Spyware for Corporate Espionage
therufus writes "Late in July, an e-mail that hit employee in-boxes at a British credit card and finance company carried a secret payload--spyware capable of recording confidential corporate data and sending it over the Net."
I'm surprised this post didn't find some way to blame Microsoft...
Most of my company's data already goes right to our competitors already. What with our fancy new wireless network. Check it out - SSID: linksys, no wep, no wpa...
Don't open Emails that you have no clue who they came from. This is just common sense.
Some enterprising cracker is going to encapsulate a key logger into a piece of spyware, it is going to have a logic bomb in it so it will self destruct (the purpose to gather info and then leave no trace), it will record passwords and other info, and that info will be sent back to some third party possibly a hostile government.
/dev/null.
It's going to happen. Here's why it's troublesome and mod me down if you must but our operation has a blind allegiance to Redmond and the IM folks are not particularly bright. We have had network problems in the past. China has opted to bet the farm on Linux after seeing the Windows Source Code.
As one of the few Linux developers here, I fear a nightmare is coming. I would really welcome any ideas that anyone has about how we combat this or put our minds at ease.
Redmond related flames go to
Designing a spyware program: $153
Bulk emailing said program: $35
Obtaining thousands of credit card numbers: Priceless
Congrats for not putting any of your usual nonsense 2 cents into the people's news submissions... yet. Maybe getting married has some good side effects after all...
Dubbed the Consortium Of Anti-Spyware Technology Vendors and led by the creators of the popular Ad-Aware and Pest Patrol software programs, the group is trying to create standard definitions of "spyware," "adware" and other pests, and give best-practices recommendations to the companies that want to avoid being blocked by their software. (emphasis added)
Once again, the main technical problem lies with Windows. Spyware is just another form of malware, which takes advantage of defects in the operating system to gain access.
I would hope that the Consortium Of Anti-Spyware Technology Vendors would promote Linux, Mac and other operating systems that are better equipped to rebuff malware attacks.
Ruby on Rails Screencast
I work for a Fortune 500 financial institution. We have very stringent requirements for our customer information. For instance, if any bank manager decides to take any client information to work over the weekend, he/she must get approval from 25% of the clients that he will work on. This is according to FCC regulations especially if said bank manager is using a wireless router with Verizon.
We also frown upon expedient use of inter-office e-mail for non-productive purposes. We found that the best way to rationalize our procedures is to make the frequent example of an employee who refuses to follow the rules.
Another point where we emphasize data security is in the discardation process of obsolete hardware. We make sure that any media has been de-magnetized (in case of floppies and CDs), exposed to ultraviolet light in case of Hard disk drives, or combusted for tape media.
So far our security record has been 100% according to our internal auditing firm.
Which is nice.
Maybe if more companies get hit by these things, more BIG companies, more pressure might be applied to help solve the problem, tougher laws? Higher fines?
And it has to be more than the USA that makes these laws, we need Asia and Europe to follow and nail these people.
My question is about sneaks. There are software packages that sneak spyware onto systems currently, but little is published about how to prevent this from happening. New technology circumvents anti-spyware using .Net and other features that hide the programs running. Similar use of .Net is made by Counterstrike hacks, for cheating.
My guess is that while we keep putting energy toward blocking spyware, and detecting it, the same energy is being put toward inventing it. Is this a battle between good and evil? It would seem so.
Generally, I run anti-spyware programs on a frequent basis, but is it enough? Likely not. A watchdog organization, at the governmental level, is required, not just a committee. Committees come and go, but their findings should go toward an ethical standards legal department, or some kind of funded watchdog that has a declaration of what an ethical software package is, and what crosses the line. Penalties involving more than fines are in order, too, or you get people who just want to break even or make some dough, but are willing to risk fines. Espionage is illegal. Maybe that law applies, but IANAL...
I'm not. This is the logical conclusion (Or beginning) to the "virus age" that we've been experiencing. And I think the article is wrong in some respects, like their thinking that the script kiddies and such are long gone. They are still here, and are having more effect than ever as they modify already dangerous viruses, making it harder to block and stop them. And tell me, when has broad ranging legislation really helped anyone? Until it's proven effective, I will remain wary of anything of the sort.
for the last time people, I am "frodo from middle eaRTH", not "middle eaST".
See? Bad things do happen to bad people!
don't allow outbound traffic, except specific ports to specific destinations, maybe? and use two factor authentication? three if you are absolutely paranoid?
I've seen similar procedures implemented in Healthcare as well, especially when it comes to cleaning up old drives.
Who the hell modded this as a troll?
I remember sending that one, ;D
-Tim Louden
I second that, it would not be too hard to either write the key logger or the logic bomb - for that matter it would not necessarily need to destroy the entire program, just anything that can be used to track back to the originator. The biggest problem in preventing something such would be to control the vectors through which it could be introduced to the network (i.e. Users running e-mail attachments), because once the program is on the network the damage has been done.
Don't open Emails that you have no clue who they came from. This is just common sense
Come on, grow up, we're no longer 6 years old and there is no good reason why we should be forced to live in fear of our emails!!
If an email can do all kinds of bad stuff to your computer, it is the fault of the one who wrote the email software, period..
Don't try to blame the victim because he was simply using the software for what it is supposed to do ...
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
What steps can be taken to ensure that there isn't some rogue keylogger running on an OS X system?
Microsoft is now focussing on security, so there's no need to worry any more :-)
Since we're 110% confident that all those dedicated knowledgeable MS administrators will be keeping up-to-date with all the patches, and that with the new focus, MS software will soon be completely immune to viruses, who cares about any of this stuff ?
Simon.
[removes tongue from cheek]
Physicists get Hadrons!
The problem here is at several different levels. You can no longer expect nowadays to be protected by simply closing your doors to the outside world (ie. protecting your computer against outside attacks), but you also have to learn how to protect your computer from internal attacks. The risk of having a program already installed in your computer trying to access your data is quite higher these days than it was a few years ago, and for this very reason corporations should spend more time trying to develop encrypted systems for data storage and tighter policies aimed at improving their security systems.
It's also necessary to protect your data against your very own employees when they are not supposed to be able to see it. And I can say that often this is not the case.
Another important and necessary step is to instruct people using computers to work on security. And this is often not the case either.
Diego Rey
diegoT
As a sysadmin that has been dealing with security issues in financial and other corporate settings for well over a decade, I can tell you that the fear-factor on kiddies with their viruses starts to fade over time. However, what I've noticed happening is that people are coming to accept these relatively benign viruses, root-kits, etc as a fact of life, and they seem to be forgetting that where kiddie-hack-of-the-week can succeed there WILL ALWAYS BE a small, but worrisome number of clueful people exploiting the opening.
Most often those people are insiders, so you have the added worry that things like firewalls are useless (do you sniff email for viruses on internal mail? do you have unpatched servers that only internal users have access to?), and they may be able to convince others that you think you can trust to look the other way.
Security is one of those ugly balancing acts. Ultimately, it's a losing game because once a determined cracker with a clue sets their sights on you, you're done for. No amount of security is sufficient... really (yes, even a gasketted vault with armed guards CAN be cracked). The key is risk-vs-reward and always trying to make sure that some poor clueless bastard out there is an easier target than you.
Some enterprising cracker is going to encapsulate a key logger into a piece of spyware
That seems like a lot of trouble to read your slashdot posts, when all they have to do is click on your username...
"If you think you have things under control, you're not going fast enough." --Mario Andretti
Well we know that a lot of these get around even secured networks because of the users. However, in most of these networks there is a competent admin who runs a firewall, but can't run ad-aware on every machine constantly (and if that were feasible, damage might already be done in one user session).
So here's my idea, which maybe is already done but if it is I'd like to hear more about it. Have the firewall maintain grey-listed domains/IP's, essentially running a quick spyware check on outgoing traffic. I don't think this would be a huge CPU load, as most traffic is incoming, not outgoing, in most offices. But I know I would like the routing machine in my office to send me a quick note if it suspects that IP 192.168.xxx.xxx has some spyware on it so I can check it out.
Seems like a simple enough idea... it wouldn't even have to be done real-time as by the time an admin got the note, real-time action could not be taken. But a router could use some spare CPU cycles to check its log's latest outgoing packets for at least some known activity.
Perhaps there is even a pattern of activity spyware reports through that a Bayesian-like filter would be able to catch and alert us of suspicious activity.
When we go home from work, we all know that despite how we have users that simply open email and click attachments like nuts no matter what we say. At the same time, these people have skills that our offices need. Perhaps this would be a good added layer of protection to prevent spyware from staying around long enough to cause damage.
The only thing more dangerous than a file named -rf is renaming it -rf\ /
Do you need to hide where it sends info. Couldn't you just get some software to send the info to, say, all hotmail addresses and then pick it up at your leisure? Sort of a reverse spam thing ...
Don't go to a brothel if you want to buy broth
Attacks like these raise an interesting question: Where are the good corporate spyware detection systems? I want to see a system that can be managed centrally and sends all spyware notifications to a centralized database. McAfee and Symantec don't have anything worthwhile. Does anybody know of a system like this?
Learn Chinese?
The only thing that's news here is that someone caught it. God knows how much information is redistributed / modified this way (there are at least a dozen similar methods I can think of personally that any self-respecting spy, corporate or otherwise, must be using). That this one was caught just shows that people that aren't professionals are getting into the game.
I have the pessimistic view that anything you know that someone else knows must be public knowledge (certainly to any member of the public that cares to know). The trick is, if you know they know, how do you minimize the damage from the notions of a "secret" or "confidentiality" becoming extinct?
God forbid we do develop telepathy like some sci-fi prophesied evolutionary advance.
At least for those with Windows boxes. My two favorites:
Spybot S&D It's free and it "inoculates." Regular updates too.
Spywareblaster. A little redundancy, and it has a nice Flash killing tool as well.
Honorable mention:
Peer Guardian. In addition to RIAA IP address killing, it prevents loading of DoubleClick ads and snoopware. Regular blocklist updates, and IP addy's may be manually added.
Slashdot "libertarians": Small government for me, big government for those I disagree with. -1, I disagree with you
Now all I have to do is figure out some way to get someone to execute that code....
*Yawn* So what? Idiots will always open email attachments from unknown recipients and ultimately execute some sort of hidden code on their machine mainly because they can't figure out how to turn that stuff off or stop clicking on everything they see. I'd love to blame M$ here, but it really is the techno-weenies that do it to themselves by pretending they know how to use a computer, yet no matter how many times they're told "don't open attachments" they do it anyway. I love it when the email software is set up to autoexecute this stuff by default so they don't even know about it. RTFM, people!
-gam
"In theory, theory and practice are the same; in practice, they are not."
I remember that MS was going to show some Far Eastern country some limited version of the Windows source, but was it really China? After arguing that the Windows source was a matter of US national security? And did it really come to pass that China actually got to see the source?
Hmmm....."Microsoft Gives National Security Secrets to Communist China" might make an interesting news item.....
Adherence to the truth is a form of disloyalty.
The internet is often compared to the wild west of mid-19th century USA. If they would simply let us apply Wild West Justice in such cases, after a couple were tracked down, 99.9% of this garbage would stop.
I think that China chose Linux not because of Windows source code but because Windows is the product of an American company.
But maybe I'm wrong.
Iraq: war to save the U
This is a great example of how to think like the enemy.
If you have a $300 lock on a $200 door surrounded by $10 wall panel, what are you going to take the sledgehammer to?
This also leads to another point, if you do security well and nothing happens, then no one knows, but you end up pissing every one off. If you do not do it right, no one is pissed until something happens, then everyone knows.
User obliteration is the only way that I know of to remove insecure nodes from a network.
Are you talking about the US Military? Siprnet is rather closely watched, computers are audited for unauthorized applications, people get in serious trouble for installing unauthorized software on a secure network machine. It isn't connected to the internet. Ever.
And if you're not talking about siprnet, then that machine/person/network just really isn't important enough to worry about - from a national security perspective.
meh.
In the security context, Kazaa is actually much more to blame than Microsoft. Kazaa installs New.Net and other intrusive applications that compromise the privacy of their users. It is true that Microsoft Media Player and Windows Update also collect data on the habits of the userbase, but AFAIK their software isn't quite so intrusive.
In the context of preserving intellectual property, Kazaa is to blame to some extent, but perhaps less so than Microsoft, Cisco, the phone companies and other infrastructure providers. Kazaa couldn't exist without a high-speed digital network with pervasive, ubiquitous connectivity. Kazaa is really only the "last mile" of a journey across a continent - because the infrastructure exists, destroying Napster and its derivatives simply causes the network to evolve a more rugged replacement - because the effort to evolve a new Napster is almost trivial.
In any case, Microsoft could do some very public things to improve security:
To date, Microsoft has done nothing more than some enthusiastic chest-thumping about security. They have not seriously engaged a solution, and they are losing sales as a consequence.
Vendors routinely give out free stuff at conferences, and one of the popular ones these days (actually halfway useful!) is a free 32mb USB key. And of course, every such key comes with plug-n-pray drivers so you can plug it in and start writing to it.
They could easily include some network code in the driver that sends every document you write on the key to the company that sold the device. Of course, obscure this process: send only during idle periods; encrypt the document; send the files to some anonymous file dump in Malaysia or something that's only known and accessible by the company...
Since these devices are routinely given freely to corporate representatives, this might net a high percentage of corporate documents, some of which might be valuable.
- David Stein
Computer over. Virus = very yes.
The advantage of completely wiping the key logger is that if you destroy the evidence that they've been hacked, they'll never raise their suspicions, and you're much more likely to get away with whatever you're going to use those passwords for.
Otherwise some administrator browses through someone's machine two months later, trying to figure out why it's so slow, and says "oh, shit..." - and then security clamps down like a {pick useful crude metaphor here}. It's far easier to slip in when no one's the wiser.
-Hentai [in vita non pacem est]
I've had really good luck with spybot s&d for removing Windows spyware/malware/adware, etc., but though it is freeware, I'd really like to use and support an Open Source removal tool - I want to see the source, etc. - in my co.'s environment. Is there such an animal?
"The basic tool for the manipulation of reality is the manipulation of words." - PK Dick
just try and install a keylogger program remotely via email on a Linux system... IT CANNOT BE DONE... and as soon as more people who make the decisions start to realise that MS-windows is hopelessly borked as a secure platform there'll be more companies switching.
I look forward to the day when only having ms-office and windows experience on your resume gets it tossed in the bin... the clueful ones will now be looking for Linux and OpenOffice.org experience.
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
We have had network problems in the past. China has opted to bet the farm on Linux after seeing the Windows Source Code.
Even worse, maybe China never intended to use Windows but just wanted the source so that they might discover more vulnerabilities.
The secret to your problem, isn't turning their requests down. But in a CYOA maneuver, you get every request in writing, nothing less. Make copies and keep them off site. When the shit hits the fan (and it will), then you have backup against anything they may throw at you, including wrongful termination. They may not like that, but then again they shouldn't have any problems backing up their "bright ideas", now should they? After all this is the same group that has no problem with "just think of the company"[1] when it comes to asking you to sacrifice for them. Turn it one-eighty and make them sacrifice "for the company". After all we all are here to work, right?
[1] Big hint audience, when it comes to playing this game. You must be able to use their words, and rhetoric against them, because they most certainly have no problem with doing the same to you. Pisses 'em off, but I'm here to work, not play mind games. Take it somewhere else.
It had to be only a matter of time before dedicated individuals / groups took advantage of the plethora of spyware out there for criminal intent. The truly dedicated would write their own, natch.
Christ, William Gibson brought this up in Neuromancer back in what, 1982?
A Human Right
You can deduce an awful lot about classified matters if you can gather enough sensitive but unclassified data. Much as I despise Admiral Poindexter of Iran-Contra and DODs Total Information Awareness Program, he has quite rightly pointed out this problem in the past. But his proposed cure, which involves stopping the publication of some scientific research among other things, is likely worse than the disease.
FreeSpeech.org
The record companies have always been losing money to organized piracy rings. The only reason they're coming down so hard in the US and soon in Europe is because they managed to legislate themselves something other than civil remedies.
Oh, and IRC anyone? It'd be impossible to count the amt of warez/porn/music/games/... that has flowed through that system. Kazaa is just making it easier for the majority of people. Up till Napster, you mostly got your shit from that lucky bastard with a cable modem (unless you were that lucky bastard) and a working knowledge of the underground FTP and IRC scene.
[Fuck Beta]
o0t!
Well, I've had a couple of late nights and long days, is all I say in my defence...
I disagree...it is MUCH better to have the entire program destroyed and no trace left whatsoever that the key logger/trojan/whatever you want to call it was there. That way a post mortem could not determine whether a specific machine was compromised.
What would be scarier to you if you were in charge of machines with valuable data on them - a warning that said there was a potential breach, and check here, here and here to see if you were affected, or a warning that said there was a potential breach, however there is no way to determine whether you were affected or not? The latter situation certainly sounds scarier to me (if I actually had anything that mattered on my PC)
to the MS Outlook virus-propagation problem.
It's simple - create an Outlook virus which emails a Windows activation-code cracking program to everyone in the victim's address book. Then the virus would redirect the user to the warez sites where they could download "free" copies of Windows.
I can just about guarantee that Microsoft would have a patch within days, if not hours. After that, auto-execute for email attachments would be a thing of the past.
The society for a thought-free internet welcomes you.
It might also make sense to standardize on a custom Knoppix OS, booted fresh each day. A hard drive could still be used for storage and settings.
The global economy is a great thing until you feel it locally.
Send your stolen information encrypted to a USENET group, and pick it up there. No connection traceable that way. And no one but you can read it. And out of the millions of messages...who else would know where to find it. Especially if you bounced it through some nym servers or mixmaster servers around the world a few times.
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
Yes, you can [deduce]. I agree with you 100% and, to an extent, that will always be a problem, especially in non-totalitarian societies. However, in that case, the spyware will have to remain in place undetected for long periods of time, forwarding large quantities of data to be analyzed. This greatly increases the risk of the spyware being discovered on any military network, siprnet or not. Not that it cannot be done, but those are exactly the kinds of traffic patterns that are monitored for, even on unclassified networks connected to the Internet.
meh.
But I thought that Siprnet was connected to the internet in the context of the transmissions over the internet? Granted a Siprnet computer cannot access the general internet and such associated websites and etc.; however, it does need a means for communication between bases.
Misread: Anyone aware of Open Source Spyware? ::)
In this case, my counter would be that you know the vendor... or at least, you should know the vendor and at least trust them somewhat. If "unknown company X" gives me something with a burned disc or whatever I'm going to be a bit suspicious. If well-known/respected company Y gives it to me, I'm a bit more trusting.
The main differential is that virus writers are in many ways untraceable and anonymous. Most of the people presenting at a conference should be traceable in some form, and thus accountable.
Lol, Half-life 2 had a problem as well.
I would rather suggest that you block all outbound traffic that is not destined to trusted servers. All dropped connections are logged for later analysis.
Of course there are scenarios in which this cannot be implemented. Also it's not a fool proof solution, as some of the spy/ad/malware may (will) use http proxy sending back the gathered information.
-- Reality checks don't bounce.
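Two ideas from the comments above, a firewall-side grey list checked against outgoing traffic and default-deny egress with logged connections reviewed later, combined in one offline log review. This is an added example, not code from any commenter; the iptables-style log lines, the EGRESS-* prefixes, every address, the lists and the repeat threshold are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: iptables-style LOG lines from a gateway (assumed format).
SAMPLE_LOG = """\
Aug  3 09:01:12 gw kernel: EGRESS-ALLOW IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=1034 DPT=25
Aug  3 09:02:40 gw kernel: EGRESS-ALLOW IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.45 LEN=60 PROTO=TCP SPT=1101 DPT=80
Aug  3 09:03:05 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.168.1.31 DST=192.0.2.77 LEN=60 PROTO=TCP SPT=2201 DPT=6667
Aug  3 09:04:05 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.168.1.31 DST=192.0.2.77 LEN=60 PROTO=TCP SPT=2202 DPT=6667
Aug  3 09:05:00 gw kernel: device eth0 entered promiscuous mode
Aug  3 09:05:05 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.168.1.31 DST=192.0.2.77 LEN=60 PROTO=TCP SPT=2203 DPT=6667
Aug  3 09:06:30 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=192.0.2.5 LEN=60 PROTO=TCP SPT=1050 DPT=443
Aug  3 09:07:10 gw kernel: EGRESS-ALLOW IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.45 LEN=60 PROTO=TCP SPT=1102 DPT=80
"""

INTERNAL = ipaddress.ip_network("192.168.0.0/16")
# Trusted (destination network, port) pairs: the only egress the policy expects.
TRUSTED = [("198.51.100.10/32", 25), ("198.51.100.20/32", 8080)]
# Grey list: destinations worth a note to the admin even on an allowed port.
GREYLIST = ["203.0.113.0/24"]
# An untrusted destination retried this often by one host looks like a beacon.
REPEAT_THRESHOLD = 3

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Extract src, dst and dport from one log line; None if it is not a flow record."""
    fields = dict(FIELD.findall(line))
    try:
        return {
            "src": ipaddress.ip_address(fields["SRC"]),
            "dst": ipaddress.ip_address(fields["DST"]),
            "dport": int(fields.get("DPT", 0)),  # ICMP and similar carry no port
        }
    except (KeyError, ValueError):
        return None


def classify(rec):
    """Grey list wins over the trusted list, so a listed host on port 80 is still flagged."""
    if any(rec["dst"] in ipaddress.ip_network(n) for n in GREYLIST):
        return "greylisted"
    for net, port in TRUSTED:
        if rec["dst"] in ipaddress.ip_network(net) and rec["dport"] == port:
            return "trusted"
    return "untrusted"


def suspicious_hosts(log_text):
    """Map each internal host to the (verdict, dst, dport, attempts) tuples worth a look."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] not in INTERNAL:
            continue
        verdict = classify(rec)
        if verdict != "trusted":
            counts[(str(rec["src"]), verdict, str(rec["dst"]), rec["dport"])] += 1

    report = defaultdict(list)
    for (src, verdict, dst, dport), attempts in sorted(counts.items()):
        # Any grey-list hit is reported; other destinations only when repeated.
        if verdict == "greylisted" or attempts >= REPEAT_THRESHOLD:
            report[src].append((verdict, dst, dport, attempts))
    return dict(report)


if __name__ == "__main__":
    for host, findings in suspicious_hosts(SAMPLE_LOG).items():
        for verdict, dst, dport, attempts in findings:
            print(f"check {host}: {verdict} destination {dst}:{dport} ({attempts} attempts)")
```

As the comment above already points out, traffic relayed through an allowed HTTP proxy shows up here only as a trusted connection to the proxy, so the proxy's own logs need the same review.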
I'm running a small business.
I need to read mails from unknown people, because those are... my new customers!
How about removing Outlook and Internet Explorer instead and installing a secure email infrastructure. I have never ever, not even once, felt the need to not open an email because it might be insecure.
Advocating not opening emails is even worse than running exploitware from Microsoft in the first place.
They should be writing definition files that detect and remove all spyware. Turn it on by default and make it optional to remove. In my opinion they are a much larger threat than viruses. Essentially, they're legal trojans.
Of course many AV companies are scared to do this because of litigation, but a line has to be drawn somewhere. Not to mention the AV program itself might be spyware if it sends data home about the user. Even "anonymous" data should be considered spyware.
Also, how about certifications? A "TrustE" like program that certifies software would help somewhat.
They're connected by dedicated links, not routed over the internet.
Siprnet is rather closely watched, computers are audited for unauthorized applications, people get in serious trouble for installing unauthorized software on a secure network machine. It isn't connected to the internet. Ever.
You sir, are either ignorant or full of it. Not only is SIPRNET connected to the regular net, so are other more highly classified networks. Don't believe me? Go ask anyone that has worked in a SCIF for more than a year how many times their MS systems (on the "secure" network) have gone down because of viruses.
There's a standard USB Storage interface, and every modern OS (i.e. everyone but SCO) comes with its own drivers for treating devices which use that interface like removable drives. There's no obvious reason for a USB storage device vendor to produce their own drivers (which would require installation, whereas the OS drivers should just work when you plug the device in); if you've actually seen one with custom drivers maybe you really should be suspicious.
I tried to e-mail to you, but I didn't get a reply...<bud-dum-dum> Thanks, I'm here all week.
For a while now, almost every e-mail worm sends out e-mail to addresses found in the victim's address book. In other words, a huge amount of viruses and worms are, or appear to be, coming from people that you know and trust.
Short of reviewing the Received: headers on every e-mail, you really have no clue who they came from, even if you think that you do. So which mails am I supposed to open again?
Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.
I don't know about other networks, but the classified network at LLNL is quite securely locked down. Separate computers, separate network. The cables don't even run through the same conduit. The computers have to be on opposite sides of the room. There are no floppy or CD drives on the secure network. The hard drives for any machine on the secure network go into the repositories (read: big strong safes) when not in ACTIVE use. Employees aren't allowed RF devices with batteries on the site (none of the new palms with RF in them) and cell phones are only permitted if the batteries are out and in a different pocket. These guys take security seriously. A lot more seriously than most corporations. I think many comments are by people who are criticizing from the outside. Perhaps some other arm of the government which runs unsecure networks, but these ones are cracked WAY down...
offtopic wrt main topic but, what about SCADA attacks?
PBS did an excellent show on CyberWarfare highlighting that it's the points of weakness where attacks are most likely to occur. Milnet, siprnet, etc may be secured but could any *western* city be without power for a period of 6 months? Think asymmetric not conventional and you can appreciate how real such threats are taken.
peterrenshaw ~ Another Scrappy Startup
http://www.microsoft.com/info/nareturns.htm?SD=GN&LN=EN-US&gssnb=1
What will ultraviolet do to a hard drive? I don't think this would be effective.
If you want to make a drive's data unrecoverable, open up the drive and remove the platters. Smash them into pieces, then incinerate. (Or at least get them up to a temperature where they lose their magnetic domains...)
Caveat Emptor is not a business model.
>It's going to happen. Here's why it's troublesome and mod me down if you must but
>our operation has a blind allegiance to Redmond and the IM folks are not
>particularly bright. We have had network problems in the past. China has opted to
>bet the farm on Linux after seeing the Windows Source Code.
Thank god that MS don't have anything like keyloggers hidden away in standard Windows DLLs, storing, compressing and then uploading a few k every day.
> As one of the few Linux developers here,
LOL!
Gator does not make AD-Aware. Lavasoft makes AD-Aware.
You might be thinking of Spyware Nuker, which was spun off of the company (Lions' Pride Enterprises) that made the "Yo Mama Osama" spyware.
Caveat Emptor is not a business model.
>Why do the corporate firewalls not block out-bound traffic to all ports but a select few HTTP/SSL
Even if you disable general-purpose Internet access so that malware can't connect to arbitrary servers and tunnel things over HTTP/SSL/etc., you've still got a problem. The malware could send specially coded requests which could be intercepted and decoded by a sniffer anywhere along the path. You would raise the bar for an attack, but at a terrible cost in functionality.
I might be either or both, but leave me out of it. As I was briefed (over 5 years ago, perhaps in today's carefree world, things are more lax), there existed no physical connection between The Internet and any SIPRNET connected machines. I did, however, notice a few SIPRNET machines with floppy and/or CDROM drives. One might just as easily speculate that the vector was sneakernet. The existence of virus outbreaks, then, does not prove a direct connection to the Net.
meh.
The scary part in all of this is that the average home user doesn't have a chance! Security is a hugely complex issue, that in a corporate environment needs an IT professional to at least provide some chance of preventing crack attempts.
What's the average home user going to do? Maybe it's time for a "Trusted Boot CD" for home users? Just take Knoppix and streamline it little more so people can at least do online banking in relative safety.
Enterprising crackers use Sub7 Enterprise Edition. :-). It is happening right now on a corporate PC near you.
That, and the fact that China can't control Microsoft, but will be able to control their very own officially sanctioned version of Linux.
(What, you think they've gotten all warm and fuzzy about the GPL? What makes you think they won't keep their own source to themselves, and kink it a bit so it's not quite a no-brainer to replace StateOS with something downloaded -- assuming you got it through the Great Firewall?)
GPL only keeps software "free" if you have a government to enforce the license agreement under its own copyright law. The GPL can't keep code free from the government itself.
Where I worked, our secure computers never had viruses. Nor were they directly connected to the Internet; they used a physically separate network, with the cabling visually inspectable for their whole length.
So much for "just ask anyone".