[SplinterCell]

Quote:

Originally Posted by R_U_Nuts

First.. it's not my project, it's Sheran's. I am in no way affiliated with his company or project.
Second.. I haven't "poked around" anything you own, if I did you can bet your she-male pron collection you'd never know it.

That first message was to Sheran, he was poking around. Your obviously confused and when you replied I was under the impression you were Sheran. I didn't much care so I ran with it. Now I'm confused and what does this have to do with anything? If 202.47.68.166 isn't your IP address move along. As I said before I'm offensive because, I'm skeptical of anyone with Kim Jong Il avatars he's (Sheran's) a damn spy! The wagons are always circled and when need be I send "Scouts Out!"

PhoneSnoop is bad if anyone want's to run Kisses remember he's also the damn PhoneSnoop! That's something you can't argue weather Brian Krebs can't believe anyone would be hard on you or theirs an article on PC World that mentions Sheran. The Department of Homeland Security called you/Sheran out!

This is getting to be a combative thread so I'm going to step aside and go for a long run. And cat I don't care if anything I say makes sense to you, yes, I_am_nuts! I sleep with a tomahawk, just enjoy your evening.


What a thread,
Chris

[HaTaX]

Wow, this is a pretty explosive thread! But so much fun to read! There seems to be a lot of chest huffing in here with responses that aren't that different from "My security unit is bigger and badder then yours!", which is always fun to watch from the outside in a thread.

Now on the thread topic, first of all I'd like to say that sheran-g has done a very good job of handling the skeptical (to say the least in some instances) responses he's gotten and facing them heads on, kudos on that.

I'd be willing to bet that most of the people that feel you've got conflicting interests with the software you've developed is because they do get the impact and mess that spyware and viruses create for the security industry. They're the ones that probably end up dealing with the fallout from such breaches in either the workplace or home, and because of that they're sensitive to the amount of content out there that does just that.

Once bitten (or watched someone else get bit), you really are twice shy. So the people around here are more likely to be involved in security with the BB being a reasonably secure platform, and they're just a little trigger happy when someone developing the product and the anti-product comes onto their turf.

Personally I wouldn't install either of the products because I have no need or interest in them, and for that exact reason I'm personally not weighing where the author's interests lie. I have more interest in the content he's presenting, so I asked myself a question... Is there another application on the BB that will let you view active / running processes or connections made to various networks? Nope... And in my book that's actually a fairly serious problem. You've got tools in the development environment to test system activity, but on the deployed platform it's not so trivial.

The release of Kisses is actually welcome in my book for troubleshooting as well if it was expanded to be more of a system level monitor and would still allow someone to watch for spyware activity. Would be great to see an app for this on the BB..

The Kisses and PhoneScoop applications appear to be fairly trivial from a programming standpoint as to what they do. The only real trick with it is to remove it from all of the systems UI screens, and otherwise you just have to deal with the core of the program, no hours lost on UI tweaking. Because of the complexity, I think it's very believable that they were truly developed as proof of concept apps at the very start, and fleshed out to clearly get his point across.

Thanks again for the info and I'll hang around this thread for a bit just to watch the fireworks..

[sheran-g]

Hello HaTaX,

Thanks for your level-headed response. Quite a refreshing change

Quote:

Originally Posted by HaTaX

I'd be willing to bet that most of the people that feel you've got conflicting interests with the software you've developed is because they do get the impact and mess that spyware and viruses create for the security industry. They're the ones that probably end up dealing with the fallout from such breaches in either the workplace or home, and because of that they're sensitive to the amount of content out there that does just that.

You know, I did consider this at one point, I can totally empathize with them if this is truly the case. For me, personally, I got a different vibe from the responses though.

Quote:

Originally Posted by HaTaX

Once bitten (or watched someone else get bit), you really are twice shy. So the people around here are more likely to be involved in security with the BB being a reasonably secure platform, and they're just a little trigger happy when someone developing the product and the anti-product comes onto their turf.

Again, it is quite plausible, but then some of the harshest reactions came from people who didn't seem to know a whole lot about how the BlackBerry device operated. To me, it seemed like opinions were already formed based on a bulletin by either US-CERT or DHS. And typically, if a bulletin comes out of there, then you might as well wear the scarlet letter and be branded a terrorist. From where I'm standing, this seems more likely to me, but you do raise a valid point.

Quote:

Originally Posted by HaTaX

The release of Kisses is actually welcome in my book for troubleshooting as well if it was expanded to be more of a system level monitor and would still allow someone to watch for spyware activity. Would be great to see an app for this on the BB..

This is my intention and the direction I will most likely take. I wanted to empower end users to be able to look into areas of their handhled and recognize anomalies. This would mostly suit power users who are very much aware of how their phones work. Thus, they could spot something out of place in an instant.

One of the features I'm working on is the ability to take a look at what is stored on the Runtime and Persistent stores of the BlackBerry. If the contents aren't protected, then its trivial to list the data stored at various locations. Thus, with this feature, you can see exactly what other programs store on your persistent store or runtimestore. One concern for this area is that if passwords or credentials are stored in the clear, then its up for grabs by any third party program. The only problem with this is performance. I have a working version, but I'm trying to find a more efficient way of going about it.

Another feature is to implement a check whenever an application is installed or removed. This can be done with the newer OS 5.0.0 API and I'm working on adding that to Kisses as well.

There's still no way to determine which programs have installed listeners. IMHO, this would be perfect to identify which of your apps on your handheld have implemented a PhoneListener or MessageListener for example.

Quote:

Originally Posted by HaTaX

Thanks again for the info and I'll hang around this thread for a bit just to watch the fireworks..

I look forward to more positive contributions and ideas if you've got them. Thanks for taking the time to write in.

[ushernut]

I think you guys really take this too seriously. I don't think PhoneSnoop can be treated as a virus or spyware. It is just a feature that blackberry can do.

Ok, if you think PhoneSnoop as a spayware, then wat about the application which is used to help people find and locate their lost blackberry. One of those applications feature is calling their own lost blackberry and hear the surroundings.
What if I install this kind locate lost blackberry app on other ppl's blackberry? I can still use this feature to spy.
Now wat, are you going to say that app is also a spyware?

This is just like people who invent bomb. You use bomb to kill people, at the same time, you can use it to help people, e.g. destroy old buildings..
In a word, it all depends on how people use it.

[davidandrew]

Quote:

Originally Posted by ushernut

This is just like people who invent bomb. You use bomb to kill people, at the same time, you can use it to help people, e.g. destroy old buildings..
In a word, it all depends on how people use it.

Not to stray off topic, but their is a difference between a bomb and demolition
equipment. They don't bomb old buildings.
Bombs kill people, so I don't see how helpful that is to humanity.

Anyways, yeah you could consider that spyware, yes you maybe using it for the 'right' purposes, but who's to say EVERYONE is going to use it like that. That's why you must be careful and take somethings serious, their's a sliver lining to everything.

[CISO]

Quote:

Originally Posted by davidandrew

Not to stray off topic, but their is a difference between a bomb and demolition
equipment. They don't bomb old buildings.
Bombs kill people, so I don't see how helpful that is to humanity.

Anyways, yeah you could consider that spyware, yes you maybe using it for the 'right' purposes, but who's to say EVERYONE is going to use it like that. That's why you must be careful and take somethings serious, their's a sliver lining to everything.

Well now In that case I suppose medicine can be considered poison (in the wrong hands) and so on...

Personally, I'd have a much better feeling about "Kisses" and it's developer - regardless of skill - if he hadn't developed and made phonesnoop available outside a controlled security research community.

Several security researchers have faced civil and criminal sanction for their part in so called awareness building!

[sheran-g]

Quote:

Originally Posted by CISO

Personally, I'd have a much better feeling about "Kisses" and it's developer - regardless of skill - if he hadn't developed and made phonesnoop available outside a controlled security research community.

I'd like to know what constitutes a "controlled security research community" in your opinion.

[CISO]

Quote:

Originally Posted by sheran-g

I'd like to know what constitutes a "controlled security research community" in your opinion.

For anyone who thinks that using a "tool" like phonesnoop etc. is just a "feature of the Blackberry, they should feel fortunate that they don't work for me... What's the difference between using this software without the consent of the "snooped" and an illegal wiretap. Why shouldn't these people be prosecuted as such?

But I digress. It's not so much what I think it is, but what it is in fact. In any scientific method there is a defined population, theory, hypothesis etc... Putting this sw out in the "wild" without limit under the color of research and building awareness is a sham. If you had started with Kisses as a means to identify the other already extant sw that could be identified that would be one thing, but you didn't.

We could go round and round with this for a good long time, but let's not...

[sheran-g]

I am very much aware of the perils of 'arguing on the internet' and I have said so in my blog post as well.

Quote:

Originally Posted by CISO

For anyone who thinks that using a "tool" like phonesnoop etc. is just a "feature of the Blackberry, they should feel fortunate that they don't work for me... What's the difference between using this software without the consent of the "snooped" and an illegal wiretap. Why shouldn't these people be prosecuted as such?

The thing is you cannot use PhoneSnoop and expect a user to not know of its existence because:

The phone: RINGS when a call comes in
The homescreen: DISPLAYS an icon of the program
The applications folder: DISPLAYS an installed program in it

If prosecution comes into play, then I think it should similarly (if not more so) be applicable to the developers of FlexiSpy and Mobile-spy. Their products are far more insidious than PhoneSnoop.

Quote:

Originally Posted by CISO

But I digress. It's not so much what I think it is, but what it is in fact. In any scientific method there is a defined population, theory, hypothesis etc... Putting this sw out in the "wild" without limit under the color of research and building awareness is a sham. If you had started with Kisses as a means to identify the other already extant sw that could be identified that would be one thing, but you didn't.

It becomes a sham only if I stand to profit from either of the tools. I do not gain financially from these tools (which is a shame because if I charged $5 for PhoneSnoop and $10 for Kisses, I would have made $10000 based on 30% of my current downloads in 12 days). But I am not going to charge for the tools and I never will. With regard to the attention: I could certainly do without all the supposed 'notoriety' that these tools have brought me because of the percentage of users who are still not well versed in topics like proof-of-concept, stealth and security.

I think its futile for me to sit here and constantly "defend" my position. Especially considering I have nothing to gain from it. If there are legitimate questions on technical or security aspects of PhoneSnoop or Kisses, I will be happy to address them in this thread. As for accusations of being a "sham" or pushing these tools for personal gain, I'm done talking about that.

[CISO]

Quote:

Originally Posted by sheran-g

I am very much aware of the perils of arguing on the internet and I have said so in my blog post as well.
<...>
It becomes a sham only if I stand to profit from either of the tools...

The issue of profit is really moot for me in this discussion... I've seen many cases where a "researcher" broke laws in the name of raising awareness and then paid a price for it by losing a job, going to jail, or facing whatever sanction... Monetary profit is irrelevant. If one goes around trying doors in a community - enters the house and leaves a note saying they were there, they've still committed a crime. The alarm company that provides a means for the owner to monitor access is however seen as valuable. That's the point I was making in your development of both products. I see no value in the open distribution of a program like Phonesnoop, and it's unfortunate that your work on Kisses, may suffer by association.

BTW, you might want to re-think your choice of analogy by using an image that is demeaning to the developmentally disabled. I'm sure some might think it funny - I do not.

Happy Thanksgiving!

[sheran-g]

Quote:

Originally Posted by CISO

BTW, you might want to re-think your choice of analogy by using an image that is demeaning to the developmentally disabled. I'm sure some might think it funny - I do not.
Happy Thanksgiving!

Happy Thanksgiving to you and all on the forum. I gave you a link to a Google search for the phrase 'arguing on the internet' which is what is transpiring on this thread. As for the results and interpretation, YMMV.

[mulberries]

I will say what it appears to me :

the guy sheran did a spying tool - not too bright one though...

Then he see that flexispy and mobispy are himalayas compared to his tiny app.

so he wrote an app that detects these spy apps but not his....

so that he can claim that his spy app is an undetectable spyware...

then he was caught red handed then he created another id to support himself, and lol even that was caught !

and the prostitute is still preaching chastity !


I may be wrong... but those who feel the same way what I feel... pls express.

[lop1]

Just my two cents :

A big Thank you to Sheran-g to have made kisses , first tool to show some hidden process/software in a blackberry.

And knowing that he has also made the PhoneSnoop software give me a better confidence on Kisses software. For my point of view the PhoneSnoop is a typical POC with all the safeguard embedded, only media journalists can think of it as a real threat.

I would like also to second HaTax post about some extensions of kisses to monitor process running and to show all the connection running on the blackberry. This will be very cool , we need this sort of tools badly before the blackberry specific malware arrive.

[SplinterCell]

Quote:

Originally Posted by lop1

Just my two cents :

...PhoneSnoop is a typical POC with all the safeguard embedded, only media journalists can think of it as a real threat.

Apparently so does The Department of Homeland Security; did you miss the US-CERT warning?

[hrbuckley]

For what it may be worth I installed Kisses on my Blackberry as part of my duties to evaluate, and provide advice on Blackberry security matters.

Comming from an open source background, what Sheran has done is standard practice: theorize a vulnerability, research the vulnerability, develop proof of concept tools to ground truth the vulerability, develop a fix or profilactic, finnally publish everything.

Kisses doesn't tell me anything I need to know, and my advice up my chain was/is that the protective measures we employ, some of which have been discussed here, provide superior protection from and detecthion of malware than tools like Kisses. Having said that though, consumer level users don't have large professional IT departments to defend them. Some IT departments don't have support at high enough levels to enforce the kind of protection that many of you here would consider rudimentary.

I don't know if Sheran is a black hat or a white hat, but if you constrast what he has done with the authors of FlexiSpy, or SS8 and Etisalat I'm inclined to give him the benifit of the doubt.

[lop1]

"US-CERT is aware of public reports of a new software application called PhoneSnoop. This software allows an attacker to call a user's BlackBerry and listen to personal conversations. In order to install and setup the PhoneSnoop application, attackers must have physical access to the user's device or convince a user to install PhoneSnoop."

CERT does not speak of a threat , only of an application that CAN listen to conversation.

AND you need physical access to the target blackberry ,

AND as already explain by Sheran-g

The phone: RINGS when a call comes in
The homescreen: DISPLAYS an icon of the program
The applications folder: DISPLAYS an installed program in it

SO I confirm : only media journalists can think of it as a real threat.