Forums » Up and Running » Security » Security » Whitelisting keyloggers for law enforcement
EGeezer
Go Bobcats
Premium
join:2002-08-04
Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage

 Whitelisting keyloggers for law enforcement

Criminal suspects may no longer depend on their anti-malware applications to detect certain keyloggers and other snoopware. Of course, it depends on the company providing the applications. The article is an interesting read.

said by article:

A CNET News.com survey of 13 leading antispyware vendors found that not one company acknowledged cooperating unofficially with government agencies. Some, however, indicated that they would not alert customers to the presence of fedware if they were ordered by a court to remain quiet.


Link here.
--
The society which scorns excellence in plumbing as a humble activity and tolerates shoddiness in philosophy because it is an exalted activity will have neither good plumbing nor good philosophy: neither its pipes or its theories will hold water.


jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA

Oh, this should generate an interesting discussion.

I want to go back and read that article more carefully and then think about it for a bit before posting anything substantive.

Good topic, EGeezer.
--
Regards,
Joseph V. Morris


swhx7
Premium
join:2006-07-23
Elbonia
·RoadRunner Cable

reply to EGeezer
EGeezer beat me to it by a few minutes, so here's a variation of what I was going to post.

The use of spyware by law enforcement (or other government agencies) came to public attention in 2001 when the FBI acknowledged planting a trojan on a computer used by an alleged gangster. At the time the FBI refused even to say whether their "Magic Lantern" was a hardware or software device, but Wikipedia now says it was software.

More recently a decision by the 9th Circuit Court of Appeals held that FBI use of a keylogger to defeat a suspect's use of encryption was permitted.

Today's Cnet story has some interesting answers from some of the companies. One company for example, said it would always detect "malware", implicitly leaving open the possibility that it would whitelist police-ware by classifying it as other than malware. And Microsoft refused to deny that it has been asked to deliver infected updates to particular customers.

garys_2k

join:2004-05-07
Farmington, MI
reply to EGeezer
Hence the interest in an open source spyware finding application.


La Luna
Surviving Ashraful
Premium
join:2001-07-12
Warwick, NY
clubs:
·Optimum Online
·Vonage

reply to EGeezer
So the bad guys should be able to take advantage of applications that can protect them, but law enforcement should not be able to counteract that? Is that what this article is trying to imply?

Ummm, I don't think so.

Criminal suspects may no longer depend on their anti-malware applications to detect certain keyloggers and other snoopware......

Good. As criminals become more and more tech savvy, so must law enforcement.
--
~~"As long as America is an infidel enemy, terrorizing it is a duty." Sayed Imam Abdul-Aziz el-Sheriff~~



angussf
Premium
join:2002-01-11
Tucson, AZ

reply to swhx7
said by swhx7:

... One company for example, said it would always detect "malware", implicitly leaving open the possibility that it would whitelist police-ware by classifying it as other than malware. And Microsoft refused to deny that it has been asked to deliver infected updates to particular customers.
Reminds me of Thompson's "Trusting Trust" paper -- if you haven't written the OS and the compilers yourself from scratch, you can't trust them. Original paper is here:
ACM Classic: Reflections on Trusting Trust
»www.acm.org/classics/sep95/
Here's a one-paragraph summary from Inside risks: Reflections on trusting trust revisited »www.spinellis.gr/pubs/jrnl/2003-···ns2.html
Security is often described as a weak-link phenomenon. Ken Thompson in his 1983 Turing Award Lecture [3] described how a compiler could be modified to plant a Trojan horse into the system's login authentication program so that it would accept a known password. In addition, the C compiler could be altered to propagate this change when it was recompiled from its (unmodified) source code. The system Thompson described was seriously compromised and could never be trusted: even a recompilation from clean source code would yield a Trojaned compiler and login program.
If you're truly paranoid, don't use Windows or OS X or ....


fatness
subtle
Janitor
join:2000-11-17
fishing
·EarthLink

1 edit
reply to EGeezer
The different answers from software vendors to the same questions are quite interesting: »news.zdnet.com/2100-1009_22-6196···l?tag=nl
quote:
Question: Is it Check Point's policy to alert the user to the presence of any spyware or keystroke logger, even if it is installed by a police or intelligence agency?

Answer: Our goal is to detect malicious software. ZoneAlarm does so by detecting certain behaviors (such as keystroke logging) and alerting the user. We do have a policy whereby legal, legitimate software programs from any third-party vendor can be "whitelisted" from detection upon request. We would afford law enforcement the same courtesy.
quote:
Question: Is it eEye's policy to alert the user to the presence of any spyware or keystroke logger, even if it is installed by a police or intelligence agency?

Answer: Our customers are paying us for a service, to protect them from all forms of malicious code. It is not up to us to do law enforcement's job for them so we do not, and will not, make any exceptions for law enforcement malware or other tools.

As soon as a company, like we have seen with McAfee, starts making exceptions to their protection products, they can no longer guarantee a sound and safe product for their customers. We will not play that game.
One would think that, if the companies providing the free access to your computer for law enforcement believe they're doing the right thing, they'd be upfront about it in their product descriptions. I bet they're not. Absent a warrant, consumers should have an honest choice about involuntarily testifying against themselves when using their own computer.
--
Sure, that'll work..


hpguru
Curb Your Dogma
Premium
join:2002-04-12

reply to La Luna
said by La Luna:

Ummm, I don't think so.

In the event that Hillary becomes our next president and decides it would be a good thing to spy on republicans (including you) would it be acceptable or unacceptable to you if your AS which you trust decided you didn't have a need to know about Big Sissy's spyware app?
--
The Gospel of Supply Side Jesus


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest

reply to La Luna
So the bad guys should be able to take advantage of applications that can protect them, but law enforcement should not be able to counteract that? Is that what this article is trying to imply?
For the FBI to install spyware is one thing. I would expect them to do that.

For an anti-spyware outfit to silently ignore spyware that it finds - sorry, but that's dishonest. It means that the anti-spyware outfit is deliberately misrepresenting what its product does.
--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 2.0.0.4


swhx7
Premium
join:2006-07-23
Elbonia
·RoadRunner Cable

reply to angussf
said by angussf:

Reminds me of Thompson's "Trusting Trust" paper -- if you haven't written the OS and the compilers yourself from scratch, you can't trust them. Original paper is here:
ACM Classic: Reflections on Trusting Trust
»www.acm.org/classics/sep95/
* * *
If you're truly paranoid, don't use Windows or OS X or ....

The OS, apps, compilers - and what about the hardware?

Actually, there are degrees of trust. As Schneier might say, you need only a degree of confidence proportional to the risk.

In the case of anti-malware programs, it is now known that they have this conflict of interest, so one's reliance on them has to be qualified. It's always been known they catch only a percentage of malware; now one must take into consideration also that they may be whitelisting some spyware that users might wish they would blacklist.

Similarly with Windows and other closed-source-ware, I think the only rational conclusion is that it can be trusted to a certain degree and no further. What that degree is may vary.


swhx7
Premium
join:2006-07-23
Elbonia
·RoadRunner Cable

reply to hpguru
@La Luna and hpguru:

I don't know that LL is a Republican - or that HC would or wouldn't do certain things, or that Republicans are worse about this sort of thing than Democrats (the Bush lot notwithstanding). But I agree with the point, which can be put in a less political way: powers of secret spying are always abused. Even from the old-tech days of J. Edgar Hoover, law enforcement was spying on citizens (e.g. civil rights people in the 1960s, Nixon critics in the 1970s) to further political agendas rather than to protect anyone from crime.

Of course this is in addition to the legitimate police activities where there is suspicion of real crime. But if we assume with naive idealism that the police are always the good guys, abuses will be even worse than they already are. Regulation so strict that it makes law enforcement complain of limitations is the only thing that keeps us safe from a police state.

madrhino

join:2004-07-03
reply to EGeezer
Is there anyone above the age of 7 who doesn't live in fantasyland who truly believes this isn't already being done? Anyone?
--
Get Verizon FIOS,The Anti-DIOS


jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA


1 edit
reply to EGeezer
Okay, I'm going back to the original post here (ignoring responses already posted). I think we need to establish some common ground as to just what the hell we're talking about here and I suspect that many people reading this thread have only the vaguest idea as to what they are. So, this is sort of a FAQ (and subject to subsequent modification). If you have objections, modifications, or extensions, go ahead and post them in this thread and I'll try to edit this response as (I see) appropriate.

Do keyloggers exist?
Oh, most assuredly; they've been around probably twenty years or more.

What, exactly, do they do?
• In their original (classical) form, keyloggers recorded every keystroke made by any (specified) user on a computer.
• Some keyloggers take this a bit further and record mouse movements also (especially since the advent of GUIs).
• And some even capture screen shots from time to time (which is why SpyCop, at least at one point, classified SnagIt as a potential keylogger, since it could be programmed to do just this).
• Indeed, a current-day keylogger could well be designed to capture any input to a specific computer, including via any input mechanism (which includes the LAN or WAN).

And please note: Any application that is capable of recording end-user actions (and perhaps producing a workable script to reproduce these actions) is technically a keylogger. This includes 'recorders' deliberately installed by the end-user.

Rather obviously, this can create some rather large log files and one of the issues that keyloggers then need to address is just how to regurgitate the captured information, especially if not done on an extremely regular basis. (More on this shortly.)

How are they implemented?
Keyloggers can be implemented in software (memory-resident, of course) or in hardware. In order to serve their intended purpose, either implementation must use relatively low-level hooks into the operating system in order to capture inputs prior to any possible encryption attempts (which might also be done in hardware, I might note). In passing, software implementations are (relatively) easy to detect; hardware implementations (to the best of my knowledge) are far more difficult.

How are they installed on a particular machine?
• Hardware implementations require physical access to the machine itself, with appropriate access rights to install any requisite new hardware/software.
• With appropriate access rights, software implementations can obviously be installed from a floppy, CD, DVD, or any memory card reader.
• Similarly, and again with appropriate access rights, it's possible that a keylogger could be installed on one machine from another machine on the same LAN. Please note that this possibility also includes remote processes that are running on the remote LAN PC.
• Similarly, and again with appropriate access rights, it's possible that a keylogger could be installed on one machine from a remote machine elsewhere on the Internet. We'd probably tend to call this a Trojan loader application and expect that our anti-virus/anti-spyware utilities (running memory-resident, of course) would pick up such an attempt. But, technically speaking, there's no distinction between this and the LAN-based installation.
• Passive surveillance -- this is a rather exotic implementation requiring electromagnetic surveillance of the targeted PC; indeed, this is what Government-specified TEMPEST requirements are designed to prevent on high-security PCs and applications running on them.

How do they report?
Not terribly surprisingly, reporting can be a mirror image of any of the installation procedures described above.
• The log files can be manually downloaded from the target PC, given appropriate access rights to the outputs available from that PC.
• They can be automatically or manually downloaded to another PC on the LAN, given appropriate access rights.
• They can be automatically or manually downloaded to another PC on the Internet, given appropriate access rights.
• With a hardware implementation of a keylogger, it's actually possible to transmit the log files (over relatively short distances) upon demand or even in real-time.
• In the passive surveillance mode, the activities are downloaded -- by definition -- in real-time.

Who can get a keylogger?
In one sense, just about anybody:
• End-users can buy retail keyloggers from any number of sources. Last time I checked, there were even freeware versions.
• Businesses and Government agencies can often acquire specialized versions of keyloggers necessary for their own monitoring of usage of their own PCs (and this may be for specific desktop PCs, all PCs on a corporate LAN, or even laptops provided by the company or used for remote communication to corporate resources).
• Law Enforcement and Intelligence Agencies often rely on more esoteric keyloggers that also provide the forensic audit trails necessary for their purposes. These may be bought from specialized sources or developed in-house and are typically not available to ordinary customers.
• And, yep, from the last item, blackhats may 'roll their own' versions to serve their own purposes. For the most part, we're not talking about hackers here so much as about criminals interested in financial gains for their own purposes.

[Above edited, extended below]

Who uses them -- more to the point, for what?
End-users often use 'recorders' to record a set of actions that they expect to need to repeat frequently in the future. There's nothing untoward about this kind of application, but -- technically -- these are keyloggers. Most of these are freeware or commercial applications intended expressly for this purpose and will automatically generate reusable scripts.
Individuals can acquire and (surreptitiously) install commercially available or freeware keyloggers to monitor the activities of others -- specifically children, spouses, and 'significant others' on PCs of interest to them. The ethics (and ultimate desirability) of doing this are a subject for discussion in a separate thread (and there are already many in this Forum).
Businesses and Government Agencies would primarily use keylogger applications only available to them (and not the general public) to monitor whether the use of PCs that they own (or allow access to their internal networks) are being used in a manner commensurate with published protocols. This functionality can be misused, as I'm sure many of you are aware.
Law Enforcement and Intelligence Agencies would (I should hope) use keyloggers from sources that service only such organizations with an established 'need to know' in the investigation of potential criminal or intelligence activities. I would like to believe that such keyloggers are only used in accordance with appropriate statutory guidelines -- but I'm not too sure about this at the moment.
Hackers (traditional sense) would be voyeurs, in my opinion, who are primarily interested in being aware of the activities of individuals who are often completely unknown to them (well, at least initially!). Hackers would most likely rely on either obscure freeware keylogger applications or actually write their own.
Criminals want money. They'll take your financial information, your financial activities, your passwords (be you an individual or an organization) and use them for their own financial reward. In this context (at least to me) any terrorist organization using a keylogger is a criminal enterprise.
ISPs could conceivably use keyloggers as part of their software installation when you subscribe. The point of this (and the legality) is arguable; the ethics are not. If this happens to you, find another ISP.
Industrial Spies are looking for industrial secrets that can be turned into money (albeit most likely for someone else). They'll use whatever keyloggers they can find that they think are likely to be undetectable, but they're really primarily interested in business PCs (and the associated networks) and PCs that employees may use to communicate remotely to business LANs. To some, this is a special case of "Criminals", even though the applicable laws may not see it that way.

Who creates keyloggers?
Oh, all sorts of individuals and organizations. The real distinction is: for what purpose and to whom do they make their products available?
Recorders are ostensibly designed for perfectly legitimate use. (Of course, there's no guarantee that this is how they will actually be used once acquired.)
Freeware keyloggers are primarily intended for legitimate (at least in the eyes of the developer) use.
Blackhat keyloggers are almost invariably designed for purposes that at least border on illegal intent.
Businesses and Government Agencies may write custom keyloggers, at least intended for perfectly legitimate uses within their own organizations.
Law Enforcement and Intelligence Agencies may also write custom keyloggers, again at least ostensibly intended for perfectly legal purposes. (Whether they end up being used that way remains open to debate.)
Commercially developed keyloggers -- and this is where I think the real bone of contention lies in this thread.

Some commercial developers are oriented towards
End-users and individuals primarily
Commercial and business organizations
Law Enforcement/Intelligence Agencies
and sell exclusively to these market sectors.

Unfortunately, some commercial developers make products that they are willing to sell to anyone (no questions asked) regardless of whether or not they fit into only one of the above categories. And, at least in my opinion, these are the organizations and applications to which we should address ourselves primarily in this thread.

Is Subversion Possible?
Yes, it certainly is -- and this specifically includes those software products developed exclusively by or for the use of Law Enforcement and Intelligence Agencies.

--
Regards,
Joseph V. Morris


microserf

@cgocable.net

reply to La Luna
said by La Luna:

So the bad guys should be able to take advantage of applications that can protect them, but law enforcement should not be able to counteract that? Is that what this article is trying to imply?
No. At best (worst?), the article implies that some retail security software available for purchase world wide is not performing as advertised. For everyone. It does, however, directly state this:

"One danger with whitelisting fedware is that it creates a potentially serious vulnerability in security software. If a malicious vendor of spyware were clever enough to mimic the whitelisted government spyware, it would also go undetected."

said by La Luna:

Criminal suspects may no longer depend on their anti-malware applications to detect certain keyloggers and other snoopware......

Good. As criminals become more and more tech savvy, so must law enforcement.
Careful. You've gone and convicted someone without due process. A suspect is not normally compelled to provide an encryption key as doing so usually proves knowledge and control of the material in question. A key logger (like all other "taps" and monitoring) removes suspect cooperation from the legal equation and, essentially, adds self-incrimination.

All I'm saying is extreme caution is necessary.
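The weakness the quoted article paragraph describes (a whitelisted "fedware" entry that a copycat could mimic) and jvmorris's "Is subversion possible?" point above can be shown in code. The following toy scanner is an added example, not code from this thread, from the CNET article, or from any vendor named here; the signature pattern, the file names and the byte contents are all constructed for the demonstration. It compares two exemption policies: one keyed on the exempted program's file name, which anything can copy, and one keyed on the SHA-256 of its content, which a different binary cannot reproduce.

```python
"""Toy signature scanner comparing name-based and hash-based whitelisting.

Added example for the dslreports thread "Whitelisting keyloggers for law
enforcement". Everything below (signature, samples, names) is constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Constructed detection pattern; a real scanner's signatures are far richer.
SIGNATURES: Dict[str, bytes] = {
    "generic-keylogger": b"HOOK_KEYBOARD_LL",
}


@dataclass(frozen=True)
class FileSample:
    """An in-memory stand-in for a file on disk (name plus content)."""
    name: str
    content: bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_signature(sample: FileSample) -> Optional[str]:
    """Return the name of the first signature found in the content, or None."""
    for sig_name, pattern in SIGNATURES.items():
        if pattern in sample.content:
            return sig_name
    return None


def scan(sample: FileSample,
         whitelist_names: FrozenSet[str] = frozenset(),
         whitelist_hashes: FrozenSet[str] = frozenset()) -> str:
    """Verdict: 'clean', 'whitelisted' or 'detected:<signature>'.

    Two exemption policies are supported so they can be compared:
      - whitelist_names: exempt by file name (anything can copy a name)
      - whitelist_hashes: exempt by SHA-256 of content (only the exact
        exempted bytes match, so a look-alike with different code does not)
    """
    sig = match_signature(sample)
    if sig is None:
        return "clean"
    if sample.name in whitelist_names:
        return "whitelisted"
    if sha256_hex(sample.content) in whitelist_hashes:
        return "whitelisted"
    return "detected:" + sig


# Constructed samples. The exempted tool and the mimic share a file name and
# trip the same signature; only their bytes differ.
EXEMPTED_TOOL = FileSample("auditagent.exe", b"AUDIT v1 HOOK_KEYBOARD_LL")
MIMIC = FileSample("auditagent.exe", b"STEALER HOOK_KEYBOARD_LL")
UNRELATED = FileSample("stealer.exe", b"STEALER HOOK_KEYBOARD_LL")
BENIGN = FileSample("notepad.exe", b"plain text editor")
LABELS = ("exempted_tool", "mimic", "unrelated", "benign")
SAMPLES = (EXEMPTED_TOOL, MIMIC, UNRELATED, BENIGN)


def verdicts_by_name() -> Dict[str, str]:
    """Whitelist keyed on the exempted tool's file name (weak policy)."""
    names = frozenset({EXEMPTED_TOOL.name})
    return {label: scan(s, whitelist_names=names)
            for label, s in zip(LABELS, SAMPLES)}


def verdicts_by_hash() -> Dict[str, str]:
    """Whitelist keyed on the exempted tool's content hash (stronger policy)."""
    hashes = frozenset({sha256_hex(EXEMPTED_TOOL.content)})
    return {label: scan(s, whitelist_hashes=hashes)
            for label, s in zip(LABELS, SAMPLES)}


if __name__ == "__main__":
    for policy, fn in (("name-based", verdicts_by_name),
                       ("hash-based", verdicts_by_hash)):
        print(policy, fn())
```

Under the name-based policy the mimic is reported as "whitelisted" alongside the exempted tool, which is exactly the vulnerability the article warns about; under the hash-based policy the mimic is detected and only the byte-identical exempted file passes. Pinning the exemption to a hash closes the mimicry hole but not the objection nwrickert raises earlier in the thread: the exempted binary's behaviour still goes unreported to the user, whatever key the whitelist uses.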


microserf

@cgocable.net

reply to jvmorris
said by jvmorris:

What, exactly, do they do?
• In their original (classical) form, keyloggers recorded every keystroke made by any (specified) user on a computer.
• Some keyloggers take this a bit further and record mouse movements also (especially since the advent of GUIs).
• And some even capture screen shots from time to time (which is why SpyCop, at least at one point, classified SnagIt as a potential keylogger, since it could be programmed to do just this).
• Indeed, a current-day keylogger could well be designed to capture any input to a specific computer, including via any input mechanism (which includes the LAN or WAN).
I tried to tell 'em:

»Keyloggers: How they work and how to detect them

(in a brief excursion using a subject-based anon name...I try to keep it to one name so that it's easy to direct ire and flame).


jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA

reply to jvmorris
Updated and extended my post above. If you've read it earlier, might be a good idea to read it again.

And now, I'm (almost) ready to talk about EGeezer's original post.
--
Regards,
Joseph V. Morris


jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA
reply to microserf
Why not just register? It would give your posts a great deal more credibility and, quite frankly, it can be done without compromising your identity.
--
Regards,
Joseph V. Morris


TKJunkMail
Enjoy the sun
Premium
join:2002-03-03
Avalon, NJ
·Sprint Mobile Broa..
·Comcast

reply to La Luna
said by La Luna:

So the bad guys should be able to take advantage of applications that can protect them, but law enforcement should not be able to counteract that? Is that what this article is trying to imply?

Ummm, I don't think so.

Criminal suspects may no longer depend on their anti-malware applications to detect certain keyloggers and other snoopware......

Good. As criminals become more and more tech savvy, so must law enforcement.
And the key quote from the anti-spyware companies was that they would only do this if ORDERED to do so by a court.
--
Internet News
My BLOG
My Web Page


antispy2007

reply to EGeezer
So what happens if you have an anti-keylogger/anti-virus/anti-malware not produced in the good ol' US of A and is therefore out of the reach of king Bush?

OZO
Premium
join:2003-01-17

reply to EGeezer
With that kind of policy there is nothing I can see that will stop them from installing their own keyloggers or any other spyware stuff on customers' computers.

I think it's important to know the list of companies with that kind of policy. People should know 'the heroes'... So far it's:
• Check Point
• McAfee
who else?
--
Keep it simple, it'll become complex by itself...
© 1999-2009 dslreports.com.