In the secretive world of surveillance technology, he goes just by his initials: MJM.
His mystique is such that other security professionals avoid using wireless Internet near him. MJM himself suggests that those he meets allay their paranoia by taking batteries out of their mobile phones.
- Special Report: Unsafe at Any Bitrate
MJM -- Martin J. Muench -- is the developer of Andover, U.K.-based Gamma Group’s FinFisher intrusion software, which he sells to police and spy agencies around the world for monitoring computers and smartphones to intercept Skype calls, peer through Web cameras and record keystrokes.
In the past year, the hacker-turned-executive has himself been under attack as the 2011 Arab Spring uprisings unravelled the cloak of secrecy he’d operated behind.
FinFisher’s once-elusive FinSpy tool has been exposed targeting activists from the Persian Gulf kingdom of Bahrain; decoded for the first time by computer-virus hunters; placed under export control by the U.K.; and traced to countries with poor human rights records, such as Turkmenistan in Central Asia.
As evidence mounts that repressive regimes routinely use surveillance gear to track and capture dissidents, FinSpy has been singled out as one of the most invasive weapons. The attention has subjected Muench to death threats, he says, and government scrutiny.
It’s against this backdrop -- which Muench, 31, calls a “witch hunt” -- that he’s decided to explain himself, opening his Munich offices to a journalist.
“I’m the personified evil,” Muench says of his role as the face of FinFisher, which he defends as a tool for catching pedophiles and terrorists. Muench, who was born in northern Germany and grew up in a town (population 800) that he won’t name out of concern for his family’s security, started hacking at around age 13. As managing director of Gamma’s German-based unit, Gamma International GmbH, he’s developed FinFisher spyware since 2007, and leads its marketing.
“The product helps to catch serious criminals and helps to save lives,” says Muench, who stands about 1.9 meters tall (almost 6 feet 3 inches), has close-cropped hair and is dressed in a black, collared shirt, distressed blue jeans and black shoes. He won’t provide examples of crimes solved, saying it could jeopardize clients’ methods. “So we have to live with the bad guy image,” he says.
Other units of Gamma Group provide intelligence training and sell surveillance vans, wireless microphone systems and interrogation rooms outfitted with audio and video capabilities. The company is controlled by members of a British family, the Nelsons.
Of Gamma’s products, FinFisher has become the flashpoint. It represents the leading edge of a largely unregulated trade in cybertools that is transforming surveillance, making it more intrusive as it reaches across borders and spies into peoples’ digital devices, whether in their living rooms or back pockets.
A Bloomberg News investigation this year into the abuses of intrusion products and the threats of computer espionage has shown how technologies from companies such as Gamma and its competitor, Milan-based HackingTeam, represent the next step in a digital arms race between governments and the people they watch.
Political dissidents who discovered FinSpy trying to infect their e-mail inboxes heap scorn on Muench for what they say is complicity in rights abuses.
“I have little respect for this man for his role in the violation of my privacy rights and for risking the work we are doing,” says Ala’a Shehabi, 31, a U.K.-born democracy advocate and economist hit by FinSpy in Bahrain this April and May.
Muench responds that he and his spyware have been misunderstood, and that any product can be used for harm. “So can a can of fizzy drink or a car battery,” he says.
To drive that point home, Gamma Group’s communications director, Robert Partridge, points to a glass bottle of Coca- Cola in the middle of a table in the company’s conference room. Carbonated beverages, he explains, could be very painful when poured in the noses of interrogation subjects who have been turned upside down.
Muench says Gamma acts responsibly by only selling FinFisher to governments and obeying the export laws of the U.S., the U.K. and Germany. After he sells a system, it’s out of his hands, says Muench.
“We have no control; once it’s out there it’s basically with the country,” he says during the five-hour interview that veered from a product demonstration in Gamma’s conference room to lunch at a Bavarian restaurant serving specialties from Munich’s Oktoberfest tents to getting lost driving his company’s black BMW 528i sedan back to the office. “That’s why we check, ‘Are they bad guys?’ before we deliver it.” He doesn’t reveal which governments have purchased FinFisher.
Muench, whose only formal education after high school was a part-time university course in jazz piano, is trying to set the record straight about himself and his company after a blistering year.
In May, Bloomberg News obtained spyware that had been sent to activists from Bahrain and gave copies to a San Francisco- based security expert, Morgan Marquis-Boire, for analysis. Marquis-Boire dissected the samples and found they were Muench’s product. His research, published by the University of Toronto Munk School of Global Affairs’ Citizen Lab, and Bloomberg News stories about it appeared in July.
Also in July, London-based Privacy International, which monitors surveillance abuses, informed the British government it planned to file a lawsuit to force regulation of surveillance technology sales, including those of FinFisher.
The next month, following the disclosures that the software had targeted dissidents, the U.K. government informed Gamma it must obtain export licenses to sell FinSpy outside the European Union.
At the same time, researchers including Claudio Guarnieri of Boston-based security risk-assessment company Rapid7; Bill Marczak, a computer science doctoral candidate at the University of California Berkeley; and Marquis-Boire, whose day job is working as a security engineer at Google Inc., found computers that appeared to be command servers for FinSpy in at least 15 countries.
They also documented FinSpy’s ability to take over mobile phones -- turning on microphones, tracking locations and monitoring e-mails.
The pressure has continued to build.
On Oct. 12, U.S. law enforcement officials warned smartphone users to protect themselves against FinFisher, calling it malware, or malicious software.
“FinFisher is a spyware capable of taking over the components of a mobile device,” the Internet Crime Complaint Center, a partnership between the Federal Bureau of Investigation and National White Collar Crime Center, said in a Website alert to the public. “FinFisher can be easily transmitted to a Smartphone when the user visits a specific web link or opens a text message masquerading as a system update.”
Muench has put himself forward as Gamma’s point man on the issue, as Gamma’s controlling shareholders, the Nelsons, remain in the background. He says they act only as investors, providing money and customer contacts for FinFisher.
The family declined requests to be interviewed for this story through Partridge, who acts as a spokesman for both Gamma and the Nelsons.
Before joining the Gamma group of companies 13 years ago, Partridge says, family patriarch William Nelson, now 80, held a half ownership of Wallop Holdings Ltd., a pyrotechnics and defense company that made flares, riot-control equipment and smoke generators.
Questions that arose from Nelson’s time at Wallop, also based in Andover in southern England, foreshadowed the current FinFisher controversy.
Wallop twice denied published reports that it may have had dealings with Saddam Hussein’s Iraq. In one instance, the company said it had rejected an Iraqi request for rocket launcher samples in 1984. Then, in the 2003 invasion of Iraq, Scottish troops found grenades in boxes outside Basra bearing Wallop’s name. That led Wallop to disclose that it had sold smoke grenades to Kuwait in 1986, and to suggest that the weapons must have been seized by Iraqi troops during their earlier occupation of the neighboring country, according to news reports at the time.
“Wallop Industries at no time supplied Saddam Hussein or Iraq,” Gamma spokesman Partridge says. The items found in Iraq bore codes that matched the Kuwaiti sale, and Wallop never made rocket launchers, he says.
Nelson sold his stake when new owners purchased Wallop in September 1987 in a deal that valued the company at 7.6 million pounds ($12 million), according to a company announcement.
After the sale, Nelson retired until 1999, when he joined Gamma, which had been founded in Beirut in 1990 as a trading company dealing in general and electrical goods, Partridge says. Today, under Nelson family control, the U.K. and German companies that comprise what is now Gamma Group specialize in surveillance and security.
The transformation shows why governments seeking to protect human rights must modernize their export controls to keep up with changing technology, says Ben Scott, a former policy advisor for innovation to U.S. Secretary of State Hillary Clinton.
“Shipping guns and grenades over an ocean leaves a physical trail in a way that downloading software does not,” says Scott, senior advisor to the Washington-based Open Technology Institute, a policy group that promotes affordable and universal communications networks and studies the social impact of new technologies.
As Gamma expanded, it sold governments eavesdropping gear for intercepting communications, Muench says. In recent years, such passive surveillance, which includes phone tapping, became less effective as Internet communications boomed.
“More customers came and complained, basically saying ‘Oh, we can’t get this and that and that, so we need to find a way to intercept,’” Muench says.
By 2007, Muench had gained recognition as a developer of BackTrack, one of the best-known free tool kits for computer penetration testing.
That year, Gamma approached him and, according to Muench, said, ’Listen we need professional government tools to face these kinds of challenges.’” He made the jump to corporate life.
Muench built the German business from a home office to a unit that now employs about 30 people on the second floor of a modern building with floor-to-ceiling windows in a neighborhood filled with technology companies. He owns 15 percent of the German-based Gamma International, he says.
Muench stayed under the radar until the Arab Spring, which exposed surveillance technologies used by regimes across the Middle East, turned the tables on him. As the purveyor of technology for secret stalking, he has himself become the hunted.
Muench and FinFisher first came under scrutiny after a sales pitch made to Egyptian state security for a system priced at 388,604 euros ($499,084) was uncovered following that country’s February 2011 revolution. A sale was never completed, Muench says.
The secret FinFisher software became an object of fascination within the virus-hunting world. In March 2011, Mikko Hypponen, chief research officer at Helsinki-based data security company F-Secure Oyj, vowed that if a copy were ever found, he’d write anti-virus protection against it.
From then, the attention didn’t let up. In December, anti- secrecy website WikiLeaks posted Gamma promotional videos showing how police could plant FinSpy on a target’s computer.
This year, the Citizen Lab and Bloomberg News reports about Bahrain on July 25 started the clock on a race between Muench, who needed to quickly rewrite his software, and the researchers and security companies, who began tracing where FinSpy was in use and crafting protection for its potential targets.
“It’s a cat and mouse game,” says Muench, who was in Brasilia that day pitching FinFisher at the Latin American installment of the ISS World surveillance tradeshow, known as the Wiretapper’s Ball.
While Muench says the samples analyzed were demonstration versions, and not the operational software used by clients, they were close enough to require modifications, he says. Changing characteristics of the product would make it harder to detect by anyone who had seen the Bahraini samples. For the first time ever, he found himself in a position of having to put the company’s emergency plan in action.
Colleagues in Munich opened a safe (the combination is “666,” he jokes) and removed a hard drive about the size of a large box of matches, which contained a modified version of the spyware, Muench says.
“We always have a spare, just in case,” he says.
It took two days for programmers to prepare the new software for release on FinSpy systems around the world, and to inform customers of the update, he says.
To respond to the critics, Muench says he wants to demonstrate that FinSpy is a responsible product that includes features that make the data it gathers suitable for presentation in a court of law.
In the Munich conference room, where cabinets display black, plastic suitcases filled with cyber-interception gear, he fires up FinSpy on his Apple laptop, which projects what he’s doing onto a screen at the front of the room. The console that intelligence agents use to monitor infected computers comes to life, in blue, black and white.
“Understand, I can’t show you 100 percent, but I’ll show you most,” Muench says.
He moves the arrow on his computer across the top of the screen, where tabs indicate two choices: “PC Targets” and “Mobile Targets.” The targets for the live demonstration are Gamma computers used for such purposes, Muench says.
Clicking into the PC tab, he brings up a page filled with line after line of names and flags representing countries around the globe. The colors of Brazil, Indonesia, Malaysia, Singapore and the U.K. and several other nations are represented.
“What we have here is an overview of PC targets that are currently infected,” Muench says.
He clicks into one line and pulls up the transcript of a Skype text chat. Another click takes him to a recorded Skype call, on which he points to the timestamps. If the audio file is edited, the software will indicate how many seconds have been cut -- a safeguard against misuse, he says.
He then switches to “Mobile Targets,” revealing a separate list, this time of handsets.
FinSpy Mobile can infect almost every kind of device, including Apple Inc.’s iPhones and smartphones running Google’s Android or Microsoft Corp.’s Windows systems, according to a pamphlet Muench provides.
Asked if the publicity he’s gotten for such surveillance powers inspires mistrust in the people he meets, Muench says he’s given up on a social life for now. “If I meet a girl and she Googles my name, she’ll never call back,” he says.
In Bahrain, Shehabi isn’t shedding a tear for MJM.
“Anyone who supports these governments in their campaign of repression deserves the reputation they get,” she says.
To contact the reporter on this story: Vernon Silver in Rome at firstname.lastname@example.org
To contact the editor responsible for this story: Melissa Pozsgay at email@example.com