Will Security Firms Detect Police Spyware?
cnet-declan writes "A recent appeals court case dealt with Drug Enforcement Administration agents using a key logger to investigate a suspect using PGP and Hushmail. That invites the obvious question: Will security companies ever intentionally overlook police spyware? There were somewhat-muddled reports in 2001 that Symantec and McAfee would do just that, so over at News.com we figured we'd do a survey of the top 13 security firms. We asked them if it is their policy to detect policeware. Notably, Check Point said it would 'afford law enforcement' the courtesy of whitelisting if requested. We've also posted the full results, with the companies' complete answers. Another question we asked is if they have ever received a court order requiring them to overlook police key loggers or spyware. Symantec, IBM, Kaspersky, and others said no. Only Microsoft and McAfee refused to answer."
note to self (Score:5, Informative)
never buy anything from check point.
TFA didn't ask about National Security Letters (Score:5, Informative)
But if what they had received instead was a NSL, they would be under a gag provision (with *jail* as the penalty) to not mention anything about it.
That's only in Amerika of course.
The importance of open source... (Score:3, Informative)
-matthew
Sony Rootkit.... (Score:3, Informative)
Time for everyone to switch to Linux. The more eyeballs we can get on code the more likely someone isn't able to sneak shit like this in.
Well, this isn't exactly new... (Score:5, Informative)
Re:TFA didn't ask about National Security Letters (Score:3, Informative)
Re:Police spyware used by the dark side? (Score:3, Informative)
So, yes, such white-listed malware is bound to get into the hands of crooks--especially if it's in the hands of cops.
Re:TFA didn't ask about National Security Letters (Score:5, Informative)
Re:Would you TRUST their answers if they said "no" (Score:3, Informative)
Of course, setting the permissions correctly is a PITA...and so is using a system so configured. But it's probably as secure as you can get, bar a disconnect from the internet.
Re:Security (Score:5, Informative)
"Government agencies and backdoors in technology products have a long and frequently clandestine relationship. One 1995 expose by the Baltimore Sun described how the National Security Agency persuaded a Swiss firm, Crypto, to build backdoors into its encryption devices. In his 1982 book, The Puzzle Palace, author James Bamford described how the NSA's predecessor in 1945 coerced Western Union, RCA and ITT Communications to turn over telegraph traffic to the feds."
With Bush in office you can only expect more of the same.
McAfee and Symantec dropped the ball (Score:5, Informative)
If Symantec and McAfee will let SONY hack your PC, they'll let the government hack your PC.
Can anyone recommend a virus scanner that looks after the customer rather than the virus companies' one-day-maybe potential business partners if they get lucky?
Re:Uhm no (Score:2, Informative)
Re:Security (Score:3, Informative)
Anyone that trusts AV vendors - especially foreign ones - not to embed backdoors and spyware, or to whitelist their government's "tools" is a bit too trusting IMHO.
Bullshit (Score:1, Informative)
Call me stupid, but don't most virus/malware scanners use heuristics and other methods designed to detect methods of attack, rather than particular signatures attached to specific pieces of software? Scanners could work in two ways: find residue/signatures of specific pieces of problem software, then clean up/block that software. Or, in addition to signatures, detect methods problem software uses, such as scanning every port in order, using known methods to attempt to hide in memory, attempting to install without user confirmation, etc. If scanners use methods, not just signatures, then police designed software would be just as likely to be detected as any other new virus/malware.
I don't know a lot about this, but it seems to me that ever since viruses began to hide themselves in memory and polymorph on the hard drive, i.e. since 1994 or so, scanners have had to be more clever and have had to look for methods. They recognize types of behaviors and types of signatures which are known to correlate pretty well to virii and malware.
This possibility is confirmed by AVG's Fran Bosecker [TFA]: AVG detects methods not signatures. Therefore police malware would have to use novel methods to be undetectable.
And again, my assumption is confirmed, by Randy Drawas of Kaspersky Lab [TFA]: And again my view is confirmed, this time by Vlad Gorelik of Sana Security [TFA]: And, finally, my view is confirmed by Dan Hubbard of Websense [TFA]: If this is true, and police software is as likely to be picked up as any other malware, then the police require malware whitelisting to do their job. It is not moot.
The average police agency, slowed down with bureaucratic molasses, will not be at the forefront of malware development. They will need whitelisting, OR methods that disable security software.
I'm shocked the parent got +5. Are there no technically competent
Re:Generic test? (Score:3, Informative)
You can't determine jack by time consumption. First of all, the time a keylogger uses can be ignored. You also cannot predict how the scheduling works; you might lose the focus just inside your checking routine and a heap of milliseconds is gone before your program gets its timeslice again. Not possible.
You could generate keystrokes, but unless the keylogger somehow manipulates them (which would kinda defeat the purpose of being undetectable), you'd get what you send. Copying information leaves the original information unchanged.
Keyloggers are rather "lightweight". Windows offers its own API routines to facilitate it, and makes heavy use of them itself (for keyboard layout drivers).
What you could do is overwrite the system call for the keyboard hooking routine, so you'd know every time some program accesses it, then compare the programs using it to a list of "known good" programs and yell if a program not matching that list makes use of the API call. That works as long as the malware uses the API. If it goes ahead and comes with its own keyboard drivers, you'd also have to monitor what kind of beast is responsible for the raw keyboard input.
And when you're done with that all, you'll realize that it's not even a keylogger but just a BHO that copies all information you type into your IE, which uses completely different ways of stealing your information.
In other words, if you want to be safe from Windows malware, use a different system.
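A toy version of the two detection approaches discussed in the comments above (signatures versus behavioural heuristics in the "Bullshit" comment, and the "known good" allowlist for programs that install keyboard hooks in the "Generic test" reply), as an added example that is not from the thread or from any of the vendors named. Everything in it is constructed: the hash list, the process names, the allowlist and the event records stand in for what a real product would take from its signature feed, its baselining and its kernel or API hooks.

```python
"""Toy host-based detector: signature matching plus behavioural rules.

Added example, not code from the Slashdot thread or any AV vendor.
All hashes, process names and events below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed signature list: fake hash -> detection name (not real IoCs).
SIGNATURES = {"deadbeef00000001": "Trojan.Constructed.A"}

# Constructed allowlist of processes expected to install keyboard hooks.
# A real list would come from baselining the machine, not from guesswork.
HOOK_ALLOWLIST = {"explorer.exe", "ctfmon.exe"}

PORT_SCAN_RUN = 5  # this many consecutive ports in order counts as a scan


@dataclass
class Event:
    proc: str            # process that caused the event
    kind: str            # "exec", "connect", "hook" or "persist"
    data: dict = field(default_factory=dict)


def signature_hits(events):
    """Signature scan: catches only what is already on the list."""
    hits = []
    for e in events:
        if e.kind == "exec":
            name = SIGNATURES.get(e.data.get("sha"))
            if name:
                hits.append((e.proc, "signature", name))
    return hits


def _has_sequential_run(ports, n):
    """True if the port list contains n consecutive, ascending ports."""
    run = 1
    for a, b in zip(ports, ports[1:]):
        run = run + 1 if b == a + 1 else 1
        if run >= n:
            return True
    return False


def behaviour_hits(events):
    """Behavioural rules: flag how a program acts, not what it is."""
    hits = []
    ports = defaultdict(list)
    for e in events:
        if e.kind == "hook" and e.data.get("hook") == "WH_KEYBOARD_LL":
            # The "Generic test" idea: keyboard hook from outside the allowlist.
            if e.proc not in HOOK_ALLOWLIST:
                hits.append((e.proc, "behaviour", "keyboard hook from non-allowlisted process"))
        elif e.kind == "connect":
            ports[e.proc].append(e.data.get("port", -1))
        elif e.kind == "persist" and not e.data.get("user_confirmed", False):
            hits.append((e.proc, "behaviour", "persistence installed without user confirmation"))
    for proc, plist in ports.items():
        if _has_sequential_run(plist, PORT_SCAN_RUN):
            hits.append((proc, "behaviour", "sequential port scan"))
    return hits


def scan(events):
    """Run both detectors and return all (process, method, reason) hits."""
    return signature_hits(events) + behaviour_hits(events)


# Constructed event stream: one known sample, one unknown keylogger that
# uses the documented hook API, a legitimate hook user, and a port sweeper.
SAMPLE_EVENTS = [
    Event("oldtrojan.exe", "exec", {"sha": "deadbeef00000001"}),
    Event("svchost32.exe", "exec", {"sha": "0123456789abcdef"}),   # not in signatures
    Event("svchost32.exe", "hook", {"hook": "WH_KEYBOARD_LL"}),
    Event("explorer.exe", "hook", {"hook": "WH_KEYBOARD_LL"}),      # allowlisted
    Event("portsweep.exe", "connect", {"port": 1000}),
    Event("portsweep.exe", "connect", {"port": 1001}),
    Event("portsweep.exe", "connect", {"port": 1002}),
    Event("portsweep.exe", "connect", {"port": 1003}),
    Event("portsweep.exe", "connect", {"port": 1004}),
    Event("updater.exe", "persist", {"user_confirmed": True}),       # asked the user
]

if __name__ == "__main__":
    for proc, method, reason in scan(SAMPLE_EVENTS):
        print(f"{proc:15} {method:10} {reason}")
```

Running it, the known sample is found only by the signature rule, the unknown keylogger only by the behavioural rule, and explorer.exe and the confirmed installer pass. The reply's caveat still applies to the toy: a logger that ships its own keyboard driver never calls the hooked API, so the allowlist rule sees nothing, and the detector would need visibility into raw keyboard input (or into the driver load itself) to notice it.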
AS LUCK WOULD HAVE IT... (Score:3, Informative)
http://www.wired.com/politics/law/news/2007/07/fb
Re:TFA didn't ask about National Security Letters (Score:3, Informative)
Irrelevant... (Score:3, Informative)
Since no one else has mentioned it...
CALEA [wikipedia.org].
When an ISP gets a subpoena, they're required to be able to tap your internet traffic basically at a moment's notice. The law enforcement agency will then receive a full packet trace of literally every bit of your network traffic.
Granted, this is meaningless on a stand-alone pc that's not connected to the internet, but the instances where they'll want to install gov't spyware on this type of system has got to be far, far less often.