IT

Malaysian government using spyware against citizens? No, not really.

By Kit

March 15, 2013

By Keith Rozario | march 15, 2013 keithrozario.com

I’ve been pretty busy the past few months, and my post count has been pretty low, and although I just returned from a 2 week trip abroad and am now flushed full of work, I decided to burn a bit of the midnight oil today because the Malaysian Insider completely pissed me off.

It all started with an article from Lim Kit Siangs blog, which read “Malaysia uses spyware against citizens, NYT reports“. The post was merely a cut-and-copy reproduction of a Malaysian Insider article that had the same headline. The headline really got my blood churning and it was followed up with an even more mouth watering opening paragraph:

Malaysia is among 25 countries using off-the-shelf spyware to keep tabs on citizens by secretly grabbing images off computer screens, recording video chats, turning on cameras and microphones, and logging keystrokes, US newspaper the New York Times (NYT) reported yesterday. …. Global human rights group Human Rights Watch said in its 2013 report that Malaysia has yet to ratify core human rights treaties, despite being a member of the United Nations Human Rights Council. It added that Putrajaya continued to violate the rights to free association and public assembly last year, besides decreasing freedom of expression by amending the Evidence Act. ….

Unfortunately folks–this article is dead wrong. Not only is it deceiving and irresponsible, the fact that it appears on a news portal (rather than a personal blog) is terribly upsetting. The author of the article Boo Su-Lyn isn’t a freshie journalist either–you might remember here from the time she snuck into a Puteri UMNO meeting to report on what was said behind the walled-doors of UMNO, that was an impressive piece of journalism. This article however, is just a pile of bullshit–topped up with ignorance and sprinkled with deception.

*I’m just guessing of course that the Boo Su-Lyn that snuck into UMNO is the same Boo Su-Lyn here.

An Introduction to Spyware and FinSpy

Probably good to start with a short intro on Spyware and Finspy. Spyware is merely a generic term used to refer to malicious software that tries to infect your computer and perform various ‘nasty’ things. These ‘nasty’ things range from the harmless pop-ups of adverts to the not-so harmless stealing of personal data. Spyware has been around almost as long as the internet, and usually spreads via emails and thumb-drives, but mostly it rears its ugly head when you visit free porn sites — somebody has to pay the hosting bill for all those videos right?

FinSpy however is in a class of it’s own. According to the NYT article “FinSpy is spyware sold by the Gamma Group, a British company that says it sells monitoring software to governments solely for criminal investigations.”

The only problem is, some governments view political opposition as a criminal offence, and Gamma Group has sold this piece of spyware to these ‘questionable’ governments. The spyware is professionally built and masquerades as a JPEG picture. We aren’t talking about some high school kid writing code here, this is hardcore Enterprise-level spyware. For the more technical understanding of FinSpy, take a look at a full blown report by Citizen Lab here. (note: this is not meant for the layman).

In fact, Citizen Labs are the people to first break the news about Malaysia being involved in all this hullubala!!

So what has Malaysia got to do with it

FinSpy wouldn’t be any good unless it was sending data back to its master, all that spying would be worthless unless the spy-er got a hold of the data it wanted to spy on in the first place. On the internet, the most sensible way to send the data back would be to route it to a server somewhere (let’s call them FinSpy servers), and it’s here that the Glorious Name of our Marvellous nation gets sullied.

Back in August 2012, the New York Times reported that FinSpy servers were popping up in 10 countries–fortunately Malaysia wasn’t on that list. Things have changed though, the latest report from Citizen Lab reports that they found a FinSpy server–on a Malaysian IP!!

That single factoid, that a FinSpy server was hosted on a Malaysian IP is all the evidence we have that the Malaysian Government is spying on it’s citizens. Needless to say that’s not exactly a solid foundation for such a dramatic accusation.

Boo Su-Lyn needs to read the reports properly

So let’s get this straight. I’m a part-time blogger, up to my neck in assignments, and in about 1 hour on Google I can easily say that there is no evidence to say that Malaysian government was using spyware on its Citizens. Just because one FinSpy server (out of 25 found) happens to be hosted in Malaysia doesn’t mean the government is using it. How is it then, that a journalist–possibly a full time one– can’t find the time to properly check her facts before making such accusations–when I can do it in 1 hour.

Nowhere in the NYT article does it say Malaysia was spying on it’s citizens–although to be fair, the title of the NYT post did say “Researchers Find 25 Countries Using Surveillance Software” which isn’t accurate either. The accurate title would be “Researchers find FinSpy servers in 25 countries”. Just because a country is hosting a server doesn’t mean it is spying on it’s citizens.

So let’s look at the facts:

Facts About FinFisher & FinSpy in Malaysia

Fact 1: Citizen Lab reported that they found 33 servers in 25 countries.

Fact 2: By their own admission they admit the list is possibly incomplete “due to the large diversity of ports used by FinSpy servers, as well as other efforts at concealment”

Fact 3: Citizen Labs goes on to clearly disclaim that “ a discovery of a FinSpy command and control server in a given country is not a sufficient indicator to conclude the use of FinFisher by that country’s law enforcement or intelligence agencies. In some cases, servers were found running on facilities provided by commercial hosting providers that could have been purchased by actors from any country”

Fact 4: The initial NYT report that found the first 10 servers–found them hosted on Amazon EC2 instances. Instances even I can procure with a credit card.

Fact 5: The Malaysian IP (though not published in full) belongs to a company called GPL host.

Fact 6: GPL Host has a partnership with TM in Malaysia for their hosting (which explains the Malaysian IP).

Fact 7: Eight FinSpy servers out of the 33 found were hosted by GPL Host. Only one of these servers was from Malaysia

Fact 8: The Malaysian IP is in the 117.121.240.X range. The other 7 FinSpy servers exist in nearby ranges, and are hosted in the US, Singapore and Australia. All of the servers in the 117.121.X.X range are hosted by GPLHost.

Fact 9: GPL Host is a Hosting company, which means anyone with a credit card can procure a server within their IP range for use. (which includes their Malaysian IP range).

Fact 10: Just to reiterate, Citizen Lab (who’ve done extensive research here) claim “in some cases, servers were found running on facilities provided by commercial hosting providers that could be purchased by actors from any country“. These include commercial hosting providers just like GPLHost.

Conclusion

It’s far more likely, that there is just one actor here, procuring servers from GPLHost and running FinSpy for one operation in (possibly) just one country–than it is that each of the 8 GPLHost servers are run by 8 separate individuals across 4 different countries–and all 8 of them just ‘so happened’ to pick this one obscure hosting company instead of something more common like Amazon EC2.

It’s also far-fetched, based on this data to conclude that “Malaysia is using spyware on it’s citizens” when it’s far more likely that Malaysia is merely a hosting ground for an overseas operation. I could be wrong–but as far as I can tell–no one has found an instance of FinFisher targeting Malaysian citizens. Let’s be honest la, do you really think the BN government has the technical know-how to pull this off?

Finally, the entire article was written with an intention to deceive. There is no way a definitive conclusion could be made from the data given and then Boo Su-Lyn goes on to sprinkle excerpts from the Human Rights Watch–which is valid but obviously has nothing to do with the article in question. The Human Rights quote isn’t mentioned anywhere in either the NYT article or in Citizen Lab. The allusion is clearly present, and I for one don’t appreciate it.

Now you all know me, I’m by no means the biggest supporter of the government. In fact, I much rather vote a Parang Wielding Rhesus Monkey than anyone from BN, but reporters have to be fair–and when they mis-report news on technology, I view it as my responsibility to set them straight!! (and it’s not a responsibility I take lightly).

So take note Ladies and Gentlemen–there’s about as much proof that your friendly neighbourhood BN government is spying on you as there is proof of a human colony on Mars. It is POSSIBLE, and indeed quite exciting to think about–but ultimately the evidence is inconclusive and nothing suggest it exist.

*image shamelessly stolen from the Amazing people at Citizen Labs who wrote the original report https://citizenlab.org/2013/03/you-only-click-twice-finfishers-global-proliferation-2/

— **Emphasis and links by the author.