German Chaos Computer Club analyzes and releases government malware (ccc.de)
From the press release: "The largest European hacker club, "Chaos Computer Club" (CCC), has reverse engineered and analyzed a "lawful interception" malware program used by German police forces. It has been found in the wild and submitted to the CCC anonymously. The malware can not only siphon away intimate data but also offers a remote control or backdoor functionality for uploading and executing arbitrary other programs. Significant design and implementation flaws make all of the functionality available to anyone on the internet."
66 comments
[ 3.0 ms ] story [ 128 ms ] threadLuckily the German public is by and large opposed to surveillance. (for historical reasons)
http://www.infratest-dimap.de/umfragen-analysen/bundesweit/s...
However I don't really think that the German public is strongly opposed to surveillance, especially since the media tried making a big deal out of the few incidences where some assholes decided to beat up people on the Munich and Berlin subways lately.
http://www.wahlrecht.de/umfragen/index.htm
The fact is that the citizens of Germany, and most other Western nations formerly known as the "free world" are today under more intense surveillance than the Stasi could have ever dreamed of. The German public in general is just mildly less apathetic about this as the rest of us.
The only thing that makes a real difference in Germany is the constitutional court, that appears to suffer less from political influences than the highest courts in most other nations, and actually takes its task of protecting citizens constitutional rights very seriously.
Especially with the relatively good European laws on the matter, most of stuff like this would lose in court but it never gets to that point because 1 - a lot of people don't want to spend the time and effort to push it to that point, 2 - with modern spying being so well hidden, people don't even notice their rights are being abused, so what would they sue for.
I keep hearing that, and I'm sorry, but it's pure sensationalist bullshit.
At the end, the Stasi employed one secret informer per ~90 citizens (!), and one official employee per ~180 citizens. That was the (proportionally) biggest secret service that ever existed. The Stasi kept tabs on more or less anything happening in the Eastern German society, down to what individual people had for lunch, and had infiltrated every organisation within its reach.
I can understand disagreement with things like this Bundestrojaner. But spouting ridiculous, sensationalist comparisons like these only harms a legitimate issue by painting its adherents as raving zealots.
Just mining Facebook and twitter will tell you what lots of people had for lunch...
[1] http://www.faz.net/aktuell/chaos-computer-club-der-deutsche-... [2]
[1] http://www.spiegel.de/netzwelt/netzpolitik/0,1518,790756,00....
Binaries not signed + no knowledge of how the infection is done + server in the USA which they said they didn't penetrate to look what's behind it.
I'm not doubting them, it would just be very interesting.
Translates to: > The Chaos Computer Club (CCC) received malware, whose owners who had reason to believe that it could possibly be the "Federal Trojan". One of these and its function is described by this document, other versions have been used for comparisons.
I guess they won't publish any more information to protect their sources.
I'm not saying it unlikely to be the federal trojan but if they had real proof, that would be so much bigger and could really damage the surveillance efforts.
I guess they are right. However, the features implemented in this trojan horse (Skype wiretapping, taking screenshots, keylogging, etc.) certainly look like it is to be used for general wiretapping/espionage. Additionally, CCC has obtained copies/variants(?) from several sources. If guess these were found on computers of people who have reasons to suspect the German police is spying on them. Overall, I assume that all other explanations for the existance of this software are significantly less likely than it being a police wiretapping rootkit.
Edit: FAZ (German) writes that the software was found on several harddrives that were connected to a certain police investigation. The software had been deleted from the disks but could be recovered [2]. I guess that these disks were confiscated based on search warrants and later returned to their owners. This makes me believe that the analyzed software is indeed the German police's Bundestrojaner.
[1] http://www.f-secure.com/weblog/archives/00002249.html
[2] http://www.faz.net/aktuell/chaos-computer-club-der-deutsche-...
Especially the latter can be impossible to do legally if you don't manage to shut down however is controlling it.
In any case this doesn't matter because the government would have to put these safe guards in place. They cannot not implement them simply because someone might suspect the government behind it if it is detected.
They rarely are.
Releasing the binaries alone to back up such a statement might be good enough for the hacker community but if you want to persuade the public you need to be more professional in your choice of words.
Even though this is a great achievement and I hope that this will have significant impact.
Also, we decided to detect it.
How generous...
And not just Apple, they're just one of the first with effective lock-in, and market-share.
Soon having programming/debugging tools could be ample evidence of intent to criminally (the only way) access a computing device.
Are there any serious anti-virus open source alternatives available?
http://www.f-secure.com/virus-info/bdtp.shtml
"F-Secure Corporation would like to make known that we will not leave such backdoors to our F-Secure Anti-Virus products, regardless of the source of such tools. We have to draw a line with every sample we get regarding whether to detect it or not. This decision-making is influenced only by technical factors, and nothing else, but within the applicable laws and regulations, in our case meaning EU laws."
So they won't leave explicit backdoors in their software, but their decision on whether or not to detect a particular malware is influenced by EU law.
Transparency is a top priority, otherwise we're approaching a high-tech East Germany. The group I least trust snooping on the world is the government (ie, above the law).
That said, there might be Bundestrojaners for 64-bit Windows. Or even entirely different operating systems.
http://www.faz.net/polopoly_fs/1.1486520.1318104289!/image/3...
Years ago, police was using cameras and directional microphones. But as technology evolves, the methods to prevent crime have to envolve as well. To not allow the police to use the same technology as the criminals would actually endanger stability of the society. If you don't agree, have a look at what happened and happens in Africa all the time as an extreme example to what happens it mankind lives without proper regulations.
The key point that needs to be discussed is not whether this kind of technology should be used, it's how and who is allowed to use it. Countries need a proper separation of powers. And the use of surveillance should only under any circumstances be approved by the independed jurisdiction.
Personally, if you can get one pedophile or terrorist I wouldn't care if the whole police of Germany would share my Jena Jameson collection.
I'm not saying I disagree with you, but if you are going to be confrontational then at least try not to be so blatantly hypocritical.
[1] http://www.schneier.com/blog/archives/2008/05/londons_camera...
[2] http://articles.cnn.com/2010-02-25/opinion/schneier.security...
[3] http://www.google.nl/search?q=london+cameras+reduce+crime
"Well knows" facts are usually anything but, and no doubt the original poster also though that "Proper surveillance has saved uncountable lives" was also a well known fact.
Those are pretty poor citations ( CNN or Bruce Schneier's personal blog are hardly reliable resources for criminology research). Most of it seems to be based on the statements of a single police officer. Schneier cites him as an authority when he agrees with him, but ignores him when he says things Schneier doesn't like . For example:
More training was needed for officers, [Detective Chief Inspector Mick Neville] said. Often they do not want to find CCTV images "because it's hard work"
Whereas Schneier states:
The solution isn't for police to watch the cameras more diligently
It's worth noting that this officer seems to be trying to get support for increased funding for his department, so his remarks need to be taken in that context.
As I said before I don't disagree with you that CCTV is probably a waste of money, but that it has done "nothing" to decrease or help solve crimes is not what studies have found. There also seems to be a large geographical/cultural factor.
http://ann.sagepub.com/content/587/1/110.short
Effects of Closed-Circuit Television on Crime
This article reports on the findings of a systematic review--incorporating meta-analytic techniques--of the available research evidence on the effects of closed-circuit television (CCTV) on crime in public space. A number of targeted and comprehensive searches of the published and unpublished literature and contacts with leading researchers produced twenty-two CCTV evaluations that met our criteria for inclusion in this review. CCTV had a significant desirable effect on crime, although the overall reduction in crime was a rather small 4 percent. All nine studies showing evidence of a desirable effect of CCTV on crime were carried out in the United Kingdom. Conversely, the other nine studies showing no evidence of any desirable effect of CCTV on crime included all five North American studies. CCTV was most effective in reducing crime in car parks. It had no effect on violent crimes but had a significant desirable effect on vehicle crimes.
Crime reduction is also not the only possible effect of CCTV: http://eab.sagepub.com/content/41/1/60.abstract
The Eye of the Camera Effects of Security Cameras on Prosocial Behavior
This study addresses the effects of security cameras on prosocial behavior. Results from previous studies indicate that the presence of others can trigger helping behavior, arising from the need for approval of others. Extending these findings, the authors propose that security cameras can likewise trigger such approval-seeking behaviors by implying the presence of a watchful eye. Because people vary in the extent to which they strive for others' approval, it was expected that the effects of security cameras on prosocial behavior vary with participants' need for approval. To test these predictions, an experimental study was conducted with “presence of security camera” and “need for approval” as independent variables. Results showed that participants indeed offered more help in the presence of a security camera but only to the extent that this helping involved public or observable behavior. As expected, this effect was more pronounced for individuals high in need for approval. Practical implications and suggestions for future research are discussed.
Now of course there is a question about whether we should be trying to manipulate people in these ways, and whether it is worth it given the costs (reduction in freedom, financial, potential for abuse etc), but I don't think we can have that debate unless we at least attempt to find out what the impacts on crime are (rather than just cherry picking like ...
The issue here is that this malware obviously exceeds the limits that the German Federal Constitutional Court explicitly set for such tools.
For example, anyone can upload and run arbitrary files on the victim's computer - prosecutors but also anyone who knows the computer's IP address. This allows tampering with evidence.
Additionally, not only actual communication is captured but everything you do in a browser window, e.g., writing your diary on Google Docs. Obtaining such information would legally require a search warrant. This means that police can escalate their privileges without judicial oversight.
And finally, all captured information is sent to a server in the USA, clearly outside of German jurisdiction. Weakly encrypted. Together with the previously mentioned problems, this would allow the USA to ask the German police to monitor a suspected terrorist, then siphon off the wiretapping results and even place incriminating data on the victim's computer. Of course, the CIA would never do such a thing.
The question here is not whether the police may use wiretaps, the question is whether the police [1] may systematically break the law and lie to the public and courts about what they actually can do.
[1] of course, the police in this context means only certain representatives and departments.
In Germany we call this line of "argument" the "Kinderpornokeule" (which roughly translates to "Child Porn Cudgel"). I'm sick and tired of people using it, in addition to - excuse my language - retarded assertions about surveillance and law enforcement, completely unrelated bullshit that's somehow supposed to prove a nonexistent point (Africa? Seriously?) and loads and loads of FUD to make sure nobody can disagree.
To make my point a bit clearer: No amount of "but think of the children", "we need to catch the terrorists" and FUD bullshit bingo will get me to relinquish essential liberties that generations of people fought hard to obtain.
The especially striking thing about this trojan is the functionality to load additional modules and go far, far beyond simple wiring tapping of (otherwise encrypted) communications (at the source) - which was the only thing that was actually approved (and the reason for this software in the first place) and it was stated clearly that the software must NOT go beyond wire tapping and technical precautions have to be taken to prevent the software from doing anything else.
Furthermore CCC's analysis showed that the part of loading additional code was actually hidden, obfuscated and spread out amongst the machine code - whereas the rest of the code was very straight forward, no obfuscations. So clearly whoever developed that thing was very aware of how illegal and unlawful that functionality is.
[1] (in German) http://www.faz.net/aktuell/feuilleton/ein-amtlicher-trojaner...
From the wording of the tweet I assume that instead some LKA (crime investigation departments on the state level) had been using the malware.
[1] http://twitter.com/#!/RegSprecher/status/123056930888491008
http://ijure.org/wp/archives/727 (in german)