
A Hacker Has Wiped a Spyware Company’s Servers - petethomas
https://motherboard.vice.com/en_us/article/3k7a5k/hacker-wipes-spyware-retina-x-flexispy
======
falcolas
This is one of those cases where I probably should feel bad for the company
being repeatedly hacked to the point of being ripe for being shut down, but I
just can't muster the will right now.

If you are in the business of collecting data without users' explicit
permission, and can't protect that data from being accessed or deleted, you
shouldn't be in business.

~~~
JumpCrisscross
I wish they had done one more thing: notified everyone on whose devices this
software was installed. If someone put this on my phone without my knowledge,
I would want to know. (I would also almost certainly sue.)

~~~
lighttower
Yes. I want to see that happen also. But I want to separate the part of me who
wants to see fireworks from the "right thing to do". I think we need to think
through the technicalities of notifying the hacked people: would they even
know what to do with your email? Would they consider it spam or phishing and
just delete it? Assuming you're successful, what societal fallout could
result? I don't know the answers to these questions. Ultimately it's similar
to emailing the partners of the users of Ashley Madison and sending the user
profiles to them. What's the intended outcome?

~~~
falcolas
> What's the intended outcome?

Punitive action against the company who collected the data and lost control of
it.

Punitive penalties are typically just a monetary fine above and beyond
damages, but exposing just how badly they screwed up to the public at large
should provide a good financial penalty in addition to doing a public good (a
reminder of how much "private" data is not actually private).

------
andrewflnr
They stored the master key to their entire data store in a publicly
distributed app?

> ...we have been taking steps to enhance our data security measures. Sharing
> details of security measures could only serve to potentially compromise
> those efforts.

Maybe they used ROT13 on the API key _twice_ this time!

~~~
kuschku
This is a common issue, and many apps make this mistake.

Another common mistake is having /.git/ available on the domain itself; this
is common with PHP sites or backend-less SPAs, and it gives full access to the
source, including those API keys. Even major sites do this – The Hill until
recently had their git repo, including API tokens and access keys for
everything, publicly available.

~~~
bshacklett
It should be mentioned that none of that should ever make its way into a Git
repo in the first place. If a secret is committed to Git, it's compromised,
period. Suck it up and generate a new secret.

~~~
smoyer
Agreed ... use a pre-commit hook to scan your repository for high-entropy
strings before they are forever enshrined in your history
([https://github.com/dxa4481/truffleHog](https://github.com/dxa4481/truffleHog)).
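
The pre-commit scan smoyer describes, as an added example (not truffleHog's own code): it measures the Shannon entropy of long tokens on added lines of the staged diff and blocks the commit when one looks like a key. The threshold, the token regex and the sample diff are constructed for illustration.

```python
"""Pre-commit hook: flag high-entropy strings in staged changes."""
import math
import re
import subprocess
import sys

# Candidate tokens: 20+ chars of base64/hex-style alphabet (assumed heuristic).
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from symbol frequencies in s."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(diff_text: str, threshold: float = 4.0):
    """Return (diff line number, token, entropy) for added lines whose tokens
    meet the threshold. '+++' lines are file headers, not content."""
    hits = []
    for i, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for tok in TOKEN_RE.findall(line[1:]):
            ent = shannon_entropy(tok)
            if ent >= threshold:
                hits.append((i, tok, round(ent, 2)))
    return hits


# Constructed sample: one fake key (not a real credential) and one long but
# low-entropy word that must not be reported.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
+++ b/config.py
+DEBUG = True
+API_KEY = "AKIAEXAMPLEKEY9f2Zq7xLm4Nt8Rb1Vw3Yc6Hp"
+WELCOME = "thisisjustalongwordwithlowentropyaaaaaaa"
"""


def main() -> int:
    # As a real hook: scan what is about to be committed; exit 1 blocks it.
    diff = subprocess.run(["git", "diff", "--cached", "-U0"],
                          capture_output=True, text=True, check=True).stdout
    hits = find_secrets(diff)
    for ln, tok, ent in hits:
        print(f"diff line {ln}: high-entropy token {tok[:6]}... (entropy {ent})")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main())
```

Install it as `.git/hooks/pre-commit`; the committer can then rotate the key before it ever reaches history, which is the only safe response once a secret has been committed anyway.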

~~~
tachyoff
To be fair, though, history can be rewritten, albeit sometimes with some
difficulty.

~~~
ameliaquining
If a secret has _ever_ been in Git then you probably can't know where it's
been copied to and should treat it as likely to have been leaked.

------
nodesocket
How is this even possible that a 3rd party application can intercept all text
messages, call history, and photos and still get published to the Android Play
Store? Isn't Google supposed to be reviewing the apps?

~~~
nitrogen
As a regular Android user, I'll say that Android's permission model is simply
awful.

There's no way (in stock) to return blank data, so apps will simply shut down
or silently malfunction if you refuse permissions.

The grouping of permissions lumps "can portscan your network" and "run hidden
in the background when your phone boots" under "Other", which you can't
disable.

J2ME had a more refined security model back in 2006.

~~~
smoyer
There are so many applications I'd love to install but ... why do they insist
on asking for permissions that they simply don't need for their stated
functionality. <sarcasm>Of course you want your SSH terminal to have ties to
the social networks</sarcasm>.

~~~
tachyoff
“I just logged into my server! <Share on FB><Tweet this>”

Yeah, that’s frustrating. Mobile app permissions are a gross nightmare.

------
stryk
> "Friday morning, after the hacker told us he had deleted much of Retina-X’s
> data, the company again said it had not been hacked."

I have to admit that, despite all the seriousness of the actual SPYware this
obviously terrible company sells, that one sentence brightened up my normal
depressing morning experience of reading the weekday morning news on the
Internet. That's just funny.

~~~
twohlix_
I think this is a great example of the saying "There are two types of
companies: those who have been hacked, and those who know they've been hacked."

~~~
megy
And those who will lie about it no matter what happens.

------
Thriptic
I'm always amazed that people feel the need to utilize these products. People
are aware that trust is the bedrock layer of relationships right? The minute
someone installs this product, their relationship with the person they are
monitoring is already over, they just don't know it yet.

~~~
sosborn
I get what you are saying, but there can be legal/financial concerns attached
to these things.

~~~
Thriptic
Monitoring usage of a corporate-issued piece of equipment is very different
than using it against a private individual without their knowledge.

~~~
sosborn
My point is that if they can catch a significant other cheating, the divorce
settlement equation can change significantly.

------
quadrangle
This is a good case of vigilante justice, but vigilantism is problematic in
general. We should probably be formally outlawing the sort of practices these
companies have and also putting in place far stronger real privacy measures
for _all_ data-collecting companies. Until (if ever) the law catches up,
vigilantism will be better than nothing.

~~~
CodeWriter23
We already have such laws in the US. Two-party consent wiretapping laws at the
state level and the Computer Fraud and Abuse Act at the Federal Level.

~~~
quadrangle
I don't know exactly the legal details, but over the past several years
"privacy policies" have evolved into some sort of "data use policies" (with no
privacy to speak of) and the norm is to use terms on apps to basically give
companies access to the most invasive and abusive stuff, and we don't see the
legal system doing anything to stop this, as long as it isn't directly in
medical or legal contexts…

~~~
CodeWriter23
Agreeing to surrender your privacy, even when through a clickwrap agreement
that is subject to change without notice is very different from installing
spyware on someone else’s phone.

------
Nicksil
It seems there's an attempt to quell customer discussion via locking such a
thread on their forum[0]. A particularly upset customer's remarks[1].

[0]
[https://forums.flightsimlabs.com/index.php?/topic/16236-furt...](https://forums.flightsimlabs.com/index.php?/topic/16236-further-information-request-please/)

[1]
[https://forums.flightsimlabs.com/index.php?/topic/16236-furt...](https://forums.flightsimlabs.com/index.php?/topic/16236-further-information-request-please/&tab=comments#comment-123979)

~~~
jlgaddis
FYI, you posted your comment on the wrong thread.

~~~
Nicksil
Oh man, you're absolutely right. Doesn't look like I can delete it, either.

Very sorry, everyone! I had one too many tabs open it seems.

------
JumpCrisscross
Does anyone maintain a list of such software vendors? Not much we can do if
they’re overseas. But I’m curious about exploring the limits of their
liability if they’re based in the United States or Europe.

------
erikrothoff
I'm torn by a lot of things here. The validity of the claims in the article,
the correctness of the hacker to simply delete data, but also the
"stalkerware" as described by the article. Surely there's got to be a better
way of dealing with this atrocious software? How can it be legal in the first
place?

~~~
JustSomeNobody
The software may not be illegal, but particular uses of the software are. I
think[0] I prefer it that way, lest we go down a slippery slope of deciding
what software should be legal vs illegal.

[0] And do please try and convince me if I should think differently about
this.

~~~
JumpCrisscross
> _The software may not be illegal, but particular uses of the software are_

If you profit from selling software that is predominantly used for illegal
purposes, or in the course of illegal activities, and you know it; you should
be liable. Not put in jail. Not shut down. Just commercially liable.

This is a conservative test (commercial sale, predominantly illegal use, and
wilfulness) and a conservative solution. In the long run, however, it balances
commercial incentives with broader social ones.

~~~
HarryHirsch
We put thieves into prison because if theft were common it would increase
distrust, society as a whole has an interest to fight theft, _and_ we permit
victims to sue them for restitution. In the same way society has a reason to
put strict limits on surveillance.

There's the other problem: what damages can someone with a spy app on their
phone ask for? There is no monetary value, they can at most ask for relief,
that's not much of an incentive to stop.

~~~
JumpCrisscross
> _We put thieves in prison...In the same way society has a reason to put
> strict limits on surveillance_

On one hand, we have a stylised burglar. On the other, a stylised lockpicking
tool maker. The former is illegal; the latter is more complicated.

I am conservative about expanding the scope of the law. You criminalise
surveillance apps in one decade and in the next, a security researcher
disclosing a bug gets bitten.

> _what damages can someone with a spy app on their phone ask for?_

If someone snooped on my phone without my permission, they would see a lot of
confidential client information. They may also see my and my loved ones’
protected health information. Finally, they will have sought and procured
illicit access to my device, which is itself illegal. Lots of potential
monetary damage in there, if only in legal time to ensure everyone who needs
to be notified gets notified.

~~~
HarryHirsch
We've decided that privacy and freedom from surveillance is highly valued and
deserving protection.

The target audience of that company is teenagers of helicopter parents.
Whatever they have on their phones isn't privileged or valuable information,
so the civil damages approach doesn't work too well. Some may have (against
all advice) nudes on them, but I'd rather not wait until those are available
to the public, and even then only those whose nudies escaped can sue.

The law needs to project the notion that privacy is valued, because it is
highly valued. The only idea that I can come up with is to restrict
availability of spyware. Others may have better suggestions.

~~~
caf
My suggestion is to require spyware like this to put up an obvious indication
on the screen of the device that spyware is active on it.

That still allows parents and employees, the supposed target audience, to use
the software for its alleged intended purpose, but renders it useless for the
illegal use cases.

------
tmnvix
> “Retina-X Studios is committed to protecting the privacy of its users...”

That's rich. The 'users' in this case are not necessarily the people with this
appalling software installed on their device.

------
roflchoppa
Damn PB way to be a thug about it; now this is hacking, not that bs marketing
term.

------
LordKano
Not all heroes wear capes.

------
trisimix
Righteous

------
jim_dow_jones
I see no reason to praise the hacker. He destroyed a legitimate company's
private data for no purpose other than his flawed moral reasoning. The company
provides a way for parents to monitor their children and other legitimate
business practices. Obviously, the software can be used for nefarious purposes
but so can almost any other software. U.S. representatives and senators try to
ban encryption using the same exact flawed reasoning.

~~~
HarryHirsch
I see a legitimate business opportunity, a phone walking service. You collect
the children's phones and take them to the mall, the library or wherever
teenagers go these days, and meanwhile the kids can enjoy life without
parental surveillance.

You do wonder what the 24-hour panopticon does to adolescents' mental health
and to the health of the parent-child relationship.

~~~
keithpeter
Of course the walkers would have to check the Facebook status every 5 minutes
and post cupcake pictures to Instagram at least once to maintain a credible
profile.

