Write Keyloggers Professionally!


GetAFreelancer.com has a job for you if you need some high-paid work — write a remote keylogger.

Here are the project requirements:

We need a keylogger that can be installed remotely.

The main purpose is that the user A can send an email with a program to install (example: a game or a funny program) to the person B. When the person B installs the program on his computer, he is installing at the same time an invisible keylogger on his computer. Then the person A is receiving the report by email of every keystroke that the person B is doing on his computer.

They only want to pay $250 to $750, which seems fair given that the requirements don’t include undetectability. For that low a contract price, it seems only fair to give the victim a fighting chance.

Photo “Keylogger 1.0 Beta” by soulrift.

Welcome, Crispin!

Michael Howard has broken the news: “Crispin Cowan joins Windows Security”:

I am delighted to announce that Crispin Cowan has joined the core Windows Security Team!

For those of you who don’t know Crispin, Crispin is responsible for a number of very well respected Linux-based security technologies such as StackGuard, the Immunix Linux distro, SubDomain and AppArmor. I’ve known Crispin for many years, and have nothing but the utmost respect for the guy. He’s well published, wicked smart, a non-zealot and brutally pragmatic. In my opinion, AppArmor is a shining example of his pragmatism, it’s simple and it works. What excites me the most is he’ll bring a different perspective to the Windows team, and I’m a big believer in stirring the pot!

Let me add my own welcome. Crispin and I have collaborated on a couple of projects, and I look forward to working with him more, and seeing what happens when he applies himself to Windows security.

[A clarification: Crispin is joining Microsoft, not Emergent Chaos (today, anyway). I remain the only MS employee blogging here, and my comments do not represent my employer. I was simply excited and wanted to share the news.]

Looking for a challenge? Life dull?

If you need a change in your life, consider this job posting:

Title: IT Security Architecture Manager Needed

Company: TJX Companies

Location: Framingham, MA

Skills: Very strong technical security background in both the mainframe and distributed environments.

Term: Full Time

Pay: DOE

Length: Full Time


TJX Companies is seeking an IT Security Architecture Manager who has at least 6 years experience in Information Technology and certification related to the security profession (CISSP, CISA, CISM) preferred.

Read on. If you like being the sheriff who cleans up town, this could be for you!

Movie Plot Threat No Longer a Metaphor


Director Mike Figgis flew into LAX airport and was detained for five hours because he oopsed. He said, “I’m here to shoot a pilot.”

On the one hand, yes indeed, on the list of things you shouldn’t say while in Immigration, “I’m here to shoot a pilot” is right up there with being careful how you greet your friend John.

But on the other hand, is the US government really filled full of so many beady-eyed, mouth breathers with brains the size of cashews that it takes five hours to clear this up? And in Los Angeles, of all places? Dear God, click on the link above. It’s a Google search for “Mike Figgis.” All ten links on the first page point to the director, celebrity, and film maker Mike Figgis. Link #1 (IMDB), link #3 (filmbug.com), and link #5 (mooviees.com) all have pictures of him.

Admittedly, IMDB says he was born in Cumbria, England, and hollywood.com (link #4) says he was “Kenyan-born.” Hmmm. Highly suspicious. But filmbug says,

Born in Carlisle, England, Figgis moved to Nairobi, Kenya as a baby. He lived there until his family relocated to Newcastle in the north of England when he was eight.

And that seems to clear it up a bit. Mooviees tells us: Born: Saturday, February 28, 1948 (Carlisle, Cumbria, England, UK), and that seems to let us know that Carlisle is in Cumbria, and hey, there’s a date that might be on his passport! Wikipedia (link #2) agrees with that date, but says, “Cumberland” instead of “Cumbria” and unless you’ve taken Latin, that might look suspicious as well.

So what happened? Did the dates not match properly? Did he cut the curls and go all Bruce Willis? Surely there must be some reasonable explanation. Maybe they really hated Leaving Las Vegas. Or perhaps it was that Sopranos episode. Maybe he called the Immigration agent “Sugartits.”

Tip of the hat to 27 B Stroke 6. Original article from The Guardian. Photo of the perp along with Saffron Burrows shamelessly stolen from IMDB, whom I would have linked to if they’d made it easy.

Update on 31 May 2007: This story is apparently too good to be true. Boing Boing got told by people in the know that it’s not true.

Rootkit on a Stick


The SnoopStick offers full realtime monitoring of another computer. It’s Vista-ready, too, which perhaps says something about Vista security, or perhaps about people who have had trouble working with Vista, or both.

Any time you want to see what web sites your kids or employees are visiting, who they are chatting with, and what they are chatting about, simply plug in your SnoopStick to any Windows based computer with an Internet connection and a USB port. SnoopStick will automatically connect to the target computer.

There is other amusing information on the web site, such as:

All SnoopStick monitoring messages are sent through our data centers, and none of the information is stored here locally at any time. Additionally, all SnoopStick messages passing through our systems are encrypted with an industry standard encryption algorithm.

Solid Oak and its employees are not able to view any SnoopStick activity sent through our networks because of the encryption used by all components of the system. You can rest assured that the information gathered by SnoopStick is only accessible by the owner of that particular SnoopStick.

What a relief! An industry-standard encryption algorithm. Wanna bet it’s in ECB mode, with known headers? And what about the IP addresses the messages are coming from, and so on. I’d love to see a security analysis of this thing. Even better would be to see what AV and anti-spyware systems will catch it, and if not then why not?

Picture of the SnoopStick shamelessly appropriated from their web site, because I didn’t want their weblogs to get the information. It’s bad enough to write about them at all.

The Price of Nothing and the Value of Everything

In the Christmas double issue of The Economist, there is an interesting article about Google’s new domain-level email services and their applicability to business. I’m traveling, so I listened to the podcast version.

I’m not going to criticize Google today. I think Gmail is a good service. I have several Gmail accounts. I am personally tempted by the service for some of my own domains.

The Economist also thinks it’s a good idea, so much so that they slur us in IT security:

IT bosses tend to argue that web-based software is not secure. Their real fear, probably, is that web-based software will mean fewer jobs in corporate IT. But the trend will be hard to resist. Trusting the web with your software is not so very different from trusting the bank with your money, instead of keeping under the mattress at home.

There are several things to object to here. The first is the smug attack on the professionalism of corporate IT people. I find it all the more obnoxious for hiding behind the word “probably” which is one of the oldest rogue’s tricks in journalism. I won’t dwell on that too much, because it is unusual for The Economist to have such a lapse, and this one is forgivable because it is probably caused by the onset of tertiary syphilis in the responsible editor. (I’ll apologize for my counter-slur if a paper supporting the claim that the probability that “security” concerns are actually about budgets is greater than 0.5 is accepted at WEIS this year.)

The next thing to object to is the confusion between software and data. Email, and any concerns with it, are not about the software, they’re about the data. Anyone who has qualms about outsourcing to Google most likely has them about the data, not about the software.

Another confusion The Economist makes is between money and information. There are a number of differences between money and information, but one that is relevant here is that if my bank is robbed, I still have my money (which is one of many reasons why banks are better than mattresses). This is not true with information. If information is stolen, you can’t pull it back. Furthermore, Google isn’t going to insure or indemnify against information loss the way that governments and banks indemnify depositors. If an outsourcer gets broken into, it’s still my breach, and breaches are not cheap.

Not only are emails information, but they are corporate documents. They can be subpoenaed or discovered. I have no idea what would happen if I were in a lawsuit and Google were asked to turn my email that they host over. I would hope that Google would refuse, but what happens if a judge disagrees? Let us also not forget that any such dispute would happen in the US courts. It would also be subject to US national security laws, and these laws not only require your service provider to turn over your emails, but require them not to tell you about it. Additionally, some assert that emails lose their status as protected communications after they’ve been aged for 180 days. My eyebrow is raised, as I am an equal-opportunity cynic, but that’s hardly tin-foil-hat territory.

The last thing to remember is that despite what The Economist seems to think, rarely does one find a free lunch. Google does not offer email services for free. It sells them to you, and you pay by letting them use your data to sell adverts. Google’s payment is exactly the advertising value of scanning all your email. You may think it’s worth it, but you may not. I think this is something about which gentlebeings can disagree.

There are situations in which outsourcing one’s documents may make sense. If, for example, you’re a state university and your documents are ultimately the property of the taxpayers, then some of the security concerns go away. But not all of them. To get rid of the risks, an outsourcer would have to secure the data so that they can’t lose it or be compelled to release it. Unfortunately, that would most likely change the economics of the bargain and make it so that the outsourcer would be giving out a free lunch.

None of this means that outsourcing your domains to Google is a bad idea, it just means that there are costs, benefits, and risks. The cost of a Gmail-hosted domain is the value of the use of your information. This might be analogous to letting the bank use your money, and may be worth it. However, implying that managing your own information is like keeping your money in a mattress is wrong. It’s more like buying your own shares rather than letting a fund manager do it. It’s a tradeoff of many things: time, money, effort, etc. Surely an economist can understand the difference between saving and investing.

Radialpoint Needs People

My friends at Radialpoint are looking for a few great people to help drive their service delivery platform. They need a database development architect, a software architect, and a senior Java developer:

These are leadership level positions in a growing company with great financial resources. Each of these team members will have the chance to attend conferences, participate in industry developments, and will be encouraged to establish their leadership in the industry through publications and/or presentation opportunities. For a technologist, this is a chance to make (and be rewarded for) critical contributions to the success of a company for whom technology is both its heart and lifeblood.

I have fond memories of working with a number of these people when we were at Zero-Knowledge. They’re great folks in a great city, and if you fit the bill, you should give them a chance.

I’m happy to facilitate introductions.