A few weeks ago, we started seeing reports of a Trojan called Darkcomet RAT on computers belonging to Syrian activists. It captures webcam activity, disables the notification setting for certain antivirus programs, records keystrokes, steals passwords, and more, and sends that sensitive information to an address in Syrian IP space. Symantec's writeup and recommendations are available here.
Now we've seen reports of new malware, Xtreme RAT, which sends data back to the same address in Syrian IP space and whose release appears to predate the Darkcomet RAT Trojan. Reports indicate the Trojan is being spread through email and chat programs. The malware was used to log keystrokes and take screenshots of the victim's computer, and it is likely that other functionality was also used.
You should take steps to protect yourself from being infected by not running any software received through e-mail, not installing software at all except over HTTPS, and not installing software from unfamiliar sources even if it is recommended by a pop-up ad or a casual recommendation from a friend. EFF also recommends keeping your computer's operating system up to date by immediately installing security updates from your operating system vendor. Do not use an operating system that is obsolete and no longer receiving security updates.
Finding any of the following files or processes is an indicator that your computer has been compromised by Xtreme RAT; the more of them you find, the stronger the sign of compromise.
How to identify Xtreme RAT if it is running on your computer, if you are running Microsoft Windows (the folder names below follow the Windows XP layout):
1. Go to your Windows Task Manager by pressing Ctrl+Shift+Esc and click on the Processes tab.
Look for a process called svchost.exe running under your username. In this example, the user is Administrator. Legitimate svchost.exe instances run under SYSTEM, LOCAL SERVICE or NETWORK SERVICE, so one listed under your own account is the indicator.
2. Open your Documents and Settings folder. Click on your username (in this example, "Administrator"). Open the Start Menu folder, then Programs, then Startup (this is the same folder the Start menu shows under All Programs, then Startup). Look for a shortcut labeled "(Empty)", which is a sign of infection. Note that the Start menu itself shows a greyed-out "(Empty)" placeholder when the Startup folder has no entries; the indicator here is an actual shortcut file with that name inside the folder.
3. Open your Documents and Settings folder. Click on your username (in this example, "Administrator"). Open the Local Settings folder, then the Temp folder. Look for two files: _$SdKdwi.bin and System.exe. If file extensions are displayed, the second file will appear as System.exe; if they are hidden, it will display as "System Project Up-date DMW".
4. Open your Documents and Settings folder. Click on your username (in this example, "Administrator"). Open the Local Settings folder, then Application Data, then Microsoft, then Windows. Look for two files: fQoFaScoN.dat and fQoFaScoN.cfg.
5. Click the Start button, type "cmd" and press Enter to open a command window. Type "netstat -ano". In the resulting list of active connections, look for an outbound connection to the following IP address: 184.108.40.206. The -o switch adds the owning process ID to each line, so you can check whether that connection belongs to the svchost.exe instance found in step 1 (Task Manager shows process IDs once you enable the PID column under View, then Select Columns).
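As an added example (not part of the original advisory), the following Python script automates the five checks above against the output of `tasklist /V /FO CSV`, the output of `netstat -ano` and a profile directory. The sample listings and the throwaway profile it builds are constructed for the demonstration, not captured from an infected host. It assumes the Windows XP profile layout described above, that legitimate svchost.exe instances run only as SYSTEM, LOCAL SERVICE or NETWORK SERVICE, and that the "(Empty)" Startup entry is a shortcut file named (Empty).lnk.

```python
import csv
import io
import os
import tempfile

# Indicators from the steps above.
SUSPECT_IP = "184.108.40.206"
# Accounts under which legitimate svchost.exe instances run on Windows XP;
# one running under the logged-in user is the process indicator.
SERVICE_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE",
                    "NT AUTHORITY\\NETWORK SERVICE"}
# File indicators relative to the profile directory
# (C:\Documents and Settings\<username> on Windows XP).
APPDATA = os.path.join("Local Settings", "Application Data", "Microsoft", "Windows")
FILE_INDICATORS = [
    os.path.join("Local Settings", "Temp", "_$SdKdwi.bin"),
    os.path.join("Local Settings", "Temp", "System.exe"),
    os.path.join(APPDATA, "fQoFaScoN.dat"),
    os.path.join(APPDATA, "fQoFaScoN.cfg"),
]
STARTUP_DIR = os.path.join("Start Menu", "Programs", "Startup")
STARTUP_LINK = "(Empty).lnk"  # assumption: the "(Empty)" link is a .lnk shortcut file


def suspicious_svchost(tasklist_csv):
    """Step 1: (pid, user) for each svchost.exe not running as a service account.
    Input is the output of `tasklist /V /FO CSV`."""
    hits = []
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        if row["Image Name"].lower() == "svchost.exe" and row["User Name"] not in SERVICE_ACCOUNTS:
            hits.append((int(row["PID"]), row["User Name"]))
    return hits


def suspicious_connections(netstat_text):
    """Step 5: (foreign address, pid) for every connection to SUSPECT_IP.
    Input is the output of `netstat -ano`; the trailing PID column ties a
    connection back to the process found in step 1."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] in ("TCP", "UDP"):
            foreign = parts[2]
            if foreign.rsplit(":", 1)[0] == SUSPECT_IP:
                hits.append((foreign, int(parts[-1])))
    return hits


def file_indicators_present(profile_dir):
    """Steps 2 to 4: indicator files found under profile_dir, plus any Startup
    entry named "(Empty)"."""
    found = [rel for rel in FILE_INDICATORS if os.path.exists(os.path.join(profile_dir, rel))]
    startup = os.path.join(profile_dir, STARTUP_DIR)
    if os.path.isdir(startup):
        found += [os.path.join(STARTUP_DIR, n) for n in os.listdir(startup)
                  if os.path.splitext(n)[0] == "(Empty)"]
    return found


def assess(profile_dir, tasklist_csv, netstat_text):
    """Combine the checks. A connection to the suspect address owned by the odd
    svchost.exe counts twice: the same process runs as you and phones home."""
    procs = suspicious_svchost(tasklist_csv)
    conns = suspicious_connections(netstat_text)
    files = file_indicators_present(profile_dir)
    linked = [c for c in conns if c[1] in {pid for pid, _ in procs}]
    score = len(procs) + len(conns) + len(files) + len(linked)
    verdict = ("no indicators found" if score == 0 else
               "one indicator: investigate" if score == 1 else "likely compromised")
    return {"processes": procs, "connections": conns, "files": files,
            "linked": linked, "score": score, "verdict": verdict}


# Constructed sample of `tasklist /V /FO CSV` output (not from a real host).
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"svchost.exe","1032","Console","0","4,812 K","Running","NT AUTHORITY\\SYSTEM","0:00:01","N/A"
"svchost.exe","1428","Console","0","3,104 K","Running","XPBOX\\Administrator","0:00:00","N/A"
"explorer.exe","1580","Console","0","18,220 K","Running","XPBOX\\Administrator","0:00:05","N/A"
'''
# Constructed sample of `netstat -ano` output.
SAMPLE_NETSTAT = '''
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       896
  TCP    192.168.1.7:1039       184.108.40.206:80      ESTABLISHED     1428
  UDP    0.0.0.0:445            *:*                                    4
'''


def make_demo_profile(infected=True):
    """Throwaway profile directory; with infected=True it holds the two Temp
    files and the Startup shortcut from the steps above (empty, constructed)."""
    base = tempfile.mkdtemp(prefix="xtreme_demo_")
    if infected:
        for rel in FILE_INDICATORS[:2] + [os.path.join(STARTUP_DIR, STARTUP_LINK)]:
            path = os.path.join(base, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "wb").close()
    return base


if __name__ == "__main__":
    for key, value in assess(make_demo_profile(), SAMPLE_TASKLIST, SAMPLE_NETSTAT).items():
        print(f"{key}: {value}")
```

On a real machine you would feed `assess()` the text saved from `tasklist /V /FO CSV > t.csv` and `netstat -ano > n.txt` and the path to the user's profile folder; the constructed samples produce a score of 6 because the svchost.exe running as Administrator is the same process holding the connection to the suspect address.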
What To Do If Your Computer is Infected:
If your computer is infected, deleting the above files or using anti-virus software to remove the Trojan does not guarantee that your computer will be safe or secure. This malware gives an attacker the ability to execute arbitrary code on the infected computer. There is no guarantee that the attacker has not installed additional malicious software while in control of the machine.
As of March 6, 2012, only one anti-virus vendor recognizes this Trojan. You may try updating your anti-virus software, running it, and using it to remove the Trojan if it comes up, but the safest course of action is to re-install the OS on your computer. Because the Trojan logs keystrokes and steals passwords, treat every password typed on the infected machine as exposed and change it from a clean computer once the reinstall is done.
Recently, Salon’s Glenn Greenwald reported that Idaho billionaire and CEO of Melaleuca, Inc., Frank VanderSloot, has been engaged in a systematic campaign to silence journalists and bloggers from publishing stories about his political views and business practices. VanderSloot and Melaleuca have targeted national news organizations and small town bloggers alike by issuing bogus legal threats alleging defamation and copyright infringement in an attempt to keep legitimate newsworthy information from being released to the public.
This aggressive tactic not only chills otherwise protected free speech, but in many states, also risks triggering liability under “anti-SLAPP” statutes. Anti-SLAPP laws prevent strategic defamation lawsuits—frequently filed by plaintiffs with deep pockets—that have little to no chance of winning, yet are aimed at pressuring the target into settling for fear of expensive litigation.
Last month, after VanderSloot became a finance co-chair on leading Republican presidential candidate Mitt Romney’s election campaign, Melaleuca’s attorneys sent threatening letters to Mother Jones and Forbes, forcing them to temporarily take down articles exploring VanderSloot’s public position on gay rights and Melaleuca’s business practices. It turns out that this practice is nothing new for VanderSloot: he has targeted local political blogs in Idaho with similar tactics for years.
At the beginning of February, a blogger for The Idaho Agenda was forced to take down a post after receiving a defamation suit threat from Melaleuca’s in house counsel. The author indicated that he took it down because he feared the expensive litigation battle but insisted that “the facts included in the post are a matter of public record found elsewhere, including the internet, periodicals and newspapers.”
Back in 2007, Melaleuca pressured the politics blog 43rdStateBlues to take down a critical post written by a pseudonymous blogger “TomPaine.” Another blogger on 43rdStateBlues, “d2”, posted the lawyer’s letter explaining to readers why the original was taken down. Incredibly, Melaleuca’s lawyers then obtained a retroactive copyright certificate on the threat letter and demanded the hosting provider take down the post as well. Even after they complied with the letter, Melaleuca sued TomPaine for copyright infringement then subpoenaed TomPaine’s and d2’s identities.
Now, VanderSloot is at it again. He and his company's lawyers have targeted local Idaho independent journalist Jody May-Chang over posts that are four years old. Melaleuca’s lawyers have challenged a series of articles written by May-Chang, most notably this one, in which she describes VanderSloot’s funding of the billboard campaign and opines that he is “anti-gay.” Melaleuca first sent a letter to May-Chang in 2008, asking her not only to correct the post but also to take down the stock photograph of VanderSloot that had been posted on his personal website (using such photos is a common practice among journalists). The photo was taken down but the posts stayed up at a new URL. After re-discovering the post last month, they sent another letter to May-Chang repeating their earlier demands, but May-Chang has held her ground and kept the post up despite the threat of costly litigation.
Unfortunately, VanderSloot’s strategy is not new, and it demonstrates the speech-chilling options available to those with ready access to aggressive lawyers. Another billionaire, Washington Redskins owner Dan Snyder, attempted to use this tactic against the alt-weekly Washington City Paper last year by suing the publication for libel over a well-sourced article making fun of his business practices. Luckily, Washington City Paper decided to fight the suit, and Snyder dropped it after being confronted with potential liability under DC’s new anti-SLAPP statute.
While Idaho does not have an anti-SLAPP law to protect May-Chang, after Greenwald’s report two weeks ago, other news organizations have finally felt free to report on this series of incidents and the inevitable Streisand Effect has taken hold. Rachel Maddow aired a five-minute segment on the controversy on her MSNBC show. And Techdirt’s Mike Masnick said this situation shows the need for a strong federal anti-SLAPP statute. Thankfully, while VanderSloot issued a lengthy response to the allegations, neither he nor his company’s lawyers have issued any new legal threats since Greenwald published his investigation.
But as National Journal’s Chris Frates suggests, given that VanderSloot is a co-chair on a leading presidential campaign, Mitt Romney should have to answer questions about his official surrogate's attempts to circumvent the First Amendment. Frates writes:
And near as I can tell, Romney has yet to answer questions regarding his supporter's tactics. Did he know of VanderSloot's reported pattern of threatening journalists critical of his interests? Does Romney agree with that response? And does Romney stand by VanderSloot? I put those, and other, questions to a campaign spokeswoman but did not get a response.
And while we’re at it, Mitt Romney—along with President Obama—should be asked their position on a federal anti-SLAPP statute. This type of harassment has no place in a country that prides itself on honest public discourse and the free speech rights guaranteed under the First Amendment.
The Public Participation Project, a non-profit organization dedicated to passing federal anti-SLAPP regulation, has highlighted this case as well, and encourages those concerned to petition their congress member to support such legislation by going here.
The Mexican legislature today adopted surveillance legislation that will grant the police warrantless access to real-time user location data. The bill was adopted almost unanimously, with 315 votes in favor, 6 against, and 7 abstentions. It has been sent to the President for his approval.
There is significant potential for abuse of these new powers. The bill ignores the fact that most cellular phones today constantly transmit detailed location data about every individual to their carriers; as all this location data is housed in one place—with the telecommunications service provider—police will have access to more precise, more comprehensive and more pervasive data than would ever have been possible with the use of tracking devices. The Mexican government should be more sensitive to the fact that mobile companies are now recording detailed footprints of our daily lives.
In response to the law’s adoption, Mexican human rights lawyer Luis Fernando García told EFF, "Mexican policy makers must understand that the adoption of broad surveillance powers without adequate safeguards undermines the privacy and security of citizens, and is therefore incompatible with their human rights obligations."
Sensitive data of this nature warrants stronger protection, not an all-access pass. Human rights advocates will evaluate all necessary legal options for challenging the legality of the measure. In the meantime, Mexican citizens should evaluate the possibility of requesting access to their own personal data retained by their mobile company according to the Mexican Data Protection Law.
In Germany, the politician and privacy advocate Malte Spitz used a similar local privacy law—which like laws in many European countries, gives individuals a right to know what kinds of data private companies retain about them—to force his cell phone carrier to reveal what records it had on him. The result was 35,831 different facts about his cell phone use over the course of six months, revealing vast amounts of personal information. To demonstrate just how intrusive this data is, Spitz chose to make it all available to the public. Watch the remarkable interactive map of Spitz’s location information if you haven’t done so.
It is time to educate all of our legislators and the general public that sensitive data warrants strong protections. EFF will continue to report on mobile and online surveillance in Mexico.
If you are Mexican, the Data Protection Authority has provided a FAQ on how to request access to your own personal data retained by private companies.
EFF is pleased to see that Websense, a company that produces Internet filtering technology, has issued a statement against Pakistan’s call for proposals [PDF] for companies to assist with their pervasive censorship plans. Websense’s statement, posted on their website also calls upon other producers of filtering technology to refuse complicity with Pakistan’s plans, which run counter to the right to free expression enshrined in Article 19 of the Universal Declaration of Human Rights.
As we wrote last week, the Pakistan Telecommunications Agency (PTA) already censors numerous websites, including those related to minority groups and human rights. The Request for Proposals (RFP) issued in February would expand the censorship regime to enable the blocking of up to 50 million URLs without delays in processing.
Websense was criticized in 2010 after its products were found to have been used by the government of Yemen, but the company quickly responded by issuing a policy against the sale of their wares to foreign governments. In 2011, Websense also became the first company of its type to join the Global Network Initiative (GNI), of which EFF is also a member.
In addition to Websense, the GNI, numerous international groups, and local organizations such as Bytes for All and Bolo Bhi have stated their opposition to the RFP, and an editorial in the Express Tribune called the plan a "usurpation of Internet freedom." The international Business and Human Rights Centre is encouraging those concerned to sign a petition calling on companies not to bid on the RFP.
Though Websense should be commended for its stance, there are dozens more companies that would be more than happy to make a bid to the PTA. Corporate giant Cisco, McAfee’s SmartFilter, and Canadian company Netsweeper all knowingly sell their wares to foreign governments, and they’re undoubtedly not the only ones.
This complicity with pervasive government censorship must stop. EFF calls on the myriad companies producing Internet filtering software not to take part in what Bytes for All has called Pakistan’s “cold-blooded murder of the Internet.” We further encourage companies to follow Websense’s example and take a stand against government-imposed censorship by joining the Global Network Initiative or adopting their own standards (we recommend our “Know Your Customer” guidelines).
Two weeks ago, Gawker’s Adrian Chen published a leaked copy of Facebook’s Operations Manual for Live Content Moderators, which the company uses to implement the rules and guidelines that determine which content will be allowed on the platform. The document was widely ridiculed for a variety of reasons, from the attitudes expressed toward sex and nudity (photos containing female nipples are banned, as is any “blatant (obvious) depiction of camel toes or moose knuckles”), to its lenient attitude towards gore (crushed heads and limbs are permitted “so long as no insides are showing”), to its arbitrary ban on photos depicting drunk, unconscious, or sleeping people with things drawn on their faces.
Facebook has a long history of banning—among other things—sexual content, which has angered many users over the years. In 2009, more than 11,000 Facebook users participated in a virtual “nurse-in,” changing their user pictures to photos depicting women breastfeeding in response to Facebook’s policy of taking down such photos to comply with their obscenity guidelines. In May 2011, Facebook deleted a picture of a gay couple kissing because it allegedly violated their community standards, prompting widespread outrage from gay rights groups, and an apology from Facebook, which reinstated the photo.
The leaked document also gave some insight into Facebook’s processes in respect to complying with international law. As Chen writes:
Perhaps most intriguing is the category dedicated to "international compliance." Under this category, any holocaust denial which "focuses on hate speech," all attacks on the founder of Turkey, Ataturk, and burning of Turkish flags must be escalated. This is likely to keep Facebook in line with international laws; in many European countries, holocaust denial is outlawed, as are attacks on Ataturk in Turkey.
Unlike Google and Twitter, Facebook does not have the ability to take down content on a country-by-country basis. If they takedown something in response to the laws of one country, it is taken down for everyone. So if you criticize Ataturk on Facebook, even if you are located in the United States, you are out of luck.
NOTE: Facebook tells that this paragraph is mistaken about how they do their takedowns. We apologize for the error.
Shortly after the Facebook leak, blogging platform Tumblr published a draft copy of a policy against blogs that “actively promote self harm,” including eating disorders, sparking intense debate in the Tumblr community. Users expressed concern that the policy could lead to the deletion of blogs that merely discuss self-harm. One user observed that the line between discussion and glorification is blurry and subjective:
“…where does Tumblr plan to draw the line between what is acceptable and what is not? There are no clear cut specifics as to what you will and will not be able to post, so how are we as the users of this website supposed to follow this new policy if it is put into effect? How is the staff going to determine a person’s definition of “promoting” when everyone has a different view on what should and should not be tolerated? Some users may believe that pictures or even general posts about these issues are a means of promoting them, yet others may see these pictures and posts as nothing more than another post on their dash.”
To be clear, Facebook and Tumblr have a right to decide what kinds of content they allow on their platforms. They are private companies and can generally control and limit the kind of speech they allow without regard to the First Amendment or other constraints. But content policies run the risk of angering and alienating longtime users, and they tend to be an increasing burden over time because the decision by the company to police on one topic leads to pressure to police on more topics. They also require deep training of the people involved to recognize the context and be sensitive to ambiguity. As a result, they are very difficult to automate.
Facebook, at least, does not seem to be prepared to properly train and sensitize those who will be responsible for taking down content on their websites. Instead, they appear to be relying upon an underpaid army of inexperienced content moderators—a choice that seems likely to lead to inconsistent and even unfair implementation of the policies. It’s not hard to imagine a moderator who fails to appreciate the difference between commentary and promotion, or even one who uses his or her takedown power to play out a personal grudge or political belief. Even well-intentioned moderators may become overwhelmed with the sheer volume of material on a platform the size of Facebook.
NOTE: After speaking with Facebook, we decided to remove this paragraph.
The simple fact is that there will be mistakes and misuses of any content review system, even if the companies invest in more training. As a result, it is not enough for companies to simply implement takedown rules—they must develop a robust, easy-to-use avenue for error correction, misuse detection, and appeal. For more recommendations on creating and implementing rights-respecting content moderation guidelines, read the Berkman Center's Account Deactivation and Content Removal: Guiding Principles and Practices for Companies and Users.
Content moderation policies are always evolving. EFF will be watching these systems carefully and users should too. Developing a fair and effective approach to content moderation is considerably harder than it looks. The history of the Internet is littered with well-intentioned content policing systems that went awry.
Mobile smartphone apps represent a powerful technology that will only become more important in the years to come. But the unique advantages of the smartphone as a platform—a device that's always on and connected, with access to real world information like user location or camera and microphone input—also raise privacy challenges. And given the sensitivity of the data that many consumers store on their phones, the stakes are even higher for manufacturers, carriers, app developers, and mobile ad networks to respect user privacy in order to earn and retain the ever-important trust of the public.
Some of these practices may require the participation of other parties, like the mobile platform provider or ad networks. While each party carries some responsibility, application developers are in a position to take the lead on these issues, whether that means selecting an ad network for its responsible practices or supporting efforts by platforms to incorporate privacy-protective policies and practices.
A mobile user bill of rights
Developers need to create applications that respect these rights.
Individual control: Users have a right to exercise control over what personal data applications collect about them and how they use it. Although some access control exists at the operating system level in smartphones, developers should seek to empower users even when it's not technically or legally required by the platform. The right to individual control also includes the ability to withdraw consent and have that data removed from application servers. The White House white paper puts it well: "Companies should provide means of withdrawing consent that are on equal footing with ways they obtain consent. For example, if consumers grant consent through a single action on their computers, they should be able to withdraw consent in a similar fashion."
Focused data collection: In addition to standard best practices for online service providers, app developers need to be especially careful about concerns unique to mobile devices. Address book information and photo collections have already been the subject of major privacy stories and user backlash. Other especially sensitive areas include location data, and the contents and metadata of phone calls and text messages. Developers of mobile applications should collect only the minimum amount required to provide the service, with an eye towards ways to achieve the functionality while anonymizing personal information.
Transparency: Users need to know what data an app is accessing, how long the data is kept, and with whom it will be shared. Users should be able to access human-readable privacy and security policies, both before and after installation. Transparency is particularly critical in instances where the user doesn’t directly interact with the application (as with, for example, Carrier IQ).
Respect for context: Applications that collect data should only use or share that data in a manner consistent with the context in which the information was provided. If contact data is collected for a "find friends" feature, for example, it should not be released to third parties or used to e-mail those contacts directly. When the developer wants to make a secondary use of the data, it must obtain explicit opt-in permission from the user.
Security: Developers are responsible for the security of the personal data they collect and store. That means, for example, that it should be encrypted wherever possible, and data moving between a phone and a server should always be encrypted at the transport layer.
Accountability: Ultimately, all actors in the mobile industry are responsible for the behavior of the hardware and software they create and deploy. Users have a right to demand accountability from them.
Best technical practices
How should developers best keep in line with this bill of rights? Here are some specific practices that developers should use to preserve user privacy.
Anonymizing and obfuscation: Wherever possible, information should be hashed, obfuscated, or otherwise anonymized. A "find friends" feature, for example, could match email addresses even if it only uploaded hashes of the address book. Bear in mind that an unkeyed hash of a guessable value such as an email address can be reversed by hashing a list of candidate addresses, so hashing limits exposure rather than eliminating it.
Secure data transit: TLS connections should be the default for transferring any personally identifiable information, and are mandatory for sensitive information.
Secure data storage: Developers should retain information only for the duration necessary to provide their service, and the information they store should be properly encrypted.
Internal security: Companies should provide security not just against external attackers, but against the threat of employees abusing their power to view sensitive information.
Penetration testing: Remember Schneier's Law: "Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can't break." Security systems should be independently tested and verified before they are deployed, rather than after they have been compromised.
Do Not Track: One way for users to effectively indicate their privacy preferences is through a Do Not Track (DNT) setting at the operating system (OS) level. Currently, DNT is limited mostly to web browsers, and only Mozilla's under-development Boot2Gecko supports the Do Not Track flag at the OS level. But developers would benefit from the clear statement of privacy preferences, and should encourage other OS makers to add support.
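As an added example, not code from the original post, here is a Python sketch of the hashed "find friends" matching described under "Anonymizing and obfuscation", together with the check that shows the limit of that approach and the minimal-retention rule from "Secure data storage". The address book, the registered-user table and the server-side key are constructed for the demonstration; the keyed transform applied before storage is a mitigation added here, not something the post prescribes.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: the uploader's address book and the service's
# registered users (display name -> email). Not real addresses.
ADDRESS_BOOK = ["Alice@Example.org", "bob@example.org ", "carol@example.net"]
REGISTERED = {"alice": "alice@example.org", "dave": "dave@example.org"}


def normalize(email):
    """Canonicalize so the same address always produces the same hash."""
    return email.strip().lower()


def hash_email(email):
    """Unkeyed SHA-256 of the normalized address: what the client uploads
    instead of the address itself."""
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()


def client_upload(address_book):
    """Client side: upload hashes only, deduplicated and sorted so the order
    does not leak how the address book is arranged."""
    return sorted({hash_email(e) for e in address_book})


def server_match(uploaded, registered):
    """Server side: hash the service's own users' addresses and intersect.
    Uploaded hashes that match nothing are never resolved to an address here."""
    index = {hash_email(e): name for name, e in registered.items()}
    return sorted(index[h] for h in uploaded if h in index)


def reverse_hashes(hashes, candidates):
    """The caveat: whoever holds the hashes and a list of candidate addresses
    (a breach dump, a marketing list) recovers every address on both lists.
    Hashing is obfuscation, not anonymization."""
    table = {hash_email(e): normalize(e) for e in candidates}
    return sorted(table[h] for h in hashes if h in table)


def pepper(server_key, digest):
    """Keyed transform applied server-side before anything is stored. The key
    never leaves the server, so a copy of the stored values cannot be reversed
    with reverse_hashes()."""
    return hmac.new(server_key, digest.encode("ascii"), hashlib.sha256).hexdigest()


def store_matches(server_key, uploaded, registered):
    """Retention rule: keep only peppered hashes of actual matches and drop the
    rest of the upload as soon as matching is done."""
    known = {hash_email(e) for e in registered.values()}
    return sorted(pepper(server_key, h) for h in uploaded if h in known)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed server-side secret
    upload = client_upload(ADDRESS_BOOK)
    print("matches:", server_match(upload, REGISTERED))
    leaked = ["alice@example.org", "bob@example.org", "eve@example.org"]
    print("reversed from plain hashes:", reverse_hashes(upload, leaked))
    stored = store_matches(key, upload, REGISTERED)
    print("reversed from stored values:", reverse_hashes(stored, leaked))
```

The first print shows that matching works on hashes alone; the second shows that a copy of those hashes plus a candidate list gives back two of the three addresses; the third shows that once only peppered matches are kept, the same candidate list recovers nothing. The server still sees the unkeyed hashes during matching, which is why the upload should be discarded immediately afterwards rather than retained.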
These recommendations represent a baseline, and all the players—from the application developers to the platform providers to the ad networks and more—should work to meet and exceed them. As the mobile app ecosystem has matured, users have come to expect sensible privacy policies and practices. It’s time to deliver on those expectations.
Ridden the bus or train lately? Then you’ve probably checked your phone to find out when it will arrive. Or if you shop online, you’ve probably checked to see when your packages will arrive. If patent troll ArrivalStar has its way, this could all change. ArrivalStar has launched a blitzkrieg against municipalities and the U.S. Postal Service, among others, claiming that these types of tracking services infringe its patent, leaving those defendants with a few stark choices: fight the expensive lawsuit for years in court, settle and pay ArrivalStar to go away, or stop using the technology altogether (and even then, the municipalities could be forced to pay for their earlier use). ArrivalStar's dangerous suits show no sign of letting up: just this week, it sued Monterey, California and Cleveland. Given the current budget crunch facing many of these entities, the last thing they need is to spend their limited resources (and taxpayer dollars) fending off bogus patent attacks.
If left unchallenged, the broad language in ArrivalStar’s patent could potentially cover any system or technology that tracks a vehicle along a predetermined route and then notifies a potential passenger or package recipient of the vehicle’s status. Specifically, ArrivalStar’s patent claims to cover any vehicle tracking method that (1) tracks a vehicle, (2) compares the tracking information to the vehicle’s scheduled arrival time along a predetermined route, (3) contacts a user, and (4) tells her whether the vehicle is on or off schedule.
To protect our public services, EFF, along with the Samuelson Law, Technology, and Public Policy Clinic at Berkeley Law, plans to challenge this patent. In order to do so, we are looking for prior art created before January 18, 1999 that completes the steps listed above. Useful prior art might describe systems designed to track vehicles for consumers, such as delivery companies, school buses, or public transportation systems. Many technologies could be used to complete the steps in the patent. For example, vehicle tracking (step 1) could be done by radio or GPS transmitter; comparing tracking information to arrival times (step 2) could be done by a computer or by a human; and notification to the user (steps 3 and 4) could take the form of a phone call, text message, email, or other electronic communication.
If you know anything about these types of technologies and want to help us challenge this patent, take a look at the more detailed description (located here) and send any leads on prior art you might have to firstname.lastname@example.org. And let your friends and others who might have particular knowledge about vehicle tracking, fleet coordination, or similar systems know, too. We need your help to bust this dangerous patent!
Syrian Citizen Journalists Face Increasingly Grave Threats
We recently reported on the Syrian government raid on the Syrian Center for Media and Freedom of Expression, during which two bloggers and more than a dozen activists were arrested. The six women arrested have now been conditionally freed and are required to report to state security offices daily. However, nine men including blogger Hussein Ghrer and Mazen Darwish, the director of the Center, remain imprisoned.
Blogger and activist Razan Ghazzawi, who was among those arrested, bravely published a call to free her colleagues on her blog, demanding that authorities release her "beautiful boss, friends and colleagues" at the Center. She also republished the Center's official statement, which demands that Syrian authorities release all detainees "immediately and unconditionally." The Center holds the Syrian authorities fully responsible for the psychological and physical conditions of the detainees.
EFF supports the call from the Syrian Center for Media and Freedom of Expression and reiterates its demand that the detainees—all prisoners of conscience—be released immediately and unconditionally.
As we've recently pointed out, Morocco appears to be once again cracking down on free expression, despite constitutional reforms that demoted the status of the King from sacred to merely "inviolable."
Today, Reporters Without Borders wrote that Walid Bahomane was convicted in February on the piracy charge and sentenced to a year in prison and a fine of MAD 10,000 (~USD 1,200). The young blogger faced charges under Morocco's lèse majesté laws, as well as a charge of "online piracy".
Despite the peculiar charges levied on Bahomane, it does not appear that the kingdom is shying away from lèse majesté convictions. Just one day after Bahomane was sentenced, 24-year-old Abdelsamad Haydour was convicted and sentenced to three years in prison by a Taza court for criticizing the king of Morocco in a video posted to YouTube.
EFF once again condemns the use of lèse majesté laws to silence speech and reminds the Moroccan government that its own constitution guarantees freedom of expression.
Why is Uzbekistan blocking Uzbek-language Wikipedia?
Earlier this month, news emerged that Uzbekistan was blocking access to the Uzbek-language edition of Wikipedia. Although the news doesn't come as much of a surprise, given that Uzbekistan employs a number of techniques to exert control over the Internet, it is still bewildering to some that the government would block Uzbek Wikipedia but not its Russian counterpart.
In a piece for the Atlantic, Sarah Kendzior tries to make sense of the strategy, noting that the Russian version of the site contains far more information on the human rights abuses of the Uzbek government. She points to a prior article in which she reveals the way in which the Uzbek government views Uzbek-language online content as within its virtual "territory," and argues that "Uzbekistan's ban on Wikipedia has less to do with blocking access to information than it does with territorializing an ambiguous Uzbek ethnolinguistic virtual space."
Nonetheless, the Uzbek government does block a slew of international sites, including a number of English-language sites that include information on human rights issues in the country. Though the block on Uzbek-language Wikipedia may constitute a power play, it may also be a harbinger of worse censorship yet to come.