Germany is about to pass a law that allows German intelligence agencies to use trojan software on its citizens without any reasons for suspicion. More people need to know about this!

SpawnDnD

just from what I read here...not pretty.


JayS36

Very not pretty, considering other countries' governments might pass similar laws getting inspired from this.


AquilamFlammeus

Looks like it might be time to revive the UK pirate party.


TheFlightlessDragon

This is the thing the completely ignorant governments in Western Nations (USA, Canada, UK, etc) are not aware of: having any sort of software back door allows for anyone to potentially walk through it. (Saying "back door" is just a nice way to say a "security vulnerability".) A government created Trojan or other malware is not inherently different than malware created by criminals, they just serve different purposes. If one form of malware created by a supposedly benevolent central government can infect a system, so potentially can any other malware.


knucklepuckpdx

Another concern is all the supply chain attacks.. who's to say the government's Trojan doesn't get hijacked?


TheFlightlessDragon

Capturing, isolating, and reverse engineering malware code is difficult but far from impossible. Given that there would be incentive for any number of "interested parties" to do exactly that, I would say not only could it happen but it would definitely happen at some point.


maxinator80

Exactly. This is done all the time when new ransomware hits. It's only a matter of time until someone notices that they are infected and sends a sample to security specialists. Also, cyber criminals and foreign intelligence agencies pay a lot of money for such samples to get the exploits.


sicktothebone

Microsoft and Eset were able to reverse engineer the FinFisher malware. So it's not impossible; once they find the malware, we're doomed.


stratus41298

Another interesting point is machine learning. The not-too-distant future could easily have AI dissecting code like this and regurgitating 100,000,000 different possibilities an hour with the help of a super computer. For all I know they're already doing it. Lord knows they're doing it with everything else.


Littledawg1

You can’t just use the government's backdoor. That would be illegal. Come on guy! /s


Mrb1d

Yes that is also technically not possible as they use zero days we first need to buy somewhere else… /s


maxinator80

Germany has a new sketchy agency dedicated to finding exploits. https://en.wikipedia.org/wiki/Central_Office_for_Information_Technology_in_the_Security_Sector


BlackSeranna

What, are you saying the government won’t completely secure that back door from the bad guys? /s


TheFlightlessDragon

What I mean is there is no such thing as completely securing any back door. If malware is able to infect your system, that indicates there is a security vulnerability... That is what a back door is: a vulnerability, a weak spot in the wall, a chink in the armor. It does not matter who created the malware, whether it was a government, criminals, or the boogeyman.


BlackSeranna

I get it. The fact that the door is there, that anyone who knows what they are looking for can find it, well. I have never understood corporate/government/head honcho types who think that their work is impenetrable.


TheFlightlessDragon

I imagine that's the same thing the Chinese thought when they built the Great Wall. The same thing the French thought when they built the Maginot Line. Any sort of back door into a software makes it fundamentally less secure.


Hithaeglir

Not every backdoor is directly a vulnerability. You can for example use fully secure encryption - but with multiple keys. Application is fully secure but the question is who holds the keys. Someone who has no key has to brute-force access in a similar way as if it had no backdoor - only with one attempt less maybe.


TheFlightlessDragon

In theory you'd be correct. In practice, it's more messy. As my military friends say: no plan survives first contact with the enemy.


ctm-8400

That's not exactly right. By that logic, any system has no security, because the owner will *always* be able to install malware on his system.


[deleted]

[removed]


ctm-8400

> If a malicious person has physical access to a device, that device should be considered completely compromised, that’s how it’s always been.

No, there are plenty of methods to minimize what a person can do even with physical access.

> You said this like it’s not true, but this is 100% true.

What? Then what's the point of this sub if every system has no security no matter what? That's clearly not true. There are plenty of ways to mitigate and minimize vulnerabilities. Just because there are ways to bypass them doesn't mean you shouldn't make it harder. You are essentially saying, because it is possible that you'll have a vulnerable system you should just give up and not try to protect it. That's super stupid.


TheFlightlessDragon

There is a world of difference between remotely infecting a system and infecting a system when you have physical access. In the latter case it's as simple as installing a malicious app which installs same as any other app.


ctm-8400

So? Your initial statement was stupid. You said "if someone can infect your system that means it doesn't have security". That's a stupid statement.


[deleted]

[removed]


port53

Government is going to be exempt from that.


chooseausername873

To be honest I have a lot to hide, like my name, my age, and about a billion other personal information.


MotionAction

Hackers would love it if Germany passes the law and implements this method. Government doing half the work for the hackers, because can we really trust government to be safe in cyber security practice? Hackers would bide their time, gather information about the Trojan software process, and back door that Trojan software.


jcstrat

That doesn't sound like it's in line with Germany's strict privacy policy at all...


Rochhardo

That's why the Federal Constitutional Court already has a case for this matter. Many believe that this law will be repealed by the court. Once more, in line with many other internet "security" laws.


theblackcanaryyy

Yeah I think I must be confused because this whole thing sounds like the opposite of what Germany stands for as a country… but I’m an idiot so I’m prolly missing vital information here


jeapplela

Nah you're mostly right. But the country is so far behind in digitization most people probably don't know what this means. And the shitty parties in power are hoping they can just slip this past without anyone realizing. Luckily it will probably (hopefully) be struck down in court. Meanwhile everyone will still continue voting for these parties...


theblackcanaryyy

Oh hey thanks for letting me know! I was hoping someone would!


flopana

Mate we got upload filters, mandatory fingerprints for new IDs and now this shit. The amount of ignorant people in my country is just hilarious. Everyone just says "But I got nothing to hide" without thinking two steps further or even listening to actual cybersecurity experts. I'm just shattered what this country has become and no one cares to change this.


JustHere2RuinUrDay

Yes. The problem is it takes years to win against them in court. In these years, the law is active. They did that with the BND law as well. Passed in 2016, I think, was ruled unconstitutional in 2019 and not even a year later they just passed it again with next to zero tangible differences.


shadowlillium

My stance still stands: Cybersecurity experts will always have job assurance so long as technically incompetent and illiterate politicians are writing the laws 🤑


TrustmeImaConsultant

I bet my income on that!


therankin

What do you do? /s


TrustmeImaConsultant

My job is to tell managers they don't know jack about security and should be fired. The hard part is to word it nicely.


therankin

Haha. I'm an IT Director and I'm shocked at how many places just let their users have local admin access, it boggles my mind. They say things like "the admin/exec team demands it". I say that's great if you're looking for ransomware.


TrustmeImaConsultant

Frankly, it depends on the user. And how it's done. Giving a user the ability to augment their permissions may be sensible, provided there is oversight and they know what they're doing. In most cases, though, it's a ransomware attack waiting to happen, I'm with you there all the way.


Fanboysblow

The Gestapo would have loved this.


coconut_dot_jpg

Totally the incentive for "Backdooring the entirety of Germany" isn't a big enough reward for Cyber gangs to attempt hijacking or reverse engineer the State Trojan. Am I right gang? -I mean Guys?


Icy-Raccoon-8689

Freedom of speech my ass!!


foxhelp

That is exactly where they are trying to gain access to! Your back door!


TrustmeImaConsultant

My back door is for exit only. And if they really insist, they can have that shit.


TrustmeImaConsultant

This is Germany, not the US.


boftr

Will they need to force security vendors to whitelist it? Otherwise the behaviour alone would raise a few eyebrows with most security software.


Mrb1d

Yes, it won’t be allowed to detect and block a trojan in Germany - problem solved!


v4773

If there's a backdoor, it has two users: government and criminals that don't give a rat's ass about laws.


yerrk

what the hell is going on, first this then the NHS selling medical records to 3rd parties


ZidaneLoire

Knowing cyber security fundamentals is not a choice "for the nerds" nowadays.


TrustmeImaConsultant

There is no "government only" backdoor. Any backdoor that must not be closed because LEAs want it to be there is an incredibly attractive target for criminals. And no, that you need a superspecial key to enter is no security either, because we're talking about state actors here that would be interested in this. And it's not a long way to letters along the lines of "Dear Agent Müller, we know that you have access to that government backdoor key. We have your lovely wife here. I think we can find a mutually acceptable arrangement". Because that essentially means you can kiss any R&D taking place in your country good-bye. No company will continue to do anything that could remotely be considered trade secrets within your jurisdiction. And with Germany, this means... what kind of industry is left after that?


Educational-Yam-8570

Skynet has reached Germany.


DeadDinosaur-8

> Removed from /r/Europe for being low effort

You can't make this shit up


kiakosan

I'm actually pretty surprised with this one, I thought Germany was the country where next to no Google maps were available with street view because of privacy concerns


vurt

Government removing rights in the name of "safety" - name a more iconic duo!


Tralan

Ol' Angie 'bout to pull a Dubya?


sn1ped_u

Imagine someone using that same backdoor to connect back to the government spies and hack them.


Butterbean-queen

It’s all been a trap.


jayroger

The title of this post is a blatant lie. There is a lot to criticize about the changes to the law, which exist since 2017, but there still needs to be the suspicion of certain, well-defined crimes to use it against a person.


Norin8

Does anybody know the (German) name of the law?


j0bbs

How do they make sure not to hack foreigners' phones who are just passing through?


naughty_soul69

For real the outreach of the government agencies needs to stop


hitosama

Might as well assign a personal agent per household or per person. What's the difference anyway?


Ozwentdeaf

Holy shit


persphonesass

Welcome to Orwell's Big Brother.


Y57sh2isN7R3TTqgrJ7

Does that mean it is also EU law? Since no member states seem allowed to make laws that aren’t passed and railroaded by the ECJ. Stasi.exe and the EU wonders why UK wanted out!


port53

That's obviously not true otherwise every EU country would have exactly the same laws, and that's clearly not the case.


Y57sh2isN7R3TTqgrJ7

Let’s see shall we, revisit my comment in 12 months