Court Slams Door On Sale of Spyware

coondoggie writes "The Federal Trade Commission yesterday had a US District Court issue a temporary restraining order halting the sale of RemoteSpy keylogger spyware. According to the FTC's complaint, RemoteSpy spyware was sold to clients who would then secretly monitor unsuspecting consumers' computers. The defendants provided RemoteSpy clients with detailed instructions explaining how to disguise the spyware as an innocuous file, such as a photo, attached to an email."

Re:

[Meshach]

Because they didn't disclose what they were doing.

FMI please RTFA

Re:but why?

[pseudonomous]

Ultimately, hopefully, the issue which will get the defendants in trouble will not be that they sold the keylogger software OR that they provided tutorials on how to trojan it into unwitting victims computers, but rather that THEY stored illegally obtained software on THIER server. Otherwise, this sets a dangerous precident where someone decides that software which potentially has valid uses, is declared illegal. (It's convoluted but you can imagine a case where someone might have a legitimate use for using keylogger software) It's like the whole "right to bear arms thing", just becuase someone shoots his neighbor doesn't mean guns should be illegal. (they should be, IMO, but this isn't the reason)

Re:but why?

[moteyalpha]

Well I am seeing a paradox here because the NSA designs and creates tools like this and makes manuals to explain how to use it. Now they can say they are using it for a legal purpose, however if the mere fact of having something that could be used in a sneaky way is illegal then they would be guilty of possessing a criminal artifact. If creating the stuff is illegal, whoever contracts with a government agency to produce this stuff is criminal by this strict an interpretation. It seems to imply that a citizen can commit a crime and a bureaucrat cannot.

Re:

[KDR_11k]

They could simply classify it as a war weapon and limit it to govt agencies...

Re:

[Ihmhi]

Oh come on, it's just spyware, not encryption.

Re:

[skroops]

charged with posessing a criminal artifact? The police get to have cool toys because they are police, and if they have to break in they will. Think slimjims, boltcutters etc. There is no conflict here.

Re:

[Loki_1929]

It seems to imply that a citizen can commit a crime and a bureaucrat cannot.

Sort of like when police officers fly down the road at 40mph+ higher than the speed limit, change lanes without signalling, run stop signs, cut people off, tailgate people on the highway, and generally drive like the biggest bunch of suicidal assholes the road has ever seen but will pull over the rest of us for stepping even slightly out of line without a second thought?

Sorry, I just spend a lot of time on highways, so it just reall

Re:

[Surreal Puppet]

You mean like the catch-all German "hacker program" law, that has had the entire security industry up in arms? The one where you could in theory get arrested for possessing a copy of NMap?
www.schneier.com/blog/archives/2007/08/new_german_hack.html

Valid REason for HAving KeyLogger

[wizzerking]

I am a software developer for some companies, and we have included as part of the test installation keylogger software, as well as mouse clicking software, because with out this log of information we found that humans have no clue as to the path that was used to create a problem in the software. So this a very very legitimate use of the keylogger software, and mouse clicking software when the tester, is running our program. Other times I have used keylogger, and mouse clicking software on a customer's com

Re:

[Aoet_325]

from time to time I run a keylogger on my own systems. It's been pretty useful for going back and figuring out exactly what I was doing last week, it provides a quick way to find some comment I made or a website I was at before, etc.

It helps that I spend a lot of time at a command line as well, but I have even left notes to myself by typing anywhere that will accept text, and then clearing the text out.

It's also nice to be able to know exactly when someone else was on my system and what exactly they were do

Re:

[stephanruby]

When everything settled down, then I was paid to remove the keylogger, and mousing logging software.

This sounds like a great strategy to make sure you get paid. Don't ask for money upfront, only ask for money after the keylogger is installed.

Re:

[Roland Piquepaille]

I think their problem is that they should have sold it under the guise of a computer security assessment tool or something, and not outright say it's for spying on people. It's like those countless micro-camera that are sold to "monitor babies", when in reality everybody knows they're bought by peeping toms who plant them in ladies bathrooms

Re:

[Surreal Puppet]

I honestly don't think you could pass of something this simple as a pen-test tool. You could probably pass it off as a pure remote administration utility. But this would require you to add lots of extraneous functionality that would seriously confuse the intended market, and you couldn't market it to them directly either (I guess this could work anyway if you could incite some really strange grassroots campaign.) On the upside, if the virus engines wouldn't recognize it, you wouldn't have to include signatu

Re:

[Thanshin]

Lady: "Why is there a big pink bear in this dressroom?"
Bear: "Shut up and take off your clothes already."

BO

[negRo_slim]

Back Orifice [wikipedia.org] anyone?

Bane of ICQ 98b users everywhere!

Re:BO

[negRo_slim]

Finding TFA severely lacking, might I recommend a more informative article from, Ars Technica [arstechnica.com].

Time Frame

[cjfs]

As much as the FTC deserves an "A" for effort, however, the timeline of the case is an excellent example of how poorly equipped the government is when it comes to addressing this type of problem. The brief states that RemoteSpy has been available since "at least August 2005.

It hardly seems worth the effort if this time frame is typical. You'd hope any spyware scanner worth using would have picked it up 20x faster.

Re:

[MrNaz]

To have had a greater effect, the court should have ordered that their hands be held in the door when it was being slammed.

Re:

[TubeSteak]

You'd hope any spyware scanner worth using would have picked it up 20x faster.

Not all anti-virus and malware scanners will include commercial products in their database.

Re:

[novalogic]

You'd hope any spyware scanner worth using would have picked it up 20x faster.

Not all anti-virus and malware scanners will include commercial products in their database.

Unless of course the commercial product in question is a Windows system file...

This is good.

[Surreal Puppet]

But it's stuff like this we're really after: http://en.wikipedia.org/wiki/MPack_(software) [wikipedia.org]. People who code professional-grade malware generally do so to profit off of it. It's well known that in the existing ecosystem of digital crime the malicious hackers themselves rarely act as attackers in large-scale id/credit card theft; instead they sell it to people who do. Quoting this extremely enlightening interview: http://www.securityfocus.com/news/11476 [securityfocus.com]

"The project is not so profitable compared to other activities on the Internet. It's just a business. While it makes income, we will work on it, and while we are interested in it, it will live. Of course, some of our customers make huge profits. So in some ways, MPack could be looked at as a brand-name establishment project."

This particular piece of spyware is amateur stuff, aimed at paranoid spouses/bosses, but if we can hit the business of selling spyware (probably requiring the cooperation of the international banking system, as well as the governments of china and russia) it would totally cripple large-scale internet crime as we know it. It's a pipe dream, of course. But one can always dream.

Good intentions and all that...

[TapeCutter]

"...if we can hit the business of selling spyware (probably requiring the cooperation of the international banking system, as well as the governments of china and russia) it would totally cripple large-scale internet crime as we know it. It's a pipe dream, of course. But one can always dream."

I don't want to rob you of your dreams (or take away your pipe :), but the road to software hell is paved with legal definitions of the term "spyware".

Re:

[Surreal Puppet]

I totally meant to type "malware", but my head is muddled from a sleepless night. Spyware is of course only a part of the problem.

Re:

[TapeCutter]

Ok, so "spyware" is a type of "malware", so define "malware"? - Can you see where I am going? - What is the magic algorithim that determines if an application is "malware"?

Re:

[Anonymous Coward]

So Vista is malware? ...sorry, too easy...

Re:

[Surreal Puppet]

The thing with spyware is that it's included in legitimate apps, typically, and the user has to click through an EULA. Also, all software sold with the intended purpouse of large-scale crime have to be explicitly designed for the fraud in question (code for capturing credit card numbers and passwords from browser sessions/committing various forms of DDOS attacks for example.) The purpose of the software is obvious from it's construction (which conveniently also sets it apart from how commercial pen testing

use, not possession

[bugi]

It's the use to which it's put.

Consider by analogy a crowbar. It could be used to force open someone's window or someone's head, both illegal; but it could also be used to pry off the hubcap of one's own car, an operation legal in most jurisdictions.

Let's see, legal ethical use of spyware... Hmm, that's a tough one for a civil libertarian. Logging your underage kid's IRC sessions in case you later need to find out where she's run off to meet her 40 year old "friend"?

Re:

[blueskies]

What is the magic algorithm that determines of a freedom fighter is a terrorist?

Anyway, if you are really interesting in learning people are trying to come up with useful definitions that allow us to make the internet safer: http://www.antispywarecoalition.org/documents/definitions.htm [antispywarecoalition.org]

Labeling software correctly, ie: letting consumers make their own decisions, means we don't need the legal system to get involved except where stuff is fraudulently mislabeled.

You want to write malware, fin

Re:

[BountyX]

Credit card numbers are sold for 15$ a pop on irc. Social security numbers can run from 2-10 bucks. Now imagine stealing a backup tape with 15 million records...

Useless Trash

[www.blogLinux.org]

If the television show Cheaters is ok, then surely this should be ok.

Other legal purposes

[Anonymous Coward]

Almost all software has legal use to some extent.
I am a small company owner. I have 5 employees and provide them with computers. I have told them that their computer use is monitored and bought this software to ensure I could perform that task. It does.

My computers are for my company to make money, not their personal use. No personal email. No day-trading. No on-line banking and definitely no gaming. Do that stuff on your own computer and own time. I've had to discipline employees for personal use before

Re:

[Lord Bitman]

Well, your rules don't /matter/, but I see your point.

Re:

[NewWorldDan]

Right, and I don't think the sale of this should be blocked. On the other hand, I think these clowns should be prosecuted for knowingly and willingly aiding and abetting any number of felonies, and most of their customers should be prosecuted as well. This is a program primarily used for criminal purposes and those criminal acts should be prosecuted.

Come on, community!

[77Punker]

Time for OSS to step up to the plate and make a GPL equivalent!

About time.

[sarysa]

I consider myself a moderate libertarian. This is why it's only "moderate". I honestly do think this kind of software should be illegal; in fact I thought it WAS. In my opinion, no one has a legitimate reason to spy on someone else's computing habits, parents included. If you break down privacy you break down society, there's things you just don't want to know about other people, and said other people just as much do not want you to know about them.

And please, don't compare this to gun rights. Guns as self

This leads to an interesting question

[BitterOak]

How easy is it to detect and/or delete keylogger software? Does anyone know if the popular anti-virus software out there will detect it?

What about law enforcement?

[Adrian Lopez]

Does this mean that companies which develop keylogging software for law enforcement use are breaking the law? No? Didn't think so.

It shouldn't be illegal to write this kind of software, but it should be illegal to install it without either the owner's consent or a proper warrant.