hackingteam.it - How is this legal/allowed?

[Mordred]

I'm curious to hear some opinions about this company that I discovered a while back and to whom I was considering sending my resume to (I decided already a few months ago I won't do that).

What bugs me is that it seems that this company offers, in the most literal sense, hacking/cracking/security evasion services.
Now I'm not very knowledgeable on hacking laws with a few exceptions regarding ethical hacking & related, and am almost not at all knowledgeable on EU/International laws regarding this (this company initially operated only from Milan, Italy but have now opened a new set of offices in Annapolis, U.S.A.),  but it seems to me that everything about this company is (or at least should be) not only illegal in terms of how they market themselves (Ad #1) but also in terms of the operations that they run.

For instance, on their Careers page you can see the following:

HackingTeam is a company based in Milan, Italy.
 We spend time on interesting projects with smart people, provide great working conditions and enjoy our time together.
Working with us, you will help design, develop and deploy our flagship  product, Remote Control System, that's being used worldwide for fighting crime, and is the #1 solution for governmental offensive interception.

And underneath, where they list the available positions, the top one is:

Hacker / Developer Developers design new features, develop them and polish our software to perfection.
Hackers find out how to overcome the original design of objects, hack into them and uncover all their secrets.
You have to be both, and the more you know, the better.
We need a person with a strong technical background, able to  deeply understand how devices and software work and to hack them.
 At the same time, you should be confident with lean programming and know how to structure code to fit into an enterprise scale software.
 
 We only accept candidates with an unstoppable will to learn!
 
 Depending on the area of development preferred knowledge is: C++, Objective-C, some x86 or ARM Assembly, Ruby or Python, ActionScript or reversing skills.
 Design Patterns and Agile Programming are a must.
Work location is Milan, Italy, and on site presence is a plus.

This all looks very shady to me, and this detailed analysis of their "work" is what immediately led me to disconsider any idea of applying for a job there.
I recently remembered them when checking out cryptome.org and wanted to get an opinion from the EZ community about this business. So, guys, what's your take on this?

[ande]

Definitely not legal in most countries. I have a few cents on this being bullshit as well. I wouldn't go anywhere near that shit.

[vezzy]

I'm not an expert in computer crime law, but my two cents are:

1).

After taking a brief look through their website, they do present themselves in this very dark and shady, almost black market fashion.

However what they appear to be doing is marketing a proprietary backdoor application for use by government agencies and law enforcement. These parties make heightened use of malicious and/or offensive security and surveillance software as we already know, so consequently it follows that private companies dedicated to supplying this demand exist.

They are quite covert about their operations and aren't directly offering their services, which is a must for businesses of this type. Interested parties would need to strike up an explicit conversation to obtain their software, and would be willing to throw away large sums of money, as I assume this "Remote Control System" is insanely expensive.

tl;dr they don't seem to be some skiddie black hat DDoS/"hacking" service on the deep Web or some shit like that, but an under-the-radar legitimate company that exists to market computer surveillance software to law enforcement and government for use in operations. Such businesses do exist and are constantly in demand, be it firearms, espionage hardware, surveillance, security breaching or whatever, but keep a low profile for obvious reasons.

2).

This is all a honeypot to weed out gullible wannabe cybercriminals.

[WirelessDesert]

FBI.

(Will evolve later, on phone)


::edit::

Realised I didn't evolve on my matter :/. And what I would have said would be proven wrong, as it has been done in the posts after this one. So yeah.

[vezzy]

Actually, hold that thought.

I did some quick research, and found this:

http://surveillance.rsf.org/en/hacking-team/

They've been around for a decade now and sell their software exclusively to government agencies, and it has reportedly been used for human rights violations.

Quote from this IBTimes article:

One of the most high-profile of these companies is Hacking Team, a Milan-based company which has been offering its surveillance system to governments and law enforcement agencies for almost a decade. It has come under fire in recent years after it was discovered that its software had been used by repressive regimes in Morocco and the United Arab Emirates to illegally monitor activists.

It has even been alleged that the use of Hacking Team's tools have directly led to the torture and murder of people - a charge strongly denied by Hacking Team.

Unenviable

Eric Rabe has a pretty unenviable job. As head of communications and public policy for Hacking Team, his job consists of defending a company which sells powerful cyber-weapons allowing its customers to monitor your every email, text message, phone call and web search.

Hacking Team, like its competitors, is very secretive about its work, revealing nothing about who it works with, how much it gets paid, and most importantly what exactly its software is used for.

Calls for more regulation and transparency in its dealings have been growing since the revelations last year and while there has been no change in regulations thus far, the negative media coverage does seem to have had an effect on the way Hacking Team deals with the public and the press.

Last month at the annual RSA security conference in San Francisco Rabe and other Hacking Team representatives made an appearance to the surprise of many industry watchers.

At a panel discussion on cyber surveillance, Hacking Team came in for criticism from Jacob Appelbaum, a security expert and core member of the Tor project, as well as from Kurt Opsahl, senior attorney at the Electronic Frontier Foundation (EFF).

According to Tom Brewster from TechWeekEurope who was at the panel discussion, Appelbaum said the use of Hacking Team tools and similar software can be the difference between life and death.

"These people are tortured, some of them are murdered ... the result of the things we are talking about here is a life and death matter."

One of their presentations advertising the product is on WikiLeaks.

Finally, the most interesting article:

https://citizenlab.org/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/

A technical analysis of an old RCS version that got leaked to the wild somehow. Haven't read it in its entirety, but be sure to check it out.

------------------------------------

So, the question of whether or not they're legitimate is out. They are.

This leaves us just how effective their product is. Is it snake oil, relying solely on security through obscurity, or is it truly superior?

You could probably get employed. If you don't mind participating in the facilitation of human rights violations. Or you could infiltrate them and leak the source code for everyone!

[Thor]

It shouldn't be legal, and in most countries it probably falls into a gray area, but when it's government agencies who are their clients no one seems to care.

There are other companies like this, companies who sell malware and 0-day exploits to government agencies for large sums of cash.

FinFisher (http://en.wikipedia.org/wiki/FinFisher) is malware which has been sold to governments and is actively in use.

[Mordred]

They've been around for a decade now and sell their software exclusively to government agencies, and it has reportedly been used for human rights violations.

One of their presentations advertising the product is on WikiLeaks.

Finally, the most interesting article:

https://citizenlab.org/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/

So, the question of whether or not they're legitimate is out. They are.

This leaves us just how effective their product is. Is it snake oil, relying solely on security through obscurity, or is it truly superior?

Ah, so basically their legitimacy is given by the fact that they cater exclusively to Government Officials and other Security Agency type of "business".

Also given what information is available it does indeed seem that these guys don't give two shits about the privacy of the individual, let alone privacy laws in general. On the other hand the question regarding whether or not their software is actually that good as they claim it is, is quite interesting. I think I might dig deeper on this one and also go through that tech analysis you posted.

Also as a final note, I gave up on the idea of trying to get a job with them when I saw the incredibly vague description that they give for the "Hacker/Developer" title. I mean come on:

Hackers find out how to overcome the original design of objects, hack into them and uncover all their secrets.
You have to be both, and the more you know, the better.
We need a person with a strong technical background, able to  deeply understand how devices and software work and to hack them.

To me it sounds like someone who has a very faint idea of what they want and don't know what to ask for.
With all the other data on how they abuse privacy I'm now positive I wouldn't even want to touch these people with a 10 foot pole, let alone try to get a job there.



@Thor: Do you maybe have names or some sort of identification type for such companies? I'm really interested to see if this is like a well spread thing and something that can be done by anyone as long as he abides by his/her countries laws and only sells to the government or to defense/counterinformation agencies; and unfortunately I found it quite difficult to track these kind of companies down. The only reason I saw about hackingteam.it is because I saw it in a mail on cryptome.org.

And kudos for the link on FinFisher, didn't know about that one.

[Thor]

@Thor: Do you maybe have names or some sort of identification type for such companies? I'm really interested to see if this is like a well spread thing and something that can be done by anyone as long as he abides by his/her countries laws and only sells to the government or to defense/counterinformation agencies; and unfortunately I found it quite difficult to track these kind of companies down. The only reason I saw about hackingteam.it is because I saw it in a mail on cryptome.org.

And kudos for the link on FinFisher, didn't know about that one.

Sure, EndGame (http://www.endgamesystems.com),  VUPEN (http://www.vupen.com/), NetraGard (http://www.netragard.com/)

Of course most companies involved in this sort of stuff keep it relatively quiet.

@thegruqg is one of the most e-famous. He acts as a middle man between security researchers who are looking to sell exploits and governments looking to buy them. Here's an article on him and what he does http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/

And here's another article which discusses the 0-day trade, http://www.fastcompany.com/3009156/the-code-war/how-spies-hackers-and-the-government-bolster-a-booming-software-exploit-market

[proxx]

"Governments buying 0-days--"  Im gonna sit back and eat popcorn.
Im hardly suprised.

This is no exception really.
weapons; illegal unless you call it peace
murder; illegal unless you call it freedom
....

You got the point.

[Mordred]

Sure, EndGame (http://www.endgamesystems.com),  VUPEN (http://www.vupen.com/), NetraGard (http://www.netragard.com/)

Of course most companies involved in this sort of stuff keep it relatively quiet.

@thegruqg is one of the most e-famous. He acts as a middle man between security researchers who are looking to sell exploits and governments looking to buy them. Here's an article on him and what he does http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/

And here's another article which discusses the 0-day trade, http://www.fastcompany.com/3009156/the-code-war/how-spies-hackers-and-the-government-bolster-a-booming-software-exploit-market

Wow man, thank you for the resources! +1 cookie for you sir!


This @thegruqg guy is... dont have words to describe. Puss of society, a human infection. Fucking cuntbag maybe? Instead of offering the exploits ONLY to the original developers so that they can improve their product and offer better security to their users, he sells it to motherfucking government agencies so that they can spy on the population in a more easy fashion. I'm raging so fucking hard now... Fucking hell.


@proxx: standard human species situation. Bullets or cyberbullets, the difference is just the "cyber" part apparently.

[Alin]

Wow man, thank you for the resources! +1 cookie for you sir!


This @thegruqg guy is... dont have words to describe. Puss of society, a human infection. Fucking cuntbag maybe? Instead of offering the exploits ONLY to the original developers so that they can improve their product and offer better security to their users, he sells it to motherfucking government agencies so that they can spy on the population in a more easy fashion. I'm raging so fucking hard now... Fucking hell.


@proxx: standard human species situation. Bullets or cyberbullets, the difference is just the "cyber" part apparently.

Are you kidding me?


When having a 0-day you have four options;
1. Sell it on the black market and make potentially a lot of money.
2. Sell it to a company like ZDI.
3. Send the shit to full disclosure and get famous.
4. Coordinate release with vendor and expect 5-10 e-mails and 3-4 months until some random french idiot gets the point and then a couple months more testing 3-4 patches that does not fix the problem.


Guess I'm keeping with the first.

[proxx]

Are you kidding me?


When having a 0-day you have four options;
1. Sell it on the black market and make potentially a lot of money.
2. Sell it to a company like ZDI.
3. Send the shit to full disclosure and get famous.
4. Coordinate release with vendor and expect 5-10 e-mails and 3-4 months until some random french idiot gets the point and then a couple months more testing 3-4 patches that does not fix the problem.


Guess I'm keeping with the first.

You forgot option 5.
5.get sued by some company for being an evil terrorist ..



I would def go for the WD-40, awesome stuff.

[kenjoe41]

personally, i wouldn't judge anyone selling a 0-day. The streets are hard and those companies never listen especially those that open  source. Those kids need a reward for there effort of finding that vulnerability.

[proxx]

personally, i wouldn't judge anyone selling a 0-day. The streets are hard and those companies never listen especially those that open  source. Those kids need a reward for there effort of finding that vulnerability.

I agree, only those who buy 'm.
Thats curious.

[Alin]

You forgot option 5.
5.get sued by some company for being an evil terrorist ..

Again, kidding me? Do you have any idea about the laws for these kind of things? Selling applications is not illegal in any country yet, that same ting goes for an application that exploit flaws in other computer software.
On the other hand the laws for reverse engineering of software is very fuzzy.

There exists a number of legitimate businesses that makes money on selling exploits as well as software that could be considered malicious..

@ kenjoe41 - actually the open source community is well known to take security seriously, I suppose you don't have any experience coordinating vulnerability disclosures. The problem with some open source projects is that they are hobby projects and are not always maintained. Some projects are abandoned and only community driven, others are actively maintained and bugs are fixed in a matter of days.