So a German group of hackers, the "Chaos Computer Club" has uncovered and decoded a Trojan wich apparently was used by the German Government for spying.

Here's an article:
http://www.businessweek.com/news/2011-10-10/german-trojan-spyware-violates-constitution-hackers-say.html

And in German:
http://www.faz.net/aktuell/politik/inland/staatstrojaner-regierung-verspricht-aufklaerung-11488340.html

Apparently this spyware was used by the Bavarian LKA (http://en.wikipedia.org/wiki/Landeskriminalamt), in a way wich would violate the German constitution.

Of course, the German people are already going nuts about this, throwing out terms like "new Stasi" and "police state" :rolleyes: .

What are your opinions on this?

"Chaos Computer Club"

...which is not affiliated with me, by the way.

This must be causing quite a furor.

It does. The existence is nothing new, but it is embarrassingly bad programmed, contains functions which were explicitly declared illegal by the constitutional court and was controlled over a server in the US. Here (http://ccc.de/en/updates/2011/staatstrojaner)'s the beef from the CCC.

So is there any evidence to support the CCC's allegations?

Oh, wait... what, exactly are the CCC's allegations?

So is there any evidence to support the CCC's allegations?

Oh, wait... what, exactly are the CCC's allegations?


There's a link in my post. Feel free to click on it if you want.

There's a link in my post. Feel free to click on it if you want.

I saw the link. I clicked on it, and read the article. Aside from a rather mundane explanation of the basic capabilities of modern trojans (ETA: And that they'd been told of such a one "in the wild"), CCC doesn't seem to be alleging much of anything at all. Was there a particular paragraph you had in mind?

Was there a particular paragraph you had in mind?

The CCC analysis reveals functionality in the "Bundestrojaner light" (Bundestrojaner meaning "federal trojan" and is the colloquial German term for the original government malware concept) concealed as "Quellen-TKÜ" that go much further than to just observe and intercept internet based telecommunication, and thus violates the terms set by the constitutional court. The trojan can, for example, receive uploads of arbitrary programs from the Internet and execute them remotely. This means, an "upgrade path" from Quellen-TKÜ to the full Bundestrojaner's functionality is built-in right from the start. Activation of the computer's hardware like microphone or camera can be used for room surveillance.

The analysis concludes, that the trojan's developers never even tried to put in technical safeguards to make sure the malware can exclusively be used for wiretapping internet telephony, as set forth by the constitution court. On the contrary, the design included functionality to clandestinely add more components over the network right from the start, making it a bridge-head to further infiltrate the computer.

Sounds like an allegation, backed up by data, no?

ETA As a Bavarian, I am constitutionally required to defend this as g'schert, but then I haven't been home for a while...

ETA As a Bavarian, I am constitutionally required to defend this as g'schert, but then I haven't been home for a while...


You noticed the nickname they gave it, from how some internal functions are named?

0zapftis http://forums.randi.org/imagehosting/9907451897c0442ad.gif

"It's tapped!" (http://en.wikipedia.org/wiki/Oktoberfest#Modern_festival) Can't make this stuff up.... :D

edit: correction - it was the CCC, not the original programmers who named the functions this way while reverse engineering the thing.

You noticed the nickname they gave it, from how some internal functions are named?

0zapftis http://forums.randi.org/imagehosting/9907451897c0442ad.gif

"It's tapped!" (http://en.wikipedia.org/wiki/Oktoberfest#Modern_festival) Can't make this stuff up.... :D


That had me laughing too :D

See edit. Hacker humour. ;)

Sounds like an allegation, backed up by data, no?

ETA As a Bavarian, I am constitutionally required to defend this as g'schert, but then I haven't been home for a while...

Yeah, that's the paragraph I'm referring to. It describes generic trojan functionality.

I note from the BusinessWeek article linked in the OP, that the "objectionable" functionality alleged by the CCC is actually permitted under German law. I also note from that article that the software is apparently freely available, and has been for years.

According to the BusinessWeek article, the CCC claims some of the trojan functionality violates the ruling of the constitutional court, but the article also says the court's ruling is that the government must meet certain legal requirements for using those functions.

So what exactly is the CCC alleging?
The trojan as built violates some German law? If so, which law?
The trojan as used violates some German law?
The trojan they were told about was installed by the German government?
The trojan they were told about was operated in situ by the German government, including its alleged "illegal" functions?


About that last: Since the so-called "illegal" functions are actually permissible in certain circumstances under German law, why is mere existence of those functions a problem?

This must be causing quite a furor.

This must be causing quite a führer.

This must be causing quite a führer.

That wasn't funny.

Thanks, now could you please go to this thread (http://forums.randi.org/showthread.php?t=221416) and explain the joke I posted there?

(teleportation* occurs)

This must be causing quite a furor.


GiwKb-x7wXQ








* Add to dictionary

Since the so-called "illegal" functions are actually permissible in certain circumstances under German law, why is mere existence of those functions a problem?

Small correction; according to the story, it's not even the existence of the so-called "illegal" functions. Instead, it's just that the trojan has the potential to load these functions.

So can somebody explain to me the difference between "can legally load wiretapping functions (under certain conditions)" and "can legally load spycam functions (under certain conditions)"?

Is there some nuance of the story that I'm missing? Some German legal arcana that nobody has bothered to explain to us foreigners? Some nuance of German culture that has been lost in translation?

ETA: Or should I assume from the sudden downsurge in discussion and upsurge in Hitler jokes, that the topic really has no merit?

theprestige, your questions are answered in the CCC statement I linked to and even in the part Floyt quoted. Don't really know why I should repeat it for you if it's there in plain sight, especially given your tone. Here (http://www.spiegel.de/international/germany/0,1518,790944,00.html)'s a SPIEGEL article from a few days ago which links to another article describing the rulings of the constitutional court which were violated. You can strike the qualifier, the claims are true. This is developing into quite the scandal.

If the CCC's claims are true, then the software has functions which were expressly forbidden by Germany's highest court, the Federal Constitutional Court, in a landmark 2008 ruling (http://www.spiegel.de/international/germany/0,1518,538378,00.html) which significantly restricted what was allowed in terms of online surveillance.

(teleportation* occurs)




GiwKb-x7wXQ








* Add to dictionary

Looks like Aidoneus beat you to the punch line.

It does. The existence is nothing new, but it is embarrassingly bad programmed, contains functions which were explicitly declared illegal by the constitutional court and was controlled over a server in the US. Here (http://ccc.de/en/updates/2011/staatstrojaner)'s the beef from the CCC.

German illegal programming functions must be explicitly declared?
Not Visual Basic then?

The way I've understood it, they bought it from a company, it was not specifically made for the LKA. In other words, if I get this correctly, the LKA did not specifically order illegal software.

theprestige, your questions are answered in the CCC statement I linked to and even in the part Floyt quoted. Don't really know why I should repeat it for you if it's there in plain sight, especially given your tone. Here (http://www.spiegel.de/international/germany/0,1518,790944,00.html)'s a SPIEGEL article from a few days ago which links to another article describing the rulings of the constitutional court which were violated. You can strike the qualifier, the claims are true. This is developing into quite the scandal.

The problem is, my questions are not answered in the part Floyt quoted. And as far as I can tell from the material provided, the rulings of the court were not violated.

Taking the second point first: The court ruled that the so-called "illegal" functions are in fact legal in some circumstances. Since the functions are in fact legal, it follows that it cannot be illegal to develop software that is able to perform those functions.

Taking the first point second: The software in question does not actually include the so-called "illegal" functions. Instead, it includes the ability to install arbitrary functions at a later time, including the so-called "illegal" functions.

As far as I can tell, the CCC's complaint is that there exists a piece of software, sometimes used by the German government (but not exclusive to the German government), that can load other programs including programs that must meet strict legal requirements for use; and that either the existence of this software, or its installation on a computer system, is illegal in some way (or at least is a very big problem of some kind for the German government).

What I'm trying to figure out is, in what way is the software in question illegal? Did the BusinessWeek article misinterpret the court's ruling somehow?

The software is not illegal, but the usage of it by German state agencies for spying on German citizens is.

Ok, as you asked nicely i've read the BW article now. Kind of confused and missing the point, but even it contains the crux in the first paragraph:

The German government is using spying software that violates the country’s constitutional law because it contains functions beyond the interception of Internet-based communication, a hacker organization said.


Same in Floyt's quote of the CCC press release linked by me:

The analysis concludes, that the trojan's developers never even tried to put in technical safeguards to make sure the malware can exclusively be used for wiretapping internet telephony, as set forth by the constitution court. On the contrary, the design included functionality to clandestinely add more components over the network right from the start, making it a bridge-head to further infiltrate the computer.


The court ruled that the state can use trojan horse software only in certain cases and only to intercept (encrypted) internet telephony, not to take over a citizens computer and do whatever they want. And certainly not, like this piece of incompetent crap does, leave the door open for everybody else. For details see the CCC statement. They were among the experts heard by the constitutional court before it came to the decision, and they know the details better than anybody else. Despite the name, these aren't script kiddies with Guy Fawkes masks.

Now clear?

The software is not illegal, but the usage of it by German state agencies for spying on German citizens is.


The court ruled that the state can use trojan horse software only in certain cases and only to intercept (encrypted) internet telephony, not to take over a citizens computer and do whatever they want. And certainly not, like this piece of incompetent crap does, leave the door open for everybody else. For details see the CCC statement. They were among the experts heard by the constitutional court before it came to the decision, and they know the details better than anybody else. Despite the name, these aren't script kiddies with Guy Fawkes masks.

Now clear?

Thank you for explaining that.

Now the company that made the bug is claiming that they are not incompetent.