
Will Security Firms Detect Police Spyware?

cnet-declan writes "A recent appeals court case dealt with Drug Enforcement Administration agents using a key logger to investigate a suspect using PGP and Hushmail. That invites the obvious question: Will security companies ever intentionally overlook police spyware? There were somewhat-muddled reports in 2001 that Symantec and McAfee would do just that, so over at News.com we figured we'd do a survey of the top 13 security firms. We asked them if it is their policy to detect policeware. Notably, Check Point said it would 'afford law enforcement' the courtesy of whitelisting if requested. We've also posted the full results, with the companies' complete answers. Another question we asked is if they have ever received a court order requiring them to overlook police key loggers or spyware. Symantec, IBM, Kaspersky, and others said no. Only Microsoft and McAfee refused to answer."
  • Uhm no (Score:2, Interesting)

    by Cafe Alpha ( 891670 ) on Tuesday July 17, 2007 @06:11PM (#19893941) Journal
    But it's not the source, it's the data.

    And publishing or distributing data which compromises investigations is probably a felony.

    So how would your open source system work? Would you openly publish how to recognize all of the government's spy software?
  • by Cafe Alpha ( 891670 ) on Tuesday July 17, 2007 @06:19PM (#19894043) Journal
    You'll notice that when asked about key loggers they started talking about methods of detection other than signature recognition. Kaspersky even mentioned that he wasn't talking about signature recognition which is the only reliable method.

    You can take this as a hint that none of the companies is distributing signatures of the programs that the government uses.
  • by dotpavan ( 829804 ) on Tuesday July 17, 2007 @06:21PM (#19894057) Homepage
    These companies will cave to whatever law enforcement agency has jurisdiction for the investigation quicker than the last Harry Potter book hit the torrents. The only possible exception would be those AV companies that are immediately outside of the grasp of the agency involved. I don't even think that those companies are safe because their own governments would likely bear pressure to comply.


    true, but they could at least try, like Google refused to turn in the search queries. I know, not every company is a mammoth like Google and can't afford the wrath of Govt., but an initial refusal (and later caving in under pressure) might put them in a better light than complying right at the first request..


    what is also interesting is that MS *must have* caved in sometime in the past (from their refusal to answer), and Vista's inbuilt spyware/malware detection makes it more likely to snoop on its users.. privacy concerns explode!

  • by cstdenis ( 1118589 ) on Tuesday July 17, 2007 @06:36PM (#19894225)
    Even easier, somebody can just modify the policeware to report to them instead of police. If the police are installing this on hacker computers, sooner or later a hacker will find it and exploit it.
  • by UbuntuDupe ( 970646 ) * on Tuesday July 17, 2007 @06:39PM (#19894257) Journal
    Isn't there necessarily a question that they *can* answer, though?

    "Have you been given a court order to let police spyware in?" --> Must say no because of a gag order.
    "Have you ever been in a position where the law required you to lie about questions related to your spyware activities?" --> ???
  • by syousef ( 465911 ) on Tuesday July 17, 2007 @06:52PM (#19894397) Journal
    1. Whitelist police spyware
    2. Crim gets hold of police spyware
    3. Crim pwns your machine, steals your identity and makes your life a living hell for the next 3 years or more.

    If you paid for a piece of anti-spyware and they leave a backdoor open like this, isn't that a case of negligence?
  • by cez ( 539085 ) <info.historystartingyesterday@com> on Tuesday July 17, 2007 @06:59PM (#19894471) Homepage
    What I'd like to see is an actual accounting of "whitelisted" programs, ones that have attained the appropriate certificate.
  • Re:The opposite. (Score:2, Interesting)

    by Eternauta3k ( 680157 ) on Tuesday July 17, 2007 @07:20PM (#19894703) Homepage Journal

    ps ax | wc -l
    119
    So... in order to stay away from spyware, you have to know what those 119 processes do?
  • Re:note to self (Score:5, Interesting)

    by statusbar ( 314703 ) <jeffk@statusbar.com> on Tuesday July 17, 2007 @07:21PM (#19894711) Homepage Journal
    All that needs to be done is for a hacker to find out what specific software is used by the police, and subvert it so that the hacker can use it to attack people while the spyware detector software purposely ignores it, thinking that it is from the police.

    --jeffk++
  • by Anonymous Coward on Tuesday July 17, 2007 @07:27PM (#19894759)
    Well, there's considerable debate about that kind of question [wikipedia.org]. Okay, it's not quite the same situation, but it's somewhat similar. I think the responses of some classic ST:TOS episodes [wikipedia.org] are probably appropriate. Something along the lines of "I'm not programmed to respond in that area", or perhaps a shower of sparks before the lawyer's head explodes.

    Most likely, they'd just say they are unable to answer. "Null" answers are always an option for lawyers.

  • by secPM_MS ( 1081961 ) on Tuesday July 17, 2007 @07:33PM (#19894829)
    Please note that I know nothing whatsoever about Microsoft's activity in this area.

    The libertarian definition of government is an organization that claims a legal monopoly on violence in a region. No company or organization is going to long survive direct and focused government duress - its assets will be seized and its staff find themselves contemplating uncomfortable surroundings. That said, everyone should expect that organizations will comply with court orders / security directives (at least once they have exhausted their appeals processes, if any). Privacy does not trump law.

    Judge Learned Hand once admonished a new attorney with something along the following lines "Sir, this is a court of law. It is not a court of justice." Do not attempt to extrapolate your values to the law.

    All nations have a need to conduct covert surveillance. This may involve software, hardware, human intelligence, etc. It is reasonable to assume that they will make reasonable efforts to preserve these capabilities. Draw your own conclusions. Officials with a court warrant can covertly plant HW monitoring systems in target systems. Such attacks will compromise the system regardless of the OS.

  • Re:note to self (Score:5, Interesting)

    by HiThere ( 15173 ) <charleshixsn@ear ... .net minus punct> on Tuesday July 17, 2007 @08:03PM (#19895133)
    You *have* noticed what kind of oversight is being provided these days? When ANY is provided...

    Oversight essentially means they run back to the office and time-stamp a preprinted form. There's a little more involved than that, but not much. They get to choose the most pliable judge available...and there are some who are pretty pliable.

    The bizarre thing is that even THAT much oversight is seen as too much by those in charge of the snooping agencies. And it's not usually because of urgency. (As I recall they can get special exemptions for planting a bug on a target of opportunity...retroactive permission.)

    The current moral corruption of the police appears to extend all the way from the local level to the federal. (I hope your local police are still honest. If so, count yourself lucky...or uninformed.)

    This current level of corruption probably reaches back to Nixon's Imperial Presidency, and before him to FDR's centralization of the government. And before him, also. (Notice that it's not specific to any one party. What one party does, the other party rarely repeals.) With the removal of habeas corpus it's barely disguised any more. This *IS* a police state. So far it's a more humane one than most of its predecessors, but it has the diagnostic features. Britain is, or appears to be, headed the same way.

    Probably this is because of two basic features:
    1) Population density makes it more difficult to control people, and
    2) The removal of a frontier means that if the powers that be get mad at you, there's no place to escape to.
    Ostensibly these two factors pull in opposite directions, but actually the freedom of the frontier had a back-transference that led to greater liberty in the sessile population.

    What can be done? Solutions seem either difficult or undesirable. Either drastically decrease the population (H5N1 may attempt this solution), or create a new frontier (which must be reachable at least by the middle class, if not by the impoverished). Space travel appears too expensive for the foreseeable future. Ditto for under-sea colonies. And it has to be a meat-space frontier. Virtual realities don't have the same "getting out from under the thumb of an oppressive government" effect (except in fantasy...which isn't sufficient).

  • by saikou ( 211301 ) on Tuesday July 17, 2007 @09:30PM (#19895825) Homepage
    Unless there's a world-wide conspiracy or a single supplier of "police spyware" in the world, Anti-Spyware products from other countries will not follow "don't detect us" order (and, I bet, there would be one or two posts with "would you look at that?!" notes, listing exactly what "please don't detect us" note says).
    Of course it also implies that gov-spyware is used in such mass quantities that at least one or more somewhat knowledgeable people find that something is wrong and involve anti-virus/spyware vendors.
    So... those who believe in world-wide conspiracy -- there is nothing to protect you (otherwise it wouldn't be ww-c ;) )
    Those who are paranoid -- use anti-virus/spyware kits from different countries. Kill everything suspicious (perhaps including one or two of those anti-virus programs that point at each other as a threat)
    Everyone else... panic for a week, then move on to the new threat/panic/book/movie :)
  • by TempeTerra ( 83076 ) on Tuesday July 17, 2007 @10:36PM (#19896351)
    A question. If a malware detector wants to avoid detecting government malware, would they need to explicitly whitelist it or merely fail to blacklist it?

    If they do whitelist government malware, is it possible to read the whitelist and extract the signatures of the whitelisted malware - and then search your system using a modified scanner and the signature they so thoughtfully provided?
  • Generic test? (Score:4, Interesting)

    by wytcld ( 179112 ) on Tuesday July 17, 2007 @11:01PM (#19896531) Homepage
    Is there such a thing as a generic test for keyloggers? Perhaps some way to profile a known-clean system and then spot the difference in some aspect of performance if a keylogger is subsequently inserted? If the keylogger is rootkit-like it may be hard to spot in the small space of memory it would require. But wouldn't it usually introduce some slight delay in the speed of keyboard input getting to the intended program? Is there any way to test for that without the test program itself getting the same slightly-delayed input, with no way to measure when the key actually made contact? Can keyboard input be simulated in a way that would send it through any installed keylogger, and so reveal it?

    Alternately, the keylogger is most likely storing the logged keys either in clear or in isomorphic form to the input. So if you inserted your own keylogger into the system, what would it take to scan memory (and drives?) for matches on samples of what your own keylogger captures? Keyloggers aren't going to want to be burdened with heavy encryption to avoid this scanning, since that would add enough system load to make them more spottable by other means. Obviously you'd have to mask out the legitimate memory locations of, say, your word processor the input's going to - which would miss a keylogger patched into your word processor.

    Is anyone working on a way to harden systems against this whole category? (Yeah, key-logging dongles are yet another thing. Software insertion is the question I'm addressing.)
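    The known-plaintext scan wytcld sketches (type a string you control, then look for it, or an encoded copy of it, in memory and on disk) as an added Python example; this is not code from the thread or from any vendor. The snapshots are constructed byte strings standing in for real process-memory or file dumps, and the canary value is made up. It goes a step beyond the post: besides literal and common encodings it finds any copy that is a one-to-one byte substitution of the canary (single-byte XOR, rotation, lookup table), which is what "isomorphic form" amounts to.

```python
import base64

# Constructed canary: typed by hand on the suspect host. Its repeated block
# gives it an equality pattern random data almost never shares.
CANARY = "qzk7mv-qzk7mv-hb3xw9"

def _shape(data: bytes) -> tuple:
    """Replace each byte by the index of its first occurrence. Any bijective
    byte substitution (XOR key, rot-N, lookup table) leaves this unchanged."""
    first = {}
    return tuple(first.setdefault(b, i) for i, b in enumerate(data))

def _literal_forms(canary: str) -> dict:
    """Encodings a logger might store keystrokes in without real encryption."""
    raw = canary.encode()
    return {"ascii": raw, "utf-16le": canary.encode("utf-16-le"),
            "hex": raw.hex().encode(), "base64": base64.b64encode(raw)}

def scan_snapshot(snapshot: bytes, canary: str = CANARY) -> list:
    """Return sorted (offset, form) hits for the canary inside a dump."""
    hits = []
    for name, needle in _literal_forms(canary).items():
        start = 0
        while (pos := snapshot.find(needle, start)) != -1:
            hits.append((pos, name))
            start = pos + 1
    # Substitution-invariant pass: same equality pattern as the raw canary.
    raw = canary.encode()
    target, m = _shape(raw), len(raw)
    for i in range(len(snapshot) - m + 1):
        window = snapshot[i:i + m]
        if window != raw and _shape(window) == target:
            hits.append((i, "isomorphic"))
    return sorted(hits)

def build_demo_snapshots() -> dict:
    """Constructed stand-ins for memory/file dumps: one clean, four tainted."""
    filler = b"The quick brown fox jumps over the lazy dog. " * 40
    xored = bytes(b ^ 0x5A for b in CANARY.encode())   # single-byte XOR key
    return {"clean": filler + b"\x00" * 64 + filler,
            "plain_log": filler + b"[keys] " + CANARY.encode() + b"\r\n" + filler,
            "wide_log": filler + CANARY.encode("utf-16-le") + filler,
            "xor_log": filler + xored + filler,
            "b64_log": filler + base64.b64encode(CANARY.encode()) + filler}

if __name__ == "__main__":
    for name, snap in build_demo_snapshots().items():
        print(name, scan_snapshot(snap))
```

    Against a real host you would feed scan_snapshot the bytes of a process memory dump or of files written since the canary was typed; the pass over the word processor's own buffers, as the post notes, still has to be masked out.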
  • by ls671 ( 1122017 ) on Tuesday July 17, 2007 @11:46PM (#19896845) Homepage
    What are the chances of success of a company specifically advertising that they don't overlook any spyware (including intelligence services spyware) from any country including US and making their business model on it?
  • by gnu-generation-one ( 717590 ) on Wednesday July 18, 2007 @07:55AM (#19898981) Homepage
    The question was "Have you ever received such a court order signed by a judge...".
    But if what they had received instead was an NSL, they would be under a gag provision (with *jail* as the penalty) to not mention anything about it.


    So tell them to answer "no" until such time as their answer changes to "no comment"
