

ComputerCOP: Dubious 'Internet Safety Software' Police Distributed to Families - uptown
https://www.eff.org/deeplinks/2014/09/computercop-dangerous-internet-safety-software-hundreds-police-agencies

======
TehCorwiz
So, why is this not in malware databases? Seriously, shouldn't this be up
there with Conduit Search?

~~~
Rudism
In my previous job, I worked at an advertising company in the "downloadables"
department for a number of years. Basically we developed browser toolbars,
software installers, mobile apps, and other software all with the sole purpose
of gathering information about users in order to make money off them. We never
(to my knowledge) developed any actual keyloggers, but we would do other
equally insecure things with end users' data. For example, sending browser
cookies, registry values, files off the hard drive, etc. in plain text to
databases on our servers for later analysis.

Getting this kind of software through spyware screens in antivirus programs is
not too difficult. Some of the antivirus companies have automated processes by
which you can upload your binaries to them as false-positives and they'll
automatically whitelist them for you. Sometimes it requires a quick email or
phone call to the appropriate person at the antivirus company. Occasionally
you have to make changes (usually just adding more disclaimers to an already
ridiculously long EULA) in order to satisfy them and get on the whitelist. On
a few occasions we just had to pay some money to get whitelisted.

Some of the more unscrupulous antivirus companies would even take money to
bundle our now-whitelisted spyware applications in the installers for their
products (as a checked-by-default "also install" option).

My takeaway from my time in that industry is that antivirus and antispyware
software and companies are, by and large, just as bad as a lot of the spyware
and spyware producing companies that they claim to be protecting you from.
It's just a big circle jerk where the ultimate goal is to trick people into
generating revenue by installing software or seeing ads that nobody in their
right mind would ever actually opt-in to.

~~~
TehCorwiz
Wow, yeah. I've heard about some of those techniques. I still think it's worth
it for the more...upstanding AV companies to blacklist stuff like this. Or at
least warn the user of its presence.

~~~
yuhong
I think some do, though often don't remove them by default.

------
Zikes
A perfect example of how security theater can do more harm than good.

~~~
freehunter
And a good example of how a lack of technical knowledge is dangerous. Why
would they endorse a product if they weren't sure of its effectiveness? These
are government agencies, and they have access to technical resources that
could verify the claims of the salesmen. Imagine firemen handing out smoke
detectors (like they often do) without verifying that they actually detect
smoke. It would be a catastrophe.

~~~
vodenspaw
Isn't the example more like: Firemen handing out smoke detectors that will
detect fires regardless if there is a fire or not?

Hmm... Give false positive enabling software to law enforcement that will be
disseminated to "Concerned Parents", then spend time investigating "Crimes
against children."

What is the rate at which this software has been used to investigate crimes?

Who designed and programmed this software?

~~~
Yen
More like, Firemen handing out smoke detectors that not only beep whether or
not there's smoke, but also occasionally light your house on fire.

~~~
roflc0ptic
Yes, this is the correct metaphor. It leaves users vulnerable to things the
cops are supposed to be trying to protect users from.

What's unclear is, do the cops get access to the keylogged information? Then
the metaphor gets silly. It's like... firefighters giving you a smoke detector
so they can spy on you in case you're setting fires, which also happens to
sometimes cause fires independently.

~~~
roflc0ptic
Oh, actually, I hadn't read far enough. It doesn't look like it sends it back
to the cops.

------
ars
People are often worried about plain text being intercepted by "hackers" in
flight, in email for example.

Other than WiFi and government agencies, is this really a realistic worry?

~~~
duozerk
If you're wired (ethernet): ARP poisoning to get your traffic to route through
the attacker, then listening there. Works beautifully on most if not all LANs.

Though even if it didn't, WiFi by itself would be concern enough: most if not
all the internet-equipped private homes have (often badly secured) WiFi, and
all public spaces (airports, schools & universities, restaurants & bars, etc.)
usually use key-less captive portal WiFi APs where listening in is even
easier.

So yes: traffic interception is a very legitimate worry IMHO. And as someone
said below, beyond those concerns, you could also be sniffed by techs working
at your ISP (and its peering partners) / Law Enforcement / etc.

------
cmdrfred
ATTENTION: IT IS 2014, THERE IS NO EXCUSE TO NOT USE CRYPTO ON ANYTHING
TRANSMITTED OVER THE PUBLIC INTERNET.

Sorry for the caps but seriously... come on.

------
Zigurd
If anti-virus, firewall, and intrusion-detection products are willing to
ignore something as hazardous, cheap-ass, and cheesy as this, think what a
visit from the FBI or NSA will convince them to do.

------
daveloyall
Consider [https://github.com/ComputerCOP-OpenRemover/ComputerCOP-OpenR...](https://github.com/ComputerCOP-OpenRemover/ComputerCOP-OpenRemover)

You see what I did there? There isn't any code. :) But that can change very
quickly via pull requests, right?

Any recommendations? Is this the right way to solicit volunteers for a little
one-off project?

[edit: switched from personal repo to organization repo per feedback.]

~~~
daveloyall
Well, at least one downvote indicates that this is not the right way to
proceed.

How about a little feedback to go with that? Thank you in advance.

~~~
goblin89
(I didn't downvote.)

Think about why anyone would be motivated to contribute to your repository, as
opposed to creating a new one from scratch under one's own username.

Imagine you got a first pull-request, with a Go app. Then another, with a
bunch of working Python scripts. Then yet another, providing a complete Python
app packaged on PyPI but somewhat broken. What will you do? It doesn't matter:
_x-1_ of _x_ people have just wasted their time writing code that will end up
under your GitHub username anyway.

Yes, it has to do with reputation management, too. You'd have a project under
your GitHub name written completely by other people. The way it works
currently, people will tend to see it as _your_ project. You'll be free to
claim it in your portfolios and resumes. Meanwhile, creating a GitHub
repository isn't a hard task, and your README contents is basically what
normally happens in one's head as one designs and writes the software.

In addition, and that's what may have actually caused the downvotes IMO,
there's something not enjoyable about the idea of stumbling across a bunch of
orders issued by a random person in writing to an undefined audience, which you
unexpectedly find yourself part of, by virtue of reading those orders. Your
requirements, without any code, sure looked like such orders though.

It wouldn't be a problem be there a big name or much publicity associated with
your project (and the resulting network effect), but without that there's no
challenge and no meaningful payoff.

* * *

Things would be different if your repo had a well-thought-out skeleton
consisting of some (even if completely no-op) units and a (failing but
thorough) test suite, tied up to Travis CI and what not.

That would increase motivation as it would eliminate quite a bit of _actual_
friction associated with starting a new project.

Arguably one of the hardest parts would be already done—us lazy programmers
will be able to look at the units, the tests, and figure out how to make it
work. No need to even clone, just edit some files via GitHub web interface.

~~~
daveloyall
> Any way, two of three people have just wasted their time writing code

When I first imagined this project, I didn't picture it taking all day, from
start to finish. An uninstaller doesn't do much.

> The way it works currently, people will tend to see it as your project.

Hm. Hold on.

[https://github.com/ComputerCOP-OpenRemover/ComputerCOP-OpenR...](https://github.com/ComputerCOP-OpenRemover/ComputerCOP-OpenRemover)

Yes?

> It wouldn't be a problem be there a big name or much publicity associated
> with that

My end goal is for my local police department to pass this uninstaller out to
citizens, in a similar manner to how they passed out the installer. That will
never happen without the support of a big name. I'm hoping the EFF will take
an interest (I've already put my name on their volunteer list some time ago).

> humans don't enjoy the idea of being given orders from [random] people. Your
> requirements sure looked that way, though.

...I'm sorry. :( I'll look back over the README for use of the imperative
voice. ...Honestly, I've heard this feedback once or twice before AFK and I
wasn't sure how to change then, either.

Thank you for your candid feedback, goblin89.

~~~
goblin89
> When I first imagined this project, I didn't picture it taking all day, from
> start to finish. An uninstaller doesn't do much.

That's part of the problem: drilling the problem down to atomic subtasks,
which is needed to estimate, is the actual hard part. With that part done it
would take little effort to complete the project, and contributors for further
improvement would be easy to find.

> [https://github.com/ComputerCOP-OpenRemover/ComputerCOP-OpenR...](https://github.com/ComputerCOP-OpenRemover/ComputerCOP-OpenR..).

That's better, but “Forked from…” small print doesn't escape anyone's
attention, and in any case this issue goes beyond GitHub service. You'd be a
‘founder’ of something without having done much for it (keep in mind I wrote
my comment before you added remover.go, and also I might be wrong about this
whole point too).

Sorry for calling you a random person, I was just trying to explain what I
felt when I opened the repo and took a look at it.

