German Government Spyware

[Greedo]

So a German group of hackers, the "Chaos Computer Club" has uncovered and decoded a Trojan wich apparently was used by the German Government for spying.

Here's an article:
http://www.businessweek.com/news/20...pyware-violates-constitution-hackers-say.html

And in German:
http://www.faz.net/aktuell/politik/...egierung-verspricht-aufklaerung-11488340.html

Apparently this spyware was used by the Bavarian LKA , in a way wich would violate the German constitution.

Of course, the German people are already going nuts about this, throwing out terms like "new Stasi" and "police state" .

What are your opinions on this?

 

[Chaos]

"Chaos Computer Club"

...which is not affiliated with me, by the way.

 

[shemp]

This must be causing quite a furor.

 

[Childlike Empress]

It does. The existence is nothing new, but it is embarrassingly bad programmed, contains functions which were explicitly declared illegal by the constitutional court and was controlled over a server in the US. Here's the beef from the CCC.

 

[theprestige]

So is there any evidence to support the CCC's allegations?

Oh, wait... what, exactly are the CCC's allegations?

 

[Childlike Empress]

So is there any evidence to support the CCC's allegations?

Oh, wait... what, exactly are the CCC's allegations?

There's a link in my post. Feel free to click on it if you want.

 

[theprestige]

There's a link in my post. Feel free to click on it if you want.

I saw the link. I clicked on it, and read the article. Aside from a rather mundane explanation of the basic capabilities of modern trojans (ETA: And that they'd been told of such a one "in the wild"), CCC doesn't seem to be alleging much of anything at all. Was there a particular paragraph you had in mind?

 

[Floyt]

Was there a particular paragraph you had in mind?

The CCC analysis reveals functionality in the "Bundestrojaner light" (Bundestrojaner meaning "federal trojan" and is the colloquial German term for the original government malware concept) concealed as "Quellen-TKÜ" that go much further than to just observe and intercept internet based telecommunication, and thus violates the terms set by the constitutional court. The trojan can, for example, receive uploads of arbitrary programs from the Internet and execute them remotely. This means, an "upgrade path" from Quellen-TKÜ to the full Bundestrojaner's functionality is built-in right from the start. Activation of the computer's hardware like microphone or camera can be used for room surveillance.

The analysis concludes, that the trojan's developers never even tried to put in technical safeguards to make sure the malware can exclusively be used for wiretapping internet telephony, as set forth by the constitution court. On the contrary, the design included functionality to clandestinely add more components over the network right from the start, making it a bridge-head to further infiltrate the computer.

Sounds like an allegation, backed up by data, no?

ETA As a Bavarian, I am constitutionally required to defend this as g'schert, but then I haven't been home for a while...

 

[Childlike Empress]

ETA As a Bavarian, I am constitutionally required to defend this as g'schert, but then I haven't been home for a while...

You noticed the nickname they gave it, from how some internal functions are named?

0zapftis

"It's tapped!" Can't make this stuff up....

edit: correction - it was the CCC, not the original programmers who named the functions this way while reverse engineering the thing.

 

[Greedo]

You noticed the nickname they gave it, from how some internal functions are named?

0zapftis [qimg]http://www.internationalskeptics.com/forums/imagehosting/9907451897c0442ad.gif[/qimg]

"It's tapped!" Can't make this stuff up....

That had me laughing too

 

[Childlike Empress]

See edit. Hacker humour.

 

[theprestige]

Sounds like an allegation, backed up by data, no?

ETA As a Bavarian, I am constitutionally required to defend this as g'schert, but then I haven't been home for a while...

Yeah, that's the paragraph I'm referring to. It describes generic trojan functionality.

I note from the BusinessWeek article linked in the OP, that the "objectionable" functionality alleged by the CCC is actually permitted under German law. I also note from that article that the software is apparently freely available, and has been for years.

According to the BusinessWeek article, the CCC claims some of the trojan functionality violates the ruling of the constitutional court, but the article also says the court's ruling is that the government must meet certain legal requirements for using those functions.

So what exactly is the CCC alleging?

• The trojan as built violates some German law? If so, which law?
• The trojan as used violates some German law?
• The trojan they were told about was installed by the German government?
• The trojan they were told about was operated in situ by the German government, including its alleged "illegal" functions?

About that last: Since the so-called "illegal" functions are actually permissible in certain circumstances under German law, why is mere existence of those functions a problem?

 

[Aidoneus]

This must be causing quite a furor.

This must be causing quite a führer.

 

[Damien Evans]

This must be causing quite a führer.

That wasn't funny.

 

[Beerina]

Thanks, now could you please go to this thread and explain the joke I posted there?

(teleportation* occurs)

This must be causing quite a furor.

* Add to dictionary

 

[theprestige]

Since the so-called "illegal" functions are actually permissible in certain circumstances under German law, why is mere existence of those functions a problem?

Small correction; according to the story, it's not even the existence of the so-called "illegal" functions. Instead, it's just that the trojan has the potential to load these functions.

So can somebody explain to me the difference between "can legally load wiretapping functions (under certain conditions)" and "can legally load spycam functions (under certain conditions)"?

Is there some nuance of the story that I'm missing? Some German legal arcana that nobody has bothered to explain to us foreigners? Some nuance of German culture that has been lost in translation?

ETA: Or should I assume from the sudden downsurge in discussion and upsurge in Hitler jokes, that the topic really has no merit?

 

[Childlike Empress]

theprestige, your questions are answered in the CCC statement I linked to and even in the part Floyt quoted. Don't really know why I should repeat it for you if it's there in plain sight, especially given your tone. Here's a SPIEGEL article from a few days ago which links to another article describing the rulings of the constitutional court which were violated. You can strike the qualifier, the claims are true. This is developing into quite the scandal.

If the CCC's claims are true, then the software has functions which were expressly forbidden by Germany's highest court, the Federal Constitutional Court, in a landmark 2008 ruling which significantly restricted what was allowed in terms of online surveillance.

 

[shemp]

(teleportation* occurs)













* Add to dictionary

Looks like Aidoneus beat you to the punch line.

 

[Soapy Sam]

It does. The existence is nothing new, but it is embarrassingly bad programmed, contains functions which were explicitly declared illegal by the constitutional court and was controlled over a server in the US. Here's the beef from the CCC.

German illegal programming functions must be explicitly declared?
Not Visual Basic then?

 

[Greedo]

The way I've understood it, they bought it from a company, it was not specifically made for the LKA. In other words, if I get this correctly, the LKA did not specifically order illegal software.