Slashdot Mirror


German Government's Malware Analyzed

First time accepted submitter lennier1 writes "The German hacker group CCC (Chaos Computer Club) has analyzed a piece of malware the German government uses in criminal investigations to spy on a suspect's computer. I'm sure we're all surprised that it's opening security holes for third parties, and violates a related court verdict (and several laws in general)."

162 comments

  1. Well by esocid · · Score: 0

    You want competant surveillance too? Sheesh, so demanding.
    I'll go ahead and throw out the "if you've got nothing to hide" out there too, and see how this gets modded.

    --
    Absolute power corrupts absolutely. indymedia
    1. Re:Well by Anonymous Coward · · Score: 0

      I'd settle for competent spelling. /grandmanotsee

  2. Surprise, surprise, surprise by AliasMarlowe · · Score: 1

    I'm sure we're all surprised that it's opening security holes for third parties, and violates a related court verdict

    This must be some new meaning for the word "all" that I have not come across before. Because it implies that "all" means a vanishingly small fraction of the population.

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    1. Re:Surprise, surprise, surprise by Shoe Puppet · · Score: 4, Funny

      /etc/init.d/sarcasm start

      --
      (+1, Disagree)
    2. Re:Surprise, surprise, surprise by ae1294 · · Score: 0

      sudo /etc/init.d/sarcasm start

    3. Re:Surprise, surprise, surprise by Smallpond · · Score: 2

      /etc/init.d/sarcasm start

      Please. It used to be service sarcasm start but we've switched to systemctl start sarcasm.service now.

    4. Re:Surprise, surprise, surprise by ScrewMaster · · Score: 2

      /etc/init.d/sarcasm start

      Please. It used to be service sarcasm start but we've switched to systemctl start sarcasm.service now.

      I use Windows. I don't know how to be sarcastic.

      --
      The higher the technology, the sharper that two-edged sword.
    5. Re:Surprise, surprise, surprise by Anonymous Coward · · Score: 0

      /etc/init.d/sarcasm start 2&1 | /dev/null

    6. Re:Surprise, surprise, surprise by Anonymous Coward · · Score: 0

      /etc/init.d/sarcasm start

      Please. It used to be service sarcasm start but we've switched to systemctl start sarcasm.service now.

      I use Windows. I don't know.

      FTFY

    7. Re:Surprise, surprise, surprise by Anonymous Coward · · Score: 0

      /etc/init.d/sarcasm start

      Please. It used to be service sarcasm start but we've switched to systemctl start sarcasm.service now.

      I use Windows. I don't know how to be sarcastic.

      /etc/init.d/ignorance start

    8. Re:Surprise, surprise, surprise by cynyr · · Score: 1

      lol, i love the ubuntu people, that don't know they can just log in as root to do a bunch of things and then log out...

      sudo foo
      sudo bar
      sudo start foo
      sudo start bar

      su -
      foo
      bar
      start foo
      start bar
      exit

      --
      All of the above was encrypted with a Quad ROT-13 method. Unauthorized decryption is in violation of the DMCA.
    9. Re:Surprise, surprise, surprise by AliasMarlowe · · Score: 1

      Actually, in Ubuntu that should be "sudo su" as the first command...

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    10. Re:Surprise, surprise, surprise by allo · · Score: 1

      No. It's just "sudo -s". "sudo su" is for people who cannot read manpages.

    11. Re:Surprise, surprise, surprise by pizzap · · Score: 1

      you may use sudo -i as well.

    12. Re:Surprise, surprise, surprise by Anonymous Coward · · Score: 0

      Yet it takes just as many keystrokes.

    13. Re:Surprise, surprise, surprise by Anonymous Coward · · Score: 0

      Oh - so sorry..
      Start>Run
      net start sarcasm

    14. Re:Surprise, surprise, surprise by Anonymous Coward · · Score: 0

      "sudo -i" works just fine in ubuntu too.

    15. Re:Surprise, surprise, surprise by Anonymous Coward · · Score: 0

      You would be better off not allowing sudo su, sudo -s and sudo -i at all. Compromising your user password compromises the root account too.

      Just memorize two passwords instead of one (user and root), it's safer. And use su when you really need root.

    16. Re:Surprise, surprise, surprise by Anonymous Coward · · Score: 0

      /etc/rc.d/sarcasm start

    17. Re:Surprise, surprise, surprise by hb79 · · Score: 0

      > lol, i love the ubuntu people, that don't know they can just log in as root to do a bunch of things and then log out...

      Well, it wasn't that many months ago we had a discussion here, where people were peeing all over the "old Unix beards" who would switch to root to get stuff done. If your wrong intention, distraction, or other mistake will lead you to fuck up, some "are you sure - type your password" message isn't going to make you think twice.

    18. Re:Surprise, surprise, surprise by broken_chaos · · Score: 1

      You have to disallow sudo entirely (or to a carefully-patrolled whitelist of commands), not just "sudo su", "sudo -s" and "sudo -i". Otherwise you can do "sudo bash", "sudo busybox ash", "sudo passwd", "sudo writable-script.sh", "cd bash; ./configure; make; sudo ./bash", and all sorts of other little workarounds.

      As far as security goes... I'd give this a shrug at best. At worst, you're in a situation where many people now need the actual root password and that makes logging and monitoring access a lot harder.

    19. Re:Surprise, surprise, surprise by agw · · Score: 1

      You're right.

      You would not be able to whitelist any command that may execute a third command, change file bits, change (i.e. specify output files) any script or command that IS in the whitelist, etc.

      It's only really useful if you attach a company policy to it saying "we use this to log the commands you run, if you misuse it, you're a bad boy and will be reported".

    20. Re:Surprise, surprise, surprise by Wintervenom · · Score: 1

      #!/bin/bash
      # Start/stop/restart a daemon via whatever init system PID 1 turns out to be.
      if [[ -z $1 ]]; then
          echo "Usage:  ${0##*/} (stop|start|restart) [daemon]"
          exit 1
      fi
      d=${2:-sarcasm}
      rc=0
      case $(</proc/1/comm) in
          systemd)
              systemctl "$1" "$d.service"; rc=$?
              ;;
          upstart)
              service "$d" "$1"; rc=$?
              ;;
          runit)
              sv "$1" "$d"; rc=$?
              ;;
          init)
              # Classic SysV: try /etc/rc.d, /etc/rc, /etc/init.d and /etc/init in turn.
              rc=1
              for s in {rc,init}{.d,}; do
                  if [[ -f /etc/$s/$d ]]; then
                      "/etc/$s/$d" "$1"; rc=$?
                      break
                  fi
              done
              ;;
          *)
              # Unknown init system: drive the process directly.
              if [[ $1 == @(stop|restart) ]]; then
                  killall "$d"
                  # Give it up to five seconds to exit before escalating to SIGKILL.
                  for i in {0..5}; do
                      pidof "$d" &>/dev/null || break
                      sleep 1
                  done
                  pidof "$d" &>/dev/null && killall -9 "$d"
              fi
              if [[ $1 == @(start|restart) ]]; then
                  pidof "$d" &>/dev/null || "$d" -D; rc=$?
              fi
              ;;
      esac
      if [[ $rc -ne 0 ]]; then
          echo "FATAL:  Could not $1 $d service."
          exit 1
      fi

    21. Re:Surprise, surprise, surprise by ScrewMaster · · Score: 1

      /etc/init.d/sarcasm start

      Please. It used to be service sarcasm start but we've switched to systemctl start sarcasm.service now.

      I use Windows. I don't know.

      FTFY

      {sigh} the Slashdot hive-mind can be so literal sometimes.

      --
      The higher the technology, the sharper that two-edged sword.
    22. Re:Surprise, surprise, surprise by awehttam · · Score: 1

      net start sarcasm

    23. Re:Surprise, surprise, surprise by LordLimecat · · Score: 1

      No, sudo su is for people who have a random or unknown root password, but have full sudo capabilities.

    24. Re:Surprise, surprise, surprise by Anonymous Coward · · Score: 0

      ...then an upgrade to IE plus a reboot, followed by 42 system updates and then another reboot.

    25. Re:Surprise, surprise, surprise by Anonymous Coward · · Score: 0

      launchctl start org.slashdot.sarcasm

    26. Re:Surprise, surprise, surprise by Anonymous Coward · · Score: 0

      /etc/init.d/sarcasm start 2&1 | /dev/null

      Is /dev/null a command on your system?

      You mean "/etc/init.d/sarcasm start 2>&1 >/dev/null"

      Or just "/etc/init.d/sarcasm start &>/dev/null"

    27. Re:Surprise, surprise, surprise by Anonymous Coward · · Score: 0

      Even better. sudo -s

    28. Re:Surprise, surprise, surprise by ScrewMaster · · Score: 1

      ...then an upgrade to IE plus a reboot, followed by 42 system updates and then another reboot.

      Apparently you've not spent any time on Windows 7 (don't know about Vista, never bothered with it) but 7 has improved the update process considerably over XP and earlier: no more use of Internet Explorer as the update vehicle (I'll cheerfully admit that that was not one of Microsoft's better ideas.) Doesn't need to reboot as often after an update either, so it's more competitive with your typical Linux distro in that regard.

      As it happens, my entire household is Linux, and on the Ubuntu workstations and Debian server, I still receive plenty of updates (some of those require the occasional reboot.) Frankly, I don't have a problem with that, on any platform. Nobody is perfect, and I'm glad that an ongoing investment is being made in software security and stability, whether it be from Microsoft, Canonical or anyone else. Trying to blame Microsoft for regular system updates when every other vendor worth its salt does the same thing is disingenuous.

      The only machine I have left that is still running Windows is the living room HTPC. It runs a stripped-down XP so we can use Netflix, and that will be gone the moment Netflix releases a version of their Silverlight-based player that works under Linux. If they ever do: I'll probably be dropping them at some point in the near future because their streaming selection isn't that good, frankly.

      --
      The higher the technology, the sharper that two-edged sword.
    29. Re:Surprise, surprise, surprise by rioki · · Score: 1

      Except that you need not to type your passwd twice... so much for that...

    30. Re:Surprise, surprise, surprise by cbiltcliffe · · Score: 1

      At worst, you're in a situation where many people now need the actual root password and that makes logging and monitoring access a lot harder.

      Or, you could just set up multiple root accounts; one for each admin. Then you can log each admin individually, and know who screwed up what when it hits the fan.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
  3. I think there is something... by Dark Lord of Ohio · · Score: 1

    I think there is something we don't know about. If they really got "official" version, then I am expecting that many heads in German federal government will fall.

    1. Re:I think there is something... by plover · · Score: 2

      I think you are overly optimistic about the ability of most governments to correct their own abuses of power. I doubt they'll fire anyone or even stop using the Trojan, they'll just have someone correct some of the deficiencies the CCC found.

      At the most, they may take the Undersecretary for Purposes of Scapegoating out and publicly fire him. They might terminate the contract with the software company who developed it. But don't expect "many heads" to roll.

      --
      John
    2. Re:I think there is something... by Anonymous Coward · · Score: 1

      Unfortunately crass incompetence and general disregard for laws only means the persons responsible will fall UP the promotion ladder. The more you fuck up, the higher you get. The ruling class cannot do wrong. "Du bist Deutschland!"

    3. Re:I think there is something... by YouDieAtTheEnd · · Score: 0

      Fer someone from Ohio, you sure do talk funny.

    4. Re:I think there is something... by Issarlk · · Score: 1

      We are talking about beeping computers with blinking lights in front of strange guys with big glasses typing on keyboards as big 3D skulls rotate over a password form... in the imagination of anyone high enough to fire them. They'll probably shrug and just ask them to hire a goth girl to enhance the security of the encryption channel so that they don't get their computers fried in a deluge of sparks if the bad guys squeeze through the security holes.

    5. Re:I think there is something... by barv · · Score: 1

      More likely than federal public servants being sacked for wrongdoing is a witch hunt to find out who leaked the binary. Oh and also an attempt will be made to hire a proper programmer in place of their script kiddy.

    6. Re:I think there is something... by Anonymous Coward · · Score: 0

      Heads in the German government rarely fall over wrongdoing. Usually, people just shift blame and weasel out of it.

      "At least it's not as bad as in America" is a common political excuse, and it is all done for the purpose of protecting German democracy.

    7. Re:I think there is something... by Anonymous Coward · · Score: 0

      No they won't. Only a few nerds will understand what the CCC is talking about. These people are so glaring whitehat that they run to the media before even demonstrating that an exploit is possible. They would have had the chance to spoof the trojan and thus make all evidence the trojan has already collected invalid in court. Instead they chose premature publicity, which will have exactly zero consequences, except that now they have alerted the other side, given them precious advice for free, and destroyed their own chance at proving that what they analyzed is indeed a government-issued trojan.

    8. Re:I think there is something... by ultranova · · Score: 0

      I think there is something we don't know about. If they really got "official" version, then I am expecting that many heads in German federal government will fall.

      Yeah. A country that was mentored by both Hitler and Stalin really has no excuse for incompetence in this area.

      --
      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    9. Re:I think there is something... by Anonymous Coward · · Score: 0

      to find out who leaked the binary

      I hope you understand that in order for it to DO anything, you kind of have to... put it on people's computers.

    10. Re:I think there is something... by Dark Lord of Ohio · · Score: 1

      Fer someone from Ohio, you sure do talk funny.

      LOL, but I try not to forget to spell check what I send :)

    11. Re:I think there is something... by rioki · · Score: 1

      No no we are unfailable. "Wir sind Papst!"

    12. Re:I think there is something... by V for Vendetta · · Score: 1

      It wasn't "leaked". It was handed over to the CCC by a lawyer. He defended a guy in court which the malware was used against to collect evidence.

    13. Re:I think there is something... by t2t10 · · Score: 1

      I seriously doubt it. Since WWII, German governments have gotten away with a lot, including massive surveillance and widespread invasions of privacy. Germans just don't care.

  4. extracted binaries by Anonymous Coward · · Score: 0

    I was going to scan the binaries with some anti-virus programs to see if their signatures were detected, but the downloaded tgz file comes up with errors when attempting to extract. Anyone else running into that problem?

    1. Re:extracted binaries by Anonymous Coward · · Score: 0

      works perfectly fine for me

    2. Re:extracted binaries by freedumb2000 · · Score: 1

      In the German paper at least, it says that it is not currently detected.

    3. Re:extracted binaries by berniemne · · Score: 1

      tgz is fine for me. Avast is not detecting it. I'm scared.

    4. Re:extracted binaries by Opportunist · · Score: 1

      AV tools are only as good as the samples the company making them has. And since I'd guess the German government is no more trustworthy than any other malware spreader, I doubt they handed samples to the various AV makers.

      Now that those samples are available, scan again in a few days to see which AV makers put their money where their mouth is, and which are bending over and beg for lube.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  5. Re:Frosty Piss by Anonymous Coward · · Score: 0

    Sweet, thanks for clearing that up.

  6. But most importantly by Dunbal · · Score: 4, Insightful

    Can this trojan upload child pornography (or any other incriminating files/images) to the suspects computer, to be collected as "evidence" at a later date? I suspect it can. And if this program can uninstall itself at a later date, then this is a perfect tool for "bring him in, boys". Oh George Orwell, how foresighted you were.

    --
    Seven puppies were harmed during the making of this post.
    1. Re:But most importantly by Anonymous Coward · · Score: 0

      If an authority's intention is to falsely convict someone by planting material on a piece of equipment that they will seize, disassemble and connect to their own equipment during the course of that conviction, why on earth bother planting it remotely?

    2. Re:But most importantly by Dunbal · · Score: 5, Insightful

      You really don't understand how corruption works, do you? It would not be a false conviction at all. It would be a very real conviction, documented, with a valid chain of evidence and everything. The reasons can be many - from the "guy they think is the criminal but can't actually arrest him for anything because he hasn't done anything they can prove" situation - like Al Capone; to the "rival gang member needs to be taken out quickly because gang A just paid me $100k to lock up the leader of gang B so I will just upload this stuff onto his computer and call in an "anonymous tip"" situation. It even includes the "pay me $100k or you get thrown in jail" situation where the corrupt law enforcement/government agent decides to put the squeeze on someone.

      Maybe it's because I live in the third world and am used to dealing with corruption like this almost on a daily basis that I am so cynical. However if anyone (police or otherwise) can clandestinely install a program on your machine/cell phone/whatever and have it upload/execute programs, then all machines/cell phones/whatever can be compromised and such "evidence" shouldn't be admissible in court anymore.

      --
      Seven puppies were harmed during the making of this post.
    3. Re:But most importantly by AliasMarlowe · · Score: 5, Insightful

      If an authority's intention is to falsely convict someone by planting material on a piece of equipment that they will seize, disassemble and connect to their own equipment during the course of that conviction, why on earth bother planting it remotely?

      Because the raid, seizure, arrest, and indictment will be made by a completely different organization - the regular local police and local public prosecutor.

      For the police and prosecutor to do their job effectively, they must fully believe in the validity of the evidence they have seized and the chain of custody of that evidence must be impeccable. They will emphatically believe in the culpability of the arrested criminal (sorry, "alleged" criminal until the court inevitably pronounces its verdict of guilt) on the basis of this incontestable evidence. They will be utterly in the dark about any surveillance/incrimination operation, and will vilify the accused with confidence, proud to be protecting their community from such evil malefactors.

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    4. Re:But most importantly by Issarlk · · Score: 1

      I think in the USA they use a special piece of hardware that gives read-only access to HDs just to avoid being accused of planting evidence. Maybe it's the same in Germany, in which case planting remotely is a cool feature.

    5. Re:But most importantly by Anonymous Coward · · Score: 0

      The procedures at the data collection are tight (using a hardware device locker, then using disk images).
      Putting the file in a running environment is easier and makes more sense (to make it look like the victim put them there).
      Also the defence could ask for a re-investigation of the "evidence".

      B.t.w. yes, it can upload files, which German law forbids.

    6. Re:But most importantly by jeti · · Score: 4, Informative

      Yes. It contains filedropper functionality. Like most malware, it can download and execute additional applications thereby extending its functionality and it can place documents on the infected PC.

    7. Re:But most importantly by MichaelSmith · · Score: 1

      There may be a difference between a tool which collects evidence for a trial and a tool which collects information for investigators. The latter tool could plant information to help drive an investigation by (say) falsifying communication between conspirators.

    8. Re:But most importantly by Anonymous Coward · · Score: 0

      I love how 1984 is the only book about a dystopian future.

    9. Re:But most importantly by fuzzyfuzzyfungus · · Score: 1

      Hardware write-blockers are pretty much standard for any hands-on forensics not conducted by utter amateurs. The trouble is, of course, that you can only use those after you seize the hardware, and the feds want something they can use before they seize the hardware.

      I don't know if analogous US malware tools(Magic Lantern, CIPAV, possibly others) have been studied in as much detail; and they may or may not be of higher quality; but anything that has to run on the live host system isn't going to be fundamentally less capable of modifying that system.

      The problem is that, once you've had malware on the system, all the write-blocker can do is assure you that nothing was tampered with during the forensic investigation, which provides no protection against tampering by the malware, and likely makes anything planted by it appear to be much higher quality evidence...

    10. Re:But most importantly by izomiac · · Score: 2

      Orwell was primarily an essayist, and virtually all of his works take a stance against totalitarianism. People aren't just talking about a single book, they're talking about the life's work of a well known author.

    11. Re:But most importantly by Anonymous Coward · · Score: 0

      Then it should not be able to be used in any court of law anywhere in the entire world, as chain of custody is completely out the window.

    12. Re:But most importantly by Anonymous Coward · · Score: 0

      That's because most Slashdotters think A Brave New World is a great plan for the future, or that Atlas Shrugged is a handbook on how to run the world.

    13. Re:But most importantly by Anonymous Coward · · Score: 0

      Your tax Marks at work... Achtung! The existence of such malware just nullified the sentences of all people in German prisons in there for the possession of kiddie porn. And generally anybody convicted of having something on their computer they shouldn't have. They are now all free men since the government obviously planted the evidence. Nice going meine Herren!

    14. Re:But most importantly by Opportunist · · Score: 2

      Oh, don't worry, it won't be. How should it be used, it's never been there! Why do you think it was there? It never downloaded those child porn pics and deleted itself afterwards, and that search warrant was issued for completely different reasons other than a judge seeing the malware's screenshots. You're in for having child porn on your computer that we found in that search, who ever said anything about a government trojan?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    15. Re:But most importantly by Anonymous Coward · · Score: 0

      People have to be really stupid to install 'Anti-virus' software on their computers. So you want me to install a program that's going to scan all my files and create md5 signatures of each, then upload those signatures to a massive database. And with this database of millions of user file information they'll sell to law enforcement, movie industry, network providers, and the government. The police will use this information to kick in your door. The movie industry will use this information to send you a subpoena in the mail. Network providers (ISP for Windows users) will use this information to halt the movement of certain files over the network. The government will use this information to delete certain files from your computer. Yea, I want a good Anti-virus software program, can anybody recommend one?

    16. Re:But most importantly by drinkypoo · · Score: 2

      Corruption in the first world is written into law and disguised only with hypocrisy. For example you have to pay to get building codes, most of them can't just be looked up online. But if you don't do it to code they can make you rip it out. Mandatory filing fees even for abused parties, then you have to file another suit if you hope to recover that... we live in a theocracy where the state religion is worship of the state itself.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    17. Re:But most importantly by Anonymous Coward · · Score: 0

      It also pings the host gnutella/TOR hybrid-network that the attackers created and waits for commands using the UDP protocol.

    18. Re:But most importantly by AmiMoJo · · Score: 1

      However if anyone (police or otherwise) can clandestinely install a program on your machine/cell phone/whatever and have it upload/execute programs, then all machines/cell phones/whatever can be compromised and such "evidence" shouldn't be admissible in court anymore.

      The "trojan defence" has been used successfully in court to argue that the owner of the PC did not download illegal material. This just strengthens that defence.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    19. Re:But most importantly by rioki · · Score: 1

      Look, they go into your house to install the software. So why should they not use hardware? Seriously...

    20. Re:But most importantly by mpe · · Score: 1

      Maybe it's because I live in the third world and am used to dealing with corruption like this almost on a daily basis that I am so cynical.

      It's more that people in the "third world" tend to take a cynical view of public officials and politicians. Whereas many in the "developed" world tend to be very trusting of the same...

  7. Re:Frosty Piss by ae1294 · · Score: 1

    Sweet, thanks for clearing that up.

    Slashdot asked me "personally" for my opinion... Gezz, don't mod me bro...

  8. C3PO-r2d2-POE by Anonymous Coward · · Score: 1

    Communication uses the fixed banner string "C3PO-r2d2-POE" as handshake.
    So, this could be the trojan we're looking for.

    Also, the code contains a function called "_0zapftis_le_execute()".
    "O'zapt is!" is the traditional opening phrase of the Munich October/Beer Festival, where the mayor taps the first barrel of beer with a hammer.

    Source: http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf

    1. Re:C3PO-r2d2-POE by ScrewMaster · · Score: 1

      Communication uses the fixed banner string "C3PO-r2d2-POE" as handshake. So, this could be the trojan we're looking for.

      Also, the code contains a function called "_0zapftis_le_execute()". "O'zapt is!" is the traditional opening phrase of the Munich October/Beer Festival, where the mayor taps the first barrel of beer with a hammer.

      Source: http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf

      What does the "POE" mean? Porn Over Ethernet?

      --
      The higher the technology, the sharper that two-edged sword.
    2. Re:C3PO-r2d2-POE by Anonymous Coward · · Score: 1

      Correct. "O'zapft is" is Bavarian for "it's tapped".

    3. Re:C3PO-r2d2-POE by Anonymous Coward · · Score: 1

      The *disassembly* produced by CCC contains those function names. The report mentions near the beginning that all the code is in a DLL without any exported symbols, so that name was picked by the people doing the disassembling; it's not from the original code.

    4. Re:C3PO-r2d2-POE by gstrickler · · Score: 2

      They better be prepared for the cease and desist order from LucasFilm.

      --
      make imaginary.friends COUNT=100 VISIBLE=false
    5. Re:C3PO-r2d2-POE by wzzzzrd · · Score: 1

      This string has nothing to do with the disassembly. It's a part of the program you can see with any hex editor.

      The name R2D2 comes from a string inside the trojan: "C3PO-r2d2-POE". This string is used internally by the trojan to initiate data transmission.

      link

      --
      On second thought, let's not go to Camelot. It is a silly place.
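      The banner string discussed in this subthread ("C3PO-r2d2-POE", which the comments above say is visible in a hex editor and used to initiate data transmission) is the kind of fixed marker a defender can grep for in files or captured traffic. The following is an added example, not code from the CCC report or from the trojan; the sample buffer is constructed here for illustration, and checking both ASCII and UTF-16LE forms is an assumption of how a Windows binary might store such a string, not something the report states.

      ```python
      """Scan bytes for the fixed handshake banner discussed in the thread.

      Constructed example for illustration; not code from the CCC report.
      """
      from __future__ import annotations

      BANNER = "C3PO-r2d2-POE"

      # Encodings to try; Windows binaries often hold strings as UTF-16LE,
      # which a plain ASCII search would miss (assumption, not from the report).
      PATTERNS = [
          ("ascii", BANNER.encode("ascii")),
          ("utf-16le", BANNER.encode("utf-16-le")),
      ]


      def find_banner(data: bytes) -> list[tuple[int, str]]:
          """Return (offset, encoding) for every occurrence of the banner in data."""
          hits = []
          for label, needle in PATTERNS:
              start = 0
              while True:
                  idx = data.find(needle, start)
                  if idx == -1:
                      break
                  hits.append((idx, label))
                  start = idx + 1
          return sorted(hits)


      def is_handshake(payload: bytes) -> bool:
          """True if a captured message begins with the banner in either encoding."""
          return any(payload.startswith(needle) for _, needle in PATTERNS)


      # Constructed sample: padding, an ASCII copy, more padding, a UTF-16LE copy.
      SAMPLE = (
          b"\x00" * 16
          + BANNER.encode("ascii")
          + b"\x90" * 8
          + BANNER.encode("utf-16-le")
          + b"\x00" * 4
      )

      if __name__ == "__main__":
          for off, enc in find_banner(SAMPLE):
              print(f"banner at offset {off:#06x} ({enc})")
          print("handshake:", is_handshake(BANNER.encode("ascii") + b"\x01\x02"))
      ```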
  9. I'm outraged! by Anonymous Coward · · Score: 1

    How can the US government keep doing stuff like ... what, it isn't the US government? Then it must be for the good of the country since only the US does stuff like this with anything other than good intentions, carry on.

    1. Re:I'm outraged! by ScrewMaster · · Score: 1

      How can the US government keep doing stuff like ... what, it isn't the US government? Then it must be for the good of the country since only the US does stuff like this with anything other than good intentions, carry on.

      No, we're just the only ones that every one likes to complain about, or maybe we just get caught more often. I don't know, but it's not like every government on Earth doesn't do things like this, to one degree or another.

      --
      The higher the technology, the sharper that two-edged sword.
    2. Re:I'm outraged! by chrb · · Score: 1

      Of course they do, and it has a name: Lawful interception. Support for lawful interception is built in to telephone exchanges, network switches etc. When it's used to eavesdrop on terrorists and drug dealers, then people like it. When it's used to eavesdrop on everyone, then people dislike it. Somewhere in between there is a vast land where some approve, some disapprove, and many don't care.

      [NB: The German constitutional court ruled that there is a sphere of privacy that is afforded total protection and can never be breached, no matter for what reason, for example keeping a diary or husband and wife talking in the bedroom.

      That is very interesting: even during a criminal terrorism investigation, a suspect's personal notes and diary are legally protected. I doubt very many other nations have such strong privacy laws. CCC is arguing that because these notes are often held on a personal computer, then the personal computer comes within the "sphere of privacy". Obviously you can see why the police would disagree, as this would outlaw the monitoring of personal PCs for evidence.

    3. Re:I'm outraged! by Anonymous Coward · · Score: 0

      If the privacy protection makes you think "what a great country", you should note that Germany does not subscribe to the "fruit from a forbidden tree" concept, so even though intercepting truly private information is illegal, illegally obtained information can and will be used in court, if it helps the prosecution's case. The officers who broke the law to get the information usually receive a slap on the wrist, if anything at all.

    4. Re:I'm outraged! by Opportunist · · Score: 1

      The US are just bigger, that's why we hear a lot more about the US than any other country. And only 'cause it's hard to hear anything from Russia, and don't start me on China.

      Governments all over the planet have managed to slip past the point where they're corrupt to the bone. I miss the Soviet Union. As long as it existed, our politicians at least had to pretend they're the good guys.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:I'm outraged! by t2t10 · · Score: 1

      Of course they do, and it has a name: Lawful interception

      Lawful interception requires a court order in the US. In Germany, it's a judgment call by the police, controlled only by internal reviews.

      That is very interesting: even during a criminal terrorism investigation, a suspect's personal notes and diary are legally protected.

      That's protection against investigation by the police, enforced largely by internal reviews. It isn't protection against intelligence services or state security services, and even for police work there are exceptions.

      I doubt very many other nations have such strong privacy laws

      You illustrate the major problem with German privacy: Germans actually trust that the existence of laws will protect them from government abuse. You'd think a nation that was run by the Nazis and in which a democratically elected government used personal information to commit mass murder would know better, but apparently the lesson still hasn't sunk in.

  10. I am waiting for an AV signature update by Anonymous Coward · · Score: 0

    Hopefully this means that state-of-the-art antivirus software will from now on detect at least this variant of the trojan.

    1. Re:I am waiting for an AV signature update by clickforfreepizza · · Score: 2
  11. Strange by Anonymous Coward · · Score: 1

    I have read the report linked to in the article. This report is written in German. Nothing in the binary itself hints that this is the "real thing". The analyzed binary is a Windows DLL without exported functions. The C&C server of the trojan is 207.158.22.134, which is allocated to Web Intellects in Columbus, Ohio, USA. The connection to the German government is only hearsay for now; we have to take it on trust.

    1. Re:Strange by agw · · Score: 1

      Looks like they got it from people who got their computers back after they were busted?

  12. Forget Mafia Wars--play German Gov't Domination! by Commontwist · · Score: 1

    Yes, you too can foster Total Political Disintegration (Normal Mode), Totalitarian Rule (Easy Mode), New Nazi Order (Hard Mode), or Common Sense Government (Insane Mode) by pitting the various German political factions against one another via clever remote control of their computers at home and in the office!

    Game Play includes: That's Not My Porn and Child Porn Prisoner internet insertion features, send copies of incriminating e-mails to political rivals and international newspapers, bonus mod features to hack China for bonus points or massive DOS attacks on known enemies of Anonymous (pick a target, any target), and many, many other features that have to be seen to be believed. (Especially when taking remote control of laptop cameras to take pictures of Government at home and posting the more interesting captions all over the Internet.)

    The German Government, working to make life more difficult for citizens and officials alike. You flew it, you blew it, you rue it. (This software law, that is.)

  13. Re:Frosty Piss by ScrewMaster · · Score: 1

    "I'm sure we're all surprised that it's opening security holes for third parties, and violates a related court verdict (and several laws in general)."

    No not really...

    Really, if the government (any government) is going to get into the malware game, they should hire people to create it for them who are at least as competent as the guys on the other side of the fence.

    --
    The higher the technology, the sharper that two-edged sword.
  14. Re:Frosty Piss by fuzzyfuzzyfungus · · Score: 5, Interesting

    The piece of incompetence that I find really striking is not so much the general shoddiness; but the fact that the malware is using a proxy setup in the US to avoid having its traffic traced back to the German police entity using it. Even if they know nothing about the tech side of things, surely exporting the evidence outside of the state, country, and EU, to some random datacenter in the US, would mean a hairy pile of privacy and chain-of-custody problems for the chaps in legal?

  15. I am German... and... by Tanuki64 · · Score: 1

    I'm sure we're all surprised that it's opening security holes for third parties, and violates a related court verdict (and several laws in general)."

    ... nope, not at all surprised.

    1. Re:I am German... and... by lennier1 · · Score: 1

      Sarcasm apparently isn't your strong suit.

    2. Re:I am German... and... by Tanuki64 · · Score: 1

      Sarcasm? Where?

    3. Re:I am German... and... by Anonymous Coward · · Score: 0

      Are you just pretending, or are you really that stupid?

    4. Re:I am German... and... by Erikderzweite · · Score: 1

      Well played...

  16. CCC's public role in Germany by BitterKraut · · Score: 5, Informative

    The Chaos Computer Club is probably not adequately characterized as a 'hacker group'. It was founded in 1981 as a computer club and, while hacking has always been their most prominent activity, they have grown not only into a nation-wide association of about 3000 members, but into an influential civil rights organization as well. Their expertise in matters of IT security is frequently called upon by public media in Germany. The CCC is well respected even by many politicians and their expertise was cited more than once by former Federal Minister of the Interior Gerhart Baum during the trial that ended last year with the Verfassungsgericht (federal constitutional court)'s finding that the federal anti-terror law that obliged providers to retain all telecommunications data for six months was unconstitutional. The CCC organizes the annual Chaos Communication Congress that Slashdot readers might remember as being the event where some major hacks were presented to the public:
    http://it.slashdot.org/story/11/01/02/0231242/detailing-the-security-risks-in-pdf-standard
    http://games.slashdot.org/story/10/12/29/204253/Playstation-3-Code-Signing-Cracked-For-Good
    http://it.slashdot.org/story/09/12/28/1931256/gsm-decryption-published
    http://games.slashdot.org/story/05/12/16/2157217/hacking-the-xbox
    The CCC is also well known for Project Blinkenlights, which grew out of the CCC but is now an independent project.

  17. So will AntiVirus software find it? by PolygamousRanchKid+ · · Score: 1

    Or is it illegal for an app to find viruses that are questionably legal because the government spreads them?

    --
    Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    1. Re:So will AntiVirus software find it? by allo · · Score: 1

      f-secure at least will.

    2. Re:So will AntiVirus software find it? by Anonymous Coward · · Score: 1

      f-secure at least will.

      You're probably referring to their stated policy. However, according to CCC

      All examined variants of the trojan were not recognized by any antivirus program at the time of creation of this report. ("Alle untersuchten Varianten des Trojaners wurden zum Zeitpunkt der Berichterstellung von keinem Antivirus-Programm als Schadsoftware erkannt.") -- report page 3

      Also, f-secure have not promised to detect all government malware they are aware of:

      We have to draw a line with every sample we get regarding whether to detect it or not. This decision-making is influenced only by technical factors, and nothing else, but within the applicable laws and regulations, in our case meaning EU laws.

      So if there is an EU law or regulation (such as an international treaty) that forbids interfering with an EU government's attempt at spying on their citizens, they will honor it. Not all regulations are public, so there is no way to tell if there is such a regulation or not.

    3. Re:So will AntiVirus software find it? by Anonymous Coward · · Score: 0

      Which means that the phrase "This decision-making is influenced only by technical factors, and nothing else" is a lie, so why say it in the first place?

      Not to mention that with the whole phrase, f-secure basically says, "We side with malware authors when we see fit to do so." Hooray for trustworthy AntiVirus software!

    4. Re:So will AntiVirus software find it? by Goaway · · Score: 1

      Which means that the phrase "This decision-making is influenced only by technical factors, and nothing else" is a lie, so why say it in the first place?

      No, it means they hadn't seen this trojan before now, genius. Nobody but the creators and the CCC had, before today.

    5. Re:So will AntiVirus software find it? by Anonymous Coward · · Score: 0

      They will block this one.
      http://www.f-secure.com/weblog/archives/00002249.html

  18. WebIntellects by Anonymous Coward · · Score: 0

    The Command and Control Server (C+C server) hardcoded into the present trojans is on IP 207.158.22.134. This IP is assigned to commercial webhost Web Intellects in Columbus, Ohio, USA. (translated from CCC report p. 4)

    Why don't we all ask WebIntellects what they're doing there?
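
The comment above quotes the one network indicator the report gives: a single hardcoded C&C address. The following is an added example, not code from the page or from the CCC report, showing how a defender would sweep outbound firewall logs for that indicator. The log line format and the sample lines are constructed for the example (the internal addresses are RFC 5737 documentation ranges); the indicator list can also hold CIDR blocks.

```python
import ipaddress
import re
from collections import defaultdict

# Indicator quoted in the comment above (CCC report, p. 4): the C&C address
# hardcoded into the analysed samples. Anything else in this list is ours.
C2_INDICATORS = ["207.158.22.134/32"]

# Assumed, constructed log line shape (not any real product's format):
#   <timestamp> <host> SRC=<ip> DST=<ip> DPT=<port> ACTION=<verdict>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)\s+DPT=(?P<dpt>\d+)"
)

# Constructed sample lines: two hits, one benign line, one malformed address, one unrelated line.
SAMPLE_LOG = [
    "2011-10-08T21:14:03Z fw1 SRC=192.0.2.10 DST=207.158.22.134 DPT=443 ACTION=ALLOW",
    "2011-10-08T21:14:05Z fw1 SRC=192.0.2.10 DST=198.51.100.7 DPT=80 ACTION=ALLOW",
    "2011-10-08T21:15:41Z fw1 SRC=192.0.2.23 DST=207.158.22.134 DPT=443 ACTION=ALLOW",
    "2011-10-08T21:16:00Z fw1 SRC=192.0.2.23 DST=999.1.1.1 DPT=443 ACTION=ALLOW",
    "2011-10-08T21:16:02Z fw1 kernel: link state change on eth0",
]


def compile_indicators(entries):
    """Turn indicator strings (single IPs or CIDR blocks) into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def parse_line(line):
    """Return (ts, src, dst, dport) for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m.group("src"))
        dst = ipaddress.ip_address(m.group("dst"))
    except ValueError:
        return None  # malformed address such as 999.1.1.1: skip rather than crash the sweep
    return m.group("ts"), src, dst, int(m.group("dpt"))


def find_c2_hits(lines, indicators=C2_INDICATORS):
    """Map each internal source host to the log lines on which it reached an indicator."""
    nets = compile_indicators(indicators)
    hits = defaultdict(list)
    for lineno, line in enumerate(lines, 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, dport = parsed
        if any(dst in net for net in nets):
            hits[str(src)].append((lineno, ts, str(dst), dport))
    return dict(hits)


if __name__ == "__main__":
    for host, events in find_c2_hits(SAMPLE_LOG).items():
        print(host, events)
```

One caveat a practitioner would add: the comment itself notes the address belongs to a commercial webhost, so a hit is a lead to confirm on the endpoint, not proof of infection, and the indicator goes stale the moment the operator moves the proxy.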

  19. Re:Frosty Piss by Anonymous Coward · · Score: 1

    Nope, as German law doesn't exclude illegally obtained evidence from use in court.

    I've read enough dystopias to see where this is going...

  20. No Surprise Here ... Move Along by Anonymous Coward · · Score: 0

    That the Nazi Government of Fuehrer Angela Merkel is caught engaging in such Federal buffoonery is of no surprise.

    The best thing to happen to the peoples of Deutschland is the nuclear bombing of the Chancellery by US Commander Jack Ripper.

    Vell ... meet again ... Don't know vere ... Don't know ven. But I know ... zat ve vill meet again ... zome zunney day ....

    ++

  21. But... by rrohbeck · · Score: 2

    does it run on Linux?

    1. Re:But... by Anonymous Coward · · Score: 0

      Nope. It's Linux support is severely lacking. The CCC should ask the STASI to license it under the GPL.

    2. Re:But... by Anonymous Coward · · Score: 0

      "Nope. It's Linux support is severely lacking. "

      It mimics your grammar skills.

    3. Re:But... by Anonymous Coward · · Score: 0

      The article didn't mention any operating systems. Would have been nice to know. I'm assuming it works on Win/Mac and maybe some popular Linux flavors? If they were smart it was programmed with cross compatibility in mind. Although from TFA "The security level this trojan leaves the infected systems in is comparable to it setting all passwords to '1234'". Sounds like maybe they weren't so smart.

    4. Re:But... by think_nix · · Score: 1

      http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf (german)

      It appears to be a Windows DLL. For installing it they are presuming someone would need physical access, user installation via email attachment, or drive-by download attacks.

    5. Re:But... by Mojo66 · · Score: 1

      So as a terrorist I switch to a Mac and I'm safe? Nice.....

    6. Re:But... by rrohbeck · · Score: 1

      Meh. I feel neglected.

    7. Re:But... by Anonymous Coward · · Score: 0

      You know that there is another vector (under Windows). The Germans are cheap; the firm they hired was sloppy. Some lovely folks I used to work with at Lockheed that went out on their own developed an approach that has little chance of being detected, but the Germans didn't want to pay for it. They could have enjoyed an unprecedented level of surveillance. Don't be too smug about 'nix, either.

    8. Re:But... by Anonymous Coward · · Score: 0

      Don't worry, the currently detected version won't work on 64-bit Windows either... Yes, it's a 32-bit DLL *without signature* :-)
      So you're not alone in being neglected :D

    9. Re:But... by Phaeilo · · Score: 1

      Also, according to the report the kernel driver is x86 only.

    10. Re:But... by Anonymous Coward · · Score: 0

      Not only that, apparently it only works on 32-bit Windows systems. [GOOD CITATION NEEDED]
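
The replies above (a 32-bit DLL without a signature, an x86-only kernel driver) are claims a quick header check settles. The following is an added example, not code from the page or from the CCC report, that reads the COFF machine field, the DLL flag and the Authenticode (security) data directory from a PE image. The sample images it inspects are constructed inside the block with headers only; they are not loadable files.

```python
import struct

# Constants from the PE/COFF specification.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_DLL = 0x2000
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Authenticode certificate table

MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}


def inspect_pe(data: bytes) -> dict:
    """Report bitness, DLL flag and whether a certificate table is attached to a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    machine, _nsect, _ts, _symtab, _nsyms, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        bits, ndirs_off, dirs_off = 32, opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        bits, ndirs_off, dirs_off = 64, opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (ndirs,) = struct.unpack_from("<I", data, ndirs_off)
    sig_off = sig_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # Unlike the other directories, this one holds a file offset, not an RVA.
        sig_off, sig_size = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return {
        "arch": MACHINE_NAMES.get(machine, "0x%04x" % machine),
        "bits": bits,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        # A present, in-bounds table only means something is attached; verifying the
        # signature chain (WinVerifyTrust, signtool, osslsigncode) is a separate step.
        "authenticode": sig_size > 0 and sig_off + sig_size <= len(data),
    }


def build_sample_pe(machine, magic, is_dll, signed):
    """Constructed minimal PE image for the example: DOS stub, PE signature, COFF and optional header."""
    opt_size = 224 if magic == PE32_MAGIC else 240  # standard sizes for PE32 / PE32+
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header directly after the DOS header
    chars = IMAGE_FILE_DLL if is_dll else 0
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    ndirs_off = 92 if magic == PE32_MAGIC else 108
    struct.pack_into("<I", opt, ndirs_off, 16)  # NumberOfRvaAndSizes
    cert = b""
    if signed:
        cert = bytes(64)  # stand-in for a WIN_CERTIFICATE blob appended after the headers
        sig_off = 64 + 4 + len(coff) + opt_size
        struct.pack_into("<II", opt, ndirs_off + 4 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, sig_off, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    print(inspect_pe(build_sample_pe(IMAGE_FILE_MACHINE_I386, PE32_MAGIC, True, False)))
    print(inspect_pe(build_sample_pe(IMAGE_FILE_MACHINE_AMD64, PE32PLUS_MAGIC, False, True)))
```

Why the bitness of the driver matters more than that of the DLL: 64-bit Windows refuses to load unsigned kernel-mode drivers and cannot load 32-bit ones at all, so an x86-only, unsigned driver is a hard limit on where the component runs, whereas a 32-bit user-mode DLL can still be loaded by 32-bit processes under WoW64.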

  22. Re:Frosty Piss by ozmanjusri · · Score: 1

    at least as competent as the guys on the other side of the fence.

    The general public is not known for their competence in computer software development. The government would be better off employing criminal hackers.

    --
    "I've got more toys than Teruhisa Kitahara."
  23. Re:Frosty Piss by IWannaBeAnAC · · Score: 5, Interesting

    nope, as german law doesnt exclude illegaly obtained evidence from use in court.

    Right, but that is appropriate. The USA is the only country I know of that does exclude evidence like that. In most jurisdictions, the aim (idealized, not always realized) of a court case is to uncover the truth of what happened. If the law was broken in the process of obtaining evidence, by all means prosecute the people who broke the law, but to exclude that evidence is a weird thing to do. At least, 90% of the planet thinks so...

    The situation in the US is based on a rather bizarre interpretation of the constitution set by the supreme court, actually not so long ago, starting from around 1920. The Fourth Amendment of the constitution is the one about "no unreasonable searches and seizures", and requiring "probable cause". But it doesn't specify what the penalty should be if those rights are violated. In much of the rest of the world, the equivalent violation (eg, of police or some other person obtaining evidence illegally) opens the offender for prosecution but whatever evidence is obtained can still be used. That was the case in the USA before the early 20th century. But several court cases in the 20's and 30's established the "fruit of the poisonous tree" doctrine, in which evidence which was obtained illegally is not admissible in court. This has resulted in many farcical court cases where the facts of the case are well established, but can't be presented in court because the evidence was obtained illegally (in some cases, due to some technical omission). It also results in lots of arguments where opposing lawyers have a big bun fight, and make lots of money, arguing at length over whether a particular fact is allowed to be presented to the court or not.

    It has also resulted in the attitude that cops who break the law are already "punished" by being unable to present the evidence in court (and often therefore unable to convict a criminal), and that this is sufficient punishment for the cop. Whereas in other jurisdictions the cop would lose their job, or end up in jail themselves, in the US they typically don't. This is an encouragement towards corrupt behavior.

  24. Re:Frosty Piss by Kjella · · Score: 2

    The USA is the only country I know of that does exclude evidence like that.

    Norway would be the second country then. In fact, it's probably stronger than the US protection because an employer that made illegal recordings of his employees had the evidence rejected after filing charges for embezzlement. That one went to the supreme court, I couldn't find a similar case where the police used illegal methods because once that is known the charges would be dropped. Honestly I would be surprised if a modern rule of law didn't include something like that, otherwise there are a million loopholes where the police can protect each other or hire thugs to provide evidence without any clear trail.

    --
    Live today, because you never know what tomorrow brings
  25. Re:Frosty Piss by sourcerror · · Score: 1

    I think in Hungary it works similar to the US. Also, evidence can't be reused in a different trial.

  26. Re:Frosty Piss by maxwell+demon · · Score: 1

    "I'm sure we're all surprised that it's opening security holes for third parties, and violates a related court verdict (and several laws in general)."

    No not really...

    I'm sure everyone here is familiar with the concept of sarcasm.

    --
    The Tao of math: The numbers you can count are not the real numbers.
  27. Pirate Party by Vlad_the_Inhaler · · Score: 2

    In other news, the Piratenpartei recently made it to the Berlin City legislature with 8% of the vote and are currently running nationally with that level of support. If they maintain this, they will be the 4th-5th largest party in Germany.

    --
    Mielipiteet omiani - Opinions personal, facts suspect.
  28. FAIL by MrL0G1C · · Score: 1

    So, if you're a criminal in Germany, all you have to do is install this software on your computer and then you have plausible deniability because anybody could have uploaded anything to your PC. Your PC could no longer be used as evidence.

    Fucked that one up didn't you Germany!!!

    --
    Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
    1. Re:FAIL by dunkelfalke · · Score: 2

      It doesn't work that way in Germany. As with the WLAN hotspot, the owner of the hotspot is responsible for all illegal activity on it, even if anybody could have used it.

      --
      "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
    2. Re:FAIL by MrL0G1C · · Score: 1

      I don't think you get it, if a criminal steals your car, ram-raids a shop and makes off with the contents, are you telling me that the car owner is responsible for the crimes committed????.. Or perhaps the gov't is responsible because it owns the roads?

      Root-kit != WLAN hotspot.

      --
      Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
    3. Re:FAIL by Anonymous Coward · · Score: 0

      What's up with using unrelated analogies? He is not talking about cars, he's talking about WLAN hotspots open to or used by the public. Why don't you get that?

    4. Re:FAIL by MrL0G1C · · Score: 1

      Root-kit != WLAN hotspot.

      Why don't you get that?

      --
      Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
    5. Re:FAIL by discord5 · · Score: 2

      Your initial car analogy is terribly flawed. Don't draw bad car-analogies to prove a point. (If your car is stolen and you fail to report it, you're in for a fun ride, mind you. And reporting it doesn't automatically remove you from the suspect list either.)

      Root-kit != WLAN hotspot.

      As for the root-kit, you are responsible for the security of your own machine. If you go to court "Oh lol, rootkit get out of jail free" most likely you'll be laughed out of court (straight into jail) unless you can prove it. I wouldn't be terribly surprised if in the end this whole thing backfires in a spectacular way, but for the time being YOU are responsible for YOUR property. If there is no evidence to the contrary, the court assumes that you are in control of your property. Having said that, I'm pretty sure that the legal systems in most countries are going to have more than a few headaches in the future when it comes to technology. Far too few people are properly knowledgeable on the technologies they use on a day to day basis, and there is far too much legal gray area.

      Also, in before the terrible "burglar in an unlocked home" analogy, and various other scenarios that have nothing to do with computers and Internet.

    6. Re:FAIL by MrL0G1C · · Score: 1

      I live in the UK and the burden of proof is on the prosecution, not the defendant.

      How many people got hit by code red - are you seriously telling me in these days of regular exploits in Flash, PDFs, java, browsers, MS office etc that a person can be held at fault for getting rooted!!!!! The gov't gets rooted all the time, If Sony, govt etc can't secure their systems, then how can the technically clueless general public be expected to?

      And once again, deliberately opening up your wireless for the public to share is not the same as getting rooted, can you honestly tell me that you know your system doesn't have any unpatched vulnerabilities and can you account for every process and driver etc running?

      --
      Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
    7. Re:FAIL by discord5 · · Score: 1

      burden of proof is on the prosecution

      They've just submitted your laptop as evidence. Let's for the sake of argument say there is 200GB of kiddy porn on it. They've got the burden of proof thing covered you know? Your laptop, your hard drive, thus your kiddy porn. They'll have an expert on the witness stand explaining how they used their fancy forensic toolkit to find it all. It is on your PC, therefore you must have downloaded all that.

      You can now wave your arms around in court screaming "rootkit" until your throat is sore, but the burden of proof now lies with you. They submitted the evidence, and it's up to you now to submit yours. They don't have to prove that it wasn't a rootkit that downloaded all that, just that a laptop full of kiddy porn was in your possession. As long as they followed the procedures to make sure the evidence was not contaminated, as far as the court is concerned, it IS acceptable evidence against you. Once you have proven that the machine was rootkitted, only THEN do they have to prove that it wasn't the rootkit that did all that. If the prosecution fails in that, you go free, but if you draw the rootkit card, you still have to prove it.

      how can the technically clueless general public be expected to?

      That's beside the point. Most people who own pets are technically clueless as to how to train them not to bite people, yet most pet owners are somehow expected to not have their pets bite people (to draw upon another admittedly terrible analogy). Terrible analogy aside, being clueless of the law doesn't excuse breaking it. Your property, your responsibility. If you're not knowledgeable about IT, why didn't you hire someone for that? After all, if you don't know anything about cars, you tend to take it to a garage for maintenance don't you? (heave ho, bad analogy day)

      deliberately opening up your wireless for the public to share is not the same as getting rooted

      Stop dragging wireless into this. Wireless has nothing to do with this.

      can you honestly tell me that you know your system doesn't have any unpatched vulnerabilities and can you account for every process and driver etc running?

      I'm going to give you the best advice you'll ever get when it comes to the court system in ANY country: pay a lawyer and shut up unless spoken to. Be it Germany, or the UK, or whatever country you decide that "Innocent until proven guilty" means "lalalala, I can't hear you, lalalala". Like I said, the legal system everywhere is bound to suffer more than a few headaches when it comes to technology and Internet, but if you think that pointing out the flaw in the system will save you without proving it is flawed you're in for a hell of surprise. And I really hope you never get into that position, because going by this discussion you're going to lose that argument, and have quite a few years ahead of you to contemplate it.

      You can easily get convicted without a single shred of hard evidence, for any type of crime. An example of this is in Belgium the parachute murder (sorry dutch, google for English) where defendant Els Clottemans had motive, opportunity, and an army of investigators and psychoanalysts against her, but not a single shred of hard evidence. 30 years, first request for appeal denied due to a technicality. Did she do it? Who knows, probably. The court says she did. Was there hard evidence? Nope. Was the burden of proof against her once the prosecutor presented his case? Most definitely. And you know what? She couldn't bring anything in front of a judge that broke the case made by the prosecutor. The prosecutor made fun of her in the courtroom saying that she was expecting "a legal system akin to game of Cluedo". And quite frankly, that's what you're expecting. You're expecting to roll the dice and say "the government did it" "with their spyware" "on my laptop" while ho

    8. Re:FAIL by MrL0G1C · · Score: 1

      "You can easily get convicted without a single shred of hard evidence, for any type of crime."

      Not normally in the UK, the CPS (crown prosecution service) wouldn't bring the case to court without some evidence.

      I vaguely recall someone in the UK had a case dropped due to the suspect having a trojan and rightly so, the prosecutions job is of course to prove guilt beyond reasonable doubt.

      --
      Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
    9. Re:FAIL by t2t10 · · Score: 1

      Generally, there's a strong presumption that if it was done with your car and you didn't report your car as stolen, you did it. It's the same with your computer.

  29. EU data protection laws by Alain+Williams · · Score: 1

    exporting the evidence outside of the state, country, and EU, to some random datacenter in the US, would mean a hairy pile of privacy and chain-of-custody problems for the chaps in legal?

    Far more than that: it is exporting personal data outside of the country, this is against EU data protection laws. In particular the USA which has been found to NOT have a data protection standard that is good enough -- again a violation of EU data protection laws.

    1. Re:EU data protection laws by ScrewMaster · · Score: 1

      In particular the USA which has been found to NOT have a data protection standard that is good enough

      We have one of those?

      --
      The higher the technology, the sharper that two-edged sword.
  30. That description by Anonymous Coward · · Score: 0

    Sounds like they just copy/pasted subseven.

  31. Re:Frosty Piss by CSMoran · · Score: 1

    "I'm sure we're all surprised that it's opening security holes for third parties, and violates a related court verdict (and several laws in general)."

    No not really...

    I'm sure everyone here is familiar with the concept of sarcasm.

    No not really...

    --
    Every end has half a stick.
  32. Re:Frosty Piss by clickforfreepizza · · Score: 2

    It has also resulted in the attitude that cops who break the law are already "punished" by being unable to present the evidence in court (and often therefore unable to convict a criminal), and that this is sufficient punishment for the cop.

    Well, not so in Germany. Typically (at least according to popular lawblog.de) it's like this: Prosecutor gets judge to sign a search order which is blatantly illegal. Search victim goes to court; result: a letter to hang over the fireplace saying the search was illegal.

    If the search victim is prosecuted, the court has to weigh what's more important: the injury of the illegal search or dealing with the crime. Hint: answer's always the same.

    Whereas in other jurisdictions the cop would lose their job, or end up in jail themselves, in the US they typically don't.

    Unless it's something big like the recent blanket surveillance of all mobile phones in a city, I don't know there's ever been any consequence in Germany.

  33. Every time I think our goverment is @ the pinnacle by gentryx · · Score: 0

    ...of its own ridiculousness, they manage to pull off something even more stupid. These days the stuff you write on a postcard is better protected by German law than your private emails/data/whatever. It's like politicians are afraid of the new technologies. :-/

    --
    Computer simulation made easy -- LibGeoDecomp
  34. Re:Frosty Piss by Opportunist · · Score: 2

    Knowing the German government, and how it works, I can tell you how this train wreck came into existence.

    Some government employee drafted the requirements for the toy. Being a government employee, he doesn't know jack about security and got his job mostly due to connections and knowledge of people rather than the matter at hand. And as such, his draft was shabby and less than perfect.

    The company executing the order did implement it with the minimal effort to meet the requirements, as is usual in such a scenario. And hence the blunders.

    Why the shabby not-quite-secure AES implementation? Because the requirements most likely listed "must do AES" without details on why and how.
    Why the proxy in the US? Because it wasn't part of the draft and it's been probably cheaper to do.
    Why the hole where planting "evidence" is possible? Because audit security was no requirement.
    Why all the other blunders? Because they were not part of the bid invitation and implementing them would have increased the cost.

    In a nutshell, even if the executing company could do it better, my money is on the wager that it was simply not part of the specs. What's not in the specs does not get implemented.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  35. Re:But most importantly It called .... by Anonymous Coward · · Score: 0

    It's called "Free Anti-virus Software". Or better yet, let's have the proles pay to install our spyware (Norton, McA..., WindowMali...Tool, etc.)

  36. Re:Frosty Piss by makomk · · Score: 2

    In much of the rest of the world, the equivalent violation (eg, of police or some other person obtaining evidence illegally) opens the offender for prosecution but whatever evidence is obtained can still be used. That was the case in the USA before the early 20th century. But several court cases in the 20's and 30's established the "fruit of the poisonous tree" doctrine, in which evidence which was obtained illegally is not admissible in court.

    This incentivises the police and prosecution services in other countries to ride roughshod all over the rules of evidence if the crime is serious and they think it'll net them a conviction. I mean, who really cares if a pedophile was convicted using illegally-collected evidence - he obviously doesn't deserve any rights, and neither the press nor the courts are likely to see anything much wrong with this, if he even lives long enough in jail to be able to sue in the first place. Without the "fruit of the poisonous tree" doctrine, deciding whether or not to deliberately and illegally collect evidence just becomes a gamble - the odds of netting a conviction versus the odds that the person is innocent and it'll backfire - and the police tend to be biased towards assuming guilt. Only throwing out evidence collected in this way can remove the incentive to trample on the constitution.

  37. "Vote for us, we'll write better malware!" by Anonymous Coward · · Score: 0

    In other news, the Piratenpartei recently made it to the Berlin City legislature with 8% of the vote and are currently running nationally with that level of support. If they maintain this, they will be the 4th-5th largest party in Germany.

    I think I see a political strategy forming...

  38. Re:Frosty Piss by nabsltd · · Score: 2

    Whereas in other jurisdictions the cop would lose their job, or end up in jail themselves

    What a quaint belief.

    Cops in every jurisdiction don't even get their hand slapped unless they start doing things that are orders of magnitude beyond what would cause normal citizens to be thrown in jail for 10 years. Yes, there are a few examples made, but generally those are going to be people that the rest of the cops didn't like for some other reason.

  39. Re:Frosty Piss by Anonymous Coward · · Score: 0

    "The government would be better off employing criminal hackers."

    The leaders don't like the competition.

  40. Re:Frosty Piss by ScrewMaster · · Score: 1

    at least as competent as the guys on the other side of the fence.

    The general public is not known for their competence in computer software development. The government would be better off employing criminal hackers.

    The problem there is ... they're criminals. You'd have to have any code they come up with vetted by someone competent enough, indeed tricky enough, to make sure there's nothing in there that could make the whole thing backfire (I mean, hell, if you were a blackhat of that magnitude ... wouldn't you try to put one over on the gendarmes? Just as a matter of principle?) And if you know someone you can trust who's good enough to spot any problems, you might as well just hire him (or her) in the first place.

    It's a bit of a conundrum though, if you work for law enforcement: any capable programmer with ethics is going to think twice about accepting that kind of a job in the first place. The fact that it's "for the good guys" isn't sufficient reason in my mind. I wouldn't do it, even though I could. It's one of a number of areas where I just won't go, even if it might be an entertaining technical challenge. Too much potential for innocent people to get hurt, and I wouldn't want that on my head.

    --
    The higher the technology, the sharper that two-edged sword.
  41. Re:Frosty Piss by ScrewMaster · · Score: 1

    "The government would be better off employing criminal hackers."

    The leaders don't like the competition.

    Ha ... isn't that the truth.

    --
    The higher the technology, the sharper that two-edged sword.
  42. Re:Frosty Piss by ScrewMaster · · Score: 1

    What's not in the specs does not get implemented.

    Yeah, I think you hit the nail on the head. Nor should they be implemented: it's not the contractor's fault if the purchasing party has its head up its collective ass. Know what you're asking for when you put out a bid request: it's the only way you'll a. have any chance of getting what you want and b. be able to tell if you ultimately got what you paid for. Specs can be a pain in the neck, and many see them as a waste of time, but without a proper spec a development contract is a crapshoot.

    --
    The higher the technology, the sharper that two-edged sword.
  43. Re:Frosty Piss by Opportunist · · Score: 1

    And I don't even want to blame the guy responsible for the bidding conditions, because I'm in his shoes and I know how it works. You get an assignment to write the specs and they should be done by, well, yesterday. I mean, how long does it take to type those five pages?

    What people fail to see is that the work isn't typing. It's pondering what to type and taking every aspect into account. Pretty much like programming, once the code gets written, 90% of the work has already been done. At least if the programmer's worth his money.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  44. Re:Frosty Piss by rioki · · Score: 1

    I read one of the job postings from BKA for "IT Security Programmer". I definitely was not inclined to do the devil's job, even though I had the skill and sufficient background to do it. Maybe I should have done it, would not have been a mess like it is now. (And pass it on to the likes of CCC...)

  45. Re:Frosty Piss by L4t3r4lu5 · · Score: 1

    Whereas in other jurisdictions the cop would lose their job, or end up in jail themselves

    Tell that to Jean Charles de Menezes. You'll probably need a medium, though.

    --
    Finally had enough. Come see us over at https://soylentnews.org/
  46. Re:Frosty Piss by rioki · · Score: 1

    I kind of disagree, in some way. As a government employee you have actually sufficient time to think it through. But the big obvious problem is that you normally don't think of all the hooks and notches while you write the original spec. Then you go for a bid and in Germany (for government contracts) you need to take the cheapest bid that fulfills some basic requirements. As it turns out there is ALWAYS one bid that severely undercuts the other bids and you know that this one is crap. Only problem is formally the bid is ok. There is a reason why the Netherlands always take the second best bid, that prevents price fixing.

  47. Re:Frosty Piss by tehcyder · · Score: 1

    The USA is the only country I know of that does exclude evidence like that.

    Norway would be the second country then. In fact, it's probably stronger than the US protection because an employer that made illegal recordings of his employees had the evidence rejected after filing charges for embezzlement.

    I assume, in that case, that the employer went around one night to the embezzler's house with a couple of baseball-bat wielding friends and beat the crap out of him. There's such a thing as natural justice if the legal system fails too egregiously.

    --
    To have a right to do a thing is not at all the same as to be right in doing it
  48. Re:Frosty Piss by ScrewMaster · · Score: 1

    I kind of disagree, in some way. As a government employee you have actually sufficient time to think it through. But the big obvious problem is that you normally don't think of all the hooks and notches while you write the original spec. Then you go for a bid and in Germany (for government contracts) you need to take the cheapest bid that fulfills some basic requirements. As it turns out there is ALWAYS one bid that severely undercuts the other bids and you know that this one is crap. Only problem is formally the bid is ok. There is a reason why the Netherlands always take the second best bid, that prevents price fixing.

    Ideally, there should be some give-and-take. There's no way in hell that a spec author can account for everything, know everything, or be aware of special capabilities of a given supplier. Given some communication with contractors during the spec-writing phase a lot of important details can get nailed down, and the purchaser may often learn about options and methodologies of which he wasn't aware. I used to be a contractor, a long time ago: my specs precisely fit customer requirements because I worked them while I was writing it.

    --
    The higher the technology, the sharper that two-edged sword.
  49. Re:Frosty Piss by Opportunist · · Score: 1

    Odd, when I was on the other end of the bargain (i.e. the "picker"), I had pretty much leeway to pick the right offer, as long as I could sensibly argue my choice.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  50. Re:Frosty Piss by Opportunist · · Score: 1

    And that's usually a big nono. You see, when you write the specs together with a potential contractor, a competitor could butt in and argue that you played favorites and that contractor only won because he pretty much drafted the specs.

    Actually, the sensible thing to do when you're writing specs for a field you lack the expert for is to hire such an expert. And that's actually the prescribed procedure in such a case for government contracts. Hire an expert in the field who will then draft the specs with the feds (them writing the "content" requirements, him adding the "technical" requirements) and exclude him or any affiliates of his from the bid for the actual contract. This is the correct procedure.

    Sadly, when it comes to computers, suddenly every idiot able to turn on a box calls himself an expert. There's also very little in the form of hard credentials in the field that isn't geared towards the management-compliance driven and less the technical-hands-on driven aspect of ITSEC.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.