91 comments

[ 4.0 ms ] story [ 91.9 ms ] thread
(happy to elaborate if there are any questions)
So, Dutch intelligence basically has legal leeway to pry anywhere. But I'm curious how they would hand over some "fact" to Police whom cannot normally access that information without some kind of warrant or legal approval from public prosecution.

How does that work in practice (under Dutch law)?

If they find something that is really criminal they can notify the police, but it is not straightforward. Search for "ambtsbericht".
There are ways to inform the police, but they need to do "parallel construction" to allow information in court.
Isn't there any European law that could stop this exaggerated and self-granted power?
Yes, parts of this law are very likely to be struck down by the European Court of Human Rights, if a case ever gets there. Specifically the 100% automatic powers to hack and intercept anyone who is hacked by state backed hackers are pretty unlikely to be legal under the ECHR.
There is literally nothing that can win against national security as "state actors (Russia, China, even mentioned in the text) trying to sabotage your infrastructure - look we have evidence but we're not gonna share it with the public".
Do you mean that's a specific legal argument that is upheld in European courts or Dutch courts?
No, I would say that's just life experience until now.

Nothing ever wins against "we need to keep the country safe".

Taking the perspective that spying is warranted by the asset under threat rather than subject potentially posing it ... that is some pretty scary piece of legislation.
[flagged]
Let's try for once not to divert and sidetrack any world news topic with what the US is doing, please? Not everything should be an opportunity to talk about YOUR country.
(comment deleted)
OK, but that wasn't my intent. I really meant who are we (the US) to criticize the Netherlands when we are doing the same ourselves (and not even fully admitting it). But, I can see that if you are from the Netherlands yourself, then you may very much want to - and have every right to - criticize it! Sorry.
Now define “something suspect”
You'll know it when you see it.
When was the last time that something titled a "Temporary Cyber Act" was ever temporary (other than being replaced by something worse)?
It has already been announced that this law will likely be extended. They later walked that back, but did admit that it is entirely possible to extend this law.
“Nothing is so permanent as a temporary government program”

– Milton Friedman

Hey, you have to applaud them for naming it "temporary", instead of "patriot". What are you? Some kind of a treasonous terrorist? How dare you oppose THE PATRIOT ACT?! /s
They get zero marks because it doesn't appear to be an acronym.
It needs more "Democratic" in it to make it clear it's definitely not authoritarian. Maybe "The Democratic People's Temporary Cyber Act for Freedom"
(comment deleted)
Given the prevalence of TLS, how much SIGINT can actually be done by tapping internet exchanges these days?
Presumably a government could also requisition the private key of several root authority certificates (whether or not they "proudly announce" that is another matter).
Dutch government doesn't have a good reputation there, shepherding control over security infrastructure. First, it's primary CA lost is signing key to Iran, and recently they meant to outsource control over their ".nl" TLD to AWS.
Small addendum on that, DigiNotar was one of the four CA's handing out "PKIoverheid" certificates, so certificates for governmental purposes. See this archived copy of the FAQ (in Dutch) after the DigiNotar breach, specifically the question "Hoe weet de overheid dat certificaten van de 3 andere bedrijven in Nederland die PKI-overheidscertificaten uitgeven wel betrouwbaar zijn?": https://web.archive.org/web/20111019224308/http://www.rijkso...
A root CA key doesn't automatically decrypt the TLS traffic. You just need a single root CA key for a widely trusted CA to perform an active MITM attack. The attack is however likely to show up in Certificate Transparency logs.
Other metadata like DNS, device fingerprints, SNI-leakage[0], timestamps, connection history, etc

You can encrypt DNS with DoH if you want, but the DoH provider still sees its you. You can take it a step further with Oblivious DNS over HTTPS if you really want to conceal DNS activity[1]. Note: this technology is rather new and experimental.

[0] https://en.wikipedia.org/wiki/Server_Name_Indication

[1] https://research.cloudflare.com/projects/network-privacy/odn...

Another option is dnscrypt-proxy[0]. It will easily let you load-balance your DNS queries against a large set of resolvers, ensuring that no resolver gets the full picture. And enforces encryption of course.

[0] https://github.com/DNSCrypt/dnscrypt-proxy

"... ensuring that no resolver gets the full picture."

Unless the resolvers share data with each other.

These public DNSCrypt resolvers will publish claims like "no logging" but how does one verify this is a true statement.

It may be better to use mutiple third party DNS resolvers, whether DoH or DNSCrypt, than to only use one, but the best course of action is not to use third party resolvers at all.

The question I have for DNSCrypt fans is _why_ AFAICT no authoritative DNS servers are using it, e.g., https://github.com/cofyc/dnscrypt-wrapper

Personally, instead of DNSCrypt, I prefer CurveDNS,

https://github.com/curvedns/curvedns

There is at least one DNS forwarding service that offers CurveDNS.

For those who might be confused:

From https://dnscurve.org

"Do you run a DNS server that sends out DNS data? For example, do you run an "authoritative DNS server" such as tinydns or PowerDNS Server or BIND or NSD or MaraDNS or Nominum ANS to publish the IP addresses of your web server and mail server?

This page explains the benefits of adding DNSCurve protection to your outgoing DNS data."

DNSCurve protects outgoing data from authoritative DNS servers.

I use CurveDNS experimentally in homelab in front of tinydns and nsd. It is easy to set up and it works great. Unfortunately not many authoritative DNS servers on the internet are using it even though it is easy to set up and works great (based on own experiments).

As stated above, the best course of action is to avoid using third party DNS resolvers, i.e., public, shared caches. Instead one can run a local cache that sends DNSCurve-encrypted queries to remote authoritative DNS servers. For example,

https://github.com/janmojzis/dq

When using dq or dqcache, packets are _not_ sent "in the clear" for an ISP to sniff.

But, as above, the number of authoritative DNS servers using CurveDNS is unfortunately small.

The problem I see with DNSCrypt is it encourages use of third party DNS resolvers, i.e., shared caches.

I use locally-stored DNS data. When I retrieve DNS data from the interet I retrieve it in bulk using a variety of methods and sources. An unconventional approach perhaps but it works great for me.

Encrypted DNS is arguably pointless if one is using a popular browser that always sends SNI, even when SNI is not required, e.g., websites not using a CDN, or when visiting websites that do not support encrypted SNI, e.g., websites not using a CDN that supports encrypted SNI (ECH). Glad to see that the grandparent comment mentioned SNI.

> Personally, instead of DNSCrypt, I prefer CurveDNS

Neither is a replacement for the other; they're orthogonal. They solve different problems.

You should use both of them.

From the CurveDNS link you posted:

> CurveDNS supports:

> Forwarding of regular (non-protected) DNS packets

These are being sent in the clear, and your ISP is most certainly logging them. You should tell your CurveDNS resolver to use a (local) dnscrypt-proxy instance for resolving "regular (non-protected)" queries that don't have DNSCurve entries. Then you have the best of both worlds!

> The question I have for DNSCrypt fans is _why_ AFAICT no authoritative DNS servers are using it

Because DNSCrypt is only for querying recursive resolvers!

... and DNSCurve is only for querying authoritative resolvers.

DNSCrypt is link-level encryption between you and your recursive resolver (the thing you put in /etc/resolv.conf).

DNSCurve is link-level encryption between your recursive resolver (or you) and the authoritative resolver (like this one, which is authoritative for cr.yp.to):

    $ dig -t NS yp.to
    yp.to.                  3600    IN      NS      uz5jmyqz3gz2bhnuzg0rr0cml9u8pntyhn2jhtqn04yt3sm5h235c1.yp.to.
It is a shame that the two names (DNSCurve and DNSCrypt) are so similar.
AFAIK, there is no such thing as an "authoritative resolver". Authoritative DNS servers are commonly called "name servers". Recursive resolvers, i.e., caches, are never authoritative. Some might pretend to be, I have found examples of this easily in the past, highlighting the potential for abuse by operators of third party DNS resolvers.
There is no such thing as a "CurveDNS resolver". CurveDNs is a forwarder that encrypts DNS packets.

For me it runs bound to a loopback address, as do the nsd and tinydns servers. None of this traffic uses the network, there are no remote queries. There is nothing for the ISP to sniff.

When placed in front of a remote authoritative DNS server, that server can be queried using DNSCurve, e.g., with dq or dqcache. The packets are encrypted. ISPs cannot read them.

For example,

   dq -s -k dns2sdrnxskf5lqt46v34cdlfqb9q2lvvmpr95g3l1qh0148sf6 ianix.com 104.207.143.9

   1 ianix.com - streamlined DNSCurve:
   229 bytes, 1+2+2+2 records, response, authoritative, noerror
   query: 1 ianix.com
   answer: ianix.com 3600 A 104.248.15.206
   answer: ianix.com 3600 A 104.207.143.9
   authority: ianix.com 259200 NS uz5dns1bx64zu3pgn9nm4zfvmh2vy4hpjy7nkjz6qjcu325bg9hzcx.ianix.com
   authority: ianix.com 259200 NS uz5dns2sdrnxskf5lqt46v34cdlfqb9q2lvvmpr95g3l1qh0148sf6.ianix.com
   additional: uz5dns1bx64zu3pgn9nm4zfvmh2vy4hpjy7nkjz6qjcu325bg9hzcx.ianix.com 259200 A 104.248.15.206
   additional: uz5dns2sdrnxskf5lqt46v34cdlfqb9q2lvvmpr95g3l1qh0148sf6.ianix.com 259200 A 104.207.143.9
The IP address of the ianix.com name servers, 104.207.143.9, and the DNSCurve key, dns2sdrnxskf5lqt46v34cdlfqb9q2lvvmpr95g3l1qh0148sf6, can be obtained from the com.zone file, which is available for free from https://czds.icann.org/home

No recursive resolver is used. No packets are sent "in the clear". There is nothing for the ISP to sniff. Unlike public DoH or DNSCrypt servers, there is no third party DNS provider involved. No middleman.

I love this software.

It keeps Mullvad from intercepting DNS traffic: if you send cleartext DNS requests on UDP/53 through their network, they intercept it. But DNSCrypt packets are encrypted and authenticated, so they can't.

Bonus: DNSCrypt is still packet-based like UDP, so none of the downsides of DoH: no 3-way handshake, no connection pooling, no stream correlation attacks.

> It's worth noting that all our VPN servers hijack calls to our public DNS server and that the DNS requests are processed on a local non-logging DNS server installed on that VPN server.

https://mullvad.net/en/help/all-about-dns-servers-and-privac...

https://old.reddit.com/r/mullvadvpn/comments/invjgp/how_and_...

Start with phone lines. Or IP addresses.

Even without looking into the encrypted payload there is so much you can learn from graphs connecting and the metadata.

Considering they exchange technology with the USA and other states, I am pretty sure that you can find some malware to install on specific actors's devices (routers/phones/etc.) to have traffic decrypted.

I am decently sure that some state agencies help design routers.... if you know what I mean :)

In addition to what's mentioned in the comments, timing attacks are also possible. If you see what time every packet is sent and received, then you can correlate streams with each other. This is how they figure out who is visiting what Tor websites; you compromise the network of the website, then the network of potential clients, and then you match up the packets. Now they know you visited the website even though you never actually sent a packet addressed to it.
Just being able to analyze the network connections to apply filters and visualizations upon, providing optional deep dives into certain cohorts to create reports or even forecasts is a totalitarian wet dream.
How much cleartext is sent over the net? Nowadays almost everything is encrypted, even things like DoH are becoming standard via Cloudflare/Apple Private Relay.
They all work for the same team
If I were a politician using this against an opponent, I'd write the following press release:

Websites in the range 54.239.0.0/8 often host problematic content. My opponent visited several addresses in this range overnight and hid his traffic with military-grade message scrambling functionality.

Of course that's just AWS and you can't even do HTTP/2 or HTTP/3 without encryption. But do the voters know that? Will they be educated on it? Probably not. And you're not saying anything untrue, you have facts and logs to back up your assertions!

I'm not a crypto expert by any means, but it is my understanding that government actors of larger countries probably have trusted CAs in most devices on the planet that they have control over, and they could issue certificates for arbitrary domain names; and your devices would for the most part be none the wiser.

Of course this is only relevant for targeted surveillance, not mass surveillance.

Happy to be corrected though, I've been wondering about this.

This is precisely the threat model that certificate transparency mitigates.
Perhaps think a bit smaller, and look at companies that operate office-sized TLS interception by installing a CA certificate on each (managed) end device, and generating certificates on-the-fly from that CA. Then, some middlebox is able to inspect the encrypted communication that passes through.

Some web browsers have pinned certificates for certain services, Google Chrome/Chromium being one of those. Subsequently, the browser refuses to perform any more actions towards the server that serves an invalid (according to the browser) certificate. That browser is also one of the reasons the DigiNotar case in 2011 emerged to the surface.

Store now, decrypt later?

Metadata analysis on netflow, source and destination traffic, etc.

Most people still don't use VPNs for everything, and some services outright block or degrade VPN connectivity. Two notable examples are most banks, and 4chan.

I firmly believe 4ch is a Honeypot.

The majority of traffic is available as cleartext to Cloudflare so that they can analyse it. That’s the point of being an enormous centralised TLS termination proxy.
Perhaps a better insight is looking at parties doing TLS termination globally as a reverse proxy service, for example for DDoS mitigation or acting as a web application firewall. Or, who handles your (encrypted) DNS requests? A somewhat trustworthy local ISP, or a large corporation with multiple pages of terms of service and a vague privacy statement? (I'm unfortunately also aware that there exist ISPs that inject ads on non-encrypted connections, or having done so in the past)

In my opinion, it's less about the amount of cleartext traffic, but also about what parties terminate your so preciously encrypted connections/requests, the percentage of internet traffic they handle, and what they exactly store about those requests.

Encryption on the internet doesn't mean it's suddenly safe.

> to protect The Netherlands against Russian and Chinese hackers

So it's a noble cause then? Or does it have privacy implications for innocent netizens? I thought these exchanges would have been tapped in some form way before this announcement?

The new law also lowers the bar for Dutch law enforcement to obtain records from these taps significantly, removing the necessity of a judge to rule whether the request is justified in the investigation.

Surely no law enforcement would overreach when given tools like these, right? Right?

Yeah the Belastingdienst would never do anything naughty with powers like these. Let them in on it too!
>So it's a noble cause then?

If you consider "to play its part in the trade war between US-China which is extending into real WW 3" as noble, then yes, it's noble.

I wanna be noble, too! Where's the form to sign up as a proxy for some war?
It's called "temporary" but I don't see anything about when it is removed. Even with a sunset period (like the US Patriot Act had) it's not typical for states to give up power like this, so I'm guessing this is the new normal :-(

Is there specific intelligence leading to this? It seems very to the point about being related to Russia.

The Patriot Act was temporary too...
And some provisions expired thanks to Trump!

Biden, on the other hand, renews them promptly, to bipartisan satisfaction.

Funny how that works. :p

I'm a technical artist not a security researcher so could someone here elaborate on the supposed threat? Assuming a genuine Russian/Chinese state hacker/outfit, what damage could they cause and how much of that damage would legislation such as this prevent?
(comment deleted)
> what damage could they cause

You want to listen to what they want to do before they do something to your country. This is what this thing allows you to do: every internet packet transiting through the Dutch internet exchanges will be "scanned" (largely read-only).

However:

> The powers granted to the services are broad, but also largely ‘read-only’.

Largely `read-only`, the way I read it, means that in some cases they can actually replace whatever is going through the cable.

I imagine something like:

- terrorist A and B are texting each others, and you replace some of the text that they are sending each other (before this is received over the phone, because you own the "hop"), so that you can maybe redirect them straight into the police hands.

If done properly, I believe this can prevent quite some bad damage - not the simple example above, but probably also major things like serious attacks (e.g., ransom attacks on public institutions, etc). That's my guess - how easy or realistic this is, I can't tell you.

[flagged]
Don't worry, as long as we don't militarise ourselves anymore....

oh shoot, that's also happening!

Oh no, an army on bikes, what are we gonna do about it?! /s
> With the Temporary Cyber Act, we will make optimum use of the data carried on our cables to protect The Netherlands against Russian and Chinese hackers

Twenty years ago, the excuse was "we are restricting your freedom because of what happened in 11/9."

Then in the internet age, the excuse became "we are restricting your freedom to save the children from online abuse."

Now, Europe has unlocked the option to restrict its citizens' freedom because of the "war."

I ask my fellow computer engineers what the hell are we waiting for to pool our minds and resources towards a truly decentralised, encrypted and anonymous overnet. Something a little more practical than I2P, Tor, Freenet, etc. "Oh bad people will use it to do crime" is not a serious enough excuse to just passively accept the government tightening the noose around our digital presence, for total control by the State, all in name of safety and security. Was Bitcoin (2009) the last hurrah of the crypto-anarchist ideals of freedom of thought, freedom from the Big Brother and freedom from the ever-looming State?

https://groups.csail.mit.edu/mac/classes/6.805/articles/cryp...

(comment deleted)
I used to be so optimistic and less cynical.

Now I look at this and all that comes to mind is that actions like this would provide a basis for tapping people closer to source.

All the p2p and e2e encryption in the world won't help if someone is reading every key you type, or in the near future, every thought that crosses your mind.

Still, I applaud your spirit.

It won't happen people choose comfort instead of freedom. Eventually it will become a full blown totalitarian state, and we are going to relive 20th century again it seems.

I can't wait to pay ESG tax because I am breathing.

(comment deleted)
> I ask my fellow computer engineers what the hell are we waiting for to pool our minds and resources towards a truly decentralised, encrypted and anonymous overnet.

I often hear this somewhat loose idea and have to say that I also have such reoccurring thoughts myself. We currently enjoy pretty great freedoms to do stuff, we have the chance to set something up, and those freedoms might be severely restricted in the future. It may be easier to develop something like that now than it will ever be in the future. The problem seems to be that there is no coordinated plan. Stuff like Tor exists, but it hasn't really caught on as much as one would hope. Also it is built upon a rather specific architecture (the internet) from what I understand, which could basically be shutdown by authorities at any moment.

For example, I can't currently safely communicate with people in my geographic area independently of the internet, even though my devices theoretically have the hardware to do so (think of radio capabilities, for example). There might be some lose projects out there capable of some of it that 99.9999% never heard about, but nothing that could actually be considered general-purpose. Why is that?

It isn't an easy problem to solve. And it isn't enough of a problem for people to actually apply themselves nearly enough. Once it is needed in a way that more people would devote their time to it, it might be too late.

As long as they are proud of it. No bad laws have ever been implemented where everyone was proud of it, so this must mean it's not a bad law!! And the people rejoiced...just not on the internet as they didn't want to be spied on
>No bad laws have ever been implemented where everyone was proud of it

"Nobody who speaks German can ever be evil"

- The Simpsons

How do you know everyone is proud of it? For starters, I'm not.
Aren't all governments tapping connectivity the occurs within their borders (whether it be in internet exchanges, sea cables that come onto their shores, etc - kinda doesn't matter where it physically happens)?

I assume this is going on routinely already.

Perhaps it is. That doesn't mean it should be.

Governments think they are above their own laws. Warrants? Privacy rights? Due process? Why bother?

Well in this case they did amend the law through parliament.

Not that I agree with it, no, but it's not like they're acting above it.

That doesn't make it automatically right, just, or even legal. Does it hold up against the European Convention on Human Rights, EU directives, regulations and the country constitution? What does the constitutional court, EU court of justice and EU court of human rights think?

These are not hypothetical questions. I'm not Dutch but in my own (EU) country it's a very common occurrence that the higher courts significantly modify or entirely cancel a fully approved law - often retroactively. Sometimes the state has to pay out damages.

IMHO a parliament acting like they can just vote for anything and that's it is exactly the definition of acting above the law.

> That doesn't make it automatically right, just, or even legal. Does it hold up against the European Convention on Human Rights, EU directives, regulations and the country constitution? What does the constitutional court, EU court of justice and EU court of human rights think?

It should, it's the job of the first chamber (aka the 'senate') to validate this. Unfortunately they have been playing politics more than anything.

> I'm not Dutch but in my own (EU) country it's a very common occurrence that the higher courts significantly modify or entirely cancel a fully approved law - often retroactively.

This sounds more like the common law system (US, UK, Ireland). In Holland it's not like that. The senate is supposed to check that an in fact a local judge can't directly reference the constitution. In common law they can and they create precedents to scope out a law further after implementation.

The EU does overrule it of course. And yes perhaps they can get fined damages. That would be good IMO because it will stop them doing it. But they didn't do anything wrong technically in that sense.

The worst thing they did technically was that this law was inplemented by a cabinet that had already stepped down after the coalition fell apart. New votes were held and a new parliament was formed, but the old cabinet is still in place until a coalition is formed to create the new cabinet.

The biggest problem there was that 24% of people voted for the extreme-right fascist party and nobody except the neoliberals (the party they split out from) and the farmers want to form a government with them. So it will take a lot of time. But the old (neoliberal) cabinet is not supposed to push through any legislation that can be considered controversial. They are doing that all the time though.

No, in my country it's a derived German-style system. It's very unlike a common law system. A local judge can't, but we have a constitutional court who can take up a case against a passed law by themselves. Also, you can work through the tiers of the courts to the highest court or submit a request to the constitutional court.

Not sure about the exact legal theory in the Netherlands but where I am it's not really the job of upper chamber to validate it. Both chambers should have done that but both are bodies with political agendas and they interpret it to their own liking - and that often doesn't pass through the courts.

You should assume so and accept nothing short of end to end encryption as a secure channel. That's been true for decades.

Assume, the Chinese, Russians, North Koreans, Iranians, Americans, and everybody else gets a copy of all the bytes you send and receive. That may or may not be true depending on who or where you are and how competent their people are. But you can't rely on that not being the case so you simply shouldn't. So make sure that whatever they intercept is gibberish.

Is there any unencrypted traffic over these cables at all at this point? It's all ssl and https at this point, I would hope. There's still some intelligence to be extracted from which IP addresses are talking to which other IP addresses. But beyond that? What's really there to be intercepted that we haven't fixed yet?

(comment deleted)
Just how badly is the internet compromised at this point, as in are there any countries or internet corporate policies that forbid contributing to this type of action and would route around the Netherlands due to it violating privacy?
To some extent, this is a gross misuse of their government power. To another extent, tap away. There is no reason for your network traffic not to be an end-to-end encrypted. I'm more or less fine with the government getting my SNI headers, though I will be investing more in Tor and other obfuscation for some purposes.
This is a 'temporary' law that will be reconsidered after 4 years (most of the time this means it will just be continued).

The CTIVD will have supervision during and after the tab (good).

Private data can be held much longer without government approval (why?).

There is no permission needed to tap another server when a party, that is under surveillance, is moving there.

---

I have mixed feelings about this. We know Russia is trying to disrupt the Netherlands because of previous taps. So on one hand it is good that the government can quickly react to such threads. On the other hand it has huge privacy implications.

Some people in this thread think that TLS will keep us private but that is not how it works when they can listen to all traffic. For example they can see I posted a request to Hacker News on a specific time. Then it is a matter of finding all posts that were made around that timestamp to see what I wrote and what my username is.

I am sure it is there to stay as no other thing is going to stay forever as much as “temporary” law giving authorities more power.
> For example they can see I posted a request to Hacker News on a specific time. Then it is a matter of finding all posts that were made around that timestamp to see what I wrote and what my username is.

I think this is a lot of work to do. Just ask some 3 letters agencies for some help on some malware or on some "router firmware bugs" to be exploited etc. They don't care about hacker news readers or posting comments (because this implies you must know the DNS first, etc). They care about botnets DDoS-ing your railway infrastructure, ransomware on hospitals, serious stuff that can lead the country to chaos.

On hn everything is public so if you only have the time at which two or three posts where submitted you can find the user in question easily.
The submitted title ("Dutch gov. proudly announces it will tap Europe's largest internet exchanges") badly broke HN's title guideline, which asks: "Please use the original title, unless it is misleading or linkbait; don't editorialize." - https://news.ycombinator.com/newsguidelines.html

If you want to say what you think is important about an article, that's fine, but do it by adding a comment to the thread. Then your view will be on a level playing field with everyone else's: https://hn.algolia.com/?dateRange=all&page=0&prefix=false&so...

Don't forget Dutch citizens voted previously in a national referendum against mass surveillance which was promptly ignored and the right to call a referendum repealed.
Indeed, and the government don't care about the laws anyway.

I lived next door to someone that was busted for growing weed. The neighbor on the other side was involved at the time and then continued to harrass him then me because I complained about it for the next 10 1/2 years. The law only allows use of a civilian for a year with a contract in advance and no committing crimes. Didn't stop them. They spent more than 1 million euros in harrassing someone who was already convicted and then their neighbor because they complained.

I was told by the police that my phone had been tapped already, though I had already guessed that.