
I'd be more worried if this was a backdoor in a popular program or operating system that was specified by the government and implemented by the original software author rather than more typical malware/trojan more akin to a wiretap. The former would be widespread and affect millions of users, while this appears to be a tool for use by law enforcement to carry out legitimate surveillance in criminal investigations. Presumably every modern government has such capabilities or they are really asleep at the switch.


The main gripe the authors of the paper have is not that this trojan exists - there are indeed German laws that allow for such a trojan - but that it has been so insecurely implemented, and also collects information that cannot be identified as "communication" (which is a requirement for this German law).

Any data received from the command and control server is sent unencrypted and unchecked. Additionally, the trojan contains a "backdoor within a backdoor", which allows any code to be attached to the trojan and executed unchecked!

Moral issues of computer surveillance aside, this trojan is a shocking example of the German government's (if indeed this is a government effort) incompetence regarding the internet.


Another gripe was the fact that the "backdoor within a backdoor" functionality (which AFAIK was ruled unlawful by German courts) is the only part of the trojan that tries to hide what it does.


I would challenge the concept of the government carrying out "legitimate surveillance" through this dubious means.

The person surveilled has not been convicted of a crime, yet the state has taken it upon itself to install software that would leave the person open to further hacking by random individuals.

This is akin to the police not simply breaking into the house of a man they suspected of a crime but also them leaving his door ajar after they left. See the Sony Rootkit.


If they got a warrant first I'd be OK with it - as long as they were competent of course and didn't leave the person vulnerable.

It's no different from getting a warrant for a phone tap, or a copy of your US mail.

(Incidentally they don't need a warrant for a copy of the address on the front, called http://en.wikipedia.org/wiki/Mail_cover - so presumably they don't need a warrant to ask your ISP for a list of IP addresses, but I'd want a court to confirm that first.)


It's a little naive to believe governments don't do this kind of thing (software surveillance), don't you think? Even if they "shouldn't".


What in my post led you to believe I thought that governments don't engage in a variety of dubious surveillance (including surveillance which leaves open back doors to the victim's machine)? They certainly do.

The thing is that exposing these acts and fighting all efforts to make such acts legal is still important for limiting how much the state can do.


Nothing, sorry.

My point was, there's nothing to be done about it. They're going to do it, just as sure as gravity.



