German Government's Malware Analyzed
First time accepted submitter lennier1 writes "The German hacker group CCC (Chaos Computer Club) has analyzed a piece of malware the German government uses in criminal investigations to spy on a suspect's computer. I'm sure we're all surprised that it's opening security holes for third parties, and violates a related court verdict (and several laws in general)."
/etc/init.d/sarcasm start
(+1, Disagree)
I think you are overly optimistic about the ability of most governments to correct their own abuses of power. I doubt they'll fire anyone or even stop using the Trojan; they'll just have someone correct some of the deficiencies the CCC found.
At the most, they may take the Undersecretary for Purposes of Scapegoating out and publicly fire him. They might terminate the contract with the software company who developed it. But don't expect "many heads" to roll.
John
/etc/init.d/sarcasm start
Please. It used to be service sarcasm start but we've switched to systemctl start sarcasm.service now.
Can this trojan upload child pornography (or any other incriminating files/images) to the suspect's computer, to be collected as "evidence" at a later date? I suspect it can. And if this program can uninstall itself at a later date, then this is a perfect tool for "bring him in, boys". Oh George Orwell, how foresighted you were.
Seven puppies were harmed during the making of this post.
/etc/init.d/sarcasm start
Please. It used to be service sarcasm start but we've switched to systemctl start sarcasm.service now.
I use Windows. I don't know how to be sarcastic.
The higher the technology, the sharper that two-edged sword.
The piece of incompetence that I find really striking is not so much the general shoddiness, but the fact that the malware is using a proxy setup in the US to avoid having its traffic traced back to the German police entity using it. Even if they know nothing about the tech side of things, surely exporting the evidence outside of the state, country, and EU, to some random datacenter in the US, would mean a hairy pile of privacy and chain-of-custody problems for the chaps in legal?
http://www.f-secure.com/weblog/archives/00002249.html
The Chaos Computer Club is probably not adequately characterized as a 'hacker group'. It was founded in 1981 as a computer club and, while hacking has always been their most prominent activity, they have grown not only into a nation-wide association of about 3000 members, but into an influential civil rights organization as well. Their expertise in matters of IT security is frequently called upon by public media in Germany. The CCC is well respected even by many politicians, and their expertise was cited more than once by former Federal Minister of the Interior Gerhart Baum during the trial that ended last year with the finding of the Verfassungsgericht (federal constitutional court) that the federal anti-terror law that obliged providers to retain all telecommunications data for six months was unconstitutional. The CCC organizes the annual Chaos Communication Congress that Slashdot readers might remember as being the event where some major hacks were presented to the public:
http://it.slashdot.org/story/11/01/02/0231242/detailing-the-security-risks-in-pdf-standard
http://games.slashdot.org/story/10/12/29/204253/Playstation-3-Code-Signing-Cracked-For-Good
http://it.slashdot.org/story/09/12/28/1931256/gsm-decryption-published
http://games.slashdot.org/story/05/12/16/2157217/hacking-the-xbox
The CCC is also well known for Project Blinkenlights, which grew out of the CCC but is now an independent project.
does it run on Linux?
thegodmovie.com - watch it
They better be prepared for the cease and desist order from LucasFilm.
make imaginary.friends COUNT=100 VISIBLE=false
Right, but that is appropriate. The USA is the only country I know of that does exclude evidence like that. In most jurisdictions, the aim (idealized, not always realized) of a court case is to uncover the truth of what happened. If the law was broken in the process of obtaining evidence, by all means prosecute the people who broke the law, but to exclude that evidence is a weird thing to do. At least, 90% of the planet thinks so...
The situation in the US is based on a rather bizarre interpretation of the constitution set by the supreme court, actually not so long ago, starting from around 1920. The Fourth Amendment of the constitution is the one about "no unreasonable searches and seizures", and requiring "probable cause". But it doesn't specify what the penalty should be if those rights are violated. In much of the rest of the world, the equivalent violation (eg, of police or some other person obtaining evidence illegally) opens the offender to prosecution, but whatever evidence is obtained can still be used. That was the case in the USA before the early 20th century. But several court cases in the '20s and '30s established the "fruit of the poisonous tree" doctrine, in which evidence which was obtained illegally is not admissible in court. This has resulted in many farcical court cases where the facts of the case are well established, but can't be presented in court because the evidence was obtained illegally (in some cases, due to some technical omission). It also results in lots of arguments where opposing lawyers have a big bun fight, and make lots of money, arguing at length over whether a particular fact is allowed to be presented to the court or not.
It has also resulted in the attitude that cops who break the law are already "punished" by being unable to present the evidence in court (and often therefore unable to convict a criminal), and that this is sufficient punishment for the cop. Whereas in other jurisdictions the cop would lose their job, or end up in jail themselves, in the US they typically don't. This is an encouragement towards corrupt behavior.
The USA is the only country I know of that does exclude evidence like that.
Norway would be the second country then. In fact, it's probably stronger than the US protection because an employer that made illegal recordings of his employees had the evidence rejected after filing charges for embezzlement. That one went to the supreme court; I couldn't find a similar case where the police used illegal methods because once that is known the charges would be dropped. Honestly I would be surprised if a modern rule of law didn't include something like that, otherwise there's a million loopholes where the police can protect each other or hire thugs to provide evidence without any clear trail.
Live today, because you never know what tomorrow brings
In other news, the Piratenpartei recently made it to the Berlin City legislature with 8% of the vote and are currently running nationally with that level of support. If they maintain this, they will be the 4th-5th largest party in Germany.
Mielipiteet omiani - Opinions personal, facts suspect.
It has also resulted in the attitude that cops who break the law are already "punished" by being unable to present the evidence in court (and often therefore unable to convict a criminal), and that this is sufficient punishment for the cop.
Well, not so in Germany. Typically (at least according to popular lawblog.de) it's like this: Prosecutor gets judge to sign a search order which is blatantly illegal. Search victim goes to court; result: a letter to hang over the fireplace saying the search was illegal.
If the search victim is prosecuted, the court has to weigh what's more important: the injury of the illegal search or dealing with the crime. Hint: answer's always the same.
Whereas in other jurisdictions the cop would lose their job, or end up in jail themselves, in the US they typically don't.
Unless it's something big like the recent blanket surveillance of all mobile phones in a city, I don't know that there's ever been any consequence in Germany.
Knowing the German government, and how it works, I can tell you how this train wreck came into existence.
Some government employee drafted the requirements for the toy. Being a government employee, he doesn't know jack about security and got his job mostly due to connections and knowledge of people rather than the matter at hand. And as such, his draft was shabby and less than perfect.
The company executing the order did implement it with the minimal effort to meet the requirements, as is usual in such a scenario. And hence the blunders.
Why the shabby not-quite-secure AES implementation? Because the requirements most likely listed "must do AES" without details on why and how.
Why the proxy in the US? Because it wasn't part of the draft and it's been probably cheaper to do.
Why the hole where planting "evidence" is possible? Because audit security was no requirement.
Why all the other blunders? Because they were not part of the bid invitation and implementing them would have increased the cost.
In a nutshell, even if the executing company could do it better, my money is on the wager that it was simply not part of the specs. What's not in the specs does not get implemented.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
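The comment above argues that a requirement reading only "must do AES" can be met by a construction that is nominally AES and still insecure. The Go program below is an added illustration of that point, not code from the CCC analysis or from the software it examined, and it makes no claim about which mode the analysed software actually used. It contrasts the cheapest thing that satisfies "must do AES" (raw ECB, no nonce, no integrity check) with what a specification that said "why and how" would ask for (AES-GCM with a random nonce and an authentication tag). The key, the sample command stream and the helper names are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// demoKey is a constructed 16-byte key so the example runs; it is not taken from
// the analysed software, and a real deployment would never hard-code one.
var demoKey = []byte("0123456789abcdef")

// ecb ticks the "must do AES" box in the cheapest possible way: every 16-byte block
// is processed independently, with no chaining, no nonce and no integrity check.
// encrypt=false runs the inverse; note it can never report that data was modified.
func ecb(key, in []byte, encrypt bool) ([]byte, error) {
	if len(in)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("input length must be a multiple of %d bytes", aes.BlockSize)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		if encrypt {
			block.Encrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		} else {
			block.Decrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		}
	}
	return out, nil
}

// repeatedBlocks counts ciphertext blocks that duplicate an earlier one. Under ECB a
// repeated command or file chunk shows up as a repeated block, visible to anyone
// watching the traffic (for instance at the relay) without knowing the key.
func repeatedBlocks(ciphertext []byte) int {
	seen := make(map[string]bool)
	repeats := 0
	for i := 0; i+aes.BlockSize <= len(ciphertext); i += aes.BlockSize {
		b := string(ciphertext[i : i+aes.BlockSize])
		if seen[b] {
			repeats++
		}
		seen[b] = true
	}
	return repeats
}

// newGCM builds the AES-GCM AEAD used by sealGCM and openGCM.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM is the "why and how" version: a fresh random nonce (prepended to the
// output) and an authentication tag that covers the ciphertext.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM verifies the tag before returning anything, so a modified message is rejected
// instead of being silently accepted as a garbled but "valid" command.
func openGCM(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed message too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// flipByte returns a copy of msg with one bit changed, standing in for a modification in transit.
func flipByte(msg []byte, i int) []byte {
	out := append([]byte(nil), msg...)
	out[i] ^= 0x01
	return out
}

func main() {
	// Constructed sample "command stream": the same 16-byte command sent four times.
	msg := bytes.Repeat([]byte("SEND_FILE_BLOCK!"), 4)

	ct, _ := ecb(demoKey, msg, true)
	garbled, err := ecb(demoKey, flipByte(ct, 0), false)
	fmt.Println("ECB: repeated blocks =", repeatedBlocks(ct),
		"| tamper reported =", err != nil, "| plaintext changed =", !bytes.Equal(garbled, msg))

	sealed, _ := sealGCM(demoKey, msg)
	_, err = openGCM(demoKey, flipByte(sealed, len(sealed)-1))
	fmt.Println("GCM: repeated blocks =", repeatedBlocks(sealed[12:]), "| tamper reported =", err != nil)
}
```

Both variants "do AES" with the same key, so both would pass a checklist item that stops at the algorithm name. Only the second one prevents an observer from seeing repeated traffic patterns and prevents a third party from altering commands without the endpoint noticing, which is the kind of detail a requirement has to spell out if it is meant to be met.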
In much of the rest of the world, the equivalent violation (eg, of police or some other person obtaining evidence illegally) opens the offender for prosecution but whatever evidence is obtained can still be used. That was the case in the USA before the early 20th century. But several court cases in the 20's and 30's established the "fruit of the poisonous tree" doctrine, in which evidence which was obtained illegally is not admissible in court.
This incentivises the police and prosecution services in other countries to ride roughshod all over the rules of evidence if the crime is serious and they think it'll net them a conviction. I mean, who really cares if a pedophile was convicted using illegally-collected evidence - he obviously doesn't deserve any rights, and neither the press nor the courts are likely to see anything much wrong with this, if he even lives long enough in jail to be able to sue in the first place. Without the "fruit of the poisonous tree" doctrine, deciding whether or not to deliberately and illegally collect evidence just becomes a gamble - the odds of netting a conviction versus the odds that the person is innocent and it'll backfire - and the police tend to be biased towards assuming guilt. Only throwing out evidence collected in this way can remove the incentive to trample on the constitution.
Whereas in other jurisdictions the cop would lose their job, or end up in jail themselves
What a quaint belief.
Cops in every jurisdiction don't even get their hands slapped unless they start doing things that are orders of magnitude beyond what would cause normal citizens to be thrown in jail for 10 years. Yes, there are a few examples made, but generally those are going to be people that the rest of the cops didn't like for some other reason.
It doesn't work that way in Germany. As with the WLAN hotspot, the owner of the hotspot is responsible for all illegal activity on it, even if anybody could have used it.
"It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
Your initial car analogy is terribly flawed. Don't draw bad car-analogies to prove a point. (If your car is stolen and you fail to report it, you're in for a fun ride, mind you. And reporting it doesn't automatically remove you from the suspect list either.)
Root-kit != WLAN hotspot.
As for the root-kit, you are responsible for the security of your own machine. If you go to court with "Oh lol, rootkit, get out of jail free" most likely you'll be laughed out of court (straight into jail) unless you can prove it. I wouldn't be terribly surprised if in the end this whole thing backfires in a spectacular way, but for the time being YOU are responsible for YOUR property. If there is no evidence to the contrary, the court assumes that you are in control of your property. Having said that, I'm pretty sure that the legal systems in most countries are going to have more than a few headaches in the future when it comes to technology. Far too few people are properly knowledgeable on the technologies they use on a day to day basis, and there is far too much legal gray area.
Also, in before the terrible "burglar in an unlocked home" analogy, and various other scenarios that have nothing to do with computers and Internet.