So, it seems the NSW police here in Australia are a customer and use this.
Ignore for a moment whether it's a good or bad thing that police use tools like these. What I want to know is, what happens once they "get their guy", so to speak.
Does the malware stay on that computer forever, violating the privacy of family members, or other users of the computer should it be sold on and not wiped correctly? What happens if it's not the correct person?
Basically, why are the police spying? To me, that raises some ethical questions and makes me feel that the police will handle things like this in a very ham-fisted way, like they usually do with technology. Worrying.
(I'm also in NSW) -- The list of "support requests" on the customers page suggests that the tools are used only in accordance with duly-issued warrants. Access would need to be removed once the purpose of the warrant had been fulfilled, but we may never know whether they get that right in practice. Ben Grubb has collated some background information on the operation of those laws.[1]
I have not looked at the materials but I suspect most or all Western countries using this toolkit are using it for specific investigations where warrants have been issued.
I personally have no qualms with the FBI planting malware as just another form of surveillance (if they have a warrant to search your home and tap your phone, why shouldn't they be able to get a warrant to monitor your computer?). The problem with Gamma Group, and what I suspect is one of the core reasons for this leak, is that they happily sell their product to extremely oppressive regimes and give them personal support, knowing full well that the tools are being used to spy on and find dissidents, protesters, and political opponents.
There is a weird "Us and Them" vibe from your comment.
Does the US/Australia/UK's treatment of Julian Assange (as an example) not count as "oppressive regimes" and "...dissidents, protesters, and political opponents."?
How is that different to <insert country you were thinking of when you wrote "oppressive regimes"> ?
(I ask honestly, not rhetorically)
I'd wager that the difference is that your chances in the US, Australia, or the UK that a bunch of thugs kicks in your door at three am, grabs you and disappears you forever are a whole lot smaller than in some of the real oppressive countries.
I'm not claiming that everything is perfect in those western countries, but compared to them there are some truly evil regimes around in countries where absolutely no checks and balances exist to rein abuse in.
While this may get me down-voted into oblivion, since the author may easily be one of the most hated people in the tech world, I recommend Evgeny Morozov's "The Net Delusion", which is a quite insightful take on the abuse of tech by oppressive regimes.
It depends. Countries like the US are ruthless to those whom they consider enemies of the state or traitors, but let's be honest, the qualifications to be an enemy of the state are much higher in the US than they are in a country like Tunisia, Pakistan, or Iran. The FBI is not going to plant malware on your computer just because you say "fuck Obama" or are planning a protest, but this could very well happen in many oppressive countries.
The US treats certain people very unethically, including Assange, but in these cases it's more a sense of vengeance for having our top secret dirty laundry aired, compared to simply disagreeing with or disliking the government. We still have a long way to go, but the freedom to express yourself is simply a lot higher in most Western European and North American countries.
"I have not looked at the materials but I suspect most or all Western countries using this toolkit are using it for specific investigations where warrants have been issued."
If you take a look at the actual licensing by countries, you will see my suspicions are indeed confirmed. The support tickets issued by Australian law enforcement, for example, mention that use is only permitted through warrants and even specifically states their reporting and documentation requirements.
>Our Warrants authorize the use of the FF intrusion capability as well as the individual modules that are used. At the conclusion of a warrant there is a requirement that a report is made on every date / time each module captures information. For example, if a key logger captures data at 1pm 2/1/2013 we need to report this to our legal system. This time/date is important for reporting procedures as there is a requirement to record every instance a module is used. Is there some way of just extracting the time/date and module name to a report?
This does not constitute unethical use of this software. This is simply a way of placing a "wire tap" on a computing device.
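The reporting requirement in the support ticket above (every date/time at which each module captured data) is the kind of thing a small log-reduction script handles. The following is an added example written for this thread; it is not the vendor's code and it knows nothing about the real product's log format. The line format (`<ISO timestamp> module=<name> event=<capture|...>`) and the sample lines are constructed here purely to illustrate the extraction; a real deployment would have to be adapted to whatever the agent actually records.

```python
"""Extract a per-module capture timeline from a capture log.

Added example for this thread, not the vendor's code. The log format
below is an assumption constructed for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input (not real product output). One line per event;
# non-capture events and malformed lines are present on purpose so the
# parser has to skip them rather than silently miscount.
SAMPLE_LOG = """\
2013-02-01T13:00:00 module=keylogger event=capture bytes=812
2013-02-01T13:00:05 module=keylogger event=capture bytes=40
2013-02-01T13:07:21 module=screenshot event=capture bytes=210944
2013-02-01T13:07:30 module=heartbeat event=ping
2013-02-02T09:12:44 module=microphone event=capture bytes=1048576
garbage line that must be ignored
2013-02-02T09:15:00 module=keylogger event=capture bytes=120
"""

# Assumed line layout: timestamp, then key=value fields. Only the first three
# fields matter for the report.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+module=(?P<module>\w+)\s+event=(?P<event>\w+)")


def parse_captures(text):
    """Yield (datetime, module) for each capture event.

    Lines that do not match the assumed layout, have an unparsable
    timestamp, or describe a non-capture event are skipped.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("event") != "capture":
            continue
        try:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
        yield ts, m.group("module")


def build_report(text):
    """Group capture timestamps by module, each list sorted ascending."""
    report = defaultdict(list)
    for ts, module in parse_captures(text):
        report[module].append(ts)
    return {module: sorted(times) for module, times in report.items()}


def format_report(report):
    """Render the report as plain text, one module per block."""
    lines = []
    for module in sorted(report):
        lines.append(f"{module}: {len(report[module])} capture(s)")
        for ts in report[module]:
            lines.append("  " + ts.strftime("%d/%m/%Y %I:%M %p"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(build_report(SAMPLE_LOG)))
```

Two caveats a reviewer of such a report would raise: it is only as complete as the agent's own logging (a capture the agent did not log is invisible here, so the count of raw capture records should be reconciled against the volume of collected data), and any line the parser drops as malformed should be counted and disclosed rather than silently discarded.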
If I were the company writing this, I'd include a remote uninstall command that left as few traces as possible, and encourage its use. It lowers the probability of discovery.
Since law enforcement typically wants convictions, it could be a selling point to prompt for uninstall when a warrant expires.
Hmm, I'm not sure if that's Gmail detecting an infected file. I'm pretty sure Gmail just blocks .exe and .bat files altogether (even in .zip archives).
If I were to download this, I'd do it with some masking tape over my webcam, booted from Kali Linux, inside a Windows VM from a library or coffee shop.
What people always seem to forget is that it's not the webcam but the microphone that presents the greatest privacy risk.
If you tape it off, it'll just lower the volume (and possibly dampen higher frequencies, but you just need 300-3800Hz for voice).
Additionally (outside the coffee shop scenario you describe here), what does a webcam do? OK, it'll see your face. Chances are they already know your identity. Maybe it'll catch one second of your underwear, big deal. Now compare to a microphone: much less data, but it picks up every conversation in the room, regardless of whether they're "in view". Much worse.
Different people have different rankings of what they consider to be a privacy risk. From recent news, we know that some people are very much into distributing personal images made by other people and kept in what was presumed to be private storage. We also know that some people enjoy manipulating images, including sometimes to torment those who have been photographed. Audio manipulation is less disturbing.
Consider also that some people have computers in line of sight of where they have sex, and an illicitly captured video recording of sex without sound is more often thought of as a privacy intrusion than an audio recording without video of the same ... as the noise from my neighbors might attest.
Would you do that on a laptop hard drive partition or on a clean drive? Would you use that drive after formatting it? I think that physically breaking the connection between the camera and microphone and the laptop would be a good idea.
These periodic reminders that the Internet isn't a safe place and that anyone might be spying on us probably make a lot of people learn about security, come up with better passwords, hesitate before downloading unknown software and so on.
When people get their identities stolen, or lose all the money from their bank accounts, this might be regarded as "random" events, in the same way that most people won't get mugged and when it happens it's because of "randomly" being in the wrong place at the wrong time. But more people have experience dealing with the government, and though they believe that criminals aren't interested in them they know that the government might be, and thus the government is seen as a more tangible threat.
Is it possible that governmental surveillance is on average a good thing, since it raises people's awareness and makes them protect themselves more? Having enough money in your bank account to buy food is, after all, a more basic need in Maslow's hierarchy than not having copies of your e-mail conversations in a government database.
I doubt it's advanced; their customer list doesn't include well established players like China, Russia and the USA. In fact, this might be the cheapest militarized malware you can get. The only way to go cheaper is to use a TeamViewer RAT.
It might not be the most advanced out there, but I wouldn't belittle the surveillance ability of countries like Pakistan, Qatar, Bahrain, and South Africa.
I didn't see any zips. Though zip is not the only vector one should be concerned with. For downloadable files, handle with extreme care. Exploration of the database content however is static, and I'm sure the Internet will thank you if you parse and compile a list of interesting patterns you find in it.
It will phone home. Don't do it unless it's disconnected from the network. It might also try to spread the infection through other attack vectors, like bluetooth, or trying to break out of the VM.
More likely it would self-destruct to avoid analysis or detection, this is well documented behavior of a number of more sophisticated pieces of malware.
Those zips are encrypted, that's why. I have included links to the unencrypted results [1,2], with ~80% detection rate. Notable green checkmark by Microsoft, perhaps FinFisher made extra sure to not get caught by Microsoft's heuristics?
Malware vendors usually use these services to test their load. They wouldn't release anything that would get detected on day 0. And I think antivirus vendors do more in-house analysis only if there are reasons to - such as votes from users, or other AVs detecting the sample.
I know many love to consider Snowden and Assange "heroes", but I think these two are people we should think outside the box on. Are they acting in the interest of everyone, themselves, or another party? The releases, interviews, and otherwise that get released seem very scripted and controlled. The propaganda machine is skilled and there may be unseen benefits to these leaks.
The releases are outside Snowden's control now. He carefully gave a dump of information to two newspapers. Those newspapers control the flow of the information now, and they obviously want to maximise the benefit to themselves by releasing the information in a controlled manner.
You're deliberately trying to discredit a person who made available proof that the surveillance machine is out of control.
While everyone else is dissecting the information and trying to digest it and working on solutions to the surveillance problem; you're obsessed with the messenger.
Well, I'd agree with you, but the way you phrased it made me feel uneasy. Are you saying that source criticism in journalism is overrated, or that Assange should be an exception to the rules?
This is the Internet. Isn't there enough room here for discussions about both the message and the messenger? Or is it that when the message gets strong or important enough, the messenger gets irrelevant in comparison?
What has the message to do with the messenger, in this case?
Sure we should be skeptical to all sources - media, individuals, government. Isn't this common sense?
The presented information, however, stands on its own, no matter who the person who delivered them represents.
What exactly would we gain from discussing the messenger?
Would that move anything forward?
What if we found out Snowden was paid by some Russian agency. What exactly would that change? Would the guys at Stellar say "Oh, the Russians paid him? Everyone stop changing passwords and re-issuing certificates, guys, everything's fine; he got paid by the Russians", and the slides with router passwords would suddenly disappear from the face of the earth?
I hope it's the language barrier and I'm failing to understand your point.
You're probably correct that it's the language barrier. The message has very little to do with the messenger, and I can't see who's claimed otherwise.
The difference seems to be about whether we SHOULD discuss the messenger. Assange still has the power to decide what to publish, and maybe more importantly when to publish it. Everyone who has a message to convey will wait for the right time to do so. This is true for political statements, for press releases, for when you ask your girlfriend to marry you or for when you tell your parents that you failed an exam. It would be silly not to accept that Assange cares about timing.
A discussion about the messenger shouldn't be seen as a discussion about the truthfulness of the message. For example: The Russian government accused the Ukrainian government of being fascists, and one of their excuses for entering Crimea was that they needed to protect the Crimean Tatars from these fascists. But the Tatars are pro-Ukrainian, and many of them fled when the Russians took control. Those who remained are being harassed, and there are Tatars who were even denied re-entry to Crimea after having traveled to Ukraine. Sure, there are far-right extremists in Ukraine. Of course there are. But the Russians didn't want to admit that the phenomenon is far more prevalent in Russia. Knowledge of the messenger helps us to put all of this into a context.
All I'm saying is that we should be generous enough not to censor discussions just because we're not interested in them. In this case, it means discussions about both the message and the messenger. When combined, the outcomes will provide us with even more information. Ad hominem arguments like "you're obsessed with the messenger" are designed to silence one of these discussions.
>A discussion about the messenger shouldn't be seen as a discussion about the truthfulness of the message.
If it isn't seen as a discussion about the truthfulness of the message, it should be seen as completely worthless gossip. Why would I be discussing Snowden as a person if I don't know him personally and I don't dispute the truth of his disclosures? Can't we pick a prettier celebrity to discuss to no particular end?
The only purpose in gossiping about people who disclose information which nobody seriously disputes is to confuse the simple-minded.
> Everyone stop changing passwords and re-issuing certificates, guys, everything's fine; he got paid by the russians", and the slides with router passwords would suddenly disappear from the face of earth?
No, but surely such a discovery should alter how we interpret the message, right? Suddenly, it's impossible to discern something that the US government is doing to its citizens vs. something that an enemy of the US wants you to believe.
I really don't understand why Assange and Snowden are getting such a pass. If anything, their motivations and the source of what they are releasing should be scrutinized ten times as much as any previous whistleblower or journalist.
Information doesn't necessarily stand on its own. Credibility, ethics, and trust are all important aspects and the public should always be prepared to question the messengers.
Think of everyday life. Ever been told only half the story? Been around gossip? Ever played the game 'telephone'? In all of these, you are receiving information, but the motivations and morals of the messenger can affect the impact and reaction to a message.
I do not follow what you mean by discretize, could you elaborate?
I'm merely trying to explain it's worthwhile to consider Snowden isn't acting in our best interest. Imagine Snowden's supervisor comes to him and says: "You're going on an extended special mission abroad. Leak these documents to some journalists. Act like you're trying to shed light on what's going on by playing the victim card. The goal is...."?
Per the leaks, solutions to the surveillance problem are limited and likely won't become something proliferated through the masses due to cost, availability, usability, or some combination of the three. We're talking about eliminating hardware-level vulnerabilities, not patching software. And even when and if we do fix these vulnerabilities, what's to stop them from doing it again? All it takes is threatening the life of the company or individuals involved in the development process.
I disagree. Solutions can involve broadening technical security awareness and education, not only for experts, but for the great masses. Suddenly, people who wouldn't have done it otherwise are installing PGP, guided by well-designed step-by-step instructions which didn't exist before Snowden. This is per se a Good Thing.
Awareness leads to more people trying to exploit things previously thought to be at least very improbable to break. Discussions about Crypto-Quines, VM-breakouts, you name it, are suddenly on the rise, at least in my perception (which has since sharpened significantly, and I'm not even in the least involved in security).
Better tools are developed to prevent goto fail;s. Other people fork OpenSSL, sunset SHA1, visit security-related conferences or donate money, you name it. This is a slow process, but things are definitely moving forward.
But again, you're avoiding answering the question: What difference would it make if your scenario were true? Would it negate that mass surveillance exists? Of course not. But that's what's important here, that's what's being worked on by people.
It's one thing to be a classical "we can't win anyway" naysayer, but it's a completely different thing to try to pull an ad hominem derailment, so the question arises: Who are you working for? What if your supervisor came to you telling you "Try to find something about Snowden we can use against him and his findings. A way to discredit him, maybe find someone who went to school with him who can make a fool out of him; maybe try to pull an Assange-like sexual assault case on him, anything", what would you do?
Like Julian Assange repurposing wikileaks donations into the Julian Assange sexual assault defense fund?
Whatever you may think of the allegations, it has become extremely blurry as to what the money donated to wikileaks' operation is actually used for, seeing as how Julian Assange wasn't supposed to be wikileaks.
Since his "sexual assault" allegations were, in essence, an orchestrated smear campaign to discredit him and by extension Wikileaks, and the health of the former depends on the latter, I see absolutely no problem here.
By Saturday morning, 21 August, journalists were asking Assange for a reaction. At 9.15am, he tweeted: "We were warned to expect 'dirty tricks'. Now we have the first one." The following day, he tweeted: "Reminder: US intelligence planned to destroy WikiLeaks as far back as 2008."