HideOnly 2 days left to get your copy of the CIA's declassified training game by backing CIA: Collect It All on Kickstarter »
HideOnly 2 days left to get your copy of the CIA's declassified training game by backing CIA: Collect It All on Kickstarter »

Law Enforcement Still Defending ComputerCOP: Says They'll Keep Distributing It Until After Someone's Been Hurt

from the say-what-now? dept

It appears that the police and other law enforcement folks who spent department money on the awful ComputerCOP spyware simply can't admit that they were handing out software that made kids less safe. Instead, they're sticking by their decision to do so. Given that the company personalized the software in the name of local law enforcement, and pitched it as the "perfect election and fundraising tool," you can understand their reticence to actually admit that they've been making kids a hell of a lot less safe. We already discussed San Diego District Attorney Bonnie Dumanis defending the software, even while issuing an "alert" telling parents how to disable the keylogging feature. Even more bizarre was the response of Limestone County, Alabama, Sheriff Mike Blakely, who simply questioned EFF's credibility in revealing the dangerous nature of the software.

Blakely appears to be doubling down on that argument. In an interview with Ars Technica, he again bizarrely claims that the EFF wants to protect pedophiles and predators, and then also endorses spying on kids:
With respect to the EFF he said, “I'm not against their criticism but I just think they're probably more interested in protecting predators and pedophiles than in protecting our children.”

“As sheriff, I went down [to schools] and met with kids and I taught them about bicycle safety and not to talk to strangers,” Blakely said, adding that handing out ComputerCOP was just another branch of the department's efforts to keep kids from being solicited online.

“If you and I were married and had a 14-year-old daughter, then yeah I could check on who you're talking to online and you could check who I'm talking to,” he said. “But if [ComputerCOP is] used properly, it's something we whole-heartedly endorse. Now if you're of the persuasion of the people of the EFF who would rather not do anything, then that's something that I can't help.”
That ignores, of course, that the keylogging sends information unencrypted, thus putting children much more at risk. When Ars did ask him about that, Blakely said that they'd have to talk to his "IT people."

It appears that other police departments and district attorneys are similarly trying to defend the fact that they've been distributing dangerous keylogging software that can pass unencrypted cleartext of any information typed by kids. Some law enforcement folks are not just standing by their decision to hand out the spyware, but are continuing to do so. Contra Costa District Attorney Dan Cabral, astoundingly, admits that he intends to continue distributing the software until after someone's been hurt.
Contra Costa Assistant District Attorney Dan Cabral said Friday that the office has no plans to recall the software it distributed.

"If it turns up later that there's some sort of breach we will do so, but right now we feel it serves its purpose and it assists parents in what its supposed to do," Cabral said Friday.
Steve Moawad, the Senior Deputy District Attorney working for Cabral, ridiculously argues the fact that so many other law enforcement folks got duped is somehow proof that the software must be okay.
"I am aware of several law enforcement agencies that have looked at the product before and after this report," Moawad said. "I believe the EFF is overstating the risk and, the fact that this program has been handed out by hundreds of law enforcement agencies over a period of 10 years and there's been no reported incidents of identity theft as a result of the use of the software is indicative of that (fact)."
There are many, many problems with this. Just because a specific breach can't be traced back directly to this software doesn't mean breaches haven't happened (and happened regularly). Based on how the software itself works (sending cleartext over the internet), there's really not going to be any indication that when a breach happens it's because of the software. Parents and kids just won't know how the leak of information happened.

Meanwhile, over in Loudon County, Virginia, the Sheriff's Office not only stood by the use of the software but announced plans to hand out more copies next year:
In a statement issued by the Loudoun County Sheriff's Office today, the agency said “ComputerCOP is very similar to other parental monitoring systems available on the market. The program does not operate without the CD inserted in the computer disk drive and does not allow access from any outside parties, including the Loudoun County Sheriff’s Office or ComputerCOP. The disks are not distributed without explanation from Loudoun County Sheriff’s Office personnel during our Internet Safety: What Parents Need to Know presentations. Parents are made aware at these presentations of the programs limitations and how it is intended to be used. Parents with questions about ComputerCOP are encouraged to attend one of our upcoming Internet Safety courses that will begin in early 2015 at area schools.”
First of all, the claim is misleading to the point of being disingenuous. While the software, by itself, does not "allow access from any outside parties," by sending cleartext copies of keylogging output over the internet, it's revealing that content to many, many potential outside parties. It appears the Loudon County Sheriff's office doesn't even understand the problem -- and yet they claim that they've properly explained the software to parents? That seems difficult to believe.

I'd be curious if the presentation includes an explanation of keylogging, encryption and the dangers of sending cleartext over the internet. Again, it seems doubtful. Hopefully, some parents in Loudon County who do understand this will head on over to the next set of Internet Safety classes, not to be educated, but to educate the police there.

Next up, there are the folks at the Maricopa County, Arizona, Attorney's Office. They, too, are not at all happy with the EFF, while remaining pleased as punch with ComputerCOP's software, despite it putting kids in danger. In an email to CNET's Seth Rosenblatt, the Maricopa County Attorney's Office says it's "ridiculous" to call the software spyware, and also (huh?) claims that EFF is only doing this because it offers "a competing product." Wait, what?
In short, this is a story filled with inaccurate information and numerous misrepresentations from an organization that just so happens to be offering a competing product. That fact alone warrants skepticism about its conclusions. Unfortunately however, several news outlets (and I am not including CNET here) have accepted and regurgitated the EFF report without making any effort to verify the information it contains or talk to someone who’s actually used the product, let alone checked it out first hand.

To call ComputerCOP "spyware" is ridiculous. This product is fundamentally no different than the parental controls that are available on countless digital devices and so ware used by kids today. In fact, most parents believe they have the right and responsibility to know what their children are doing online, and this product is a simple tool that allows them to do that.
First off, I had no idea that EFF offered its own spyware product. Second, whether or not the product is "fundamentally no different" kind of misses the point. If all such software have serious security problems, that should be an issue.
Unlike what most experts would term "spyware," ComputerCOP does not surreptitiously send information to third parties. The hysterical claim that ComputerCOP sends notifications emails without encryption... is utterly fatuous and disingenuous. The software uses a user's existing e-mail service to send notifications. A ComputerCOP notification has no greater potential for being compromised than any other e-mail a user sends.
That suggests a level of technical ignorance that is, well, kinda scary. The fact that ComputerCOP sends keylogger info without encryption is entirely accurate. It is neither fatuous nor disingenuous. In response to this bizarre claim from Maricopa County, the EFF's Dave Maass (who wrote the original report) asked Maricopa to hire an independent security team to evaluate the software. Also, despite its claims, Maass notes that over the weekend, Maricopa County appears to have removed their own website promoting ComptuerCOP. Perhaps the Maricopa County's Attorneys Office isn't quite as confident in the software as they claimed.

Meanwhile, one of the security researchers who the EFF used in its original report, Jeremy Gillula, went a step further. On Twitter, he issued a challenge to anyone defending ComputerCOP:
Challenge to all defending ComputerCOP as secure: you install it, connect to open wifi and login to your bank while I run wireshark. Any money I transfer out using your username and password from the packet logs gets donated to EFF. If I can't get any money, I retract all statements about ComputerCOP's keylogger being insecure. Sound like a deal?
Let's see if anyone takes him up on it.

Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Violynne (profile), 6 Oct 2014 @ 11:29am

    I'm curious if any of these idiots are confident enough to install the software on the work and home computers they use.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 6 Oct 2014 @ 1:10pm

      Re:

      Sadly, I suspect that many of them are that confident. Probably confident to take a laptop with ComputerCOP installed to a Starbuck's, too. And I'd suspect that said laptop probably doesn't have drive-level encryption.

      reply to this | link to this | view in chronology ]

    • icon
      JMT (profile), 6 Oct 2014 @ 4:56pm

      Re:

      They've already admitted to installing it on their own police computers, and said it was just fine...

      reply to this | link to this | view in chronology ]

  • icon
    That One Guy (profile), 6 Oct 2014 @ 12:01pm

    'My money is more important than your safety.'

    Let's see if anyone takes him up on it.

    Not. A. Chance.

    They'll put the personal information of others, including the very children they claim to be protecting, at risk, no problem, but their own?
    I'm betting every last one of them will be too cowardly to take the bet, to put their money(literally) where their mouth is.

    Mind, I would love to be proven wrong on this, any cop who actually accepted the challenge to prove how 'secure' the software is would instantly regain my respect, because it would show that they honestly do think the software is secure, that it really will protect, rather than harm, people, and they are willing to put their own bank account at risk to prove it.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 6 Oct 2014 @ 12:46pm

      Re: 'My money is more important than your safety.'

      ...any cop who actually accepted the challenge to prove how 'secure' the software is would instantly regain my respect, because it would show that they honestly do think the software is secure, that it really will protect, rather than harm, people, and they are willing to put their own bank account at risk to prove it.

      There's a word for that cop, who inevitably will accept - we used to call them a "patsy."

      reply to this | link to this | view in chronology ]

  • icon
    John Fenderson (profile), 6 Oct 2014 @ 12:36pm

    Proving himself a fool

    The more Blakely talks, the more obvious it is that he doesn't know have a clue what he's talking about.

    reply to this | link to this | view in chronology ]

  • identicon
    Baron von Robber, 6 Oct 2014 @ 12:50pm

    " When Ars did ask him about that, Blakely said that they'd have to talk to his "IT people.""

    That would be Joe "Fishy" Bob, his Uncle Dad.

    reply to this | link to this | view in chronology ]

  • identicon
    Personanongrata, 6 Oct 2014 @ 12:50pm

    Do Not Question My Authority

    Nothing to see here people when law enforcement "professionals" speak you listen and then unquestioningly act consequences be damned.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 6 Oct 2014 @ 12:56pm

    EFF poked the wasp's nest.

    You're not allowed to challenge the ruling class for the ruling class knows best.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 6 Oct 2014 @ 12:58pm

    Maricopa County uses ComputerOCP? We've known for a while that their sheriff is a knuckle-dragging thug, but this just puts the icing on the cake!

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 6 Oct 2014 @ 1:00pm

    In the land where we have massive breaches of secure servers through heartbleed and shellshock exploits and the NSA filling sucking data out of every hole in the internet, these idiots think their unencrypted, third-party data transferring spyware is 'safe'.

    I mean that really has to tell you something.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 6 Oct 2014 @ 1:02pm

      Re:

      Also massive data breeches in several large retail chains in the last several years, such as (but not limited to) Target and Home Depot.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 6 Oct 2014 @ 1:03pm

        Re: Re:

        This is truly security through obscurity. But now that they're in the highlight, I wonder how long that security is going to last.

        Of course if the data is stolen, they're going to blame the thieves, not the terribly flawed software they've been warned about.

        reply to this | link to this | view in chronology ]

      • icon
        David Muir (profile), 6 Oct 2014 @ 1:17pm

        Re: Re:

        Sadly, the massive breeches at Target and other retail chains in the last several years are actually related to the obesity problem.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 6 Oct 2014 @ 1:09pm

    I want a copy of ComputerCOP just because it seems to be the only legal spyware on the market right now.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 6 Oct 2014 @ 1:15pm

    how do you think they could admit to how useless this software is and how dangerous it is for kids? it would mean those who got the kick-backs having to return them!!

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 6 Oct 2014 @ 1:30pm

    "If it turns up later that there's some sort of breach we will do so, but right now we feel it serves its purpose and it assists parents in what its supposed to do," Cabral said Friday.

    "Challenge Accepted" -Hackers

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 6 Oct 2014 @ 1:33pm

      Response to: Anonymous Coward on Oct 6th, 2014 @ 1:30pm

      "CHALLENGE DENIED" - CFAA

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 6 Oct 2014 @ 1:40pm

        Re: Response to: Anonymous Coward on Oct 6th, 2014 @ 1:30pm

        Awwwww...

        You know I was thinking about it, and you really don't have to take any information at all. All you would have to do leave a hint that the program has been compromised. (Pffttt... I'm not even a hacker. I'm not even really sure if it would be possible to "fake" a hacking without accessing the data.)

        reply to this | link to this | view in chronology ]

      • identicon
        Baron von Robber, 6 Oct 2014 @ 1:51pm

        Re: Response to: Anonymous Coward on Oct 6th, 2014 @ 1:30pm

        EPIC FAIL! - Those that work in data security.

        reply to this | link to this | view in chronology ]

    • icon
      John Fenderson (profile), 6 Oct 2014 @ 1:44pm

      Re:

      The sad part is that it's not much of a challenge. Since everything's sent in the clear, collecting the data it sends is a trivial effort.

      reply to this | link to this | view in chronology ]

  • identicon
    Rich Kulawiec, 6 Oct 2014 @ 1:48pm

    Question for EFF/anyone who's checked the s/w

    Since it's transmitting data unencrypted, what measures (if any) does this software take to prevent someone from altering the data in transit?

    For that matter, what steps does it take to prevent someone from just fabricating it outright?

    reply to this | link to this | view in chronology ]

  • icon
    Blackfiredragon13 (profile), 6 Oct 2014 @ 1:55pm

    Why of course EFF has a competing product! It's called common sense! Computer cop is just trying to compete. So, what will you choose: common sense, or the world's worst bit of programming since the first Trojan?

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 6 Oct 2014 @ 2:38pm

    This sounds somewhat familiar.

    It reminds me of the SOPA discussion by Congress which basically went like this: "I don't understand any of this... BRING IN THE NEEEEEERDS".
    I often feel humiliated for politicians, but that discussion, and this is just proud ignorance that takes the cake. It was so embarrassing to watch people who run a country, act like a bunch of 12 year old kids.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 6 Oct 2014 @ 3:31pm

    Does this particular key logger get a pass from av software? If so, how would it be to make a cracked version of it that runs w/o the disk present?

    reply to this | link to this | view in chronology ]

  • icon
    orbitalinsertion (profile), 6 Oct 2014 @ 3:39pm

    Something I've been wondering about is not only the actual uptake/installation rate of this, but how many parents actually pay attention to, or maintain, this bit of dangerous code on their children's computers/accounts? I also wonder how it is being re-purposed by recipients.

    reply to this | link to this | view in chronology ]

  • icon
    ysth (profile), 6 Oct 2014 @ 4:30pm

    Hypocrite

    "As sheriff, I went down [to schools] and met [met, as in, didn't know, was a stranger to] with kids and I taught them about bicycle safety and not to talk to strangers [like me]".

    reply to this | link to this | view in chronology ]

  • icon
    pariahfanclub (profile), 6 Oct 2014 @ 4:58pm

    Law Enforcement Still Defending ComputerCOP: Says They'll Keep Distributing It Until After Someone's Been Hurt

    Just upload ComputerCOP to VirusTotal. Let the fifty-something malware scanners decide if it is malicious, potentially-unwanted or clean.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 6 Oct 2014 @ 6:11pm

      Re: Law Enforcement Still Defending ComputerCOP: Says They'll Keep Distributing It Until After Someone's Been Hurt

      I'm curious to see the results for this. Keep us updated?

      reply to this | link to this | view in chronology ]

      • icon
        That One Guy (profile), 6 Oct 2014 @ 6:22pm

        Re: Re: Law Enforcement Still Defending ComputerCOP: Says They'll Keep Distributing It Until After Someone's Been Hurt

        Unfortunately, currently most of them do know about it, they just give it a pass, likely because it's being handed out by the police, despite the fact that in function it's no better than your average spyware/malware, and is in fact worse, because people are trusting it to keep them safe while it's instead doing the exact opposite.

        'ComputerCOP doesn't appear in any of the major malware/spyware registries, so you'll need to do a little digging yourself.'

        It's one redeeming feature is that it's apparently relatively easy to remove if you know to look for it.

        Source:
        https://www.eff.org/deeplinks/2014/09/computercop-howto

        reply to this | link to this | view in chronology ]

  • identicon
    anon, 6 Oct 2014 @ 9:08pm

    This is the old infallibility of the pope thing.

    How dare you question our wisdom--we may not always be right, but we are never wrong.

    reply to this | link to this | view in chronology ]

  • icon
    toyotabedzrock (profile), 6 Oct 2014 @ 10:00pm

    Someone should create a packet filter that can grab SMTP traffic generated by the program and maybe hand it off to the metasploit people so they get the message.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Oct 2014 @ 4:34am

    We are governed by cabbages.

    reply to this | link to this | view in chronology ]

  • icon
    CivilLibertarian (profile), 7 Oct 2014 @ 7:32am

    I sent an email to the Suffolk County Sheriff's office the other day asking them to stop handing out this malware. Guess what? No reply (no surprise) and the the link for ComputerCOP is still up on the web site.

    reply to this | link to this | view in chronology ]

  • identicon
    Just Another Anonymous Troll, 7 Oct 2014 @ 11:34am

    Seriously?

    In this age of government surveillance, do they honestly think I'm dumb enough to install government-issued surveillance software onto my computer?

    reply to this | link to this | view in chronology ]

  • identicon
    Claire Rand, 7 Oct 2014 @ 1:10pm

    plain text...

    So presumably not that hard to fake the data feed then...?

    *innocent*

    reply to this | link to this | view in chronology ]

  • icon
    KoD (profile), 7 Oct 2014 @ 2:20pm

    I guess the competing product must be open and free internet? Competing with their dragnet? Idk, man... Nothing else makes sense to me.

    reply to this | link to this | view in chronology ]

  • identicon
    Zonker, 7 Oct 2014 @ 4:15pm

    Are they really claiming that all a kid has to do to not be monitored by ComputerCOP is to eject the CD from the computer?

    If true, it would be easier to circumvent than holding down the shift button while inserting a music CD. If false, they are lying about the CD requirement and it's running all the time.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 8 Oct 2014 @ 5:11am

    FBI: Well, take over the computer, lock the computer, and then demand a ransom payment before it would unlock. Steal images from your system of your children or your, you know, or steal your banking information, take your entire life.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Shop Now: Techdirt Logo Gear
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.