
Antivirus Firms "Won't Co-operate" With PC-Hacking Dutch Police

Posted by timothy
from the talk-about-bad-pr dept.
nk497 writes "Dutch police are set to get the power to hack people's computers or install spyware as part of investigations — but antivirus experts say they won't help police reach their targets. Mikko Hypponen, chief research officer at F-Secure, said the Dutch bill could lead to antivirus firms being asked asked to cooperate with authorities to let an attack reach the target. So far, Hypponen hasn't seen a single antivirus vendor cooperate with such a request, and said his own firm wouldn't want to take part. Purely for business reasons, it doesn't make sense to fail to protect customers and let malware through 'regardless of the source.'"


  • by Anonymous Coward

    "So far, Hypponen hasn't seen a single antivirus vendor cooperate with such a request"
    That's because it's not law yet; once it's law, they will.

    • Re:"So far" (Score:5, Insightful)

      by Anonymous Coward on Saturday May 04, 2013 @04:12AM (#43627751)

      The problem is simple: if you can impersonate police malware, any and all protection is instantly voided.
      This is why it's a VERY, VERY bad idea.

      • Re:"So far" (Score:5, Interesting)

        by AK Marc (707885) on Saturday May 04, 2013 @04:30AM (#43627785)
        Still not hard with root. With a signed order by HR, I installed malware on an employee machine (he was violating just about every clause of the AUP). I had to load up the AV, set the malware to "approved" in the exception list, then install it. He never knew it was there, until he was fired for browsing porn on company time, and "working late" to impersonate young girls in chat rooms to pick-up men, essentially proof he was billing personal time to the company as overtime, as well as the multiple porn complaints we needed to address to prevent lawsuits. Captured the email addresses and passwords for his chatting accounts, things like hotteen14@aol/hotmail. But nobody ever logged into them, just proof that was all he was doing when alone late in the office (though, what was on his screen was known, nothing was known about what he was doing reading those emails or chats...)

        But the point is, for effective malware, you must disable the AV. When the AV has a known hole, everyone will pretend to be the police. Even if heuristics might cause an issue, once you have it on, you attack the AV first. I remember back in the 90's when AV was starting to mature, most of the "smarter" malware would attack the AV. Even if it couldn't disable it, it would run up CPU and cause false alarms to encourage the user to disable it. Causing holes, no matter how small, will allow someone in who shouldn't be in.
        • by Anonymous Coward

          " But nobody ever logged into them,"

          There is no way you know that. A good corporate security system wouldn't ever need to install spyware and collect those details to prove its case.
          As administrator at my company, all I need to do is look at the Cyberoam logs.

          • by Anonymous Coward

            He (the guy doing the privacy violation) would have been breaking the law in almost any country, their computers or not. It's not like they could put cameras in their WC booths if they suspected people of wanking in there.

            Well they could, but there would be lawsuits to pay for filming people while wanking.

            • by AK Marc (707885)
              He would have been me, and why is it illegal for me to install spyware on my own computer? If that's the case, we can arrest everyone with a hacked computer to shut down botnets. It's a great plan, but putting millions of grandmothers in jail will probably not work.
          • by AK Marc (707885)

            There is no way you know that.

            Yes, there is. I did it. Personally. The report had the passwords scrubbed.

            A good corporate security system wouldn't ever need to install spyware and collect those details to prove its case.

            So it's always collecting those details on everyone, rather than waiting for an issue and addressing problems on a more targeted basis? And that's better? I've worked in those places. It was a full-time job to exclude sites from the proxy, as so many popular sites handle caching poorly (often deliberately, to push their own CDN - Google, I'm looking at you).

        • Re:"So far" (Score:5, Informative)

          by gweihir (88907) on Saturday May 04, 2013 @07:27AM (#43628227)

          I have absolutely no problem with your example, as there the legitimate system administrator installs the spy-ware. What the article is talking about is hacking a system against the will of the legitimate system administrator and, consequently, bypassing the AV software. An additional problem is that the police are routinely incompetent. In the case of the German "Bundestrojaner", it was found that all recovered copies had a hard-coded symmetric encryption key used to protect the installed backdoor. That means anybody with access to the malware (including all targets) had low-effort access to all the targets. That is just completely unacceptable. Even more unacceptable is that the police (at least in Germany) are not responsible for the damage they cause. If they by accident hack the wrong machine, they should both be liable for all damage and those negligent should be personally subject to criminal liability. Guess what, they are not. Even worse, if they find anything on this wrong machine, they can use it against the owner, even if they did not have permission to look in the first place. That is what a police-state looks like: Too much power and no responsibility for the police. This is the road to hell.
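The hard-coded-key point above is worth seeing run. The following is an added illustration, not code from the Bundestrojaner or from any real implant: a toy backdoor whose command channel is protected by one symmetric key, so whoever holds the key can issue commands. Everything in it is constructed for the demo (the key constant, the command strings, the two "targets"); the cipher is HMAC-SHA256 used as a keystream plus an HMAC tag, chosen only so the example runs on the standard library. The lesson is key management: with one key compiled into every sample, the key recovered from target A's copy commands target B; with a per-installation key, it does not.

```python
"""Why a single hard-coded symmetric key across every installation is fatal.

Added illustration, not code from the Bundestrojaner or any real implant.
The toy cipher (HMAC-SHA256 keystream + HMAC tag) exists only so the demo
runs with the standard library; the lesson is about key management.
"""
import hashlib
import hmac
import os

# Assumed for the demo: the same constant is compiled into every sample,
# so anyone who unpacks one sample, including any target, has it.
HARDCODED_KEY = b"example-key-baked-into-every-sample"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: concatenated HMAC-SHA256(key, nonce || counter) blocks."""
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(key: bytes, command: bytes) -> bytes:
    """nonce || ciphertext || tag, the tag covering nonce and ciphertext."""
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(command, _keystream(key, nonce, len(command))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes):
    """Return the command if the tag verifies under key, otherwise None."""
    if len(blob) < 48:
        return None
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


class Implant:
    """One installed backdoor: it runs any command it can authenticate."""

    def __init__(self, key: bytes):
        self._key = key
        self.executed = []

    def receive(self, blob: bytes) -> bool:
        command = unseal(self._key, blob)
        if command is None:
            return False
        self.executed.append(command)
        return True


def shared_key_deployment():
    """Two targets, one baked-in key. Returns (operator accepted, forger accepted)."""
    target_a = Implant(HARDCODED_KEY)
    target_b = Implant(HARDCODED_KEY)
    operator_ok = target_a.receive(seal(HARDCODED_KEY, b"upload keystroke log"))
    # "Recovering" the key from a captured copy of target A is reading a constant.
    key_from_sample_a = HARDCODED_KEY
    forged_ok = target_b.receive(seal(key_from_sample_a, b"exec dropped_payload.exe"))
    return operator_ok, forged_ok


def per_target_deployment():
    """Each installation gets its own random key at deployment time.
    Returns (operator accepted, forger accepted)."""
    key_a, key_b = os.urandom(32), os.urandom(32)
    target_a = Implant(key_a)
    target_b = Implant(key_b)
    operator_ok = target_a.receive(seal(key_a, b"upload keystroke log"))
    # The key lifted from A's sample is useless against B.
    forged_ok = target_b.receive(seal(key_a, b"exec dropped_payload.exe"))
    return operator_ok, forged_ok


if __name__ == "__main__":
    print("shared key :", shared_key_deployment())   # (True, True)
    print("per-target :", per_target_deployment())   # (True, False)
```

Per-target keys only close the hole the comment describes; this toy does nothing about replay of a captured command, and any real channel would also need fresh nonces tracked on the receiving side.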

          • Guess what, they are not.

            You're assuming they can manage to keep their efforts within German or Dutch borders. If I find anyone interfering with my machines I will be pressing for a prosecution no matter who they are, even if that means police wandering outside of their jurisdiction. Ah the joys of trying to apply local laws to an international internet.

          • And that is why rkhunter, clamav, encrypted partitions including swap, well configured iptables and well defined policies are so important. I've got nothing to hide and want to make it as hard as possible for the police to find out just that. Even if they are allowed to try.

            Couple of weeks ago I went to buy a new laptop. At the shop I was immediately mugged by some MS employee telling me that windows was the best. I told him that I wanted to install Linux. He couldn't comprehend and I told him that it was
            • by Sabriel (134364)

              And that is why rkhunter, clamav, encrypted partitions including swap, well configured iptables and well defined policies are so important.

              Nice fucking product if you need third party software just to keep it secure.

              Did you see what you did there? :)

        • by hairyfeet (841228)

          You are 100% correct, it'll be the Sony rootkit all over again. Anybody here remember that? That was legit anti-piracy software but once word got out about it every malware writer was using it as a backdoor into the system. We'll see the exact same thing in this case, it won't be a month before tests looking for the "bacon backdoor" will come standard with Metasploit and any AV found to support the bacon backdoor will be worth less than nothing.

          At the end of the day you just can't give SOME rootkits a pass
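The Sony case referred to above is a clean illustration of why a cloak granted to one "approved" program is a cloak for everyone. The XCP rootkit shipped on Sony BMG CDs in 2005 hid every file, process and registry key whose name began with "$sys$"; other programs got the same treatment simply by adopting the prefix, and the rootkit was found through a cross-view comparison (what the filesystem holds versus what the filtered API reports). The block below is an added model of that one rule, not Sony's or First 4 Internet's code; the directory contents and the "known bad" signature are constructed for the demo.

```python
"""Cloaking keyed on a name is a free hiding place for everybody.

Added illustration, not Sony's or First 4 Internet's code. It models the one
rule the XCP rootkit enforced (hide anything starting with "$sys$"), shows
that any other program borrows the cloak by picking the prefix, and shows
the cross-view check that exposed it.
"""
CLOAK_PREFIX = "$sys$"

# Constructed directory contents for the demo (not real file names).
RAW_DIRECTORY = [
    "notepad.exe",
    "$sys$drm_player.dll",     # the "legitimate" copy-protection component
    "$sys$not_from_sony.exe",  # anyone else's program, renamed to borrow the cloak
    "report.docx",
]


def rootkit_filtered_view(raw_names):
    """What the cloaking driver lets the OS, and the AV on top of it, see."""
    return [n for n in raw_names if not n.startswith(CLOAK_PREFIX)]


def scanner_verdict(visible_names, signatures):
    """A signature scanner can only flag what it is shown."""
    return [n for n in visible_names if n in signatures]


def cross_view_hidden(raw_names, filtered_names):
    """RootkitRevealer-style check: anything present in the raw on-disk view
    but missing from the API view is being hidden by something."""
    return sorted(set(raw_names) - set(filtered_names))


def demo():
    """Return (what the scanner flagged, what the cross-view check uncovered)."""
    visible = rootkit_filtered_view(RAW_DIRECTORY)
    known_bad = {"$sys$not_from_sony.exe"}           # assume the AV has a signature for it
    flagged = scanner_verdict(visible, known_bad)     # empty: cloaked before the scanner looks
    hidden = cross_view_hidden(RAW_DIRECTORY, visible)
    return flagged, hidden
```

The scanner in this model has a perfect signature for the intruder and still reports nothing, because the decision to hide is made on an attribute the intruder controls; that is the same failure as an AV whitelist keyed on "looks like the police tool".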

      • by gmuslera (3436)
        If it is a backdoor, then the antivirus itself is malware. If you don't want to be between a rock and a hard place, stay out of the windows.
    • Re: (Score:3, Insightful)

      by doctor woot (2779597)

      "So far, Hypponen hasn't seen a single antivirus vendor cooperate with such a request"
      That's because it's not law yet; once it's law, they will.

      I sincerely doubt that. I'm sure more than a few of those asked to cooperate saw the marketing potential in possibly having one of the few AV services billed as "free from government malware!" Now that all that have been asked have refused, it'd take a death wish for a company to volunteer to be the black sheep.

      • All it takes is a secret national security letter to compel compliance. We don't know if there is some generic secret law that addresses the issue. Find a trained dog to sniff your network.

        • by RockDoctor (15477)

          All it takes is a secret national security letter to compel compliance.

          I'm going to hazard a guess that Kaspersky (headquarters: Moscow) and F-Secure (headquarters: Helsinki) are going to be less than disturbed about a secret order from a foreign government requiring them to (secretly) do something that is likely to be very bad for their business, if not actually illegal. The most that the staff of the companies' US offices can do (which would keep them personally in compliance with US law, probably) would

    • Re:"So far" (Score:5, Informative)

      by RDW (41497) on Saturday May 04, 2013 @05:32AM (#43627955)

      I can't believe most antivirus companies would turn a blind eye to the tools used by law enforcement agencies and national governments. They only do that if the malware is installed by someone _really_ important. Like Sony:

      http://www.wired.com/politics/security/commentary/securitymatters/2005/11/69601?currentPage=all [wired.com]

    • Re:"So far" (Score:4, Insightful)

      by craigminah (1885846) on Saturday May 04, 2013 @09:50AM (#43628791)
      The second a security company allows insecurities to exist NOBODY will use their software, nor should they. If a governmental agency wants to monitor its citizens they need to wiretap or do it some other way. It seems governments nowadays think they can do anything...
      • by johanw (1001493)

        The second a security company allows insecurities to exist NOBODY will use their software, nor should they. If a governmental agency wants to monitor its citizens they need to wiretap or do it some other way. It seems governments nowadays think they can do anything...

        Well, the story of the Sony rootkit suggests otherwise. And of course, although all kinds of useful programs like cracks are labeled as "potentially unwanted program", spyware like the Ask.com toolbar or Google Chrome can still pass all virus scanners.

        • I think Sony lost a lot of credibility for their rootkit. PUPs, toolbars, and anything made by Google :) that have the potential to exfiltrate data generally won't be caught by a virus scanner unless it has an outgoing firewall or it has marked the program itself to be suspect.
  • by Njovich (553857) on Saturday May 04, 2013 @04:05AM (#43627727)

    Aside from whitelisting executables, anti-virus products have about 0% chance of catching stuff that isn't distributed to hundreds of thousands of machines anyway. All they need to do is change their payloads and exploits sometimes. I doubt the police would even bother asking anti-virus makers.

    • by AHuxley (892839)
      Depends on the OS and the software. Some AV may offer a phone home option for helping with new "strange" data, some are passive software outgoing firewalls that might be easy to code around??
      Then you have packet analyser software.
      What can the police contract for? A preflight script check for the presence of an outgoing firewall? A list of more advanced behavioural analysis AV solutions?
      Try and keep up with EU, Russian, US AV vendors? Request a http://en.wikipedia.org/wiki/Magic_Lantern_(software) [wikipedia.org] fre
    • Most of the major AV software suites utilize some form of behavioral heuristics to detect unknown threats. I'm not saying it's 100%, but you'd be surprised how effective it can be if implemented right.

    • by jonbryce (703250)

      Anti-virus will often report if a program tries to edit /etc/hosts, change network settings or install new security certificates - the sort of thing you would need to do to implement a man-in-the-middle attack.
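The three artefacts named in the comment above (hosts file, network settings, trust store) are exactly what a baseline-and-compare check can watch. The following is an added example, not code from any AV product: it parses a hosts file and reports names that were added or re-pointed, and hashes each PEM block in a CA bundle to report new trust anchors. The sample hosts and certificate contents are constructed (the hostnames use the reserved .test TLD, the address is from TEST-NET-3, and the "certificates" are placeholder PEM blocks, not real certificates); a real deployment would read the live files and compare against a baseline captured at install time.

```python
"""Spotting the footprints of a local man-in-the-middle.

Added example, not from any AV product: baseline-and-compare over the hosts
file and the trusted CA store. All sample contents are constructed.
"""
import hashlib
import re

# Constructed baseline and "current" hosts files.
HOSTS_BASELINE = """127.0.0.1 localhost
::1 localhost
"""
HOSTS_NOW = """127.0.0.1 localhost
::1 localhost
# added by "update"
203.0.113.10 login.bank.test www.bank.test
"""

# Constructed CA bundles: placeholder PEM blocks, not real certificates.
CA_BASELINE = "-----BEGIN CERTIFICATE-----\nQ0EgcGxhY2Vob2xkZXIgMQ==\n-----END CERTIFICATE-----\n"
CA_NOW = CA_BASELINE + "-----BEGIN CERTIFICATE-----\nQ0EgcGxhY2Vob2xkZXIgMg==\n-----END CERTIFICATE-----\n"

_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def parse_hosts(text: str) -> dict:
    """hostname -> ip for every name on every entry; comments and blanks ignored."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def hosts_changes(baseline: str, current: str) -> list:
    """(hostname, old_ip, new_ip) for names added (old_ip None) or re-pointed."""
    before, after = parse_hosts(baseline), parse_hosts(current)
    return sorted(
        (name, before.get(name), ip)
        for name, ip in after.items()
        if before.get(name) != ip
    )


def cert_fingerprints(store_text: str) -> set:
    """SHA-256 over each PEM block as written: enough to detect additions."""
    return {hashlib.sha256(m.group(0).encode()).hexdigest() for m in _PEM_BLOCK.finditer(store_text)}


def new_certs(baseline_store: str, current_store: str) -> set:
    """Fingerprints present now that were not in the baseline."""
    return cert_fingerprints(current_store) - cert_fingerprints(baseline_store)


def audit(hosts_before: str, hosts_after: str, ca_before: str, ca_after: str) -> list:
    """Human-readable findings for both checks."""
    findings = []
    for name, old, new in hosts_changes(hosts_before, hosts_after):
        where = f" (was {old})" if old else " (new entry)"
        findings.append(f"hosts: {name} -> {new}{where}")
    for fp in sorted(new_certs(ca_before, ca_after)):
        findings.append(f"ca-store: new trust anchor sha256:{fp[:16]}...")
    return findings


if __name__ == "__main__":
    for finding in audit(HOSTS_BASELINE, HOSTS_NOW, CA_BASELINE, CA_NOW):
        print(finding)
```

Alerting on the hosts change alone would be noisy on developer machines; the combination of a re-pointed login hostname and a freshly added trust anchor is the pattern that matters, since together they let a local proxy terminate TLS without a browser warning.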

    • So you don't think that the police want to keep track of hundreds of thousands of individuals?

  • Hmm (Score:3, Insightful)

    by BeTeK (2035870) on Saturday May 04, 2013 @04:11AM (#43627745)
    I think hacking has one big downside compared to traditional phone tapping. It is possible the person being hacked can detect this and take countermeasures against it, or even supply false information. From a police standpoint I would consider information gained through hacking very unreliable.
  • ...firms being asked asked to cooperate ...

    I think you mean: ...firms being asked, and asked again to cooperate...

    • by mwvdlee (775178)

      It's more like the firms are being "asked" asked to cooperate.
      Kinda like how a robber "asks" asks you for money.

  • by Jah-Wren Ryel (80510) on Saturday May 04, 2013 @04:54AM (#43627861)

    You really can't draw any conclusions from what they SAY, only what they DO. It would be the kiss of death for them to say anything else.

    If they said they did cooperate, then anyone doing anything remotely suspect would use a different product making that cooperation useless. Meanwhile everybody worried about criminals exploiting the backdoor by impersonating the cop-ware would also switch to another product.

    The only way we will know is if someone notices cop-ware installed on their system and tests the antivirus software to see if it detects it - and then goes public with the results.

    • by Kjella (173770)

      The only way we will know is if someone notices cop-ware installed on their system and tests the antivirus software to see if it detects it - and then goes public with the results.

      So? Antivirus fails to identify malicious software all the time, the only way you'd have any hard evidence is if you proved that the detection code intentionally ignored it.

  • by Anonymous Coward

    That's hilarious. The antivirus gang doesn't have anything that works against targeted attacks anyway. The police aren't going to install the same malware that's on a million other machines on the suspects' computers to add them to a botnet, which is about the only thing any antivirus software can prevent, if the stars are aligned right.

    • It also depends on how the cops intend to get this malware onto someone's computer. Are they doing a little B&E escapade while you're away and stuffing it in locally? If so, that could be pretty hard to detect unless you have hidden cameras or you diligently check logs on a regular basis. Or is it some weak trick where they email the guy some pornoesque .exe attachment and cross their fingers, hoping he'll give it a double-click?

  • by Opportunist (166417) on Saturday May 04, 2013 @05:26AM (#43627933)

    It would not be long until some researcher gets a hold on it (if nobody else, maybe the CCC again after they did the same with the German version of the pest), examines it and publishes the details. And then, the whole thing is for /dev/null because not only does it become trivial to find it, it will also tip off everyone who was infected with it, doubling as a "the feds are closing in" warning.

  • by Nyder (754090) on Saturday May 04, 2013 @05:31AM (#43627951) Journal

    "Fuck tha Police"

  • by foobsr (693224) on Saturday May 04, 2013 @05:55AM (#43628009) Homepage Journal
    http://boingboing.net/2007/07/13/dea-agents-used-keyl.html [boingboing.net]

    Quote: "It seems that spyware and key loggers are far more advanced and commonplace today than they were six years ago, as are anti-spyware tools. I wonder if the FBI could seek a court order requiring an anti-spyware company not to report fedware (as in, fedware would be whitelisted if detected and the customer would not be alerted)." News from 2007.

    CC.

    • Re: (Score:3, Informative)

      by Seumas (6865)

      And don't forget the FBI doing things like requesting (and who knows what they're doing when they're not politely requesting) to send an email with a payload that would jack the customer's computer (in one case, an anonymous email account that they wanted to infect the owning computer so they could use the webcam/skype/etc to view the identity of the person using it -- and don't forget, doing that would circumvent encryption since you could gather data on the computer pre-encryption).

      http://gawker.com/judge [gawker.com]

    • Many of the big-name anti-virus companies aren't from the US: ESET is in the Slovak Republic, Kaspersky is in Russia, Bitdefender is in Romania. So they don't really take orders from the FBI. Now, they do have US offices, so they aren't 100% out of reach, however they could always decide to shut down their US office. You don't need a presence in the US to sell in the US, and indeed most of them sold their AV scanner prior to having a US office. At that point the US government could go and declare it i

  • by arbiter1 (1204146) on Saturday May 04, 2013 @07:45AM (#43628273)
    Reading over the parent story link of this, when such bills are proposed they use child porn as the reason for needing such bills. Almost every bill of this kind, that is the excuse they give for needing it: to help prevent child porn. I mean really? Is that the best they can come up with to push this kinda crap through? The part that really is concerning is "including those located in foreign countries". So they can hack someone in a completely different country with 0 problem? Um, I doubt most countries would be fine with state-sponsored hacking like this. No surprise that anti-virus firms won't allow this; if they did let this crap through, it would make people question what else is and what else could pose as such malware and skate by with the whitelist.
    • by dissy (172727)

      Almost every bill of this kind, that is the excuse they give for needing it: to help prevent child porn. I mean really? Is that the best they can come up with to push this kinda crap through?

      It doesn't need to be the best they could claim, it just needs to be good enough to work. And unfortunately, it is.

      No politician wants the possibility of others claiming you aren't against child porn, or worse to claim your vote assisted child porn.
      You could very likely get a law passed allowing you to rape little children while video taping it, so long as you can spin anyone voting against you as not trying to prevent child porn.

      Nothing shuts down the brains of most people like the terms "child porn" and

      • Actually... you should see the politician who thought up this law. Whenever it is about IT (or something else he doesn't know about) he lowers his voice so as to be more authoritative and starts droning on about CP. He does that trick every time. It is quite annoying. A couple of months ago he wanted to make it illegal to keep your facebook passwd to yourself when in custody. And there he was on the telly again in his lowered voice: Well you see... Child pornography, you must know, can only be battled like
  • And that, kids, is the difference between being little Holland, and big United States.

  • by gnasher719 (869701) on Saturday May 04, 2013 @08:00AM (#43628319)
    Anti-virus software is sold by making promises to the buyer. For example, promises to protect their privacy. Anti-virus software that gave the police access to your computer, even if that was legal, would be in breach of the promises they made when they sold the software. That would be false advertising.

    Could you imagine millions of customers asking for their money back when anti-virus software that claims to protect their data intentionally doesn't protect it?
    • by kav2k (1545689)

      No, frankly, I cannot imagine millions of users with pitchforks and refund claims. I doubt this would motivate a lot of them.

    • What anti-virus software is sold with promises? afaik they come with huge disclaimers.

  • 'Good malware' is the stupidest idea ever.

  • There is no reason the AV companies couldn't cooperate. The Dutch police could sign their virus and that signature could be checked and then ignored in the anti-virus program. This refusal by the anti-virus corporations flies in the face of the wishes of the lawmakers (i.e. the police), and they should know that they would have never got to where they were without the permission of the authorities. They are biting the hand that feeds them and there may be consequences for not going along with what their to

  • by softcoder (252233) on Saturday May 04, 2013 @08:07PM (#43632057)

    So where were these antivirus folks when Sony was planting its virus?
    Not a single one of them reported it.

    I suspect that it is not principles but money that talks here.
    Let the Dutch police pony up some cash and see if they get a different reaction.
    pgmer6809

  • It's still a lousy one. Who is this guy proposing that? Sounds worse than when they missed that pedophile and blamed it on the evil Tor (which is probably the only option in the universe).
    Did someone check the reality check on this before actually even thinking of asking an antivirus company to 'maybe' let some attacks pass?
    Only the validated ones from the Dutch superpolice force who can never ever be spoofed or imitated, of course ...
    as in please build a backdoor in your software by redesigning it for
