Will Security Firms Detect Police Spyware? 269

cnet-declan writes "A recent appeals court case dealt with Drug Enforcement Administration agents using a key logger to investigate a suspect using PGP and Hushmail. That invites the obvious question: Will security companies ever intentionally overlook police spyware? There were somewhat-muddled reports in 2001 that Symantec and McAfee would do just that, so over at News.com we figured we'd do a survey of the top 13 security firms. We asked them if it is their policy to detect policeware. Notably, Check Point said it would 'afford law enforcement' the courtesy of whitelisting if requested. We've also posted the full results, with the companies' complete answers. Another question we asked is if they have ever received a court order requiring them to overlook police key loggers or spyware. Symantec, IBM, Kaspersky, and others said no. Only Microsoft and McAfee refused to answer."
  • Security (Score:2, Insightful)

    by Anonymous Coward on Tuesday July 17, 2007 @06:06PM (#19893869)
    "Government agencies and backdoors in technology products have a long and frequently clandestine relationship. One 1995 expose by the Baltimore Sun described how the National Security Agency persuaded a Swiss firm, Crypto, to build backdoors into its encryption devices. In his 1982 book, The Puzzle Palace, author James Bamford described how the NSA's predecessor in 1945 coerced Western Union, RCA and ITT Communications to turn over telegraph traffic to the feds."

    With Bush in office you can only expect more of the same.

  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Tuesday July 17, 2007 @06:07PM (#19893885)
    I don't trust any of them NOT to do whatever the cops/government want(s).

    Open Source all the way.
  • They don't need to turn a blind eye to policeware. The commercially available remote administration tools aren't in the databases.
  • by fishthegeek ( 943099 ) on Tuesday July 17, 2007 @06:13PM (#19893957) Journal
    I'm not normally given to conspiracies, but this is ridiculous. The fact that we're having this conversation means that at least someone is concerned about the possibility of Government key loggers not being detected, and if it's taken someone outside of gov't this long to discuss it then I feel certain that the gov't itself has been thinking about this for some time.

    These companies will cave to whatever law enforcement agency has jurisdiction for the investigation quicker than the last Harry Potter book hit the torrents. The only possible exception would be those AV companies that are immediately outside of the grasp of the agency involved. I don't even think that those companies are safe because their own governments would likely bear pressure to comply.
  • by Pitawg ( 85077 ) on Tuesday July 17, 2007 @06:19PM (#19894035)
    As far as I am concerned, no company that white-lists "entities" is in security.

    White-listing processes/applications/files/data is not global, and is the only level for security. White-listing a company or organization is never an option. It is politics.
  • Re:note to self (Score:3, Insightful)

    by ArcherB ( 796902 ) * on Tuesday July 17, 2007 @06:19PM (#19894039) Journal
    "Check Point said it would 'afford law enforcement' the courtesy of whitelisting if requested"

    never buy anything from check point.


    So I presume you are against the police using spyware as a tool in all circumstances?
    Would your opinion change if the Police had a warrant? What if they asked your permission to "snoop" your notebook that was stolen from you a week before in an effort to recover it?

    Is this just limited to adware? If your daughter were kidnapped, would you protest them using her cell phone to track her?

    I know it's cool to be against the 5-0, but I feel your opinion may change once you need the police to protect you or give you justice when a crime has been committed against you.
  • by MattW ( 97290 ) <matt@ender.com> on Tuesday July 17, 2007 @06:24PM (#19894089) Homepage
    If policeware gets a free pass to do things that, done by other parties, would be considered "malicious", then other malware will quickly begin to disguise itself as policeware to avoid detection.
  • Re:note to self (Score:2, Insightful)

    by Anonymous Coward on Tuesday July 17, 2007 @06:26PM (#19894123)
    So I presume you are against the police using spyware as a tool in all circumstances? Would your opinion change if the Police had a warrant? What if they asked your permission to "snoop" your notebook that was stolen from you a week before in an effort to recover it? I would rather have a backdoor entry to which only I have access, or somebody else after I permit him to, for my laptop. Giving free access to my property isn't something I am comfortable with. If there is a warrant, then take my laptop and examine it.
  • by Anonymous Coward on Tuesday July 17, 2007 @06:32PM (#19894171)
    Because the software can then be captured by the hackers and then used on the government systems, which will have their own software used against them.

    This is exactly like the key-to-the-city thing. If that key gets stolen...

    In the end, it won't work. Government is a business providing a service at the barrel of a gun and as we've seen countless times, the free market never chooses the violent solution.
  • by Howitzer86 ( 964585 ) on Tuesday July 17, 2007 @06:33PM (#19894195)
    That's not likely, as there isn't such a thing as a policeware flag. Instead, the federal government will contact the spyware removal companies and let them know that their super secret monitor worm/trojan/virus/whatever is not to be put within their databases.

    Sure, at some point someone may create a malicious program that pretends to be an established policeware program, but that would be big enough to create headlines... and its reign would thus be short.
  • Re:note to self (Score:5, Insightful)

    by evanbd ( 210358 ) on Tuesday July 17, 2007 @06:39PM (#19894253)

    Warrants should be required for the police to install the keylogger, and a court order or similar should be required for the AV program vendor to assist. If the necessary warrants and orders are in place, by all means, they ought to comply. But CheckPoint has said they don't feel a need to wait for such -- just the say-so of the police. That way lies abuse of power.

  • Re:Uhm no (Score:2, Insightful)

    by misleb ( 129952 ) on Tuesday July 17, 2007 @06:46PM (#19894323)

    So how would your open source system work? Would you openly publish how to recognize all of the government's spy software?


    Sure, why not? Fight the power.

    -matthew
  • by msimm ( 580077 ) on Tuesday July 17, 2007 @06:55PM (#19894429) Homepage
    Some technologies are simply too easily abused. You want to check my system for criminal activity? Fine. Get a warrant and confiscate it. I don't think this is anti 5-0. This is checks and balances. There are tons of great people involved in law enforcement, but adding tools and exceptions like this is just taking another needless step down a slippery slope.

    We keep gleefully throwing away our rights in the name of what? Fear? That's bad rationale. Our founding fathers must be turning in their graves.
  • Re:note to self (Score:5, Insightful)

    by Copid ( 137416 ) on Tuesday July 17, 2007 @07:11PM (#19894583)
    I don't totally disagree in theory, but as I see it, the problem with this is similar to the problem with encryption key escrow: If there's a hole in the security for the "good guys" the "bad guys" will figure out how to exploit it. If the government has a way to get your encryption keys, even assuming that they're always on their best behavior, you can bet that a smart kid somewhere will figure out how to get your keys as well, and you can't assume that he'll be on his best behavior. Likewise, if you program a blind spot into a virus / malware scanner, I don't think it's unreasonable to bet that the same kid will figure out a way to make his malware look benign enough to slip through the same hole.

    It's a simple rule of security: If there's a low security path, the bad guys will take it. That's how they win. Assuming otherwise is silly.
  • -1, Moot (Score:5, Insightful)

    by StikyPad ( 445176 ) on Tuesday July 17, 2007 @07:11PM (#19894585) Homepage
    Unlike traditional malware, "policeware" would only be present on the target machine(s), rather than spread to any and every computer, so it's extremely unlikely that AV vendors would ever receive a sample. No sample means it would continue to go undetected, provided it was designed to go undetected in the first place.

    And how often do you look at the back of your computer [google.com]? How often do you think the average user does, or would even notice anything out of the ordinary if they were staring right at one? Sure, this is more difficult on a laptop since it would have to be opened, but it would also be even more discreet. I'm not aware of any products on the market for laptops, but I'm sure LE could commission one to be made, if necessary.

    The point is, it would be an incompetent department indeed which needed cooperation from AV suppliers to keep their surveillance methods discreet.
  • Re:note to self (Score:5, Insightful)

    by Danse ( 1026 ) on Tuesday July 17, 2007 @07:16PM (#19894657)

    If they have a court order (with proper oversight), I don't see a problem with this
    Read a newspaper in the last few years? Oversight is pretty much non-existent anymore.
  • Re:note to self (Score:3, Insightful)

    by Bob9113 ( 14996 ) on Tuesday July 17, 2007 @07:25PM (#19894725) Homepage
    So I presume you are against the police using spyware as a tool in all circumstances?

    I am opposed to the police using my property to collect evidence against me. It is much akin to my support for the right to not self-incriminate. You want to use your stuff to conduct surveillance? Cool (as long as you have proper authority, etc). But my stuff is my stuff.

    Why is this important? Because in order for technology to take an increasing role in our personal lives, we must be able to trust our technology as much as we trust ourselves. Technology taking on a hostile role towards us (as in the case of DRM, spyware, botnets, etc.) creates a barrier of distrust between us and the technology. It will forestall the merging of mind and machine. That is contrary to our best interest as a species.
  • Re:note to self (Score:4, Insightful)

    by misleb ( 129952 ) on Tuesday July 17, 2007 @07:29PM (#19894785)

    So I presume you are against the police using spyware as a tool in all circumstances?


    This isn't about how and when police should use wiretaps. It is about companies ignoring their ethical obligation to detect any and all "spyware." Hence the note to self: "Never buy anything from Checkpoint." They either can't be trusted to do the job you pay them to do.

    For an example of why this whitelisting is a problem regardless of whether or not individual wiretapping cases are legit: What if a criminal decides to utilize the police spyware? How hard can it be to take a machine that has been "bugged" by the police, find the binary, and copy it for your own use... and do your dirty work undetected? All it takes is one clever hacker to dissect the police keylogger and distribute it amongst his friends....

    -matthew
  • Re:note to self (Score:2, Insightful)

    by HomelessInLaJolla ( 1026842 ) <sab93badger@yahoo.com> on Tuesday July 17, 2007 @07:58PM (#19895081) Homepage Journal

    If you take away 100% of the ability to abuse, you end up with policemen walking a beat with little more than a whistle to do their jobs!
    That's a real good indicator that we don't need so many policemen.

    Now if we could just do something about the part about having 1100 new, lobbyist driven laws every year maybe we could balance things out.

    The trick is to recognize the potential, demand oversight and employ extremely strict punishment to prevent abuse so the tools are allowed to be used in a legal manner.
    That's not a trick. It's utter and complete fantasy to think that the system won't be exploited at the oversight level, or that "extremely strict punishment" won't be selectively enforced.
  • Re:note to self (Score:4, Insightful)

    by HiThere ( 15173 ) <charleshixsn@@@earthlink...net> on Tuesday July 17, 2007 @08:07PM (#19895163)
    Besides, if they'll whitelist the police, they'll whitelist Sony...as many did.
  • by BVis ( 267028 ) on Tuesday July 17, 2007 @08:22PM (#19895293)
    (Disclaimer: I work for a company that has an anti-spyware product, and I'm basically the guy that decides what gets listed and what doesn't.)

    I'd like to know what rights you think have been thrown away?
    When a company whose product I've paid for decides that they want to decrease my access to due process (by whitelisting software for law enforcement WITHOUT a warrant, just on the LEO's say-so) my fourth amendment rights have been violated.

    With a warrant/court order? Sure, I'd expect any reputable company to comply, to the extent possible/practical. Trouble is, with a (largely) fingerprint-based system, depending on how sophisticated your update procedure is, it may not be possible to whitelist something after it's been installed in the field. That, and it's nearly impossible to distinguish between a keylogger installed by the FBI and one installed by someone who wants to steal your credit card number.

    I can tell you that on a personal level, if I was asked to decide whether or not to remove something at the request of law enforcement in such a situation, the critical factor would be the existence of a court order. I would resign before I removed something in order to circumvent due process.
  • Brilliant! (Score:4, Insightful)

    by Deadplant ( 212273 ) on Tuesday July 17, 2007 @08:25PM (#19895321)
    1) AV companies whitelist trojan used by government agents.
    2) government agents install said trojan on all the bad-guys computers.

    So now all the known bad guys have copies of a trojan that is whitelisted by the AV software...
    What could possibly go wrong?
    That's exactly the level of intelligence I've come to expect from this government.

    Oh wait, maybe they'll copyright the trojan so the bad guys can't copy it and use it on other computers...

    Any AV company that co-operates with such a plan is incompetent.
  • Re:Uhm no (Score:2, Insightful)

    by iminplaya ( 723125 ) on Tuesday July 17, 2007 @09:32PM (#19895841) Journal
    Would you openly publish how to recognize all of the government's spy software?

    Damn straight! Would I put my name on it? Hell, no!
  • by Anonymous Coward on Tuesday July 17, 2007 @09:44PM (#19895925)
    "once you need the police to protect you"

    They just won't. I kept having a guy park in my driveway at night to sleep. I called the police repeatedly, they refused to do anything. They kept asking if he was doing anything "threatening".

    So I went down to the guy with a baseball bat, told him if he showed up again I would do my best impression of Babe Ruth with him having a close seat. He left and hasn't been back since. What good are the cops? Ultimately, you have to defend your own property yourself because the cops don't want to deal with it. I guess they're too busy beating skateboarders' asses and confiscating cars because they thought there were drugs in them (snigger).

    So please spare me the tales of how the cops are here to serve and protect. It's complete bullshit.
  • Re:note to self (Score:4, Insightful)

    by mcpkaaos ( 449561 ) on Tuesday July 17, 2007 @10:59PM (#19896519)
    So I presume you are against the police using spyware as a tool in all circumstances?

    Yes, unless they have a proper warrant, legally issued by an actual judge. Refer to the 4th amendment.

    Would your opinion change if the Police had a warrant?

    A warrant means oversight. I'm fine with that. Again, refer to the 4th.

    If your daughter were kidnapped, would you protest them using her cell phone to track her?

    My only protest is that you are resorting to emotions instead of continuing intelligent debate. In any case, it's a clear non-sequitur (and poorly laid trap) and has no place in the discussion.
  • Re:note to self (Score:4, Insightful)

    by rtb61 ( 674572 ) on Wednesday July 18, 2007 @12:00AM (#19896927) Homepage
    Problem, easy, hmm, police spyware, the magic box solution, the code can't ever be copied and used for criminal purposes, less than honest law enforcement officers would never ever sell copies of the program for other people to use, never ever.

    Technically law enforcement is giving the code away free, to the very criminals we should be endeavouring to keep the code away from, all they have to do is find it and get a cracker to reverse engineer it.

    A back door is a back door is a back door, when you pay for security software you pay for a complete solution, not some thing that leaks like a sieve. Security companies either declare the holes in the package or they knowingly commit fraud about the security of the software that they are providing.

    Basically if the law enforcement want to poke their sticky beaks in, they need to whack in a bit of hardware and have the warrant to go along with it; software is just a bullshit lazy trap waiting to blow up in their and our faces.

  • by Opportunist ( 166417 ) on Wednesday July 18, 2007 @04:27AM (#19898231)
    I just hope the politicians (who invariably are usually the ones with the least knowledge of computers) come to their minds before the big disaster strikes.

    It's not so much an issue of security and anti-malware vendors. A "government trojan" has the potential to become a diplomatic disaster. I mean, ponder the consequences.

    Aside from the political problem that could arise when such a trojan is detected (and I deliberately don't write "if". "When" is the word of choice, because it will be detected, no matter whether AV vendors ignore it, because they must or because they want to 'help their country'), which can quickly destroy the rest of support a government has from its subjects, the foreign politics are much more endangered.

    Imagine the US writing a keylogging and content sniffing trojan. Said trojan is then issued to a potential suspect. Said suspect finds it and forwards it via spam mail to Chinese companies and government. There it's detected, dissected and analyzed, to find that it's a keylogger reporting to the NSA.

    Can you imagine the international implications?

    For European governments, the headaches get even worse. Kaspersky said they won't care (and I believe them. I mean, if I was in Russia and had the backing of the government there, I wouldn't care about "do not find" letters from some minor country in Europe either). European AV researchers will be in The Hague immediately when a "you must not find" letter hits their desk, and sue for unfair competition situations. And then, the cat IS out of the box. Dead or alive.

    What governments around the world didn't get yet is that the success of trojans lies on their spreading. A trojan gets sent to a few thousand targets, a tenth of a percent of which actually click on it and infect themselves. The current very popular and successful form of infecting where you manipulate webpages to spread your malware is definitely out for targeted infections either, you'd have no control over who gets infected.

    So if you send your "targeted" trojan to a thousand suspects, only ONE of them on average will actually be infected. Compare that to the dangers of having that trojan in the "wrong hands" (see above), using such a trojan would be political suicide for any remotely democratic government.
  • by Opportunist ( 166417 ) on Wednesday July 18, 2007 @05:09AM (#19898393)
    No, not for the crooks, but for security altogether. Let's take a look.

    The police come forward with a trojan that must not be detected. AV vendors heed the order and whitelist it.

    Now, I dunno if you know how malware is developed. Malware is routinely tested against the current AV tools. Simply because you want to create malware that is at least not immediately detected. So what's the best malware? Exactly: One that MUST NOT be detected. So what's the best base for the ultimate trojan? The police trojan. You only have to create a trojan that matches the whitelist signature of the fed trojan to be safe from detection.

    It's way easier than trying to match your malware against other software that's on a whitelist. That police trojan has to do essentially what you want to do: Infect a computer, install a keylogger, steal the user's passwords, sniff through his files. No "ordinary" software that could be whitelisted does that. Your chances to match your trojan against this piece of whitelisted shit are incredibly higher.

    So if I was a malware writer, I'd be waiting with anticipation for the feds to release it.
  • by jimicus ( 737525 ) on Wednesday July 18, 2007 @06:20AM (#19898631)
    You're making an assumption: that malware would take the form of a simple executable, which the user has installed because they foolishly clicked on an email attachment.

    I can think of a few ways in which malware planted by a reasonably determined government could work with much lower risk of detection:

    • Hidden/undocumented APIs in commercial operating systems (note I didn't specify Windows) - will get 99% of suspects, and the police are well aware that there will always be a group that they have substantially less hope of catching.
    • Backdoor built into the OS at the factory. It's always been there, why should it be a concern to AV which generally looks for changes? For best results, "disappear" the development team once they've completed their work.
    • Backdoor in hardware - something like this [keyghost.com], but etched into the silicon of the keyboard controller rather than a separate piece of hardware. Good luck detecting that without an electron microscope and substantial knowledge of IC design.
    • Backdoor is digitally signed - perhaps using this key [wikipedia.org] - there's a pretty strong chance that most AV software will silently ignore anything that's digitally signed with a known key.


    Of course, most of these are a lot of hassle when it's substantially easier, cheaper and lower risk to simply do things the old-fashioned way - bug telephones and ISPs, put pressure on people who are somehow connected with the people you're investigating. Sooner or later you're going to have to gather evidence in a fashion similar to this anyway, because the question will arise in court - did you follow lawful procedures to get the evidence?
  • Re:The opposite. (Score:2, Insightful)

    by mikiN ( 75494 ) on Wednesday July 18, 2007 @07:06AM (#19898779)
    Ideally, yes. Also, you should know which ps it is that you're running (this is very important, in more than one way!). If it is procps 3.2.7 built from Debian source, you'll know that there are 118 processes (the top line consists of headings).

    In any case, it's a good idea to not just know what those processes are but what source (yep, also more than one meaning) they come from.

    If you consider remote exploits, it is also a good idea to look at

    netstat -p
    and know what those ports are, why they are open and what processes are using them.

    There are many terrible, bad, good and excellent rootkit and virus scanners, firewalls and IDSes out there to help you with this.
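As an added example (not part of mikiN's comment or the thread), the following POSIX shell script turns the "know what those ports are and what processes are using them" advice into a repeatable check: it parses netstat -tlnp-style output and reports every listening socket whose port/program pair is absent from a baseline you maintain. The netstat sample, the baseline and the program names are constructed, and the parser assumes the Linux net-tools column layout.

```shell
#!/bin/sh
# Added example, not part of the Slashdot thread: compare the LISTEN sockets
# reported by "netstat -tlnp"-style output against a baseline of expected
# listeners and report the ones you cannot explain. All sample data is constructed.

# Constructed sample in the Linux net-tools layout (assumption about column order):
# Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
# The 31337/.x line stands in for an unexplained listener; it is made up.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1203/exim4
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      4411/.x
tcp6       0      0 :::80                   :::*                    LISTEN      990/apache2'

# Baseline of listeners this host is supposed to have, one "port program" per
# line. Constructed for the sample; on a real host you write it after checking
# each port and the source of each program, then keep it under version control.
BASELINE='22 sshd
25 exim4
80 apache2'

# listeners NETSTAT_OUTPUT: print "port program pid" for every LISTEN socket.
# The port is the last ":"-separated field of the local address, which also
# handles IPv6 forms such as ":::80". Without root, netstat prints "-" instead
# of PID/Program for other users' sockets; those come out as "port ? -".
listeners() {
    printf '%s\n' "$1" | awk '$6 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        split($7, p, "/")
        pid  = (p[1] == "" || p[1] == "-") ? "-" : p[1]
        prog = (p[2] == "")                ? "?" : p[2]
        print port, prog, pid
    }' | sort -u
}

# unexpected_listeners NETSTAT_OUTPUT BASELINE: print the listeners whose
# "port program" pair is absent from the baseline, with the PID kept so the
# process can be inspected (its binary, working directory, open files).
unexpected_listeners() {
    listeners "$1" | awk -v base="$2" '
        BEGIN { n = split(base, l, "\n"); for (i = 1; i <= n; i++) ok[l[i]] = 1 }
        !(($1 " " $2) in ok) { print }'
}

# Run against the constructed sample; prints "31337 .x 4411".
unexpected_listeners "$SAMPLE_NETSTAT" "$BASELINE"

# On a live Linux host (root needed to see every PID/Program name), assuming
# you keep the baseline in a file of your choosing:
#   unexpected_listeners "$(netstat -tlnp 2>/dev/null)" "$(cat /etc/listen-baseline)"
```

A listener that shows up here is not automatically malicious; it is the one you have not yet explained, which is exactly the process whose origin and binary deserve a look.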
