Thoughts on Lawful Malicious Software and its Impact on IT Infrastructure
During the premiere of "A Good American" we had a chat with journalists. Markus Sulzbacher of Der Standard wanted to know what the implications of the so-called Bundestrojaner are (literally "federal trojan", the colloquial German term for the concept of inserting government malware in order to extract information from a suspect’s computer and telephone devices). The idea is to infect a computer system with malicious software that sits in the background and siphons off the hard-to-get data connected to communication (i.e. messengers, Skype, emails, etc.). We have translated the interview from German to English for you. You can find the original on the Der Standard web site.
Der Standard 12.04.2016
Police praise the software as a “wonder weapon against terror”. But for IT expert René Pfeiffer the planned introduction of governmental spying software is no suitable measure for the fight against crime.
Interview: Markus Sulzbacher
Standard: What speaks against the use of governmental spying software?
Pfeiffer: The use requires a manipulation of the device you’re going to spy on. In combination with an ongoing police investigation any form of manipulation is extremely questionable, regarding the evidential value of information and data extracted this way. A federal Trojan relies on an infrastructure which intentionally keeps computer systems in a state of weakness in terms of information security. It’s like a flat with predetermined breaking points on doors and windows. This goes against all principles of IT Security.
Standard: Is there such a thing as a “controlled” use of state espionage software?
Pfeiffer: You can compare malware to its biological pendants, bacteria and viruses. Everyone who believes in a controlled use of governmental spying software also believes in the controlled use of biological weapons. As soon as such code is set free, it can be examined and used to program new malware.
Standard: How can one protect oneself against a federal Trojan technically?
Pfeiffer: In the end a federal Trojan is governmental malware and behaves exactly like a digital Trojan horse, against which you protect yourself by using anti-virus programs and other software. The target of spy attempts, your very own digital infrastructure, can’t distinguish a federal from a criminal Trojan. The outcome is the same, and since we haven’t been able to get rid of past and existing malware yet, we won’t be able to protect ourselves from this one by using technology alone.
Standard: How does one get to know about security gaps, information which is key to programming such spying software?
Pfeiffer: There are companies specialised in the targeted search and selling of vulnerabilities and exploits of all kinds of software. Efficiency determines the price: You pay a certain price and get information about a particular vulnerability, sometimes including the code to attack it on certain operating systems or applications. Depending on the price, vulnerabilities even come with a warranty: If a security gap has been detected and gets closed, you get a new one for free. Today the trade in vulnerabilities and exploits is socially accepted. It used to be a criminal domain.
Standard: Has there been an incident where the use of a federal Trojan has paid off?
Pfeiffer: I don’t know of a single case where such software has helped to solve or prevent a crime. Anyway, sadly this is not the purpose of these measures, which are called for every time after an act of terror has been committed. They just help to secure the budget for the next few years. Right now IT is sexy, everybody relies upon it: The call for spying software seems more in keeping with the times than to call for more competent personnel and better education. Better still, you don’t have to explain yourself: Digital tools sound like magic, they’re justified by trend. Facts are so yesterday.
Essentially the debate about government-supplied malicious software is the same as with encryption backdoors. The discussion won’t go away by itself. Time to think about the case as Thorsten Benner and Mirko Hohmann from the Global Public Policy Institute (GPPi) in Berlin did. If you have any thoughts, save them for the upcoming Call for Papers for DeepSec.