Court Slams Door On Sale of Spyware

coondoggie writes "The Federal Trade Commission yesterday had a US District Court issue a temporary restraining order halting the sale of RemoteSpy keylogger spyware. According to the FTC's complaint, RemoteSpy spyware was sold to clients who would then secretly monitor unsuspecting consumers' computers. The defendants provided RemoteSpy clients with detailed instructions explaining how to disguise the spyware as an innocuous file, such as a photo, attached to an email."

but why?

How is that illegal to sell?

Re:but why?

[Meshach]

Because they didn't disclose what they were doing.

FMI please RTFA

Re:but why?

[pseudonomous]

Ultimately, hopefully, the issue which will get the defendants in trouble will not be that they sold the keylogger software OR that they provided tutorials on how to trojan it into unwitting victims computers, but rather that THEY stored illegally obtained software on THIER server. Otherwise, this sets a dangerous precident where someone decides that software which potentially has valid uses, is declared illegal. (It's convoluted but you can imagine a case where someone might have a legitimate use for using keylogger software) It's like the whole "right to bear arms thing", just becuase someone shoots his neighbor doesn't mean guns should be illegal. (they should be, IMO, but this isn't the reason)

Re:but why?

[Roland+Piquepaille]

I think their problem is that they should have sold it under the guise of a computer security assessment tool or something, and not outright say it's for spying on people. It's like those countless micro-camera that are sold to "monitor babies", when in reality everybody knows they're bought by peeping toms who plant them in ladies bathrooms

Re:but why?

[Surreal+Puppet]

I honestly don't think you could pass of something this simple as a pen-test tool. You could probably pass it off as a pure remote administration utility. But this would require you to add lots of extraneous functionality that would seriously confuse the intended market, and you couldn't market it to them directly either (I guess this could work anyway if you could incite some really strange grassroots campaign.) On the upside, if the virus engines wouldn't recognize it, you wouldn't have to include signature-evading code (polymorphism, packing...).

Re:but why?

[Thanshin]

Lady: "Why is there a big pink bear in this dressroom?"
Bear: "Shut up and take off your clothes already."

Re:but why?

[moteyalpha]

Well I am seeing a paradox here because the NSA designs and creates tools like this and makes manuals to explain how to use it. Now they can say they are using it for a legal purpose, however if the mere fact of having something that could be used in a sneaky way is illegal then they would be guilty of possessing a criminal artifact. If creating the stuff is illegal, whoever contracts with a government agency to produce this stuff is criminal by this strict an interpretation. It seems to imply that a citizen can commit a crime and a bureaucrat cannot.

Re:but why?

[Surreal+Puppet]

You mean like the catch-all German "hacker program" law, that has had the entire security industry up in arms? The one where you could in theory get arrested for possessing a copy of NMap?
www.schneier.com/blog/archives/2007/08/new_german_hack.html

Re:but why?

It's like those countless micro-camera that are sold to "monitor babies", when in reality everybody knows they're bought by peeping toms who plant them in ladies bathrooms

Maybe they are being up front about the cameras and the "i" is just a typo.

Re:but why?

[KDR_11k]

They could simply classify it as a war weapon and limit it to govt agencies...

Re:but why?

[skroops]

charged with posessing a criminal artifact? The police get to have cool toys because they are police, and if they have to break in they will. Think slimjims, boltcutters etc. There is no conflict here.

Re:but why?

Ultimately, hopefully, the issue which will get the defendants in trouble will not be that they sold the keylogger software OR that they provided tutorials on how to trojan it into unwitting victims computers, but rather that THEY stored illegally obtained software on THIER server. Otherwise, this sets a dangerous precident where someone decides that software which potentially has valid uses, is declared illegal.

The "issue", described right at the top of TFA, was that they sold this software along with instructions on how to hide it on a 3rd party's computer without that 3rd party's knowledge or consent. You are worrying about something that doesn't exist - a legitimate use for illegal activity.

If you do not own the computer, it should be illegal to install software that runs surveillance on the person who does own the computer without that person's consent. The Federal Trade Commission and the US District Court evidently agree.

If you want to run software like that on your own computer or if you own a business and want it installed on all company computers, there is no problem assuming you've told the employees about it. It is not possible for you to spy on yourself without your consent, so there is no issue.

Not only did this company design, promote, sell and support a tool specifically designed to break the law, they went on to explain exactly how to use it to break the law as well as how to hide it from the victim while they do it. No need to worry about setting a precedent here. That sort of activity has long since been declared to be illegal.

Re:but why?

[Ihmhi]

Oh come on, it's just spyware, not encryption.

Re:but why?

Otherwise, this sets a dangerous precident where someone decides that software which potentially has valid uses, is declared illegal.

Oh, you mean like P2P software, password crackers, keygens, port scanners, CD burners, DVD rippers, MP3 rippers, viruses, encryption, etc.?

Too late!

Re:but why?

[Loki_1929]

It seems to imply that a citizen can commit a crime and a bureaucrat cannot.

Sort of like when police officers fly down the road at 40mph+ higher than the speed limit, change lanes without signalling, run stop signs, cut people off, tailgate people on the highway, and generally drive like the biggest bunch of suicidal assholes the road has ever seen but will pull over the rest of us for stepping even slightly out of line without a second thought?

Sorry, I just spend a lot of time on highways, so it just really bugs me.

BO

[negRo_slim]

Back Orifice anyone?

Bane of ICQ 98b users everywhere!

Re:BO

[negRo_slim]

Finding TFA severely lacking, might I recommend a more informative article from, Ars Technica.

Re:BO

Back Orifice anyone?
 
Thanks, but I'm really not into goatse.cx.

Time Frame

[cjfs]

As much as the FTC deserves an "A" for effort, however, the timeline of the case is an excellent example of how poorly equipped the government is when it comes to addressing this type of problem. The brief states that RemoteSpy has been available since "at least August 2005.

It hardly seems worth the effort if this time frame is typical. You'd hope any spyware scanner worth using would have picked it up 20x faster.

Re:Time Frame

[MrNaz]

To have had a greater effect, the court should have ordered that their hands be held in the door when it was being slammed.

Re:Time Frame

[TubeSteak]

You'd hope any spyware scanner worth using would have picked it up 20x faster.

Not all anti-virus and malware scanners will include commercial products in their database.

Re:Time Frame

[novalogic]

You'd hope any spyware scanner worth using would have picked it up 20x faster.

Not all anti-virus and malware scanners will include commercial products in their database.

Unless of course the commercial product in question is a Windows system file...

This is good.

[Surreal+Puppet]

But it's stuff like this we're really after: http://en.wikipedia.org/wiki/MPack_(software). People who code professional-grade malware generally do so to profit off of it. It's well known that in the existing ecosystem of digital crime the malicious hackers themselves rarely act as attackers in large-scale id/credit card theft; instead they sell it to people who do. Quoting this extremely enlightening interview: http://www.securityfocus.com/news/11476

"The project is not so profitable compared to other activities on the Internet. It's just a business. While it makes income, we will work on it, and while we are interested in it, it will live. Of course, some of our customers make huge profits. So in some ways, MPack could be looked at as a brand-name establishment project."

This particular piece of spyware is amateur stuff, aimed at paranoid spouses/bosses, but if we can hit the business of selling spyware (probably requiring the cooperation of the international banking system, as well as the governments of china and russia) it would totally cripple large-scale internet crime as we know it. It's a pipe dream, of course. But one can always dream.

Re:This is good.

[BountyX]

Credit card numbers are sold for 15$ a pop on irc. Social security numbers can run from 2-10 bucks. Now imagine stealing a backup tape with 15 million records...

Re:This is good.

[theArtificial]

http://blogs.zdnet.com/security/?p=2084Credit cards fetch around $2-3 a piece. Surprisingly WOW accounts go for $10+ USD.

Useless Trash

[www.blogLinux.org]

If the television show Cheaters is ok, then surely this should be ok.

Good intentions and all that...

[TapeCutter]

"...if we can hit the business of selling spyware (probably requiring the cooperation of the international banking system, as well as the governments of china and russia) it would totally cripple large-scale internet crime as we know it. It's a pipe dream, of course. But one can always dream."

I don't want to rob you of your dreams (or take away your pipe :), but the road to software hell is paved with legal definitions of the term "spyware".

Re:Good intentions and all that...

[Surreal+Puppet]

I totally meant to type "malware", but my head is muddled from a sleepless night. Spyware is of course only a part of the problem.

Re:Good intentions and all that...

[TapeCutter]

Ok, so "spyware" is a type of "malware", so define "malware"? - Can you see where I am going? - What is the magic algorithim that determines if an application is "malware"?

Re:Good intentions and all that...

[amnezick]

Oh come on. that's easy: if it's there doing something useless/bad for you/your system then it's malware.

Re:Good intentions and all that...

So Vista is malware? ...sorry, too easy...

Re:Good intentions and all that...

[Surreal+Puppet]

The thing with spyware is that it's included in legitimate apps, typically, and the user has to click through an EULA. Also, all software sold with the intended purpouse of large-scale crime have to be explicitly designed for the fraud in question (code for capturing credit card numbers and passwords from browser sessions/committing various forms of DDOS attacks for example.) The purpose of the software is obvious from it's construction (which conveniently also sets it apart from how commercial pen testing tools are constructed, which have no need for the above features, not to mention how they are marketed.) Relatively benign hacking software not explicitly designed for large-scale economic crime (phearbot, phatbot, poison ivy) would certainly slip under the pen-test or remote administration heading while actually being used in a very large amount of semi-skilled targeted attacks, but on the other hand these are not at all as dangerous given the assumption that the attacker simply acts as a passive consumer that cannot modify the tools he has bought (which is the load-bearing point of first post), and that the crimes we are looking to prevent are DDOS/data encryption extortion and large-scale credit card fraud.

Re:Good intentions and all that...

[blueskies]

What is the magic algorithm that determines of a freedom fighter is a terrorist?

Anyway, if you are really interesting in learning people are trying to come up with useful definitions that allow us to make the internet safer: http://www.antispywarecoalition.org/documents/definitions.htm

Labeling software correctly, ie: letting consumers make their own decisions, means we don't need the legal system to get involved except where stuff is fraudulently mislabeled.

You want to write malware, fin

Other legal purposes

Almost all software has legal use to some extent.
I am a small company owner. I have 5 employees and provide them with computers. I have told them that their computer use is monitored and bought this software to ensure I could perform that task. It does.

My computers are for my company to make money, not their personal use. No personal email. No day-trading. No on-line banking and definitely no gaming. Do that stuff on your own computer and own time. I've had to discipline employees for personal use before and expect to do it again. My rules matter.

Re:Other legal purposes

[Lord+Bitman]

Well, your rules don't /matter/, but I see your point.

Re:Other legal purposes

[NewWorldDan]

Right, and I don't think the sale of this should be blocked. On the other hand, I think these clowns should be prosecuted for knowingly and willingly aiding and abetting any number of felonies, and most of their customers should be prosecuted as well. This is a program primarily used for criminal purposes and those criminal acts should be prosecuted.

Re:Other legal purposes

I am a small company owner. I have 5 employees and provide them with computers. I have told them that their computer use is monitored and bought this software to ensure I could perform that task. It does.

The point there is that you own those computers. Short of setting fire to it, you can do pretty much whatever you like to your own property.

This keylogger company wasn't marketing their software to you. They were marketing it to the people who would like to sneak it onto your computer to steal your bank account passwords and explaining how to hide it from you while they did it.

Focus on root causes instead of symptoms

It would be nice to see antivistus software
become unneccesary by solving the root causes to security flaws in their system and their code instead of pushing thirdparty antisoftware out of the market by providing antivirus software for free.

Instead of trying to patch the security related symptoms like virusses etc, microsoft would be far more succesful to solve the root causes that lead to those symptoms. To that cause Microsoft should do something about their bugs, security architecture and other exploitable flaws.

Microsoft has proved throughout history not solving bugs or other security related issues, partly because of their interest to push new product versions into the market. So that said, it is not a very promissing story to the customer.

Independent third parties has more interest in solving security related symptoms, and they are more effective at it because it's their core business.

If Microsoft would be able to get a monopoly on antivirus software by providing this software or free, we all would lose.

Instead of having a laserlike focus on core business and being very good at it, Microsoft continuosly seeks to have a monopoly of mediocracy by having no core business.

Despite Microsofts succes pushing thirdparty software business out of the market, fortunately the open software community will only thrive even more with high quality solutions which make Microsofts mediocre products obsolete.

Sony?

Is Sony next to get smacked down by the courts? And what other major corporations are in line for a similar smackdown?

RemoteSpy spyware...on consumers' computers

[one_in_a_milli0n]

Now say that 10 times in a row!

Valid REason for HAving KeyLogger

[wizzerking]

I am a software developer for some companies, and we have included as part of the test installation keylogger software, as well as mouse clicking software, because with out this log of information we found that humans have no clue as to the path that was used to create a problem in the software. So this a very very legitimate use of the keylogger software, and mouse clicking software when the tester, is running our program. Other times I have used keylogger, and mouse clicking software on a customer's computer just to diagnose an issue the customer was having, and found that some one on the cleaning crew was using the computers as a gaming network, the company was unaware of this activity until I installed this invisible software on their computers with their permission. When everything settled down, then I was paid to remove the keylogger, and mousing logging software.

Re:Valid REason for HAving KeyLogger

[Aoet_325]

from time to time I run a keylogger on my own systems. It's been pretty useful for going back and figuring out exactly what I was doing last week, it provides a quick way to find some comment I made or a website I was at before, etc.

It helps that I spend a lot of time at a command line as well, but I have even left notes to myself by typing anywhere that will accept text, and then clearing the text out.

It's also nice to be able to know exactly when someone else was on my system and what exactly they were doing (although that doesn't come up too often and I let people who may want to use my system know that they are being logged first!)

keyloggers are just another type of tool.

Re:Valid REason for HAving KeyLogger

[stephanruby]

When everything settled down, then I was paid to remove the keylogger, and mousing logging software.

This sounds like a great strategy to make sure you get paid. Don't ask for money upfront, only ask for money after the keylogger is installed.

Come on, community!

[77Punker]

Time for OSS to step up to the plate and make a GPL equivalent!

use, not possession

[bugi]

It's the use to which it's put.

Consider by analogy a crowbar. It could be used to force open someone's window or someone's head, both illegal; but it could also be used to pry off the hubcap of one's own car, an operation legal in most jurisdictions.

Let's see, legal ethical use of spyware... Hmm, that's a tough one for a civil libertarian. Logging your underage kid's IRC sessions in case you later need to find out where she's run off to meet her 40 year old "friend"?

Re:use, not possession

It's not legal to sell a crowbar with direction on how to use it to commit a crime like burglary or murder. Sure we can't eliminate all spyware, because it has some legal uses, but we can eliminate people who sell it where the use is clearly intended to be illegal. If you read the details, that's the case here.

Not for you, citizen!

Duh. Don't they know the best and only way to sell snooping software is to the government, via large contracts?

About time.

[sarysa]

I consider myself a moderate libertarian. This is why it's only "moderate". I honestly do think this kind of software should be illegal; in fact I thought it WAS. In my opinion, no one has a legitimate reason to spy on someone else's computing habits, parents included. If you break down privacy you break down society, there's things you just don't want to know about other people, and said other people just as much do not want you to know about them.

And please, don't compare this to gun rights. Guns as self defense are a deterrent, but spy software doesn't work that way. You can't deter spying against you with spy software. People are still going to have spy software and use it, but it should be as difficult to use as possible, and victims should have legal defense against it if they discover the culprit.

By the way, I understand the fine line between VPN type software and spy software when it comes to functionality, so I understand the hurdles when it comes to illegalizing spy software. I'm just stating my opinion.

This leads to an interesting question

[BitterOak]

How easy is it to detect and/or delete keylogger software? Does anyone know if the popular anti-virus software out there will detect it?

Re:This is good.... if regulated

Personally I think anyone who wants to own a gun should be allowed to do so (with some sane limits: prior felonies, legally declared unstable, etc)

So for keyloggers, and similar spyware, everyone who wants this stuff should be subjected to a similar background check and documented as owning it.... and these records should be public.

A commercial software package that performs such tasks should be uniquely "fingerprinted" in a manner that is NON-TRIVIAL to defeat, and installation should require a physical key.

Further the resulting logs should be encrypted in a manner that only possesion of the physical key can decrypt.

Anyone who is found to produce such tools that don't conform should be prosecuted. In much the same way that manufacturing munitions without a government permit/license is prosecuted.

IMO such tools ARE munitions.

As for malware... anything that performs a spyware-like function that is unlicensed/uncontrolled by law.... is malware, and should also be considered a munition.

IMO, In a virtual world ANY application that *deliberately* disrupts the correct operation, or compromises the security, of a system, is a munition.

On second thought any such regulation should also apply to anti-malware applications too.

~HS

What about law enforcement?

[Adrian+Lopez]

Does this mean that companies which develop keylogging software for law enforcement use are breaking the law? No? Didn't think so.

It shouldn't be illegal to write this kind of software, but it should be illegal to install it without either the owner's consent or a proper warrant.