Adam's Antics

September 16, 2014

The Ultimate Weaponized Spyware For Computers and Smartphones: Now Free

Filed under: Law — Adam Scott Wandt @ 10:32 pm


As a Professor, attorney, and technologist, I deliver many academic lectures at John Jay College of Criminal Justice, lecture at conferences to professional organizations, and train law enforcement around the country. In 2012, I began warning of FinFisher, a German-based company (previously U.K.-based) that produces and sells computer intrusion systems, including remote monitoring solutions, and had recently developed the ultimate spyware for smartphones and computers.

Back then, details of FinFisher and its software were not publicly available. The company is secretive as its clients are government intelligence agencies. Some of FinFisher’s clients include nations with poor records on human rights, personal liberties, and privacy, including Mongolia, Pakistan, Vietnam, Nigeria, and Singapore. FinFisher has also reportedly sold software to intelligence communities in South Africa, Australia, Belgium, Slovakia, and the Netherlands.

In 2012, there was little information publicly available as to the full capabilities and reach of FinFisher’s software products. However, since then, information has slowly leaked out through WikiLeaks and other reputable sources. Today, FinFisher is known to produce the most powerful commercial weaponized surveillance malware software packages on the planet.

Two products of significance are FinSpy PC (computer spyware) and FinFisher Relay (smartphone spyware), which when installed grant the ability to intercept all files/documents and communications, such as those over Skype, email, and even video and audio through the webcam and microphone. These two software products can be remotely “pushed” (installed without the user’s knowledge or actions via a Trojan Horse or other method) to any computer or smartphone. This includes OS X, Windows and Linux computers, as well as Android, iOS, BlackBerry, Symbian, and Windows mobile devices. Users of these devices do not have to be anywhere near the vicinity of the person installing the malware. Furthermore, it is nearly impossible to identify that the malware has been installed without conducting a deep forensic analysis.

Disturbingly, researchers at citizenlab.org published evidence and reports showing the use of FinSpy PC and FinFisher Relay against journalists, activists, and political non-desirables around the world by government intelligence agencies. But at least the software was only available to international government intelligence agencies and generally kept out of the hands of cyber criminals… until now.

In 2013, during a presentation to the United States Association of Inspectors’ General, I warned that it was only a matter of time until FinFisher’s software would leak out on the web, becoming accessible to cyber criminals and others with malicious intent.

That day has arrived.

Yesterday, on September 15, 2014, Julian Assange, WikiLeaks Editor-in-Chief, allowed both FinSpy PC and FinFisher Relay to be openly published on WikiLeaks.org. In other words, as of yesterday, millions of cyber criminals around the world have access to a weaponized surveillance malware package that can be installed with very little effort, giving access to almost all the data on a user’s computer or smartphone.

Within minutes of the site going live, I received a barrage of communications via phone, email, Twitter, and text message from students, law enforcement, and researchers around the world. Most people just wanted to talk about the release of the software, while others asked how long it would take me to download and analyze the software.

Before lunchtime, my lab at John Jay College of Criminal Justice (The Advanced Research Domain for Information Security in Public Policy) had downloaded all available software and documentation. While my team and I obviously cannot deploy the software “in the wild,” we are able to analyze its code to determine exactly how virulent the software really is. We will be devoting a significant amount of time in the near future to analyze this threat and report our findings.

There is a glimpse of bright light shining through the murky water… Julian Assange and WikiLeaks did not release this software for cyber criminals to obtain and use, although it will be an unintended result. Their primary goal was to allow security researchers to analyze the code to come up with methods to protect us all (the public). While we are all at risk today, you can be sure that future software updates from Apple, Google, and Microsoft will contain significant security improvements rendering this software obsolete. That is, of course, until FinFisher updates the code within their products, and the cycle starts over again…

Adam Scott Wandt, J.D., M.P.A., is an Assistant Professor of Public Policy at John Jay College of Criminal Justice, where he serves on both the Graduate faculty of the Digital Forensics and Cyber Security program and the Masters of Public Administration in Inspection and Oversight program. Professor Wandt is an Attorney and Counselor-at-Law in the State of New York.

Media requests on this issue should be sent to the attention of apiyapinansook@jjay.cuny.edu with FinFisher clearly identified in the subject line.

Professor Wandt On Twitter: @Prof_Wandt

November 15, 2013

Mobile Device Investigations: Thinking Outside the Box

Filed under: General Antics,Law — Adam Scott Wandt @ 3:53 pm

Professor Wandt’s Presentation at the Association of Inspectors’ General 2013 Annual Meeting. The topic of the presentation is “Mobile Device Investigations: Thinking Outside the Box.”

April 17, 2013

Social Media Vigilantes: Self-Deputized Investigators Aid Law Enforcement?

Filed under: General Antics,Law — Adam Scott Wandt @ 11:53 am


Did 4Chan Identify the Boston Bombers?

Americans tend to think of hacking groups like Anonymous and 4Chan as mischievous criminals who cause damage and cost corporations and governments millions upon millions of dollars.

But occasionally the views of these groups align with popular opinion.

In response to the explosions at the Boston Marathon, online discussion forums are abuzz with the story that the global hacking group 4Chan took to the Internet to conduct their own cyber investigation. 4Chan reportedly requested assistance from the public and collected scores of photographs, a technique called crowd sourcing.

4Chan painstakingly analyzed the photos and identified several individuals who may have been involved with the bombing.

A website has been created (http://imgur.com/a/sUrnA) with annotated photographs showing the suspects at different points in time. Two photographs are annotated “Suspect #1” and “Suspect #2.” The suspects can be seen with and without two backpacks that may have been used to carry the bombs. A third suspect carries a duffel bag. Several other suspects are also identified. The photographs and evidence are clearly presented to the public.

This type of crowd sourced criminal investigation is a fairly new activity for hacker groups to engage in. What are the pros and cons of these activities?

PROS:

  1. Taking initiative to increase public safety.
  2. Conducting a public and transparent investigation.
  3. Collecting evidence that may assist law enforcement.
  4. Looking out for Americans.

CONS:

  1. May be considered inappropriate or illegal interference with a federal investigation.
  2. Alerting and outing possible suspects could cause problems for law enforcement.
  3. Releasing evidence before the government deems it appropriate may be considered a problem for national security.
  4. What if these people are innocent? What about violent vigilante responses?
  5. What if images are being doctored?

One final thought: Looking at these photographs, I noticed that some of these people look like special ops, not terrorists. Two of the suspects are wearing tactical pants and the backpacks possibly used to carry the bombs look like tactical gear. Did 4Chan simply identify undercover law enforcement or military, not terrorists?

Perhaps these photographs leave more questions unanswered than answered. But one thing is for sure… hacker groups engaging in crowd sourced criminal investigations is an interesting behavior that raises new ethical and legal issues.

Take a look at this archive of 4Chan’s photo investigation work (http://imgur.com/a/sUrnA) and tell me what you think in the comments below.
September 11, 2012

What About 9/11 Should We Never Forget?

Filed under: General Antics,Law — Adam Scott Wandt @ 1:15 pm

Everywhere we look today, we see signs and images reminding us of the tragic events of 9/11/2001. The slogan “Never Forget” has become the symbolic mantra associated with that horrible day. We see the words “Never Forget” … But what do they really mean? What is it we should “Never Forget?”

Should we Never Forget the events of 9/11/2001, or the people who lost their lives that day? Should we Never Forget the heroes that responded to 9/11 and the many who perished when the buildings fell? Should we Never Forget the Twin Towers, American Airlines Flights 11 and 77, United Airlines Flight 175, or the Pentagon? Should we Never Forget that we were attacked by al Qaeda or Osama Bin Laden? Should we Never Forget where we were or how we felt when we watched the news and felt helplessly sad and defeated?

Should we Never Forget the days following 9/11? Days of amazing patriotism where everyone flew an American flag and stood together in solidarity; days where differences in race, color and religion seemed to fade away. For a short period of time following 9/11, we were all American and we were all in this together.

I used to think that is what “Never Forget” meant, but today, I look at it differently. I see the phrase in a way that might upset people.

I ask that we Never Forget what life was like before 9/11.

I ask that we Never Forget there was a time when we did not live in fear. A time before SWAT Teams freely roamed the streets of New York City. A time before the TSA. A time before armed military in the subways, Penn Station, and Grand Central Terminal. A time before the NSA spied on just about everybody and everything. A time before the Patriot Act and the Protect America Act. A time before the president had the authority to suspend habeas corpus. A time before waterboarding and the horrors of Guantanamo Bay.

I ask that we Never Forget that our country was once free and prosperous. A time before fear controlled us. A time where the NYPD enforced quality of life crimes and did community policing. A time when racial profiling was frowned upon and not official policy.

I ask that we Never Forget there was a time when the world respected us. A time before we invaded Iraq. A time when our military budgets were much smaller and our international aid much larger. A time where we valued education and public service. A time where we respected (most) politicians. A time before hate. A time before the Tea Party. A time before OWS, massive debt, bailouts and TARP.

We should Never Forget the lives lost and the damage done on 9/11/2001. But more importantly, we should Never Forget who we were, as a nation, when we went to sleep on 9/10/2001.

We should Never Forget that a terrorist’s mission (by definition) is to force political or social change by fear. We should Never Forget that the terrorists accomplished this and therefore won on 9/11.

May 14, 2012

Marriage = Man + Woman ?

Filed under: General Antics,Law — Adam Scott Wandt @ 8:45 am

As far back as I can remember, I have always defined “marriage” as “man + woman.” While I am not (and never was) homophobic, and always felt that homosexuals should have the same civil liberties as everyone else, my natural instincts told me that homosexuals did not qualify for marriage simply because it did not fit my mathematical definition.

However, I did support gay rights, domestic partnerships and civil unions, and felt that states not allowing those were violating individuals’ civil liberties. Even through law school, as my appreciation for the law and civil rights matured, I still felt that marriage equaled man + woman. It probably didn’t help that I was a registered and active Republican and felt a strong party alliance.

In Brown v. Board of Education (1954), the United States Supreme Court held that the “separate but equal” concept in education was inherently unequal, overturning the long-respected legal precedent of Plessy v. Ferguson (1896). This same theory is now presenting itself as to gay marriage: Can a separate system allowing for “marriage” between men and women, and “civil unions” or “domestic partnerships” between two men or two women, be equal? Oddly enough, I was able to test this theory myself.

After moving to Manhattan with my girlfriend (now my wife), we decided to take advantage of the New York State Domestic Partnership law (section 4201 of the New York Public Health Law). We were not yet ready to be married, and were not even engaged, but my girlfriend was starting law school and her health insurance options were limited.

My girlfriend and I met all the legal criteria to register as domestic partners: we were New York residents, over 18, not married or related by blood, were in a “close and committed personal relationship,” lived together, and were not in an existing Domestic Partnership or “registered as a member of another Domestic Partnership within the last six months.” We filled out an application, had it notarized, went to City Hall and paid a $35 fee, and voilà!, we were domestic partners. The irony is that the law was created to provide homosexuals with the same rights and privileges of married couples, but was open to heterosexuals as well, because hey, the law cannot discriminate.

In the matter of a couple of minutes, my girlfriend and I had all of the same rights and privileges as a married couple while being able to dissolve the partnership with nothing more than a certified letter and a $27 fee. It crossed my mind that this was a superior alternative to marriage, because in case it didn’t work out, we would avoid the need to pay for expensive divorce lawyers.

My next stop was the Human Resources Department at John Jay College of Criminal Justice, where I informed them that I was upgrading my healthcare policy to include my domestic partner. I felt like I was getting one over on the system. My girlfriend had access to the same wonderful healthcare policy that I had, and I could still easily walk away at any time with the stamp of a notary. We had all the same rights as a married couple… or so I thought.

As it turns out, the joke was on me. Not only did we not have all the same rights and privileges as a married couple, but due to an absurd IRS ruling, the value of the healthcare benefits my girlfriend received was being added to my W-2 as taxable income. In case this is not clicking in your head, there is a tax on being a gay couple (or at least, they don’t enjoy the same tax benefits as “real” married couples).

Crap! Separate but equal really is inherently unequal. By this time, I had graduated law school and my notions of civil rights had matured and I realized that something here was terribly wrong. I was conflicted. I still defined “marriage” as “man + woman,” but I also recognized the serious injustice that came with civil unions and domestic partnerships.

My brain immediately came up with a solution: the government needs to get out of the business of marriage. Why is government licensing (permitting) us to marry anyway? What is the compelling government interest here? Wasn’t marriage traditionally a religious concept? So who is government to tell us whether or not two people can be licensed (permitted) to get married? Doesn’t separation of church and state apply here?

I eventually married my girlfriend and being Jewish, we had a Rabbi perform the ceremony. Even though we were forced by the State of Florida (where we were married) to obtain a marriage license prior to the wedding, I absolutely forbade the Rabbi from making any reference to the State of Florida in our ceremony. (“By the power invested in me by the State of Florida, I now pronounce you husband and wife,” was omitted from our ceremony at my request.) Who the hell do the states think they are? I was standing under a Chuppah with a Rabbi and my almost wife, and the State of Florida was going to give us permission to marry? What are we – cars, real estate, am I her property?

So here I am, a recovering Republican (because today’s national level Republicans are just totally nuts); utterly confused by the concept of gay marriage; knowing that all men (and women) are created equal, endowed with certain unalienable rights, among them, the rights to life, liberty and the pursuit of happiness; and knowing that nothing in this world makes me as happy as my wife.

My brain still defines marriage with the mathematical equation of “man + woman,” but even more important to me is that we don’t deny homosexuals the same rights that I enjoy, including the right to marriage. Knowing that government will always stay involved, I see only one possible conclusion: states like Massachusetts, Iowa, Connecticut, New Hampshire, New York, Vermont and the District of Columbia are doing what the Constitution requires them to by allowing same-sex marriages. Any other result is as disgusting as prohibiting blacks and whites from being in the same classroom. Gay marriage is not wrong – I am.

Gay people are just that… people. And unless we start treating them like people, we are no better than those that stood outside public schools with shotguns, staring down the National Guard, swearing on their lives they would never let a black child set foot in their white school.

My New Marriage Equation: Marriage = 1+1

May 10, 2012

NY High Court OKs viewing Child Porn

Filed under: Law — Adam Scott Wandt @ 7:45 am

In a rather disturbing example illustrating how courts don’t understand societal use and impact of computers and technology, it seems that the Court of Appeals of the State of New York (NY’s highest court) has held that it is perfectly legal to view child pornography on the Web (or at least non-convictable as possession), as long as the viewer does not pay for it or intentionally download a copy to a computer.

In a decision that will be formally released at the end of this week, Judge Ciparick writes in the majority opinion in The People v James D. Kent that detectives finding “cached Internet files” of child pornography on a defendant’s computer does not constitute possession of child pornography. The Court further “conclude[s] that merely viewing Web images of child pornography does not, absent other proof, constitute either possession or procurement [of child pornography] within the meaning of our [NYS] Penal Law.” This would apply even in the case where the defendant browsed several child pornography pictures in a row, which were cached on the computer as internet files. (Caching is the process of automatically saving a copy of browsed website images to the computer, so that it can be quickly loaded the next time the user visits the same website.)

The Defendant, Professor of Public Administration James D. Kent, of a Dutchess County College, was properly convicted on other counts of possessing child pornography on his work computer that he had downloaded and saved to his “Documents” folder (so justice was served). However, the precedent that was created in this case will, without a doubt, be exploited by future pedophiles who will use this legal loophole to safely view and build caches of child pornography without having to fear a criminal conviction for possession. It is more than possible for those interested in child pornography to build large caches of internet child pornography, without formally “downloading them.” Those caches could later be retrieved, shared and distributed without leaving any evidence that they were accessed.

I also think it is ridiculous in today’s digital age for someone as sophisticated as this defendant to claim that he was ignorant that images viewed on his computer were cached by the system. In 2012, I believe this is common knowledge.

The burden now lies with the NYS Legislature to draft and pass new legislation preventing people from exploiting this upsetting loophole, while protecting those who may accidentally stumble upon such disturbing contraband while innocently surfing the Web.

The soon to be released opinion in “The People v James D. Kent” can be found here: http://www.nycourts.gov/ctapps/Decisions/2012/May12/70opn12.pdf

Follow Professor Wandt on Twitter: @Prof_Wandt
