Men who spy on women through their webcams (arstechnica.com)
222 points by bretthoerner on March 11, 2013 | 184 comments


In June 2012, the FBI arrested Michael "xVisceral" Hogue at his home in Tucson, Arizona and charged him with selling "malware that allows cybercriminals to take over and control, remotely, the operations of an infected computer."

First of all, I don't condone this behavior, and using such software for "ratting" should obviously be illegal, but is it really illegal to sell this type of software (or any malware)?

It seems incredibly dangerous to make software illegal based on its potential illegal uses.

I recall a controversy about a "hacking tools" law in Germany a few years ago, but never in the US. What law would this fall under, if any?


If you sell software with features that could only reasonably be used for illegal activities, such as sending you the credit card number someone is entering, then: a resounding YES! Also if you advertise features for illegal use, even if they could be used for legal things.


I recollect that the German law was written in a way that would logically classify gcc as a hacking tool, i.e. the definition was very broad.

I'd be interested in the definition/ law being used here.


That's beside the point. There are plenty of valid uses for other things which would have been criminalized such as Metasploit and Core Impact. Not to mention that such things as writing PoC code to validate vulnerabilities would have been right out of the question.


I accept your point, which I take to be that a law or regulation that attempted a narrow definition of tools thought to be for criminal purposes would still criminalise legitimate activities. It is the activity that should be against the law, not possession of the software.

I was just wondering what the law used in this case was.


Yes, but privacy.

A lot of activities are incredibly hard to actually catch someone in the act of, and incredibly hard to actually get hard proof of. Possession, on the other hand, is a strong correlation and proof of itself. The reasonableness of this correlation is what draws the line between whether or not possession is illegal, and that's going to be subjective.

It's really easy to forget that the first and foremost reason we defend privacy isn't because its breach is icky. It's because illegality is sometimes the right thing to do. However, usually it's not. This is a natural contradiction that makes writing law difficult.


Absolutely agreed--this is a point I made in other posts. I apologize if I came across as harsh--absolutely not my intention.


ACME kitchen knives: great for chopping onions and murder sprees.

Yes that is tongue-in-cheek but there is an equivalence here in that the consumer decides how the product will be used. I do agree that advertising use for illegal activity should be quashed (does that impinge on free-speech?).


> does that impinge on free-speech?

It could be argued that free speech necessarily has limitations. Depending on where you are in the world, this involves hate speech and incitation to violence.

I would readily agree that distributing (especially SELLING) tools with the expressly stated purpose of criminal use should be punishable. That being said, the same tools are likely useful for legitimate purposes. Heck, I could see an argument for Back Orifice being useful in that one would really like to be assured that their network's egress filtering would raise flags when BO traffic is on the wire. This brings up another important point--these tools are always useful for people who are writing protection and mitigation against the tools' methods.


Selling kitchen knives: not illegal.

Selling kitchen knives, and giving tips and instruction on where to stab to inflict maximum damage: I'd be very surprised if you're not legally liable for the actions of the third party. But, IANAL.

EDIT: as for free speech, the "imminent lawless action" [1] test is AFAIK the current standard in the US. I'm sure there's case law around this that I'm not familiar with, but I'd argue giving killing tips is likely to incite "imminent lawless action" in the knife analogy.

1. http://en.wikipedia.org/wiki/Imminent_lawless_action


Remote desktops can be used for all sorts of things, among others helping people with their computer problems.


In this case the specific software we're talking about had a feature whose specific purpose was to detect someone entering a credit card number, screenshot it and upload the image to an FTP server:

'In further MSN chats with the FBI, the person alleged to be Hogue answered a question about whether the Blackshades software would automatically conduct key logging or whether it had to be initiated manually. "It auto does, and you can download from all at once, or scan for keywords or digits," came the reply. "And if it detects a credit card is being entered, it can send screenshots to FTP and you can scan for digits that are 16 in a row :P"'

It also had as a feature to encrypt a user's files and pop up a ransom notice:

'Blackshades went beyond DarkComet in its support for features that were likely to result in illegality, such as the "File Hijacker" that could encrypt a victim's key files and then pop up a "ransomware" message demanding payment into a remote bank account in order to free the files. (A note attached to this feature said: "However, one thing to put in mind: This feature was made for educational purposes only.")'

In general, even tools that are quite clearly intended for illegal uses seem to be OK. But this one took it much further.


I think it depends on the generality of the software. Obviously a general purpose remote desktop program has a lot more legitimate uses than something designed specifically to find CC numbers.

Thing is, you could make a CC sniffing program and then realise "hmm, this might be difficult to defend in court" so you generalise it to something that simply looks for arbitrary strings of numbers. Of course the fact that 90% of your users happen to enter "16" into the box is not your fault.

The generalised program might have useful side effects as a result, but it is no less dangerous than the more specific program.


OK didn't read the article very closely, sorry.


And the sellers of THOSE remote desktops don't have a problem.


Out of curiosity, what law makes it illegal?


I'd be curious to find out as well. It's a very fine line between a luhn10 checker, and a luhn10 sniffer--the law's wording would need to be very precise to avoid criminalizing legitimate business software.


Often I think authorities realize these laws are over-broad but don't care. They just selectively enforce.

For example in NZ, the Crimes Amendment Act 2003 allows for prosecution[1] of anyone who drops or sells 0day.[2]

It's one of those laws which has never been enforced, but probably would be if you made a nuisance of yourself.

---

http://www.legislation.govt.nz/act/public/2003/0039/latest/D...

(Section 251 Making, selling, or distributing or possessing software for committing crime)

[1] "liable to imprisonment for a term not exceeding 2 years"

[2] The requirement is "the sole or principal use of which he or she knows to be the commission of a crime". However, gaining unauthorised or unlawful access to a computer system is a crime meaning exploits qualify.


This sounds mostly reasonable at first glance. I'd have to dig a lot more into how it's played out in practice to have a fully-valid opinion, of course.

The one thing you mention that worries me, though, is dropping 0day. Would this include full disclosure? Would this include developing an 0day as part of a pentest? How does this affect things even as far reaching as responsible/coordinated disclosure? If a law makes doing the right (let's use open disclosure, whether full and immediate or coordinated and timed just to mean "right" while selling 0days for ostensibly criminal purposes as "wrong" for the sake of this conversation) thing as difficult (or even more difficult) to do than the wrong thing, then the law will only bolster the black market.


These are open questions which have never been resolved since section 251 was introduced in 2003. Note that this is NZ law only and I am not sure of the situation internationally.

Some relevant quotes:

http://www.giac.org/paper/gsec/4001/zealand-information-tech...

"Although most cases of legitimate have been covered, not all have. Section 251 does potentially raise some interesting issues around concepts that many security professionals are supportive of, the sharing of information and full disclosure..."

http://www.bellgully.co.nz/newsletters/03CTM/03CTM_HackersBe...

"On the face of it, such criticisms may be justified. Whether or not the Amendment Act will actually have this effect will only become clear through the passage of time. In this regard, “good” users of such information may have to rely (tentatively) on the police's discretion whether or not to prosecute a particular case."


Plus pen testers could argue that they legitimately need any tool a hacker could possibly use in order to test the security of their systems.

nmap was one example I remember hearing would be considered illegal under Germany's new law.


s/could/do/

This is the problem with this manner of laws. Criminalizing the very method by which entities guarantee their security is never a good idea.


It's not that hard to carve out exceptions. Professionals can buy really dangerous fireworks that are 'illegal'.


Most likely this will lead to official certification and registration of pen testers like locksmiths and alarm system installers are required to have in some states.


Yeah, this is pretty likely. It's a dangerous road to go down, however, as regulatory bodies can be far from impartial.

It's a difficult issue to properly address. I think the right method to go about it is to punish actions, rather than possession of tools. On some level, simply having the ability to write software makes one suspect, if you start scrutinizing tools. Actions (compromising boxes and running exploits without permission of the owner of the host, advertising explicitly criminal use of software) are easy enough to define, and it's easier to define an exclusive list of "bad" actions, than to come up with generalizable rules.


I am not a lawyer, but I have noticed convictions. The grounds were simply 'aiding and abetting' criminal activities.


So you would be OK with people being arrested for selling software to rip DVDs or CDs?


Have you heard of someone being arrested and charged with possession of drug paraphernalia?

Drug paraphernalia could be coffee filters, aluminum foil, a pipe, roach clips. These are all things that are totally legal to purchase yet you can be charged with a crime for having them. To avoid it, you have to avoid being suspected of drug use or being added to the local 'most wanted' list.


In Sweden, running a service is deemed illegal if the majority usage is of an illegal nature. The appeal court explicitly wrote this in their decision regarding The Pirate Bay case, in answer to a question regarding search engines like Google. For evidence, they referred to the screenshots of top 100 charts made by the - since employed by MPAA - investigator.

I always wondered what that would mean to an email service, since the primary form of email can easily be illegal spam/scams. I would also be careful if I ever contributed to projects like nmap, because how can I prove what the primary usage of such a program is? Could it be defined that I was performing a service if I contributed code?


There is so much wrong with your comment.

1) It is not the software that is illegal, it is the selling of it as your quote clearly shows.

2) If the software has no other purpose than to commit crimes, then yes, the selling of that software should be illegal. It is selling a tool whose sole purpose is to facilitate criminal activity.


I don't trust the courts to determine which software "has no other purpose than to commit crimes". As I point out in another comment, penetration testers could argue that they'd legitimately need to use nearly any software used by hackers, including stuff like Metasploit. Someone else also points out it could potentially inhibit people disclosing vulnerabilities.


Courts tend to focus on intent.

Further reading: [What Colour are your bits?](http://ansuz.sooke.bc.ca/entry/23)


I feel like it's 1998 and everyone has discovered Back Orifice again.


I honestly thought this was another one of those "Let's post a 10 year old article to reminisce" posts...

To be honest, I'm semi-impressed this is still a thing. I assumed it had died in the late 90s.

It's also scary of course, that these people seem to have antivirus running and it hasn't stopped it. Seems like a pretty trivial thing to detect?


Antivirus is much less effective than most people believe. The problem is that the AV is "entrenched" and the malware is "mobile".

Malware authors can simply tweak or repack their code until the AV engines don't detect it anymore.

Getting around behavioral detection is harder, but possible. If malware is privileged it becomes an arms race of who can hook lowest and who can disable who.


Agreed, I don't bother with AV software for myself anymore; the performance penalty and nagging isn't worth it.

I tend to notice a correlation between people who have problems with malware/spyware/crapware and people who have AV software installed and it's the opposite of what you might expect. Perhaps people who install it get a false sense of security?

AV software tends to be either ineffective in that it doesn't detect a lot of actual malware or it is constantly generating a lot of false positives which people just learn to ignore "Tracking cookie detected! Your life is in danger!".


I think this is a necessity to justify AV to the masses. They have to find lots of "threats" to a) keep your average user scared into renewing every year and b) impress the owner that the application is so thorough. Look at this! It found all these cookies that could harm me! This software rocks!


> "Tracking cookie detected! Your life is in danger!"

That's the difference between Microsoft Security Essentials and commercial AV software. One is designed to just make the OS more secure, the other also needs to advertise its presence and appear to be "doing something".


Perhaps people who don't install it are much more likely to know what they're doing and avoid common sources of infection.


It's possible your correlation implies you simply aren't aware that you and others not running AV have a virus.

I'm more of a firewall guy myself.


The problem is that the behavior itself is rarely viral. What's the difference between this and, for example, gotomypc?


SubSeven, anyone :)?

Also, apparently it was relaunched in 2010 and soon after their site was hacked[1], they also lost their source code - ahaha. No backups, 2010. Christ.

[1] http://en.wikipedia.org/wiki/Sub7


That brings back memories, used that to mess with friends back in high school in 00-02.

"Weird, my cd drive just opened up."


Not even that, it feels like NetBus, especially with the opening and closing the DVD tray.


Ah! Cult of the Dead Cow.


Ah yes. My early days in junior high school were spent trying to infect the school library computers so I could use free internet. Nostalgia.


I have been saying this for a long time... what we are really seeing in "web 2.0" is actually average folks catching up to what geeks have been doing for a long time, it's only on a much larger scale now but almost all you see nowadays has already been there and done before.


"Amanda Todd", in Canada, died because of these ratters.

They are rotten people who do this to innocent girls; they bullied her to death. This same (dark, whatever) service will be used to make these girls slaves for pornography on cam... it must stop.

It's being used by human traffickers, who will threaten her and then make her a real computer slave.

This needs to stop, we are a better human race than this.



That just ruined my day.


Am I alone in feeling uncomfortable at the article's consistent use of "slaves"? This is very different from slavery, and if it's the perpetrators' term then it seems like buying into their worldview.


The master/slave terminology has a history in technological circles, typically being used to describe situations where one device is used to control another device. It actually predates computers; you can find examples in mechanical and hydraulic machinery going much further back.

As far as that context goes, the term is accurate for what RATs do: the hacker's "master" device can be used to control what the "slave" machines do. I assume that this is the context in which these people are using those terms. But it is, admittedly, somewhat jarring for people unfamiliar with that context.


While the technical meaning may be part of why they are using it, I think they are clearly using it mostly for its connotation related to controlling a person.


It's true that it has history in technological circles, but the politically correct wording appears to now be "primary" and "secondary". Interestingly, in 2003:

"Los Angeles officials have asked that manufacturers, suppliers and contractors stop using the terms "master" and "slave" on computer equipment, saying such terms are unacceptable and offensive." [1].

[1] http://www.cnn.com/2003/TECH/ptech/11/26/master.term.reut/


I honestly couldn't doubleminusagree with the political correctness movement any doubleplusmore.


"That's treating people with respect gone mad!"


Yeah no... I think they're using the term to refer to the people, not their computers.


It is the perpetrator's term. At the end of the article:

> prepare to be sold or traded to the kind of person who enters forums to ask, "Can I get some slaves for my rat please?"


It's because the ratters use it to refer to their victims.


It most likely derives from "master/slave" relationships like client/server. "Slave" is chosen since it makes adolescent boys feel like they have power. The author is merely using the community's terminology.


Yeah, I kind of thought the writer was at least a bit in awe of the ratters. I would have called them victims, instead. Why perpetuate the vernacular?


It's insane how many times the author used the word slaves.


People that do this are evil.


I went and read the forum in question. It's full of nontechnical people who are obviously teenagers. It reminds me a lot of video game forums I used to visit, with gaudy image signatures and all, except here the competition is to collect (and trade) the best "slaves" and spy on them. My guess is that these people started out with video game cheats and, without anything better to do or anyone to stop them, it spiralled into this.

One interesting tidbit is that people seem to often post stories of interactions with their "slaves". It usually involves them trying to seem powerful and scary, but at the same time there's an undertone of wanting to connect with the people that they spy on. For instance, after one guy intentionally outs himself by posting on his "slave's" Facebook profile, he chats with her and keeps trying to convince her (in a threatening way) to Skype him so that he can show her how to install an antivirus. There are also a lot of interactions of the "put a shoe on your head and hold this sign and I'll stop hacking you" variety.

Edit: Also, don't miss that bit at the end about the RAT software author quitting in part because of the Syrian government's use of his software against rebels. Scary stuff.


They want to interact with them because they feel alone and this is as far as their ability to handle social interactions goes.

It used to be that such people would eventually develop the skills to interact with adult society, but hey why do all that work when you can just put a hacked copy of Sims 3 on pirate bay.

It makes me want to counter hack them (which wouldn't be very difficult) but I won't, because it would be illegal (and would potentially cause harm to a third party).


They want to interact with them because the 'slaves' are above their social position. It's the only way they have to interact, if you can call it interacting, with that 'hot girl from facebook' who wouldn't give them a look in real

It's that same reason most forum posters go crazy when a girl posts.


> without anything better to do or anyone to stop them, it spiralled into this

Surely the basis for not being evil, is to not do bad things to other people by the command of your conscience?

I understand that the majority of the offenders are likely children, and I hope that most of them will remember themselves doing this with feelings of shame for a very long time, because these sorts of acts are not merely pranks. They may affect their targets in seriously negative ways.


I was just trying to give interesting details, not so much to excuse or accuse. I just meant that, from the tone of discussion and my general impression of the people, that's how I assume that they wound up there. I imagine that it also has to do with amateur porn (not all of which is obviously released with consent) and reality TV making voyeurism a familiar thing.

I guess I mostly think of them as dumb and immoral, but I do think that it's evil to have those kinds of interactions with people. I don't understand why people consented to holding up signs that said "pwned by...." - to me, that looks like bullying.

Actually, I guess I do kind of understand. I got prank called regularly in high school, and that felt pretty terrible. But I tried to go along with it in the hope of defusing it amicably, and it took me a long time to admit that I was a victim and go to a third party to make it stop (the equivalent here would be to reinstall Windows).


I think it's a bit presumptuous to say the "gateway activity" if you will, to ratting innocent people was video game cheats. There are plenty of websites that use this forum style. There are plenty of bored people in the world.


That's just the internet version of peeping your neighbors through binoculars and leaving them shit on the doorstep to mess with them.

Obnoxious, insensitive, but evil? Like axis of evil - evil? Like evil marketing practices of pharmaceutical companies - evil? Nah. Just kids ... of any age. They were bothered by making a little kid cry. Can't be that evil.


What about discovering that you, a young girl, have been seen naked on your webcam? Can you imagine what that can do to the mind of a child/young adult? Imagine all the troubles that can bring to a human mind, and imagine if that mind can already be a little troubled.

I say pure evil. Like holocaust evil, just at a smaller scale.


"Like holocaust evil"

Like holocaust evil? Really? You are comparing moronic teenage hacking and bullying to the systematic, industrialized murder of millions of people?


Honestly (and maybe obviously) I just mentioned "holocaust" because of the "not axis of evil -evil". Of course a bully is not comparable to a genocidal regime...

But a moronic teenager potentially messing with another teenager's life forever (Amanda Todd-like), in a systematic and industrialized manner, just for laughs or some sociopath self-power assertion (not for science, not for profit, not for educational purposes) kinda reminds me of some Nazi pseudo-doctor from the Holocaust.


I think it's a bit much to compare this, but to be fair you're misquoting and leaving out the "at a smaller scale". It is most definitely sociopathic though.


Yes, peeping on someone is equivalent to the torture and murder of human beings.


What about peeping plus mind torture, bullying, public humiliation, blackmail,...

The (exclusively) peepers are probably just teenagers. The evil ones are those who don't do it for quick, funny sexual purposes.

The evil ones are those who do it for the fun of torturing the "slaves". The evil ones are those who use the collected material for profit (or silly cyber-cred) at the expense of a young girl's mind.


In western society, they are not equivalent but are related and intersectional, esp. considering this kind of peeping is about sexual coercion and violence against women and girls, a kind of violence that gets backed up by society and its institutions.


"Like Holocaust Evil"

Oh boy, really? Godwin's law still going strong http://en.wikipedia.org/wiki/Godwins_law


In fairness, parent was replying to GP who mentioned Axis of Evil, so you're one post late :)


This is inside your home. It's betrayal and an invasion of privacy, it's an active hack, it records audio and video and the peeper is sharing the audio and video with the world.

It's an order of magnitude worse than looking in through a gap in someone's curtains.


I disagree. Not everyone has an easy relationship with computers and technology. These sorts of acts have the potential to seriously disturb some people that have been forced to use the Internet to get by in modern life, but do not have a full grasp of what it is and how it works.

How would you feel if this was done to your Grandmother?


Pretty much the same way as if someone peeped at my grandmother, disturbing her, and left something disturbing on her doorstep or teased her any other way.

Actually I'd feel a bit better because in the computer scenario I would know what to do to help her.


At the very least the extortionists are pretty damn evil.


As the article suggests, the people who do this are probably 14 year old boys.


By the age of 14 you are supposed to have a developed enough sense of morality to understand that this is very bad. I don't think this is an acceptable excuse.


Who are these mythical 14 year old boys that are supposed to have developed 'enough' of a sense of morality? To paraphrase The Virgin Suicides: obviously Dr., you never were a 14 year old boy.


I was one of those mythical 14-year-old boys that knew better than to spy on girls by hacking their webcam. I don't know why so many people assume that boys are stupid at age 14 but I can assure you that is not the case in general.


14 years is old enough to know you don't spy on girls.


14 is older than the age of criminal responsibility in many countries.


That has nothing to do with anything. Do you think countries are consulting scientists before making these kinds of decisions?


Yep, and that's exactly why they do it.


This is a very strong argument.


One way of learning is by making mistakes


That's just a stupid Americanism.[1] You don't need to do a bunch of wrong things to learn what's wrong. You learn what's right and wrong because your parents tell you what's right and wrong, and society and school socializes you to teach you what's right and wrong. If you get to 14 and need to scare someone like this to learn what's right and wrong, you're either defective or your parents and teachers have failed at their jobs. More likely, you know it's wrong and you just don't care.

[1] I'm an American and love America, but we elevate apologizing for bad things kids do (because we don't have the stomach to properly discipline them) to an art form.


"we elevate apologizing for bad things kids do (because we don't have the stomach to properly discipline them) to an art form."

Conversely, the US seems fond of trying kids as adults when they cross some or other threshold of crime. As an outside observer it seems an odd contradiction.


This might be somewhat ranty and unprofessional, but I have to say it.

You learn what's wrong from your parents, and your teachers, and society. I'd like to disagree with you on that point. Yes, you get ideas passed down to you by others, but if you do not bother to examine them and act blindly on the premise that these things must be right, because others told you, without putting any deliberation into the truth of these moral dictates, then...how to get this across without seeming as angry and ranty as I am? Because things like this viscerally disgust me. My parent taught me they didn't care (or couldn't), my school taught me I was in the wrong place, and my peers taught me that I was scum. And I didn't act on those morals, or I wouldn't be writing this paragraph, nor living, nor breathing. Of course, this didn't last forever. I recovered, and I learned how to deal with people. But what you just said, that I...I was defective for not leaving a place that obviously didn't welcome me, the implication that I should have crossed hades, that's worse than telling me to "go die", because you said it with moral righteousness.

Now I know you're talking about 14 year olds that spy on girls, and I don't think that's morally right either, but your explanation of why it isn't, it's just...wrong somehow.

First off, they're not defective. Don't even say a child is broken. Misunderstood? Maybe. Misled? Maybe. But not broken nor defective nor hopeless. Because when you take a child, filled with expectations and hope, trying to make sense of the things that happen in the world, and you tell them they're broken, you're killing them. Yes, some might recover from it, just as someone shot might survive, but you and I agree that shooting a kid is still a pretty bad thing to do, no matter whether they survive or not, right? So don't do it.

Ok, so after I've vented some of my anger, and probably shared way too personal details with everyone on here, back to business. Society is a pretty bad measuring stick for morals. Define the "average morals" to be the reference point, and Schindler becomes the most amoral man in the Third Reich. You see how this averaging is a pretty bad idea, right? Ok. Then to the disciplining thing. There's a difference between teaching something to your kids, and threatening them to do something. Teaching leads to moral understanding and a moral code. Threats will only teach that might is right, and the only thing holding together morals is violence. I think this worldview does point towards why religious people often ask atheists why they don't think the world will collapse into anarchy without the concept of a hell. Because hell is violence as the foundation of morals. If you want to affect any of those kids, go out and teach them why it's wrong instead of threatening to hit them if they do it again.

TL;DR: As a past victim of social ostracism, post makes me angry. Average morals are a bad idea. Disciplining kids will lead to obedience from threat, not to morals. Teaching will. So go teach.


I can tell there's a lot of thought and a lot of emotion behind that, I just wanted to say one thing - discipline, as instilled by parents or whoever else, doesn't have to come at the point of force.

And if a child is 14 years old and pulling the stuff mentioned in the article, I'm sorry but they are defective. Maybe the sort of defective that can be fixed, but they are committing actual heinous crimes against other people. These are not the actions of kids filled with expectation and hope, these are the actions of little psychopaths with no empathy, and they need to be stopped.


When you subtract the technological component, these things become bad pranks. My father's generation used to search paper bins for porn and spy on the girls locker room, and these kids are scraping your laptop for porn and spying on girls through their webcams. Whilst I get that these things are slightly different, using technology as an excuse to blow an action all out of proportion is not a wise thing to do. We honestly should know that because we work with technology. See, a murder is a murder whether it was done with bare hands or with a guided rocket. Theft is theft, whether it is through snatching your wallet or hacking your bank data. So when kids do things they used to do in very similar ways they did in the past, with the only variable changing being technology, it'd be foolish to call them heinous criminals, or psychopaths with no empathy. At least that's my stand on the issue.


Sorry what? Did you read TFA?

Recording audio and video of people in their homes and then sharing it over the net, using it as leverage to get the victims to do things, harassing them in their homes...

This is in no way equivalent to sneaking a look into the girl's locker rooms or rummaging through a bin for discarded porn! It's harassment, it's invasion of privacy and it's downright evil. That's before we even get into computer hacking.

You're right the tools don't matter in the slightest, but you completely miss the scale of the crimes. To throw it back at you - just because these kids are sat behind their computers at home doesn't make it any less heinous, or lessen the effects on the victims.


> I'd like to disagree with you on that point. Yes, you get ideas passed down to you by others, but if you do not bother to examine them and act blindly on the premise that these things must be right, because others told you, without putting any deliberation into the truth of these moral dictates...

Statistically speaking, as a 14 year old you're not going to come to any earth shattering conclusions in morality that your parents, society, school, teachers, etc, have overlooked. Critical examination is an important life skill, but so is accepting that adults have a lot of insight into the world that you don't, and that society can teach you a lot without your having to learn things the hard way.

> My parent taught me they didn't care (or couldn't), my school taught me I was in the wrong place, and my peers taught me that I was scum.

Nothing about what I said is meant to assert that parents, teachers, etc, always say or do the right things. I'm necessarily speaking in generalities. I don't think your average teenager doing this kind of thing can raise the defense that their parents and teachers didn't teach them right from wrong. Some parents are terrible at being parents, and don't love and support their kids while also teaching them. But we're speaking in generalities here.

> First off, they're not defective. Don't even say a child is broken

A 14 year old is not a child. Not fully an adult, but not a child either. Respecting people's privacy should be well within the wheelhouse of your average teenager. And some people are broken. There is a bell curve of ability to function in society, and some people are X number of standard deviations away from the mean in a wrong way. It's unfortunate, but there is no point in not calling a spade a spade.

> Society is a pretty bad measuring stick for morals.

On average, society is a pretty good measuring stick for morals. There's all sorts of things you shouldn't do, that people don't do, because society tells them not to. There is a difference between blindly accepting things like racism, because in some contexts it is socially accepted, and acknowledging that even that same society still teaches you not to kick animals or kick little girls in the shins. Contemporary social understanding is a great starting point for your own moral framework, and one which you should lean on more heavily as a child and a teenager until your rationality and experience develop sufficiently to better analyze the world around you.

> Then to the disciplining thing. There's a difference between teaching something to your kids, and threatening them to do something.

Children are not adults. They are not capable of the rational thought of adults. They can be taught, but they cannot always be taught.

Right now, my 3 month old doesn't realize that I continue to exist when she can't see me. From 3 months to 3 years to 13 years, children and teenagers are still partially formed, their faculties of reason not fully in place. Your toddler isn't going to understand your reasoning with her, and while your teenager will usually do so, at the end of the day, sometimes the only thing they will understand is punishment.


> I don't think your average teenager doing this kind of thing can raise the defense that their parents and teachers didn't teach them right from wrong.

You are talking not about the "average teenager" but about the "average teenager doing this kind of thing", yes?

One is a very tiny fraction of the other.

I think, looking at the tiny fraction, it is way more likely that (lack of) guidance by the parents/teachers/society is to blame than the kid being inherently "bad".

Especially since kids with developmental problems, that maybe have trouble developing their own moral compass, can still be raised with proper values, given the right environment. The converse (bad environment+neurotypical kid) however, is very likely to result in bad behaviour.

Edit: I am NOT trying to excuse any of this behaviour btw. Just saying that environment is a huge factor. And speaking from just over a year's experience teaching kids (computer stuff) roughly this age (a bit younger, 8-12 usually), quite a few of them have impressively well-developed moral compasses :) And the ones that are a bit more .. rowdy, I meet most of their parents at the end of the day, and I do notice some "patterns" (it's none of my business of course and I try to not judge, but little things like some make their kids thank me for helping them this afternoon--absolutely unnecessary for me of course, but it's still a signifier for caring about their upbringing and manners, etc)


I know at least one person whose parents have overlooked the earth-shattering moral conclusion that "Homosexuals are not evil incarnate".


How many slaves, oops, I mean mistakes, do you think it takes to learn that this is a bad thing to do?


Minors or adults, this is a startling demonstration of psychopathy. It's one thing to spread fear for profit, it's a whole 'nother ball game to do it for fun.


Psychopathy? I think it's more likely an excess of free time and puberty boosting testosterone in young men. These are just inquisitive, snooping horny teenagers.


They're not just doing garden-variety spying - they're deliberately trying to cause fear in their subjects by broadcasting their own presence.

There's a pretty big difference between a peeping tom, and a peeping tom who then mails you pictures taken through your window. One has no sense of boundaries, the other is taking glee in others' suffering and fear.

I'm a lot more concerned about the latter group - the lack of empathy is disturbing.


This is the equivalent of saying 'boys will be boys'. Dismissing this kind of sexual coercion and spying as just natural behavior is hugely sexist and insulting to men and boys everywhere, let alone encourages this kind of treatment of women.


Perhaps. Or maybe they are adults with a 14yo mentality.

Either way it is so 'not cool' that even a 14yo should know this.

They are inflicting real pain on another human being for laughs, and that is evil in my book.


It's been going on for a loooooong time. Sub7 anyone?

I'm sure most of us were once 14, and unsupervised and didn't do anything evil.


wolf3d.exe on a floppy -> "This self-extracting zip archive is corrupted!" :P

P.S. Now that I typed the file's name (it was really wolf3d.exe), I suddenly feel old... Not to mention the "floppy" bit :)


And so the gender gap in computing begins.


What is your point? Why do you feel the need to share this?


This just makes me sad for the future. Ugh. I couldn't read the rest of that article after page 1.


Or bored teenagers from some suburban hell-hole with nothing better to do, that haven't developed any sense of morality yet, and think this is just fun.

They could be kicked all day and have their glasses broken (metaphorically speaking) at school.


These poor guys were born in the wrong countries, here they are poor slobs forced to illegally install shifty software to watch their 'slaves'. Had they been born in China, Egypt, or any of the number of countries with strict internet monitoring they could now be employed by the state monitoring dissidents. There is still hope for them, if they do good in college the NSA may still hire them.


Really? And why would the NSA be interested in the services of simple scammers? These are not hackers, crackers or anyone with sophisticated skills. They're just scamming people into installing what is essentially a pimped-out VNC server. I bet there even aren't any exploits involved in getting access to the features that they use, just standard APIs.

All in all, I doubt the NSA (or any TLA) would hire them.


If the DHS gets into cybersecurity, that's about the level of the people they hire for airport security...


I noticed the article said they use the VNC feature and the Device Manager and My Computer Properties window to find hardware info like serial numbers. I've heard of that forum before, I think 90% of the community found it by typing "how to hack" into google, and the other 10% are profiting in some way.


The NSA wants mathematicians to work on cryptanalysis and cryptosystems. These ratters seem pretty far from having any skills whatsoever if they need a book to help them get John and Jane Q. Averageuser to run their malware.


That's what I was thinking. I've had skript kiddies who (probably automatically) broke into computers I ran in some form or another, usually no harm done. The idea of the government handing out national security letters all over the place, gagging ISPs, Google, whoever from even saying they'd been searched in past years, on top of the NSA monitoring, Room 641A split cables to everywhere - that is what freaks me out, not some random pervert who might hack a webcam and see me browsing HN in my bathrobe. When I was a young man, the president was having his reelection committee flunkies break into the Democratic party headquarters to bug it, and if those political shenanigans have gone on, you can imagine the bugging and monitoring of people like Martin Luther King Jr., Fred Hampton, and the anti-war people who were monitored back then and who Michael Moore shows are still under surveillance in Fahrenheit 9/11. The dangerous anti-war hippies in Peace Fresno.


Could anyone comment about this issue in mobile devices? On Desktop one can get suspicious when the LED of the Webcam blinks but on Mobile Phones, the camera is a completely silent watcher. And it is shocking to imagine how we carry around our mobile devices everywhere compared to desktops and laptops.


Ooh, and mobile phones have less security-conscious users and often no AV software. Seems like a major oversight.

On that note, Japanese law requires cameraphones sold there to always make a loud shutter sound upon taking a picture, to prevent voyeurism etc. This is why the Nintendo 3DS handheld console's shutter sound can't be silenced.


Same goes for the camera on the Sprint GS3.


Yes, an LED that lights up does sound pretty suspicious to you and me, but if you don't know anything about computers and you see it on all the time it becomes natural. The same phenomenon as clicking 'yes' and 'ok' buttons without reading anything.


I'm sure it exists, or will come into existence. Why not? Challenges might be slower connection speed.


I'm surprised that the article doesn't mention Netbus, which was out before BackOrifice.


Breaking news: people do immoral shit on the internet. Luckily you can read all about it on arstechnica, including lots of voyeuristic photos you can look at "for research".


Breaking news: people do immoral shit. Regardless of where or when.


Hopefully in the future when all users can install trusted root certificates and only run software that is signed by a descendant we won't have this bullshit.


Since when can CAs determine bad intent?

Besides, there are enough legitimate uses for webcam viewing software that you could just take a regular signed program and configure it in a deceptive manner. Modern web-browsers allow camera access without additional software, for example.

I'm all for software being signed as a matter of routine but this is not something that it would help.


They cannot, but they can revoke certificates from malware developers after the fact. And requiring a developer program would vastly reduce the number of teenagers tricking people into installing a thing. Allowing self-signed roots would let more technical users manage their own security and install their own apps.

A solution to configuration files is to include them in what is signed or not allow your software to have the webcam on without also showing a window explaining what is happening and a button to turn it off. Modern web browsers typically ask for permission to use the webcam beforehand, and you can always close that page.

I guess there would still be shenanigans with signed binaries but there would be far fewer than what is going on here.


That sounds like a good way to kill innovation: make it impossible to distribute (and possibly develop) software without consent of a CA.


There is a middle ground. OS X default configuration only allows software to run if it is signed by a developer, unless you right-click on the application and select "open" through the contextual menu, in which case you are presented with the option to override it.

I like this, and I am a software developer.

(Windows has something like this too. I don't remember the details.)


I hate OS X's implementation. They need to allow third-party CA's.

I don't want to choose between what Apple allows developers to do and "fuck it let it run free and do whatever it likes". Nor do I want the global choice in System Preferences to be between developers that paid $100 to Apple this year and Wild West.


What would prevent malware authors from just signing with their own CA?


Users shouldn't install self-signed root certs unless they trust that root with access to all of their computer.


"all users can install trusted root certificates" doesn't reject the notion of self-signed roots.


Signed software doesn't matter when it comes to the most common methods of execution: Java, Flash, PDF exploits, Flash objects embedded in Microsoft Word documents currently bypass the sandboxing in both Word and Adobe Flash.

In other words, this isn't going away.


Read the article. They aren't clever enough to do that, they just get their users to install the software for them.


Sounds like they need a better sandbox :)

Signing does matter. Those may still be exploitable to run arbitrary code, but you cannot write code to disk that will get executed on start-up. The victim would have to open the same PDF every time they use their computer.


Not sure if you're being serious. In case you are: http://www.linhadefensiva.com/2013/02/signing-malware-applic...


Is this post sarcastic?


No, signed binaries are wonderful for users. Centralised CA's and not allowing self-signed roots are the only thing that would be objectionable.


What would you recommend the hurdle be for getting your software signed?


Whatever the CA sets as the barrier. Users can pick whatever CA they trust or whatever CA their technical friends and family recommends they trust.


"Users can pick whatever CA they trust or whatever CA their technical friends and family recommends they trust."

Which means you'll wind up with the situation we have with TLS: hundreds of CAs, all trusted by default, most not even remotely trustworthy. Users will have no idea about these CAs and so the CAs will never have to worry about being loose with certificates.


I sure hope we'd be smarter about it this time. I envision something more like the average user chooses from, i.e., Canonical and Microsoft, while a more technical user would choose one of those and also install his own self-signed root as a CA.


So you would have one or a group of companies gain full control over what programs are allowed to be installed on your operating system?

You believe an amateur software developer should have to pay to get her app signed by a CA before she is able to distribute it? That someone else gets a say over whether or not a person can build an application?

And what if that CA gets popped? What if that CA makes a mistake? Do you furthermore think that even semi-technical people will think about these things enough to pick individual CAs?

There are a dozen problems with what you're saying, and I think you know it. What I really wonder is why you're coming into this conversation at such an intellectually dishonest angle, like you've never seen the arguments for/against what you're proposing before.


1. A company you trust is acceptable as a CA. Nowhere did I say it had to be a company. I said users pick the CA's they trust.

2. If they want to distribute it with that CA. Nowhere did I say CA's must require payments. Yes a CA gets a say in who they will verify. That's the point.

3. If the CA gets "popped" or makes a mistake you remove them from your trust list. I don't expect regular people to know how to do this, but they could ask someone they know.

4. You didn't even read my arguments, you are attacking things I didn't say, so you are being intellectually dishonest, not I.


I read your arguments, and drew conclusions based on what you outlined. Again, you know that, and again you ignore that.

What is your real motivation here? Nothing you've said is anything a) useful or b) practical.


I think I see your point, but I wonder if this idealized scenario would be achievable in practice anytime soon, and if it's worth the current issues to try for it.


"Add this certificate for free porn!"


Until someone hacks the certificate and then all hell breaks loose.


sadly, every time we move towards this, people start screaming about "palladium" and "dee-arr-ehm" and "but then I won't be able to install Snarling Sealion!"


Both are true IMO, we really need to be vigilant about whether we can install our own certs or not.


The issue is that it won't be nearly as effective as you think it will be.


The users at hackforums are terribly incompetent. These kids all run their command and control center on their local computer. The RAT has one (or several) free dns name(s) embedded and the user keeps updating those with his home ip to receive connections from them.

How hard would it be to launch an investigation into this ip address once you find it out? Would filing John Doe lawsuit allow you to do discovery on those ip addresses? Does 'an ip address is not a person' prevent you from further investigating who the actual person was?
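A defender's view of the setup described in the comment above, as an added example that is not part of the thread: a resolver-log check that flags an internal client repeatedly looking up a name under a free dynamic-DNS zone whose answer gets re-pointed. The log format, the zone names (reserved placeholders, not real providers), the addresses and the thresholds are all constructed assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Assumption: the analyst supplies the dynamic-DNS zones to watch.
# These are reserved placeholder zones, not real providers.
DYNAMIC_DNS_ZONES = {"dyn.example", "freedns.test"}

# Constructed resolver log: timestamp, client IP, query type, name, answer.
SAMPLE_LOG = """\
2013-03-11T09:00:02Z 10.0.0.23 A cam-host.dyn.example. 203.0.113.40
2013-03-11T09:05:01Z 10.0.0.23 A cam-host.dyn.example. 203.0.113.40
2013-03-11T09:10:03Z 10.0.0.23 A CAM-HOST.dyn.example. 203.0.113.40
2013-03-11T09:15:02Z 10.0.0.23 A cam-host.dyn.example. 198.51.100.7
2013-03-11T09:20:01Z 10.0.0.23 A cam-host.dyn.example. 198.51.100.7
2013-03-11T09:01:10Z 10.0.0.23 A www.example.com. 192.0.2.10
2013-03-11T09:02:00Z 10.0.0.41 A nas.freedns.test. 192.0.2.55
2013-03-11T09:30:00Z 10.0.0.41 A nas.freedns.test. 192.0.2.55
2013-03-11T09:03:00Z 10.0.0.41 A host.notdyn.example. 192.0.2.77
malformed entry
"""


def normalise(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def under_watched_zone(name, zones=DYNAMIC_DNS_ZONES):
    """True if name is a watched zone or a label below one.

    Matching on '.' + zone keeps 'host.notdyn.example' from matching
    the zone 'dyn.example'.
    """
    name = normalise(name)
    return any(name == z or name.endswith("." + z) for z in zones)


def parse_line(line):
    """Return (time, client, name, answer) or None for unusable lines."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "A":
        return None
    try:
        when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return when, parts[1], normalise(parts[3]), parts[4]


def find_suspects(log_text, min_queries=4, min_answers=2):
    """Flag (client, name) pairs that keep resolving a dynamic-DNS name
    whose answer changed during the window."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        when, client, name, answer = rec
        if under_watched_zone(name):
            seen[(client, name)].append((when, answer))

    findings = []
    for (client, name), events in sorted(seen.items()):
        events.sort()
        # Collapse consecutive repeats so the list shows each re-pointing.
        answers = []
        for _, answer in events:
            if not answers or answers[-1] != answer:
                answers.append(answer)
        if len(events) < min_queries or len(set(answers)) < min_answers:
            continue
        gaps = [(b[0] - a[0]).total_seconds()
                for a, b in zip(events, events[1:])]
        findings.append({
            "client": client,
            "name": name,
            "queries": len(events),
            "answers": answers,
            "median_gap_s": statistics.median(gaps),
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspects(SAMPLE_LOG):
        print(finding)
```

A name that resolves to one stable address, like the constructed `nas.freedns.test` entry, stays below the default thresholds, so an ordinary home device on a dynamic-DNS name is not flagged.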


Not hard at all. Almost certainly. You should be able to get a warrant and these kids will crack when you start talking about juvie; at that point "an ip address isn't a person" doesn't really matter because a confession is (mostly) admissible in court.


In the linked PDF in the article written by the FBI agent the IP address is used as a piece of evidence in addition to other evidence like emails with addresses and names, so I guess the answer is yes.


The root of the problem here is that 1. A lot (most) people do not have any security enabled on their PCs (logged in as admin at all times) 2. Majority of software installs require admin privileges by default.

Of course, the guilty party here is the software developers that are unwilling to do anything about the status quo. Also the vendors, Microsofts, Apples and Redhats.

These days it is getting even more common and acceptable to install binary packages on a system as root and often in unattended manner (OS and package "updates", pray-and-run RPM installs, etc).

More so, there used to be some hope in this area by Apple, where you would just copy an app to install, w/o being an admin. Now even Apple is moving to store apps where every install seems to want an admin.

Linux and Windows people have been always lost in that regard: MSI and RPM/whatnot have always been unquestioned standard (Linux people, however, have a choice to not install software as root and build it locally when necessary).

Until this (admin installs) changes, we are going to have to deal with malware. Fixing this would not solve all the issues, but would help a lot.

In the meantime, enjoy your PC owned by some teenagers overseas.


> Until this (admin installs) changes, we are going to have to deal with malware. Fixing this would not solve all the issues, but would help a lot.

This is a hopelessly misguided argument. Could you maybe explain your reasoning a bit?

The argument for requiring admin rights to install is that the binaries are not user infectable. Now whether or not this leads to other problems is a different matter, but I don't see how making binaries user writeable on a box which receives automatic updates is going to make everything more secure...


The reasoning is simple: if no random third parties ever get full control of your machine, then most likely the OS is going to stay intact (with the exception of possible local privilege escalation exploits).

If the OS is intact, the job of checking whether a user environment is compromised is easy and actually doable (as opposed to the case of trying to find malware on a compromised OS).

If, in addition, a user account has limited privileges (which it should of course), then even when compromised the chances of malware being able to do a lot are a lot less. For instance, turning off a webcam light being a root is probably easy, otherwise probably not. Setting up a server, listening for incoming connections and punching a hole in local firewall as root is available, but as a regular user is not.

Stop giving admin rights to your computer to random people (install software as an admin) and live much happier. As an additional benefit, there's never a situation 'I installed this and now computer is messed up, because Joe-the-dev ran "rm -f " with a wrong path as a parameter'.


I don't agree at all: I think that apps should be installed as admin and auto-updated. I don't follow any of your arguments that installing things as non-admin are more secure.


It's more secure because you don't have to delegate admin access to random people to install the software. Any of these "RAT kits", I guarantee you, requires admin access to the system at one point or another, be it during the install, by explicitly asking for admin password, or implicitly by using the fact that most users are logged in as admin.


I remember a few years ago the Privacy Commissioner of Canada was going all out on Google for capturing data from open wifi connections, which Google promptly deleted. It was a huge story for the Privacy Office, and to me it felt like the story was being exploited to boost the profile of the Office--they made it sound like a much bigger deal than it actually was. Now, here is an issue that I think is a much bigger problem, and has been going on for a long time with very little word from the Privacy Commissioner.

Why hasn't the Commissioner gone after Microsoft in the same way they went after Google? This is caused by a fundamental flaw in Microsoft's products, and I don't think having to purchase and install security software should be the solution. Fix the software itself.


Good article. I always check my iMac and MacBook LEDs. Can never be too careful. Sometimes I wonder if the Internet is all Travis Bickles doing pull-ups and yelling at their monitor in the dark. There are some desperate and lonely people out there. http://cnp-keythai.com/speaker-mesh


I am sure a lot of those infected pcs still run XP, so one could argue that these type of things go away as the more secure operating systems spread.

Then again, if people continue to execute some shady stuff found on the internet, the OS doesn't really matter all that much.


Windows 7 may be more secure than XP but that doesn't make it immune to this type of infection. The "OS" column in this screen shot[1] from the article has a number of "Windows 7" victims.

[1] http://cdn.arstechnica.net/wp-content/uploads/2013/03/bs1x.j...


What's wrong with those bastards?


* People who spy on people through their webcams

The article itself had several images of male humans.


Man, some people are weird.


why are all the screenshots of Windows machines?



Aren't most of the screenshots of what you are seeing the script kiddies' computer point of view?

There were only ~3 screenshots that show the victim's OS GUI. OSX usage is what, 8%? .92 * .92 * .92 = 78% chance? I hope you're not taking the article as evidence that you are 'safe' on your choice of OS.

The first time I ever felt that my privacy was violated on a computer I was using a NeXT slab.


I'm not that familiar with NeXT, what are you referring to? SGI's Indycam was the first time I was exposed to hardware that had privacy designed in.


Heh, probably their RAT clients don't support Linux.


Which is why I hate laptops on which you cannot physically block the webcam. Laptops used to have a little slider that could cover the webcam but nowadays they don't anymore!?

I love my MacBook and MacBook Pro but... I'm putting a little piece of paper on the webcam "just in case".

Oh and the difference between nowadays and BO in the 90's is that nowadays virtually everybody who has a laptop has a webcam. That's quite a big difference.


The green light next to the webcam will come on when the camera is in use on MacBooks. It is programmed to come on at the hardware layer so unless somebody has physical access to your MacBook then it will always come on.


It's true the light will come on, but that doesn't mean it's impossible to get away with surreptitious monitoring. Remember the controversy in 2010 in the Lower Merion School District?

* http://www.wired.com/threatlevel/2010/02/school-district-hal...

* http://www.pcworld.com/article/190101/article.html


I taped a piece of paper over my webcam and then cut out the middle. I slide a second piece of paper into the "cup" this makes to block the camera, but can easily remove it if I want to actually use the webcam.


Electrical tape is good for blocking webcams.


I've always heard that bandaids are the way to go - electrical tape can gunk up your webcam when you actually want to use it.


I have had some success with aluminum foil (the kind you might want to use in a kitchen) -- place that over the webcam lens and then use whatever tape you want to use to hold it in place.


I have my camera set to take a picture every 20 minutes, but when I need privacy I just stick a post-it over the thing, and fold it down.



