Submit a link Features Reviews Podcasts Video Forums More ▾

Spyware increasingly a part of domestic violence

Australian Simon Gittany murdered his girlfriend, Lisa Harnum, after an abusive relationship that involved his surveillance of her electronic communications using off-the-shelf spyware marketed for purposes ranging from keeping your kids safe to spotting dishonest employees. As Rachel Olding writes in The Age, surveillance technology is increasingly a factor in domestic violence, offering abusive partners new, thoroughgoing ways of invading their spouses' privacy and controlling them.

The spyware industry relies upon computers -- laptops, mobile devices, and soon, cars and TVs and thermostats -- being insecure. In this, it has the same goals as the NSA and GCHQ, whose BULLRUN/EDGEHILL program sought to weaken the security of widely used operating systems, algorithms and programs. Every weakness created at taxpayer expense was a weakness that spyware vendors could exploit for their products.

Likewise, the entertainment industry wants devices that are capable of running code that users can't terminate or inspect, so that they can stop you from killing the programs that stop you from saving Netflix streams, running unapproved apps, or hooking unapproved devices to your cable box.

And Ratters, the creeps who hijack peoples' webcams in order to spy on them and blackmail them into sexual performances, also want computers that can run code that users can't stop. And so do identity thieves, who want to run keyloggers on your computer to get your banking passwords. And so do cops, who want new powers to insert malware into criminals' computers.

There are a lot of ways to slice the political spectrum -- left/right, authoritarian/anti-authoritarian, centralist/decentralist. But increasingly, the 21st century is being defined by the split between people who think your computer should do what you tell it, and people who think that you can't be trusted to control your own computer, and so they should be able to run code on it against your will, without your knowledge, and to your detriment.

Pick a side.

Spyware's role in domestic violence [Rachel Olding/The Age]

(via Geek Feminism)

Malware-Industrial Complex: how the trade in software bugs is weaponizing insecurity

Here's a must-read story from Tech Review about the thriving trade in "zero-day exploits" -- critical software bugs that are sold off to military contractors to be integrated into offensive malware, rather than reported to the manufacturer for repair. The stuff built with zero-days -- network appliances that can snoop on a whole country, even supposedly secure conversations; viruses that can hijack the camera and microphone on your phone or laptop; and more -- are the modern equivalent of landmines and cluster bombs: antipersonnel weapons that end up in the hands of criminals, thugs and dictators who use them to figure out whom to arrest, torture, and murder. The US government is encouraging this market by participating actively in it, even as it makes a lot of noise about "cyber-defense."

Exploits for mobile operating systems are particularly valued, says Soghoian, because unlike desktop computers, mobile systems are rarely updated. Apple sends updates to iPhone software a few times a year, meaning that a given flaw could be exploited for a long time. Sometimes the discoverer of a zero-day vulnerability receives a monthly payment as long as a flaw remains undiscovered. “As long as Apple or Microsoft has not fixed it you get paid,” says Soghioan.

No law directly regulates the sale of zero-days in the United States or elsewhere, so some traders pursue it quite openly. A Bangkok, Thailand-based security researcher who goes by the name “the Grugq” has spoken to the press about negotiating deals worth hundreds of thousands of dollars with government buyers from the United States and western Europe. In a discussion on Twitter last month, in which he was called an “arms dealer,” he tweeted that “exploits are not weapons,” and said that “an exploit is a component of a toolchain … the team that produces & maintains the toolchain is the weapon.”

The Grugq contacted MIT Technology Review to state that he has made no “public statement about exploit sales since the Forbes article.”

Some small companies are similarly up-front about their involvement in the trade. The French security company VUPEN states on its website that it “provides government-grade exploits specifically designed for the Intelligence community and national security agencies to help them achieve their offensive cyber security and lawful intercept missions.” Last year, employees of the company publicly demonstrated a zero-day flaw that compromised Google’s Chrome browser, but they turned down Google’s offer of a $60,000 reward if they would share how it worked. What happened to the exploit is unknown.

Welcome to the Malware-Industrial Complex [Tom Simonite/MIT Technology Review]

(via O'Reilly Radar)