Antivirus Firms "Won't Co-operate" With PC-Hacking Dutch Police

nk497 writes "Dutch police are set to get the power to hack people's computers or install spyware as part of investigations — but antivirus experts say they won't help police reach their targets. Mikko Hypponen, chief research officer at F-Secure, said the Dutch bill could lead to antivirus firms being asked asked to cooperate with authorities to let an attack reach the target. So far, Hypponen hasn't seen a single antivirus vendor cooperate with such a request, and said his own firm wouldn't want to take part. Purely for business reasons, it doesn't make sense to fail to protect customers and let malware through 'regardless of the source.'"

Re:

[Cenan]

I would like to see you try. Mind telling us where you're going to roam the streets with your bat and your homies?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[fast turtle]

Then you better be wearing a vest as my Desert Eagle .50 caliber will take care of idiots like you. "Do You Feel Lucky?" and with my glasses recording, it's a slam dunk that it'll be a justified killing. Oh btw: don't even think about trying it in Texas as the courts have recognized the defence "He Needed Killing" though with Texas law, more then likely the Prosecution will award the shooter a medal for helping clean the gene pool.

Re:

[BitZtream]

Realistically ... Your desert eagle is going to worthless to you and become MINE when you're laying face down drowning in the blood pouring out the the back of your skull since I walked up behind you and you never saw me coming.

Get a clue, your gun doesn't make you invincible, just arrogant and cocky.

"So far"

[Anonymous Coward]

"So far, Hypponen hasn't seen a single antivirus vendor cooperate with such a request"
That's because it's not law yet; once it's law, they will.

Re:"So far"

[Anonymous Coward]

The problem is simple: if you can impersonate police malware, any and all protection is instantly voided.
This is why it's a VERY, VERY bad idea.

Re:"So far"

[AK Marc]

Still not hard with root. With a signed order by HR, I installed malware on an employee machine (he was violating just about every clause of the AUP). I had to load up the AV, set the malware to "approved" in the exception list, then install it. He never knew it was there, until he was fired for browsing porn on company time, and "working late" to impersonate young girls in chat rooms to pick-up men, essentially proof he was billing personal time to the company as overtime, as well as the multiple porn complaints we needed to address to prevent lawsuits. Captured the email addresses and passwords for his chatting accounts, things like hotteen14@aol/hotmail. But nobody ever logged into them, just proof that was all he was doing when alone late in the office (though, what was on his screen was known, nothing was known about what he was doing reading those emails or chats...)

But the point is, for effective malware, you must disable the AV. When the AV has a known hole, everyone will pretend to be the police. Even if a huristics might cause an issue, once you have it on, you attack the AV first. I remember back in the 90's when AV was starting to mature, most of the "smarter" malware would attack the AV. Even if it couldn't disable it, it would run up CPU and cause false alarms to encourage the user to disable it. Causing holes, no matter how small, will allow someone in who shouldn't be in.

Re:

[Anonymous Coward]

" But nobody ever logged into them,"

There is no way you know that. A good corporate security system wouldn't ever need to install spyware and collect those details to prove it's case.
As administrator at my company, all I need to do is look at the Cyberoam logs.

Re:

[Anonymous Coward]

He(the guy doing the privacy violation) would have been breaking the law in almost any country.. their computers or not. it's not like they could put cameras in their wc booths if they suspected people to be wanking in there.

Well they could, but there would be lawsuits to pay for filming people while wanking.

Re:

[Damouze]

Relieving yourself (as in 'number one' and 'number two') is also a very personal thing. It is nobody's business but your own.

Re:

[SuricouRaven]

Which is why some schools have moved to open-to-the-corridoor facilities - the only privacy is in the cubicles themselves. The toilets have traditionally been the one place in a school where neither cameras not teachers may venture, and thus the place to go for bullying, gossip and dealing drugs.

Re:

[AK Marc]

He would have been me, and why is it illegal for me to install spyware on my own computer? If that's the case, we can arrest everyone with a hacked computer to shut down botnets. It's a great plan, but putting millions of grandmothers in jail will probably not work.

Re:

[AK Marc]

There is no way you know that.

Yes, there is. I did it. Personally. The report had the passwords scrubbed.

A good corporate security system wouldn't ever need to install spyware and collect those details to prove it's case.

So it's always collecting those details on everyone, rather than waiting for an issue and addressing problems on a more targeted basis? And that's better? I've worked in those places. It was a full-time job to exclude sites from the proxy, as so many popular sites handle caching poorly (often deliberately, to push their own CDN - Google, I'm looking at you).

Re:"So far"

[gweihir]

I have absolutely no problem with your example, as there the legitimate system administrator installs the spy-ware. What the article is talking about is hacking a system against the will of the legitimate system administrator and, consequentially, bypassing the AV software. An additional problem is that the police is routinely incompetent. In the case of the German "Bundestrojaner", it was found that all recovered copies had a hard-coded symmetric encryption key used to protect the installed backdoor. That means anybody with access to the malware (including all targets) had low-effort access to all the targets. That is just completely unacceptable. Even more unacceptable is that the police (at least in Germany) is not responsible for the damage they cause. If they by accident hack the wrong machine, they should both be liable for all damage and those negligent should be personally subject to criminal liability. Guess what, they are not. Even worse, if they find anything on this wrong machine, they can use it against the owner, even if they did not have permission to look in the first place. That is what a police-state looks like: Too much power and no responsibility for the police. This is the road to hell.

Re:

[Intrepid imaginaut]

Guess what, they are not.

You're assuming they can manage to keep their efforts within German or Dutch borders. If I find anyone interfering with my machines I will be pressing for a prosecution no matter who they are, even if that means police wandering outside of their jurisdiction. Ah the joys of trying to apply local laws to an international internet.

Re:

[Razgorov Prikazka]

And that is why rkhunter, clamav, encrypted partitions including swap, well configured iptables and well defined policies are so important. I got nothing to hide and want to make it as hard as possible for the police to find that out just that. Even if they are allowed to try.

Couple of weeks ago I went to buy a new laptop. At the shop I was immediately mugged by some MS employee telling me that windows was the best. I told him that I wanted to install Linux. He couldn't comprehend and I told him that it was

Re:

[Sabriel]

And that is why rkhunter, clamav, encrypted partitions including swap, well configured iptables and well defined policies are so important.

Nice fucking product if you need third party software just to keep it secure.

Did you see what you did there? :)

Re:"So far"

[AK Marc]

A signed order from the owner of the computer to install software on that computer does absolve me of all legal risk.

Re:

[AK Marc]

How do I suck at my job if I'm hired after there's no such package, then during the period where I'm trying to get such a thing pushed through, this incident happens?

Oh, I should never take a job unless the A/C thinks they are already perfect. If they were, they'd likely not need me. No jobs for anyone.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[gmuslera]

If is a backdoor, then the antivirus itself is malware. If you don't want to be between a rock and a hard place, stay out the windows.

Re:

[doctor woot]

"So far, Hypponen hasn't seen a single antivirus vendor cooperate with such a request"
That's because it's not law yet; once it's law, they will.

I sincerely doubt that. I'm sure more than a few of those asked to cooperate saw the marketing potential in possibly having one of the few AV services billed as "free from government malware!" Now that all that have been asked have refused, it'd take a death wish for a company to volunteer to be the black sheep.

Re:

[fustakrakich]

All it takes is a secret national security letter to compel compliance. We don't know if there is some generic secret law that addresses the issue. Find a trained dog to sniff your network.

Re:

[RockDoctor]

All it takes is a secret national security letter to compel compliance.

I'm going to hazard a guess that Kaspersky (headquarters : Moscow) and FSecure (headquarters : Helsinki) are going to be less than disturbed about a secret order from a foreign government requiring them to (secretly) do something that is likely to be very bad for their business, if not actually illegal. The most that the staff of the companies US offices can do (which would keep them personally in compliance with US law, probably) would

Re:"So far"

[RDW]

I can't believe most antivirus companies would turn a blind eye to the tools used by law enforcement agencies and national governments. They only do that if the malware is installed by someone _really_ important. Like Sony:

http://www.wired.com/politics/security/commentary/securitymatters/2005/11/69601?currentPage=all [wired.com]

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[johanw]

The second a security company allows insecurities to exist NOBODY will use their software, nor should they. If a governmental agency wants to monitor its citizens they need to wiretap or do it some other way. It seems governments nowadays think they can do anything...

Well, the story of the Sony rootkit suggests otherwise. And of course, although all kinds of usefull programs like cracks are labeled as "potentially unwanted program", spyware like the Ask.com toolbar or Google Chrome can still pass all virusscanners.

Re:

[account_deleted]

Comment removed based on user account deletion

who cares

[Njovich]

Aside from whitelisting executables, anti-virus products have about 0% chance of catching stuff that isn't distributed to hundreds of thousands of machines anyway. All they need to do is change their payloads and exploits sometimes. I doubt the police would even bother asking anti-virus makers.

Re:

[AHuxley]

Depends on the OS and the software. Some AV may offer a phone home option for helping with new "strange" data, some are passive software outgoing firewalls that might be easy to code around??
Then you have packet analyser software.
What can the police contract for? A preflight script check for the presence of an outgoing firewall? A list of more advanced behavioural analysis AV solutions?
Try and keep up with EU, Russian, US AV vendors? Request a http://en.wikipedia.org/wiki/Magic_Lantern_(software) [wikipedia.org] fre

Maybe true 15 years ago, but not today...

[Gordo_1]

Most of the major AV software suites utilize some form of behavioral heuristics to detect unknown threats. I'm not saying it's 100%, but you'd be surprised how effective it can be if implemented right.

Re:

[SuricouRaven]

And risk getting caught when the AV company puts out an update altering their detection. Not just embarassing - it could compromise an ongoing investigation when the suspect learns their computer is being monitored. Or worse, from the perspective of the police, it could lead to their abuse of the technology in fishing expeditions may be exposed to the public and get someone fired.

Re:

[AHuxley]

Interesting BA, would this be done at the adsl exchange/digital loop level? Or at the ISP? A small computer/server to inject on one users net use 24/7?
Would the end user note a jump in ping on say the first hop or is it effortless wrt to any slowness now?
Thanks :)

Re:

[jonbryce]

Anti-virus will often report if a program tries to edit /etc/hosts, change network settings or install new security certificates - the sort of thing you would need to do to implement a man-in-the-middle attack.

Re:

[wisnoskij]

SO you don't think that the police want to keep track of hundreds of thousands of individuals?

Hmm

[BeTeK]

I think hacking has one big downside compared to traditional phone tapping. It is possible person being hacked can detect this and make counter measures against it OR even supply false information. For police standpoint I would consider information gained through hacking very unreliable.

That's not how you say it...

[VortexCortex]

...firms being asked asked to cooperate ...

I think you mean: ...firms being asked, and asked again to cooperate...

Re:

[mwvdlee]

It's more like the firms are being "asked" asked to cooperate.
Kinda like how a robber "asks" asks you for money.

Of Course That's What They Would Say

[Jah-Wren Ryel]

You really can't draw any conclusions from what they SAY, only what they DO. It would be the kiss of death for them to say anything else.

If they said they did cooperate, then anyone doing anything remotely suspect would use a different product making that cooperation useless. Meanwhile everybody worried about criminals exploiting the backdoor by impersonating the cop-ware would also switch to another product.

The only way we will know is if someone notices cop-ware installed on their system and tests the antivirus software to see if it detects it - and then goes public with the results.

Re:

[Kjella]

The only way we will know is if someone notices cop-ware installed on their system and tests the antivirus software to see if it detects it - and then goes public with the results.

So? Antivirus fails to identify malicious software all the time, the only way you'd have any hard evidence is if you proved that the detection code intentionally ignored it.

Like they have a chance

[Anonymous Coward]

That's hilarious. The antivirus gang doesn't have anything that works against targeted attacks anyway. The police isn't going to install the same malware that's on a million other machines on the suspects' computers to add them to a botnet, which is about the only thing any antivirus software can prevent, if the stars are aligned right.

Re:

[StillAnonymous]

It also depends on how the cops intend to get this malware onto someone's computer. Are they doing a little B&E escapade while you're away and stuffing it in locally? If so, that could be pretty hard to detect unless you have hidden cameras or you diligently check logs on a regular basis. Or is it some weak trick where they email the guy an with some pornoesque .exe attachment and cross their fingers, hoping he'll give it a double-click?

Even if they did comply

[Opportunist]

It would not be long until some researcher gets a hold on it (if nobody else, maybe the CCC again after they did the same with the German version of the pest), examines it and publishes the details. And then, the whole thing is for /dev/null because not only does it become trivial to find it, it will also tip off everyone who was infected with it, doubling as a "the feds are closing in" warning.

N.W.A. said it best...

[Nyder]

"Fuck tha Police"

Fedware

[foobsr]

http://boingboing.net/2007/07/13/dea-agents-used-keyl.html [boingboing.net]

Quote: "It seems that spyware and key loggers are far more advanced and commonplace today than they were six years ago, as are anti-spyware tools. I wonder if the FBI could seek a court order requiring an anti-spyware company not to report fedware (as in, fedware would be whitelisted if detected and the customer would not be alerted)." News from 2007.

CC.

Re:

[Seumas]

And don't forget the FBI doing things like requesting (and who knows what they're doing when they're not politely requesting) to send an email with a payload that would jack the customer's computer (in one case, an anonymous email account that they wanted to infect the owning computer so they could use the webcam/skype/etc to view the identify of the person using it -- and don't forget, doing that would circumvent encryption since you could gather data on the computer pre-encryption).

http://gawker.com/judge [gawker.com]

That would be hard

[Sycraft-fu]

Since many of the big name anti-virus companies aren't from the US. ESET is in the Slovak Republic. Kaspersky is in Russia. Bitdefender is in Romania. So they don't really take orders from the FBI. Now, they do have US offices, so they aren't 100% out of reach, however they could always decide to shut down their US office. You don't need a presence in the US to sell in the US, and indeed most of them sold their AV scanner prior to having a US office. At that point the US government could go and declare it i

its funny

[arbiter1]

Reading over the parent story link of this, when such bill's are proposed they use Child Porn has the reason for needing such bill's. Almost every bill of this kinda that is excuse they give for needing it is to help prevent child porn. I mean Really? Is that the best they can come up with to push this kinda crap through? Part that really is concerning is "including those located in foreign countries". So they can hack someone in a completely different country with 0 problem? Um i doubt most countries would be fine with state sponsored hacking like this. No surprise that anti-virus firms won't allow this, if they did let this crap through would make people question what else is and what else could pose as such malware and skate by with the white-list.

Re:

[dissy]

Almost every bill of this kinda that is excuse they give for needing it is to help prevent child porn. I mean Really? Is that the best they can come up with to push this kinda crap through?

It doesn't need to be the best they could claim, it just needs to be good enough to work. And unfortunately, it is.

No politician wants the possibility of others claiming you aren't against child porn, or worse to claim your vote assisted child porn.
You could very likely get a law passed allowing you to rape little children while video taping it, so long as you can spin anyone voting against you as not trying to prevent child porn.

Nothing shuts down the brains of most people like the terms "child porn" and

Re:

[Razgorov Prikazka]

Actually... you should see the politician who thought up this law. Whenever it is about IT (or something else he doesn't know about) He lowers his voice as to be more authoritative and starts droning on about CP. He does that trick every time again. It is quite annoying. Couple of month ago he wanted to make it illegal to keep your facebook passwd to yourself when in custody. And there he was on the telly again in his lowered voice: Well you see... Child pornography, you must know, can only be battled like

geopolitical reality

[argStyopa]

And that, kids, is the difference between being little Holland, and big United States.

I'd see some lawsuits coming

[gnasher719]

Anti-virus software is sold by making promises to the buyer. For example, promises to protect their privacy. Anti-virus software that gave the police access to your computer, even if that was legal, would be in breach of the promises they made when they sold the software. That would be false advertising.

Could you imagine millions of customers asking for their money back when anti-virus software that claims to protect their data intentionally doesn't protect it?

Re:

[kav2k]

No, frankly, I cannot imagine millions of users with pitchforks and refund claims. I doubt this would motivate a lot of them.

Re:

[El_Muerte_TDS]

What anti-virus software is sold with promises? afaik they come with huge disclaimers.

I agree

[bytesex]

'Good malware' is the stupidest idea ever.

The police could use a digital signature

[Time_Ngler]

There is no reason the av companies couldn't cooperate. The Dutch Police could sign their virus and that signature could be checked and then ignored in the anti-virus program. This refusal by the anti-virus corporations flies in the face of the wishes of the law makers, (ie. the police), and they should know that they would have never got to where they were without the permission of the authorities. They are biting the hand that feeds them and there may be consequences for not going along with what their to

Re:

[Time_Ngler]

They will probably come for you before they come for me. I'm just reassuring the powers that be that I am an honest and would not ever be involved in anything that might be considered wrongdoing. You, on the other hand, are making waves, and that can get in the way of progress and the happiness and security of everybody.

Sony vs Dutch Police. Money Talks.

[softcoder]

so where were these anti virus folks when Sony was planting its virus?
Not a single one of them reported it.

I suspect that it is not principles but money that talks here.
let the Dutch police pony up some cash and see if they get a different reaction.
pgmer6809

so it's not a may fools joke then?

[KingBenny]

it's still a lousy one, who is this guy proposing that? sounds worse than when they missed that pedophile and blamed it on the evil tor (which is probably the only option in the universe)
did someone check the reality check on this before actually even thinking of asking to an antivirus company to 'maybe' let some attacks pass ?
only the validated ones from the dutch superpolice force who can never ever be spoofed or imitated ofcourse ...
as in please build a backdoor in your software by redesigning it for