
Android researcher angry after finding his open source code in Hacking Team malware

LucidMew
A security researcher has taken umbrage at Italian malware developer Hacking Team after discovering that his open source exploit tools were included in Android surveillance software sold to governments around the world.
 
Collin Mulliner, well-known in security circles for exposing vulnerabilities in mobile devices, published a blog post Tuesday that attempts to set the record straight. To wit: his tools—which among other things surreptitiously capture conversations and other sounds within earshot of infected Android phones—were used without permission or notice by Hacking Team. He learned about the use only after the breach of Hacking Team computers, which resulted in a 400-gigabyte leak of confidential company documents, including these e-mails showing company engineers discussing Mulliner's tools.
 
In Tuesday's post, Mulliner wrote:

I'm pretty angry and sad to see my open source tools being used by Hacking Team to make products to spy on activists. Even worse is the fact that due to the lazy way they managed their source repository less informed people might get the idea that I developed parts of their tools for them. Just to make this very clear: I did not write any of those tools for Hacking Team.
 
For the future I will use a license for all my software that excludes use for this kind of purpose. I have no clue yet how this license would look like so if anybody has a hint about pre existing open source licenses that exclude this kind of usage please drop me an email.
 
Obviously Hacking Team also used other open source software such as Cuckoo Sandbox. I hope everybody is going to think about future license to prevent this kind of usage. I'm not a lawyer but I would be interested in what legal action one could take if their software license excluded the use case of Hacking Team.
 
Mulliner said he received an e-mail following the data dump from someone who formed the mistaken impression Mulliner designed the Android tools with Hacking Team in mind. He said the false impression is understandable when reading through Hacking Team source code, which along with Mulliner's Android Dynamic Binary Instrumentation tool, includes his name, website, and e-mail address. It wouldn't be surprising if Mulliner's contributions form only a small part of the open source software folded in to Hacking Team products, which leaked sales invoices show were sold to repressive governments in Sudan, Ethiopia, Egypt and elsewhere.

 

 

 

source: http://arstechnica.com/security/2015/07/researcher-takes-umbrage-after-finding-his-code-in-hacking-team-malware/

 

Ignoring the moralities/legalities of what HackingTeam did/does: 

Once you release your code to the wild for open source, it's kinda out of your control how it gets used. The guy was a well-known security hacker on the 'good' side, and probably expected his code to be treated with respect, or have the vulnerabilities patched. Speaking as an aspiring programmer in college, I tend to live vicariously through my code and feel proud of both myself and the piece of software that I wrote, when it does what it's supposed to do. Knowing that your code does some legally gray stuff that goes against your moral code has to hurt. Especially when people think he helped "the bad guys". He wrote on his blog (https://www.mulliner.org/blog/blosxom.cgi/security/hackingteam.html)

 

 


 

The reason why someone might think I wrote those tools for Hacking Team are pretty obvious once you take a look at the leaked code. Take, for example, the libt.c file from the HackedTeam repository. Hacking Team left all the copyright information (my name, website, and email address) in those files.

 
In addition to my ADBI framework Hacking Team also used my SMS fuzzer injector that I wrote in 2009 while working on the SMS fuzzing project together with Charlie Miller. Their Android fuzzer also made use of my ADBI framework. 

 

So it wasn't just one project of one guy that they used. Several tools from several people made their way into the Hacking Team's suite of tools.

 

It's not Collin Mulliner, or any other open source developer's fault for doing what they like doing and sharing it with the world. They uploaded it in good faith and then HT took it and used it. The blame should be placed on Google and the Android team that allowed known vulnerabilities to be unpatched, for three years.

 

 


Well, that's part of what can happen with open source projects. 

 

He can be mad, I would be too in his place, but it's open source, so he can't exactly reserve the uses for it, unless there's some hidden contract or agreement in the open source for it not being used in malicious content.


Well, that's part of what can happen with open source projects. 

 

He can be mad, I would be too in his place, but it's open source, so he can't exactly reserve the uses for it, unless there's some hidden contract or agreement in the open source for it not being used in malicious content.

Security by hiding the source code is not true security. Period.


Holy shit it's just some random framework, he's talking shit like he took all his code and took credit for it. To me it's all okay, he left his name, gave credit, doesn't break the license....


Hacking team weren't giving the source to their clients, were they? So wouldn't GPL have sufficed?

I get that they could have used the guy's code while complying with GPL, but I don't think any such company would have wanted to.


Holy shit it's just some random framework, he's talking shit like he took all his code and took credit for it. To me it's all okay, he left his name, gave credit, doesn't break the license....

except that guy wants to improve security and the hacking team is trying to destroy security so it's not ok on a moral level. imagine if you write a book promoting peace and then someone twists your words to justify them killing people
