Five German states have admitted using a controversial backdoor Trojan to spy on criminal suspects. Samples of the so-called R2D2 (AKA "0zapftis") Trojan came into the possession of the Chaos Computer Club (CCC), which published an analysis of the code last weekend. German federal law allows the use of malware to eavesdrop on …
Seriously? 2m Euros for a shonky hacked up badly tested bit of code? I believe I am in the wrong business.
Echoes of the Gestapo...
This story makes today a bad day for respect for privacy in Germany.
In Germany the local hackers' club has openly taken the government to task for using malware which can _potentially_ have illegal uses. The German politicos have actually answered.
So, now, let's step back for a minute.
When and where have you seen that happen in let's say UK? Or USA?
internet and ethics?
The Germans are on known thin ice, claiming that the aim justifies the means.
The Anglo-Saxon position is philosophically stronger, that any means are okay for security. However, it is also thoroughly anti-social, much as press gangs were, and it requires political hand-holding as one method after another is unveiled and its legal use restricted.
What I look for currently is a commitment to always use the minimum amount of Guantanamo-type extra-legal methods, and not just for this topic. I don't expect it to happen quickly, but cost and competence are two strong driving pressures towards that minimum - compare rail and air security, for instance.
Do you mean the Stasi?
Allowing the government to use legal trojans to spy on people sounds dangerous and bad to me, even though in principle it's no different to a wiretap I guess.
-is there any sort of due process, judicial review etc?
-is the trojan doing things that are not allowed by law (I would tend to believe pretty much anyone against the word of a government official trying to cover their ass)
-what if it ends up infecting other computers to the one here installed?
-what if the suspect is cleared? Can the trojan be remotely disabled / uninstalled?
While I understand that there are SOME legitimate law enforcement requirements, this is plain incompetent, surely any IT-savvy crim would be able to identify this
Is there any evidence of them putting the trojan on devices that are the property of anyone other than German citizens?
"Net security firm F-Secure hasn't seen the Trojan in the wild"
It doesn't really answer your question, but it suggests that such evidence is very thin on the ground.
"Net security firm F-Secure hasn't seen the Trojan in the wild"
Or one of those government security folks called them...
"anyone other than German citizens?"
Wrong question: you should be asking whether it has been used on anyone outside of the German government's jurisdiction. Though that's a pretty fuzzy concept these days, following the US approach of 'our jurisdiction is wherever we find people we don't like very much'.
That aside; you may be a foreign national, but if you're in Germany you are reasonably expected to follow local laws and submit to the local enforcement and judiciary.
"so anyone who uploaded the file must have cared little about keeping the technology secret and therefore effective for longer, or they were incompetent"
Perhaps they were suspicious of the file.
... someone said "Hey, how about we test if it can be picked up by lots of different virus scanners...!"
Give up, or take away!
"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
RE: Give up, or take away!
"Eternal vigilance is the price of liberty" - Wendell Phillips, regarding slavery, but applicable to those wanting to protect us from those that would do us harm.
Not being an expert in German law, I cannot comment on whether the use of commercial spyware is legal or not. However, being an expert on malware, I can confirm that this particular commercial spyware is shoddy and sloppily written. It's not worth 100 euros, let alone 2 million... Gosh, I'm in the wrong business... :-(
How is it targeted?
Watch out if you travel to Germany
"The sample of the Trojan obtained by the CCC was apparently placed on a suspect's laptop when he passed through customs at the Munich International airport."
Any electronic equipment that is taken out of your sight by German customs must be assumed to be compromised.
Better not have any commercial confidential information on it either - clean it before travelling.
Basically treat travel to Germany like travel to the USA.
Airport security is forever telling the hordes "never let your luggage out of your sight" so how *exactly* do you plant it in customs? Or did they already have the suspect in the small room with no windows?
This does also open the question of validity of evidence. I mean the police have effectively admitted that they tampered with the evidence.
Actually: *every* piece of electronic (and some might even strike the 'electronic') equipment is to be considered compromised after being taken out of your direct supervision. A thinkpad 8xx series might offer some protection, but they are not exactly SOTA anymore...
Take an image with you!
If travellers are concerned, simply wait till you're past the barrier, then restore your hard drive from an Acronis True Image. Doddle.
"How is it targeted?"
It isn't. Doesn't have to be. It's a Trojan, remember? Not a virus. It doesn't spread by itself. It has to be installed on the computer of the victim.
"Any electronic equipment that is taken out of your sight by German customs must be assumed to be compromised."
The-he-heee... They could always try. As long as Germany doesn't outlaw encryption (like France) they will fail. The best they could do is to boot from an external medium (and that won't be easy, either - they will have to bypass the BIOS password) and instal either an MBR or a BIOS rootkit. Which I'll detect during the proper boot process. ;-)
"Better not have any commercial confidential information on it either - clean it before travelling."
Better have it properly protected.
"Basically treat travel to Germany like travel to the USA."
Trust me, it's nothing of the sort. German security is generally polite and competent.
'The sample of the Trojan obtained by the CCC was apparently placed on a suspect's laptop when he passed through customs at the Munich International airport' - That's the bit that gets me. Personally, if you have good/bad data on your laptop that you don't want other people to see, use encryption, people; it's not hard.
Or simply switching your laptop on and using the free wireless at the airport installs this on your machine?
even though in principle it's no different to a wiretap
Assuming it's only applied to their own citizens in their own country.
Suppose you were an executive at a foreign company that competes with a German one, or you were bidding on a German project - you might want to be a little suspicious if your laptop is ever out of your sight on a trip to Germany.
Suppose you are a US defence contractor. You don't hand over your laptop to Chinese state security on a visit to China then plug it into your corporate LAN - well, Germany just joined that list.
more than wiretap
It is more like wiretap plus house search, since they can access data.
They may also have more difficulty in prosecuting cases where the use of the trojan to collect evidence is known to the court, to prove that they didn't plant files containing incriminating information.
Thank you, Germany
This brilliant piece of forcefully-legalized crap is now going to be the basis of a whole new generation of spam claiming to rid me of "legal" trojans, or another batch just begging to sell me a "legal" trojan-detector.
Plus, you've just opened the way for other countries to get bright ideas. After all, a paltry million or two is nothing in most countries' budgets (countries where a majority of citizens have electronic doodads, anyway), so why not?
So congratulations for the bright idea. Now, if you'll excuse me, I have to lock down all IP packets coming from any teutonic source.
Non-German software companies,
not being bound by German law, can make anti-Bundestrojan security software, right?
Would like to see...
Criminal proceedings against those responsible in the civil service, law enforcement and political spheres, plus proceedings against the company that wrote the software; civil proceedings against the states and the German Federation; trademark infringement proceedings against the ethically bankrupt fucks who wrote the software. The latter just to deliver a final kick to the arse of people who happily take taxpayers' money and then proceed to betray the taxpayer.
Oh, and other nations should be imposing sanctions on Germany and taking the nation to the appropriate European court for interfering with the privacy of individuals. I don't hold out too much hope here, though, since the border/customs agencies in most nations are possibly the least accountable and least scrupulous of any ostensibly non-military agency, and governments like to have a bit of dirty stuff to dish out "just in case".
So does this Trojan spread by itself or is it specific to the computer which the government is trying to access? If it spreads and can infect others then it's clearly an illegally placed piece of malware.