The ComputerCOP Thread
#1
The EFF has put together a rather astounding bit of investigative reporting, digging into a program called "ComputerCOP" that is apparently handed out (in locally branded versions) by various law enforcement agencies -- generally local police, but also the US Marshals -- claiming to be software to "protect your children" on the computer. What the EFF investigation actually found is that the software is little more than spyware with weak to non-existent security that likely makes kids and your computer a lot less safe. Aren't you glad your tax dollars are being spent on it?
Quote: The way ComputerCOP works is neither safe nor secure. It isn’t particularly effective either, except for generating positive PR for the law enforcement agencies distributing it. As security software goes, we observed a product with a keystroke-capturing function, also called a “keylogger,” that could place a family’s personal information at extreme risk by transmitting what a user types over the Internet to third-party servers without encryption. That means many versions of ComputerCOP leave children (and their parents, guests, friends, and anyone using the affected computer) exposed to the same predators, identity thieves, and bullies that police claim the software protects against.

Furthermore, by providing a free keylogging program—especially one that operates without even the most basic security safeguards—law enforcement agencies are passing around what amounts to a spying tool that could easily be abused by people who want to snoop on spouses, roommates, or co-workers.
The software is ancient -- dating back about 15 years -- and it doesn't look like it's improved much over the years. Even the interface looks outdated. And it doesn't appear much actual thought has been put into the product and whether or not it does anything to actually keep people safe. Instead, from all appearances, it sounds like the organization behind it is just looking to figure out ways to get taxpayer money from law enforcement, promising "cybersecurity" when it's actually making things worse. The more innocuous, but still pointless part of the tool is the "search" feature:
Quote: The tool allows the user to review recent images and videos downloaded to the computer, but it will also scan the hard drive looking for documents containing phrases in ComputerCOP’s dictionary of thousand of keywords related to drugs, sex, gangs, and hate groups. While that feature may sound impressive, in practice the software is unreliable. On some computer systems, it produces a giant haystack of false positives, including flagging items as innocuous as raw computer code. On other systems, it will only produce a handful of results while typing keywords such as "drugs" into Finder or File Explorer will turn up a far larger number of hits. While the marketing materials claim that this software will allow you to view what web pages your child visits, that's only true if the child is using Internet Explorer or Safari. The image search will potentially turn up tens of thousands of hits because it can't distinguish between images children have downloaded and the huge collection of icons and images that are typically part of the software on your computer.
Sophisticated software, this is not.

Then there's the keylogger/spyware bit.
Quote: ComputerCOP’s KeyAlert keylogging program does require installation and, if the user isn’t careful, it will collect keystrokes from all users of the computer, not just children. When running on a Windows machine, the software stores full key logs unencrypted on the user’s hard drive. When running on a Mac, the software encrypts these key logs on the user's hard drive, but these can be decrypted with the underlying software's default password. On both Windows and Mac computers, parents can also set ComputerCOP up to email them whenever chosen keywords are typed. When that happens, the software transmits the key logs, unencrypted, to a third-party server, which then sends the email. KeyAlert is in included in the "deluxe," "premium," and "presentation" versions of the software.
The lack of encryption is somewhat astounding in this day and age:
Quote: Security experts universally agree that a user should never store passwords and banking details or other sensitive details unprotected on one’s hard drive, but that’s exactly what ComputerCOP does by placing everything someone types in a folder. The email alert system further weakens protections by logging into a third-party commercial server. When a child with ComputerCOP installed on their laptop connects to public Wi-Fi, any sexual predator, identity thief, or bully with freely available packet-sniffing software can grab those key logs right out of the air.
Incredibly, when EFF approached the maker of ComputerCOP, the guy behind it, Stephen DelGiorno tried to deny any problems:
Quote: “ComputerCOP software doesn’t give sexual predator [sic] or identity thieves more access to children’s computers, as our .key logger [sic] works with the existing email and Internet access services that computer user has already engaged,” he wrote via email.

He further said that ComputerCOP would update the software's licensing agreement to say "that no personal information is obtained nor stored by ComputerCOP."
As the EFF notes, this is both unacceptable and "fairly nonsensical." EFF tested the software and found, of course, that it's quite easy to snatch passwords via the software.

The company appears to have some other difficulties with the truth as well:
Quote: In February, DelGiorno told EFF the keystroke-logging feature was a recent addition to the software and that most of the units he’s sold did not include the feature. That doesn’t seem to jibe with ComputerCOP’s online footprint. Archive.org’s WayBack Machine shows that keystroke capture was advertised on ComputerCOP.com as far back as 2001. Although some versions of ComputerCOP do not have the keylogger function, scores of press releases and regional news articles from across the country discuss the software’s ability to capture a child’s conversations.
Also, this:
Quote: In investigating ComputerCOP, we also discovered misleading marketing material, including a letter of endorsement purportedly from the U.S. Department of Treasury, which has now issued a fraud alert over the document. ComputerCOP further claims an apparently nonexistent endorsement by the American Civil Liberties Union and an expired endorsement from the National Center for Missing and Exploited Children.
You can see the Treasury Department fraud alert here, in which it states: "A falsified letter from the Treasury Executive Office for Asset Forfeiture is being circulated indicating that the Treasury approves or endorses this product: it does not." It also includes a link to a sample letter, which uses multiple fonts (which is common among faked letters). In fact, EFF got DelGiorno to admit to changing an original letter, saying he "recreated the letterhead to make it more presentable" and highlighted certain text. He claims that there was an original letter from 2001 (the date on the letter getting passed around has the date removed), but the Treasury Department has issued the fraud report and says it's unable to find the original document that ComputerCOP claims was sent.

There are some other dubious issues related to the software and getting police departments to buy it (often with federal grants). Here's one example from the county where I grew up:
Quote: Since 2007, Suffolk County Sheriff Vincent DeMarco’s office in New York, where ComputerCOP is based, has bought 43,000 copies of the software—a fact trumpeted in DeMarco’s reelection campaign materials. ComputerCOP’s parent company directly donated to DeMarco’s campaign at leastninetimes over the same period.
As EFF notes, ComputerCOP specifically promotes the tool as an "election and fundraising tool" telling politicians and law enforcement folks that handing it out will make them look good and even sending out camera crews "to record an introduction video with the head of the department."

The whole thing is incredibly sketchy. It's fairly ridiculous that at the same time that law enforcement folks are ridiculously claiming that encryption "harms" children, so many are actively out there spending taxpayer money on, and then distributing, an app that actively puts children (and everyone else) at risk while pretending to be done in the name of safety.

If you happen to have a computer where ComputerCOP was installed, the EFF has handy details on removing it.

Originally Published: Wed, 01 Oct 2014 20:31:00 GMT
source
Reply
#2
Yesterday, we wrote about the EFF's investigation into Computer Cop, the dangerous spyware/keylogger that is sold to police departments and other law enforcement folks as a "perfect election and fundraising tool" because the software gets branded with local law enforcement/politicians and they get to hand it out as a tool to "protect your children" by spying on how they use their computers. The software appears to be a very crappy search system and keylogger. Any keylogger is already a dangerous tool, but this one is especially dangerous in that it transmits the log of keystrokes entirely unencrypted to a server, meaning that all sorts of information, including passwords, credit cards, etc. are transmitted across the internet in the clear. The Computer Cop website looks like it was designed a decade ago and then left to rot (as does its software):
[Image: 0EUSRYjm.png]
The site is so bad that the company's own address in the footer of the website spells the city wrong. The company is based in Bohemia, NY, yet the site's own website spells it Bhomeia. Yes, that's more than one letter out of place:
[Image: czx58Ewl.jpg]
All of this should give you a sense of what's going on here. Rather than actually "protecting children," this is a cynical money-grab by a guy who is convincing politicians to use government money to make children less safe while pretending to "protect the children."

Given the powerful expose by the EFF, you'd think that some of the folks who bought into the bogus software and distributed this dangerous spyware to unsuspecting parents might be regretting their decision. Instead, they're... still playing politics. The San Diego District Attorney, Bonnie Dumanis, didn't apologize. She did release an alert warning about the very software she purchased and promoted and distributed to parents, but then still says the software is generally good and will continue to distribute it.
Quote: In a statement, Dumanis spokesman Steve Walker said the program was still a useful tool for parents.

“Our online security experts at the Computer and Technology Crime High-Tech Response Team continue to believe the benefits of this software in protecting children from predators and bullies online and providing parents with an effective oversight tool outweigh the limited security concerns about the product, which can be fixed,” Walker said.

Walker said that the District Attorney’s Office still has a few copies of the program left and will give them to families who request it.
There don't appear to be any actual redeeming qualities to the software. It doesn't protect anyone, but rather makes them less safe while giving parents a false sense of security. San Diego (and elsewhere) deserve much better, but apparently they're not going to get it.

The "warning" that was sent out just suggests disabling the keylogger part -- and doesn't appear to take any responsibility for purchasing and promoting the software in the past. As for how much money was spent? Apparently San Diego spent $25,000 on the software:
Quote: Dumanis spent $25,000 from asset forfeiture funds — money and property seized during drug and other prosecutions — on 5,000 copies of the program for public dissemination.
Ah, so rather than being directly taxpayer money, it's just money stolen via questionable forfeiture procedures. It's hard to see how that's any better.

Originally Published: Thu, 02 Oct 2014 15:12:01 GMT
source
Reply
#3
Okay, so we thought the response from San Diego's District Attorney Bonnie Dumanis was pretty bad to the revelations about ComputerCOP. After all, she was responding to the news that she had purchased and distributed dangerous spyware masquerading as software to "protect the children" -- and the best she could come up with was that her "security" people still thought it would protect kids? But apparently Damanis has nothing on Sheriff Mike Blakely of Limestone County, Alabama.

Blakely, in a bit of unfortunate timing, just announced that his department had purchased 5,000 copies of the spyware earlier this week, so perhaps it's understandable that this "perfect election and fundraising tool" might actually turn into something of a liability. But Blakely's not going down without a fight. When presented with the news that he's proudly handing out tools that are making the children he's supposed to be protecting less safe, Blakely went with an ad hom the messenger approach, attacking EFF's credibility, and calling them "liberals."
Quote: Blakely referred to the EFF criticism politics as an "Ultra-liberal organization that is not in any way credible on this. They're more interested in protecting predators and pedophiles than in protecting our children."
Anyone even remotely familiar with EFF recognizes that basically every word in that statement is ridiculous, but what are you going to do? The idea that EFF isn't credible on security issues is laugh out loud funny (and, indeed, despite attending a conference and being in a room full of people, I literally laughed out loud upon reading it). However, Blakely insists his IT people are sure the software's fine:
Quote: "We have had the key logger checked out with our IT people. They have run it on our computer system." He said. "There is no malware."
Reread that a few times. "We had the key logger checked out... there is no malware." Dude. A keylogger is malware. That's what it does. From the description here, it sounds like his "IT people" ran some anti-malware software on the computer they installed ComputerCOP on, and because it didn't flag it, they insist it's not malware. But a keylogger is malware by definition. And the fact that this malware happens to pass unencrypted text, including passwords and credit card numbers, over the internet makes it really, really bad.

But don't tell that to Sheriff Blakely. He insists that ComputerCOP might have stopped Columbine. I'm not joking.
Quote: On the phone Wednesday he added "There are some parents out in Columbine Colorado, if they had this kind of software, things would have turned out differently."
That comment is so off it defies a coherent response.

Meanwhile, I'm sure that Sheriff Blakely's "IT People" are trustworthy, given that his website looks like it was designed in 1997 and hasn't been touched since. It even has a visitor counter and a "this site best viewed in Internet Explorer" badge. I'm not joking. And a scroll. The only thing it's missing is an under construction gif and the blink tag:
[Image: Sn3ywFl.png]
And, uh, note that text there:
Quote: You are not permitted to copy, broadcast, download, store (in any medium), transmit, show or play in public, adapt or change in any way, the content of these web pages for any other purpose whatsoever without the prior written permission of the site webmaster.
And there's a copyright notice below it. Of course, anyone who views the website has copied, downloaded, stored and transmitted the webpage in some manner -- so, I'm not quite sure what to do other than to say, that most of those demands are completely bogus and not based on any actual law. As for the copyright -- well, while technically only federal government works are exempt from copyright, and state and local governments can get a copyright in some fashion, it's generally not considered the appropriate role of government officials to be copyrighting official government works. Furthermore, in such cases, there would likely be a very strong presumption of fair use for a whole host of reasons.

Oh, but it gets worse. Not only are you not supposed to copy any of the text on Sheriff Blakely's website, the terms of service on his website say he might put you in jail if you do:
Quote: The unauthorized use, copy, or reproduction of any content of this site inclusive, may be punishable by both fine and imprisonment.
Under what legal theory is that happening? As a sheriff, aren't you supposed to, you know, actually know what the law is? Maybe work on that before slamming the good folks at EFF while distributing dangerous spyware that makes kids less safe. And find someone who's built a website in the last decade.

Originally Published: Thu, 02 Oct 2014 20:10:55 GMT
source
Reply
#4
It appears that the police and other law enforcement folks who spent department money on the awful ComputerCOP spyware simply can't admit that they were handing out software that made kids less safe. Instead, they're sticking by their decision to do so. Given that the company personalized the software in the name of local law enforcement, and pitched it as the "perfect election and fundraising tool," you can understand their reticence to actually admit that they've been making kids a hell of a lot less safe. We already discussed San Diego District Attorney Bonnie Dumanis defending the software, even while issuing an "alert" telling parents how to disable the keylogging feature. Even more bizarre was the response of Limestone County, Alabama, Sheriff Mike Blakely, who simply questioned EFF's credibility in revealing the dangerous nature of the software.

Blakely appears to be doubling down on that argument. In an interview with Ars Technica, he again bizarrely claims that the EFF wants to protect pedophiles and predators, and then also endorses spying on kids:
Quote: With respect to the EFF he said, “I'm not against their criticism but I just think they're probably more interested in protecting predators and pedophiles than in protecting our children.”

“As sheriff, I went down [to schools] and met with kids and I taught them about bicycle safety and not to talk to strangers,” Blakely said, adding that handing out ComputerCOP was just another branch of the department's efforts to keep kids from being solicited online.

“If you and I were married and had a 14-year-old daughter, then yeah I could check on who you're talking to online and you could check who I'm talking to,” he said. “But if [ComputerCOP is] used properly, it's something we whole-heartedly endorse. Now if you're of the persuasion of the people of the EFF who would rather not do anything, then that's something that I can't help.”
That ignores, of course, that the keylogging sends information unencrypted, thus putting children much more at risk. When Ars did ask him about that, Blakely said that they'd have to talk to his "IT people."

It appears that other police departments and district attorneys are similarly trying to defend the fact that they've been distributing dangerous keylogging software that can pass unencrypted cleartext of any information typed by kids. Some law enforcement folks are not just standing by their decision to hand out the spyware, but are continuing to do so. Contra Costa District Attorney Dan Cabral, astoundingly, admits that he intends to continue distributing the software until after someone's been hurt.
Quote: Contra Costa Assistant District Attorney Dan Cabral said Friday that the office has no plans to recall the software it distributed.

"If it turns up later that there's some sort of breach we will do so, but right now we feel it serves its purpose and it assists parents in what its supposed to do," Cabral said Friday.
Steve Moawad, the Senior Deputy District Attorney working for Cabral, ridiculously argues the fact that so many other law enforcement folks got duped is somehow proof that the software must be okay.
Quote: "I am aware of several law enforcement agencies that have looked at the product before and after this report," Moawad said. "I believe the EFF is overstating the risk and, the fact that this program has been handed out by hundreds of law enforcement agencies over a period of 10 years and there's been no reported incidents of identity theft as a result of the use of the software is indicative of that (fact)."
There are many, many problems with this. Just because a specific breach can't be traced back directly to this software doesn't mean breaches haven't happened (and happened regularly). Based on how the software itself works (sending cleartext over the internet), there's really not going to be any indication that when a breach happens it's because of the software. Parents and kids just won't know how the leak of information happened.

Meanwhile, over in Loudon County, Virginia, the Sheriff's Office not only stood by the use of the software but announced plans to hand out more copies next year:
Quote: In a statement issued by the Loudoun County Sheriff's Office today, the agency said “ComputerCOP is very similar to other parental monitoring systems available on the market. The program does not operate without the CD inserted in the computer disk drive and does not allow access from any outside parties, including the Loudoun County Sheriff’s Office or ComputerCOP. The disks are not distributed without explanation from Loudoun County Sheriff’s Office personnel during our Internet Safety: What Parents Need to Know presentations. Parents are made aware at these presentations of the programs limitations and how it is intended to be used. Parents with questions about ComputerCOP are encouraged to attend one of our upcoming Internet Safety courses that will begin in early 2015 at area schools.”
First of all, the claim is misleading to the point of being disingenuous. While the software, by itself, does not "allow access from any outside parties," by sending cleartext copies of keylogging output over the internet, it's revealing that content to many, many potential outside parties. It appears the Loudon County Sheriff's office doesn't even understand the problem -- and yet they claim that they've properly explained the software to parents? That seems difficult to believe.

I'd be curious if the presentation includes an explanation of keylogging, encryption and the dangers of sending cleartext over the internet. Again, it seems doubtful. Hopefully, some parents in Loudon County who do understand this will head on over to the next set of Internet Safety classes, not to be educated, but to educate the police there.

Next up, there are the folks at the Maricopa County, Arizona, Attorney's Office. They, too, are not at all happy with the EFF, while remaining pleased as punch with ComputerCOP's software, despite it putting kids in danger. In an email to CNET's Seth Rosenblatt, the Maricopa County Attorney's Office says it's "ridiculous" to call the software spyware, and also (huh?) claims that EFF is only doing this because it offers "a competing product." Wait, what?
Quote: In short, this is a story filled with inaccurate information and numerous misrepresentations from an organization that just so happens to be offering a competing product. That fact alone warrants skepticism about its conclusions. Unfortunately however, several news outlets (and I am not including CNET here) have accepted and regurgitated the EFF report without making any effort to verify the information it contains or talk to someone who’s actually used the product, let alone checked it out first hand.

To call ComputerCOP "spyware" is ridiculous. This product is fundamentally no different than the parental controls that are available on countless digital devices and so ware used by kids today. In fact, most parents believe they have the right and responsibility to know what their children are doing online, and this product is a simple tool that allows them to do that.
First off, I had no idea that EFF offered its own spyware product. Second, whether or not the product is "fundamentally no different" kind of misses the point. If all such software have serious security problems, that should be an issue.
Quote: Unlike what most experts would term "spyware," ComputerCOP does not surreptitiously send information to third parties. The hysterical claim that ComputerCOP sends notifications emails without encryption... is utterly fatuous and disingenuous. The software uses a user's existing e-mail service to send notifications. A ComputerCOP notification has no greater potential for being compromised than any other e-mail a user sends.
That suggests a level of technical ignorance that is, well, kinda scary. The fact that ComputerCOP sends keylogger info without encryption is entirely accurate. It is neither fatuous nor disingenuous. In response to this bizarre claim from Maricopa County, the EFF's Dave Maass (who wrote the original report) asked Maricopa to hire an independent security team to evaluate the software. Also, despite its claims, Maass notes that over the weekend, Maricopa County appears to have removed their own website promoting ComptuerCOP. Perhaps the Maricopa County's Attorneys Office isn't quite as confident in the software as they claimed.

Meanwhile, one of the security researchers who the EFF used in its original report, Jeremy Gillula, went a step further. On Twitter, he issued a challenge to anyone defending ComputerCOP:
Quote: Challenge to all defending ComputerCOP as secure: you install it, connect to open wifi and login to your bank while I run wireshark. Any money I transfer out using your username and password from the packet logs gets donated to EFF. If I can't get any money, I retract all statements about ComputerCOP's keylogger being insecure. Sound like a deal?
Let's see if anyone takes him up on it.

Permalink | Comments | Email This Story
[Image: mf.gif]

Originally Published: Mon, 06 Oct 2014 19:26:00 GMT
source
Reply




Users browsing this thread: 2 Guest(s)