What Detekt was really all about

Nex
Nov 26, 2014

In this post I speak only for myself, with my own personal opinions and not the ones of any of the organizations I partnered with.

It’s been a crazy week that started roughly with Detekt and that, as if it weren’t crazy enough, unexpectedly ended with me and my “partner in crime” Morgan publishing information on NSA & GCHQ’s malware. It’s been a sleepless and stressful week, and now I feel it’s time to draw some conclusions.

As some of you might have heard, last week I launched together with Amnesty International, Privacy International, EFF and Digitale Gesellschaft a campaign named Resist Surveillance along with a simple utility called Detekt, designed to identify the presence of very specific families of malware on Windows computers.

Oh boy, it got attention.

Much to my surprise, the media coverage was enormous. Disproportionate I would say. It brought the campaign to the attention of a general public that was not the intended audience of our initiative. It attracted a lot of users and a lot of criticisms.

The premises of the tool were quite clear, but largely misunderstood. The first goal was to raise awareness of the inherent issues of the growing adoption of spyware by law enforcement and intelligence agencies. I will not get into the ideas and the specific concerns here, as I’ll probably dedicate a separate post to explaining my motivations.
The second goal was to publicly provide a simple utility dedicated to the ones that are most likely targeted with state malware due to their journalistic and political activities, and to leverage some exclusive detection techniques that allowed us to identify such threats quite accurately.

It was widely and deeply misunderstood. It got perceived as a general purpose antispyware, which it wasn’t. It got perceived as a long term solution, which it wasn’t. The media coverage largely misrepresented the nature of the initiative. Some articles even titled “If you want to know if the NSA is spying on you, download this tool”, which is wrong and outrageous.

Many of the criticisms were directed at the technical implementation of the tool. We certainly had issues, especially in the beginning, with false positives that I did not expect. I worked around the clock to fix the issues as quickly as humanly possible and replied to every single person who wrote to me, informing them about the issue, apologizing and assisting with subsequent scanning attempts.

Many complained about the ease with which Detekt could be bypassed. Let me tell you, those critics missed the basic premise of the initiative: once the detection patterns are out and likely fixed in a matter of days by the respective surveillance vendors, potential bypassing of the tool itself is just completely irrelevant. At that point the tool is burned anyway.
It was a race that had to be rapid and wide. That’s the reason why I didn’t even bother worrying for a second about reactionary bypass techniques.

Much to my surprise, some also felt it was a matter of controversy that we only detected a handful of spyware families. Well, that was the whole point. We specifically selected ones that have been used in political contexts. Later I even decided to narrow down the scanning to just two, FinFisher and HackingTeam RCS, mostly as a response to the large mischaracterization of Detekt as general purpose anti-spyware. No, false positives were not the motivation behind the removal of the others.

We were not replacing any security software. We were not pretending to be one. Unfortunately, antivirus products are regularly tested by surveillance vendors and routinely evaded by state malware:

Avira Free Antivirus not detecting an earlier version of a commercial surveillance spyware.
G-DATA Internet Security not managing to detect a recent version of a commercial surveillance spyware.

This is the unfortunate nature of commercial surveillance: spyware vendors will work tirelessly until they have bypassed any existing security software, before distributing their product to their customers.

It’s a cat-and-mouse game that will never end. My hope was to twist the game and execute a quick action.

We had an edge, and wanted to make the best out of it. It worked:

Drawing a comparison with security vendors has never been part of my intentions. I realize their limitations as I do realize mine. You also have to consider that a large part of my intended audience often does not have access to commercial products, either because of a lack of resources or because of logistical issues, such as inability to do acquisitions online.

During my last years of work in this area, I’ve repeatedly encountered people who operate with old computers, old and unpatched versions of Windows and, unsurprisingly, no security product whatsoever. They are resourceless and left helpless.

We wanted to run a rapid triaging campaign dedicated to the many people who I know are being unjustly surveilled and harassed because of their social and political struggles, and whom we are just not able to reach.

Ultimately, this was a learning experience. We had some problems. We helped some people. I failed at communicating my intentions to a large audience, but maybe we unintentionally succeeded at raising awareness in the general public and making people reflect on the dangers of the increasing use of malware and computer hacking by governments worldwide.

I stay true to my intentions: trying and failing is hopefully still better than not trying at all.
