Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
EU Privacy Technology

Spyware Is Running Amok in Europe, EU Lawmaker Warns (bloomberg.com) 40

Spyware such as Pegasus is being deployed by state-run organizations across the European Union to snoop on politicians and journalists with virtually no EU-level oversight, according to a draft report for the bloc's parliament. From a report: The document on the use of surveillance spyware released on Tuesday said citizens can "safely assume that all EU member states have purchased one or more commercial spyware products" such as Pegasus, developed by Israel-based NSO Group. But, "no meaningful European oversight is in place; not to curb the illegal use of powerful spyware against individuals, nor to monitor the trade in these digital goods," lawmaker Sophie in 't Veld, the report's author, said in a statement. The 159-page document focuses on the use of spyware based on investigations of journalists and civil society groups and the parliament's own research missions.
This discussion has been archived. No new comments can be posted.

Spyware Is Running Amok in Europe, EU Lawmaker Warns

Comments Filter:
  • by dargaud ( 518470 ) <slashdot2@gd a r gaud.net> on Tuesday November 08, 2022 @01:04PM (#63036119) Homepage
    Why don't Google and Apple and Microsoft and Co analyses those spyware and plug the holes in their software ? It looks like they should have operated for at most a month, but it's been years and now even low level officials are targeted.
    • Likely they do not have access to the software. That is a very closely guarded secret.
    • Re: (Score:1, Interesting)

      Their biggest customer pays them more than you do, and that customer is using these holes. If anything, their biggest customer is demanding they NOT do exactly what you suggest.
      • Probably true. Although needs evidence. One thing for sure the tech overlords play all sides. Example Microsoft and spam. "We have implemented a robust spam control system". Q. Where does tons of spam come from? A. Azure Cloud.
      • by dargaud ( 518470 )
        That may well be true, but when the holes are used by everybody against everybody, nobody wins and everybody loses.
  • I want to communicate with certain parties securely, using public internet assets for storage and transport.

    What's the best approach?

    At this time I use public email accounts that are shared by myself and the other party. We use drafts to communicate, messages are never sent (message are sent, but outside of private comms that are internal). Traffic accessing the account can be tracked, but not the internals (illegal content filters won't find things that aren't there).

    I saw this scenario in a movie once,

    • by serafean ( 4896143 ) on Tuesday November 08, 2022 @01:50PM (#63036273)

      Draft emails are fun, but no, the filters have gone through them, I can almost guarantee that...

      My choice:
      Bought a raspberry pi (or the equivalent thereof).
      Set up an XMPP server on it (ejabberd, but prosody is an equally good choice).
      Set up tor on it, create a tor hidden service for the XMPP server.
      Absolute must: set up TLS certificates for the XMPP server. It's a PITA, but the stream itself should be encrypted, and the cluster*** that is SSL is the only available thing.
      If you want to federate, you need to force the XMPP server to connect through tor. (haven't done that, I didn't federate that server)
      Check the server's logging preferences to log the bare minimum, and configure what lapse of history to store.

      On Android I use Conversations.im (+orbot for tor), with OMEMO always enabled, and the initial QR code key verification.

      Now, the tor part I only did for kicks as a PoC. My actual server is public facing.

      Or use Signal. Doesn't pass my smell test -- no 3rd party client possible -- but seems better than all alternatives I looked at.
      Actually Signal seems to be better than XMPP, as it doesn't need to store metadata in undelivered queues on its servers.

      • Set up an XMPP server on it (ejabberd, but prosody is an equally good choice).

        Silly question, why xmpp over IRC? the xmpp protocol is far more complex. The irc and/or bouncer connection is easily encrypted and if you want to be able to send messages while offline just have the front-end for everyone that they sign into be a bouncer.

        • because XMPP supports file transfers and A/V calls. Both p2p, if network configurations allows for it, but the server helps in case of NAT.
          It also has server side history which allows inter-client sync, and if you're completely offline, eventually you get all the messages.
          A specified e2e encryption scheme.
          A stateful roster on the server.

          Also once upon a time there existed a technology called "telepathy tubes" where your local text editor could collaborate with other text editors on different machines.
          That's

      • Thanks for the detailed explanation. I did say using the "public internet as transport and storage".

        And my comment on content filters was that I don't care about those, they can scan my stuff (nothing to see there).

        I'm looking lightweight but "good" security. I outlined my approach, I don't keep much secret (most public details I divulge are accurate, those that aren't allow me to know where someone learned something...).

        Regarding my few words, a friend of mine once said that he signed up for various thing

        • Once you leave unencrypted data on a remote machine, that data is gone, and considered given to the world. Aka - all security/privacy gone.

          > (nothing to see there)
          Until there is... That is a big and separate discussion.
          Good read: https://unixsheikh.com/article... [unixsheikh.com]

          > I'm looking lightweight but "good" security.
          Define better your threat vector.

          "good" security is defined by what you're trying to be secure from. Security from wolves isn't the same as from polar bears or mosquitos.
          Same goes for IT security

    • If that is on your own private email server and you use point-to-point encryption like wireguard, that would be pretty private. Otherwise signal app is currently considered quite private. If you have your own servers you could setup open source messaging servers like NextCloud talk or Prosody server software using XMPP protocol my peeps tell me is very tight.
  • by ickleberry ( 864871 ) <web@pineapple.vg> on Tuesday November 08, 2022 @01:16PM (#63036163) Homepage
    In the early 2000's I remember using various Win32 spyware removers that did such shocking things as showing banner ads and collecting your browsing habits in order for them to sell.

    Nowadays, most android/iOS freeware and the Windows operating system itself can be considered spyware. Spying has become normalised and that is not a good thing
    • by kurkosdr ( 2378710 ) on Tuesday November 08, 2022 @02:00PM (#63036303)
      The big difference is that spyware 1) is not disclosed and 2) doesn't have to honour applicable regulations such as the GDPR and 3) there is no limit to what data it will collect. So, no the Windows operating system itself cannot be considered spyware. All data collection it performs is disclosed, it has to honour applicable regulations in every country such as the GDPR, and won't try to steal your credit card's CVV number for the purpose of selling it to international crime rings. Please try to make sense.
  • Observant /. readers would know that this problem has already been solved. Scroll down just a bit further and you'll see that Greece has decided to ban the sale of it. No need to panic. Keep calm and carry on.
  • "Running amok" must be a technical term.

  • And one of those states is the US.
  • Blame the Operating System maker. Just how difficult can it be to not run an executable downloaded from an email attachment or clicking on a website

Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling

Working...