Search This Blog

Thursday, October 13, 2011

STATE TROJAN - made in Germany

http://www.rall.com/rallblog/comics/2011-07-18.jpg
Of course the USA is far, far further down the fascism path. More like a modern East Germany


On Saturday, Germany's Chaos Computer Club (CCC) released a detailed analysis of the so-called Bundestrojaner (Federal Trojan) used by various police forces to spy on suspects.

According to the CCC, the trojan was in breach of tight limits determind by Germany's highest court, the Federal Constitutional Court.

Rules imposed by the court limit any sort of trojan employed by police and intelligence services to surveillance of VoIP, i.e. voice chats over Skype. However, it appears the police have ignored the Federal Constitutional Court's order by using an insecure and shoddily programmed trojan offering more features than is allowed.

Apart from being badly programmed and insecure, the trojan also allows various modules to be downloaded and installed. Theoretically, investigators would be able to search HDDs and manipulate data. As for shoddy programming, commands transmitted to the trojan are not encrypted, only one single key was used for all the trojans. Data transferred from PCs and commands were routed over a server in the USA, outside of German law.

The trojan, labelled R2D2 by various antivirus outfits due to the inclusion of C3PO, R2D2 and POE in the code, was pieced together by a German company called Digitask. In 2002, the company's former CEO and owner was sentenced to 21 months probation and a 1.5 million euro fine for bribing state employees at the Customs Criminal Office in Cologne.

The company renamed itself from Reuter Leiterplatten GmbH to DigiTask GmbH and once more enjoys selling services to state agencies. Cryptome.org managed to lay its hands on a small presentation by the company.

One of the trojans analysed by the CCC was forwarded to the club by German lawyer Patrick Schladt. Bavarian state police were investigating one of his clients on drug-related charges and installed a trojan on his PC, which forwarded screenshots to investigators which were in clear breach of the law. A court later determined the police had no legal basis to do so.

Furthermore, the Bavarian police shouldn't have made use of a trojan to monitor the client. The Federal Constitutional Court limited not only the means of surveillance, but also in which cases a trojan may be used by state authorities.

Cases are limited to the most serious crimes and terrorism. The client being monitored was a drug distributor whose crime may or may not have been shipping medicines to distribute in Germany, but perhaps not legal to export. Terrorism or serious crime, this is not.

The Bavarian police recently also hit the news in Germany for various cases of police brutality.

One of the cases saw a 14 year old youth losing teeth as a result of a police beating, and his head smashed against a wall. The conservative ruling party in Bavaria, the CSU (Christian Social Union), ignored the case until press reports led to public and political pressure.

Bavaria was not the only federal state to use the trojan.

Baden-Württemberg used it, however its Green-Labour coalition government has stopped. In Brandenburg, it has been used to monitor a suspect against facing an international arrest warrant. Berlin has not used a trojan, due to legal concerns.

Germany has a political scandal brewing which will influence upcoming elections. Heads are set to roll, especially in Bavaria where the trojan has been used in clear breach of law.

The Pirate Party is set to profit. Recent polls have seen the party at nine percent, and voter approval can only be expected to grow in the following weeks and months. Should Angela Merkel's conservative-liberal coalition drop dead before the next election, the situation will become very interesting.

Votes for the Pirate Party will mean less for the Social Democrats and Germany's Green Party, who are more or less expected to form the next coalition government. The most likely  outcome will be either a grand coalition government between Christian and Social Democrats, or a coalition between Social Democrats, Greens and - hold your breath - Pirates.

This is a reasonable scenario, should the Social Democrats and Greens suffer losses to the Pirate Party.

It would indeed be a political earthquake if the Pirate Party pass the five percent barrier required for a seat in the Bundestag, the German Federal Parliament.

Such a result would pressure established parties to become competent in technology and place more scrutiny on the law. Lobbying would be hit hard, while the democratic process would be strengthened.

It wouldn't be far-fetched to recognise the Pirate Party as a replacement for the liberal Free Democrats as an upholder of civil rights in the 21st century.


German state confesses the use of the state trojan.
Someone leaked a presentation about DigiTask's remote forensic spyware. There you go ... has all the features the state trojan has, i.e.
  • Software may be built according to court order
  • "Forbidden" features: removed from software, cannot be activated
  • After installation: online update possible

F-Secure's Mikko Hypponen tweeted amusingly: It's not well written. Which, I guess, makes it *more* likely it's developed by a Government ...

Switzerland and Austria have confessed of using them too.   I bet UK, Ireland, Australia, Canada are using trojans to break into people's computers too. 

No comments: