Today, I was on BFM talking about Hacking Team; the audio for which is below, and more comments and thoughts below that.
If you believe (as I do) that the government bought spyware, then here are some pertinent questions.
Question 1: Do these government agencies actually have investigative powers?
While the police might have the legal authority to investigate someone, does the PMO, MACC or anyone else share that authority? If a government agency has no right to investigate someone, then why is it buying spyware?
The conversation should end here, as I don’t believe the PMO has any authority to use spyware, but the next question actually goes even further and asks if anyone has the legal authority to use it.
Question 2: Is spyware legal?
Installing spyware on a laptop or smartphone is far more intrusive than a regular home search; it’s like having an invisible officer stationed in your house listening in on everything you say and do. It doesn’t just invade the privacy of the victim, but also of those the victim communicates with, shares their laptop with, or even those that just happen to be nearby.
The MACC Act, which governs the powers of the commission, specifically states that the Public Prosecutor or Commissioner of the MACC can authorize the interception of communications if they ‘consider’ that the specific communication might help in an ongoing investigation. However, spyware from Hacking Team isn’t really ‘intercepting’ communications, because what is being communicated through the Internet is usually encrypted. Hacking Team circumvents this by capturing the data before it is encrypted and then sending that captured data in a separate communication back to its control servers. Strictly speaking, this isn’t interception; it’s shoulder surfing on steroids.
More worrying is that the spyware might take screenshots of diary entries and notes that the victim never intended to communicate to anyone; draft e-mails that they later delete are also captured by this spyware. Obviously this falls into a different category than simple ‘interception’, but I’m not done yet.
The Prime Minister’s Department has denied (twice!) that it has ever procured surveillance software from Hacking Team, even though hundreds of e-mails in the leaked Hacking Team archive point to it. In the latest rebuttal, Datuk Azalina distanced her Ministry from other government agencies, encouraging reporters to seek official statements directly from the other agencies accused of procuring the spyware.
In the meantime, though, we’ve now learnt that the MACC has made a ‘semi’ admission that they procured the spyware, and to clear any doubts there’s more proof at the end of this post. But in spite of this, Datuk Seri Azalina has remained silent.
To be clear, I’m not accusing anyone of anything. I’m merely reproducing what is already in the public domain, in the hope of taking this conversation further to address more pertinent points. We are frustratingly stuck on this issue of purchase (or lack thereof) because the Prime Minister’s Department denies it bought spyware. I find it quite appalling that the Ministry would issue a simple denial without further clarification when I had furnished many documents; in other words, they’ve provided an unsubstantiated denial to my substantiated claim.
So…here’s an e-mail (linked here), showing Miliserv requesting Hacking Team to register the Prime Minister’s Department as the End User of the system in the licensing agreement, and here’s another (below), showing Miliserv preparing to welcome 6 PMO staff to their headquarters in Milan for ‘advanced training’. I have removed the names of the PMO staff (red blocks) as I believe that employees shouldn’t be punished for mistakes their employers commit (but you can search for it online; it comes with passport numbers as well). Why send 6 staff to Milan for training if you didn’t buy the spyware?
The Government has denied buying spyware from Hacking Team; they really should have checked with me before issuing the statement.
On the 23rd of November 2015, Datuk Seri Azalina Othman Said denied that the Malaysian government had procured spyware from Hacking Team. In a formal response (in Parliament!!), the Minister simply stated “For your information, no such device was purchased by the Prime Minister’s Department”.
For YOUR information, dear Minister, I don’t like being lied to, and oh look, there’s a flying pig by the window. Next time ask your PR guys to call me before you go setting your pants on fire.
Ok folks, here’s a step-by-step on why we can trust the Hacking Team leak, why there’s conclusive proof Malaysia bought this spyware, and why we should be worried about the manner in which it is being used. So let’s go.
By now, you either know someone that’s been a victim of nasty malware or have yourself been on the business end of nefarious software. The perpetual duel between security companies and malicious elements in cyberspace has changed dramatically over time, and no change has been so dramatic as the rise of a new type of threat, a threat we call…ransomware!!
…but what is Ransomware?
Ransomware is a piece of nefarious code that infects your machine the same way any ordinary virus or spyware would. But what differentiates it from other threats is what it does after it’s infected a system.
Ransomware immediately seeks out specific file types like Microsoft Word documents, Excel spreadsheets and digital pictures, all for the purpose of encryption. Different ransomware families target different file types, but the idea behind it is to seek out files that are considered particularly valuable to the user, and that a user would pay lots of money to retrieve if ever lost. These files are then quickly encrypted using ‘bank-level’ encryption ciphers, making them unreadable to the user.
Once the files are ‘safely’ encrypted, the user is usually prompted with the message: Pay us money or never see your files again!!
The famous (or infamous) CryptoLocker would request payment only in bitcoin before the decryption key would be released to the user. The malware has kidnapped your files, and the only way to get them back is to pony up the cash.
In essence, CryptoLocker held your files for ransom, in much the same way kidnappers hold kids for ransom in those Hollywood movies, but unlike Hollywood this is real, and the one and only way to get back the files is either to pray for a miracle, or to make the payment.
There are two types of governments in the world: those that build complex surveillance software to spy on their citizens, and those that buy it–and our government is more the buying type.
Few nation-states have the budgets to build out complex surveillance software, but some are finding that ‘off the shelf’ software sold by dodgy companies is just as effective at a fraction of the price. The problem with buying, of course, is that sometimes those dodgy companies that manufacture this spying software also sell their wares to repressive regimes like Sudan, and being on the same customer list as Sudan doesn’t quite bode well for any ‘moderate’ government.
Take Gamma Corp for example, the organization responsible for the FinSpy and FinFisher suite used by the Malaysian government in the run-up to the 2013 General Elections. Another is Hacking Team, an Italy-based company that produces similar remote control software (RCS).
And in a bit of internet karma–both of these companies were hacked themselves…possibly by the same person.
In August 2014, Gamma was hacked and had 40GB of data forcefully exfiltrated from their servers. My analysis of that leak revealed no information about Malaysian purchases of their FinSpy software, simply because a large chunk of that data was encrypted.
Recently, however, Hacking Team suffered a much more severe attack, one that managed to extract 10 times more data, and here I found ample evidence of Malaysian government agencies procuring spyware from Hacking Team, presumably to be used against Malaysians.
The question of course is: should you be worried? The answer is yes, and not just for the obvious reasons. After combing through a trove of documents, I found that 3 government agencies procured the ‘flagship’ RCS software from Hacking Team, and from my layman’s understanding of the law, none of them has the authority to actually use it.
Worse still, some e-mails point to incompetent IT skills as well as bad procurement practices that actually annoyed Hacking Team’s sales force. I will conclude this post with why this attack on Hacking Team has a positive outlook for regular internet users, and why our government agencies procuring this stuff isn’t exactly ALL THAT BAD.
The new Prevention of Terrorism Act (POTA) in Malaysia should not be considered in isolation, but rather in the context of the 6 other anti-terrorism Bills that were concurrently proposed. All of these new laws will almost certainly come into effect, thanks to the whip system employed by the ruling party. Yet the laws violate fundamental human rights, such as the right to a fair trial and the right to personal privacy.
I’m particularly worried about the amendments to the Security Offences (Special Measures) Act (SOSMA), an amendment that has slipped under the radar simply because it’s been outdone by harsher changes to the Sedition Act, and the new POTA.
The original SOSMA had granted law enforcement powers to intercept and store any kind of communication, including digital communications, without any judicial oversight. Police officers ‘not below the rank of Superintendent’ could wiretap any communications if they ‘felt’ there was a need to do so, without obtaining any warrant. Section 24 of the act further stipulated that law enforcement did not have to reveal how they obtained such information and could not be compelled to do so under the law, which acts as a blank cheque for the police and other investigative bodies to utilize any and all manner of surveillance and intelligence gathering, regardless of the legality of their methods, since no oversight can be carried out on those methods.
The amendment to SOSMA further enhances existing powers to allow for any evidence “howsoever obtained, whether before or after a person has been charged” to be admissible in a court of law. This isn’t a big jump from where we were, but making this statement explicit in the act leads me to only one conclusion.
Our legislators have granted such broad powers to the Police and the executive branch of government that they can now intercept and store the communications of millions of Malaysians; hence the next logical step would be state-wide bulk surveillance. In light of what the NSA and GCHQ have already done, SOSMA would make it perfectly legal for Malaysian authorities to execute identical surveillance programs locally and have all the evidence generated under such a program be admissible in a court of law without ever revealing how the evidence was obtained.
Think about it: on the one hand, the Government amends SOSMA to allow it to collect just about anything as evidence without any judicial oversight that might ‘slow down the process’, and on the other hand it needs POTA to detain ‘terrorists’ without a trial because it’s hard to come by evidence. It doesn’t make any sense: what’s the point of creating POTA if you’ve already removed all the barriers to collecting evidence, and what’s the point of SOSMA if you already have the power to detain someone without any evidence?
It would seem to me, that by allowing Government surveillance of any kind, and by allowing detention without trial, we’re creeping into a world where the Government can intercept all your communications to learn about what you’re thinking and doing–and then detain you without any justification. That’s a world even Stalin would envy.
I know I’m a tin-foil hat wearing conspiracy nut, and I know I’m on an extreme edge when it comes to political and social views—not many Malaysians agree with me on many things. Still…I think that if you look at the acts in totality, place them in the context of the current trends of Government surveillance across the world, and consider that our government has a track record of deploying spyware in Malaysia, it seems perfectly reasonable to me to conclude that our government wants to run a state-sponsored bulk-surveillance operation in Malaysia.
The team over at FireEye threat intelligence published a special report (pdf) detailing a long-running (and still on-going) cyber-espionage operation that has targeted multiple entities in ASEAN countries, including Malaysia. The program was reported to have been running for more than a decade, and the sustained period, coupled with the list of targets the program had, led FireEye to believe it to be a state-sponsored activity, as no other type of organization would be able to afford such a professionally run program, operated for such a long period of time with no discernible source of income.
The group was nicknamed APT30, an abbreviation for Advanced Persistent Threat number 30 (I’m guessing the 30 part, because FireEye have other APTs on their github page). APT is a cyber-security term coined to identify an attacker that has both the capability and persistence to target specific entities until they eventually break, and then continue to suck information from their victims for a significant amount of time. Basically there are script kiddies, hackers and then the ‘Advanced Persistent Threats’; APTs are a class above the rest.
APT30 operated a suite of tools including back-doors and command and control software that were given catchy names like Backspace, NetEagle, Flashflood and ShipShape. The tools demonstrated a fair amount of sophistication in the way they functioned, but what really impressed the FireEye team was the level of professionalism that the coders exhibited: the malware had a well-defined version control system, automated tools to manage many of the operational tasks, and even functionality that allowed the system to be operated 24/7 by a team working in shifts, with one window requesting the operator to enter their ‘attendant code’. I wouldn’t be surprised if the system even calculated yearly increments and provided KPI reports in the background.
Over the past years we’ve seen a recurrent theme where government agencies were attempting to curtail internet freedom in the name of ‘keeping the peace’. From Saudi telcos threatening security experts to help them hijack tweets, to governments procuring tools like FinSpy to spy on their citizens–usually without any warrant or legal oversight. We’ve seen US federal agencies try to legislate mandatory technical backdoors into software, and how the Syrian government treats internet access for its citizens like candy for their children–you only get it if you behave.
In Pakistan, a wholesale blockade of YouTube means their citizens are missing not just Gangnam Style, but Gentleman as well (although that may not necessarily be a bad thing)–and we all know how much censorship and surveillance is going on in China.
A French court is now asking Twitter to hand over account details to identify individual users that tweeted anti-Semitic messages; both the Dutch and German police are users of spyware from companies that are deemed ‘corporate enemies of the internet’ by Reporters Without Borders; and while you may agree that courts have a right to curtail hate speech, just ruminate for a moment on how one-sided French law is when it aggressively pursues anti-Semitic messages but forbids Muslim schoolgirls from wearing a hijab to school because it is supposedly a symbol of oppression. These biases point to deep flaws in our belief that freedom of speech can somehow be regulated by governments–the term regulated freedom of speech is an oxymoron to begin with.
This of course doesn’t just affect the ‘bad’ countries, those with lifetime membership cards to the axis of evil, but countries we’d generally consider good guys as well, those we associate with a respect for personal privacy and citizen rights. So how did we end up like this? To truly appreciate where we are, we need to go back to how it all starts.
A false sense of Insecurity
Throughout history, it all starts in the name of national security, or keeping the peace. Government agencies ramp up security concerns and threat levels to grant a false sense of insecurity to their citizens–because it’s only in this environment that citizens are willing to grant such unilateral powers to the government (and its agencies). People aren’t too willing to allow for unilateral government interception of communications–unless of course they perceive that terrorists live among us, and the government requires these powers to protect the innocent.
The track record of governments has never been good. September 11 was a colossal failure of government intelligence, and it’s usually used as an example of why governments should do better. What most people don’t know is that a company called Acxiom had data on 11 hijackers, and provided that data to assist in investigations post 9/11; it turns out that had the government agencies used Acxiom, they may have had additional security on the planes that crashed into the WTC. The breadth and depth of the information provided to law enforcement has been kept secret–and in the wake of such attacks nobody bothered to ask whether Acxiom was operating within the legal limits of collecting and storing that data–worse still, people forget that Acxiom itself was hacked, leaking private information of millions of Americans. Yes, it may have helped thwart the attacks on 9/11, but Acxiom itself became a target of attack shortly after details of its information bounty were published; there are a lot of people who would pay for that kind of information.
Even with the fundamental problems of the government storing such private information–government agencies throughout the world continue to ramp up security concerns in the hope of scaring people into giving up their freedoms. Closer to home we continuously see the ‘threat of sedition’ being used to deny individuals and private citizens their rights. The ‘possibility’ of a repeat of May 13th is now accepted as a ‘high probability’ even though there is no data to suggest that a repeat is possible, let alone probable. Just like the courts in France, we see a glaring bias in the execution of these sedition laws–and the targets are often pro-opposition rather than pro-government.
The Malaysian government is now being accused of running spyware suites like FinFisher, which gives the malware owner a voyeuristic ability to spy on the victims. The makers of FinFisher claim their software is only sold to governments–without realizing it’s the governments themselves that are illegally spying on their citizens.
Not since Tom Sawyer tricked his friends into painting his white fence have such levels of deception been seen.
However, the level of deception isn’t what is troubling; it’s the level of apathy among mainstream society to these revelations that sends shivers down my spine. No one from the general public seems perturbed that the very technology that was supposed to advance democracy and free speech in Malaysia is now being used to suppress it.
And we’re not the only ones spying on our citizens…
In 2 days’ time, the South-East Asian nation of Malaysia will go through its 13th General Election since 1955. Some might look negatively on the number 13, but for the vast majority of Malaysians the coming few days will either raise our hopes or shatter them.
Malaysia has had only 1 party in power since its independence—that’s a long time to be in power, and for the first time since 1955 the ruling party in Malaysia is under threat, not just of losing its 2/3rd majority in Parliament, but the entire election altogether, and with it control of the Federal Government.