Controlling high-risk software: Going after the vendors is not the answer

Well, now that CyberSpy Software doesn’t promote RemoteSpy (a remote keylogger) as super-secret software and doesn’t provide directions on how to use it as such, all is well in the legal realm.   What a bunch of… nonsense.

CyberSpy Software had been unable to sell its RemoteSpy application since Nov. 6, when a court granted a request for an injunction after a complaint by the U.S. Federal Trade Commission (FTC).

The FTC alleges CyberSpy marketed RemoteSpy by giving detailed instructions on how to install the program on computers and surreptitiously collect data. A trial is scheduled for June 15 in U.S. District Court for the Middle District of Florida in Orlando.

The new injunction bars CyberSpy from suggesting the program can be secretly installed or that keyloggers can be passed on as innocuous programs.

Source: Court Allows Spyware Program to Go Back on Sale, PC World, 8 December 2008

My problem isn’t with CyberSpy selling the software.  There are legal, forensics applications for it.  I don’t even have a problem with CyberSpy telling others how to surreptitiously collect evidence in a manner consistent with local, state, and federal law.  In fact, CyberSpy warns customers that certain uses of RemoteSpy might be illegal.  My problem is with the legal system spending time on blocking a small supplier of remote keylogger software (less than 4 percent of the market) because it had the audacity to post its own set of instructions.

First, it only takes passing knowledge of computer networking and remote access to install and operate this kind of software.  Not having directions is a very minor inconvenience for black hats or forensics investigators but a big omission for parents tracking family PC use (although there are better applications for controlling family use of the Web).

Second, software keyloggers are available across the Internet.  And what about hardware keyloggers?  You can pick up a small device capable of storing 2,000 pages of typed text for less than $50.  Is the FTC going after all these vendors as well?  Many have instructions online.

The only way to stop illegal use of these products, both hardware and software, is to ban their sale and use.  Banning sales and instructional material is a weak option.  Neither the FTC nor the Federal courts have control over off-shore sites to which sales and information pages would inevitably move.

In my opinion, the only real way to stem the illegal use of keyloggers is enforcement of existing laws, laws which govern privacy and theft.  But this is also problematic.  As long as there is demand for these products, and they are readily available from a large number of sites (including free offerings), the battle against their use would be similar to our war on drugs.  And we know how well that’s gone over the years.

Although we should not give up on enforcement, it isn’t enough.  We have to rely on and encourage user responsibility for what ends up on their computers.  Simply installing anti-virus software doesn’t go far enough in today’s computing environment.  Both individual users and organizations must continue to take steps to protect themselves from all unwanted entities--both human and bit-collections--floating around the Web, implemented by insiders, or sent through unknown holes in our perimeters.  Instead of whacking vendors one at a time, maybe the FTC should encourage Congress and the administration to actually do something useful in terms of monitoring, enforcement, and helping SOHOs, SMBs, and personal users deploy the right defenses, including:

  • Web filtering (e.g., WebSense and OpenDNS)
  • Intrusion and extrusion detection, both on the network and the desktop
  • Implementation of a desktop security suite which includes anti-virus, anti-malware, personal firewall, and anti-phishing
  • Securely configuring wireless networks
  • Configuring SOHO and SMB routers and firewalls to block everything but what is necessary to do business (assuming SOHO networks even have a router/firewall between the cable modem and the business network)
  • User awareness of poor computer security behavior

To be fair, the FTC has done a good job posting helpful information on its Web site, but there is still much to do.

Do you agree?

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

9 comments
jdclyde

If its primary use is to perform an illegal task, such as carrying a "slimjim" around in your car, then it should be regulated. If you are not in a towing business and get caught with a slimjim in your car, there will be hell to pay. Not having looked at the software or the way it was marketed, I won't venture on if this case should or shouldn't have been shut down. I know I personally used "Spector" a few years back, on my own machine, with VERY satisfying and LEGAL results. A difference, it was not a "remote" software.

pjboyles

The FTC was not stopping them from selling software, they objected to them posting instructions on how to commit a crime. That is the actionable item. You appear to have missed the point of the action or deliberately twisted the information to write a position article. Installing software on a system for which you do not have permission to install software is a crime (unless you have a warrant). Helping someone makes you an accessory.

apotheon

"If its primary use is to perform an illegal task, such as carrying a 'slimjim' around in your car, then it should be regulated. If you are not in a towing business and get caught with a slimjim in your car, there will be hell to pay." A slimjim is just an inanimate object. I don't much like the implication of what you said at all. Think about it for a moment: Would you really want it to be illegal for you to have an application vulnerability scanner if you aren't some kind of "licensed" IT security professional? I, for one, find following in the footsteps of countries like Germany that way a chilling proposition. Let's keep security tools -- both for cars and computers -- free.

apotheon

Maybe Tom edited the article after you first saw it -- I don't know. What I do know is that, by the time I got to it at least, he had definitely noted that the company was in trouble because of the fact it posted instructions on the Web. I don't agree with your analysis of his writing at all.

Tom Olzak

I didn't miss the point. The FTC went after a small part of the problem because they posted instructions. Again, that's nonsense. Kill the instructions at the software site, they'll simply pop up somewhere else on the Web. Further, I wrote removing the instructions will not stop those who use the software for nefarious purposes. They know how to use it or will easily figure it out. This was, in my opinion, a waste of the FTC's time.

robo_dev

that anytime you try to 'ban something' or make it illegal, the real-world consequences are seldom in alignment with the intent of the law, and enforcement/prosecution becomes arbitrary, problematic, and unfair. The issue is that almost any software and hardware can be used for illegal purposes, so where do you draw the line? The biggest issue is that the criminal justice system typically does not have the expertise to deal with issues of this type...therefore prosecution is likely to be arbitrary and heavy handed. And there are jurisdiction issues.....if the US law forbids such a tool, then the company moves to Canada, and they're all set, eh?

ssirvin

No inanimate object should be illegal to possess (including handguns). I read about people charged with possession of "burglary tools" (hammer, crowbar, or whatever). I have these objects, but it is the way they are used that is legal or illegal. It always seemed to me to be a way to throw another charge at someone, or to legitimize an otherwise baseless arrest.

apotheon

You're exactly right about those problems, to say nothing of the ethical problems of banning things that, in and of themselves, have no ethical character -- which means you're imposing limits on what people may do with their own persons and belongings. "where do you draw the line?" I know that's a rhetorical question, but I'll provide the correct answer (of which I'm sure you're aware) anyway: You don't. The line should not be drawn on such matters.

hivert_jp_usa

I would like to see more people thinking like you. That would be more like "freedom" and real justice. jean