As others have noted, this is unlikely to protect against new infections, since governments will surely just check to make sure their malware isn't detected by the scanner. On the other hand, since we don't really trust corporate AV to detect state-sponsored malware, it seems like this fills a need right now, and will likely result in some organizations discovering they've been compromised by this kind of surveillance malware. So this still seems very useful right now.
As they themselves fully admit, the first thing the big g is going to do is test that their malware v2 isn't detected by this. In the same way that malware authors now check against Microsoft AV because it is the most popular.
So my point is that traditional AV in this scenario is a loser and will remain a loser because it is a race AV just cannot win. It will only alert you to an attacker well after the fact.
A far better EFF suggestion to "at risk" individuals (e.g. journalists, activists, etc) is read only systems. For example grab a Live DVD of a Linux distribution, boot it, use it, and then as soon as you turn it off everything is reset to 0.
That won't address the "baseband issue" (e.g. firmware infections, uEFI, etc), but neither does this. Only physical security really addresses the baseband.
Detekt is mostly about a different and earlier part of the problem: allowing groups that may be currently targets of illegitimate state surveillance to confirm that they have been infected by specific tools that we know to be used by state attackers, and therefore confirm that they are indeed under this specific sort of surveillance.
Up until now, getting to the point of confirming that fact has mostly relied on manual examination by experts. If an activist or journalist suspects they may be under surveillance or infected with malware, they need to navigate the usual challenges to fixing a malware infection, plus they need to eliminate the (often far more probable) case that they are infected with the usual petty criminal spyware.
This is about being able to positively identify a relatively small number of cases of targeted illegitimate surveillance, out of an ecosystem of hundreds of thousands of potential targets, and a huge array of potential exploiters of vulnerabilities. Right now all the organizations supporting Detekt (EFF, Amnesty International, Privacy International and Digitale Gesellschaft) receive queries about potential infection cases from all around the world: now we can scale up the first step of that triage we conduct a little. The positive identifications that come out of Detekt we can take further, and base, for instance, the cases against the Ethiopian government in the UK and US that PI and EFF are conducting (http://www.washingtonpost.com/business/technology/us-citizen...).
As part of a number of groups that do digital and physical security training for journalists and human rights defenders, most of us have/do recommend the use of live CDs like TAILS etc. Unfortunately my experience has shown that it is very very difficult to get anything other than a small percentage of journalists or HRDs using them for any period of time - especially in countries where IT literacy levels are low. Linux (and also PGP) is just too much of a cultural shift for most people. I mean even a security conscious guy like Glenn Greenwald didn't even bother to learn PGP or Live CD usage in the first few months of Snowden reaching out to him.
It is a gap in capability that many of us (including Danny at EFF) are working on day and night to try and bridge though!
This can be said of every security solution. The value of security is to increase the attackers' cost, which will deter attackers who don't want to pay the higher price. There is no absolute security.
Also, the prospect of updates will increase attacker costs more, as some attackers will feel the need to proactively avoid detection by future versions too.
It's called TAILS. It also triggers scrutiny by "the big g".
http://www.theregister.co.uk/2014/07/03/nsa_xkeyscore_stasi_...
IMHO signature/heuristic-based detection techniques are always prone to error, and should be replaced with behaviour-based detection (and blocking). At the moment, I think a good firewall (on another known-clean machine - ideally running 100% open-source software) should be enough to detect any suspicious network traffic.
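The comment above argues for behaviour-based detection of suspicious network traffic on a separate, known-clean firewall, and a later comment makes the same point about outbound filtering at the gateway. The following is an added illustration, not code from the thread or from Detekt: a small egress-policy checker that parses constructed gateway connection-log lines (the log format, addresses and the allowlist are all invented for this example) and reports outbound connections that the policy would not expect, which is the kind of check such a firewall performs.

```python
import ipaddress
import re

# Constructed sample lines in a generic "gateway connection log" shape.
# They are not from any real product; 198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges used here as stand-ins for external hosts.
SAMPLE_LOG = """\
2014-11-20T10:01:02 OUT src=192.168.1.20 dst=93.184.216.34 dport=443 proto=tcp
2014-11-20T10:01:05 OUT src=192.168.1.20 dst=192.168.1.1 dport=53 proto=udp
2014-11-20T10:02:11 OUT src=192.168.1.20 dst=198.51.100.7 dport=4444 proto=tcp
2014-11-20T10:02:40 OUT src=192.168.1.20 dst=203.0.113.9 dport=443 proto=tcp
2014-11-20T10:03:00 IN  src=198.51.100.7 dst=192.168.1.20 dport=22 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<dir>IN|OUT)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)$"
)

# Hypothetical egress policy: hosts on the LAN may talk to each other freely,
# DNS may only go to the local resolver, and external hosts may only be
# reached on web ports. Anything else leaving the network is reported.
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]
EXTERNAL_ALLOWED_PORTS = {80, 443}


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["dst_ip"] = ipaddress.ip_address(rec["dst"])
    return rec


def is_local(ip):
    return any(ip in net for net in LOCAL_NETS)


def violation_reason(rec):
    """Return why an outbound record breaks policy, or None if it is allowed."""
    if rec["dir"] != "OUT":
        return None  # inbound traffic is out of scope for an egress policy
    if is_local(rec["dst_ip"]):
        return None
    if rec["dport"] == 53:
        return "DNS to an external resolver"
    if rec["dport"] not in EXTERNAL_ALLOWED_PORTS:
        return "external connection on a non-web port"
    return None


def find_unexpected_egress(log_text):
    """Parse the log and return the outbound records that violate the policy."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = violation_reason(rec)
        if reason is not None:
            rec["reason"] = reason
            alerts.append(rec)
    return alerts


if __name__ == "__main__":
    for a in find_unexpected_egress(SAMPLE_LOG):
        print(f"{a['ts']} {a['src']} -> {a['dst']}:{a['dport']} ({a['reason']})")
```

With the constructed log above the checker flags only the connection to port 4444 on an external host; the HTTPS connections and the local DNS query pass. In practice the allowlist would be derived from a baseline of the machine's normal traffic, and every alert still needs a human to decide whether it is a new legitimate service or something to investigate.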
And yes I do use cracks: I wish I was able to reward my fellow devs but I don't have a start-up salary (even for my country my salary is pretty low) and open source software is usually (and I insist on usually, not always) not up to par.
So sue me.
Yes. The signatures are written more generically to detect the samples though. AV software can't (or at least shouldn't) write signatures so generically because of the potential for false positives. Since the scanner is scanning a non-enterprise environment the signatures can be a little more generic.
Is there any FOSS equivalent to Little Snitch?
Obviously there are issues that need to be addressed further, but some system where people collectively share who is trustworthy and who is not would be valuable.
It would be something like http://winhelp2002.mvps.org/hosts.htm but for more than just ads.
https://github.com/botherder/detekt/issues/20
The developer immediately closed my report, without discussion and all he could say is: "Trust me. Detekt definitely isn't spyware."
Somehow, this does not make me feel secure.
0350F024 012D4110 /CALL to socket from _socket.012D410A
0350F028 00000002 |Family = AF_INET
0350F02C 00000001 |Type = SOCK_STREAM
0350F030 00000000 \Protocol = IPPROTO_IP
0350F034 012DBAD8 _socket.012DBAD8
0350F038 02D93610
0350F03C 00000000
0350F040 00000001
0350F044 00000002
0350F048 1E0C18A8 RETURN to python27.1E0C18A8
This leads back to _socket.pyd, sip.pyd, and eventually QtCore4.dll. Tracing a bit further, I see what's happening: it starts a local Python web server in order to serve the main dialog of the application, the one with the language selector, which is an HTML page embedded in a browser control. No wonder it hung when you denied the connection and showed a blank frame. If you let it continue and figure out where it's listening, you can actually visit the page in your web browser and see the program's dialog. One of the most convoluted ways to display a dialog I've ever seen, and probably worth a "WTF?", but I don't think it's intended to be malicious. The developer could've handled this a bit better, that's for sure.
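The comment above describes a program that serves its own dialog from a local Python web server, which is what made the firewall prompt look alarming. The following is an added example, not Detekt's code and not from the thread: a minimal loopback-only HTTP server that serves a constructed HTML "language selector" page the way the comment describes, together with the check a reviewer would want, namely whether the listening socket is bound to 127.0.0.1 (reachable only from the same machine) or to 0.0.0.0 (reachable from the network). The page content, handler and function names are all invented for this illustration.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import urlopen

# Constructed stand-in for the embedded dialog page (a language selector).
DIALOG_HTML = b"""<html><body>
<form><select name="lang"><option>en</option><option>de</option></select></form>
</body></html>"""


class DialogHandler(BaseHTTPRequestHandler):
    """Serve the dialog page at '/' and nothing else."""

    def do_GET(self):
        if self.path != "/":
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(DIALOG_HTML)))
        self.end_headers()
        self.wfile.write(DIALOG_HTML)

    def log_message(self, fmt, *args):
        pass  # keep the example quiet


def start_dialog_server(bind_host="127.0.0.1"):
    """Start the server on an ephemeral port in a daemon thread.

    Returns (server, port). Binding to 127.0.0.1 is the safe default; passing
    "0.0.0.0" is what would expose the dialog server to other hosts.
    """
    server = HTTPServer((bind_host, 0), DialogHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    return server, server.server_address[1]


def is_loopback_only(address):
    """True when a (host, port) listening address can only be reached locally."""
    return address[0] == "127.0.0.1"


def fetch_dialog(port):
    """Fetch the dialog page the way a browser control (or a curious user) would."""
    with urlopen(f"http://127.0.0.1:{port}/", timeout=5) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    srv, port = start_dialog_server()
    print(f"dialog server listening on {srv.server_address}, "
          f"loopback only: {is_loopback_only(srv.server_address)}")
    print(fetch_dialog(port))
    srv.shutdown()
    srv.server_close()
```

The same check applies when examining an unfamiliar program: a local UI server bound to the loopback address only shows up as a connection from the machine to itself, whereas one bound to all interfaces is a listening service that the firewall prompt is right to ask about.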
Consider that the majority of the people who aim to download and use this THING are those who do something against their government's red lines. This is quite enough to make this THING a good Trojan horse for hiding anything that can track/detect (detekt!?) an activist. Serving the main dialog of the application may be merely a camouflage for other uses of Python inside the file.
Any idea?
The developer has re-opened my report now, which will probably never be addressed anyway, since the UI is so convoluted.
Funny thing is that this 'anti-spyware' app creates more confusion than most of the spyware I've seen. Sadly, most people will just run this thing and think they're safe, since they believe the authorities (eff.org, amnesty) but don't even use a firewall.
NB: I haven't read about the technical features of the tool.
It probably uses some kind of signature mechanism to identify malware.
...Surely the authors realize that they've just drawn a line in the sand against an APT. The biggest one ever.
Their tool and signature updates are presumably freely available online.
Have fun keeping those sigs up to date, tool authors!
You'd have been better off passing it around to journalists only via sneakernet and simply not talking about it.
Oh, user moyix brings up an excellent point that I had not considered re: "right now".
This is awesome, just not for me as a non-Windows user. I don't want this to perpetuate the myth that using Mac or Linux makes you impervious though.
I still think the best solution to this, and other problems, is outbound filtering at the gateway.
lol