Finfisher Spyware Use By Governments Expanding, Masquerades as Firefox

← Back to Stories (view on slashdot.org)

Finfisher Spyware Use By Governments Expanding, Masquerades as Firefox

Posted by Unknown on Wednesday May 1, 2013 @12:47AM from the mozilla-will-eat-you dept.

nk497 writes "Mozilla has sent a cease-and-desist order to Gamma International, after it was revealed the controversial creator of spyware for governments was disguising itself as Firefox on PCs. 'We cannot abide a software company using our name to disguise online surveillance tools that can be — and in several cases actually have been — used by Gamma's customers to violate citizens' human rights and online privacy,' Mozilla said." DavidGilbert99 writes on the wider implications of the Citizen Lab report: "Governmental spying software has been in the news a lot in recent months and today Citizen Lab has revealed its latest findings, showing that one of the most prolific tools in use, Finfisher, is now in use in 36 countries around the world [beware the auto playing video ads with sound]." And, Voulnet adds "According to analysis and report by CitizenLab of the Gamma FinFisher trojan spyware used against dissidents in the middle east and around the world, the FinFisher codebase uses the LGPL GNU Multiple Precision Arithmetic Library, possibly without adhering to its distribution restrictions."

30 of 108 comments (clear)

Min score:

Reason:

Sort:

Sue, sue, sue by furbyhater · 2013-05-01 00:52 · Score: 5, Insightful

This scum must get sued into the ground. What a disgusting company.
1. Re:Sue, sue, sue by IndustrialComplex · 2013-05-01 00:57 · Score: 5, Insightful
  
  If I were Mozilla, I certainly would. Whenever I hear of Firefox now, I'm going to associate the name with Malware and probably just use something else. Sure after thinking about it for a bit, I'll remember this story, but that first impression matters a lot when branding is concerned.
  Damage to their brand has certainly occured.
  
  --
  Out of modpoints but really liked a post? 1BDkF6TtmmeZ3yqXbz9yhdYVqRYnwFoXDj
2. Re:Sue, sue, sue by furbyhater · 2013-05-01 01:05 · Score: 4, Interesting
  
  If I were Mozilla I'd look into suing for defamation, more specifically libel. If you have been libeled, you don't even need to prove damages, at least in the US, according to this website: http://www.wikihow.com/Sue-for-Defamation
3. Re:Sue, sue, sue by rvw · 2013-05-01 01:08 · Score: 4, Insightful
  
  Is the "harm" caused to Firefox's reputation worth any punitive damages? They don't sell Firefox and can't really claim loss of revenue. Maybe they can claim loss of donations to Mozilla?
  Less downloads is less sponsoring from Google. But what does revenue have to do with this? Is this capitalistic brain washing that instructs you that you cannot do anything unless money is involved?
4. Re:Sue, sue, sue by erroneus · 2013-05-01 01:17 · Score: 3, Interesting
  
  I believe this company has already found itself on anonymous' radar. Watch out for fun on the horizon as I expect them to exploit the finfisher C&C servers for their own gain and to the embarassment of finfisher's customers.
5. Re:Sue, sue, sue by rtb61 · 2013-05-01 01:56 · Score: 2
  
  The Firefox brand has a perceived value, a value of identifying that product with that brand. It doesn't have to sell anything, it just has to have a 'goodwill' value associated with an identifiable brand. The fraudulent use of the brand, damages the goodwill associated with Firefox and enables a civil suit to be filed to protect and establish not just damages but punitive damages. As the abuse is particular egregious and threatens the perception of security of the products punitive damages could be quite high as a multiple of goodwill damage.
  
  --
  Chaos - everything, everywhere, everywhen
6. Re:Sue, sue, sue by hairyfeet · 2013-05-01 02:20 · Score: 2
  
  No sadly he is just stating the truth, a company that "gives away" its product is just gonna have a harder time when it comes to damages VS a company that is charging a set dollar amount.
  We could sit here all day arguing about "commies vs money whores" but the simple fact is that FOSS companies? Really not setting any awards when it comes to damages and with a company like this if you don't damage the shit out of their wallets they'll just write it off as "the cost of doing business" and go on their merry way.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
7. Re:Sue, sue, sue by ArcadeMan · 2013-05-01 03:42 · Score: 3, Funny
  
  I guess you don't use a web browser and you send mail to a daemon?
  Not only that, but I sign all my emails with "In God we trust" just to piss off the daemon.
  
  --
  Get free satoshi (Bitcoin) and Dogecoins
8. Re:Sue, sue, sue by squiggleslash · 2013-05-01 04:09 · Score: 2
  
  I think they can do better than that.
  This is a product being used by governments to spy on citizens. Can you imagine what it would do to these investigations, legit or abusive, if the real Firefox were to pop-up a message on the screen of everyone being spied upon notifying them what's going on?
  We're not just talking about ruining the reputation of the spyware company, though that would be a bonus. We're talking about heads rolling of virtually anyone who employed these suckers, which in turn should mean just a little more care is taken in future.
  Firefox needs to be altered to detect the presence of the spyware, and warn those being spied upon. If it actually destroys a legitimate investigation, then so much the better.
  
  --
  You are not alone. This is not normal. None of this is normal.
9. Re:Sue, sue, sue by BitterOak · 2013-05-01 09:19 · Score: 2
  
  You know malware is effective when you see retards posting things like this. Absolutely nothing wrong with the real Firefox and yet he wants to avoid using it for no good reason.
  Actually, there's a very good reason. As you say, there's nothing wrong with the REAL Firefox, but there's a piece of Malware disguising itself as Firefox. How can you be sure you have the real one? Since this product is in use by governments, they probably have the ability to redirect connections to mozzila.org to their own server. So how can you be sure you're using the real Firefox? (Actually, that is a serious questions. As a "Firefox" user, I'd be interested to know if there's a utility I can run that will let me know if my Firefox is legit or not.)
  
  --
  If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
10. Re:Sue, sue, sue by L4t3r4lu5 · 2013-05-01 21:20 · Score: 2
  
  Hash of the executable. You'll need to obtain both a hash calculator and the hash result itself, presumably over an out-of-country VPN / over Tor.
  
  </tinfoilhat>
  
  --
  Finally had enough. Come see us over at https://soylentnews.org/
victory for open source by one_who_uses_unix · 2013-05-01 00:57 · Score: 2

This is one of the big reasons for supporting open source applications - violations like this can be exposed without relying on a single central authority to uncover it and trusting that the central authority will not be beholden to other interests.
Kudos to the firefox team!

--
KK4SFV
In the USA, that's criminal. by __aaltlg1547 · 2013-05-01 01:00 · Score: 2

How are they getting away with this in Great Britain?
1. Re:In the USA, that's criminal. by SJHillman · 2013-05-01 01:09 · Score: 3, Funny
  
  Pshaw, it's only criminal if it isn't being used by the government. Don't you know nothing?
2. Re:In the USA, that's criminal. by GauteL · 2013-05-01 01:20 · Score: 2
  
  How are they getting away with this in Great Britain?
  Using the tool may well be a criminal offence, but selling it isn't necessarily. And making it look like Firefox is Trademark violation, which is a Civil matter, not a criminal one.
  It took a while for Mozilla to hear about Gamma and put together a lawsuit. I don't see how this is any different in the US.
3. Re:In the USA, that's criminal. by niftydude · 2013-05-01 01:24 · Score: 3, Informative
  
  How are they getting away with this in Great Britain?
  Read the ibtimes link - the good old USA is one of the 36 countries.
  
  So, how are they getting away with this in the US?
  
  --
  You can never know everything, and part of what you do know will always be wrong. Perhaps even the most important part.
Trademark ; Copyright by DrYak · 2013-05-01 01:06 · Score: 5, Insightful

Mozilla's case is a very clear one. Although the software (the source code) is free and open, the trademark (the branding) *IS* NOT. (Hence all the IceWeasel and similar source builds). Gamma company is clearly using a name registered to Mozilla to masquerade itself, and abuse end-users' confusion to make them think it's a Mozilla registered product. That's almost the book case for which Trademark was designed.
The only thing which could prevent Mozilla from winning at the court would be government meddling (although, this is likely as its a widely used *surveillance* tool :-( )
In theory, Gamma should have negociated a trademark licensing deal (just as do Linux distribution which provide their own branding on top of Mozilla's. The Firefox which comes with opensuse isn't the exact binary which is available at mozilla.org, but they are allowed to package their build and still call it "Mozilla Firefox" because they obtained a permission).
In practice, Mozilla will probably refuse to grant Gamma a license.
The libGMP case is much more interesting: they copied code which don't belong to them. Either they are violating its license and breaking copyright law. Or, they'll have to abid to the license and make their surveillance tool end-user- (or should it be more properly called "end-victim"- ) modifiable. (Either the whole package if its GPL or at least the LGPL parts if there are only LGPL parts in Finfisher).
Meaning that victims could without any restriction take-over finfisher by injecting their own libraries: it would end up completely legal and possible to tamper with a wiretapping device because the license of some part of it require the end-user to be able to customise them (in case of LGPL, or to customise the whole package in case of GPL).

--
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
1. Re:Trademark ; Copyright by drinkypoo · 2013-05-01 05:52 · Score: 2
  
  This is why they should have spoofed IE. Microsoft would have happily provided a license to allow this.
  The goal was to mimic a piece of software that a user might intentionally install and run on their computer.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
How? by puddingebola · 2013-05-01 01:06 · Score: 3, Interesting

I applaud Mozilla's decision to start legal action against them, but more importantly, how is it legal for this company to operate? Perhaps this is naïve, but how is it legal for a company to operate by providing surveillance software to governments? Does the State Department approve which nation's they can sell to?
Wrong interpretation by DrYak · 2013-05-01 01:08 · Score: 4, Interesting

The firefox part has nothing to do with "open source" or GPL violation.
Gamma isn't using a single line of code from firefox.
Instead they are abusing Mozilla's trademark.
This is a simple classical violation of trademark law. (and a clear one).
The LGPL violations are regarding some subcomponent used by finfisher, namely libGMP.

--
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
1. Re:Wrong interpretation by LoRdTAW · 2013-05-01 03:29 · Score: 2
  
  "Gamma isn't using a single line of code from firefox.
  I am sure Darl McBride could fix that problem.
2. Re:Wrong interpretation by hairyfeet · 2013-05-01 05:46 · Score: 2
  
  How EXACTLY does it do that? And do NOT say the "many eyes" myth as I can show how that one is a myth simply by using common sense and how many LOC you are talking about in your average distro. Hell have YOU done a code audit of FF, Gimp, LO, or any of the other applications that you use?
  While FOSS does have its benefits, the main one being that nobody can just abandon a program or force you to upgrade as long as some devs are willing to support it, see KDE Classic for example, finding malware? NOT one of the benefits. Hell we are talking about government spying programs, not script kiddies, so one look at the entries in the obfuscated C contest should show you that your average programmer wouldn't find the shit unless they were specifically told it was there, so just saying that "because the code is out there SOMEBODY has to have done an audit" means exactly jack and squat.>
  5 will get you 10 a good 80%+ of the code that goes into your average distro hasn't been looked at by anybody but the programmers themselves, see that infected Quake 3 that sat on damned near every repo for a year and a half or the KDE screensaver bug where it turned out a large chunk of the KDE screensavers hosted at places like KDELook were infected with malware, nobody looked at any of that code for ages and if somebody hadn't looked at their firewall and noticed weird activity (no different than they would have done with non FOSS programs) those would still be infecting folks to this day, it was only AFTER somebody caught the activity that the code was checked for malware. To my knowledge there has never been malware found by just looking at the source code, at least I've never heard of it.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
Trademark law by DrYak · 2013-05-01 01:14 · Score: 5, Insightful

It's a clear trademark law violation.
"Firefox" is a name owned and controller by Mozilla, and is used to clearly designate one specific product: the Firefox browser.
Gamma are abusing the same name, Firefox, to masquerade their surveillance tool as a browser. They use the same name with intent to create confusion.
This is not allowed by trademark law and is punishable. It's almost a textbook's case.
About loss of revenue: Mozilla might not be selling copies of Firefox to end-users, they are still getting paid (by Google, among other) to produce it.
If suddenly Firefox becomes knkown as a filthy malware (which is exactly what Gamma is doing, and which exactly against what trademark law was designed) Mozilla might lose revenue though from sponsors instead of end-users.

--
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
1. Re:Trademark law by NatasRevol · 2013-05-01 01:32 · Score: 2
  
  Who's law? Gamma is based in England.
  
  --
  There are two types of people in the world: Those who crave closure
2. Re:Trademark law by NatasRevol · 2013-05-01 01:48 · Score: 3, Funny
  
  Dammit, I knew I shouldn't have read TFA.
  
  --
  There are two types of people in the world: Those who crave closure
3. Re:Trademark law by tlhIngan · 2013-05-01 03:54 · Score: 2
  
  About loss of revenue: Mozilla might not be selling copies of Firefox to end-users, they are still getting paid (by Google, among other) to produce it.
  Trademark damages are not limited to loss to revenue. They can also be determined by how much money is made by the infringer. Which can easily be treble. So while Mozilla might not have "lost" any money from this, the other company certainly benefited, and the role of the damage calculation Is to prohibit such behavior as it means a bigger company could willingly violate trademarks and write it off as cost of business. The whole goal is not just to make the infringed whole, but to make it unprofitable to infringe.
4. Re:Trademark law by Darinbob · 2013-05-01 08:35 · Score: 2
  
  Reading the TFA never ends up well in the long run.
Remember... by Minwee · 2013-05-01 02:03 · Score: 5, Funny

...They didn't get Al Capone for murder, they got him for distributing LGPL code without attribution.
Welcome to the civil court system by Sycraft-fu · 2013-05-01 03:16 · Score: 2

You can't sue for damages if there aren't any. I don't care if you think it shouldn't be that way, that is how it actually is. Civil court is largely for remedying economic damages. Like if you hire me to do work on your house, I cause damage, and then refuse to pay for it, that is what civil court would be for.
So if I do something to you that is not illegal and causes you no economic harm, well you'll have trouble suing me (successfully) for it. There are cases and trademark infringement is one of them that there is no need to show harm, but not all that many.
So maybe less bitching about capitalism form you, more learning about the court system. Asking if something has done enough harm to warrant damages is a real issue for civil cases. That is how it works, regardless of if you like it or not.
No. by Frosty+Piss · 2013-05-01 03:51 · Score: 4, Insightful

You can't sue for damages if there aren't any.
Simply because Firefox is free to download does not mean that Mozilla does not derive any income from Firefox. Mozilla does not run off donations from people like you and I, they provide a service to a number of companies that pay they many many millions of dollars.
Loss is reputation results in fewer downloads results in a product association that is worth less to these companies.

--
If you want news from today, you have to come back tomorrow.