Mozilla to FinSpy: stop disguising your "lawful interception" spyware as Firefox

14 Responses to “Mozilla to FinSpy: stop disguising your "lawful interception" spyware as Firefox”

  1. WD says:

    Go Mozilla!

    Masquerading spyware as benign open-source software is disgusting.

  2. thompson says:

    Seeing dirtbags like this operate out of a western democracy is ridiculous. It’d be great seeing these people have to actually live under the regimes they’re backing.

  3. EH says:

    I’d like to see them release a detection tool and cause real problems for these companies and governments. “Genuine Firefox.”

    • fuzzyfuzzyfungus says:

      You don’t want to jump into the deep end of that particular pool.

      The big AV players, with the substantial paying customer bases and whatnot, are (at best) ‘barely holding the line’ against generic opportunistic money-grubbing viruses and trojans. They are functionally useless against the ‘advanced persistent threats’ and customized payloads that everybody goes on about these days.

      The situation with state-sponsored attackware is probably incrementally worse because it’s mostly used as a targeted-and-customized payload against targets, and because some AV vendors probably whistle innocently and look the other way when it shows up.

      If the Mozilla Foundation devoted 100% of its resources to the problem, they’d probably still only reach the ‘providing some detections, and some false sense of security, for a fairly small number of people’ stage, which isn’t terribly useful.

      Malware detection is a Hard problem.

      • SoItBegins says:

        It doesn’t have to be malware detection, just Firefox detection (to check that it’s real). A careful use of hashing would be a first step…

        • fuzzyfuzzyfungus says:

          FinSpy, to the best of my knowledge, doesn’t act like Firefox; it’s a piece of spyware that runs in the background and grabs data system-wide. It merely (in some variants) includes various bits of metadata that are designed to make the process it runs as look like an instance of Firefox.

          While validating the integrity of the browser is always nice (since there is a class of malware that hooks in there, since it’s a relatively soft target and also something that a lot of fun data passes through), Firefox would check out as, and be, 100% authentic on a system infected with FinSpy (in fact, things would be even worse because the existence of a Firefox-related process would be a lot more plausible).

  4. hugh crawford says:

    Microsoft has been claiming that Internet Explorer is Mozilla for ever. 

    • fuzzyfuzzyfungus says:

      Given that UA strings are very well known within the relevant circles, it’s hard to see that as ‘deceptive’ for trademark purposes.

      Perhaps more importantly: Going down the path that “UA strings are under legal obligations” would be a… bit of a Pyrrhic victory. So, Microsoft changes from “Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1” to “It’s IE 10, take it and like it”, and UA spoofing is now a violation of the CFAA…

      • dragonfrog says:

        Well, the claim that IE 6 is compatible with anything whatsoever is demonstrably false, at any rate.

        • fuzzyfuzzyfungus says:

          Except, of course, an alarming number of wildly expensive enterprise intranet portals, the poor bastards…

          This is why Windows 2277: Brainstem Premium Edition, will still have an IE6 compatibility mode.

  5. fuzzyfuzzyfungus says:

    It’s a bit sad; but this might actually be the most illegal part of what Gamma is doing.

    Selling dangerous tools to known malefactors is, if done suitably professionally, apparently legal.

    Trademark violations, though? Intellectual Property is Serious Business…

    I’d be delighted to see Gamma go down, of course; but the fact that trademark violations are probably less legal than hunting down dissidents is… dispiriting.

  6. Ben Hutchings says:

    They appear to be copyright violators too – including GNU MP without providing notice to users of their rights under GNU LGPL.

  7. howaboutthisdangit says:

    I’ll bet Gamma would throw down a cease-and-desist real fast if someone released software that identified itself as FinSpy.
