Dailydave mailing list archives

German/Afghanistan Trojan Horse Affair


From: Halvar Flake <halvar () gmx de>
Date: Tue, 29 Apr 2008 16:19:18 +0200

There's a lot of hoopla in German media about the German SIGINT folks
having to admit that they trojanized Afghanistan's Ministry of Commerce
and Industry.
(http://www.spiegel.de/international/germany/0,1518,550212,00.html)

The entire situation is hilarious, as Mrs. Merkel criticized the Chinese
for having sponsored hacking sprees into German government institutions
last year - I guess she is not overly happy about all this stuff hitting
the press now.
(http://www.timesonline.co.uk/tol/news/world/europe/article2332130.ece)

The first article is actually quite interesting. It is terribly hard to
get any information about InfoSec stuff in Europe (we'd need a Mr.
Bamford around here I fear), so the article is really amongst the only
data points to be found.

"    In 2006, Division 2 consisted of 13 specialist departments and a
management team (Department 20A), employing about 1,000 people. The
departments are known by their German acronyms, like MOFA (mobile and
operational telecommunications intelligence gathering), FAKT (cable
telecommunications intelligence gathering) and OPUS (operational support
and wiretapping technology)."

So there are people working on this sort of stuff in Germany after all.
I wonder why one never meets any at any security conferences - they
either have excellent covers or no budget to travel to any conferences.

Another amusing tidbit:

"    Perhaps it will never be fully clear why the BND chose this
particular ministry and whether other government agencies in Kabul were
also affected -- most of the files relating to the case have apparently
been destroyed."

I find the regularity with which important files regarding espionage or
KSK misbehavior are destroyed or lost a little bit ... peculiar.
(http://images.zeit.de/text/online/2007/27/Bundeswehr-Loeschaffaere)

There's a bit in the article about emails that have a .de domain ending
being automatically discarded by their surveillance tools. Hilarious.

The issue came to light because during the surveillance a German
reporter had her email read, too (she was communicating with an Afghan
official whose emails were being read). This is a violation of the
freedom of the press here in Germany, and normally, the BND should've
dealt with this by reporting their breach to the parliamentary
subcommittee for intelligence oversight, which they somehow didn't. A
whistleblower inside the BND then sent a letter to a bunch of
politicians, making the situation public.

It's always hard to make any judgements in cases as these, as the public
information is prone to being unreliable, but it is encouraging that a
whistleblower had the guts to send a letter out. I am a big fan of the
notion that everyone is personally responsible for his democracy.

The topic of intelligence and democracies is always difficult: If one
accepts the necessity of intelligence services (which, by their nature,
operate in dodgy terrain, and which, due to their requirements for
secrecy, are difficult to control democratically), then one has to make
sure that parliamentary oversight works well. This implies that the
intelligence agencies properly inform the parliamentary committee, and
it also implies that the parliamentary committee keeps the information
provided confidential.

There seem to be only two ways to construct parliamentary oversight in a
democracy: Pre-operation or post-operation. Pre-operation would have the
committee approve of any potentially problematic operation ahead of it
being performed. If things go spectacularly wrong, the fault is to be
blamed on the committee. The problem with this is secrecy: Such a
committee is big, and for operational security it seems dangerous to
disseminate any information this widely.

This appears to be the reason why most democracies seem to opt for a
"post-operation" model: The services have in-house legal experts, and
these legal experts judge on the 'legality' of a certain operation. Then
the operation takes place, and the committee is notified after the fact
if something goes spectacularly wrong.

The trouble with this model appears to be that the intelligence service
doesn't have much incentive to report any problems: They can always hope
the problem goes away by itself. It is the higher-ups in the hierarchy
that have to report to the committee, and they are the ones whose heads
will roll if things go wrong.

It appears to be an organisational problem: Information is supposed to
flow upwards in the organisational hierarchy, but at the same time, the
messenger might be shot. This is almost certain to lead to a situation
where important information is withheld.

I guess it's any manager's nightmare that his "subordinates" (horrible
word -- this should mean "the guys doing the work and understanding the
issues") in the organisation start feeding him misinformation.
Organisations start rotting quickly if the bottom-up flow of information
is disrupted. The way things are set up here in Germany seems to
encourage such disruptions. And if mid-level management is a failure but
blocks this information from upper management, the guys in the trenches
have not only the right, but the duty to send a letter to upper management.

I have no clue if there is any country that has these things organized
in a better way -- it seems these problems haunt most democracies.

Anyhow, if anyone happens to stumble across the particular software used
in this case, I think it would make for a terribly interesting weekend
of reverse engineering -- I am terribly nosy as to what sort of stuff the
tool was capable of :)

Cheers,
Halvar
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave