Well meaning but…

I work in IT and I’m sure I’ve made decisions that have puzzled people or made them wonder what sort of special idiot I am. Fortunately for me most of what I’ve done hasn’t really had significant real world consequences. The same cannot be said of the new surveillance detecting tool from Amnesty, Privacy International and the EFF. This new spyware detecting tool is called Detekt and is aimed at people who fear they may be at risk of targeted surveillance. Now I’m sure that the people that wrote it are both very clever and well meaning, however if you’re subject to targeted surveillance and the sort of tools that government agencies might deploy then you’re up against people who are also very clever and not very well meaning. To be honest they are quite probably downright hostile with no good intent towards you at all. Now if you think you’re of interest to such people you hopefully have reasonable security and are already running tools to detect the normal run of the mill spyware and malware programs and of course an anti-virus program. We can therefore, I think, assume Detekt is aimed at detecting the kind of nastiness that those usual tools can’t spot.

Well except it isn’t, not really. According to their stated intentions the main aim is to “raise awareness”; actually detecting spyware is just the secondary aim. They are also, according to their information, mainly targeting known commercially available (well, available to governments at least) software, and they expect the people making it to start working to avoid Detekt really quickly.

So this awareness raising tool is expected to be actively worked against and yet the install instructions tell you to turn off your antivirus programs and then run it as Administrator!

How to shaft yourself

Now as it’s aimed to run on Windows machines they don’t actually have much choice about this. But they are advising people who think they are the target of serious hostile action to disable their existing security measures to run a bit of software downloaded from the internet as a privileged user. Yes they advise you to be disconnected from the internet at the time, but still this is not usually considered clever. Anti-virus and other anti-malware tools normally avoid this problem by having a digital signature that you can check and that the program itself can check. From the install instructions this is not the case with Detekt, and the earlier releases didn’t even have a signature to verify if you knew how to (well, except for some unknown format digital signature).

What no checksum

This is really not following best practice, and it’s good to see that the latest release does come with checksums you can check, though the installation advice doesn’t so much as suggest you do such a thing. There are already a lot of very good tools and advice out there for whistleblowers and the like – which don’t generally advise you to turn off your security to run an unverified bit of software.
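For anyone who does want to check before running a downloaded installer as Administrator, here is the check as an added example; it is not from the original post and not part of Detekt. It assumes the publisher posts a SHA-256 for the release and that the binary carries an Authenticode signature; the file path, the expected hash and the expected signer name are placeholders you would fill in from the publisher’s own page. An unsigned file reports `NotSigned` and the script stops, which for a tool you are about to run with all security turned off is the correct default.

```powershell
# Added example, not the post's or Detekt's own code: refuse to run a downloaded
# installer unless its SHA-256 matches the published value and its Authenticode
# signature is valid and from the expected publisher.
param(
    [string]$Installer      = '.\downloaded-installer.exe',      # placeholder path
    [string]$ExpectedSha256 = 'PASTE_PUBLISHED_SHA256_HERE',    # from the publisher's checksum file
    [string]$ExpectedSigner = 'CN=Expected Publisher'           # placeholder certificate subject
)

$ErrorActionPreference = 'Stop'

# 1. Checksum: Get-FileHash returns upper-case hex; PowerShell's -ne is
#    case-insensitive, so a lower-case published hash still compares correctly.
$actual = (Get-FileHash -Path $Installer -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.Trim()) {
    Write-Error "SHA-256 mismatch: expected $ExpectedSha256, got $actual. Do not run this file."
}

# 2. Signature: the Authenticode chain must be trusted (Status 'Valid'), and
#    the signer must be who we expect. A valid signature from an unexpected
#    party is still a red flag, so both conditions are checked.
$sig = Get-AuthenticodeSignature -FilePath $Installer
if ($sig.Status -ne 'Valid') {
    Write-Error "Authenticode status is '$($sig.Status)' ($($sig.StatusMessage)). Do not run this file."
}
if ($sig.SignerCertificate.Subject -notlike "*$ExpectedSigner*") {
    Write-Error "Signed by '$($sig.SignerCertificate.Subject)', not the expected publisher. Do not run this file."
}

Write-Host "Checksum and signature match the published values; proceed to the next step."
```

Note that the hash only proves the file you hold is the file the publisher hashed; if the checksum comes from the same site as the download, a party who can tamper with one can tamper with both, which is why the signature check (or a checksum published through a second channel) matters.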

Whilst I’m sure that the “resistsurveillance.org” site is run by the people that it claims to be, that also can’t be verified as the domain registration information is all obfuscated. Of course if it was set up by a malicious actor I’m sure Amnesty and co would be shouting from the rooftops that it wasn’t them, but really that’s hardly the point.

All of which means that the people behind Detekt (whoever they may actually be) are advising people at risk from serious and advanced surveillance threats to abandon good practice, download a bit of software from an open source site and run it as Administrator with all security turned off, without first verifying it’s in any way genuine. This strikes me as a rather counterproductive way to “raise awareness”. Unless of course having a few people disappeared is an acceptable awareness raising technique these days. I’m hoping that the software actually just puts up a big image which says “don’t be stupid next time”. However given the size of the program it could be doing almost anything, and there’s plenty of space there for malicious parties to hide something nasty if they got the chance.

If they wanted to raise awareness in a way less likely to shaft the most at risk, they could have pointed to the vast amounts of good advice out there. Including any of the various portable secure Linux systems which let you start from a clean secure system every time. Hell they could even rebadge it with their funky awareness logo, as long as they also told people how to verify it was genuine, provided a method to verify that the people behind it were actually the people behind it and maybe provided multiple download paths so that it was at least slightly harder for the ungodly to target the download site.

It’s nice that they want to raise awareness, and unless you’re being paranoid the risks are really fairly small – except of course if you think you’re the subject of state sponsored targeted surveillance then paranoid is the very thing you need to be.

