243 comments

[ 3.2 ms ] story [ 235 ms ] thread
The German surveillance state is very capable and often understated. They even “ran” Crypto AG with the NSA for decades and even profited from it.

https://en.wikipedia.org/wiki/Crypto_AG

TIL. Didn’t know Germany was involved in that.
It's funny as the Germans had different priorities from the US. The US mainly wanted to use it to extract information, while the Germans also wanted to increase profits so that they have funds outside of parliamentary control and supervision. So they looked more at the business side of things.
I guess funding was not a big issue for the CIA...
They are still flush with cash from decades of running cocaine.
Yeah I doubt the CIA has objected because they got all their needs met from congressional funding. They just already had built plenty of dark money reserves.
The German surveillance state was created and ran by ex-Nazi secret services (Aufklärung Ost), introduced by the CIA (BND = Organisation Gehlen). You have look up the various fascist scandals they have been involved in.
It's worrying how government spies are getting legal cover to impersonate legitimate entities. Like spoofing a phone number and faking the voice of a loved one. You don't need to be able to compel speech, when you can employ doppelgangers.

> There's even a promotional video of how FinFly ISP sends a fake iTunes update and infects the target system with FinSpy

Does Apple not sign iTunes updates?

From the promo video of it running an ancient version of iTunes on Windows Vista and the brochures it seems they inject their malware via software updates in general, not just iTunes.
I wouldn't be surprised if they force the installation of a certificate root they can use to serve malicious updates (for German OS X users, at least). That's a tactic used by agencies in other countries. Apple et al could probably mitigate this with certificate pinning in their updaters but I'm not sure they can get away with that without running into trouble with other countries that expect to be able to MITM updates.
I would be surprised. IIRC those "other countries" are countries like Iran that have also just shut off access to the internet for the country. I still think we have a few more years of internet freedom in Germany before that happens.
uh, if you actually read the links you posted...from the second article one of the people visited by law enforcement said "In my opinion, gasify everyone" [google translate I must admit, but there were plenty of quotes like this that I think its safe to say this is the intended tone]

I don't see how there is any justifiable grounds to talk about killing people with gas in any context, particularly not in this context.

That's the examples they put in press releases. Just for a sanity check on what tiny harmless things are punished by those laws:

https://www.vice.com/de/article/8xe7jg/kuchen-tv-volksverhet...

A Youtuber made a video about an incidents between students where one made a racist joke. He [the Youtuber] said about that joke "that wasn't a bad joke" and got convicted for Volksverhetzung - one of the harshest crimes we have. If you get convicted for that as a non-VIP, your life is effectively over in Germany. That's socially worse than a rape conviction.

And back to the point: whether you consider it right to put people in jail for saying mean things or not - it is absolutely not internet freedom. Not by any stretch of the imagination.

This has nothing to do with NetzDG. If he would have spewed something of that caliber openly on the street he would've had to expect the same thing (depending on where in Germany of course).

That there is no "free speech" in Germany in respect to hatespeech has been the case pre-internet too. I'm not a big fan of NetzDG, but I also have to say that I expected much worse censorship-wise when it passed and I haven't heard of gross misapplications of it so far. If anything Facebook and Twitter show that you can still post a lot of hatespeech despite its existence.

You can do many things: You can pass those laws, put people in jail, make up the term "hate speech" and condemn everyone who does that. But you can not say that we have internet (or any other) freedom in Germany. There is some nice english proverb about a cake and eating it too
You can try to argue that certain things aren't "hate speech" but I don't understand how you can claim it to be a made up term. Hate is a real thing and if you channel that into certain language you get hate speech, plain and simple.

Germany has an interesting history with regards to what various constituents view as protected speech. As someone who hasn't lived in Germany I freely admit that I have a limited view of such things, but as the other poster mentioned these issues precede the internet.

hate itself is real - a word that has a negative connotation, but was never illegal in itself. You could always hate a person or a football club. That word was taken, rebranded to include among other things everything critical of government and made illegal. That's why hate speech is made up. What is called hate speech today was called a rant, "hot take", an insult or whatever just a couple of years ago. Today we literally have a law against "hate crime" - another doubleplusgood word. These things are not real, they're tools to oppress a critical population. Also note that even true things fall under those "crimes". It doesn't matter if what you say is true as long as it's "insulting" to someone.
There are more parts to freedom than just freedom of speech.
What does this have to do with "internet freedom" (whatever that means)? Statements that would get you prosecuted when shouted in the streets have that same effect when posted online. Surprised Pikachu face?
By that logic, China is doing excellent on internet freedom, since whatever is banned online, is also mostly illegal in the streets too.
No, that's not "by that logic". The entire point is that internet freedom is about things that are conceptually impossible to do on the streets. Like using a VPN or having net neutrality. It's not about whether you get to do things on the internet that are otherwise forbidden.
"will" = "according to a proposed law", but sadly par for the course for our governments to push this kind of thing through, even if a good chunk of their surveillance laws get eaten by the constitutional court. (Maybe we should have a rule that you can't be in politics anymore if multiple of the laws you supported were found to be unconstitutional? ...)
Well in theory that's what elections are for. But majority of the population doesn't seem to bother that much about those things and elects conservatives again and again. Need to raise awareness on these topics ... but unfortunately our opposition is split between crazy wannabe populists, a green party trying hard not to loose momentum by bringing up "critical" topics and a weak liberal party with a leader who's mostly there for being joked about. (Yeah, yeah, ignorant and simplified classification)
"will" isn't the exact translation of the headline, the idea is written in an upcoming law that will be discussed (or rubber-stamped?) next Wednesday...
Probably rubber-stamped. But you are right, my translation is confusing. I'm very sorry.
Given the recent series of atrocious child porn scandals in Germany, I think this has a good chance of passing.
Mods: This is an article about a proposed law, so "will" isn't really an accurate reflection (yet, or hopefully at all) and the title should be changed.

My proposal: "New German law would force ISPs to redirect traffic to intelligence services for trojan install" (if that is not to long).

Send this to hn@ycombinator.com as an email.
Yes, you are right, but the current title is just 2 chars under the limit and I couldn't think of a shorter one. Sorry for the somewhat misleading "will".

My somewhat lame excuse: The law will most probably pass, current govt is a coalition of the two largest parties with overwhelming majority and absolutely no clue about anything digital.

Edit: would "shall" work instead of "will"?

What about "may"?
"German proposal would"
There are a couple problems: one is that proposed bills rarely go anywhere, so it's generally best to wait for a state change [1]. Edit: I think we can override this issue, given that surveillance laws are of particular interest to HN and the comment at https://news.ycombinator.com/item?id=23783164.

The other is that HN is an English-language site. We have deep respect for the German language, but articles on HN need to be in English [2]. I've changed it to https://www.privateinternetaccess.com/blog/new-german-law-wo... for now. If there's a better link, we can change it again.

(Submitted URL was https://netzpolitik.org/2020/staatstrojaner-provider-sollen-...)

[1] https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...

[2] https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...

"Sollen" translates to "should" and not "will"

That means there is a element of uncertainty there whether they actually will.

Actually it translated to "have to", not "should" (which would more properly be "sollten").
Better "will have to" .. "if the law is passed".
I would say it more precisely translates to "are supposed to". Although it is clear from the actual content of the article that it would not really be a choice.
No, "are supposed to" is less strict than "must". If the law passes, then they must allow the intelligence services to do this. Or "will have to" if they want to continue to be in the business.
I'm learning German at a fairly low level so I ask this from the perspective of wanting to learn, not as a challenge.

Wouldn't "have to" be "müssen"? In what cases would you use "sollen" to have a similar meaning?

And "sollten" is either Präteritum or Konjunctive II, which as I understand it would both mean "should have", though in different senses. Why is that a more proper translation of "should"?

Most of the times, "sollen" and "müssen" are interchangeable.

However, there are fine nuances between the words.

In that case, "müssen" is more direct and used as a command which has consequences when not followed while "sollen" is more of a prompt or demand that hasn't to be followed.

I think a better translation for 'sollen' would be 'shall'.
Sollten is indeed Konjunktiv.
Full text from the netzpolitik article:

> Provider sollen Internetverkehr umleiten, damit Geheimdienste hacken können

> Geheimdienste wollen Hardware bei Internet-Providern installieren, um Staatstrojaner in Datenverkehr einzuschleusen. Das steht in einem Gesetzentwurf zum Verfassungsschutzrecht, den die Bundesregierung nächste Woche beschließen will. Die Provider wollen keine Hilfssheriffs sein.

> [...]

> Konkret müssen Anbieter die Installation des Staatstrojaners „durch Unterstützung bei der Umleitung von Telekommunikation … ermöglichen“.

So it translates to "would have to, if the law goes into effect unchanged".

so that roughly translates to the state should have access to my personal property( computer / data ) and should have the right to do so by any means necessary. that sounds much better do remember article 11 and 13 were drafts aswell.
Yes, you are right, I'm sorry for the somewhat misleading translation. But I felt "should" instead of "must" would be more confusing, because that would sound somewhat like "the author would like that". Which he definitely doesn't. Anything longer wouldn't have fit the limit.
FYI: pervasive mass internet surveillance by the US military with the active cooperation of large US telcos AT&T, Verizon, and others already enables this capability in the US and much of the rest of the world.

The surveillance allows them to read the TCP sequence numbers or DNS query IDs, and then spoof valid response packets.

It’s called QUANTUMINSERT.

https://blog.fox-it.com/2015/04/20/deep-dive-into-quantum-in...

Is this relevant since nearly everything is https these days?
DNS usually isn’t, and TLS still runs over TCP, which is vulnerable to this type of hijacking, so yes, it is indeed still relevant due to both resolution as well as transport layer.

NSA would be very bad at their job indeed if they couldn’t issue valid TLS certificates for any domain to themselves.

>NSA would be very bad at their job indeed if they couldn’t issue valid TLS certificates for any domain to themselves.

Is there any evidence of this? With certificate transparency being mandatory a few years ago, you'd think that the NSA would be caught at least once.

The NSA released a who-knows-how-many-day in crypto32.dll to Microsoft recently that allows one to bypass app/driver EC certificate verification. It’s called CVE-2020-0601.

My assumption is that they had it for years and released it for patching the moment they detected anyone else using it.

https://www.cbronline.com/cybersecurity/crypt32-dll-vulnerab...

It’s not TLS, but it’s close. I still think they’d be bad at their job if they didn’t have some method of getting valid certs, and I don’t think they are bad at their job. With bulk collection they may be able to spoof replies to LE DNS verification. There are lots of avenues.

There are 270+ CAs out there. All the NSA has to do is compromise the CA cert keys of one of them and they can then generate their own valid certs, completely disconnected from CT. All CT tells you is somebody goofed, was tricked into issuing a cert, or an account was compromised and an attacker generated a cert. In other words, not-super-advanced attacks.

The NSA have plenty of tricks. They intercept devices being shipped around the country/world, they tap cables, they dig into airgapped networks, they compromise satellites, they compromise the internal networks of the world's biggest corporations. They've been doing this for decades. If we don't believe they can compromise one organization out of 270...

> and they can then generate their own valid certs, completely disconnected from CT

Aren't browsers now requiring that certificates from many CAs (if not all of them) are submitted to CT before they are accepted as valid by the browser? That is, a certificate without an attached CT proof, even if it has a valid signature from the CA, will be treated as invalid.

(However, given what's being talked about (MITM of software update servers), this might be enough if the libraries being used by the software updater are not as strict as the browsers, and don't require an attached CT proof.)

My guess is that Germany will lose its web hosts as no one will trust to host anything in that country if this passes.
I live in Denmark and buy hosting/email from a Danish company, but their servers are in Germany. I wonder if they will switch to having servers in other countries (or locally, as they used to have). Otherwise, I'll have to find a different provider.
It's primarily about ISPs, not data centers. Your servers are typically secured with SSL.
Backbones appear to be included.
Possibly, but it's much harder to intercept and mitm specific traffic at that level. On the ISP-side, that's different: they can with high certainty say that some traffic is coming from/to a specific suspect, much like a phone surveillance. This might also apply to individual service, e.g. an email provider.
If it's in a data center security services have physical access.
But they'd need to filter out traffic for a specific suspect. It's unlikely that their approach will be to try to install trojans on every client computer that has traffic that goes through some DC. And if they want to take over a server they know the location of: they already can.

From my experience in a case where a previous version of that tech has been involved (though normal LE, not intelligence), they do take all the available measures to only hit the target, it's not a shot gun approach.

I think you can collect a lot of good data for law enforcement purposes by tapping datacenter networks. Remember the NSA's "SSL added and removed here :-)" slide?

Raise your hand if you use TLS between your database server and your web frontend. Keep your hand up if you rotated that certificate in the last month. Keep your hand up if you know whether your database's certificate has been tampered with. (i.e. do you check that it's signed by your internal CA? Then who is signing it? Who maintains the ca-certs package? What does the certificate verification code even look like?)

No hands up? Good! The government thanks you for your service. Keep doing what you're doing, they'll keep you safe.

Yeah, but Germany's intelligence services aren't the NSA, neither regarding technical ability, nor regarding the lack of mission constraints. I'm sure they'd love to get their hands on DE-CIX as a whole, but they won't unless somebody with a US passport sits in on the meeting - and if they have that person, they don't need German laws.

I believe that these changes target ISPs and providers like mailbox.org, posteo etc, that have been "privacy first" and not too friendly. These laws aren't for wholesale data intake, they are more like phone surveillance with the added bonus that they (the ISPs and service providers) will be not only required to let them listen in, but to also allow them to inject trojans into the traffic that is being transported. These are very closely related to our laws for mailing services that contain similar things (the wording is very similar as well). They're not for the intelligence services to just walk in and say "Hi, we'll take everything, please", they still require a court order and target specific individuals.

Its german BND sitting at DE-CIX, but they fully cooperate with NSA to the point where they had to answer some ugly questions about why the fuck they helped a foreign intelligence service to literally spy on the german governement. Answer was: they don't verify what NSA queries, they automatically run the selector list and send them the data.
Yes, but as you see, that's already legal (especially if with US-involvement). This is different from that, as it contains the requirement for the provider to manipulate traffic.
> Raise your hand if you use TLS between your database server and your web frontend. Keep your hand up if you rotated that certificate in the last month. Keep your hand up if you know whether your database's certificate has been tampered with. (i.e. do you check that it's signed by your internal CA? Then who is signing it? Who maintains the ca-certs package? What does the certificate verification code even look like?)

I’m standing here with my hand up :)

Snowden uncovered astonishing breaches of Trust in the US, has there been a major loss of Hosts here?
I accept the principle; I wish people would take more action, but I for one am American and I have shifted most of my hosting out of the US because of it. I probably don't have much worth spying on, but on principle I oppose any form of blanket surveillance.
Nope, everyone happily shovels all of their data, as well as all of the data their customers provide them, into AWS, which is very cosy with the US military.

You can be reasonably certain that anything in AWS is available to US military intelligence without judicial oversight.

Every American service and product needs to be treated as compromised, it really comes down to that.

Individual companies now need to earn back basic trust.

This doesn't mean you have to completely abandon your favourite service, just have to modify the way you utilize it.

For example, if you absolutely have to use Google Drive, be sure to encrypt your files with appropriate strength first and assume they are actively trying to decrypt and build a file on you.

>American

Why single out America, Snowden's leaks showed the entire Anglo-sphere is compromised(Five Eyes). Is there any reason to think this isn't the case in any NATO/OECD/etc. country?

Not exactly as easy as they make it sound, thanks to encryption and especially signing. Of course there's probably still enough software not using it and/or users not paying attention.
Is it possible to modify HTTPS traffic? Wouldn't they have to replace the CA certs on the target machine first before being able to modify that traffic?
They just have to hijack one existing CA that's within their jurisdiction and force it to issue MITM certs. Key pinning or certificate transparency may mitigate this.

Or the MITM box could use some kind of HTTP downgrade attack and not worry about certificates at all.

That would "burn" the CA (it will be removed and/or blacklisted from every major browser and operating system once it's exposed, and exposing it gets much easier with the recent push towards certificate transparency), so it can only be done once per CA.
After first try all german CAs may get removed so probably once ever
Just wait a few years. I'm sure we will get something to support this on the EU level. It'll be positioned as fighting for your freedom and every company that doesn't implement them is the worst.
I would hope that any CA they try to force this on sues them, as that leaking would surely destroy their business.
Certificate transparency would not work against targeted MITM attack
I think your worry is a bit out of scope. There is a thing called "Verhaeltnismaessigkeit" in Germany, and in most other countries where "The Rule Of Law" applies, to paraphrase Trudeau. Meaning: You are not allowed to burn down the house just because the neighbor was playing the music too loudly. So others are not to caught in the cross-fire of this operation. So it will be a very technical challenge to overcome these obstacles. And since an ISP is not providing updates, coercing OS vendors to alter the CA's for a specific user is a bit far-fetched. The more likely approach is the acquisition of cryptographic keys to create one's own SSL-Certificiate. Now: This is the domain of the intelligence-community. Their bread and butter. Compared to the rest of the world, this community is heavily regulated; you just have to think of the CIA's Black Budget or other agencies from less pleasent countries to get a comparison. It is best they get the legal framework in place (s.o. heralded it as the OS for society once). The alternative would be clandestine operations outside the law, and that is never good. Only requirement I would demand for s.th. like this: The solution mustn't be scalable, as to ensure to avoid a subjecting large swats of a population to this, which is challenging with technologies these days. The good thing is that ISPs will not keel over just because the police are requesting it. After all they have a reputation and their customers to protect and, let's face it, this is not China, Russia, Iran or some other country were you vanish for far less than demanding more paperwork and speaking out against executive orders. As long as the mechanisms of a society are functioning and everyone watches everyone and there is due process it works. It will be a problem if these mechanisms fail though. I for one will be watching with keen interest.

As for the new root certificate to a domain for the agencies: I already pointed out, s.w. in this discussion, that there is a mechanism called Certificate Pinning. Works wonders if the server configured it. So yes, they are working on the legal framework, but thanks to the foresight of engineers and people concerned with safety for the general non-technical and technical internet-population, it is a hard challenge officials are facing.

There is no certificate pinning anymore, it's deprecated. Your whole argument is based on the state actually playing nicely and assume a meaningful oversight of intelligence, both are hopelessly naive.
Based on the headline I hoped they were fixing trojans by redirecting C&C traffic to the government, but no, the government is installing trojans. :-(
I laughed. You may well be the most optimistic person on HN. Bravo.
Pretty shocking in a state that has such strict privacy laws. Not sure how the two can come from the same mouth, and even be in public view.

My understanding is that the privacy restrictions are largely the result of half the country having lived under the Statsi, and thus being extremely weary of government eyes. Here it’s out in the open!

There is something hilarious and schizoid in how Germany is perceived and the realities about this country.

They have strict privacy laws? First Nazi personel in the first half then Stasi personel in the second half of the 20th century were simply requalified and rehired, each bloody time. How do you think?

They are top environmentally-friendly country? Highest polluting coal power plants in EU are located in Germany.

These are both known and highly controversial issues in Germany. The first one is widely accepted as without any alternative. You can't just replace a whole bureaucracy and in retrospect it worked out to only change key positions. But obviously it was a healing and cleaning process over time. The other thing is to be attributed to the fact the we were very quick to abandon atomic power even before climate change issues were that popular. Its a hilarious contradiction. We now actually also have a plan to also get rid of the coal power plants but it will be hard, maybe we need to reintroduce the candle as a source of light. There is no lack of willingness and intent but reality has us all in its tight grip.
You forgot the Nazi personal in the 2nd half. The BND is a NAZI organization. Lookup Gehlen. Didn't change much after they died, if you look at the various BND scandals since.
<redacted>

Obviously, the OP was talking about the perception of Germany today and I think we can safely assume that no Ex-Nazi personnel is currently working at the German secret service. And coming to think of it, why wouldn't someone whose qualified to spy on others be rehired to do the same job in Germany after the end of GDR? What do you think secret services do?

Regarding "environmentally friendly", this point is correct but you're omitting that Germany just recently passed a law to get out of coal until 2038. The energy produced in Germany will then be pretty much exclusively renewable which is not a small feat for a country with such a large population.

> Hilarious and schizoid are adjectives that I would assign to your post.

Sorry but you are rude.

> I think we can safely assume that no Ex-Nazi personnel is currently working at the German secret service

Stasi personel though?

Are you expecting that people using such nuanced and subtle techniques like Zersetzung against domestic population [1] will suddently become ethical towards anyone they perceive as threat? or as undesirable?

On the facade Germans get some show off initiatives (no Street View!), behind the scenes is business as usual.

[1] https://en.wikipedia.org/wiki/Zersetzung

> Sorry but you are rude.

Yes, you are right. I apologize, I clearly went overboard.

> Stasi personel though? [...]

I think it's just an over-generalization. Just because you worked for the Stasi automatically makes you a bad fit for a certain job. It really depends.

>Just because you worked for the Stasi automatically makes you a bad fit for a certain job.

I am sorry, I am from Russia initially, the KGB-land. No, it's not an over-generalization.

Nazis were indeed rehired to senior positions, but sensitive parts of the civil service were purged of Stasi operatives, although this did take a long time, especially in Saxony. There has been some resentment of the fact that this often meant that the civil service in Eastern states is dominated by 'Wessies'.

https://www.reddit.com/r/AskHistorians/comments/3j90ua/what_...

>Pretty shocking in a state that has such strict privacy laws. Not sure how the two can come from the same mouth, and even be in public view.

Because they're not necessarily contradictory. This doesn't just give secret services a blank cheque to spy on everyone, it just provides intelligence agencies with a tool.

I'm German and I don't object in principle to the fact that intelligence, under supervision of the government, has the ability to say, infiltrate criminal networks using software like this. Under certain circumstances the police was always able to wiretap a phone, I don't see the difference here other than this taking into account the changing circumstances of internet communication.

Also from a cultural standpoint if anything people in Germany are more sceptic of erosion of privacy by private power than by the state, we're not the US. The former is pretty much unconstrained, the latter is so tightly limited in scope by law it's not really a practical issue. The scary thing about the Stasi wasn't that they were inteliigence, every country has intelligence officers who can bug someone's home, it was that the GDR was an autocratic regime.

They can wiretap, sure, but they can’t practically compel you to give up your book cipher.
Sure, but a police operation surely could attempt to swap the book cipher out for a compromised one, no?

I think the idea that communication ought to be categorically out of reach of intelligence is very novel. I don't think it was even conceivable decades ago that, with legal justification, intelligence could not hack or be completely locked out of the communication of some network. For criminals who are savy enough, tech has made it much harder, not easier for the government to do their job.

I think there is also a very paradoxical side-effect. A harmstrung government may resort to outsourcing its intelligence work. I read a story about private firms in the US collecting license plate information and selling it back to the police. Clearview AI is certainly another example. If the agencies are limited, there is a real chance of both ineffective policing and a huge unregulated surveillance grey market. I would rather equip the government with enough capacity, but strong legal checks.

Legal checks are a mile-long leash, no matter how strong the cord. This is exchanging freedom for security, since a backdoor like this doesn’t require breaking glass.
The scary stuff about the current development is, that we get flooded with arguments about hardcore criminals, but if you look at the actual changes to the laws, such restrictions are not made, instead these extreme measures are allowed for petty reasons and some politicians will still keep pushing for even more totalitarianism. These siloviki want mass surveillance comparable to what Chinas Ministry of State Security or USAs National Security Agency have. It does not matter if Germany is not ruled by an autocratic regime at the moment, once such systems are in place, it will be.
> It does not matter if Germany is not ruled by an autocratic regime at the moment

I totally get the appeal of that argument, but it completely breaks down once I ask myself how much that autocratic bogeyman regime, once it got into power, would feel bound by privacy protections put in place by their predecessors.

The question is rather: can they use preestablished structures and machinery or do they need to build it from the ground up. Surveilance also needs work, and its less work if everything is prepared.
my point was more: any liberal social democratic society that subjects itself to every increasing censorship and surveillance will devolve towards totalitarianism.
Can you explain surveillance leads to totalitarianism? It's not obvious to me.
Totalitarianism has been the mode of human governance since prehistory. It's great, effective, and always tempting. The Western world today is the exception, not the rule.

It's also really hard to establish or continue without the surveillance to detect rebellion and corruption.

It makes a big difference, actually. Few regimes go full-on totalitarian right away - it's more common to have a gradual erosion, where they operate within the letter of the law for a while, while gradually diminishing the spirit. So the more the letter allows, the more abuse you'll see from the get go.
Some other shocking stuff from Germany: far right supporters in the military stealing ammunition/weapons (and an alleged plot to assassinate someone):

https://www.bbc.com/news/world-europe-53237685

https://en.wikipedia.org/wiki/Day_X_plot

Someone said that's a result of constant under-funding and treating your military with no respect - when it's only seen as a choice for those who can't "do any better", you'll get extremists among the ranks.

Sounds plausible, at least in the US soldiers seem to be highly respected and in turn, they respect the country and its people.

> Pretty shocking in a state that has such strict privacy laws

If viewed from the different perspective of government intrusion on tech, it can appear less shocking. A government encouraged by its citizenry to use its leverage over tech companies will continue to do so, and not always in the same ways.

Is the Trojan based on magic? How will redirecting target computer infect it. What about out tipping off the suspect when it fails to implant?

This idea is fantasy.

Well either those advising the legislature, who actually carry out the hacks for the security services in Germany, are idiots; or they're very clever people and know exactly what they're doing.

Or I guess it could be security theatre, or a diversion, but neither of those seems compelling here.

My vote is that, whilst I can't understand how it's accomplished as it seems contrary to technical possibility, that the people with billions of funding to make these things possible (Five Eyes, etc.) are probably capable of many things that look like magic.

?

(comment deleted)
What does "trojans at ISPs" even mean? TLS works end-to-end and ISPs can do absolutely nothing to see the plaintext. It's unless the CAs at users-side are manually replaced with fake ones nothing can be done. I've never used Windows since I was a kid but I am sure this is pretty much impossible on Linux for example since adding CAs require root privilege.
Presumably, Germany would have little trouble compelling at least one root CA to sign any TLS certificates they wanted. Just a cursory search shows that Google Chrome, on Linux, trusts, e.g.

> CN = D-TRUST Root CA 3 2013 > O = D-Trust GmbH > C = DE

There is certificate transparency and pinning and so on, and they would be caught (probably, maybe) if they abused this carelessly and at scale, but in practice, for a small number of targets, it would be trivial to wait for users to connect to a less secured TLS site or even a plain-HTTP site (plenty still exist), and then use a browser exploit as the stage 1, followed by whatever escalation of privilege exploit and rootkit is needed. TLS is really good at preventing always-on dragnet surveillance of everyone's internet traffic, but not a counter measure against targeted nation state level attacks.

Well. That is the reason for Certificate Pinning. And these days there is no excuse to not enable it server-side. Helped me detect some MITM-Interceptions. Not that the content was malicious (OpenDNS just rerouted my requests to a "This site is blocked page", but the certificate was signed by Cisco, and thus valid. Certificate Pinning still picked it up. Little hint: It was an Archlinux-site.).
Google, Mozilla, et al. should make a commitment to revoke the trust of any CA that is found to partake in behavior like that. Even retroactive revocation of existing certificates shouldn't be off the table if the offense is egregious enough.

It's actually pretty scary seeing just how many CAs are in the list of trusted CAs on any given device. While no government is beyond reproach, I do wish there were a way for me as a user to say "don't trust anything signed by CAs outside of these few countries, since it's most likely a hijack, phishing, or in the rare case that I did try to visit some random site, I can approve it manually."

You could, for example, use the Certificate Manager in Firefox to delete specific authorities you do not trust.
Browsers blacklisted Kazakhstan government certificate used for MITM which was not even trusted. It is absurd to expect anything less than blacklisting such a CA immediately. Certificate transparency is required for all certificates since April, 2018, so you can't really issue rogue certificate.
Here's the Bugzilla report where they actually request their root be added to Firefox:

https://bugzilla.mozilla.org/show_bug.cgi?id=1232689

The answer is basically "no".

AFAIK they used different certificate for MITM. Currently they are using certificate mentioned in that bug to issue certificates for government websites (like https://elicense.kz/ ), so actually a lot of citizens who need to use government services have to install that certificate as a root anyway.

I don't think that they would use that certificate for MITM. They're not fools and they understand that it would lead to blacklisting it which would halt a lot of operations in the country.

> It is absurd to expect anything less than blacklisting such a CA immediately.

Is it, though? Germany has a lot more economic leverage than Kazakhstan. Suppose they pass a law requiring any browser sold or otherwise offered on the German market to have the government certificate in the chain of trust... how many large companies would cave?

(comment deleted)
Thanks for this very insightful comment. I'm sure that wasn't obvious to many. It certainly wasn't to me.
For many things there isn't really need to get the payload. Get the IP addresses, DNS lookups and TLS SNI information and correlate to information gathered from elsewhere and you can derive a lot.
+1 Hopefully DNS over tls and new sni encryption standards will put an end to all this in next 5-10 years
+1 for the optimism, but unfortunately even with those mitigations it is not enough. Using a VPN in combination with DoT/H is currently best practice I believe.
Even multi-layer VPNs or Tor leak data via global correlation attacks. We need VPNs and Tor to start doing network bandwidth padding.
Yes, I agree. Is there anything we can do in the meantime?
think mobile - isp are the place to conduct baseband attacks from.
Think storage - in a snowglobe kind of way, networking is just a dynamic storage pool (or tamperable storage in this case).

No-frills data means a lot nowadays.

FinFisher has "drive by infection" packages for sale called FinFly that require traffic injection, according to their brochure. How exactly those work today, i do not know. For example: until 2011 they used a bug in the self update code of iTunes. Having a network level man in the middle can benefit many complex exploit chains.
I hope someone sees this and can enlighten us on how the technique currently works with TLS being more prevalent.
Conceivably: If you have MITM and can inject... you'd next need web browser 0day exploit chain w/ sandbox escape and then a stealthy trojan to install. This would obviously be quite the capability and require a lot of maintenance to work cross-browser, cross-OS, and evade security products / built-in security features. It is definitely possible however.
The "Trojan" is simply the rhetorical framework chosen by German authorities. Their initial successful push for computer surveillance was in the form of the "state trojan", a piece of malware proposed to be installed on the systems of suspected criminals. Successive pushes have aimed at expanding out from there, using the existing capabilities as justification.
That is a good question.

Looking at some of Citizen Lab’s excellent reporting on FinFisher shows that victims were redirected to regular unencrypted http downloads when the malware was installed.

One of the examples given was when a user tried to download Avast antivirus from a well-known software hosting site and the download was done over http.

There are several security sites that have downloadable packet captures of malware infections where you can see in Wireshark that redirects are commonly used.

Browsers should phase out and block executable downloads from HTTP sources in 12 months.
They should not.

They should maybe give bigger warnings, but lets not break all of the old web just to protect a few more people against themselves.

Any untouched, unpatched, unmaintained executables from 2007 should not be ran today, period.
Well they can still see (to some extent) which websites you visit, and how often. And how much data you upload or download.
The law only requires an ISP to redirect traffic to a target specified by the Verfassungschutz (Constitutional Protection Office) or BND (Federal Information Office), for the purposes of listening in or modifying traffic. It doesn't seem to require installing or providing TLS cracking.
(comment deleted)
VPN service providers can expect a pretty good future for them (not only with this, but also the new EU copyright guidelines).
And Tor.
https://metrics.torproject.org/rs.html#search/country:de

This shows 1,648 relays potentially having their traffic monitored under this law. Out of 6,432 relays, that makes up more than 25% of all Tor relays.

Unfortunately, Tor's design doesn't really go far enough in protecting against adversaries with large swaths of visibility. Perhaps it's time for people to begin shifting to I2P, or some other overlay network with more resilience against these types of adversaries.

Edit: This page gives you a nice visual representation of how much that consists of. Germany is the big one. https://metrics.torproject.org/bubbles.html#country

Tor might not protect anonymity effectively in that case, but in the case given it would still offer protection because of the way the relay circuits are designed.
Unless it's an exit node. 251 of 1,249 exit nodes reside in Germany, or roughly 20%. Exit nodes aren't supposed to modify traffic, so if the compromise is happening upon leaving the exit node en route to whatever destination, that would still trickle back through all the hops.
So you're saying the government should get in the business of providing VPN service?
Sound strange to me that they need a law for this, unless it is intended as leverage to coerce ISPs into collaboration. Secret service agencies do exist for the purpose of doing nasty things governments cannot afford to put their names on, or even be associated with; this would include spying on own citizens. In other words they'd do what they have already done for decades, but this time since it involves ISPs, ie a third party whose collaboration and silence are necessary, it is possible that the regulation includes also some kind of gag order preventing ISPs to tell their users they're under surveillance.
Does that imply that the German intelligence service has the crypto keys for Windows Update? Otherwise modified Microsoft updates won't work.
Germany hassome weired laws that prohibit the use of "hacker tools". How can there be a German company creating these tools?
some animals are more equal than others
The hacker tool paragraph is pretty toothless. I just checked one of those legal tech apps and see 12 judgements total that even mention it. There was quite a bit going on when it passed that effectively clarified that working on, and with, tools like that is legal when there's an assumption of dual use for legitimate purposes, e.g. security research (which is like... all of them). LE use would likely benefit from the same assumption.
Germany, the US, and Mexico all in the same week? The oligarchs are getting worried, it would seem.
Huh? What do you mean?
Well, as far as I know, all of these countries have political systems in which representatives are supposed to act on the behalf of the people. Basically, we can't all work full time to understand every political thing, and vote on them all, so we have someone do it for us: a representative.

Representatives very rarely represent themselves, and are almost always representing either powerful people ( often through lobbying) or citizens.

Given that an absolute minority of citizens are asking for this, it's fair to say it's a top down decision. Most citizens are concerned with things that aren't changing at all, if you'd like further proof on who the representatives work for.

By virtue of it being a top down decision, it is almost certainly being pushed by a small group of very powerful people. When a small group of people have all the power, that's called an oligarchy.

So the question is, why is the oligarchy pushing so hard for control of the internet right now? Well, it's probably not for fun.. so they are worried, I suppose.

Why they are so scared of citizenry though? Anyone that is criminal or really needs security will just use Faraday Cages with disconnected computers.

Literally there is nothing they can do against big league criminals with this much mass surveillance, so only logical conclusion is that this is only intended for use on citizenry.

It's the only logical conclusion. And given that there's so many of us, and so few of them, and they've been taking advantage of us in a very abusive way... I don't think they're wrong. I think there's a good chance this goes sour for them.
I've tried to explain my thoughts on this before, so I'll give it the ol college try again.

I propose that the decentralized anarchistic, freedom of thought nature of the internet has essentially forced an acceleration the timetables for the totalitarian dystopian system.

The internet caught the oligarchs off guard, in the big scheme of things (the oligarchs make plans that their grandchildren execute)... and it took them a bit to catch up, and they now see it as the primary threat to their otherwise nearly total control of the mass consciousness. Think of every medium of communication, and see how it was more or less captured and controlled, whether it be print, radio, or television, and see that although heavily under attack, the internet is still very free, at least at it's core.

This creates a sort of arms race where the oligarchs must corrupt, control and compromise it faster than it can respond in a way that reveals enough of the truth to the masses that they risk some sort of neo-peasants revolt. In that goal they will use their already long tendrils into government and corporate ownership networks et al to accomplish the task. I could get into the nitty gritty, but that's the meta summary.

Surveillance is about control, not about security, but they have gotten very good at the Oxford debate posing that it is. (lamentations about the end of the nation state actor security threat for one)

It weirds me out that you're probably the first person I've seen in years on the internet saying something this "bold" and unambiguous.

I often wonder if there's some system in place which separates us. Or perhaps the combo of logic, intuition, and honesty is just super rare. I don't know, but I hope you're doing well and having a reasonably fulfilling adventure amongst this hellishly senseless superstition culture.

Friendly reminder to go out and see the stars from time to time.

Anarchists and other like-minded people have been aware and vocal about this power structure for decades, centuries even, long before the internet existed.

Why do you think anarchists have generally been tarred as destructive and dangerous in the media and by the political and corporate establishment for so long?

The most insidious thing is that the status quo has become so ingrained in people that they reflexively downvote, censor and ban anarchists, because their masters tell them to.

Big tech is very much a part of the problem.

Thank you for the kind words stranger. I find myself staring at the stars quite frequently actually. Nothing like a full moon night in the desert or high country.

For what it's worth, the journey to this place was not easy for me, and has taken years of searching and learning. The constant struggle is against giving up, apathy is the glove into which evil slips it's hand and all that.

Just shows how rotten to the core the services are.
Has anybody found any credible institutional source on this?
There are a lot of insecure updaters. I remember reading the list from evilgrade a few years back. It was shocking.