"We’re allowing a whole new level of intelligence in the networks...We can take a copy of everything coming through our switch and dump it off to the FBI."
November 20, 2011 9:45 AM   Subscribe

The Surveillance Catalog: Where Governments Get Their Spying Tools The Wall Street Journal has obtained a "trove" of documents from the secretive retail market in surveillance technology sold to world governments, and has created a searchable database for your enjoyment. "Among the most controversial technologies on display at the conference were essentially computer-hacking tools to enable government agents to break into people's computers and cellphones, log their keystrokes and access their data..." E.g., FinFisher installs malware by sending fake software updates for Blackberry and other devices; VUPEN's Exploits for Law Enforcement Agencies "aim to deliver exclusive exploit codes for undisclosed vulnerabilities" in software from Microsoft, Apple and others.

In interviews in Dubai, executives at several companies said they were aware their products could be abused by authoritarian regimes but they can't control their use after a sale. "This is the dilemma," said Klaus Mochalski, co-founder of ipoque, a German company specializing in deep-packet inspection, a powerful technology that analyzes Internet traffic. "It's like a knife. You can always cut vegetables but you can also kill your neighbor." He referred to it as "a constant moral, ethical dilemma we have."
posted by mediareport (37 comments total) 34 users marked this as a favorite
Is this in the: "I'd tell you but then I'd have to kill you." territory?
posted by a shrill fucking shitstripe at 9:54 AM on November 20, 2011 [1 favorite]

I would say it's more like a gun, in that you can use it for good, to defend people, or evil, to hurt people. These exploits don't have any legitimate use ("cut vegetables") beyond obtaining information without permission; the only question is what is done with the information.
posted by vogon_poet at 9:55 AM on November 20, 2011 [1 favorite]

"a constant moral, ethical dilemma we" pat on the head like a whiny child as we stand in line at the bank to make yet another multi-million dollar deposit.
posted by seanmpuckett at 9:59 AM on November 20, 2011 [5 favorites]

Is that frog boiled yet?
posted by Trurl at 10:46 AM on November 20, 2011 [4 favorites]

Don't be blinded by the slick glossies. This industry is chock full of snake oil and outright thieves. Their target audience is overly credulous.

The inclusion of just plain off-the-shelf network management utilities and devices in the collection is a nice touch. Surveillance, network management, whoever has the budget, they're glad for your money. Of course these products are the best value in there.

Something tells me this test device will do what it's supposed to, while this expensive toy is a great way to sell some gullible "end users" software you picked up off packetstorm.
posted by graftole at 10:56 AM on November 20, 2011 [7 favorites]

So VUPEN only sells its exploits to law enforcement agencies in friendly countries. Guess that means there's no chance their program will get out of their control and be used by anyone else. Yessir, no chance at all.

Reading about stuff like this always makes me think of Brin's Transparent Society. More and more it seems like we're heading for his worst case option where the "good guys" and the "bad guys" both have total access to our information, but we have no access to theirs. Joe average is an open book to anyone with the right access or technology, but anyone powerful or smart is totally opaque to the rest of the world.
posted by Kevin Street at 10:57 AM on November 20, 2011 [8 favorites]

I'm wondering how FinFisher gets around the fact that updates should be signed. Do they compromise they signer as well as the ISP?
posted by Leon at 11:12 AM on November 20, 2011

The same tools are available to Joe Average, assuming Joe Average is willing to spend some money. An older case-in-point: VulnDisco.

There you go, unpatched exploits (working in a proven attack framework) from a VUPEN competitor. All yours for a nominal fee.

The "we only sell to the good guys" message is marketing strategy to create a perception of exclusivity.
posted by graftole at 11:14 AM on November 20, 2011

The same tools are available to Joe Average

Well, minus the satellite access stuff, no? I agree there's not a lot new here in terms of the technology being used, but the look inside the surveillance trade show world and the pitches being used seemed interesting enough to link.
posted by mediareport at 11:17 AM on November 20, 2011

Quick, lets send them the infodump only from the grey
posted by infini at 11:19 AM on November 20, 2011

BTW, the firewire thing that gets around passwords? I've written a tool that does it. It was really simple, too. Maybe 200 lines of code. It would need to be tweaked for each OS update, though. That would be the tedious part.
posted by ryanrs at 11:34 AM on November 20, 2011

Well, minus the satellite access stuff, no?

The satellite test equipment I linked, just most any other spectrum analyzer equipment, is available to you as well. It's not cheap by any means, but it's out there. That's the equipment that by-and-large does what it says, it just happens to also have uses for surveillance/countersurveillance. In my experience, it's also the least marked-up to the "exclusive" market.

When you start seeing the exaggerated claims, the magical hand-waving, and other red flags, you can be pretty sure it's preying on the credulousness of the target market. It's *very* much in the same vein as the $0.75 near-field detection circuits that are sold as $500 "bug detectors" to the customers of "spy shops".
posted by graftole at 11:40 AM on November 20, 2011 [4 favorites]

I thought governments just asked companies like RIM for their records and they just handed them over. Why the need for the software?
posted by dazed_one at 11:52 AM on November 20, 2011 [1 favorite]

Things have changed. The Emperor is wearing his invisible cloak, and we are the naked ones...
posted by Oyéah at 12:24 PM on November 20, 2011 [1 favorite]

The Wall Fucking Street Journal is 'leaking' this? Is this Murdock's way of reminding us proles that the Government has us by the nuts while the Corporations have the Government by the nuts?
posted by oneswellfoop at 1:23 PM on November 20, 2011 [1 favorite]

"Undisclosed vulnerabilities" in Apple, MS, etc. software--"vulnerabilities" as in, say, back doors put in deliberately for authorities to use?
posted by manguero at 1:32 PM on November 20, 2011 [3 favorites]

graftole I think is right on the money. oneswellfoop, thanks for posting the reminder that the WSJ is owned by Murdoch, it saves me the trouble of having to.
posted by JHarris at 1:49 PM on November 20, 2011 [1 favorite]

manguero: given the current grey market in vulnerabilities that seem to be bought by either the government or companies such as these that provide 'weaponized' capabilities it seems that back doors aren't being used.

oneswellfoop: can't we all cheer for a bit of investigative reporting (it's increasingly rare these days)? I sincerely believe that Murdoch is interested in retaining the credibility of the WSJ (he bought it for its reputation and influence, I would imagine) and to do so he needs to let some real reporting go on there (sometimes).
posted by el io at 1:52 PM on November 20, 2011 [1 favorite]

el io, the shameful way Rupert Murdoch's publications and channels reacted to the phone hacking scandal cast doubt on News Corp's entire operation. The sole time a light was cast into the dark corners of the Murdock empire we saw that it was filled to the brim with roaches. Until the next time such a light is cast, we have no reason to believe the roaches aren't still there -- it's not like they've called in pest control.
posted by JHarris at 2:06 PM on November 20, 2011 [1 favorite]

filled to the brim with roaches...

Welp, thanks for that bit of nightmare fuel. Ugh.
posted by His thoughts were red thoughts at 2:51 PM on November 20, 2011 [1 favorite]

By which I mean that you have an evocative turn of phrase, JHarris. I agree with your point.
posted by His thoughts were red thoughts at 2:52 PM on November 20, 2011 [1 favorite]

He referred to it as "a constant moral, ethical dilemma we have."

Some companies keep the dilemma locked in a little box that's kept at the back of a shelf in the cupboard where the office cleaning supplies are kept. Every now and then a member of staff goes into the cupboard for some whiteboard cleaner or maybe some paper towels, and they see the box and think what the...oh, yeah, that. And they pick it up, give it a little shake so they can hear the dilemma moving inside, and then they put it back and when they go back out into the office they say 'we've still got that moral, ethical dilemma you know', and everyone puts their serious face on for a moment. Then someone's chair makes a farting noise, and everyone laughs and gets on with business.
posted by reynir at 2:53 PM on November 20, 2011 [7 favorites]

Sorry if I'm kinda derailing (it's what I do), but these days I consider it EXTREMELY important to "Consider the Source" on every piece of "Investigative Reporting" I encounter (scare quotes very intentional), and the WSJ has been seriously influenced by the Murdock Rot since its acquisition. Maybe this is a case of keeping up its reputation while serving other purposes too. It's too damn hard to avoid such suspicions on everything within that Evil Empire; I barely avoided it for the Arrested Development revival.
posted by oneswellfoop at 2:59 PM on November 20, 2011 [1 favorite]

Interesting, I hadn't known that FinFisher provides fake updates like that.

I recently wrote a post about how making cryptography software kosher for Apple's App Store makes that software far less secure, dealing with the Covert Browser Tor implementation specifically.

We should however ask the same question about the various Linux software distributions : Does any Linux or BSD distribution require that stable packages be signed by independent authorities physically located in several jurisdictions?
posted by jeffburdges at 4:26 PM on November 20, 2011

Murdoch has the largest intelligence gathering organization in the world and has recently been taken to task for his surveillance activities. To me, it looks like he is feeling a little lonely in the spotlight and it trying to bring in a few more warm bodies to keep him company.
posted by psycho-alchemy at 5:18 PM on November 20, 2011 [3 favorites]

I'd imagine many western nation have more embassy personal in many countries than Murdoch has reporters, psycho-alchemy. Also, the NSA claims it employs half the mathematicians in the U.S., although maybe you could argue about who they consider a mathematician vs. who industry considers a mathematician. Are all A.I. software developers mathematicians?
posted by jeffburdges at 6:17 PM on November 20, 2011

For what it's worth, the WSJ's reporting staff has generally had a good reputation that's relatively free of the stink from the bile being spewed by the paper's editorial pages. I don't think that's changed much post-Murdoch; a pal attributes it to the need of business readers for solid reporting instead of bullshit spin. I seem to recall Greenwald making a similar point about WSJ reporting usually being pretty good stuff.

So while I'm a big fan of 'consider the source'-style skepticism, there's nothing about this story that's pinging my MURDOCH PLANTED THIS radar.
posted by mediareport at 7:59 PM on November 20, 2011

Okay, I am almost in the position of defending Murdoch (thanks a ton, metafilter!). But not quite.

Yes, the media empire he controls is all sorts of bad for all sorts of reasons. But do we discard every Harper-Collins publication because he taints it? Not really.

Similarly the reporting done by these WSJ reporters in the past seems quite reasonable.

They seem to cover the tech beat, privacy and computer security issues. I hope reporters continue to cover the growing surveillance business.

I would hope that such reporting starts to engage the public in questions regarding the appropriate export of oppression technologies. US companies are profiting from the squashing of dissent around the world; is this something that is appropriate?

I'll save my (great) disdain for Rupert's empire for other threads.
posted by el io at 8:01 PM on November 20, 2011

If the government decides to monitor my computer activity and keystrokes, they are sure going to have to sift through a hell of a lot of porn.
posted by Leisure_Muffin at 8:01 PM on November 20, 2011 [4 favorites]

I'd assume they enjoy the porn, breaking your disk encryption probably makes perfectly ordinary porn much more exciting, certainly the TSA makes due.
posted by jeffburdges at 8:15 PM on November 20, 2011

Well I hope they monitor mine, since so much of my work concerns with increasing my understanding of how the poor manage with so little under harsh conditions in uncertain environments.
posted by infini at 8:47 PM on November 20, 2011 [1 favorite]

Man, their spy catalog sucks. They don't even have X-Ray Specs, which were widely available from another catalog.

Oh Miss Swenson, I'm sorry now but I wasn't then. I actually did purchase X-Ray Specs from the manufacturer, through the helpful intermediary of the Johnson Smith Catalog, and while the other boys joked about the features you concealed under that tight sweater, I alone, thanks to my spy device, had actually glimpsed those secrets.
posted by twoleftfeet at 12:16 AM on November 21, 2011 [1 favorite]

Yes, the media empire he controls is all sorts of bad for all sorts of reasons. But do we discard every Harper-Collins publication because he taints it? Not really.

Don't discard. Instead, be ready to recognize, and check sources.
posted by JHarris at 12:29 AM on November 21, 2011

Secretive retail market, my ass.
posted by IAmBroom at 8:00 AM on November 21, 2011

Wall Street Jounral?

posted by kcds at 5:45 AM on November 22, 2011

Who Watches the Watchers?
posted by jeffburdges at 12:08 PM on November 28, 2011

« Older On a Throne Made of Vanishing Ink   |   RIP Gary Garcia Newer »

This thread has been archived and is closed to new comments