Coder of Swiss Wiretapping Trojan Speaks Out 114
Lars Sobiraj writes "Ruben Unteregger has worked for a long time as a software-engineer for the Swiss company ERA IT Solutions. His job there was to code malware that would invade PCs of private users, and allow the wiretapping of VoIP calls — in particular, calls made through Skype. In the German-speaking areas of the country, the Trojans were called 'Bundestrojaner' because the Swiss government was involved with their development and use. Unfortunately, Unteregger has to remain silent about the customers of the company. Last night, he published the source code of his Skype-Trojan under the GPL."
GPL ? (Score:1, Insightful)
Maybe I'm wrong and he owns the source code though. But it will give some more ammo to the FUD that carries some big corporations that GPL is bad.
Re:Government Support Malware... Great... (Score:5, Insightful)
but the reality is that there is a risk some idiot out there is going to misuse this information.
SOME idiot? I'm most worried about the government itself, thank you.
Re:Government Support Malware... Great... (Score:5, Insightful)
Yes, we do, for the same reason we want other software to be open source.. security. If we can see into a program's source, we can identify potential security issues. By releasing the trojan's source code, Skype can fix their software.
Call me naive... (Score:2, Insightful)
Re:Government Support Malware... Great... (Score:3, Insightful)
If every tom, dick, harry, and script kiddie out there has a dozen variants, security vendors will have to treat it as a threat, and hopefully end up mitigating the effectiveness of the fed trojan.
Re:Government Support Malware... Great... (Score:3, Insightful)
...releasing open source mal ware code isn't especially helpful either.
Open sourcing it is fine (assuming he's allowed to do so - I know I'd be in trouble if I open sourced the code I'm paid to write) - Even then there's the Wikileaks option if GPL (or whatever) isn't practical. But, both as a courtesy, an aggressive encouragement to improve, and an effort to minimize damage, it should be politely delivered to Skype first. Skype should also be made aware of your intentions, in say 3-6 months, of sharing it with the world.
Re:Call me naive... (Score:4, Insightful)
It's odd that even though I'm 57 years old, I have a far higher opinion of youth than you seem to have. Also odd that you think Doom or Quake would turn teens into killers; what turns teens into killers is mental illness, bad upbringing, or high school bullies. And most of the teens who have these unfortunate circumstances kill themselves, not others.
Most kids I've known from the time I was a teen to now were good kids. Some teenagers I've known were more responsible than a lot of adults I've known. Some were even more responsible than their own parents.
Re:Call me naive... (Score:3, Insightful)
You're looking at if from a perspective that can be generalized "security through obscurity"; at it's core is a hope that limiting the general knowledge of a subject will prevent "bad people" from interfering. Again generalizing the motto could be "The less people know the more everyone is safe."
The weakness of this in practical terms is that people discover things and motivated people can be very creative. If one person or team can accomplish something there is no reason to assume that they are the only ones who possibly could.
Let's think of it in physical terms: To modify your analogy, this is like assuming "I haven't given {violence-prone-teen} a gun; therefore he can't possibly have a gun."
Proper disclosure (which on the surface this seems to be) raises awareness of vulnerabilities and helps motivate those who work towards combating such vulnerabilities. It also means that if those responsible are unwilling/unable to fix the problem that the general public is now aware of a problem and may be able to modify their own vulnerability to it. (With these 2 goals in mind some people follow a firm 2 step process of disclosure; informing "the authorities" first to give them a headstart, then informing the general public.)
Proper disclosure of where a violent teen "might" get a gun disperses the illusion that "I didn't give him a gun so he must be unarmed".
The dilemma does exist that if a vulnerability is not secured after being disclosed then, yes you have essentially given junior directions to a Glock. But as another responder pointed out... this is hardly the only source for potentially malevolent software/code. If junior is determined to kill he will find a way.
Where does your ethical duty fall when you have such knowledge?
That's for you to carefully consider and decide (which is the entire concept behind ethics anyway). But many people would advocate for knowledge, aware that knowledge does not automatically make us safe, but secure in their belief that ignorance never makes us safe... it just makes us feel safe.
Re:Call me naive... (Score:1, Insightful)
of course irresponsibly feeding your children a steady diet of violent entertainment might just qualify as a symptom of "bad upbringing". Results vary.
Re:Government Support Malware... Great... (Score:3, Insightful)
You are the government (at least you're supposed to be) here in the US, so if you're afraid of the government, you're afraid of yourself. How is that for recursive fear? :-D
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Cool... having a sig that highlights why you should be "afraid of yourself" while commenting on the recursive nature of such fear turns it from being a simple recursion into a complex fractal pattern.
Re:GPL ? (Score:3, Insightful)
GPL really is a stupid option in my opinion...it will give some more ammo to the FUD that carries some big corporations that GPL is bad.
Assuming the source code is his to give away (certainly not a given!), I have to disagree.
1) GPL is perfect for this, since it essentially says, look -- take this code and modify it, redistribute it, analyze it, re-publish it...do what you want with it, as long as you allow this same freedom to anyone else who gets the software. This is the whole reason the GPL exists in the first place! In this case, this is good because it allows others to take the code apart, figure out what makes it tick and come up with A/V signatures to detect it without worrying about whether or not you are violating a licensing agreement by trying to analyze and reverse engineer the code. It does also allow black hats to rewrite and enhance it for illicit use, but that's one of the problems with freedom -- you can always abuse freedom, if you choose. And for whatever it's worth, I don't think the black hats were going to be too concerned about license restrictions, anyway...
2) Saying that GPL is bad because software that may possibly be used for ill intent is licensed under the GPL is a logical fallacy. Would anyone in their right mind say that, because someone somewhere has used a car to commit a crime (drunk driving? getaway car in a robbery? ran over someone who pissed them off?) that therefore all cars are inherently evil? Of course not, so why would you say that about software?
3) Okay, maybe that's not what you meant by your "more ammo to FUD" argument. Maybe instead you meant that it allows big corporations to worry that their developers might give away their software products by licensing them under the GPL. How is that any different than any other commercially developed GPL'd product (MySQL, RHEL, etc.)? Or, from another angle, how is that any different than any other big company worrying that their developers might give their intellectual property to a competitor, or publish it on-line somewhere? It is *possible* for this to happen whether it's GPL'd, released under other FOSS licenses or simply posted on-line without any kind of license at all.
Of course, if he doesn't really own the rights to the source code, then all bets are off.