Kudos to the team for being immediately open about the issue.
I'm not sure if this is a new development or an older issue. One thing you need to understand is that the timing for this info getting out there is perhaps a little less than a coincidence. Estonia is poised to have local elections very soon (mid October) and even non-citizens can vote, as long as they are residents and have an ID card.
Traditionally one of the parties (Keskerakond) has received very few votes from the e-voting. They have an older voting crowd and also less urban, and get the majority of Russian speaking votes. They would have a lot to gain from speculation over security issues with e-voting. Also, Keskerakond, has had ties with Russia and Russian money financing some of their campaigns.
I'm not saying it's Russia, but the timing of the announcement of the vulnerability is very interesting
>I'm not saying it's Russia, but the timing of the announcement of the vulnerability is very interesting
Any articles you can link to which will detail something like this Russia has done? I've also heard similar comments about the ransomware attack on Czech Republic, which is indicating of past behavior of Russia.
American media companies don't seem to cover Russia (atleast as well as China, excluding the recent election news frenzy. Or maybe they don't get shared that much). Russian government seems to silence domestic critics, so any verbose story which is noteworthy by international journalists?
(I'm fine with spending a good number of hours on this so anyone is welcome to post any number of links)
OK, since this is being discussed here: has anybody found a use case for the Estonian e-Residency? I tried to actually register a company and a bank account and gave up after trying for several hours.
I just could not find out how to do it. Here [0] they mentioned that from 2017, it should be possible to open an account without physically going to Estonia. Judging from the comments below, there are also other confused e-Residency card holders with the same issue.
It looks like that's something they hoped to have in place for 2017, but still is not possible. From the official website FAQ at https://e-resident.gov.ee/faq/
"Visit the bank office in person and apply for a bank account. The bank will want to know how you are connected to Estonia and how you plan to use the account. You will need to bring your e-residency card along."
In terms of opening a bank account, SEB now offers a way to do that through a video meeting: http://www.seb.ee/eng/remote-advisory, although right now if you're not yet a client, you can not use it. They promise to open it up for new clients as well, but no ETA I think.
Registering a company remotely should work. That's the easy part for Estonia to implement because the company registry is a government office.
Opening a bank account is more difficult because it's up to individual banks to make the decision to allow remote account holders. Banks are private companies, and government can't easily force their hand without the big hammer of passing some legislation in the Estonian parliament (which would then also need to be vetted for compatibility with pre-existing EU law).
In my experience, European banks seem to go out of their way to make it difficult to open an account. I've had bank accounts in Finland, France and USA, and the last one was a breeze compared to the others.
My use case: as a Russian citizen living in Russia but planning to release an app, I'd much rather prefer doing it via an EU company than via a Russian company.
First, there's a lot of nasty stuff happens to business owners who don't have proper "protection" (their businesses get "transferred" to the right people and they themselves go to jail on phony charges for not wanting to sell their business for peanuts).
Second, the situation in Russia will definitely get worse, and when that happens, the problem I described above will also get worse. I just don't want to expose a business generating revenue in USD in Russia. And if it gets exposed (which it will, due to the automatic information exchanges between jurisdictions), I will have an additional barrier of protection against unwanted "transfers" -- it's easy to do to a Russian business, but it's much harder with foreign companies.
And third, selling an app while being listed in app stores as a Russian company definitely won't improve my first impressions, given all the hype about Russian hackers (there's even an example of it in this thread!)
By the way, if you want to register a company, go with a provder like LeapIN.eu -- they're fantastic.
Under Russian tax law, a company is a tax resident in Russia if (a) it is incorporated in Russia, (b) its management and central control are in Russia, or (c) if a treaty deems it to be in Russia. Estonia has no tax treaty with Russia, so (c) is not relevant. In your case, (a) is also not relevant. Point (b) is more interesting: do you live in Russia and exercise management of your Estonian company in Russia?
If yes, then you own a Russian-resident company and Russian corporate tax law is applicable. You are required to prepare financial statements and file corporate tax returns in Russia. Presumably there's also many foreign ownership disclosure requirements.
Please consider discussing your case with a tax advisor if you have not already done so. I would never ever easily recommend a citizen of an OECD country incorporate a company overseas without first thoroughly researching disclosure requirements and tax law. Please be careful as tax laws generally are of the "go straight to jail" type.
I wish this Estonian e-residency program would contain more warnings in red about the significant impact such a foreign company will have on a shareholder. This applies to Atlas as well--non-US-residents need to be extremely careful with US corporations as there's a good chance they will not actually be resident in the US.
In many OECD countries, if you, a resident of a state, incorporates a company in another state, and you control that company from your home country, your company in the foreign jurisdiction will be deemed a resident in your home country and require tax returns in your home country. I am perplexed by the number of people setting up businesses outside their country, not realizing the numerous disclosures and extremely complicated tax planning that comes with it.
> Very vague on details. No links to exact researchers or their findings.
That's the whole point. When you are dealing with a major security incident (anything impacting a countries ID cards would count), one of the first things you should do is tell the world that something is happening and the steps you took to stop the bleeding.
Roughly quoting from the FAQ featured today in local press[1]:
Q: Is the white paper published? Can anyone use it for hacking the ID card?
A: The scientific research will be published later this autumn at an international scientific conference. Within the academic community it is not accepted to publish specific exploitations.
"Theoretically, an ID-card can be used for person identification and digital signing - without having a card and not knowing PIN-codes. It is not enough to know public keys to crack the ID-card, an attacker would also need a lot of processing power to compute the private key and special software to put a digital signature."
"In October 2014 ID-cards began to use a brand new faster chips, which are based on new technology and therefore more secure. That new chip has received French and German safety certificates, which confirm the compliance of the chip with safety requirements. The same chip is currently used in several other countries, as well as on payment cards and business certificates. The vulnerability risk arose due to the combination of chip operation and software."
"We took a number of steps to minimize risks: closed the ID-card public key database, our experts analyze the situation and are looking for a solution to restore the highest security level."
> When notified, Estonian authorities immediately took precautionary measures [...]
> We are grateful to the researchers for uncovering this issue and providing us with the opportunity to ensure our digital society can emerge stronger and more secure.
Such a different approach compared with companies following the too usual policy of burying their head in the sand. This increases respect and trust. Taking no actions or communicating no action is detrimental to trust.
21 comments
[ 1.8 ms ] story [ 62.4 ms ] threadI'm not sure if this is a new development or an older issue. One thing you need to understand is that the timing for this info getting out there is perhaps a little less than a coincidence. Estonia is poised to have local elections very soon (mid October) and even non-citizens can vote, as long as they are residents and have an ID card.
Traditionally one of the parties (Keskerakond) has received very few votes from the e-voting. They have an older voting crowd and also less urban, and get the majority of Russian speaking votes. They would have a lot to gain from speculation over security issues with e-voting. Also, Keskerakond, has had ties with Russia and Russian money financing some of their campaigns.
I'm not saying it's Russia, but the timing of the announcement of the vulnerability is very interesting
(updated for formatting)
Any articles you can link to which will detail something like this Russia has done? I've also heard similar comments about the ransomware attack on Czech Republic, which is indicating of past behavior of Russia.
American media companies don't seem to cover Russia (atleast as well as China, excluding the recent election news frenzy. Or maybe they don't get shared that much). Russian government seems to silence domestic critics, so any verbose story which is noteworthy by international journalists?
(I'm fine with spending a good number of hours on this so anyone is welcome to post any number of links)
[0] https://e-residency.zendesk.com/hc/en-us/articles/205283661-...
"Visit the bank office in person and apply for a bank account. The bank will want to know how you are connected to Estonia and how you plan to use the account. You will need to bring your e-residency card along."
In terms of opening a bank account, SEB now offers a way to do that through a video meeting: http://www.seb.ee/eng/remote-advisory, although right now if you're not yet a client, you can not use it. They promise to open it up for new clients as well, but no ETA I think.
Opening a bank account is more difficult because it's up to individual banks to make the decision to allow remote account holders. Banks are private companies, and government can't easily force their hand without the big hammer of passing some legislation in the Estonian parliament (which would then also need to be vetted for compatibility with pre-existing EU law).
In my experience, European banks seem to go out of their way to make it difficult to open an account. I've had bank accounts in Finland, France and USA, and the last one was a breeze compared to the others.
My use case: as a Russian citizen living in Russia but planning to release an app, I'd much rather prefer doing it via an EU company than via a Russian company.
First, there's a lot of nasty stuff happens to business owners who don't have proper "protection" (their businesses get "transferred" to the right people and they themselves go to jail on phony charges for not wanting to sell their business for peanuts).
Second, the situation in Russia will definitely get worse, and when that happens, the problem I described above will also get worse. I just don't want to expose a business generating revenue in USD in Russia. And if it gets exposed (which it will, due to the automatic information exchanges between jurisdictions), I will have an additional barrier of protection against unwanted "transfers" -- it's easy to do to a Russian business, but it's much harder with foreign companies.
And third, selling an app while being listed in app stores as a Russian company definitely won't improve my first impressions, given all the hype about Russian hackers (there's even an example of it in this thread!)
By the way, if you want to register a company, go with a provder like LeapIN.eu -- they're fantastic.
If yes, then you own a Russian-resident company and Russian corporate tax law is applicable. You are required to prepare financial statements and file corporate tax returns in Russia. Presumably there's also many foreign ownership disclosure requirements.
Please consider discussing your case with a tax advisor if you have not already done so. I would never ever easily recommend a citizen of an OECD country incorporate a company overseas without first thoroughly researching disclosure requirements and tax law. Please be careful as tax laws generally are of the "go straight to jail" type.
I wish this Estonian e-residency program would contain more warnings in red about the significant impact such a foreign company will have on a shareholder. This applies to Atlas as well--non-US-residents need to be extremely careful with US corporations as there's a good chance they will not actually be resident in the US.
Does anyone know more about this?
That's the whole point. When you are dealing with a major security incident (anything impacting a countries ID cards would count), one of the first things you should do is tell the world that something is happening and the steps you took to stop the bleeding.
The information will come =]
Q: Is the white paper published? Can anyone use it for hacking the ID card?
A: The scientific research will be published later this autumn at an international scientific conference. Within the academic community it is not accepted to publish specific exploitations.
[1] http://www.err.ee/616783/id-kaardi-turvarisk-politsei-vastus...
"Theoretically, an ID-card can be used for person identification and digital signing - without having a card and not knowing PIN-codes. It is not enough to know public keys to crack the ID-card, an attacker would also need a lot of processing power to compute the private key and special software to put a digital signature."
"In October 2014 ID-cards began to use a brand new faster chips, which are based on new technology and therefore more secure. That new chip has received French and German safety certificates, which confirm the compliance of the chip with safety requirements. The same chip is currently used in several other countries, as well as on payment cards and business certificates. The vulnerability risk arose due to the combination of chip operation and software."
"We took a number of steps to minimize risks: closed the ID-card public key database, our experts analyze the situation and are looking for a solution to restore the highest security level."
> We are grateful to the researchers for uncovering this issue and providing us with the opportunity to ensure our digital society can emerge stronger and more secure.
Such a different approach compared with companies following the too usual policy of burying their head in the sand. This increases respect and trust. Taking no actions or communicating no action is detrimental to trust.