Germany is about to pass a law that allows German intelligence agencies to use trojan software on its citizens without any reasons for suspicion. More people need to know about this!


just from what I read here...not pretty.


Very not pretty, considering other countries' governments might pass similar laws getting inspired from this.


Looks like it might be time to revive the UK pirate party.


This is the thing the completely ignorant governments in Western Nations (USA, Canada, UK, etc) are not aware of: having any sort of software back door allows for anyone to potentially walk through it. (Saying "back door" is just a nice way to say a "security vulnerability".) A government created Trojan or other malware is not inherently different than malware created by criminals, they just serve different purposes. If one form of malware created by a supposedly benevolent central government can infect a system, so potentially can any other malware.


Another concern is all the supply chain attacks.. who's to say the government's Trojan doesn't get hijacked?


Capturing, isolating, and reverse engineering malware code is difficult but far from impossible. Given that there would be incentive for any number of "interested parties" to do exactly that, I would say not only could it happen but it would definitely happen at some point.


Exactly. This is done all the time when new ransomware hits. It's only a matter of time until someone notices that they are infected and sends a sample to security specialists. Also, cyber criminals and foreign intelligence agencies pay a lot of money for such samples to get the exploits.


Microsoft and Eset were able to reverse engineer the FinFisher Malware. So it's not impossible, once they find the Malware, we're doomed.


Another interesting point is machine learning. The not-too-distant future could easily have AI dissecting code like this and regurgitating 100,000,000 different possibilities an hour with the help of a super computer. For all I know they're already doing it. Lord knows they're doing it with everything else.


You can’t just use the government's backdoor. That would be illegal. Come on guy! /s


Yes that is also technically not possible as they use zero days we first need to buy somewhere else… /s


Germany has a new sketchy agency dedicated to finding exploits. https://en.wikipedia.org/wiki/Central_Office_for_Information_Technology_in_the_Security_Sector


What, are you saying the government won’t completely secure that back door from the bad guys? /s


What I mean is there is no such thing as completely securing any back door. If malware is able to infect your system, that indicates there is a security vulnerability... That is what a back door is: a vulnerability, a weak spot in the wall, a chink in the armor. It does not matter who created the malware, whether it was a government, criminals, or the boogeyman.


I get it. The fact that the door is there, that anyone who knows what they are looking for can find it, well. I have never understood corporate/government/head honcho types who think that their work is impenetrable.


I imagine that's the same thing the Chinese thought when they built the Great Wall. The same thing the French thought when they built the Maginot Line. Any sort of back door into a software makes it fundamentally less secure.


Not every backdoor is directly a vulnerability. You can for example use fully secure encryption - but with multiple keys. Application is fully secure but the question is who holds the keys. Someone who has no key, has to bruteforce access with similar way than it has no backdoor - only with one attempt less maybe.


In theory you'd be correct. In practice, it's more messy. As my military friends say: no plan survives first contact with the enemy.


That's not exactly right. By that logic, any system has no security, because the owner will *always* be able to install malware on his system.




> If a malicious person has physical access to a device, that device should be considered completely compromised, that’s how it’s always been.

No, there are plenty of methods to minimize what a person can do even with physical access.

> You said this like it’s not true, but this is 100% true.

What? Then what's the point of this sub if every system has no security no matter what? That's clearly not true. There are plenty of ways to mitigate and minimize vulnerabilities. Just because there are ways to bypass them doesn't mean you shouldn't make it harder. You are essentially saying, because it is possible that you'll have a vulnerable system you should just give up and not try to protect it. That's super stupid.


There is a world of difference between remotely infecting a system and infecting a system when you have physical access. In the latter case it's as simple as installing a malicious app which installs same as any other app.


So? Your initial statement was stupid. You said "if someone can infect your system that means it doesn't have security". That's a stupid statement.




Government is going to be exempt from that.


To be honest I have a lot to hide, like my name, my age, and about a billion other personal information.


Hackers would love it if Germany passes the law and implements this method. Government doing half the work for the hackers, because can we really trust government to be safe in cyber security practice? Hackers would bide their time, gather information about the Trojan software process, and back door that Trojan software.


That doesn't sound like it's in line with Germany's strict privacy policy at all...


That's why the Federal Constitutional Court already has a case for this matter. Many believe that this law will be repelled by the court. Once more, in line with many other internet "security" laws.


Yeah I think I must be confused because this whole thing sounds like the opposite of what Germany stands for as a country… but I’m an idiot so I’m prolly missing vital information here


Nah you're mostly right. But the country is so far behind in digitization most people probably don't know what this means. And the shitty parties in power are hoping they can just slip this past without anyone realizing. Luckily it will probably (hopefully) be struck down in court. Meanwhile everyone will still continue voting for these parties...


Oh hey thanks for letting me know! I was hoping someone would!


Mate we got upload filters, mandatory fingerprints for new IDs and now this shit. The amount of ignorant people in my country is just hilarious. Everyone just says "But I got nothing to hide" without thinking two steps further or even listening to actual Cybersecurity experts. I'm just shattered what this country has become and no one cares to change this.


Yes. The problem is it takes years to win against them in court. In these years, the law is active. They did that with the BND law as well. Passed in 2016, I think, was ruled unconstitutional in 2019 and not even a year later they just passed it again with next to zero tangible differences.


My stance still stands: Cybersecurity experts will always have job assurance so long as technically incompetent and illiterate politicians are writing the laws 🤑


I bet my income on that!


What do you do? /s


My job is to tell managers they don't know jack about security and should be fired. The hard part is to word it nicely.


Haha. I'm an IT Director and I'm shocked at how many places just let their users have local admin access, it boggles my mind. They say things like "the admin/exec team demands it". I say that's great if you're looking for ransomware.


Frankly, it depends on the user. And how it's done. Giving a user the ability to augment their permissions may be sensible, provided there is oversight and they know what they're doing. In most cases, though, it's a ransomware attack waiting to happen, I'm with you there all the way.


The Gestapo would have loved this.


Totally the incentive for "Backdooring the entirety of Germany" isn't a big enough reward for Cyber gangs to attempt hijacking or reverse engineer the State Trojan. Am I right gang? -I mean Guys?


Freedom of speech my ass!!


That is exactly where they are trying to gain access to! Your back door!


My back door is for exit only. And if they really insist, they can have that shit.


This is Germany, not the US.


Will they need to force security vendors to whitelist it? Otherwise the behaviour alone would raise a few eyebrows by most security software.


Yes, it won’t be allowed to detect and block a trojan in Germany - problem solved!


If there's backdoors, it has two users. Government and criminals that don't give a rat's ass about laws.


What the hell is going on, first this then the NHS selling medical records to 3rd parties


Knowing cyber security fundamentals is not a choice "for the nerds" nowadays.


There is no "government only" backdoor. Any backdoor that must not be closed because LEAs want it to be there is an incredibly attractive target for criminals. And no, that you need a superspecial key to enter is no security either, because we're talking about state actors here that would be interested in this. And it's not a long way to letters along the lines of "Dear Agent Müller, we know that you have access to that government backdoor key. We have your lovely wife here. I think we can find a mutually acceptable arrangement". Because that essentially means you can kiss any R&D taking place in your country good-bye. No company will continue to do anything that could remotely be considered trade secrets within your jurisdiction. And with Germany, this means... what kind of industry is left after that?


Skynet has reached Germany.


> Removed from /r/Europe for being low effort

You can't make this shit up


I'm actually pretty surprised with this one, I thought Germany was the country where next to no Google maps were available with street view because of privacy concerns


Government removing rights in the name of "safety" - name a more iconic duo!


Ol' Angie 'bout to pull a Dubya?


Imagine someone using that same backdoor to connect back to the government spies and hack them.


It’s all been a trap.


The title of this post is a blatant lie. There is a lot to criticize about the changes to the law, which exist since 2017, but there still needs to be the suspicion of certain, well-defined crimes to use it against a person.


Does anybody know the (German) name of the law?


How do they make sure not to hack foreigners' phones who are just passing through?


For real the outreach of the government agencies needs to stop


Might as well assign a personal agent per household or per person. What's the difference anyway?


Holy shit


Welcome to Orwell's Big Brother.


Does that mean it is also EU law? Since no member states seem allowed to make laws that aren’t passed and railroaded by the ECJ. Stasi.exe and the EU wonders why UK wanted out!


That's obviously not true otherwise every EU country would have exactly the same laws, and that's clearly not the case.


Let’s see shall we, revisit my comment in 12 months