this scripts is long, confused and full of notes, links and questions, if you have the coffee on, it is better to stop it. This work was hard and we hope you like it.
We are talking about malware, offensive security and the attempt to legalize this institutional malware.
As we like to touch with our hands the stuff about what we talk about, we got one of this "malware" and we start do create a documentation about the setup of this. For everybody who wants to get hands dirty with us.
Then we get infected voluntarily using a device with his malware in order to study it closer, understanding how it works and which bugs may have.
Last, as many and many people are trying to create some rule and law about this very dangerous stuff we need strong guarantees in order to not accused of some false data gathered from our devices1, we have tried to generate some fake proof in order to understand how reliable are this gov-malware.
The conclusion we got is that there is no way to be sure technically that the evidence are real
We documented all the steps in a detail post, here instead, we want to analyze the ongoing proposal to legalize this malwares.
the concrete threat about the abuse of this very powerful tool move us to bring some lights on this foggy situation.
We are not law maker, but seems the malware in italy are already regulated. The crime is well now for hacker like us, 615-ter C.P. aka "Abusive Access into a System device" which shows also a specific part if the crime is done by an official.
But, the fact this tools are daily used from the police as investigation tool and nobody is showing any problem about that, is the demonstration about how a law is a perfect repressive tools, but is not working very well as justice and social tool. Which Police station will investigate about their own investigation tools ?
What we are trying to do for the future is to try to avoid that our (and yours) devices will spy us. Then, We would like spread some good security pratice in order to avoid to get infected from this and other trojans: we will surely need help because we know that won't be not exactly easy.
how do you explain the use of a tank ? We just need to talk about terrorism, about pedoporn? We just need to talk shit about some politician? Or maybe act against some big national operation ? We feel absolutely NOT protected from the italian law to regulate malware written and showed by "Civici Innovatori" (law:Quintarelli) which show a lot of issues; we just stopped a second reading tecnical operative law proposal2 how to rule and limit this and we discover they are trying to create similitudes with the malware functionality and the some regulated police pratice, like: tag after someone, intercept location data or real confiscation of the data into a device.
Trying to create similitudes between classic pratice and malware features it's absurd from every point of view and for every kind of justice act you may consider:
compare a confiscation to a remote file acquisition of a device is ridiculous. During a confiscation there's the presence of the person investigated which can verify what is happening, can request the presence of a lawyer and at the end should receive a list of the confiscated material. We can't imagine how this can be possible during a remote confiscation using a malware.
a real confiscation aim to cut off the availability of a specific tool, like a gun. The malware doesn't cut off this availability, because is not made for this.
Compare the GPS tracking of a real tagging is ridiculous. Get the digital data and easy to be analyzed from invasive algorithm is not comparable to a real shadowing, the quality of the data is completely another level.
But most of all there's a quantitative question about costs: do a shadowing from the police desk to 1000 people doesn't have the same cost to do it for real, it's clear that if yesterday doing a shadowing was a matter of time and money, but now, with a malware all you need is just to focus clic and press a button. The consequences of this is quite obvious. Just trying to imagine that this two operations are the same is quite ridiculous.
Then we start from the idea that a device is owned by the person investigated, but this is not always true. For example all the "public" device, the internet point, the libraries, the university. Reading the email from an internet point tapped where a person under surveillance used the pc before of us, bring us a risk because the pc is bugged (so is an infected pc) our email will go to the police. Even if we with a used device, our email will be delivered to the police.
Then there is a temporal problem. With a classical mobile interception, the SMS are grabbed starting from a specific day and the interception has a time limit for legal reason. The trojan is another story, it can read the data with no time limit, sending all the conversation on the device from the beginning of it's history, because it is all saved there.
During a shadowing there's the guarantee (except to hire a lookalike) that the position is the effective location of the investigated person. But the device may not travel with the person, it can be stolen or forgotten in a taxi. So basically the device owned by the person is not the person.
To believe as we read in the document, that the installation of a malware doesn't lower the security level where is installed is ridiculous, the base idea of the malware is exactly to let open some vulnerability in order to use it and doing so keep insecure the device of everybody in order to infect them.
To certify the impossibility to alterate the evidence seems impossible to obtain and later we prove it in two different way. But there's more. How is possible to certify the producer is not compromised? How is possible to verify that behind the massive architecture there's not a backdoor for someone else being able to use it? No, there's no way to verify it.
Lastly, seems a paradox for us that the government want to use digital weapons bought from a shadow market and very less transparent as the zero-day market
during our experiment we notice that the input of this 'objects' are considered trusted (not modified by the user), which is clearly erroneous. What may happen if a skype username is AAAA' DROP ALL TABLES--? and if it's length is 10million chars? And what if instead of an image we put something different and the malware breaks ? (yes it broke very badly). How the law will consider this social behaviour? self-defense? evidence occultation?
For us this 'objects' can't be regulated. For us there's a danger hidden into the secret action of the government over the citizen and this danger is way more unsafe than any other threats, fullstop.
We want to know all, not just the stats about how many malware are sold or exported (as recently requested by Hermes to the italian government), but we want to know specifically how exactly are used these new surveillance technique, like IMSI-Catcher or Government Malware and how many of them are used
If someone want to tell us, fell free to write us an email:
Underscore _TO* Hacklab // underscore chiocciola autistici.org
Key fingerprint = 5DAC 477D 5441 B7A1 5ACB F680 BBEB 4DD3 9AC6 CCA9
gpg2 --recv-keys 0x9AC6CCA9
