Mozilla accuses Gamma of dressing up dictators' spyware as Firefox

Firefox-maker Mozilla claims spook supplier Gamma International disguises its spyware as the popular web browser - and wants it to stop. The non-profit software foundation slapped a cease-and-desist demand on UK-based FinFisher developer Gamma. In the legal letter, Mozilla said its Firefox trademark is being violated and that …

COMMENTS

This topic is closed for new posts.
  1. Ken Hagan Gold badge

    An opportunity for AV companies

    Most popular software packages are digitally signed these days. It would be fairly simple to write code to check a list of a hundred or so "most popular" packages (all recent versions) and check that their certs are correct. It wouldn't take very long either, since the cost is essentially one pass of your directory tree plus one signature check for each of the whitelisted apps that it finds. As "heuristic" checks go, this strikes me as a whole lot more useful than hosing your OS, which is what some of the AV companies seem to do.

    If the AV companies won't bother, perhaps MS would like to consider it for their own monthly malware scan (from Windows Update). Since I'm a generous bloke, I hereby put the idea of "using digital signatures for their intended purpose" into the public domain.

    1. Anonymous Coward

      Cease and desist?

      Sod that,

      Litigation, litigation, litigation....sue,sue,sue.

      That will end them.

      1. Tom 13

        Cease and desist

        IS the start of litigation.

    2. eulampios

      Re: An opportunity for AV companies

      Package check-summing and gpg-signing have been around on well-designed OSes for quite a long time now. Say, Apt implemented digital signing in 2003 and Debian has used it since 2005. md5/sha verification of the contents of a package has been there perhaps since the dawn of time.

    3. Neoc

      Re: An opportunity for AV companies

      I seem to remember that this is how virus scanners *used* to work, before they went "Heuristic" - they'd scan your HDD and create MD5s from your files for later comparison.

      1. Ken Hagan Gold badge

        Re: An opportunity for AV companies

        "I seem to remember that this is how virus scanners *used* to work"

        It's similar, certainly, so we know it is scalable up to quite ridiculously large numbers, but there is a difference. Traditional AV uses signatures of unknown EXEs to see if they contain known viruses. I'm suggesting using the signatures of known EXEs to see if they contain unknown viruses.

    4. El Andy

      Re: An opportunity for AV companies

      Windows has had various warnings against running/downloading unsigned binaries for years. However the freetard brigade have consistently whined that it's all part of some grand conspiracy against them and part of some devious plot to extract money out of them.

      1. phiz

        Re: An opportunity for AV companies

        You are assuming there is trust in the signing process? I'm sure any government could bend the arm of MS or issuer to sign their binary to ensure it gets installed. All it would take is one to sign it, and be trusted by all computers regardless of country.

        1. El Andy

          Re: An opportunity for AV companies

          @phiz: So on the off chance that some government might just possibly be able to compromise a cert auth, we should instead allow anybody to spoof applications by having no signing process at all? It's not a case of "every signed app must be implicitly trusted", but instead "anything not signed should be treated as potentially compromised".

          There would be nothing to stop app authors also providing their own verification mechanisms if they're really that worried about a CA being compromised. And the minute a single CA was identified as being compromised in any way, it'd pretty much kill their business off.

        2. Ken Hagan Gold badge

          Re: An opportunity for AV companies

          "You are assuming there is trust in the signing process?"

          No, I am not. I am assuming that the AV vendor builds the whitelist themselves and verifies that (for example) the version of Firefox.exe on the customer's machine matches one of the versions of Firefox that the AV vendor has seen in their own lab.

          I am also assuming that the bad guys can't just switch to Trojanising *unpopular* software, because their infection strategy depends on popularity. Therefore, the whitelist would not need to be unmanageably large in order to be effective.
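          The whitelist scan sketched in Ken Hagan's two comments above, written out as an added example (not code from the article, from Mozilla, or from any AV vendor): the vendor hashes the releases it has examined in its lab, a single pass over the directory tree hashes only files whose name is on that list, and a file that borrows a popular name without matching any known release is flagged. The file names, sample bytes and directory layout are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_whitelist(lab_samples):
    """lab_samples: {file name: [bytes of each release seen in the lab]}.
    Returns {lower-case file name: {sha256 digest, ...}}."""
    return {name.lower(): {hashlib.sha256(b).hexdigest() for b in blobs}
            for name, blobs in lab_samples.items()}

def scan_tree(root, whitelist):
    """One pass over the tree: files whose name is on the list are hashed
    and compared; a popular name with content the lab has never seen is
    reported as 'impostor'. Files with other names are ignored."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            known = whitelist.get(name.lower())
            if known is None:
                continue
            path = os.path.join(dirpath, name)
            status = "ok" if sha256_of(path) in known else "impostor"
            findings.append((os.path.relpath(path, root), status))
    return sorted(findings)

def demo():
    """Constructed scenario: the lab has seen two Firefox releases; the disk
    holds one genuine copy, one file merely named firefox.exe, and an
    unrelated text file that the scan must ignore."""
    lab = {"firefox.exe": [b"MZ genuine firefox 21", b"MZ genuine firefox 22"]}
    wl = build_whitelist(lab)
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "Mozilla Firefox").mkdir()
        (r / "Mozilla Firefox" / "firefox.exe").write_bytes(b"MZ genuine firefox 22")
        (r / "Temp").mkdir()
        (r / "Temp" / "FireFox.exe").write_bytes(b"MZ something else entirely")
        (r / "Temp" / "notes.txt").write_bytes(b"not an executable")
        return scan_tree(root, wl)  # -> [('.../firefox.exe', 'ok'), ('.../FireFox.exe', 'impostor')]
```

Running demo() prints nothing; it returns the findings list so the same function can be checked from a test or wired into a scheduled scan.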

  2. nuked

    The 'legitimate' monetisation of cyber-warfare. What could possibly go wrong...

  3. jai

    The company did not respond to our requests at the time of writing.

    Best to check if there are two copies of "Firefox" installed on the El Reg computers.

  4. Anonymous Coward

    Loathsome purveyors of malware. I do hope Mozilla make them pay for the damage that's being caused to their reputation.

    What sort of odious software engineer is happy to work on this stuff?

    1. unwarranted triumphalism

      People with responsibilities, that's who. We don't all live in your hippie utopia.

      1. Steven Roper

        @unwarranted triumphalism

        Since you voluntarily accepted the "responsibilities" of being a fucking scumbag by choosing to work for these sorts of companies, how well do you sleep at night knowing your "responsibilities" are killing innocent people?

        Sleep tight, scumbag. Sleep lightly.

      2. sabroni Silver badge

        re: People with responsibilities

        Responsibility? I think the word you're looking for is greed.

  5. Derek Jones

    Where can we download the source?

    Firefox is distributed under the Mozilla Public license, https://www.mozilla.org/MPL/2.0/, which as I understand it requires distribution of "... any Modifications that You create or to which You contribute, must be under the terms of this License."

    Where can I download the source code of the changes and updates Gamma has made?

    1. danR2

      Re: Where can we download the source?

      I imagine there is a security-exception escape clause, especially the last sentence:

      __________

      4. Inability to Comply Due to Statute or Regulation

      If it is impossible for You to comply with any of the terms of this License with respect to some or all of the Covered Software due to statute, judicial order, or regulation then You must: (a) comply with the terms of this License to the maximum extent possible; and (b) describe the limitations and the code they affect. Such description must be placed in a text file included with all distributions of the Covered Software under this License. Except to the extent prohibited by statute or regulation, such description must be sufficiently detailed for a recipient of ordinary skill to be able to understand it.

      __________

      1. Derek Jones

        Re: Where can we download the source?

        I imagine that Gamma would like to be covered by that clause, but aren't they just a commercial company with no special privileges?

        1. danR2

          Re: Where can we download the source?

          I'm suspecting the laws in various countries make exceptions for commercial interests dealing with defense, security, and law-enforcement parties. There's the notorious secrecy law surrounding RIM/Blackberry and law enforcement a while back; but the details are no longer in my memory.

      2. danR2

        Re: Where can we download the source?

        Can't see the downvote.

        I'm simply offering a conjecture based on the wording copied straight out of the agreement.

        1. sabroni Silver badge

          Re: Can't see the downvote

          votes. Mentioning downvotes is like a red rag to a bull round here.....

    2. Neoc

      Re: Where can we download the source?

      I may have misunderstood, but from what I read I thought they were re-packaging their spyware to look like a Firefox executable to the OS, but that it wasn't FF in any way.

      Did I read wrong?

  6. Antoinette Lacroix

    Wrong audience

    " . . .to trick them into installing FinSpy on their Windows PCs."

    I may be dead wrong . . but haven't the people, worth monitoring, ditched that OS a long time ago ? As long as $GOV targets Windows PCs, the real hacks have nothing to worry about. A BSD version - now that would be cute.

    1. Ken Hagan Gold badge

      Re: Wrong audience

      Actually, I think you are dead wrong. Whilst it is true that anyone specialising in cyber-warfare probably isn't running XP, there are plenty of other criminal types who use computers in much the same way that I use a car. For example, I believe Bin Laden's hideout had a number of Windows machines.

    2. sabroni Silver badge

      Re: I may be dead wrong

      You are. The idea that political activism is tied to a particular operating system is genuinely pathetic. Real activism requires you to get out there and do something, no OS required.

      Good use of, commas though.

  7. mIRCat

    So what you're saying is....

    "“Gamma’s software is entirely separate, and only uses our brand and trademarks to lie and mislead as one of its methods for avoiding detection and deletion.”

    Fowler stressed FinSpy does not affect Firefox. “Gamma’s software is entirely separate, and only uses our brand and trademarks to lie and mislead as one of its methods for avoiding detection and deletion,” Fowler claimed."

    It sounds like Gamma's software is entirely separate, and only uses Mozilla's brand and trademarks to lie and mislead as one of the methods for avoiding detection and deletion. Do I have that right?

  8. btrower

    Could not happen if ...

    If our PK infrastructure weren't so horribly broken, this type of thing would be impossible. As Ken Hagan above mentions, even the existing one will allow a patch.

  9. Anonymous Coward

    Another take/solution

    Parallels to earlier Firefox story:

    http://www.theregister.co.uk/2013/04/16/mozilla_threatens_teliasonera

    - Gamma is selling technology to snoop on citizens.

    - Mozilla community opposes this behaviour - and asks Thawte to rescind all the Gamma certificates.

    - Thawte of course refuses to do so and Mozilla responds that Thawte's root certificate won't be included in the future versions.

    I foresee this as plausible as Firefox removing TeliaSonera's certificates.

  10. Alan Denman

    So your PC security has been Thwarted!

    Yep,

    it does seem to make any Thawte certificate near worthless.
