FinSpy Commercial Spyware Abused By Governments

Posted by Soulskill
from the you-can-trust-us dept.
plover writes "The NY Times has a story about FinSpy, a commercial spyware package sold 'only for law enforcement purposes,' being used by governments to spy on dissidents, journalists, and others. Two U.S. computer experts, Morgan Marquis-Boire from Google, and Bill Marczak, a PhD student in Computer Science, have been tracking it down around the world. 'The software proved to be the stuff of a spy film: it can grab images of computer screens, record Skype chats, turn on cameras and microphones and log keystrokes. The two men said they discovered mobile versions of the spyware customized for all major mobile phones. But what made the software especially sophisticated was how well it avoided detection. Its creators specifically engineered it to elude antivirus software made by Kaspersky Lab, Symantec, F-Secure and others.'"
  • by JustAnotherIdiot (1980292) on Friday August 31, 2012 @11:03AM (#41190357)
    Seriously, you give an infant a toy, they're not going to listen to how you tell them to play with it.
    • by Tackhead (54550) on Friday August 31, 2012 @11:20AM (#41190541)

      "Whenever a controversial law is proposed, and its supporters, when confronted with an egregious abuse it would permit, use a phrase along the lines of 'Perhaps in theory, but the law would never be applied in that way' - they're lying. They intend to use the law that way as early and as often as possible."

      Meringuoid's Law [slashdot.org], Nov 24, 2005.

      Seriously, you give an infant a toy, they're not going to listen to how you tell them to play with it.

      Think of it from Dad's viewpoint: the Dad who buys his newborn son a new power drill and fishing gear, and a set of Lego Mindstorms for his first birthday. The kid may not be interested in carpentry, angling, or robotics, but Dad sure loves the excuse to go shopping!

    • by Anonymous Coward

      "The software proved to be the stuff of a spy film: it can grab images of computer screens, record Skype chats, turn on cameras and microphones and log keystrokes"...........

      Really? Like Sub7 used to do back in 1998?

    • by b00py (1647601)
      What fun would it be, then? I am curious as to how this works out with Antivirus groups/companies/researchers. My paranoia says there's definitely potential in having a government funded application purposely ignored by an antivirus company's engine (if company is based in the same country). Common sense says these will mostly be all "build and burn" jobs, constantly reshaping a needle for the haystack.
  • Paywall (Score:5, Insightful)

    by Anonymous Coward on Friday August 31, 2012 @11:06AM (#41190389)
    STOP linking to articles that are behind paywalls!
  • by Anonymous Coward on Friday August 31, 2012 @11:07AM (#41190393)

    Does it run on Linux?

    • Google around a bit, you'll see this mentioned. I have not yet found any information about what that attack vector is or how to defend against it, although I suspect that locking your system down with SELinux/AppArmor and using sandboxes to open attachments (even from people you trust -- what if their computer is infected?) will mitigate the threat somewhat.

      The moral of the story is this: dissidents should airgap any system they use for sensitive/secret material.
      • Re:Yes (Score:5, Insightful)

        by Loughla (2531696) on Friday August 31, 2012 @12:30PM (#41191457)

        The moral of the story is this: dissidents should airgap any system they use for sensitive/secret material.

        I genuinely do not understand how people don't get this. You want to push against the big boys? Assume they have tools you've never even imagined. It's just like sterilization in medicine. You don't know what the patient has, so you treat everything they touch like it's covered in plague. Diligence, children, diligence is the key to anonymity.

        Is it wrong that this exists? Probably. Are you naive for believing that these types of tools aren't used every day? Absolutely.

        • Re:Yes (Score:5, Informative)

          by girlintraining (1395911) on Friday August 31, 2012 @02:19PM (#41192807)

          I genuinely do not understand how people don't get this. You want to push against the big boys? Assume they have tools you've never even imagined. It's just like sterilization in medicine. You don't know what the patient has, so you treat everything they touch like it's covered in plague. Diligence, children, diligence is the key to anonymity.

          You say that like it's easy for anyone to pick up the tools of the trade. It isn't. There's tor, proxies, networking protocols, you need to understand RF fields, propagation, you need to be able to do an inventory of every electronic item you possess, you need to understand the differences between PKI and symmetric key encryption, and how, if, and whether encryption provides plausible deniability or not. You need to understand Tempest -- how devices can radiate RF (and thus, information) on an otherwise perfectly secured system. You also need to understand how malware operates, how to detect it... and not only do you need all this understanding and technical expertise, but the equipment required to create a sterile lab environment from which to test, assemble, and validate your builds.

          Large corporations have problems getting this right because it's so complicated. Major world governments have screwed up. Actually, all of them have. This is not just a simple matter of "spray and wipe down". Stop being so condescending, like it's just a simple matter. It's not -- not for you, not for them, not for anyone. And you can't go it alone. It's too complex for one person to navigate without making at least one mistake.

          • by Loughla (2531696)
            I wasn't trying to be condescending. I do apologize - the intertweb does not lend itself to tone interpretation. What I was implying is that when folks get busted, they are surprised. When a malware/spyware/happy-fun-go-go-timeware is discovered that has the ability to spy on you, people are surprised. What I was trying to say is that most people, reporters, rebels, dissidents, Joe down the street, VASTLY underestimate what is possible. For some reason most people WANT to believe that this is possible, but
            • Thanks for stepping up. It's rare to see that online. Unfortunately, condescending attitudes are a dime a dozen online. Things people would never say in person they do with gusto online, because they're small people in real life, and so they need to emotionally abuse strangers to feel better. Anyway, fair enough. I personally wish more IT professionals would do what I do. I have a homebrew install disc of winxp and win7 (all versions of each) that installs a slew of antivirus, antimalware, firewall, etc., o

              • by Loughla (2531696)

                I'm pretty well educated in on-line security, and my critical thinking skills have taught me how to avoid the bad people. I made a conscious choice to look at the things I do on-line, and realized that even if I'm being tracked, all 'they' are going to see is one really bored human who browses weird things. So, in my life, the inconvenience of many steps outweighs the benefits for privacy (For example, I have a stupidly low bandwidth cap and obscenely high latency with my satellite internet connection, s

                • > 1. Why do you do that?

                  Because it's my civic responsibility to teach others how to be safe in a world they don't fully understand.

                  > 2. What type of people do you do that for?

                  Friends, family, and anyone that's a part of their social network, etc. A large part of it is referrals and reputation. People know me by reputation and my connections, and my willingness to teach.

                  > 3. What are the programs and in what order do they load (unless you get paid to do that. . . . then I understand if you don't wan

        • by s.petry (762400)

          The moral of the story is this: dissidents should airgap any system they use for sensitive/secret material.

          What about the Free journalists in countries like the USA where they should not be considered "dissidents"? Perhaps this was just an oversight on your part. In the USA, many Journalists are called dissidents by US Government Agencies (CIA/DHS/TSA) but that is not correct constitutionally.

          I genuinely do not understand how people don't get this. You want to push against the big boys? Assume they have tools you've never even imagined. It's just like sterilization in medicine. You don't know what the patient has, so you treat everything they touch like it's covered in plague. Diligence, children, diligence is the key to anonymity.

          Is it wrong that this exists? Probably. Are you naive for believing that these types of tools aren't used every day? Absolutely.

          As with my comment above, there is a danger in suggesting that _all_ journalists are dissidents, and that _any_ or _all_ Governments should be actively fighting against free journalism. In the last 50 years in the US, w

          • "What about the Free journalists in countries like the USA where they should not be considered "dissidents"? Perhaps this was just an oversight on your part. In the USA, many Journalists are called dissidents by US Government Agencies (CIA/DHS/TSA) but that is not correct constitutionally." - Silly hippie, free speech is one step away from godless communism and definitely an un-American activity.
            • by s.petry (762400)

              You should put a :) or something after your post so people don't think you are a peon working for an agenda and propagating such a Philosophy.

              Well, maybe you are.. hell, I don't know..

    • by awrowe (1110817)
      Runs on Android and iOS, so it would seem it works on some forms of *nix yeah. *blink*
    • Re: (Score:2, Informative)

      by Anonymous Coward

      According to their sales brochure, yes it runs on Linux and Mac

      http://wikileaks.org/spyfiles/files/0/289_GAMMA-201110-FinSpy.pdf [wikileaks.org]

      • by Yvan256 (722131)

        That's it, I'm switching to Haiku. And if that doesn't work, I'm getting my CoCo3 from the attic.

  • Unpossible! (Score:4, Insightful)

    by Anonymous Coward on Friday August 31, 2012 @11:10AM (#41190425)
    Police abusing their authority and spying on the people they swore to protect? I'm shocked. Shocked!
  • sold 'only for law enforcement purposes,'

    Yea, sure. But presumably anyone can buy it (I didn't read the article for obvious reasons)

    • by jesseck (942036)

      sold 'only for law enforcement purposes,'

      Yea, sure. But presumably anyone can buy it (I didn't read the article for obvious reasons)

      You also need to realize... "law enforcement" is what it is being used for. Just because a "law" seems unjust to us doesn't make it less legal in another place. Dissidents are breaking their government's law, and as such, the software is only being used for "law enforcement".

      I don't agree with the abuse of this software, and it should be tightly regulated. However, the "law is in the eye of the beholder" (or pocketbooks of the rich), and it is that view that allows FinSpy's developers to sleep at night. T

      • Just imagine any such technology in the hands of the worst, most repressive government. That's the acid test.

  • Long time concern (Score:5, Insightful)

    by IndustrialComplex (975015) on Friday August 31, 2012 @11:15AM (#41190503)

    It has always concerned me the loopholes which you know are being abused.

    Sure, the government isn't 'legally' allowed to spy on citizens without following the Constitution. But that doesn't hold for 3rd Parties. Nor does it hold true for other governments.

    Oh the government didn't conduct the surveillance, it just purchased the already performed surveillance dataset from 'Private Investigation Company XYZ'. See, it was the private company that did the spying, not the government. The data wasn't only spy data, it was also available to be sold to marketing firms, so it isn't just a shell for the government, the government just happens to buy from them. A lot.

    I'm also really curious to know about the whole 'sharing' of intelligence data.

    Sure, our intelligence agencies aren't 'supposed' to spy on US citizens, but they can spy on UK citizens. And the UK agencies ARE spying on the US citizens. So when that data package from the UK agencies is shared with the US agencies, it's just a convenient benefit. The US agencies didn't technically do anything to perform the spying, they just benefit from it.

    I'm sure I'm being paranoid, but it doesn't even require maliciousness on behalf of the agencies. It just requires people who try really hard to do their jobs. Something that is technically legal can be immoral, unethical, evil, oppressive, and counter-productive... but technically legal is still legal.

    • by Type44Q (1233630)

      Sure, the government isn't 'legally' allowed to spy on citizens without following the Constitution. But that doesn't hold for 3rd Parties. Nor does it hold true for other governments.

      It hasn't held true for our own, either.

  • They just told Kaspersky Lab, Symantec, F-Secure and others to back off and let it through. Wouldn't be the first time.

  • ... that governments around the world are spying on their citizens... because... well... because they can. Also because a small number of unscrupulous IT companies keeps churning out digital tools that are made solely to spy on people. ---- IMHO this practice needs to stop. People should pay nnnn Dollar for smartphones and computer gear, and be safe in the knowledge that they are NOT spied on when they use these gadgets. -------- It's sad, just sad that governments, instead of being on the side of people, in
  • by Anonymous Coward

    So, we designed software to catch criminals.

    Other people have different laws than we do. Some of the things we declare to be legal, they consider to be crimes.

    You are surprised that the software we designed to catch our criminals also catches the people they declare to be criminals? Just because we think they are not criminals, somehow that gives you the right to be offended?

    If you want to be offended that other countries don't give their citizens the right to free speech and to protest, go ahead.

    But com

    • Because Mr LEO would never watch skype traffic between a husband and wife who are separated and missing each other.
      Or just between a couple of freaky horny teenagers.
      Because nobody would ever do such a thing, right?

  • In the guise of law enforcement, the govt can get their p0rn fix more readily.

    Laws Smaws!

  • How can I detect that I am infected with FinSpy !
    • by Anonymous Coward
      Late at night you will get a knock on your door...
  • by Penurious Penguin (2687307) on Friday August 31, 2012 @11:28AM (#41190669) Homepage Journal
    Two promotional videos of these pricks and their man-in-the-middle wares:
    http://www.youtube.com/watch?v=qc8i7C659FU&NR=1&feature=endscreen [youtube.com]
    https://www.youtube.com/watch?v=Dejw2G83Moo [youtube.com]
    The animation and general rascality of it always make me grin.
  • by interval1066 (668936) on Friday August 31, 2012 @11:45AM (#41190895) Homepage Journal
    Contractor/Vendor: "Here is a hammer. It's used for driving nails. YOU MAY NOT use it to murder people. Understand? No murdering."
    Government: "Ok. No murdering."

    Frankly, I don't see the problem.
    • by Anonymous Coward

      Contractor/Vendor: "Here is a hammer. It's used for driving nails. YOU MAY NOT use it to murder people. Understand? No murdering."
      Government: "Ok. No murdering."

      Citizen: "I have protection from self-incrimination."
      Government: Slams hammer on citizen's fingers. "You're lucky you're not dead."

  • by couchslug (175151) on Friday August 31, 2012 @11:48AM (#41190935)

    Let's mention ways around such threats:

    Boot from a live Linux CD/DVD (preferable as they are read-only, with some specialty exceptions) or USB key/CF card/other flash media.

    Do your business, and your "innocent" Windows drive is untouched. Surf only "wholesome" sites on Windows and create a convincing alternate identity.

    MAC spoofing is easy and there is plenty of info on it.

    • by Anonymous Coward

      There is no way to realistically prevent the USA government from tracking you on the internet if you are inside the USA. SSL doesn't matter.

      Only a VPN that doesn't use DNS for certificate validation with IPSec would be trusted.

      Folks will tell us to use Tor or a DNS tunneling solution to have privacy - they are leaving out critical information. Tor alone is not enough.

      Using MS-Windows on the internet is stupid. It doesn't matter which websites you visit. Even trusted websites are cracked or their ad networ

  • The internal microphone and camera of laptops can be too easily enabled (and silently without you knowing it). Typically you don't need them all the time anyway. There should be a clear on/off switch for them in every laptop, just like you have for WiFi.
    • To mute the microphone, an audio or mic jack is great. Just clip off the wire and voilà; a virtual analog off-switch. For the cam, there aint nothin' like ducktape or even better, an icepick.
      Also, there are hardly ever hardware switches for wifi or sound anymore -- and not for the last 5 years so far as I've observed. It's all software switches now, which as you might imagine, has caused compatibility issues here and there. Yep, I'm all for breaking the circuit directly, but the designers aren't :(
  • It's being used exactly as designed, not "abused." In most of these places "abusing" the software, spying on dissidents falls well within "law enforcement" as defined there. What, the creators expected it only to be used to enforce laws they agree with?

    And by the way, spying on dissidents is something the noble, enlightened U.S. Government does regularly---and it falls well within their legal "law enforcement" powers, too. Oh, you thought only the evil countries do that?

  • Citizens should be using this to keep tabs on their government. This use is covered by the 2nd Amendment.

  • There has to be some way to get this crap off a computer.

    • by fm6 (162816)

      You wish! Sometimes the only way to expunge malware is to wipe the disk and start over. I've had to do it myself a couple times.

  • I tried running it and got this error msg: Library MFC42.DLL (which is needed by "C:\\Program Files\\Software Informer\\softinfo.exe") not found ..
  • The latest upgrade of NortonMobile https://play.google.com/store/apps/details?id=com.symantec.mobilesecurity&hl=en [google.com] does the same. It's enough to scare anybody who has even the slightest idea what it means. Anti-virus vendors working on behalf of the Law?
