Monday, January 12, 2009

Police Backdoors

I ran across this article titled "Police set to step up hacking of home PCs" the other day. It details a new law approved by the UK government allowing police to hack into suspected home computers. In-order to carry out these Hacks, they will be sending E-mails with virus attachments or breaking into homes and installing keystroke loggers.

This kind of behavior is displayed by most governments these days. However, what did surprise me is that they asked security product/service providers to stop detecting/blocking their keystroke loggers and other malicious tools.

I was glad to read that a few security vendors have taken issue and denied cooperation with this matter. As per ZDNet, security vendors Kaspersky Labs and Sophos told ZDNet UK that they would not make any concession in their protective software for the police hack.

Symantec declined to comment on whether it would block a police hack, saying the matter was "politically sensitive". However, the security vendor has said in the past that it would not scan for the FBI's Magic Lantern keystroke-logging software.

I personally think the entire concept is ridiculous, especially the part where security vendors are expected to turn a blind eye to these police hacks. I feel that an AV that would voluntarily miss malicious code used for these police hacks would probably as a direct result miss other malicious code also.

Also, If any malicious users or malware authors were to get their hands on this malicious police code (which is fairly likely since they are installing it on suspect PCs), it would be fairly easy to reverse engineer the code and create malware to mimic its behavior and bypass security software.

Security through obfuscation, i.e. with the hope that no-one will look there, or look deep enough is always a bad idea. The entire concept of asking Vendors to create police backdoors sounds to me like a malformed version of "Security through obfuscation".