Today, I was on BFM talking about Hacking Team, the audio for which is below, and more comments and thoughts below that.
This is my last ditch attempt to get a conversation started about the use of surveillance software by the Government—and these conversations should take place a the higher (and more powerful) levels of goverment. Talking about it to myself on this blog isn’t taking it anywhere.
If we want change we’re going to have to get the Government involved. I know, it sounds pretty depressing that we have to get the government involved, but unfortunately they’re the people we need to convince to have a proper discussion here. There’s a whole bunch of links below for more details.
I had a really great time during the interview and encourage you to listen, if for nothing else than for the smooth sultry acoustic aphrodisiac that is my voice. But if you’re a lazy, like Garfield on rainy Sunday after a banana leaf meal, then here’s a quick FAQ on the matter.
Question 1: What is Spyware?
Spyware is software built to spy on computer users. In the past we used the term to describe relatively harmless ad cookies and software in ‘search toolbars’ to spy on users browsing and surfing habits. But this isn’t about that.
This is about a far more pervasive and invasive tool, that sucks up all the information in a computer to report back to its master. This is spyware on a different level, if personal data was dust in the air, this is the Dyson Vacuum cleaner that sucks it all up.
Question 2: How does Spyware work?
Spyware infects your computer by exploiting vulnerabilities and flaws in the software already installed on it. This includes things like Adobe Flash, Java and even the Operating systems (iOS, Windows, Mac OS, Android). Once a computer is infected it begins sending back screenshots, personal communications, e-mail messages, sms, whatsapp conversation to the command and control server.
A newer feature of spyware is the remote control capability that allows the attacker to take photos with your smartphone camera, or record using your inbuilt microphone, all without your knowledge.
Question 3: Does the Malaysian Government but Spyware?
Based on all the evidence we’ve seen, from the discovery of Command and Control Servers for Finfisher (a specific spyware model) within our borders, to the thousands of e-mails and documents in the Hacking Team breach that point to 3 agencies buying it, there is little room for doubt that at least some Government Departments have purchased spyware from both Gamma and Hacking Team.
Oh, and Paul Low also semi-admitted it 😉
Question 4: Every other government buys it, why should we be worried.
The purchase of spyware isn’t the issue, what we should focus on is the context of usage in Malaysia.
- Why is the PMO buying spyware when it doesn’t have any investigative authority?
- Why did the Government outsource the operations of the surveillance software to a private 3rd-party? Is it legal to empower contractors with this capability?
- Why does the Government continue to deny the usage of spyware on both a policy and technical level? If the Government truly didn’t buy spyware, then an investigation must be launched on Miliserv Sdn. Bhd. who bought it using their name.
- Does the law permit certain ‘features’ of the spyware, including remote control that can capture intimate pictures of an individual and private conversations that should be off-limits to government surveillance?
Question 5: Don’t we need this to combat terrorist?
Yes and No. ISIS is not your father’s Al-Qaeda, their tactics are mass-propaganda followed by lone-wolf attacks. These attacks usually require no funding from head-office and very little formal communication between ISIS and the individuals. By definition self-radicalization and lone-wolves don’t communicate much with the outside world.
Hence, surveillance doesn’t help because there is nothing to surveli. There are still legitimate uses for spyware, but not all the time, and definitely not by the PMO and MACC. We shouldn’t be writing blank cheques to the Government for surveillance, and we shouldn’t be intimidated by terrorist–otherwise they would already have won.
Here’s a bunch of links I think might be useful.
- My initial post on the Finfisher spyware found in Malaysia (link)
- My second post on Finfisher, the one after CitizenLab released the infection file, where I concluded it was indeed spying. (link)
- A post at security.my dissecting the file (link)
- The original post from Citizenlab about the infection file (link)–page 107 (a second link)
- Phineas Fisher hacks Gamma (link)
- Phineas Fisher hacks Hacking Team (link)
- My exceptionally long post about Hacking Team’s software in Malaysia (link)
- My rebuttal to Dato Seri Azalina Othman, that Malaysia did indeed buy from Hacking Team (link)
- Paul Low’s response that the MACC did indeed buy Hacking Team Software (link)
- Further proof Malaysia bought spyware (if you ever needed it)
- 5 Questions we need to ask about spyware (link)
- My rebuttal on why surveillance doesn’t work with ISIS tactics (link)
- The MACC Act (link), for other acts including the Criminal Procedure Code, check out the AG’s website (link).
- My previous kick-ass BFM interview (link)
Or visit https://www.keithrozario.com/tag/spyware for all my post relating to spyware 🙂