Forgot your password?
typodupeerror
Mozilla Security

Finfisher Spyware Use By Governments Expanding, Masquerades as Firefox 108

Posted by Unknown Lamer
from the mozilla-will-eat-you dept.
nk497 writes "Mozilla has sent a cease-and-desist order to Gamma International, after it was revealed the controversial creator of spyware for governments was disguising itself as Firefox on PCs. 'We cannot abide a software company using our name to disguise online surveillance tools that can be — and in several cases actually have been — used by Gamma's customers to violate citizens' human rights and online privacy,' Mozilla said." DavidGilbert99 writes on the wider implications of the Citizen Lab report: "Governmental spying software has been in the news a lot in recent months and today Citizen Lab has revealed its latest findings, showing that one of the most prolific tools in use, Finfisher, is now in use in 36 countries around the world [beware the auto playing video ads with sound]." And, Voulnet adds "According to analysis and report by CitizenLab of the Gamma FinFisher trojan spyware used against dissidents in the middle east and around the world, the FinFisher codebase uses the LGPL GNU Multiple Precision Arithmetic Library, possibly without adhering to its distribution restrictions."
This discussion has been archived. No new comments can be posted.

Finfisher Spyware Use By Governments Expanding, Masquerades as Firefox

Comments Filter:
  • Sue, sue, sue (Score:5, Insightful)

    by furbyhater (969847) on Wednesday May 01, 2013 @08:52AM (#43599419)
    This scum must get sued into the ground. What a disgusting company.
    • Re:Sue, sue, sue (Score:5, Insightful)

      by IndustrialComplex (975015) on Wednesday May 01, 2013 @08:57AM (#43599463)

      If I were Mozilla, I certainly would. Whenever I hear of Firefox now, I'm going to associate the name with Malware and probably just use something else. Sure after thinking about it for a bit, I'll remember this story, but that first impression matters a lot when branding is concerned.

      Damage to their brand has certainly occured.

    • by Anonymous Coward

      Is the "harm" caused to Firefox's reputation worth any punitive damages? They don't sell Firefox and can't really claim loss of revenue. Maybe they can claim loss of donations to Mozilla?

      • Re:Sue, sue, sue (Score:5, Interesting)

        by furbyhater (969847) on Wednesday May 01, 2013 @09:05AM (#43599537)
        If I were Mozilla I'd look into suing for defamation, more specifically libel. If you have been libeled, you don't even need to prove damages, at least in the US, according to this website: http://www.wikihow.com/Sue-for-Defamation [wikihow.com]
      • Re:Sue, sue, sue (Score:5, Insightful)

        by rvw (755107) on Wednesday May 01, 2013 @09:08AM (#43599569)

        Is the "harm" caused to Firefox's reputation worth any punitive damages? They don't sell Firefox and can't really claim loss of revenue. Maybe they can claim loss of donations to Mozilla?

        Less downloads is less sponsoring from Google. But what does revenue have to do with this? Is this capitalistic brain washing that instructs you that you cannot do anything unless money is involved?

        • by rtb61 (674572)

          The Firefox brand has a perceived value, a value of identifying that product with that brand. It doesn't have to sell anything, it just has to have a 'goodwill' value associated with an identifiable brand. The fraudulent use of the brand, damages the goodwill associated with Firefox and enables a civil suit to be filed to protect and establish not just damages but punitive damages. As the abuse is particular egregious and threatens the perception of security of the products punitive damages could be quite

        • by hairyfeet (841228)

          No sadly he is just stating the truth, a company that "gives away" its product is just gonna have a harder time when it comes to damages VS a company that is charging a set dollar amount.

          We could sit here all day arguing about "commies vs money whores" but the simple fact is that FOSS companies? Really not setting any awards when it comes to damages and with a company like this if you don't damage the shit out of their wallets they'll just write it off as "the cost of doing business" and go on their merry

        • You can't sue for damages if there aren't any. I don't care if you think it shouldn't be that way, that is how it actually is. Civil court is largely for remedying economic damages. Like if you hire me to do work on your house, I cause damage, and then refuse to pay for it, that is what civil court would be for.

          So if I do something to you that is not illegal and causes you no economic harm, well you'll have trouble suing me (successfully) for it. There are cases and trademark infringement is one of them tha

          • No. (Score:5, Insightful)

            by Frosty Piss (770223) * on Wednesday May 01, 2013 @11:51AM (#43601045)

            You can't sue for damages if there aren't any.

            Simply because Firefox is free to download does not mean that Mozilla does not derive any income from Firefox. Mozilla does not run off donations from people like you and I, they provide a service to a number of companies that pay they many many millions of dollars.

            Loss is reputation results in fewer downloads results in a product association that is worth less to these companies.

      • Trademark law (Score:5, Insightful)

        by DrYak (748999) on Wednesday May 01, 2013 @09:14AM (#43599633) Homepage

        It's a clear trademark law violation.

        "Firefox" is a name owned and controller by Mozilla, and is used to clearly designate one specific product: the Firefox browser.
        Gamma are abusing the same name, Firefox, to masquerade their surveillance tool as a browser. They use the same name with intent to create confusion.

        This is not allowed by trademark law and is punishable. It's almost a textbook's case.

        About loss of revenue: Mozilla might not be selling copies of Firefox to end-users, they are still getting paid (by Google, among other) to produce it.

        If suddenly Firefox becomes knkown as a filthy malware (which is exactly what Gamma is doing, and which exactly against what trademark law was designed) Mozilla might lose revenue though from sponsors instead of end-users.

        • Who's law? Gamma is based in England.

        • by hairyfeet (841228)
          So they'll just switch the name to "foxfire" and most folks won't know the damned difference anyway.
          • Even if they swap a few letters around, this is clearly made on the sole purpose of creating confusion and make the victim think it's mozilla's firefox.
            That's exactly what trademark law was made against.

            If Microsoft can sue anything containing "Windows" in the name, if Bethesda can sue anything containing "Scrolls" in the name, if even Apple can sue everything whose name merely begins with lower case 'i' letter... Then Mozilla could certainly sue a company whose product is designed to make use think it's Fi

            • by hairyfeet (841228)

              Yeah but then you get into a whole nother problem...how much do you have to change to get away with it? I mean there are several bunches that legally have their own spinoffs of FF, Iceweasel by Debian, IceDragon by Comodo, hell there is Pale Moon that is just a guy that wanted an optimized FF and of course under GPL all of that is fine since they aren't using the trademarks, just the GPLed code.

              I mean courts have already said Apple can't own the letter "i" or be able to sue anybody who isn't in electronics

        • by tlhIngan (30335)

          About loss of revenue: Mozilla might not be selling copies of Firefox to end-users, they are still getting paid (by Google, among other) to produce it.

          Trademark damages are not limited to loss to revenue. They can also be determined by how much money is made by the infringer. Which can easily be treble. So while Mozilla might not have "lost" any money from this, the other company certainly benefited, and the role of the damage calculation Is to prohibit such behavior as it means a bigger company could willi

      • Breach of license, etc...?
    • Re:Sue, sue, sue (Score:4, Interesting)

      by erroneus (253617) on Wednesday May 01, 2013 @09:17AM (#43599657) Homepage

      I believe this company has already found itself on anonymous' radar. Watch out for fun on the horizon as I expect them to exploit the finfisher C&C servers for their own gain and to the embarassment of finfisher's customers.

    • I think they can do better than that.

      This is a product being used by governments to spy on citizens. Can you imagine what it would do to these investigations, legit or abusive, if the real Firefox were to pop-up a message on the screen of everyone being spied upon notifying them what's going on?

      We're not just talking about ruining the reputation of the spyware company, though that would be a bonus. We're talking about heads rolling of virtually anyone who employed these suckers, which in turn should me

    • by gmuslera (3436)
      Mozilla will lose. Probably government is one of the main clients of that company.
      • by Anonymous Coward

        They won't lose, if it's within the EU, the government(s) run the very real risk of the EU breathing down their necks and reigning them in if they do break European laws.

        Same cannot be said for the USA tho.

  • This is one of the big reasons for supporting open source applications - violations like this can be exposed without relying on a single central authority to uncover it and trusting that the central authority will not be beholden to other interests.

    Kudos to the firefox team!

    • Wrong interpretation (Score:5, Interesting)

      by DrYak (748999) on Wednesday May 01, 2013 @09:08AM (#43599575) Homepage

      The firefox part has nothing to do with "open source" or GPL violation.
      Gamma isn't using a single line of code from firefox.
      Instead they are abusing Mozilla's trademark.
      This is a simple classical violation of trademark law. (and a clear one).

      The LGPL violations are regarding some subcomponent used by finfisher, namely libGMP.

      • Thanks - I didn't mention licensing, sounds as though you read that into my comment.

        This is a violation of trust more than anything else.

        What this has to do with open source is that open source provides the means to identify impostors more readily - and the nicest thing is that there is a means to work around them without being required to use their "version".

        • by neonKow (1239288)

          How on earth does open source provide the means to identify imposters more readily? What central authority are you talking about? md5 will allow you to check that binary whether it's FOSS or not, and your eyeballs are pretty good at determining if another program is stealing a logo/name.

        • by Goaway (82658)

          Absolutely nothing in this case would change if Firefox were a closed-source app. No part of this has anything to do with open source.

        • by hairyfeet (841228)

          How EXACTLY does it do that? And do NOT say the "many eyes" myth as I can show how that one is a myth simply by using common sense and how many LOC you are talking about in your average distro. Hell have YOU done a code audit of FF, Gimp, LO, or any of the other applications that you use?

          While FOSS does have its benefits, the main one being that nobody can just abandon a program or force you to upgrade as long as some devs are willing to support it, see KDE Classic for example, finding malware? NOT one of t

      • by LoRdTAW (99712)

        "Gamma isn't using a single line of code from firefox.

        I am sure Darl McBride could fix that problem.

        • "Gamma isn't using a single line of code from firefox.

          I am sure Darl McBride could fix that problem.

          Kill that thought. Kill it with a heated spoon.

      • by Darinbob (1142669)

        Can you sue under LGPL if you're not a customer? Ie, the customer never requests a copy of the source code, therefore Gamma is not required to produce it, so no license violation?

        • under the GPL, making the source code available under some form is mandatory, no matter what.

          So Gamma is violating because there's no way to get the source code of their copyleft parts.

          In addition to that, the forensics using finfisher to spy are deploying it - thus distributing binaries, and should alsoprovide the parts of source code which are required by the license.

          Failure to do so would be a copyright violation:
          - Gamma can't copy libGMP without a license, and the license asks Gamma to provide some sour

          • by Darinbob (1142669)

            Yes but the point is that only a few people have the legal standing to sue over this, not just any interested third party. The customers who received the binaries for example could sue if they were not given the source code when asked (and you don't have to proactively distribute the sources). Presumably the customers of this product aren't going to sue, as it would expose them publicly as users of the software.

            Also there is a lot of assumption that there was a violation of license, but has anyone actuall

            • Presumably the customers of this product aren't going to sue, as it would expose them publicly as users of the software.

              But the victims got a copy of the binary (although against their will) but did not recieve anything clearly identifying the binary, contact information, licensing of free/libre opensource components nor source code. In fact everything is done to clearly identify the binary as something completely false and different - masquerading as Mozilla's Firefox (hence the trademark violation I mention above).
              Because Gamma tries to hide Finfisher from the victim, the victim isn't properly informed of her/his rights re

    • by dfghjk (711126)

      "This is one of the big reasons for supporting open source applications - violations like this can be exposed without relying on a single central authority to uncover it and trusting that the central authority will not be beholden to other interests."

      By "supporting open source applications" you must mean using their products for free, and by "without relying on a single central authority" you must mean relying on Mozilla as if it wasn't a single central authority. No doubt Mozilla is only "beholden" to you

  • by Shavano (2541114) on Wednesday May 01, 2013 @09:00AM (#43599487)
    How are they getting away with this in Great Britain?
    • yeah but with the NSA, we don't need lameness like this to get our online surveillance.
    • by SJHillman (1966756) on Wednesday May 01, 2013 @09:09AM (#43599581)

      Pshaw, it's only criminal if it isn't being used by the government. Don't you know nothing?

    • by GauteL (29207)

      How are they getting away with this in Great Britain?

      Using the tool may well be a criminal offence, but selling it isn't necessarily. And making it look like Firefox is Trademark violation, which is a Civil matter, not a criminal one.

      It took a while for Mozilla to hear about Gamma and put together a lawsuit. I don't see how this is any different in the US.

      • by Shavano (2541114)
        It's a trademark violation with regard to Mozilla. With regard to the people they get to use it/download it, it's fraud.
    • by niftydude (1745144) on Wednesday May 01, 2013 @09:24AM (#43599715)

      How are they getting away with this in Great Britain?

      Read the ibtimes link - the good old USA is one of the 36 countries.

      So, how are they getting away with this in the US?

  • by DrYak (748999) on Wednesday May 01, 2013 @09:06AM (#43599545) Homepage

    Mozilla's case is a very clear one. Although the software (the source code) is free and open, the trademark (the branding) *IS* NOT. (Hence all the IceWeasel and similar source builds). Gamma company is clearly using a name registered to Mozilla to masquerade itself, and abuse end-users' confusion to make them think it's a Mozilla registered product. That's almost the book case for which Trademark was designed.
    The only thing which could prevent Mozilla from winning at the court would be government meddling (although, this is likely as its a widely used *surveillance* tool :-( )

    In theory, Gamma should have negociated a trademark licensing deal (just as do Linux distribution which provide their own branding on top of Mozilla's. The Firefox which comes with opensuse isn't the exact binary which is available at mozilla.org, but they are allowed to package their build and still call it "Mozilla Firefox" because they obtained a permission).
    In practice, Mozilla will probably refuse to grant Gamma a license.

    The libGMP case is much more interesting: they copied code which don't belong to them. Either they are violating its license and breaking copyright law. Or, they'll have to abid to the license and make their surveillance tool end-user- (or should it be more properly called "end-victim"- ) modifiable. (Either the whole package if its GPL or at least the LGPL parts if there are only LGPL parts in Finfisher).
    Meaning that victims could without any restriction take-over finfisher by injecting their own libraries: it would end up completely legal and possible to tamper with a wiretapping device because the license of some part of it require the end-user to be able to customise them (in case of LGPL, or to customise the whole package in case of GPL).

    • by neonKow (1239288)

      I agree that Mozilla should have no problem stopping Gamma International from using their trademark, but I think you are wrong about the libGMP case. Using FOSS according to the license in no way makes your code more vulnerable to getting its libraries hijacked. It means appropriately releasing the parts of your own source code as FOSS. If your implementation is any good, it shouldn't be possible to tamper with the device.

    • by Anonymous Coward

      This is why they should have spoofed IE. Microsoft would have happily provided a license to allow this.

      • by drinkypoo (153816)

        This is why they should have spoofed IE. Microsoft would have happily provided a license to allow this.

        The goal was to mimic a piece of software that a user might intentionally install and run on their computer.

  • How? (Score:3, Interesting)

    by puddingebola (2036796) on Wednesday May 01, 2013 @09:06AM (#43599549) Journal
    I applaud Mozilla's decision to start legal action against them, but more importantly, how is it legal for this company to operate? Perhaps this is naïve, but how is it legal for a company to operate by providing surveillance software to governments? Does the State Department approve which nation's they can sell to?
    • The government doesn't care a whole hell of a lot if other governments are spying on their own citizens, as long as their espionage doesn't cross borders and spy on our stuff. All the better if our government has a backdoor into the software letting us spy on their citizens.

    • by caspy7 (117545)

      They haven't started legal action.

  • Remember... (Score:5, Funny)

    by Minwee (522556) <dcr@neverwhen.org> on Wednesday May 01, 2013 @10:03AM (#43600025) Homepage
    ...They didn't get Al Capone for murder, they got him for distributing LGPL code without attribution.
    • ...They didn't get Al Capone for murder, they got him for distributing LGPL code without attribution.

      Well, given the current state of legal systems, they simply went for the greater offense to prosecute (violating someone's IP, gosh!).

  • I'm going out on a limb here, I hope it doesn't break...

    As has been noted here, and is very obvious to those with any modicum of insight, the brand and trust value in FF has been greatly tarnished:
    Will the general public be more reticent to use FF?
    Will computer techs be less likely to reccommend FF to users?
    Will enterprises be less likely to use FF?
    I think the answer is yes on all counts.

    Gamma International(AKA major cunts) picked the obvious choice of "trusted" and "independent" browsers to s
  • "White Hats" versus "Black Hats" ? ? ?

    How about, evil is as evil does!

    There's an article in that rag owned by notorious dog killer, Blethens (the Seattle Times) describing "white hats" --- a most muddied description when it pertains to those who support the status quo, which is coding software to track everyone today!

    Narus [wikipedia.org], now a Boeing subsidiary, would describe themselves as "white hats" --- yet their DPI technology [wikipedia.org] (Deep Packet Inspection) has been used to track down, torture and murder pro-dem

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...