat with little more than a whistle to do their jobs!

              That's a real good indicator that we don't need so many policemen.

              Now if we could just do something about the part about having 1100 new, lobbyist driven laws every year maybe we could balance things out.

              The trick is to recognize the potential, demand oversight and employ extremely strict punishment to prevent abuse so the tools are allowed to be used in a legal manner.

              That's not a trick. It's utter and complete fantasy to think that the system won't be exploited at the oversight level, or that "extremely strict punishment" won't be selectively enforced.

            • Re:note to self (Score:5, Interesting)

              by HiThere (15173) <charleshixsnNO@SPAMearthlink.net> on Tuesday July 17, 2007 @07:03PM (#19895133)
              You *have* noticed what kind of oversight is being provided these days? When ANY is provided...

              Oversight essentially means they run back to the office and time-stamp a preprinted form. There's a little more involved than that, but not much. They get to choose the most pliable judge available...and there are some who are pretty pliable.

              The bizarre thing is that even THAT much oversight is seen as too much by those in charge of the snooping agencies. And it's not usually because of urgency. (As I recall they can get special exemptions for planting a bug on a target of opportunity...retroactive permission.)

              The current moral corruption of the police appears to extend all the way from the local level to the federal. (I hope your local police are still honest. If so, count yourself lucky...or uninformed.)

              This current level of corruption probably reaches back to Nixon's Imperial Presidency, and before him to FDR's centralization of the government. And before him, also. (Notice that it's not specific to any one party. What one party does, the other party rarely repeals.) With the removal of habeas corpus it's barely disguised any more. This *IS* a police state. So far it's a more humane one than most of its predecessors, but it has the diagnostic features. Britain is, or appears to be headed, the same way.

              Probably this is because of two basic features:
              1) Population density makes it more difficult to control people, and
              2) The removal of a frontier means that if the powers that be get mad at you, there's no place to escape to.
              Ostensibly these two factors pull in opposite directions, but actually the freedom of the frontier had a back-transference that led to greater liberty in the sessile population.

              What can be done? Solutions seem either difficult or undesirable. Either drastically decrease the population (H5N1 may attempt this solution), or create a new frontier (which must be reachable at least by the middle class, if not by the impoverished). Space travel appears too expensive for the foreseeable future. Ditto for under-sea colonies. And it has to be a meat-space frontier. Virtual realities don't have the same "getting out from under the thumb of an oppressive government" effect (except in fantasy...which isn't sufficient).

      • So I presume you are against the police using spyware as a tool in all circumstances? Would your opinion change if the Police had a warrant? What if asked your permission to "snoop" your notebook that was stolen from you a week before in an effort to recover it?

        No, not in all circumstances. That's just being ridiculous. I have no problem with police using spyware anymore than I have a problem with police doing wiretaps, once they have gotten the appropriate permission to do so. But that's really not what this is about.

        That said, commercial enterprises that are selling me security software to perform a certain task should not be making exceptions. Would you buy encryption software that had a "back door" so that the police could decrypt whatever you encrypted?

      • by msimm (580077) on Tuesday July 17, 2007 @05:55PM (#19894429) Homepage
        Some technologies are simply too easily abused. You want to check my system for criminal activity? Fine. Get a warrant and confiscate it. I don't think this is anti 5-0. This is checks and balances. There are tons of great people involved in law enforcement, but adding tools and exceptions like this is just taking another needless step down a slippery slope.

        We keep gleefully throwing away our rights in the name of what? Fear? That's bad rationale. Our founding fathers must be turning in their graves.
      • Re:note to self (Score:5, Insightful)

        by Copid (137416) on Tuesday July 17, 2007 @06:11PM (#19894583)
        I don't totally disagree in theory, but as I see it, the problem with this is similar to the problem with encryption key escrow: If there's a hole in the security for the "good guys" the "bad guys" will figure out how to exploit it. If the government has a way to get your encryption keys, even assuming that they're always on their best behavior, you can bet that a smart kid somewhere will figure out how to get your keys as well, and you can't assume that he'll be on his best behavior. Likewise, if you program a blind spot into a virus / malware scanner, I don't think it's unreasonable to bet that the same kid will figure out a way to make his malware look benign enough to slip through the same hole.

        It's a simple rule of security: If there's a low security path, the bad guys will take it. That's how they win. Assuming otherwise is silly.
      • Re: (Score:3, Insightful)

        by Bob9113 (14996)
        So I presume you are against the police using spyware as a tool in all circumstances?

        I am opposed to the police using my property to collect evidence against me. It is much akin to my support for the right to not self-incriminate. You want to use your stuff to conduct surveillance? Cool (as long as you have proper authority, etc). But my stuff is my stuff.

        Why is this important? Because in order for technology to take an increasing role in our personal lives, we must be able to trust our technology as much a
      • Re:note to self (Score:4, Insightful)

        by misleb (129952) on Tuesday July 17, 2007 @06:29PM (#19894785)

        So I presume you are against the police using spyware as a tool in all circumstances?


        This isn't about how and when police should use wiretaps. It is about companies ignoring their ethical obligation to detect any and all "spyware." Hence the note to self: "Never buy anything from Checkpoint" They either can't be trusted to do the job you pay them to do.

        For an example of why this whitelisting is a problem regardless of whether or not individual wiretapping cases are legit: What if a criminal decides to utilize the police spyware? How hard can it be to take a machine that has been "bugged" by the police, find the binary, and copy it for your own use... and do your dirty work undetected? All it takes is one clever hacker to dissect the police keylogger and distribute it amongst his friends....

        -matthew
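Copid's key-escrow analogy and misleb's "criminal reuses the police keylogger" scenario above, worked through as a toy signature scanner. This is an added example, not code from the thread or from any vendor named in it; every "binary", path, vendor string and signature below is constructed for the demonstration. It compares three policies: no exemption, an exemption keyed on a metadata string, and an exemption pinned to the exact file hash.

```python
"""Toy malware scanner showing what a deliberate detection exemption costs.

Every 'binary' here is a constructed byte string standing in for a file on
disk; names, vendor strings and signature patterns are invented.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, Mapping


@dataclass(frozen=True)
class Sample:
    """A file as the scanner sees it: its path, a vendor string read from
    file metadata (trivially forgeable), and the raw bytes."""
    path: str
    vendor: str
    content: bytes


# Signature database: detection name -> byte pattern (constructed).
SIGNATURES: Mapping[str, bytes] = {
    "Keylogger.HookInstaller": b"\x00KLOG-HOOK-v1\x00",
    "Trojan.RemoteShell": b"\x00RSHELL-v2\x00",
}

# Constructed samples. The hypothetical 'policeware' binary:
POLICE_BYTES = b"MZ\x90\x00" + b"\x00KLOG-HOOK-v1\x00" + b"build=4711"
POLICE_TOOL = Sample("C:/Windows/Temp/svc_update.exe",
                     "Lawful Intercept Ltd.", POLICE_BYTES)
# The identical bytes, lifted off a bugged machine and reused by someone else.
STOLEN_COPY = Sample("C:/Users/victim/AppData/Roaming/update.exe",
                     "Lawful Intercept Ltd.", POLICE_BYTES)
# Unrelated malware that merely forges the exempted vendor string.
IMPOSTOR = Sample("C:/Users/victim/Downloads/codec.exe",
                  "Lawful Intercept Ltd.",
                  b"MZ\x90\x00" + b"\x00RSHELL-v2\x00")
BENIGN = Sample("C:/Program Files/Editor/editor.exe",
                "Editor Corp.", b"MZ\x90\x00hello world")

SAMPLES = {"police_tool": POLICE_TOOL, "stolen_copy": STOLEN_COPY,
           "impostor": IMPOSTOR, "benign": BENIGN}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan(sample: Sample,
         exempt_vendors: FrozenSet[str] = frozenset(),
         exempt_hashes: FrozenSet[str] = frozenset()) -> str:
    """Return 'clean', 'exempt:<why>' or 'detected:<name>'.

    Exemptions are evaluated before signatures, as a whitelist would be:
    an exempt file is never matched at all, so nothing is ever logged.
    """
    if sample.vendor in exempt_vendors:
        return "exempt:vendor"
    if sha256_hex(sample.content) in exempt_hashes:
        return "exempt:hash"
    for name, pattern in SIGNATURES.items():
        if pattern in sample.content:
            return f"detected:{name}"
    return "clean"


def compare_policies() -> Dict[str, Dict[str, str]]:
    """Scan every sample under the three policies; return verdict table."""
    policies = {
        "no_exemption": {},
        "vendor_whitelist": {"exempt_vendors": frozenset({POLICE_TOOL.vendor})},
        "hash_whitelist": {"exempt_hashes":
                           frozenset({sha256_hex(POLICE_TOOL.content)})},
    }
    return {policy: {label: scan(s, **kw) for label, s in SAMPLES.items()}
            for policy, kw in policies.items()}


if __name__ == "__main__":
    for policy, verdicts in compare_policies().items():
        print(policy)
        for label, verdict in verdicts.items():
            print(f"  {label:12s} {verdict}")
```

The table makes the thread's two points concrete: a metadata-keyed exemption lets any file that forges the string through, and even a hash-pinned exemption cannot tell the original tool from a byte-identical copy in someone else's hands, so only the no-exemption policy flags all three hostile samples.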
      • by MrSteveSD (801820)
        Ignoring police software may open up a hole that other keyloggers can use.
      • by NMerriam (15122)

        never buy anything from check point.

        So I presume you are against the police using spyware as a tool in all circumstances?

        I don't know about the OP, but to me this has nothing to do with the police. I'm against using any antivirus or antispyware that has a built-in backdoor. It defeats the entire purpose of using such software -- all hackers/crackers would have to do is figure out what the "police code" is and they can distribute undetectable viruses all they like.

      • by un1xl0ser (575642)
        If I buy software, I expect the company to be loyal to me. If it detects malware it is not there to judge the intentions of the malware, simply report/quarantine/remove the malware. If it is not possible to detect, they should be forgiven. If they make a deal with law-enforcement agencies, it should be boycotted.

        What happens if the 'good' malware technology gets into the wrong hands? I'm sure that couldn't happen.
      • Re:note to self (Score:4, Insightful)

        by mcpkaaos (449561) on Tuesday July 17, 2007 @09:59PM (#19896519)
        So I presume you are against the police using spyware as a tool in all circumstances?

        Yes, unless they have a proper warrant, legally issued by an actual judge. Refer to the 4th amendment.

        Would your opinion change if the Police had a warrant?

        A warrant means oversight. I'm fine with that. Again, refer to the 4th.

        If you daughter were kidnapped, would you protest them using her cel phone to track her?

        My only protest is that you are resorting to emotions instead of continuing intelligent debate. In any case, it's a clear non-sequitur (and poorly laid trap) and has no place in the discussion.
    • by billsf (34378)
      It may seem harsh, but I fully agree. This is a very serious slip and the company is likely to go out of business. The justification that 'you may need police protection' is seriously flawed. News of a security firm going to the police would most likely result in the firm going bust. This is a no win situation. Best advice: Don't talk.
  • by fishthegeek (943099) on Tuesday July 17, 2007 @05:13PM (#19893957) Journal
    I'm not normally given to conspiracies, but this is ridiculous. The fact that we're having this conversation means that at least someone is concerned about the possibility of Government key loggers not being detected, and if it's taken someone outside of gov't this long to discuss it then I feel certain that the gov't itself has been thinking about this for some time.

    These companies will cave to whatever law enforcement agency has jurisdiction for the investigation quicker than the last Harry Potter book hit the torrents. The only possible exception would be those AV companies that are immediately outside of the grasp of the agency involved. I don't even think that those companies are safe because their own governments would likely bear pressure to comply.
    • Re: (Score:3, Interesting)

      by dotpavan (829804)
      These companies will cave to whatever law enforcement agency has jurisdiction for the investigation quicker than the last Harry Potter book hit the torrents. The only possible exception would be those AV companies that are immediately outside of the grasp of the agency involved. I don't even think that those companies are safe because their own governments would likely bear pressure to comply.

      true, but they could at least try, like Google refused to turn-in the search queries. I know, not every company is

    • by Penguinisto (415985) on Tuesday July 17, 2007 @05:56PM (#19894443) Journal
      Seriously - there's even a good reason why [wikipedia.org] MSFT doesn't really want to talk about it.

      /P

    • Re: (Score:3, Interesting)

      by secPM_MS (1081961)
      Please note that I know nothing whatsoever about Microsoft's activity in this area.

      The libertarian definition of government is an organization that claims a legal monopoly on violence in a region. No company or organization is going to long survive direct and focused government duress - its assets will be seized and its staff find themselves contemplating uncomfortable surroundings. That said, everyone should expect that organizations will comply with court orders / security directives (at lease once they

  • If they do whitelist gov't spyware, they will probably also lie about it.

    I think modern government wouldn't do its own spying, but would find a subcontractor.

  • by Pitawg (85077) on Tuesday July 17, 2007 @05:19PM (#19894035)
    As far as I am concerned, no company that white-lists "entities" is in security.

    White-listing processes/applications/files/data is not global, and is the only level for security. White-listing a company or organization is never an option. It is politics.
  • by Cafe Alpha (891670) on Tuesday July 17, 2007 @05:19PM (#19894043) Journal
    You'll notice that when asked about key loggers they started talking about methods of detection other than signature recognition. Kaspersky even mentioned that he wasn't talking about signature recognition which is the only reliable method.

    You can take this as a hint that none of the companies is distributing signatures of the programs that the government uses.
  • by MattW (97290) <matt@ender.com> on Tuesday July 17, 2007 @05:24PM (#19894089) Homepage
    If policeware gets a free pass to do things that, done by other parties, would be considered "malicious", then other malware will quickly begin to disguise itself as policeware to avoid detection.
    • Re: (Score:3, Insightful)

      by Howitzer86 (964585)
      That's not likely, as there isn't such a thing as a policeware flag. Instead, the federal government will contact the spyware removal companies and let them know that their super secret monitor worm/trojan/virus/whatever is not to be put within their databases.

      Sure, at some point someone may create a malicious program that pretends to be an established policeware program, but that would be big enough to create headlines... and its reign would thus be short.
      • by Boogaroo (604901)
        Are you sure it would be short lived?
        Would media outlets be told not to report it in the name of "national security?"
  • I'd like to see them ask that question. After all, virus checkers see every file on your disk, every email you get and send, every IM chat. So it's a natural point of leverage for any kind of spying. Only the OS itself would be a better target.

    And it's even better than whitelisting, because you can do a blanket search of *everyone* using the virus checker for interesting keywords or known-enemy email addresses. Hey Poindexter, get on it!
  • by misleb (129952) on Tuesday July 17, 2007 @05:43PM (#19894301)
    This highlights the needs for more open source/public software. Whether it is voting machines or spyware scanners. Some things can't reliably be left to commercial vendors with closed source.

    -matthew
  • by syousef (465911) on Tuesday July 17, 2007 @05:52PM (#19894397) Journal
    1. Whitelist police spyware
    2. Crim gets hold of police spyware
    3. Crim pwns your machine, steals your identity and makes your life a living hell for the next 3 years or more.

    If you paid for a piece of anti-spyware and they leave a backdoor open like this, isn't that a case of negligence?
    • Re: (Score:3, Informative)

      by BUL2294 (1081735)
      I live in Chicago. Half the cops here are crooks, and the other half would never snitch on their crooked friends...

      So, yes, such white-listed malware is bound to get into the hands of crooks--especially if it's in the hands of cops.
  • If reputable companies do it, someone will write something to scan for them. It's not like there is only 1 company in business who has a 100% market share.
    • It sounded like the larger companies... MS, McAfee, Symantec... probably have had talks to Law Agencies, whether anything came of it or not.

      So, if you are doing unlawful things, don't rely on the Majors to scan for law-ware, use a lesser known company who hasn't had Discussions with The Man yet.

  • Sony Rootkit.... (Score:3, Informative)

    by Tuoqui (1091447) on Tuesday July 17, 2007 @05:55PM (#19894431) Journal
    Sounds like the Government is planning to implant a rootkit in every single computer or at least leave a vulnerability/flaw in code (very easy to do with Vista since it's so new) which will allow them to do so.

    Time for everyone to switch to Linux. The more eyeballs we can get on code the more likely someone isn't able to sneak shit like this in.
  • by cez (539085)
    What I'd like to see is an actual accounting of "whitelisted" programs, ones that have attained the appropriate certificate.
  • Oh, you don't have one. Policeware... DELETED!
  • -1, Moot (Score:5, Insightful)

    by StikyPad (445176) on Tuesday July 17, 2007 @06:11PM (#19894585) Homepage
    Unlike traditional malware, "policeware" would only be present on the target machine(s), rather than spread to any and every computer, so it's extremely unlikely that AV vendors would ever receive a sample. No sample means it would continue to go undetected, provided it was designed to go undetected in the first place.

    And how often do you look at the back of your computer [google.com]? How often do you think the average user does, or would even notice anything out of the ordinary if they were staring right at one? Sure, this is more difficult on a laptop since it would have to be opened, but it would also be even more discreet. I'm not aware of any products on the market for laptops, but I'm sure LE could commission one to be made, if necessary.

    The point is, it would be an incompetent department indeed which needed cooperation from AV suppliers to keep their surveillance methods discreet.
  • Once the malware is identified, it can be copied and manipulated to run on systems with impunity while it's being ignored by the AV software. It would be reckless to the point of being ineffective forever.
  • by BillGatesLoveChild (1046184) on Tuesday July 17, 2007 @07:13PM (#19895221) Journal
    Consider what happened with the SONY rootkit? Bruce Schneier (Cryptography and Security Expert) reported that Symantec and McAfee who both knew about the SONY rootkit did not add it to their signatures file. Apparently if SONY hacks your computer, that's fine with them! They only updated their files once SONY themselves had retracted the rootkit. http://www.schneier.com/blog/archives/2005/11/sonys_drm_rootk.html [schneier.com]

    If Symantec and McAfee will let SONY hack your PC, they'll let the government hack your PC.

    Can anyone recommend a virus scanner that looks after the customer rather than the virus companies one-day maybe potential business partners if they get lucky?
  • Brilliant! (Score:4, Insightful)

    by Deadplant (212273) on Tuesday July 17, 2007 @07:25PM (#19895321)
    1) AV companies whitelist trojan used by government agents.
    2) government agents install said trojan on all the bad-guys computers.

    So now all the known bad guys have copies of a trojan that is whitelisted by the AV software...
    What could possibly go wrong?
    That's exactly the level of intelligence I've come to expect from this government.

    Oh wait, maybe they'll copyright the trojan so the bad guys can't copy it and use it on other computers...

    Any AV company that co-operates with such a plan is incompetent.
  • A company providing protection from keyloggers and other tools that are installed without the user's consent (malware) should not be making exceptions for anything that would otherwise be considered malware.

    This reminds me of the same arguments that were made for the "clipper chip". That is: "Encryption is OK as long as law enforcement has a back door". The non-technical amongst us would proclaim that "You're against Law Enforcement if you don't support some kind of key escrow service." Security tools t
  • by saikou (211301) on Tuesday July 17, 2007 @08:30PM (#19895825) Homepage
    Unless there's a world-wide conspiracy or a single supplier of "police spyware" in the world, Anti-Spyware products from other countries will not follow "don't detect us" order (and, I bet, there would be one or two posts with "would you look at that?!" notes, listing exactly what "please don't detect us" note says).
    Of course it also implies that gov-spyware is used in such mass quantities that at least one or more somewhat knowledgeable people find that something is wrong and involve anti-virus/spyware vendors.
    So... those who believe in world-wide conspiracy -- there is nothing to protect you (otherwise it wouldn't be ww-c ;) )
    Those who are paranoid -- use anti-virus/spyware kits from different countries. Kill everything suspicious (perhaps including one or two of those anti-virus programs that point at each other as a threat)
    Everyone else... panic for a week, then move on to the new threat/panic/book/movie :)
  • by TempeTerra (83076) on Tuesday July 17, 2007 @09:36PM (#19896351)
    A question. If a malware detector wants to avoid detecting government malware, would they need to explicitly whitelist it or merely fail to blacklist it?

    If they do whitelist government malware, is it possible to read the whitelist and extract the signatures of the whitelisted malware - and then search your system using a modified scanner and the signature they so thoughtfully provided?
  • What about tracking systems on cars that police install, or bugs in your home.

    is it legal to remove them if found? I would destroy them all, uninstall it etc. But is it legal to do so?
  • Generic test? (Score:4, Interesting)

    by wytcld (179112) on Tuesday July 17, 2007 @10:01PM (#19896531) Homepage
    Is there such a thing as a generic test for keyloggers? Perhaps some way to profile a known-clean system and then spot the difference in some aspect of performance if a keylogger is subsequently inserted? If the keylogger is rootkit-like it may be hard to spot in the small space of memory it would require. But wouldn't it usually introduce some slight delay in the speed of keyboard input getting to the intended program? Is there any way to test for that without the test program itself getting the same slightly-delayed input, with no way to measure when the key actually made contact? Can keyboard input be simulated in a way that would send it through any installed keylogger, and so reveal it?

    Alternately, the keylogger is most likely storing the logged keys either in clear or in isomorphic form to the input. So if you inserted your own keylogger into the system, what would it take to scan memory (and drives?) for matches on samples of what your own keylogger captures? Keyloggers aren't going to want to be burdened with heavy encryption to avoid this scanning, since that would add enough system load to make them more spottable by other means. Obviously you'd have to mask out the legitimate memory locations of, say, your word processor the input's going to - which would miss a keylogger patched into your word processor.

    Is anyone working on a way to harden systems against this whole category? (Yeah, key-logging dongles are yet another thing. Software insertion is the question I'm addressing.)
    • Re: (Score:3, Informative)

      by Opportunist (166417)
      The short answer is no. The long answer is more complicated.

      You can't determine jack by time consumption. First of all, the time a keylogger uses can be ignored. You can also not predict how the scheduling works, you might lose the focus just inside your checking routine and a heap of milliseconds is gone before your program gets its timeslice again. Not possible.

      You could generate keystrokes, but unless the keylogger somehow manipulates them (which would kinda defeat the purpose of being undetectable), you
  • by Opportunist (166417) on Wednesday July 18, 2007 @03:27AM (#19898231)
    I just hope the politicians (who invariably are usually the ones with the least knowledge of computers) come to their minds before the big disaster strikes.

    It's not so much an issue of security and anti-malware vendors. A "government trojan" has the potential to become a diplomatic disaster. I mean, ponder the consequences.

    Aside from the political problem that could rise when such a trojan is detected (and I deliberately don't write "if". "When" is the word of choice, because it will be detected, no matter whether AV vendors ignore it, because they must or because they want to 'help their country'), which can quickly destroy the rest of support a government has from its subjects, the foreign politics are much more endangered.

    Imagine the US writing a keylogging and content sniffing trojan. Said trojan is then issued to a potential suspect. Said suspect finds it and forwards it via spam mail to Chinese companies and government. There it's detected, dissected and analyzed, to find that it's a keylogger reporting to the NSA.

    Can you imagine the international implications?

    For European governments, the headaches get even worse. Kaspersky said they won't care (and I believe them. I mean, if I was in Russia and had the backing of the government there, I wouldn't care about "do not find" letters from some minor country in Europe either). European AV researchers will be in The Hague immediately when a "you must not find" letter hits their desk, and sue for unfair competition situations. And then, the cat IS out of the box. Dead or alive.

    What governments around the world didn't get yet is that the success of trojans lies on their spreading. A trojan gets sent to a few thousand targets, a tenth of a percent of which actually click on it and infect themselves. The current very popular and successful form of infecting where you manipulate webpages to spread your malware is definitely out for targeted infections either, you'd have no control over who gets infected.

    So if you send your "targeted" trojan to a thousand suspects, only ONE of them on average will actually be infected. Compare that to the dangers of having that trojan in the "wrong hands" (see above), using such a trojan would be political suicide for any remotely democratic government.
    • Re: (Score:3, Insightful)

      by jimicus (737525)
      You're making an assumption: that malware would take the form of a simple executable, which the user has installed because they foolishly clicked on an email attachment.

      I can think of a few ways in which malware planted by a reasonably determined government could work with much lower risk of detection:
      • Hidden/undocumented APIs in commercial operating systems (note I didn't specify Windows) - will get 99% of suspects, and the police are well aware that there will always be a group that they have substantially
  • by Opportunist (166417) on Wednesday July 18, 2007 @04:09AM (#19898393)
    No, not for the crooks, but for security altogether. Let's take a look.

    Police come forward with a trojan that must not be detected. AV vendors heed the order and whitelist it.

    Now, I dunno if you know how malware is developed. Malware is routinely tested against the current AV tools. Simply because you want to create malware that is at least not immediately detected. So what's the best malware? Exactly: One that MUST NOT be detected. So what's the best base for the ultimate trojan? The police trojan. You only have to create a trojan that matches the whitelist signature of the fed trojan to be safe from detection.

    It's way easier than trying to match your malware against other software that's on a whitelist. That police trojan has to do essentially what you want to do: Infect a computer, install a keylogger, steal the user's passwords, sniff through his files. No "ordinary" software that could be whitelisted does that. Your chances to match your trojan against this piece of whitelisted shit are incredibly higher.

    So if I was a malware writer, I'd be waiting with anticipation for the feds to release it.
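The three scenarios raised in this thread (syousef's and Deadplant's "crim gets hold of the whitelisted trojan" and Opportunist's "match the whitelist entry" above) come down to how the scanner's exception is keyed. The following is an added example, written for this page and not code from any poster or from any AV vendor; the file samples, the byte pattern standing in for a detection signature, and the function names are all constructed for the demonstration. It compares a scanner with no exceptions, one whose exception is keyed by file name, and one keyed by a SHA-256 of the exact content, and shows which of the discussed cases each policy lets through.

```python
"""Added example (not from the thread): how an anti-malware whitelist
entry behaves under the scenarios discussed above. All file samples and
the 'signature' below are constructed for the demo."""
import hashlib
import posixpath
from dataclasses import dataclass

# Constructed stand-in for a real detection signature: the byte pattern the
# scanner flags when no exception applies.
BAD_PATTERN = b"SEND_KEYSTROKES_TO_COLLECTOR"


@dataclass(frozen=True)
class FileSample:
    path: str
    content: bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_plain(sample: FileSample) -> str:
    """Baseline policy with no exceptions: flag anything matching the signature."""
    return "detected" if BAD_PATTERN in sample.content else "clean"


def scan_with_name_whitelist(sample: FileSample, names: set[str]) -> str:
    """Weak exception: skip the signature check when the file name matches.
    Anything that adopts the name inherits the exception."""
    if posixpath.basename(sample.path) in names:
        return "whitelisted"
    return scan_plain(sample)


def scan_with_hash_whitelist(sample: FileSample, hashes: set[str]) -> str:
    """Narrower exception: skip the check only for the exact bytes.
    A modified file is scanned normally; an unmodified copy still passes."""
    if sha256_hex(sample.content) in hashes:
        return "whitelisted"
    return scan_plain(sample)


# Constructed samples for the cases raised in the thread (hypothetical paths).
ORIGINAL = FileSample("/opt/agent/svc.exe", b"HEADER" + BAD_PATTERN + b"v1")
# Deadplant's case: the whitelisted file copied verbatim to another machine.
EXACT_COPY = FileSample("/home/user/downloads/svc.exe", ORIGINAL.content)
# Opportunist's case: different code that only mimics the whitelisted name.
IMPOSTOR = FileSample("/tmp/svc.exe", b"OTHER" + BAD_PATTERN + b"v9")


def run_demo() -> dict:
    """Return the verdict of each policy for each sample."""
    names = {"svc.exe"}
    hashes = {sha256_hex(ORIGINAL.content)}
    results = {}
    for label, sample in (("original", ORIGINAL),
                          ("exact_copy", EXACT_COPY),
                          ("impostor", IMPOSTOR)):
        results[label] = {
            "no_whitelist": scan_plain(sample),
            "name_whitelist": scan_with_name_whitelist(sample, names),
            "hash_whitelist": scan_with_hash_whitelist(sample, hashes),
        }
    return results


if __name__ == "__main__":
    for label, verdicts in run_demo().items():
        print(f"{label:11s} {verdicts}")
```

Running it shows the two failure modes side by side: the name-keyed exception passes the impostor, while the hash-keyed exception catches the impostor but still passes a byte-for-byte copy on any machine, which is exactly the "wrong hands" problem the posters above describe. Only the baseline policy with no exception flags all three samples.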
  • Irrelevant... (Score:3, Informative)

    by naChoZ (61273) on Wednesday July 18, 2007 @08:46AM (#19900103) Homepage Journal

    Since no one else has mentioned it...

    CALEA [wikipedia.org].

    When an isp gets a subpoena, they're required to be able to tap your internet traffic basically at a moment's notice. The law enforcement agency will then receive a full packet trace of literally every bit of your network traffic.

    Granted, this is meaningless on a stand-alone pc that's not connected to the internet, but the instances where they'll want to install gov't spyware on this type of system has got to be far, far less often.
