Controlling high-risk software: Going after the vendors is not the answer

Well, now that CyberSpy Software doesn't promote RemoteSpy (a remote keylogger) as super-secret software and doesn't provide directions on how to use it as such, all is well in the legal realm. What a bunch of nonsense.

CyberSpy Software had been unable to sell its RemoteSpy application since Nov. 6, when a court granted a request for an injunction after a complaint by the U.S. Federal Trade Commission (FTC).

The FTC alleges CyberSpy marketed RemoteSpy by giving detailed instructions on how to install the program on computers and surreptitiously collect data. A trial is scheduled for June 15 in U.S. District Court for the Middle District of Florida in Orlando.

The new injunction bars CyberSpy from suggesting the program can be secretly installed or that keyloggers can be passed on as innocuous programs.

Source: Court Allows Spyware Program to Go Back on Sale, PC World, 8 December 2008

My problem isn't with CyberSpy selling the software.  There are legal, forensics applications for it.  I don't even have a problem with CyberSpy telling others how to surreptitiously collect evidence in a manner consistent with local, state, and federal law.  In fact, CyberSpy warns customers that certain uses of RemoteSpy might be illegal.  My problem is with the legal system spending time on blocking a small supplier of remote keylogger software (less than 4 percent of the market) because it had the audacity to post its own set of instructions.

First, it takes only passing knowledge of computer networking and remote access to install and operate this kind of software.  Not having directions is a very minor inconvenience for black hats or forensics investigators but a big omission for parents tracking family PC use (although there are better applications for controlling family use of the Web).

Second, software keyloggers are available across the Internet.  And what about hardware keyloggers?  You can pick up a small device capable of storing 2,000 pages of typed text for less than $50.  Is the FTC going after all these vendors as well?  Many have instructions online.

The only way to stop illegal use of these products, both hardware and software, is to ban their sale and use.  Banning sales and instructional material is a weak option.  Neither the FTC nor the Federal courts have control over off-shore sites to which sales and information pages would inevitably move.

In my opinion, the only real way to stem the illegal use of keyloggers is enforcement of existing laws, laws which govern privacy and theft.  But this is also problematic.  As long as there is demand for these products, and they are readily available from a large number of sites (including free offerings), the battle against their use would be similar to our war on drugs.  And we know how well that's gone over the years.

Although we should not give up on enforcement, it isn't enough.  We have to rely on and encourage user responsibility for what ends up on their computers.  Simply installing anti-virus software doesn't go far enough in today's computing environment.  Both individual users and organizations must continue to take steps to protect themselves from all unwanted entities—both human and bit-collections—floating around the Web, implemented by insiders, or sent through unknown holes in our perimeters.  Instead of whacking vendors one at a time, maybe the FTC should encourage Congress and the administration to actually do something useful in terms of monitoring, enforcement, and helping SOHOs, SMBs, and personal users deploy the right defenses, including:

  • Web filtering (e.g., WebSense and OpenDNS)
  • Intrusion and extrusion detection, both on the network and the desktop
  • Implementation of a desktop security suite which includes anti-virus, anti-malware, personal firewall, and anti-phishing
  • Securely configuring wireless networks
  • Configuring SOHO and SMB routers and firewalls to block everything but what is necessary to do business (assuming SOHO networks even have a router/firewall between the cable modem and the business network)
  • User awareness of poor computer security behavior

To be fair, the FTC has done a good job posting helpful information on its Web site, but there is still much to do.

Do you agree?


Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...
