Bruce Schneier: "Hacking Team is a Dangerous Company"

The American security guru fears that the software, now that it has spread, could be used by criminal groups

This interview also appeared in Italian.

You wrote in your blog: "I don't think the company is going to survive". However, at least in Italy and in the US, Hacking Team has powerful sponsors... Will they survive?
«It remains to be seen. We know from the leaked documents that they have sold their products to the most repressive governments in the world...and overcharged them whenever possible. We know that they secretly put spyware and remote-control capabilities into the software they sold, allowing them back-door access without the knowledge of the governments they sold to. We know that they try to shield their activities from the UN in any way they can. We know, because of how completely and severely they were penetrated, that their own network security was pretty bad. They've already told all of their customers to stop using their software because it is no longer safe for them to do so. Hacking Team might have enough money in their bank accounts to stay around for a while, but do you think anyone will do business with them ever again?».

Do you think that, now that the Hacking Team trojan is on the loose, criminals could use it?
«Certainly it's possible that others will learn their techniques now that their code is public, but I didn't see anything particularly advanced about their products. It was just packaged nicely for Third-World government use».

How can you use technologies like the Hacking Team trojan to target awful criminals while at the same time making sure that these technologies do not end up in the hands of terrible regimes, as happened with Hacking Team clients like Sudan or Ethiopia?
«You cannot. This is a fundamental characteristic of the global Internet. There has to be one answer for everybody. Either we have a world where everyone can spy, including the NSA and the Italian police and the Sudanese government; or we can have a world where no one can spy. This isn't just Hacking Team. The company was a cyber-weapons arms manufacturer for governments and organizations who couldn't build their own tools. This is also the US, the UK, Russia, China, and other countries sophisticated enough to build their own custom surveillance and hacking tools».

Is it true that trojans like the RCS trojan of Hacking Team allow false data to be planted on the target's devices? If so, this is very problematic for law enforcement agencies trying to gain evidence against criminals...
«Yes. When someone takes over your computer, they can do more than copy data: they can add or delete it as well. This means they could plant false evidence on targets' computers. This makes it a problem for ethical law-enforcement agencies, and a solution for unethical ones».

How do you judge WikiLeaks' decision to publish the full database of Hacking Team data?
«Personally, I am very happy to see a dangerous and despicable company like Hacking Team exposed like this. The ethics of publishing the internal details of a company are complicated, and in general I prefer privacy. But in this case the hacker who released the data was a whistleblower, and Hacking Team is a company that needed the whistle blown on it».
