MJM as Personified Evil Says Spyware Saves Lives Not Kills Them

Eugen Leitl eugen at leitl.org
Fri Nov 9 06:53:53 PST 2012


http://www.bloomberg.com/news/2012-11-08/mjm-as-personified-evil-says-spyware-saves-lives-not-kills-them.html

MJM as Personified Evil Says Spyware Saves Lives Not Kills Them

By Vernon Silver - 2012-11-08T23:01:00Z

In the secretive world of surveillance technology, he goes just by his
initials: MJM.

His mystique is such that other security professionals avoid using wireless
Internet near him. MJM himself suggests that those he meets allay their
paranoia by taking batteries out of their mobile phones.


MJM -- Martin J. Muench -- is the developer of Andover, U.K.-based Gamma
Group's FinFisher intrusion software, which he sells to police and spy
agencies around the world for monitoring computers and smartphones to
intercept Skype calls, peer through Web cameras and record keystrokes.

In the past year, the hacker-turned-executive has himself been under attack
as the 2011 Arab Spring uprisings unravelled the cloak of secrecy he'd
operated behind.

FinFisher's once-elusive FinSpy tool has been exposed targeting activists
from the Persian Gulf kingdom of Bahrain; decoded for the first time by
computer-virus hunters; placed under export control by the U.K.; and traced
to countries with poor human rights records, such as Turkmenistan in Central
Asia.

As evidence mounts that repressive regimes routinely use surveillance gear to
track and capture dissidents, FinSpy has been singled out as one of the most
invasive weapons. The attention has subjected Muench to death threats, he
says, and government scrutiny.

It's against this backdrop -- which Muench, 31, calls a "witch hunt" -- that
he's decided to explain himself, opening his Munich offices to a journalist.

'Personified Evil'

"I'm the personified evil," Muench says of his role as the face of FinFisher,
which he defends as a tool for catching pedophiles and terrorists. Muench,
who was born in northern Germany and grew up in a town (population 800) that
he won't name out of concern for his family's security, started hacking at
around age 13. As managing director of Gamma's German-based unit, Gamma
International GmbH, he's developed FinFisher spyware since 2007, and leads
its marketing.

"The product helps to catch serious criminals and helps to save lives," says
Muench, who stands about 1.9 meters tall (almost 6 feet 3 inches), has
close-cropped hair and is dressed in a black, collared shirt, distressed blue
jeans and black shoes. He won't provide examples of crimes solved, saying it
could jeopardize clients' methods. "So we have to live with the bad guy
image," he says.

Other units of Gamma Group provide intelligence training and sell
surveillance vans, wireless microphone systems and interrogation rooms
outfitted with audio and video capabilities. The company is controlled by
members of a British family, the Nelsons.

Transforming Surveillance

Of Gamma's products, FinFisher has become the flashpoint. It represents the
leading edge of a largely unregulated trade in cybertools that is
transforming surveillance, making it more intrusive as it reaches across
borders and spies into peoples' digital devices, whether in their living
rooms or back pockets.

A Bloomberg News investigation this year into the abuses of intrusion
products and the threats of computer espionage has shown how technologies
from companies such as Gamma and its competitor, Milan-based HackingTeam,
represent the next step in a digital arms race between governments and the
people they watch.

Political dissidents who discovered FinSpy trying to infect their e-mail
inboxes heap scorn on Muench for what they say is complicity in rights
abuses.

"I have little respect for this man for his role in the violation of my
privacy rights and for risking the work we are doing," says Ala'a Shehabi,
31, a U.K.-born democracy advocate and economist hit by FinSpy in Bahrain
this April and May.

Misunderstood Spyware

Muench responds that he and his spyware have been misunderstood, and that any
product can be used for harm. "So can a can of fizzy drink or a car battery,"
he says.

To drive that point home, Gamma Group's communications director, Robert
Partridge, points to a glass bottle of Coca-Cola in the middle of a table in
the company's conference room. Carbonated beverages, he explains, could be
very painful when poured in the noses of interrogation subjects who have been
turned upside down.

Muench says Gamma acts responsibly by only selling FinFisher to governments
and obeying the export laws of the U.S., the U.K. and Germany. After he sells
a system, it's out of his hands, says Muench.

'No Control'

"We have no control; once it's out there it's basically with the country," he
says during the five-hour interview that veered from a product demonstration
in Gamma's conference room to lunch at a Bavarian restaurant serving
specialties from Munich's Oktoberfest tents to getting lost driving his
company's black BMW 528i sedan back to the office. "That's why we check, 'Are
they bad guys?' before we deliver it." He doesn't reveal which governments
have purchased FinFisher.

Muench, whose only formal education after high school was a part-time
university course in jazz piano, is trying to set the record straight about
himself and his company after a blistering year.

In May, Bloomberg News obtained spyware that had been sent to activists from
Bahrain and gave copies to a San Francisco-based security expert, Morgan
Marquis-Boire, for analysis. Marquis-Boire dissected the samples and found
they were Muench's product. His research, published by the University of
Toronto Munk School of Global Affairs' Citizen Lab, and Bloomberg News
stories about it appeared in July.

Also in July, London-based Privacy International, which monitors surveillance
abuses, informed the British government it planned to file a lawsuit to force
regulation of surveillance technology sales, including those of FinFisher.

Targeting Dissidents

The next month, following the disclosures that the software had targeted
dissidents, the U.K. government informed Gamma it must obtain export licenses
to sell FinSpy outside the European Union.

At the same time, researchers including Claudio Guarnieri of Boston-based
security risk-assessment company Rapid7; Bill Marczak, a computer science
doctoral candidate at the University of California Berkeley; and
Marquis-Boire, whose day job is working as a security engineer at Google
Inc., found computers that appeared to be command servers for FinSpy in at
least 15 countries.

They also documented FinSpy's ability to take over mobile phones -- turning
on microphones, tracking locations and monitoring e-mails.

The pressure has continued to build.

On Oct. 12, U.S. law enforcement officials warned smartphone users to protect
themselves against FinFisher, calling it malware, or malicious software.

Government Warning

"FinFisher is a spyware capable of taking over the components of a mobile
device," the Internet Crime Complaint Center, a partnership between the
Federal Bureau of Investigation and National White Collar Crime Center, said
in a Website alert to the public. "FinFisher can be easily transmitted to a
Smartphone when the user visits a specific web link or opens a text message
masquerading as a system update."

Muench has put himself forward as Gamma's point man on the issue, as Gamma's
controlling shareholders, the Nelsons, remain in the background. He says they
act only as investors, providing money and customer contacts for FinFisher.

The family declined requests to be interviewed for this story through
Partridge, who acts as a spokesman for both Gamma and the Nelsons.

Before joining the Gamma group of companies 13 years ago, Partridge says,
family patriarch William Nelson, now 80, held a half ownership of Wallop
Holdings Ltd., a pyrotechnics and defense company that made flares,
riot-control equipment and smoke generators.

Iraq Questions

Questions that arose from Nelson's time at Wallop, also based in Andover in
southern England, foreshadowed the current FinFisher controversy.

Wallop twice denied published reports that it may have had dealings with
Saddam Hussein's Iraq. In one instance, the company said it had rejected an
Iraqi request for rocket launcher samples in 1984. Then, in the 2003 invasion
of Iraq, Scottish troops found grenades in boxes outside Basra bearing
Wallop's name. That led Wallop to disclose that it had sold smoke grenades to
Kuwait in 1986, and to suggest that the weapons must have been seized by
Iraqi troops during their earlier occupation of the neighboring country,
according to news reports at the time.

"Wallop Industries at no time supplied Saddam Hussein or Iraq," Gamma
spokesman Partridge says. The items found in Iraq bore codes that matched the
Kuwaiti sale, and Wallop never made rocket launchers, he says.

Surveillance Shift

Nelson sold his stake when new owners purchased Wallop in September 1987 in a
deal that valued the company at 7.6 million pounds ($12 million), according
to a company announcement.

After the sale, Nelson retired until 1999, when he joined Gamma, which had
been founded in Beirut in 1990 as a trading company dealing in general and
electrical goods, Partridge says. Today, under Nelson family control, the
U.K. and German companies that comprise what is now Gamma Group specialize in
surveillance and security.

The transformation shows why governments seeking to protect human rights must
modernize their export controls to keep up with changing technology, says Ben
Scott, a former policy advisor for innovation to U.S. Secretary of State
Hillary Clinton.

"Shipping guns and grenades over an ocean leaves a physical trail in a way
that downloading software does not," says Scott, senior advisor to the
Washington-based Open Technology Institute, a policy group that promotes
affordable and universal communications networks and studies the social
impact of new technologies.

Expanding Business

As Gamma expanded, it sold governments eavesdropping gear for intercepting
communications, Muench says. In recent years, such passive surveillance,
which includes phone tapping, became less effective as Internet
communications boomed.

"More customers came and complained, basically saying 'Oh, we can't get this
and that and that, so we need to find a way to intercept,'" Muench says.

By 2007, Muench had gained recognition as a developer of BackTrack, one of
the best-known free tool kits for computer penetration testing.

That year, Gamma approached him and, according to Muench, said, "Listen we
need professional government tools to face these kinds of challenges." He
made the jump to corporate life.

Muench built the German business from a home office to a unit that now
employs about 30 people on the second floor of a modern building with
floor-to-ceiling windows in a neighborhood filled with technology companies.
He owns 15 percent of the German-based Gamma International, he says.

Tables Turn

Muench stayed under the radar until the Arab Spring, which exposed
surveillance technologies used by regimes across the Middle East, turned the
tables on him. As the purveyor of technology for secret stalking, he has
himself become the hunted.

Muench and FinFisher first came under scrutiny after a sales pitch made to
Egyptian state security for a system priced at 388,604 euros ($499,084) was
uncovered following that country's February 2011 revolution. A sale was never
completed, Muench says.

The secret FinFisher software became an object of fascination within the
virus-hunting world. In March 2011, Mikko Hypponen, chief research officer at
Helsinki-based data security company F-Secure Oyj, vowed that if a copy were
ever found, he'd write anti-virus protection against it.

Exposing FinSpy

From then, the attention didn't let up. In December, anti-secrecy website
WikiLeaks posted Gamma promotional videos showing how police could plant
FinSpy on a target's computer.

This year, the Citizen Lab and Bloomberg News reports about Bahrain on July
25 started the clock on a race between Muench, who needed to quickly rewrite
his software, and the researchers and security companies, who began tracing
where FinSpy was in use and crafting protection for its potential targets.

"It's a cat and mouse game," says Muench, who was in Brasilia that day
pitching FinFisher at the Latin American installment of the ISS World
surveillance tradeshow, known as the Wiretapper's Ball.

While Muench says the samples analyzed were demonstration versions, and not
the operational software used by clients, they were close enough to require
modifications, he says. Changing characteristics of the product would make it
harder to detect by anyone who had seen the Bahraini samples. For the first
time ever, he found himself in a position of having to put the company's
emergency plan in action.

Emergency Plan

Colleagues in Munich opened a safe (the combination is "666," he jokes) and
removed a hard drive about the size of a large box of matches, which
contained a modified version of the spyware, Muench says.

"We always have a spare, just in case," he says.

It took two days for programmers to prepare the new software for release on
FinSpy systems around the world, and to inform customers of the update, he
says.

To respond to the critics, Muench says he wants to demonstrate that FinSpy is
a responsible product that includes features that make the data it gathers
suitable for presentation in a court of law.

In the Munich conference room, where cabinets display black, plastic
suitcases filled with cyber-interception gear, he fires up FinSpy on his
Apple laptop, which projects what he's doing onto a screen at the front of
the room. The console that intelligence agents use to monitor infected
computers comes to life, in blue, black and white.

Live Demonstration

"Understand, I can't show you 100 percent, but I'll show you most," Muench
says.

He moves the arrow on his computer across the top of the screen, where tabs
indicate two choices: "PC Targets" and "Mobile Targets." The targets for the
live demonstration are Gamma computers used for such purposes, Muench says.

Clicking into the PC tab, he brings up a page filled with line after line of
names and flags representing countries around the globe. The colors of
Brazil, Indonesia, Malaysia, Singapore and the U.K. and several other nations
are represented.

"What we have here is an overview of PC targets that are currently infected,"
Muench says.

He clicks into one line and pulls up the transcript of a Skype text chat.
Another click takes him to a recorded Skype call, on which he points to the
timestamps. If the audio file is edited, the software will indicate how many
seconds have been cut -- a safeguard against misuse, he says.

He then switches to "Mobile Targets," revealing a separate list, this time of
handsets.

FinSpy Mobile can infect almost every kind of device, including Apple Inc.'s
iPhones and smartphones running Google's Android or Microsoft Corp.'s Windows
systems, according to a pamphlet Muench provides.

Asked if the publicity he's gotten for such surveillance powers inspires
mistrust in the people he meets, Muench says he's given up on a social life
for now. "If I meet a girl and she Googles my name, she'll never call back,"
he says.

In Bahrain, Shehabi isn't shedding a tear for MJM.

"Anyone who supports these governments in their campaign of repression
deserves the reputation they get," she says.

To contact the reporter on this story: Vernon Silver in Rome at
vtsilver at bloomberg.net

To contact the editor responsible for this story: Melissa Pozsgay at
mpozsgay at bloomberg.net 




