Slashdot Mirror

← Back to Stories (view on slashdot.org)

Court Slams Door On Sale of Spyware

Posted by kdawson on from the mother-may-i-install dept.

coondoggie writes "The Federal Trade Commission yesterday had a US District Court issue a temporary restraining order halting the sale of RemoteSpy keylogger spyware. According to the FTC's complaint, RemoteSpy spyware was sold to clients who would then secretly monitor unsuspecting consumers' computers. The defendants provided RemoteSpy clients with detailed instructions explaining how to disguise the spyware as an innocuous file, such as a photo, attached to an email."

36 of 51 comments (clear)

  1. BO by negRo_slim · · Score: 1

    Back Orifice anyone?

    Bane of ICQ 98b users everywhere!

    --
    On the Oregon Cost born and raised, On the beach is where I spent most of my days
    1. Re:BO by negRo_slim · · Score: 4, Informative

      Finding TFA severely lacking, might I recommend a more informative article from, Ars Technica.

      --
      On the Oregon Cost born and raised, On the beach is where I spent most of my days
  2. Re:but why? by Meshach · · Score: 1

    Because they didn't disclose what they were doing.

    FMI please RTFA

    --
    "Maybe this world is another planet's hell"
    Aldous Huxley
  3. Time Frame by cjfs · · Score: 1

    As much as the FTC deserves an "A" for effort, however, the timeline of the case is an excellent example of how poorly equipped the government is when it comes to addressing this type of problem. The brief states that RemoteSpy has been available since "at least August 2005.

    It hardly seems worth the effort if this time frame is typical. You'd hope any spyware scanner worth using would have picked it up 20x faster.

    1. Re:Time Frame by MrNaz · · Score: 1

      To have had a greater effect, the court should have ordered that their hands be held in the door when it was being slammed.

      --
      I hate printers.
    2. Re:Time Frame by TubeSteak · · Score: 1

      You'd hope any spyware scanner worth using would have picked it up 20x faster.

      Not all anti-virus and malware scanners will include commercial products in their database.

      --
      [Fuck Beta]
      o0t!
    3. Re:Time Frame by novalogic · · Score: 1

      You'd hope any spyware scanner worth using would have picked it up 20x faster.

      Not all anti-virus and malware scanners will include commercial products in their database.

      Unless of course the commercial product in question is a Windows system file...

      --
      --
  4. This is good. by Surreal+Puppet · · Score: 4, Insightful

    But it's stuff like this we're really after: http://en.wikipedia.org/wiki/MPack_(software). People who code professional-grade malware generally do so to profit off of it. It's well known that in the existing ecosystem of digital crime the malicious hackers themselves rarely act as attackers in large-scale id/credit card theft; instead they sell it to people who do. Quoting this extremely enlightening interview: http://www.securityfocus.com/news/11476

    "The project is not so profitable compared to other activities on the Internet. It's just a business. While it makes income, we will work on it, and while we are interested in it, it will live. Of course, some of our customers make huge profits. So in some ways, MPack could be looked at as a brand-name establishment project."

    This particular piece of spyware is amateur stuff, aimed at paranoid spouses/bosses, but if we can hit the business of selling spyware (probably requiring the cooperation of the international banking system, as well as the governments of china and russia) it would totally cripple large-scale internet crime as we know it. It's a pipe dream, of course. But one can always dream.

    1. Re:This is good. by BountyX · · Score: 2, Interesting

      Credit card numbers are sold for 15$ a pop on irc. Social security numbers can run from 2-10 bucks. Now imagine stealing a backup tape with 15 million records...

      --
      Trying to install linux on my microwave, but keep getting a kernel panic...
  5. Re:but why? by pseudonomous · · Score: 5, Insightful

    Ultimately, hopefully, the issue which will get the defendants in trouble will not be that they sold the keylogger software OR that they provided tutorials on how to trojan it into unwitting victims computers, but rather that THEY stored illegally obtained software on THIER server. Otherwise, this sets a dangerous precident where someone decides that software which potentially has valid uses, is declared illegal. (It's convoluted but you can imagine a case where someone might have a legitimate use for using keylogger software) It's like the whole "right to bear arms thing", just becuase someone shoots his neighbor doesn't mean guns should be illegal. (they should be, IMO, but this isn't the reason)

  6. Useless Trash by www.blogLinux.org · · Score: 1

    If the television show Cheaters is ok, then surely this should be ok.

  7. Re:but why? by Roland+Piquepaille · · Score: 1

    I think their problem is that they should have sold it under the guise of a computer security assessment tool or something, and not outright say it's for spying on people. It's like those countless micro-camera that are sold to "monitor babies", when in reality everybody knows they're bought by peeping toms who plant them in ladies bathrooms

  8. Re:but why? by Surreal+Puppet · · Score: 1

    I honestly don't think you could pass of something this simple as a pen-test tool. You could probably pass it off as a pure remote administration utility. But this would require you to add lots of extraneous functionality that would seriously confuse the intended market, and you couldn't market it to them directly either (I guess this could work anyway if you could incite some really strange grassroots campaign.) On the upside, if the virus engines wouldn't recognize it, you wouldn't have to include signature-evading code (polymorphism, packing...).

  9. Re:but why? by moteyalpha · · Score: 3, Interesting

    Well I am seeing a paradox here because the NSA designs and creates tools like this and makes manuals to explain how to use it. Now they can say they are using it for a legal purpose, however if the mere fact of having something that could be used in a sneaky way is illegal then they would be guilty of possessing a criminal artifact. If creating the stuff is illegal, whoever contracts with a government agency to produce this stuff is criminal by this strict an interpretation. It seems to imply that a citizen can commit a crime and a bureaucrat cannot.

  10. Good intentions and all that... by TapeCutter · · Score: 1

    "...if we can hit the business of selling spyware (probably requiring the cooperation of the international banking system, as well as the governments of china and russia) it would totally cripple large-scale internet crime as we know it. It's a pipe dream, of course. But one can always dream."

    I don't want to rob you of your dreams (or take away your pipe :), but the road to software hell is paved with legal definitions of the term "spyware".

    --
    And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
    1. Re:Good intentions and all that... by Surreal+Puppet · · Score: 1

      I totally meant to type "malware", but my head is muddled from a sleepless night. Spyware is of course only a part of the problem.

    2. Re:Good intentions and all that... by TapeCutter · · Score: 2, Informative

      Ok, so "spyware" is a type of "malware", so define "malware"? - Can you see where I am going? - What is the magic algorithim that determines if an application is "malware"?

      --
      And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
    3. Re:Good intentions and all that... by Anonymous Coward · · Score: 1, Funny

      So Vista is malware? ...sorry, too easy...

    4. Re:Good intentions and all that... by Surreal+Puppet · · Score: 1

      The thing with spyware is that it's included in legitimate apps, typically, and the user has to click through an EULA. Also, all software sold with the intended purpouse of large-scale crime have to be explicitly designed for the fraud in question (code for capturing credit card numbers and passwords from browser sessions/committing various forms of DDOS attacks for example.) The purpose of the software is obvious from it's construction (which conveniently also sets it apart from how commercial pen testing tools are constructed, which have no need for the above features, not to mention how they are marketed.) Relatively benign hacking software not explicitly designed for large-scale economic crime (phearbot, phatbot, poison ivy) would certainly slip under the pen-test or remote administration heading while actually being used in a very large amount of semi-skilled targeted attacks, but on the other hand these are not at all as dangerous given the assumption that the attacker simply acts as a passive consumer that cannot modify the tools he has bought (which is the load-bearing point of first post), and that the crimes we are looking to prevent are DDOS/data encryption extortion and large-scale credit card fraud.

    5. Re:Good intentions and all that... by blueskies · · Score: 1

      What is the magic algorithm that determines of a freedom fighter is a terrorist?

      Anyway, if you are really interesting in learning people are trying to come up with useful definitions that allow us to make the internet safer: http://www.antispywarecoalition.org/documents/definitions.htm

      Labeling software correctly, ie: letting consumers make their own decisions, means we don't need the legal system to get involved except where stuff is fraudulently mislabeled.

      You want to write malware, fin

  11. Re:but why? by Surreal+Puppet · · Score: 3, Interesting

    You mean like the catch-all German "hacker program" law, that has had the entire security industry up in arms? The one where you could in theory get arrested for possessing a copy of NMap?
    www.schneier.com/blog/archives/2007/08/new_german_hack.html

  12. Re:but why? by KDR_11k · · Score: 1

    They could simply classify it as a war weapon and limit it to govt agencies...

    --
    Justice is the sheep getting arrested while an impartial judge declares the vote void.
  13. Other legal purposes by Anonymous Coward · · Score: 1, Insightful

    Almost all software has legal use to some extent.
    I am a small company owner. I have 5 employees and provide them with computers. I have told them that their computer use is monitored and bought this software to ensure I could perform that task. It does.

    My computers are for my company to make money, not their personal use. No personal email. No day-trading. No on-line banking and definitely no gaming. Do that stuff on your own computer and own time. I've had to discipline employees for personal use before and expect to do it again. My rules matter.

    1. Re:Other legal purposes by Lord+Bitman · · Score: 1

      Well, your rules don't /matter/, but I see your point.

      --
      -- 'The' Lord and Master Bitman On High, Master Of All
    2. Re:Other legal purposes by NewWorldDan · · Score: 1

      Right, and I don't think the sale of this should be blocked. On the other hand, I think these clowns should be prosecuted for knowingly and willingly aiding and abetting any number of felonies, and most of their customers should be prosecuted as well. This is a program primarily used for criminal purposes and those criminal acts should be prosecuted.

  14. Valid REason for HAving KeyLogger by wizzerking · · Score: 2, Informative

    I am a software developer for some companies, and we have included as part of the test installation keylogger software, as well as mouse clicking software, because with out this log of information we found that humans have no clue as to the path that was used to create a problem in the software. So this a very very legitimate use of the keylogger software, and mouse clicking software when the tester, is running our program. Other times I have used keylogger, and mouse clicking software on a customer's computer just to diagnose an issue the customer was having, and found that some one on the cleaning crew was using the computers as a gaming network, the company was unaware of this activity until I installed this invisible software on their computers with their permission. When everything settled down, then I was paid to remove the keylogger, and mousing logging software.

    1. Re:Valid REason for HAving KeyLogger by Aoet_325 · · Score: 1

      from time to time I run a keylogger on my own systems. It's been pretty useful for going back and figuring out exactly what I was doing last week, it provides a quick way to find some comment I made or a website I was at before, etc.

      It helps that I spend a lot of time at a command line as well, but I have even left notes to myself by typing anywhere that will accept text, and then clearing the text out.

      It's also nice to be able to know exactly when someone else was on my system and what exactly they were doing (although that doesn't come up too often and I let people who may want to use my system know that they are being logged first!)

      keyloggers are just another type of tool.

    2. Re:Valid REason for HAving KeyLogger by stephanruby · · Score: 1

      When everything settled down, then I was paid to remove the keylogger, and mousing logging software.

      This sounds like a great strategy to make sure you get paid. Don't ask for money upfront, only ask for money after the keylogger is installed.

  15. Come on, community! by 77Punker · · Score: 1

    Time for OSS to step up to the plate and make a GPL equivalent!

  16. use, not possession by bugi · · Score: 1

    It's the use to which it's put.

    Consider by analogy a crowbar. It could be used to force open someone's window or someone's head, both illegal; but it could also be used to pry off the hubcap of one's own car, an operation legal in most jurisdictions.

    Let's see, legal ethical use of spyware... Hmm, that's a tough one for a civil libertarian. Logging your underage kid's IRC sessions in case you later need to find out where she's run off to meet her 40 year old "friend"?

  17. Re:but why? by skroops · · Score: 1

    charged with posessing a criminal artifact? The police get to have cool toys because they are police, and if they have to break in they will. Think slimjims, boltcutters etc. There is no conflict here.

  18. Re:but why? by Ihmhi · · Score: 1

    Oh come on, it's just spyware, not encryption.

    --
    Random Thoughts From A Diseased Mind (Not For Dummies)
  19. About time. by sarysa · · Score: 1

    I consider myself a moderate libertarian. This is why it's only "moderate". I honestly do think this kind of software should be illegal; in fact I thought it WAS. In my opinion, no one has a legitimate reason to spy on someone else's computing habits, parents included. If you break down privacy you break down society, there's things you just don't want to know about other people, and said other people just as much do not want you to know about them.

    And please, don't compare this to gun rights. Guns as self defense are a deterrent, but spy software doesn't work that way. You can't deter spying against you with spy software. People are still going to have spy software and use it, but it should be as difficult to use as possible, and victims should have legal defense against it if they discover the culprit.

    By the way, I understand the fine line between VPN type software and spy software when it comes to functionality, so I understand the hurdles when it comes to illegalizing spy software. I'm just stating my opinion.

    --
    Charisma is the measure of someone's ability to lie with a straight face.
  20. This leads to an interesting question by BitterOak · · Score: 1

    How easy is it to detect and/or delete keylogger software? Does anyone know if the popular anti-virus software out there will detect it?

    --
    If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
  21. Re:but why? by Loki_1929 · · Score: 1

    It seems to imply that a citizen can commit a crime and a bureaucrat cannot.

    Sort of like when police officers fly down the road at 40mph+ higher than the speed limit, change lanes without signalling, run stop signs, cut people off, tailgate people on the highway, and generally drive like the biggest bunch of suicidal assholes the road has ever seen but will pull over the rest of us for stepping even slightly out of line without a second thought?

    Sorry, I just spend a lot of time on highways, so it just really bugs me.

    --
    -- "Government is the great fiction through which everybody endeavors to live at the expense of everybody else."
  22. What about law enforcement? by Adrian+Lopez · · Score: 1

    Does this mean that companies which develop keylogging software for law enforcement use are breaking the law? No? Didn't think so.

    It shouldn't be illegal to write this kind of software, but it should be illegal to install it without either the owner's consent or a proper warrant.

    --
    "In prison you just have to shut your eyes and take it. Here you have to shut your eyes and give it."