It's funny as the Germans had different priorities from the US. The US mainly wanted to use it to extract information, while the Germans also wanted to increase profits so that they have funds outside of parliamentary control and supervision. So they looked more at the business side of things.
Yeah I doubt the CIA has objected because they got all their needs met from congressional funding. They just already had built plenty of dark money reserves.
people might laugh at you but Colombian "cartels" have deep ties with the government and the military. They even know the patrolling routes of the US Navy.
The German surveillance state was created and ran by ex-Nazi secret services (Aufklärung Ost), introduced by the CIA (BND = Organisation Gehlen). You have look up the various fascist scandals they have been involved in.
It's worrying how government spies are getting legal cover to impersonate legitimate entities. Like spoofing a phone number and faking the voice of a loved one. You don't need to be able to compel speech, when you can employ doppelgangers.
> There's even a promotional video of how FinFly ISP sends a fake iTunes update and infects the target system with FinSpy
From the promo video of it running an ancient version of iTunes on Windows Vista and the brochures it seems they inject their malware via software updates in general, not just iTunes.
I wouldn't be surprised if they force the installation of a certificate root they can use to serve malicious updates (for German OS X users, at least). That's a tactic used by agencies in other countries. Apple et al could probably mitigate this with certificate pinning in their updaters but I'm not sure they can get away with that without running into trouble with other countries that expect to be able to MITM updates.
I would be surprised. IIRC those "other countries" are countries like Iran that have also just shut off access to the internet for the country. I still think we have a few more years of internet freedom in Germany before that happens.
uh, if you actually read the links you posted...from the second article one of the people visited by law enforcement said "In my opinion, gasify everyone" [google translate I must admit, but there were plenty of quotes like this that I think its safe to say this is the intended tone]
I don't see how there is any justifiable grounds to talk about killing people with gas in any context, particularly not in this context.
A Youtuber made a video about an incidents between students where one made a racist joke. He [the Youtuber] said about that joke "that wasn't a bad joke" and got convicted for Volksverhetzung - one of the harshest crimes we have. If you get convicted for that as a non-VIP, your life is effectively over in Germany. That's socially worse than a rape conviction.
And back to the point: whether you consider it right to put people in jail for saying mean things or not - it is absolutely not internet freedom. Not by any stretch of the imagination.
This has nothing to do with NetzDG. If he would have spewed something of that caliber openly on the street he would've had to expect the same thing (depending on where in Germany of course).
That there is no "free speech" in Germany in respect to hatespeech has been the case pre-internet too. I'm not a big fan of NetzDG, but I also have to say that I expected much worse censorship-wise when it passed and I haven't heard of gross misapplications of it so far. If anything Facebook and Twitter show that you can still post a lot of hatespeech despite its existence.
You can do many things: You can pass those laws, put people in jail, make up the term "hate speech" and condemn everyone who does that. But you can not say that we have internet (or any other) freedom in Germany. There is some nice english proverb about a cake and eating it too
You can try to argue that certain things aren't "hate speech" but I don't understand how you can claim it to be a made up term. Hate is a real thing and if you channel that into certain language you get hate speech, plain and simple.
Germany has an interesting history with regards to what various constituents view as protected speech. As someone who hasn't lived in Germany I freely admit that I have a limited view of such things, but as the other poster mentioned these issues precede the internet.
hate itself is real - a word that has a negative connotation, but was never illegal in itself. You could always hate a person or a football club. That word was taken, rebranded to include among other things everything critical of government and made illegal. That's why hate speech is made up. What is called hate speech today was called a rant, "hot take", an insult or whatever just a couple of years ago. Today we literally have a law against "hate crime" - another doubleplusgood word. These things are not real, they're tools to oppress a critical population. Also note that even true things fall under those "crimes". It doesn't matter if what you say is true as long as it's "insulting" to someone.
What does this have to do with "internet freedom" (whatever that means)? Statements that would get you prosecuted when shouted in the streets have that same effect when posted online. Surprised Pikachu face?
No, that's not "by that logic". The entire point is that internet freedom is about things that are conceptually impossible to do on the streets. Like using a VPN or having net neutrality. It's not about whether you get to do things on the internet that are otherwise forbidden.
"will" = "according to a proposed law", but sadly par for the course for our governments to push this kind of thing through, even if a good chunk of their surveillance laws get eaten by the constitutional court. (Maybe we should have a rule that you can't be in politics anymore if multiple of the laws you supported were found to be unconstitutional? ...)
Well in theory that's what elections are for. But majority of the population doesn't seem to bother that much about those things and elects conservatives again and again. Need to raise awareness on these topics ... but unfortunately our opposition is split between crazy wannabe populists, a green party trying hard not to loose momentum by bringing up "critical" topics and a weak liberal party with a leader who's mostly there for being joked about. (Yeah, yeah, ignorant and simplified classification)
"will" isn't the exact translation of the headline, the idea is written in an upcoming law that will be discussed (or rubber-stamped?) next Wednesday...
Mods: This is an article about a proposed law, so "will" isn't really an accurate reflection (yet, or hopefully at all) and the title should be changed.
My proposal: "New German law would force ISPs to redirect traffic to intelligence services for trojan install" (if that is not to long).
Yes, you are right, but the current title is just 2 chars under the limit and I couldn't think of a shorter one. Sorry for the somewhat misleading "will".
My somewhat lame excuse: The law will most probably pass, current govt is a coalition of the two largest parties with overwhelming majority and absolutely no clue about anything digital.
There are a couple problems: one is that proposed bills rarely go anywhere, so it's generally best to wait for a state change [1]. Edit: I think we can override this issue, given that surveillance laws are of particular interest to HN and the comment at https://news.ycombinator.com/item?id=23783164.
The other is that HN is an English-language site. We have deep respect for the German language, but articles on HN need to be in English [2]. I've changed it to https://www.privateinternetaccess.com/blog/new-german-law-wo... for now. If there's a better link, we can change it again.
I would say it more precisely translates to "are supposed to". Although it is clear from the actual content of the article that it would not really be a choice.
No, "are supposed to" is less strict than "must". If the law passes, then they must allow the intelligence services to do this. Or "will have to" if they want to continue to be in the business.
I'm learning German at a fairly low level so I ask this from the perspective of wanting to learn, not as a challenge.
Wouldn't "have to" be "müssen"? In what cases would you use "sollen" to have a similar meaning?
And "sollten" is either Präteritum or Konjunctive II, which as I understand it would both mean "should have", though in different senses. Why is that a more proper translation of "should"?
Most of the times, "sollen" and "müssen" are interchangeable.
However, there are fine nuances between the words.
In that case, "müssen" is more direct and used as a command which has consequences when not followed while "sollen" is more of a prompt or demand that hasn't to be followed.
> Provider sollen Internetverkehr umleiten, damit Geheimdienste hacken können
> Geheimdienste wollen Hardware bei Internet-Providern installieren, um Staatstrojaner in Datenverkehr einzuschleusen. Das steht in einem Gesetzentwurf zum Verfassungsschutzrecht, den die Bundesregierung nächste Woche beschließen will. Die Provider wollen keine Hilfssheriffs sein.
> [...]
> Konkret müssen Anbieter die Installation des Staatstrojaners „durch Unterstützung bei der Umleitung von Telekommunikation … ermöglichen“.
So it translates to "would have to, if the law goes into effect unchanged".
so that roughly translates to the state should have access to my personal property( computer / data ) and should have the right to do so by any means necessary. that sounds much better do remember article 11 and 13 were drafts aswell.
Yes, you are right, I'm sorry for the somewhat misleading translation. But I felt "should" instead of "must" would be more confusing, because that would sound somewhat like "the author would like that". Which he definitely doesn't. Anything longer wouldn't have fit the limit.
FYI: pervasive mass internet surveillance by the US military with the active cooperation of large US telcos AT&T, Verizon, and others already enables this capability in the US and much of the rest of the world.
The surveillance allows them to read the TCP sequence numbers or DNS query IDs, and then spoof valid response packets.
DNS usually isn’t, and TLS still runs over TCP, which is vulnerable to this type of hijacking, so yes, it is indeed still relevant due to both resolution as well as transport layer.
NSA would be very bad at their job indeed if they couldn’t issue valid TLS certificates for any domain to themselves.
The NSA released a who-knows-how-many-day in crypto32.dll to Microsoft recently that allows one to bypass app/driver EC certificate verification. It’s
called CVE-2020-0601.
My assumption is that they had it for years and released it for patching the moment they detected anyone else using it.
It’s not TLS, but it’s close. I still think they’d be bad at their job if they didn’t have some method of getting valid certs, and I don’t think they are bad at their job. With bulk collection they may be able to spoof replies to LE DNS verification. There are lots of avenues.
There are 270+ CAs out there. All the NSA has to do is compromise the CA cert keys of one of them and they can then generate their own valid certs, completely disconnected from CT. All CT tells you is somebody goofed, was tricked into issuing a cert, or an account was compromised and an attacker generated a cert. In other words, not-super-advanced attacks.
The NSA have plenty of tricks. They intercept devices being shipped around the country/world, they tap cables, they dig into airgapped networks, they compromise satellites, they compromise the internal networks of the world's biggest corporations. They've been doing this for decades. If we don't believe they can compromise one organization out of 270...
> and they can then generate their own valid certs, completely disconnected from CT
Aren't browsers now requiring that certificates from many CAs (if not all of them) are submitted to CT before they are accepted as valid by the browser? That is, a certificate without an attached CT proof, even if it has a valid signature from the CA, will be treated as invalid.
(However, given what's being talked about (MITM of software update servers), this might be enough if the libraries being used by the software updater are not as strict as the browsers, and don't require an attached CT proof.)
I live in Denmark and buy hosting/email from a Danish company, but their servers are in Germany. I wonder if they will switch to having servers in other countries (or locally, as they used to have). Otherwise, I'll have to find a different provider.
Possibly, but it's much harder to intercept and mitm specific traffic at that level. On the ISP-side, that's different: they can with high certainty say that some traffic is coming from/to a specific suspect, much like a phone surveillance. This might also apply to individual service, e.g. an email provider.
But they'd need to filter out traffic for a specific suspect. It's unlikely that their approach will be to try to install trojans on every client computer that has traffic that goes through some DC. And if they want to take over a server they know the location of: they already can.
From my experience in a case where a previous version of that tech has been involved (though normal LE, not intelligence), they do take all the available measures to only hit the target, it's not a shot gun approach.
I think you can collect a lot of good data for law enforcement purposes by tapping datacenter networks. Remember the NSA's "SSL added and removed here :-)" slide?
Raise your hand if you use TLS between your database server and your web frontend. Keep your hand up if you rotated that certificate in the last month. Keep your hand up if you know whether your database's certificate has been tampered with. (i.e. do you check that it's signed by your internal CA? Then who is signing it? Who maintains the ca-certs package? What does the certificate verification code even look like?)
No hands up? Good! The government thanks you for your service. Keep doing what you're doing, they'll keep you safe.
Yeah, but Germany's intelligence services aren't the NSA, neither regarding technical ability, nor regarding the lack of mission constraints. I'm sure they'd love to get their hands on DE-CIX as a whole, but they won't unless somebody with a US passport sits in on the meeting - and if they have that person, they don't need German laws.
I believe that these changes target ISPs and providers like mailbox.org, posteo etc, that have been "privacy first" and not too friendly. These laws aren't for wholesale data intake, they are more like phone surveillance with the added bonus that they (the ISPs and service providers) will be not only required to let them listen in, but to also allow them to inject trojans into the traffic that is being transported. These are very closely related to our laws for mailing services that contain similar things (the wording is very similar as well). They're not for the intelligence services to just walk in and say "Hi, we'll take everything, please", they still require a court order and target specific individuals.
Its german BND sitting at DE-CIX, but they fully cooperate with NSA to the point where they had to answer some ugly questions about why the fuck they helped a foreign intelligence service to literally spy on the german governement. Answer was: they don't verify what NSA queries, they automatically run the selector list and send them the data.
Yes, but as you see, that's already legal (especially if with US-involvement). This is different from that, as it contains the requirement for the provider to manipulate traffic.
> Raise your hand if you use TLS between your database server and your web frontend. Keep your hand up if you rotated that certificate in the last month. Keep your hand up if you know whether your database's certificate has been tampered with. (i.e. do you check that it's signed by your internal CA? Then who is signing it? Who maintains the ca-certs package? What does the certificate verification code even look like?)
I accept the principle; I wish people would take more action, but I for one am American and I have shifted most of my hosting out of the US because of it. I probably don't have much worth spying on, but on principle I oppose any form of blanket surveillance.
Nope, everyone happily shovels all of their data, as well as all of the data their customers provide them, into AWS, which is very cosy with the US military.
You can be reasonably certain that anything in AWS is available to US military intelligence without judicial oversight.
Every American service and product needs to be treated as compromised, it really comes down to that.
Individual companies now need to earn back basic trust.
This doesn't mean you have to completely abandon your favourite service, just have to modify the way you utilize it.
For example, if you absolutely have to use Google Drive, be sure to encrypt your files with appropriate strength first and assume they are actively trying to decrypt and build a file on you.
Why single out America, Snowden's leaks showed the entire Anglo-sphere is compromised(Five Eyes). Is there any reason to think this isn't the case in any NATO/OECD/etc. country?
Not exactly as easy as they make it sound, thanks to encryption and especially signing. Of course there's probably still enough software not using it and/or users not paying attention.
Is it possible to modify HTTPS traffic? Wouldn't they have to replace the CA certs on the target machine first before being able to modify that traffic?
They just have to hijack one existing CA that's within their jurisdiction and force it to issue MITM certs. Key pinning or certificate transparency may mitigate this.
Or the MITM box could use some kind of HTTP downgrade attack and not worry about certificates at all.
That would "burn" the CA (it will be removed and/or blacklisted from every major browser and operating system once it's exposed, and exposing it gets much easier with the recent push towards certificate transparency), so it can only be done once per CA.
Just wait a few years. I'm sure we will get something to support this on the EU level. It'll be positioned as fighting for your freedom and every company that doesn't implement them is the worst.
I think your worry is a bit out of scope.
There is a thing called "Verhaeltnismaessigkeit" in Germany, and in most other countries where "The Rule Of Law" applies, to paraphrase Trudeau.
Meaning: You are not allowed to burn down the house just because the neighbor was playing the music too loudly.
So others are not to caught in the cross-fire of this operation.
So it will be a very technical challenge to overcome these obstacles.
And since an ISP is not providing updates, coercing OS vendors to alter the CA's for a specific user is a bit far-fetched.
The more likely approach is the acquisition of cryptographic keys to create one's own SSL-Certificiate.
Now: This is the domain of the intelligence-community.
Their bread and butter. Compared to the rest of the world, this community is heavily regulated; you just have to think of the CIA's Black Budget or other agencies from less pleasent countries to get a comparison.
It is best they get the legal framework in place (s.o. heralded it as the OS for society once). The alternative would be clandestine operations outside the law, and that is never good.
Only requirement I would demand for s.th. like this: The solution mustn't be scalable, as to ensure to avoid a subjecting large swats of a population to this, which is challenging with technologies these days.
The good thing is that ISPs will not keel over just because the police are requesting it.
After all they have a reputation and their customers to protect and, let's face it, this is not China, Russia, Iran or some other country were you vanish for far less than demanding more paperwork and speaking out against executive orders.
As long as the mechanisms of a society are functioning and everyone watches everyone and there is due process it works.
It will be a problem if these mechanisms fail though. I for one will be watching with keen interest.
As for the new root certificate to a domain for the agencies:
I already pointed out, s.w. in this discussion, that there is a mechanism called Certificate Pinning. Works wonders if the server configured it.
So yes, they are working on the legal framework, but thanks to the foresight of engineers and people concerned with safety for the general non-technical and technical internet-population, it is a hard challenge officials are facing.
There is no certificate pinning anymore, it's deprecated. Your whole argument is based on the state actually playing nicely and assume a meaningful oversight of intelligence, both are hopelessly naive.
Pretty shocking in a state that has such strict privacy laws. Not sure how the two can come from the same mouth, and even be in public view.
My understanding is that the privacy restrictions are largely the result of half the country having lived under the Statsi, and thus being extremely weary of government eyes. Here it’s out in the open!
By no means. The Stasi was active in the GDR (German Democratic Republic, "East Germany"), and it is not as if those from the east are particularly watchful for state-instigated surveillance.
This predates the wall, but the wall only confirmed what was going on beforehand.
There is something hilarious and schizoid in how Germany is perceived and the realities about this country.
They have strict privacy laws? First Nazi personel in the first half then Stasi personel in the second half of the 20th century were simply requalified and rehired, each bloody time. How do you think?
They are top environmentally-friendly country? Highest polluting coal power plants in EU are located in Germany.
These are both known and highly controversial issues in Germany. The first one is widely accepted as without any alternative. You can't just replace a whole bureaucracy and in retrospect it worked out to only change key positions. But obviously it was a healing and cleaning process over time. The other thing is to be attributed to the fact the we were very quick to abandon atomic power even before climate change issues were that popular. Its a hilarious contradiction. We now actually also have a plan to also get rid of the coal power plants but it will be hard, maybe we need to reintroduce the candle as a source of light. There is no lack of willingness and intent but reality has us all in its tight grip.
You forgot the Nazi personal in the 2nd half. The BND is a NAZI organization. Lookup Gehlen. Didn't change much after they died, if you look at the various BND scandals since.
Obviously, the OP was talking about the perception of Germany today and I think we can safely assume that no Ex-Nazi personnel is currently working at the German secret service. And coming to think of it, why wouldn't someone whose qualified to spy on others be rehired to do the same job in Germany after the end of GDR? What do you think secret services do?
Regarding "environmentally friendly", this point is correct but you're omitting that Germany just recently passed a law to get out of coal until 2038. The energy produced in Germany will then be pretty much exclusively renewable which is not a small feat for a country with such a large population.
> Hilarious and schizoid are adjectives that I would assign to your post.
Sorry but you are rude.
> I think we can safely assume that no Ex-Nazi personnel is currently working at the German secret service
Stasi personel though?
Are you expecting that people using such nuanced and subtle techniques like Zersetzung against domestic population [1] will suddently become ethical towards anyone they perceive as threat? or as undesirable?
On the facade Germans get some show off initiatives (no Street View!), behind the scenes is business as usual.
Yes, you are right. I apologize, I clearly went overboard.
> Stasi personel though? [...]
I think it's just an over-generalization. Just because you worked for the Stasi automatically makes you a bad fit for a certain job. It really depends.
Nazis were indeed rehired to senior positions, but sensitive parts of the civil service were purged of Stasi operatives, although this did take a long time, especially in Saxony. There has been some resentment of the fact that this often meant that the civil service in Eastern states is dominated by 'Wessies'.
>Pretty shocking in a state that has such strict privacy laws. Not sure how the two can come from the same mouth, and even be in public view.
Because they're not necessarily contradictory. This doesn't just give secret services a blank cheque to spy on everyone, it just provides intelligence agencies with a tool.
I'm German and I don't object in principle to the fact that intelligence, under supervision of the government, has the ability to say, infiltrate criminal networks using software like this. Under certain circumstances the police was always able to wiretap a phone, I don't see the difference here other than this taking into account the changing circumstances of internet communication.
Also from a cultural standpoint if anything people in Germany are more sceptic of erosion of privacy by private power than by the state, we're not the US. The former is pretty much unconstrained, the latter is so tightly limited in scope by law it's not really a practical issue. The scary thing about the Stasi wasn't that they were inteliigence, every country has intelligence officers who can bug someone's home, it was that the GDR was an autocratic regime.
Sure, but a police operation surely could attempt to swap the book cipher out for a compromised one, no?
I think the idea that communication ought to be categorically out of reach of intelligence is very novel. I don't think it was even conceivable decades ago that, with legal justification, intelligence could not hack or be completely locked out of the communication of some network. For criminals who are savy enough, tech has made it much harder, not easier for the government to do their job.
I think there is also a very paradoxical side-effect. A harmstrung government may resort to outsourcing its intelligence work. I read a story about private firms in the US collecting license plate information and selling it back to the police. Clearview AI is certainly another example. If the agencies are limited, there is a real chance of both ineffective policing and a huge unregulated surveillance grey market. I would rather equip the government with enough capacity, but strong legal checks.
Legal checks are a mile-long leash, no matter how strong the cord. This is exchanging freedom for security, since a backdoor like this doesn’t require breaking glass.
The scary stuff about the current development is, that we get flooded with arguments about hardcore criminals, but if you look at the actual changes to the laws, such restrictions are not made, instead these extreme measures are allowed for petty reasons and some politicians will still keep pushing for even more totalitarianism. These siloviki want mass surveillance comparable to what Chinas Ministry of State Security or USAs National Security Agency have. It does not matter if Germany is not ruled by an autocratic regime at the moment, once such systems are in place, it will be.
> It does not matter if Germany is not ruled by an autocratic regime at the moment
I totally get the appeal of that argument, but it completely breaks down once I ask myself how much that autocratic bogeyman regime, once it got into power, would feel bound by privacy protections put in place by their predecessors.
The question is rather: can they use preestablished structures and machinery or do they need to build it from the ground up. Surveilance also needs work, and its less work if everything is prepared.
my point was more: any liberal social democratic society that subjects itself to every increasing censorship and surveillance will devolve towards totalitarianism.
Totalitarianism has been the mode of human governance since prehistory. It's great, effective, and always tempting. The Western world today is the exception, not the rule.
It's also really hard to establish or continue without the surveillance to detect rebellion and corruption.
It makes a big difference, actually. Few regimes go full-on totalitarian right away - it's more common to have a gradual erosion, where they operate within the letter of the law for a while, while gradually diminishing the spirit. So the more the letter allows, the more abuse you'll see from the get go.
Someone said that's a result of constant under-funding and treating your military with no respect - when it's only seen as a choice for those who can't "do any better", you'll get extremists among the ranks.
Sounds plausible, at least in the US soldiers seem to be highly respected and in turn, they respect the country and its people.
> Pretty shocking in a state that has such strict privacy laws
If viewed from the different perspective of government intrusion on tech, it can appear less shocking. A government encouraged by its citizenry to use its leverage over tech companies will continue to do so, and not always in the same ways.
Well either those advising the legislature, who actually carry out the hacks for the security services in Germany, are idiots; or they're very clever people and know exactly what they're doing.
Or I guess it could be security theatre, or a diversion, but neither of those seems compelling here.
My vote is that, whilst I can't understand how it's accomplished as it seems contrary to technical possibility, that the people with billions of funding to make these things possible (Five Eyes, etc.) are probably capable of many things that look like magic.
What does "trojans at ISPs" even mean? TLS works end-to-end and ISPs can do absolutely nothing to see the plaintext. It's unless the CAs at users-side are manually replaced with fake ones nothing can be done. I've never used Windows since I was a kid but I am sure this is pretty much impossible on Linux for example since adding CAs require root privilege.
Presumably, Germany would have little trouble compelling at least one root CA to sign any TLS certificates they wanted. Just a cursory search shows that Google Chrome, on Linux, trusts, e.g.
> CN = D-TRUST Root CA 3 2013
> O = D-Trust GmbH
> C = DE
There is certificate transparency and pinning and so on, and they would be caught (probably, maybe) if they abused this carelessly and at scale, but in practice, for a small number of targets, it would be trivial to wait for users to connect to a less secured TLS site or even a plain-HTTP site (plenty still exist), and then use a browser exploit as the stage 1, followed by whatever escalation of privilege exploit and rootkit is needed. TLS is really good at preventing always-on dragnet surveillance of everyone's internet traffic, but not a counter measure against targeted nation state level attacks.
Well.
That is the reason for Certificate Pinning.
And these days there is no excuse to not enable it server-side.
Helped me detect some MITM-Interceptions.
Not that the content was malicious (OpenDNS just rerouted my requests to a "This site is blocked page", but the certificate was signed by Cisco, and thus valid. Certificate Pinning still picked it up. Little hint: It was an Archlinux-site.).
Here [1] it says that Chrome stopped supporting HTTP Public Key Pinning (HPKP) with Chrome 72. There are other debates on it. See the discussions for excuses.
Google, Mozilla, et al. should make a commitment to revoke the trust of any CA that is found to partake in behavior like that. Even retroactive revocation of existing certificates shouldn't be off the table if the offense is egregious enough.
It's actually pretty scary seeing just how many CAs are in the list of trusted CAs on any given device. While no government is beyond reproach, I do wish there were a way for me as a user to say "don't trust anything signed by CAs outside of these few countries, since it's most likely a hijack, phishing, or in the rare case that I did try to visit some random site, I can approve it manually."
Browsers blacklisted Kazakhstan government certificate used for MITM which was not even trusted. It is absurd to expect anything less than blacklisting such a CA immediately. Certificate transparency is required for all certificates since April, 2018, so you can't really issue rogue certificate.
AFAIK they used different certificate for MITM. Currently they are using certificate mentioned in that bug to issue certificates for government websites (like https://elicense.kz/ ), so actually a lot of citizens who need to use government services have to install that certificate as a root anyway.
I don't think that they would use that certificate for MITM. They're not fools and they understand that it would lead to blacklisting it which would halt a lot of operations in the country.
> It is absurd to expect anything less than blacklisting such a CA immediately.
Is it, though? Germany has a lot more economic leverage than Kazakhstan. Suppose they pass a law requiring any browser sold or otherwise offered on the German market to have the government certificate in the chain of trust... how many large companies would cave?
For many things there isn't really need to get the payload. Get the IP addresses, DNS lookups and TLS SNI information and correlate to information gathered from elsewhere and you can derive a lot.
+1 for the optimism, but unfortunately even with those mitigations it is not enough. Using a VPN in combination with DoT/H is currently best practice I believe.
FinFisher has "drive by infection" packages for sale called FinFly that require traffic injection, according to their brochure. How exactly those work today, i do not know. For example: until 2011 they used a bug in the self update code of iTunes. Having a network level man in the middle can benefit many complex exploit chains.
Conceivably: If you have MITM and can inject... you'd next need web browser 0day exploit chain w/ sandbox escape and then a stealthy trojan to install. This would obviously be quite the capability and require a lot of maintenance to work cross-browser, cross-OS, and evade security products / built-in security features. It is definitely possible however.
The "Trojan" is simply the rhetorical framework chosen by German authorities. Their initial successful push for computer surveillance was in the form of the "state trojan", a piece of malware proposed to be installed on the systems of suspected criminals. Successive pushes have aimed at expanding out from there, using the existing capabilities as justification.
Looking at some of Citizen Lab’s excellent reporting on FinFisher shows that victims were redirected to regular unencrypted http downloads when the malware was installed.
One of the examples given was when a user tried to download Avast antivirus from a well-known software hosting site and the download was done over http.
There are several security sites that have downloadable packet captures of malware infections where you can see in Wireshark that redirects are commonly used.
The law only requires an ISP to redirect traffic to a target specified by the Verfassungschutz (Constitutional Protection Office) or BND (Federal Information Office), for the purposes of listening in or modifying traffic. It doesn't seem to require installing or providing TLS cracking.
This shows 1,648 relays potentially having their traffic monitored under this law. Out of 6,432 relays, that makes up more than 25% of all Tor relays.
Unfortunately, Tor's design doesn't really go far enough in protecting against adversaries with large swaths of visibility. Perhaps it's time for people to begin shifting to I2P, or some other overlay network with more resilience against these types of adversaries.
Tor might not protect anonymity effectively in that case, but in the case given it would still offer protection because of the way the relay circuits are designed.
Unless it's an exit node. 251 of 1,249 exit nodes reside in Germany, or roughly 20%. Exit nodes aren't supposed to modify traffic, so if the compromise is happening upon leaving the exit node en route to whatever destination, that would still trickle back through all the hops.
True. I was thinking about recent initiatives like https://blog.torproject.org/more-onions-porfavor where security is enhanced by having people put their sites on tor. This is more the i2p model though.
Sound strange to me that they need a law for this, unless it is intended as leverage to coerce ISPs into collaboration. Secret service agencies do exist for the purpose of doing nasty things governments cannot afford to put their names on, or even be associated with; this would include spying on own citizens. In other words they'd do what they have already done for decades, but this time since it involves ISPs, ie a third party whose collaboration and silence are necessary, it is possible that the regulation includes also some kind of gag order preventing ISPs to tell their users they're under surveillance.
The hacker tool paragraph is pretty toothless. I just checked one of those legal tech apps and see 12 judgements total that even mention it. There was quite a bit going on when it passed that effectively clarified that working on, and with, tools like that is legal when there's an assumption of dual use for legitimate purposes, e.g. security research (which is like... all of them). LE use would likely benefit from the same assumption.
Well, as far as I know, all of these countries have political systems in which representatives are supposed to act on the behalf of the people. Basically, we can't all work full time to understand every political thing, and vote on them all, so we have someone do it for us: a representative.
Representatives very rarely represent themselves, and are almost always representing either powerful people ( often through lobbying) or citizens.
Given that an absolute minority of citizens are asking for this, it's fair to say it's a top down decision. Most citizens are concerned with things that aren't changing at all, if you'd like further proof on who the representatives work for.
By virtue of it being a top down decision, it is almost certainly being pushed by a small group of very powerful people. When a small group of people have all the power, that's called an oligarchy.
So the question is, why is the oligarchy pushing so hard for control of the internet right now? Well, it's probably not for fun.. so they are worried, I suppose.
Why they are so scared of citizenry though? Anyone that is criminal or really needs security will just use Faraday Cages with disconnected computers.
Literally there is nothing they can do against big league criminals with this much mass surveillance, so only logical conclusion is that this is only intended for use on citizenry.
It's the only logical conclusion. And given that there's so many of us, and so few of them, and they've been taking advantage of us in a very abusive way... I don't think they're wrong. I think there's a good chance this goes sour for them.
I've tried to explain my thoughts on this before, so I'll give it the ol college try again.
I propose that the decentralized anarchistic, freedom of thought nature of the internet has essentially forced an acceleration the timetables for the totalitarian dystopian system.
The internet caught the oligarchs off guard, in the big scheme of things (the oligarchs make plans that their grandchildren execute)... and it took them a bit to catch up, and they now see it as the primary threat to their otherwise nearly total control of the mass consciousness. Think of every medium of communication, and see how it was more or less captured and controlled, whether it be print, radio, or television, and see that although heavily under attack, the internet is still very free, at least at it's core.
This creates a sort of arms race where the oligarchs must corrupt, control and compromise it faster than it can respond in a way that reveals enough of the truth to the masses that they risk some sort of neo-peasants revolt. In that goal they will use their already long tendrils into government and corporate ownership networks et al to accomplish the task. I could get into the nitty gritty, but that's the meta summary.
Surveillance is about control, not about security, but they have gotten very good at the Oxford debate posing that it is. (lamentations about the end of the nation state actor security threat for one)
It weirds me out that you're probably the first person I've seen in years on the internet saying something this "bold" and unambiguous.
I often wonder if there's some system in place which separates us. Or perhaps the combo of logic, intuition, and honesty is just super rare. I don't know, but I hope you're doing well and having a reasonably fulfilling adventure amongst this hellishly senseless superstition culture.
Friendly reminder to go out and see the stars from time to time.
Anarchists and other like-minded people have been aware and vocal about this power structure for decades, centuries even, long before the internet existed.
Why do you think anarchists have generally been tarred as destructive and dangerous in the media and by the political and corporate establishment for so long?
The most insidious thing is that the status quo has become so ingrained in people that they reflexively downvote, censor and ban anarchists, because their masters tell them to.
Thank you for the kind words stranger. I find myself staring at the stars quite frequently actually. Nothing like a full moon night in the desert or high country.
For what it's worth, the journey to this place was not easy for me, and has taken years of searching and learning. The constant struggle is against giving up, apathy is the glove into which evil slips it's hand and all that.
243 comments
[ 3.2 ms ] story [ 235 ms ] threadhttps://en.wikipedia.org/wiki/Crypto_AG
https://www.youtube.com/watch?v=Ra3uSDGL9sw
> There's even a promotional video of how FinFly ISP sends a fake iTunes update and infects the target system with FinSpy
Does Apple not sign iTunes updates?
https://stadt-nachrichten.de/fahndungen/hasskommentare-im-in...
https://www.bild.de/news/inland/news-inland/hass-kommentare-...
https://www.bundesregierung.de/breg-de/aktuelles/gesetz-gege...
Boy China is childs play compared to us.
I don't see how there is any justifiable grounds to talk about killing people with gas in any context, particularly not in this context.
https://www.vice.com/de/article/8xe7jg/kuchen-tv-volksverhet...
A Youtuber made a video about an incidents between students where one made a racist joke. He [the Youtuber] said about that joke "that wasn't a bad joke" and got convicted for Volksverhetzung - one of the harshest crimes we have. If you get convicted for that as a non-VIP, your life is effectively over in Germany. That's socially worse than a rape conviction.
And back to the point: whether you consider it right to put people in jail for saying mean things or not - it is absolutely not internet freedom. Not by any stretch of the imagination.
That there is no "free speech" in Germany in respect to hatespeech has been the case pre-internet too. I'm not a big fan of NetzDG, but I also have to say that I expected much worse censorship-wise when it passed and I haven't heard of gross misapplications of it so far. If anything Facebook and Twitter show that you can still post a lot of hatespeech despite its existence.
Germany has an interesting history with regards to what various constituents view as protected speech. As someone who hasn't lived in Germany I freely admit that I have a limited view of such things, but as the other poster mentioned these issues precede the internet.
My proposal: "New German law would force ISPs to redirect traffic to intelligence services for trojan install" (if that is not to long).
My somewhat lame excuse: The law will most probably pass, current govt is a coalition of the two largest parties with overwhelming majority and absolutely no clue about anything digital.
Edit: would "shall" work instead of "will"?
The other is that HN is an English-language site. We have deep respect for the German language, but articles on HN need to be in English [2]. I've changed it to https://www.privateinternetaccess.com/blog/new-german-law-wo... for now. If there's a better link, we can change it again.
(Submitted URL was https://netzpolitik.org/2020/staatstrojaner-provider-sollen-...)
[1] https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...
[2] https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...
That means there is a element of uncertainty there whether they actually will.
Wouldn't "have to" be "müssen"? In what cases would you use "sollen" to have a similar meaning?
And "sollten" is either Präteritum or Konjunctive II, which as I understand it would both mean "should have", though in different senses. Why is that a more proper translation of "should"?
However, there are fine nuances between the words.
In that case, "müssen" is more direct and used as a command which has consequences when not followed while "sollen" is more of a prompt or demand that hasn't to be followed.
> Provider sollen Internetverkehr umleiten, damit Geheimdienste hacken können
> Geheimdienste wollen Hardware bei Internet-Providern installieren, um Staatstrojaner in Datenverkehr einzuschleusen. Das steht in einem Gesetzentwurf zum Verfassungsschutzrecht, den die Bundesregierung nächste Woche beschließen will. Die Provider wollen keine Hilfssheriffs sein.
> [...]
> Konkret müssen Anbieter die Installation des Staatstrojaners „durch Unterstützung bei der Umleitung von Telekommunikation … ermöglichen“.
So it translates to "would have to, if the law goes into effect unchanged".
The surveillance allows them to read the TCP sequence numbers or DNS query IDs, and then spoof valid response packets.
It’s called QUANTUMINSERT.
https://blog.fox-it.com/2015/04/20/deep-dive-into-quantum-in...
NSA would be very bad at their job indeed if they couldn’t issue valid TLS certificates for any domain to themselves.
Is there any evidence of this? With certificate transparency being mandatory a few years ago, you'd think that the NSA would be caught at least once.
My assumption is that they had it for years and released it for patching the moment they detected anyone else using it.
https://www.cbronline.com/cybersecurity/crypt32-dll-vulnerab...
It’s not TLS, but it’s close. I still think they’d be bad at their job if they didn’t have some method of getting valid certs, and I don’t think they are bad at their job. With bulk collection they may be able to spoof replies to LE DNS verification. There are lots of avenues.
The NSA have plenty of tricks. They intercept devices being shipped around the country/world, they tap cables, they dig into airgapped networks, they compromise satellites, they compromise the internal networks of the world's biggest corporations. They've been doing this for decades. If we don't believe they can compromise one organization out of 270...
Aren't browsers now requiring that certificates from many CAs (if not all of them) are submitted to CT before they are accepted as valid by the browser? That is, a certificate without an attached CT proof, even if it has a valid signature from the CA, will be treated as invalid.
(However, given what's being talked about (MITM of software update servers), this might be enough if the libraries being used by the software updater are not as strict as the browsers, and don't require an attached CT proof.)
From my experience in a case where a previous version of that tech has been involved (though normal LE, not intelligence), they do take all the available measures to only hit the target, it's not a shot gun approach.
Raise your hand if you use TLS between your database server and your web frontend. Keep your hand up if you rotated that certificate in the last month. Keep your hand up if you know whether your database's certificate has been tampered with. (i.e. do you check that it's signed by your internal CA? Then who is signing it? Who maintains the ca-certs package? What does the certificate verification code even look like?)
No hands up? Good! The government thanks you for your service. Keep doing what you're doing, they'll keep you safe.
I believe that these changes target ISPs and providers like mailbox.org, posteo etc, that have been "privacy first" and not too friendly. These laws aren't for wholesale data intake, they are more like phone surveillance with the added bonus that they (the ISPs and service providers) will be not only required to let them listen in, but to also allow them to inject trojans into the traffic that is being transported. These are very closely related to our laws for mailing services that contain similar things (the wording is very similar as well). They're not for the intelligence services to just walk in and say "Hi, we'll take everything, please", they still require a court order and target specific individuals.
I’m standing here with my hand up :)
You can be reasonably certain that anything in AWS is available to US military intelligence without judicial oversight.
Individual companies now need to earn back basic trust.
This doesn't mean you have to completely abandon your favourite service, just have to modify the way you utilize it.
For example, if you absolutely have to use Google Drive, be sure to encrypt your files with appropriate strength first and assume they are actively trying to decrypt and build a file on you.
Why single out America, Snowden's leaks showed the entire Anglo-sphere is compromised(Five Eyes). Is there any reason to think this isn't the case in any NATO/OECD/etc. country?
Or the MITM box could use some kind of HTTP downgrade attack and not worry about certificates at all.
https://transparencyreport.google.com/https/certificates
As for the new root certificate to a domain for the agencies: I already pointed out, s.w. in this discussion, that there is a mechanism called Certificate Pinning. Works wonders if the server configured it. So yes, they are working on the legal framework, but thanks to the foresight of engineers and people concerned with safety for the general non-technical and technical internet-population, it is a hard challenge officials are facing.
My understanding is that the privacy restrictions are largely the result of half the country having lived under the Statsi, and thus being extremely weary of government eyes. Here it’s out in the open!
This predates the wall, but the wall only confirmed what was going on beforehand.
They have strict privacy laws? First Nazi personel in the first half then Stasi personel in the second half of the 20th century were simply requalified and rehired, each bloody time. How do you think?
They are top environmentally-friendly country? Highest polluting coal power plants in EU are located in Germany.
Obviously, the OP was talking about the perception of Germany today and I think we can safely assume that no Ex-Nazi personnel is currently working at the German secret service. And coming to think of it, why wouldn't someone whose qualified to spy on others be rehired to do the same job in Germany after the end of GDR? What do you think secret services do?
Regarding "environmentally friendly", this point is correct but you're omitting that Germany just recently passed a law to get out of coal until 2038. The energy produced in Germany will then be pretty much exclusively renewable which is not a small feat for a country with such a large population.
Sorry but you are rude.
> I think we can safely assume that no Ex-Nazi personnel is currently working at the German secret service
Stasi personel though?
Are you expecting that people using such nuanced and subtle techniques like Zersetzung against domestic population [1] will suddently become ethical towards anyone they perceive as threat? or as undesirable?
On the facade Germans get some show off initiatives (no Street View!), behind the scenes is business as usual.
[1] https://en.wikipedia.org/wiki/Zersetzung
Yes, you are right. I apologize, I clearly went overboard.
> Stasi personel though? [...]
I think it's just an over-generalization. Just because you worked for the Stasi automatically makes you a bad fit for a certain job. It really depends.
I am sorry, I am from Russia initially, the KGB-land. No, it's not an over-generalization.
https://www.reddit.com/r/AskHistorians/comments/3j90ua/what_...
Because they're not necessarily contradictory. This doesn't just give secret services a blank cheque to spy on everyone, it just provides intelligence agencies with a tool.
I'm German and I don't object in principle to the fact that intelligence, under supervision of the government, has the ability to say, infiltrate criminal networks using software like this. Under certain circumstances the police was always able to wiretap a phone, I don't see the difference here other than this taking into account the changing circumstances of internet communication.
Also from a cultural standpoint if anything people in Germany are more sceptic of erosion of privacy by private power than by the state, we're not the US. The former is pretty much unconstrained, the latter is so tightly limited in scope by law it's not really a practical issue. The scary thing about the Stasi wasn't that they were inteliigence, every country has intelligence officers who can bug someone's home, it was that the GDR was an autocratic regime.
I think the idea that communication ought to be categorically out of reach of intelligence is very novel. I don't think it was even conceivable decades ago that, with legal justification, intelligence could not hack or be completely locked out of the communication of some network. For criminals who are savy enough, tech has made it much harder, not easier for the government to do their job.
I think there is also a very paradoxical side-effect. A harmstrung government may resort to outsourcing its intelligence work. I read a story about private firms in the US collecting license plate information and selling it back to the police. Clearview AI is certainly another example. If the agencies are limited, there is a real chance of both ineffective policing and a huge unregulated surveillance grey market. I would rather equip the government with enough capacity, but strong legal checks.
I totally get the appeal of that argument, but it completely breaks down once I ask myself how much that autocratic bogeyman regime, once it got into power, would feel bound by privacy protections put in place by their predecessors.
It's also really hard to establish or continue without the surveillance to detect rebellion and corruption.
https://www.bbc.com/news/world-europe-53237685
https://en.wikipedia.org/wiki/Day_X_plot
Someone said that's a result of constant under-funding and treating your military with no respect - when it's only seen as a choice for those who can't "do any better", you'll get extremists among the ranks.
Sounds plausible, at least in the US soldiers seem to be highly respected and in turn, they respect the country and its people.
If viewed from the different perspective of government intrusion on tech, it can appear less shocking. A government encouraged by its citizenry to use its leverage over tech companies will continue to do so, and not always in the same ways.
This idea is fantasy.
Or I guess it could be security theatre, or a diversion, but neither of those seems compelling here.
My vote is that, whilst I can't understand how it's accomplished as it seems contrary to technical possibility, that the people with billions of funding to make these things possible (Five Eyes, etc.) are probably capable of many things that look like magic.
?
> CN = D-TRUST Root CA 3 2013 > O = D-Trust GmbH > C = DE
There is certificate transparency and pinning and so on, and they would be caught (probably, maybe) if they abused this carelessly and at scale, but in practice, for a small number of targets, it would be trivial to wait for users to connect to a less secured TLS site or even a plain-HTTP site (plenty still exist), and then use a browser exploit as the stage 1, followed by whatever escalation of privilege exploit and rootkit is needed. TLS is really good at preventing always-on dragnet surveillance of everyone's internet traffic, but not a counter measure against targeted nation state level attacks.
Or is cert pinning something different than HPKP?
- [1]: https://security.stackexchange.com/questions/213410/did-goog...
It's actually pretty scary seeing just how many CAs are in the list of trusted CAs on any given device. While no government is beyond reproach, I do wish there were a way for me as a user to say "don't trust anything signed by CAs outside of these few countries, since it's most likely a hijack, phishing, or in the rare case that I did try to visit some random site, I can approve it manually."
https://bugzilla.mozilla.org/show_bug.cgi?id=1232689
The answer is basically "no".
I don't think that they would use that certificate for MITM. They're not fools and they understand that it would lead to blacklisting it which would halt a lot of operations in the country.
Is it, though? Germany has a lot more economic leverage than Kazakhstan. Suppose they pass a law requiring any browser sold or otherwise offered on the German market to have the government certificate in the chain of trust... how many large companies would cave?
"What can you learn from an IP?" https://irtf.org/anrw/2019/slides-anrw19-final44.pdf
No-frills data means a lot nowadays.
Looking at some of Citizen Lab’s excellent reporting on FinFisher shows that victims were redirected to regular unencrypted http downloads when the malware was installed.
One of the examples given was when a user tried to download Avast antivirus from a well-known software hosting site and the download was done over http.
There are several security sites that have downloadable packet captures of malware infections where you can see in Wireshark that redirects are commonly used.
They should maybe give bigger warnings, but lets not break all of the old web just to protect a few more people against themselves.
This shows 1,648 relays potentially having their traffic monitored under this law. Out of 6,432 relays, that makes up more than 25% of all Tor relays.
Unfortunately, Tor's design doesn't really go far enough in protecting against adversaries with large swaths of visibility. Perhaps it's time for people to begin shifting to I2P, or some other overlay network with more resilience against these types of adversaries.
Edit: This page gives you a nice visual representation of how much that consists of. Germany is the big one. https://metrics.torproject.org/bubbles.html#country
Representatives very rarely represent themselves, and are almost always representing either powerful people ( often through lobbying) or citizens.
Given that an absolute minority of citizens are asking for this, it's fair to say it's a top down decision. Most citizens are concerned with things that aren't changing at all, if you'd like further proof on who the representatives work for.
By virtue of it being a top down decision, it is almost certainly being pushed by a small group of very powerful people. When a small group of people have all the power, that's called an oligarchy.
So the question is, why is the oligarchy pushing so hard for control of the internet right now? Well, it's probably not for fun.. so they are worried, I suppose.
Literally there is nothing they can do against big league criminals with this much mass surveillance, so only logical conclusion is that this is only intended for use on citizenry.
I propose that the decentralized anarchistic, freedom of thought nature of the internet has essentially forced an acceleration the timetables for the totalitarian dystopian system.
The internet caught the oligarchs off guard, in the big scheme of things (the oligarchs make plans that their grandchildren execute)... and it took them a bit to catch up, and they now see it as the primary threat to their otherwise nearly total control of the mass consciousness. Think of every medium of communication, and see how it was more or less captured and controlled, whether it be print, radio, or television, and see that although heavily under attack, the internet is still very free, at least at it's core.
This creates a sort of arms race where the oligarchs must corrupt, control and compromise it faster than it can respond in a way that reveals enough of the truth to the masses that they risk some sort of neo-peasants revolt. In that goal they will use their already long tendrils into government and corporate ownership networks et al to accomplish the task. I could get into the nitty gritty, but that's the meta summary.
Surveillance is about control, not about security, but they have gotten very good at the Oxford debate posing that it is. (lamentations about the end of the nation state actor security threat for one)
I often wonder if there's some system in place which separates us. Or perhaps the combo of logic, intuition, and honesty is just super rare. I don't know, but I hope you're doing well and having a reasonably fulfilling adventure amongst this hellishly senseless superstition culture.
Friendly reminder to go out and see the stars from time to time.
Why do you think anarchists have generally been tarred as destructive and dangerous in the media and by the political and corporate establishment for so long?
The most insidious thing is that the status quo has become so ingrained in people that they reflexively downvote, censor and ban anarchists, because their masters tell them to.
Big tech is very much a part of the problem.
For what it's worth, the journey to this place was not easy for me, and has taken years of searching and learning. The constant struggle is against giving up, apathy is the glove into which evil slips it's hand and all that.
https://www.ccc.de/en/updates/2011/staatstrojaner
https://www.ccc.de/en/updates/2015/bkag