Finfisher Spyware Use By Governments Expanding, Masquerades as Firefox 108
nk497 writes "Mozilla has sent a cease-and-desist order to Gamma International, after it was revealed the controversial creator of spyware for governments was disguising itself as Firefox on PCs. 'We cannot abide a software company using our name to disguise online surveillance tools that can be — and in several cases actually have been — used by Gamma's customers to violate citizens' human rights and online privacy,' Mozilla said."
DavidGilbert99 writes on the wider implications of the Citizen Lab report: "Governmental spying software has been in the news a lot in recent months and today Citizen Lab has revealed its latest findings, showing that one of the most prolific tools in use, Finfisher, is now in use in 36 countries around the world [beware the auto playing video ads with sound]." And, Voulnet adds "According to analysis and report by CitizenLab of the Gamma FinFisher trojan spyware used against dissidents in the middle east and around the world, the FinFisher codebase uses the LGPL GNU Multiple Precision Arithmetic Library, possibly without adhering to its distribution restrictions."
Sue, sue, sue (Score:5, Insightful)
Re:Sue, sue, sue (Score:5, Insightful)
If I were Mozilla, I certainly would. Whenever I hear of Firefox now, I'm going to associate the name with Malware and probably just use something else. Sure after thinking about it for a bit, I'll remember this story, but that first impression matters a lot when branding is concerned.
Damage to their brand has certainly occured.
Re:Sue, sue, sue (Score:4, Funny)
Not only that, but I sign all my emails with "In God we trust" just to piss off the daemon.
Re: (Score:2)
There is nothing wrong with the real Firefox (as it relates to this story). But that's not what I'm talking about here. I'm talking about how people react to brands and how it often is an irrational behavior. In fact, the very reason that branding works is because of irrational behavior. Let's try a few examples. Consider what associations your mind makes when you first hear these brands/products/trademarks/names.
White Ford Bronco
Zyclon B
Bushmaster
Jonestown
Sandusky
Re: (Score:3)
You know malware is effective when you see retards posting things like this. Absolutely nothing wrong with the real Firefox and yet he wants to avoid using it for no good reason.
Actually, there's a very good reason. As you say, there's nothing wrong with the REAL Firefox, but there's a piece of Malware disguising itself as Firefox. How can you be sure you have the real one? Since this product is in use by governments, they probably have the ability to redirect connections to mozzila.org to their own server. So how can you be sure you're using the real Firefox? (Actually, that is a serious questions. As a "Firefox" user, I'd be interested to know if there's a utility I can run
Re: (Score:3)
</tinfoilhat>
Re: (Score:1)
Is the "harm" caused to Firefox's reputation worth any punitive damages? They don't sell Firefox and can't really claim loss of revenue. Maybe they can claim loss of donations to Mozilla?
Re:Sue, sue, sue (Score:5, Interesting)
Re:Sue, sue, sue (Score:5, Insightful)
Is the "harm" caused to Firefox's reputation worth any punitive damages? They don't sell Firefox and can't really claim loss of revenue. Maybe they can claim loss of donations to Mozilla?
Less downloads is less sponsoring from Google. But what does revenue have to do with this? Is this capitalistic brain washing that instructs you that you cannot do anything unless money is involved?
Re: Sue, sue, sue (Score:1)
FRAUD!. Throw the book at them and treat them like any member of an organised criminal hacking syndicate.
Re: (Score:3)
The Firefox brand has a perceived value, a value of identifying that product with that brand. It doesn't have to sell anything, it just has to have a 'goodwill' value associated with an identifiable brand. The fraudulent use of the brand, damages the goodwill associated with Firefox and enables a civil suit to be filed to protect and establish not just damages but punitive damages. As the abuse is particular egregious and threatens the perception of security of the products punitive damages could be quite
Re: (Score:3)
Welcome to the civil court system (Score:3)
You can't sue for damages if there aren't any. I don't care if you think it shouldn't be that way, that is how it actually is. Civil court is largely for remedying economic damages. Like if you hire me to do work on your house, I cause damage, and then refuse to pay for it, that is what civil court would be for.
So if I do something to you that is not illegal and causes you no economic harm, well you'll have trouble suing me (successfully) for it. There are cases and trademark infringement is one of them tha
No. (Score:5, Insightful)
You can't sue for damages if there aren't any.
Simply because Firefox is free to download does not mean that Mozilla does not derive any income from Firefox. Mozilla does not run off donations from people like you and I, they provide a service to a number of companies that pay they many many millions of dollars.
Loss is reputation results in fewer downloads results in a product association that is worth less to these companies.
Trademark law (Score:5, Insightful)
It's a clear trademark law violation.
"Firefox" is a name owned and controller by Mozilla, and is used to clearly designate one specific product: the Firefox browser.
Gamma are abusing the same name, Firefox, to masquerade their surveillance tool as a browser. They use the same name with intent to create confusion.
This is not allowed by trademark law and is punishable. It's almost a textbook's case.
About loss of revenue: Mozilla might not be selling copies of Firefox to end-users, they are still getting paid (by Google, among other) to produce it.
If suddenly Firefox becomes knkown as a filthy malware (which is exactly what Gamma is doing, and which exactly against what trademark law was designed) Mozilla might lose revenue though from sponsors instead of end-users.
Re: (Score:3)
Who's law? Gamma is based in England.
Re: (Score:1)
Munich, Germany, with a branch in the U.K., says Wikipedia.
Re:Trademark law (Score:4, Funny)
Dammit, I knew I shouldn't have read TFA.
Re: (Score:3)
Reading the TFA never ends up well in the long run.
Re: (Score:2)
Can you cite one CEO of any company ever being extradited to the US?
Especially for another company's lawsuit.
Re: (Score:2)
Really? Are they exactly the same as the US laws, that the GP was citing?
Re: (Score:2)
Good to know. Great insight.
You might want to know that laws in different countries are ... different.
Re: (Score:2)
Confusion (Score:2)
Even if they swap a few letters around, this is clearly made on the sole purpose of creating confusion and make the victim think it's mozilla's firefox.
That's exactly what trademark law was made against.
If Microsoft can sue anything containing "Windows" in the name, if Bethesda can sue anything containing "Scrolls" in the name, if even Apple can sue everything whose name merely begins with lower case 'i' letter... Then Mozilla could certainly sue a company whose product is designed to make use think it's Fi
Re: (Score:2)
Re: (Score:3)
Trademark damages are not limited to loss to revenue. They can also be determined by how much money is made by the infringer. Which can easily be treble. So while Mozilla might not have "lost" any money from this, the other company certainly benefited, and the role of the damage calculation Is to prohibit such behavior as it means a bigger company could willi
Re: Sue, sue, sue (Score:2)
Re:Sue, sue, sue (Score:4, Interesting)
I believe this company has already found itself on anonymous' radar. Watch out for fun on the horizon as I expect them to exploit the finfisher C&C servers for their own gain and to the embarassment of finfisher's customers.
Re: (Score:3)
Re: (Score:2)
Re: (Score:1)
They won't lose, if it's within the EU, the government(s) run the very real risk of the EU breathing down their necks and reigning them in if they do break European laws.
Same cannot be said for the USA tho.
victory for open source (Score:2)
This is one of the big reasons for supporting open source applications - violations like this can be exposed without relying on a single central authority to uncover it and trusting that the central authority will not be beholden to other interests.
Kudos to the firefox team!
Wrong interpretation (Score:5, Interesting)
The firefox part has nothing to do with "open source" or GPL violation.
Gamma isn't using a single line of code from firefox.
Instead they are abusing Mozilla's trademark.
This is a simple classical violation of trademark law. (and a clear one).
The LGPL violations are regarding some subcomponent used by finfisher, namely libGMP.
Re: (Score:1)
Thanks - I didn't mention licensing, sounds as though you read that into my comment.
This is a violation of trust more than anything else.
What this has to do with open source is that open source provides the means to identify impostors more readily - and the nicest thing is that there is a means to work around them without being required to use their "version".
Re: (Score:2)
How on earth does open source provide the means to identify imposters more readily? What central authority are you talking about? md5 will allow you to check that binary whether it's FOSS or not, and your eyeballs are pretty good at determining if another program is stealing a logo/name.
Re: (Score:2)
Absolutely nothing in this case would change if Firefox were a closed-source app. No part of this has anything to do with open source.
Re: (Score:3)
Re: (Score:3)
"Gamma isn't using a single line of code from firefox.
I am sure Darl McBride could fix that problem.
Re: (Score:2)
"Gamma isn't using a single line of code from firefox.
I am sure Darl McBride could fix that problem.
Kill that thought. Kill it with a heated spoon.
Re: (Score:2)
Can you sue under LGPL if you're not a customer? Ie, the customer never requests a copy of the source code, therefore Gamma is not required to produce it, so no license violation?
Making available is mandatory (Score:2)
under the GPL, making the source code available under some form is mandatory, no matter what.
So Gamma is violating because there's no way to get the source code of their copyleft parts.
In addition to that, the forensics using finfisher to spy are deploying it - thus distributing binaries, and should alsoprovide the parts of source code which are required by the license.
Failure to do so would be a copyright violation:
- Gamma can't copy libGMP without a license, and the license asks Gamma to provide some sour
Re: (Score:2)
Yes but the point is that only a few people have the legal standing to sue over this, not just any interested third party. The customers who received the binaries for example could sue if they were not given the source code when asked (and you don't have to proactively distribute the sources). Presumably the customers of this product aren't going to sue, as it would expose them publicly as users of the software.
Also there is a lot of assumption that there was a violation of license, but has anyone actuall
Definition of distribution (Score:2)
Presumably the customers of this product aren't going to sue, as it would expose them publicly as users of the software.
But the victims got a copy of the binary (although against their will) but did not recieve anything clearly identifying the binary, contact information, licensing of free/libre opensource components nor source code. In fact everything is done to clearly identify the binary as something completely false and different - masquerading as Mozilla's Firefox (hence the trademark violation I mention above).
Because Gamma tries to hide Finfisher from the victim, the victim isn't properly informed of her/his rights re
Re: (Score:2)
"This is one of the big reasons for supporting open source applications - violations like this can be exposed without relying on a single central authority to uncover it and trusting that the central authority will not be beholden to other interests."
By "supporting open source applications" you must mean using their products for free, and by "without relying on a single central authority" you must mean relying on Mozilla as if it wasn't a single central authority. No doubt Mozilla is only "beholden" to you
In the USA, that's criminal. (Score:3)
Re: (Score:1)
Re:In the USA, that's criminal. (Score:4, Funny)
Pshaw, it's only criminal if it isn't being used by the government. Don't you know nothing?
Re: (Score:3)
How are they getting away with this in Great Britain?
Using the tool may well be a criminal offence, but selling it isn't necessarily. And making it look like Firefox is Trademark violation, which is a Civil matter, not a criminal one.
It took a while for Mozilla to hear about Gamma and put together a lawsuit. I don't see how this is any different in the US.
Re: (Score:2)
Re:In the USA, that's criminal. (Score:4, Informative)
How are they getting away with this in Great Britain?
Read the ibtimes link - the good old USA is one of the 36 countries.
So, how are they getting away with this in the US?
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Producing the program is completely legal.
Using the program or selling it to people who use it illegally (might be) an issue.
AFAIK its a British company. The U.S. endorses lots of these international companies anyway.
Trademark ; Copyright (Score:5, Insightful)
Mozilla's case is a very clear one. Although the software (the source code) is free and open, the trademark (the branding) *IS* NOT. (Hence all the IceWeasel and similar source builds). Gamma company is clearly using a name registered to Mozilla to masquerade itself, and abuse end-users' confusion to make them think it's a Mozilla registered product. That's almost the book case for which Trademark was designed. :-( )
The only thing which could prevent Mozilla from winning at the court would be government meddling (although, this is likely as its a widely used *surveillance* tool
In theory, Gamma should have negociated a trademark licensing deal (just as do Linux distribution which provide their own branding on top of Mozilla's. The Firefox which comes with opensuse isn't the exact binary which is available at mozilla.org, but they are allowed to package their build and still call it "Mozilla Firefox" because they obtained a permission).
In practice, Mozilla will probably refuse to grant Gamma a license.
The libGMP case is much more interesting: they copied code which don't belong to them. Either they are violating its license and breaking copyright law. Or, they'll have to abid to the license and make their surveillance tool end-user- (or should it be more properly called "end-victim"- ) modifiable. (Either the whole package if its GPL or at least the LGPL parts if there are only LGPL parts in Finfisher).
Meaning that victims could without any restriction take-over finfisher by injecting their own libraries: it would end up completely legal and possible to tamper with a wiretapping device because the license of some part of it require the end-user to be able to customise them (in case of LGPL, or to customise the whole package in case of GPL).
Re: (Score:2)
I agree that Mozilla should have no problem stopping Gamma International from using their trademark, but I think you are wrong about the libGMP case. Using FOSS according to the license in no way makes your code more vulnerable to getting its libraries hijacked. It means appropriately releasing the parts of your own source code as FOSS. If your implementation is any good, it shouldn't be possible to tamper with the device.
Re: (Score:1)
This is why they should have spoofed IE. Microsoft would have happily provided a license to allow this.
Re: (Score:3)
This is why they should have spoofed IE. Microsoft would have happily provided a license to allow this.
The goal was to mimic a piece of software that a user might intentionally install and run on their computer.
How? (Score:3, Interesting)
Re: (Score:1)
The government doesn't care a whole hell of a lot if other governments are spying on their own citizens, as long as their espionage doesn't cross borders and spy on our stuff. All the better if our government has a backdoor into the software letting us spy on their citizens.
Re: (Score:2)
They haven't started legal action.
Who provides hashes on Windows? (Score:2)
Re: (Score:2)
Yup - and not just on windows. It's common in security software to see "here are our hashes, but what you should really do is check the signature on your download: here's how.
If someone puts up a fake download page for Firefox, they'll put fake hashes on the same page for you to verify. Code signing at least tries to establish a chain of trust (cue rant about the CA system, joke that it is).
Re: (Score:2)
Yes. Very much so.
Remember... (Score:5, Funny)
Re: (Score:2)
...They didn't get Al Capone for murder, they got him for distributing LGPL code without attribution.
Well, given the current state of legal systems, they simply went for the greater offense to prosecute (violating someone's IP, gosh!).
kONSPIRAsee (Score:2)
As has been noted here, and is very obvious to those with any modicum of insight, the brand and trust value in FF has been greatly tarnished:
Will the general public be more reticent to use FF?
Will computer techs be less likely to reccommend FF to users?
Will enterprises be less likely to use FF?
I think the answer is yes on all counts.
Gamma International(AKA major cunts) picked the obvious choice of "trusted" and "independent" browsers to s
Welcome to the next level, dood! (Score:1)
How about, evil is as evil does!
There's an article in that rag owned by notorious dog killer, Blethens (the Seattle Times) describing "white hats" --- a most muddied description when it pertains to those who support the status quo, which is coding software to track everyone today!
Narus [wikipedia.org], now a Boeing subsidiary, would describe themselves as "white hats" --- yet their DPI technology [wikipedia.org] (Deep Packet Inspection) has been used to track down, torture and murder pro-dem
Re: (Score:1)
Slashdot should add "P.S.=>" to the lameness filter.........
Or simply too much boldface.