
€2m?!?
Seriously? 2m Euros for a shonky hacked up badly tested bit of code? I believe I am in the wrong business.
Five German states have admitted using a controversial backdoor Trojan to spy on criminal suspects. Samples of the so-called R2D2 (AKA "0zapftis") Trojan came into the possession of the Chaos Computer Club (CCC), which published an analysis of the code last weekend. German federal law allows the use of malware to eavesdrop on …
In Germany the local hackers' club has openly taken the government to task for using malware which can _potentially_ have illegal uses. The German politicos have actually answered.
So, now, let's step back for a minute.
When and where have you seen that happen in, let's say, the UK? Or the USA?
The Germans are on known thin ice, claiming that the aim justifies the means.
The Anglo-Saxon position is philosophically stronger, that any means are okay for security. However, it is also thoroughly anti-social, much as press gangs were, and it requires political hand-holding as one method after another is unveiled and its legal use restricted.
What I look for currently is a commitment to always use the minimum amount of Guantanamo-type extra-legal methods, and not just for this topic. I don't expect it to happen quickly, but cost and competence are two strong driving pressures towards that minimum - compare rail and air security, for instance.
Allowing the government to use legal trojans to spy on people sounds dangerous and bad to me, even though in principle it's no different to a wiretap I guess.
- is there any sort of due process, judicial review etc?
- is the trojan doing things that are not allowed by law? (I would tend to believe pretty much anyone against the word of a government official trying to cover their ass)
- what if it ends up infecting other computers to the one here installed?
- what if the suspect is cleared? Can the trojan be remotely disabled / uninstalled?
While I understand that there are SOME legitimate law enforcement requirements, this is plain incompetent; surely any IT-savvy crim would be able to identify this.
Wrong question: you should be asking whether it has been used on anyone outside of the German government's jurisdiction. Though that's a pretty fuzzy concept these days, following the US approach of 'our jurisdiction is wherever we find people we don't like very much'.
That aside; you may be a foreign national, but if you're in Germany you are reasonably expected to follow local laws and submit to the local enforcement and judiciary.
Not being an expert in German law, I cannot comment on whether the use of commercial spyware is legal or not. However, being an expert on malware, I can confirm that this particular commercial spyware is shoddy and sloppily written. It's not worth 100 euros, let alone 2 million... Gosh, I'm in the wrong business... :-(
"The sample of the Trojan obtained by the CCC was apparently placed on a suspect's laptop when he passed through customs at the Munich International airport."
Any electronic equipment that is taken out of your sight by German customs must be assumed to be compromised.
Better not have any commercial confidential information on it either - clean it before travelling.
Basically treat travel to Germany like travel to the USA.
Airport security is forever telling the hordes "never let your luggage out of your sight" so how *exactly* do you plant it in customs? Or did they already have the suspect in the small room with no windows?
This does also open the question of validity of evidence. I mean the police have effectively admitted that they tampered with the evidence.
"How is it targeted?"
It isn't. Doesn't have to be. It's a Trojan, remember? Not a virus. It doesn't spread by itself. It has to be installed on the computer of the victim.
"Any electronic equipment that is taken out of your sight by German customs must be assumed to be compromised."
The-he-heee... They could always try. As long as Germany doesn't outlaw encryption (like France) they will fail. The best they could do is to boot from an external medium (and that won't be easy, either - they will have to bypass the BIOS password) and instal either an MBR or a BIOS rootkit. Which I'll detect during the proper boot process. ;-)
"Better not have any commercial confidential information on it either - clean it before travelling."
Better have it properly protected.
"Basically treat travel to Germany like travel to the USA."
Trust me, it's nothing of the sort. German security is generally polite and competent.
'The sample of the Trojan obtained by the CCC was apparently placed on a suspect's laptop when he passed through customs at the Munich International airport' - That's the bit that gets me. Personally, if you have good/bad data on your laptop that you don't want other people to see, use encryption, people; it's not hard.
Or simply switching your laptop on and using the free wireless at the airport installs this on your machine?
Assuming it's only applied to their own citizens in their own country.
Suppose you were an executive at a foreign company that competes with a German one, or you were bidding on a German project - you might want to be a little suspicious if your laptop is ever out of your sight on a trip to Germany.
Suppose you are a US defence contractor. You don't hand over your laptop to Chinese state security on a visit to China then plug it into your corporate LAN - well, Germany just joined that list.
This brilliant piece of forcefully-legalized crap is now going to be the basis of a whole new generation of spam claiming to rid me of "legal" trojans, or another batch just begging to sell me a "legal" trojan-detector.
Plus, you've just opened the way for other countries to get bright ideas. After all, a paltry million or two is nothing in most countries' budgets (countries where a majority of citizens have electronic doodads, anyway), so why not?
So congratulations for the bright idea. Now, if you'll excuse me, I have to lock down all IP packets coming from any teutonic source.
Criminal proceedings against those responsible in the civil service, law enforcement and political spheres, plus proceedings against the company that wrote the software; civil proceedings against the states and the German Federation; trademark infringement proceedings against the ethically bankrupt fucks who wrote the software. The latter just to deliver a final kick to the arse of people who happily take taxpayers' money and then proceed to betray the taxpayer.
Oh, and other nations should be imposing sanctions on Germany and taking the nation to the appropriate European court for interfering with the privacy of individuals. I don't hold out too much hope here, though, since the border/customs agencies in most nations are possibly the least accountable and least scrupulous of any ostensibly non-military agency, and governments like to have a bit of dirty stuff to dish out "just in case".