
Coder of Swiss Wiretapping Trojan Speaks Out

Posted by Soulskill
from the is-swiss-software-full-of-security-holes dept.
Lars Sobiraj writes "Ruben Unteregger has worked for a long time as a software-engineer for the Swiss company ERA IT Solutions. His job there was to code malware that would invade PCs of private users, and allow the wiretapping of VoIP calls — in particular, calls made through Skype. In the German-speaking areas of the country, the Trojans were called 'Bundestrojaner' because the Swiss government was involved with their development and use. Unfortunately, Unteregger has to remain silent about the customers of the company. Last night, he published the source code of his Skype-Trojan under the GPL."
  • GPL ? (Score:1, Insightful)

    by Pieroxy (222434) on Wednesday August 26, 2009 @10:46AM (#29201731) Homepage
    GPL really is a stupid option in my opinion. Most certainly the guy doesn't even own the source code since he did it under contract from an employer, so he cannot really "release" what is not his...

    Maybe I'm wrong and he owns the source code though. But it will give some more ammo to the FUD that carries some big corporations that GPL is bad.
  • by Kokuyo (549451) on Wednesday August 26, 2009 @10:53AM (#29201877) Journal

    but the reality is that there is a risk some idiot out there is going to misuse this information.

    SOME idiot? I'm most worried about the government itself, thank you.

  • by AndrewNeo (979708) on Wednesday August 26, 2009 @10:58AM (#29201969) Homepage

    Yes, we do, for the same reason we want other software to be open source.. security. If we can see into a program's source, we can identify potential security issues. By releasing the trojan's source code, Skype can fix their software.

  • Call me naive... (Score:2, Insightful)

    by Zantac69 (1331461) on Wednesday August 26, 2009 @11:11AM (#29202163) Journal
    ...but isn't this a little irresponsible? It's not as irresponsible as handing a loaded Glock to a 17 year old that was raised on Half-Life, Doom, Quake, etc...but still. You are giving basically ready made code to script kiddies to cut, paste, and be stupid with. True black hats probably don't need it (or already had it), but that kind of makes it too easy for the wannabes. I can see why code would be released so that software makers can IMPROVE and lock down their code to prevent snooping like this...but to just toss it out there so anyone can play with it. :shrug: Just does not seem right. (of course - the snooping to begin with was probably not "right" to begin with)
  • by fuzzyfuzzyfungus (1223518) on Wednesday August 26, 2009 @11:20AM (#29202301) Journal
    I think we do. If the malware is a "feds only" tool, there will be pressure, overt or covert, on security vendors to make their products look the other way when it shows up. That would be bad.

    If every tom, dick, harry, and script kiddie out there has a dozen variants, security vendors will have to treat it as a threat, and hopefully end up mitigating the effectiveness of the fed trojan.
  • by gnick (1211984) on Wednesday August 26, 2009 @11:23AM (#29202357) Homepage

    ...releasing open source malware code isn't especially helpful either.

    Open sourcing it is fine (assuming he's allowed to do so - I know I'd be in trouble if I open sourced the code I'm paid to write) - Even then there's the Wikileaks option if GPL (or whatever) isn't practical. But, both as a courtesy, an aggressive encouragement to improve, and an effort to minimize damage, it should be politely delivered to Skype first. Skype should also be made aware of your intentions, in say 3-6 months, of sharing it with the world.

  • by mcgrew (92797) * on Wednesday August 26, 2009 @11:55AM (#29203001) Homepage Journal

    It's odd that even though I'm 57 years old, I have a far higher opinion of youth than you seem to have. Also odd that you think Doom or Quake would turn teens into killers; what turns teens into killers is mental illness, bad upbringing, or high school bullies. And most of the teens who have these unfortunate circumstances kill themselves, not others.

    Most kids I've known from the time I was a teen to now were good kids. Some teenagers I've known were more responsible than a lot of adults I've known. Some were even more responsible than their own parents.

  • by hitnrunrambler (1401521) on Wednesday August 26, 2009 @12:23PM (#29203531)

    You're looking at it from a perspective that can be generalized "security through obscurity"; at its core is a hope that limiting the general knowledge of a subject will prevent "bad people" from interfering. Again generalizing the motto could be "The less people know the more everyone is safe."

    The weakness of this in practical terms is that people discover things and motivated people can be very creative. If one person or team can accomplish something there is no reason to assume that they are the only ones who possibly could.

    Let's think of it in physical terms: To modify your analogy, this is like assuming "I haven't given {violence-prone-teen} a gun; therefore he can't possibly have a gun."

    Proper disclosure (which on the surface this seems to be) raises awareness of vulnerabilities and helps motivate those who work towards combating such vulnerabilities. It also means that if those responsible are unwilling/unable to fix the problem that the general public is now aware of a problem and may be able to modify their own vulnerability to it. (With these 2 goals in mind some people follow a firm 2 step process of disclosure; informing "the authorities" first to give them a headstart, then informing the general public.)

    Proper disclosure of where a violent teen "might" get a gun disperses the illusion that "I didn't give him a gun so he must be unarmed".

    The dilemma does exist that if a vulnerability is not secured after being disclosed then, yes you have essentially given junior directions to a Glock. But as another responder pointed out... this is hardly the only source for potentially malevolent software/code. If junior is determined to kill he will find a way.

    Where does your ethical duty fall when you have such knowledge?
    That's for you to carefully consider and decide (which is the entire concept behind ethics anyway). But many people would advocate for knowledge, aware that knowledge does not automatically make us safe, but secure in their belief that ignorance never makes us safe... it just makes us feel safe.

  • by Anonymous Coward on Wednesday August 26, 2009 @12:28PM (#29203599)

    Of course irresponsibly feeding your children a steady diet of violent entertainment might just qualify as a symptom of "bad upbringing". Results vary.

  • by hitnrunrambler (1401521) on Wednesday August 26, 2009 @12:34PM (#29203693)

    You are the government (at least you're supposed to be) here in the US, so if you're afraid of the government, you're afraid of yourself. How is that for recursive fear? :-D

    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.

    Cool... having a sig that highlights why you should be "afraid of yourself" while commenting on the recursive nature of such fear turns it from being a simple recursion into a complex fractal pattern.

  • Re:GPL ? (Score:3, Insightful)

    by element-o.p. (939033) on Wednesday August 26, 2009 @01:22PM (#29204409) Homepage

    GPL really is a stupid option in my opinion...it will give some more ammo to the FUD that carries some big corporations that GPL is bad.

    Assuming the source code is his to give away (certainly not a given!), I have to disagree.

    1) GPL is perfect for this, since it essentially says, look -- take this code and modify it, redistribute it, analyze it, re-publish it...do what you want with it, as long as you allow this same freedom to anyone else who gets the software. This is the whole reason the GPL exists in the first place! In this case, this is good because it allows others to take the code apart, figure out what makes it tick and come up with A/V signatures to detect it without worrying about whether or not you are violating a licensing agreement by trying to analyze and reverse engineer the code. It does also allow black hats to rewrite and enhance it for illicit use, but that's one of the problems with freedom -- you can always abuse freedom, if you choose. And for whatever it's worth, I don't think the black hats were going to be too concerned about license restrictions, anyway...

    2) Saying that GPL is bad because software that may possibly be used for ill intent is licensed under the GPL is a logical fallacy. Would anyone in their right mind say that, because someone somewhere has used a car to commit a crime (drunk driving? getaway car in a robbery? ran over someone who pissed them off?) that therefore all cars are inherently evil? Of course not, so why would you say that about software?

    3) Okay, maybe that's not what you meant by your "more ammo to FUD" argument. Maybe instead you meant that it allows big corporations to worry that their developers might give away their software products by licensing them under the GPL. How is that any different than any other commercially developed GPL'd product (MySQL, RHEL, etc.)? Or, from another angle, how is that any different than any other big company worrying that their developers might give their intellectual property to a competitor, or publish it on-line somewhere? It is *possible* for this to happen whether it's GPL'd, released under other FOSS licenses or simply posted on-line without any kind of license at all.

    Of course, if he doesn't really own the rights to the source code, then all bets are off.
