To not even be sure whether a website you visit, or a file you download is actually what its creator says it is, is like picking up an orange but the government secretly replaces it with an apple that contains almost no vitamin C in it at all.
You have the right to seek out and eat an orange for your immune system and survival, and no government should have the right to interfere with that, at any time.
This law is a fundamental attack on basic quality of life and basic human rights for all Germans. Whoever proposed it should be ashamed of themselves. I hope the parliament outright rejects it for what it is.
The very fact it has been proposed is Orwellian and chilling. Internet giants like Google should resist this technology and tell us when a government has just tampered with our web browsing.
> Whoever proposed it should be ashamed of themselves
Name and shame: Interior Minister Horst Seehofer of the conservative-authoritarian CSU. He and his party friends are who want this.
We have the chance to kick them out of office in 2021, it's time for the stranglehold of Conservative internet-printers (Internetausdrucker, a German word for tech illiterates) as Interior Ministers to end once and for all.
Otto Schily exited office in 2005, fifteen years ago. While he is a law-and-order hardliner himself, he's not relevant for any recent discussions. Since then the office was filled by hardline authoritarians (Schäuble, Maiziere, HP Friedrich, Maiziere, Seehofer).
But if Schily is any indication (and why not?) it doesn't help to have a different party fill that position. Just like it took Nixon to go to China (because he wasn't at risk of being mistaken for a friend of communism) other parties can't afford to look much "weaker" than the current folks - and then have _anything_ go wrong.
> But if Schily is any indication (and why not?) it doesn't help to have a different party fill that position.
I agree on that one. There aren't many progressives in interior politics aside from Left and Greens, the rest is all authoritarian/law-and-order hardliners. Frankly, it's disgusting.
Look at the history of CDU/CSU interior ministers, both federal and in the states. They are authoritarians, and their party line regarding interior politics is authoritarian.
As for calling them Nazis... well, when one looks at the events regarding former Verfassungsschutz chief Maaßen, instituted by HP Friedrich and protected by successor Seehofer until it was no longer tenable, who is accused of having protected the AfD during his term: it's not that far to at least imply ideological support or tolerance toward far right political positions.
Yet more proof that "Conservatism is progressivism driving the speed limit". And the speed limit seems to be rather generous in this case. But for some it's never high enough, they'd pull down all of Chesterton's fences at the merest whim.
> I hope the parliament outright rejects it for what it is.
Unfortunately, there's not much hope for this. As the article states: "The proposed law is already the result of lots of back and forth within the government and many expect it to pass when it is presented to Germany’s congressional body, the Bundestag, after next week."
I wonder how they would break TLS though. Your ISP cannot just break that up. Maybe degrade your connection to http, but without local access to your machine, it would be quite difficult to inject something in a data stream that is encrypted. Easier to do it through app stores of any kind.
Browsers and operating systems include a list of root certificates which includes those of various governments. Pretty much any government can thus issue valid HTTPS certificates for any domain to MITM traffic.
Part of DNS actually prevents that. So long as you are using a browser that has implemented its use, DNS entries specify the public signing key of the destination server, so if the browser receives a packet signed using a different certificate the browser will prevent you from navigating there.
I know for a fact that Chrome and Firefox have implemented this as standard behavior specifically to prevent this kind of man in the middle attack, and have explicitly come out against previous government attempts to subvert this guarantee of privacy.
The biggest problem isn't that your own government might swap that orange you wanted for an apple, it's that by making it possible they also make it possible for a foreign government to do so, and they're likely to replace the orange with cyanide.
The US government has tried and failed to push this kind of idiocy through every other year for the last 2 decades. Every major tech company tells them they will flat out refuse to compromise everyone's safety to accommodate idiocy and the attempt is ultimately dropped.
Yes, I would recommend a VPN service beyond the jurisdiction of your own government. It is not complete protection, but it is another step. Of course paying them is a transaction that would require the provider to regard local laws, but there are still ways around that. The law will be challenged of course and I hope it will get repelled. Until then this can all help. But yes, be careful with your choice of VPN or host your own.
What. It's awful. Privacy doesn't need comparisons or analogies. We have the language to describe privacy in native terms. We don't need help of figurative speech mixing and muddying the waters.
> Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say
I love making analogies. I even compared apples to oranges and it worked!
Humour aside, analogies are really important and I have never understood the disparagement of comparing one group or situation to another. Analogising is a tool to help understand one another and promote diversity.
I always get a kick out of analogies on HN. When there’s a technical concept being discussed, someone will make a non-technical analogy. When there’s a non-technical concept being discussed, someone will make a technical analogy.
And it’s all inevitably followed by an argument about the analogy itself.
I believe that compassionate educational material - which would allow for diverse pedagogical 'ladders' or 'on-ramps' for people on different skill levels - on the core systemic issues/challenges we are currently facing, is a much better strategy than flimsy and inaccurate analogies.
I think there is a common false belief that only technical people can understand some concepts. I believe it’s more the case that as a society we often don’t have good pedagogical tools available to us in the public domain to help people become the critical thinkers our democratic society needs them to be.
I say this with the hope for a shift towards social production/Commons-based peer production, and a re-imagining of the (currently) rentier and extractive business models on digital assets, which make no sense anymore in a digital society where information is light.
Design global, make local.
Favorite authors on this: Aaron Swartz('s manifesto), Kevin Carson and Yochai Benkler.
analogies are great, but there's just literally nothing that corresponds to vitamin c on the internet. the analogy just goes into completely uncharted waters and crashes against the rocks when it pretends that it is a life or death matter. the internet can't stop you getting scurvy - in fact, since it's effective at reducing exercise, it seems to run in the opposite direction from the truth and it's just alarmist nonsense.
Analogies can’t convince anyone who is not already sympathetic – anyone wanting to oppose your point would only poke holes in and argue about the analogy itself; making analogies does not help when arguing. Analogies only help when explaining something to someone who genuinely wants to understand it.
In what theoretical dimension do you find these “neutral interested third party” people? In my experience, every discussion is a result of (at least) two people with both an opposing view and, more crucially, an interest to argue the point. The very prerequisite of a debate is an interest in arguing a specific point of view, which most often precludes any participant being a neutral third party.
Of course, you could always argue “for the gallery”, i.e. not try to persuade your opponent, but to merely use the debate as a platform to reach an audience. But this is not persuasion; this is rhetoric. Analogies can be used as rhetorical tools. But analogies won’t persuade your opponent.
Therefore, if you’re arguing with someone else one-on-one, and there is no one else to win over by rhetorical tricks, you should avoid using analogies, since analogies aren’t persuasive.
Thank you for this conception. Metaphor and analogy are vital in every human endeavor.
As for my reasoning why:
Analogies and other figurative speech are important, not just as conversational tools, but also in thinking.
Language is a metaphorical tool we place on reality to manage and interpret it. This is true for human languages and programming languages. Take Python. This is a high level language which an interpreter uses to help a computer parse it into the needed lower language for its understanding. The language alone though does little on its own without the multiple layers computers use to apply given instructions.
Human language is multiple levels higher than computer languages when it comes to interpreting reality. Pretty much all human language is a metaphor because it doesn't directly mean what we are referring to. It instead refers to our mental conception of what we are attempting to relate to in reality.
Germany has a proven history of doing very bad things, just check the last century and a half and it is hard to find something worse. By comparison, messing up with your computer is a gesture of goodwill, they could give you some Cyclon.
It's funny as the Germans had different priorities from the US. The US mainly wanted to use it to extract information, while the Germans also wanted to increase profits so that they have funds outside of parliamentary control and supervision. So they looked more at the business side of things.
Yeah I doubt the CIA has objected because they got all their needs met from congressional funding. They just already had built plenty of dark money reserves.
people might laugh at you but Colombian "cartels" have deep ties with the government and the military. They even know the patrolling routes of the US Navy.
The German surveillance state was created and run by ex-Nazi secret services (Aufklärung Ost), introduced by the CIA (BND = Organisation Gehlen). You have to look up the various fascist scandals they have been involved in.
"will" = "according to a proposed law", but sadly par for the course for our governments to push this kind of thing through, even if a good chunk of their surveillance laws get eaten by the constitutional court. (Maybe we should have a rule that you can't be in politics anymore if multiple of the laws you supported were found to be unconstitutional? ...)
Well in theory that's what elections are for. But majority of the population doesn't seem to bother that much about those things and elects conservatives again and again. Need to raise awareness on these topics ... but unfortunately our opposition is split between crazy wannabe populists, a green party trying hard not to lose momentum by bringing up "critical" topics and a weak liberal party with a leader who's mostly there for being joked about. (Yeah, yeah, ignorant and simplified classification)
What does "trojans at ISPs" even mean? TLS works end-to-end and ISPs can do absolutely nothing to see the plaintext. Unless the CAs on the user's side are manually replaced with fake ones, nothing can be done. I've never used Windows since I was a kid but I am sure this is pretty much impossible on Linux for example since adding CAs requires root privilege.
Presumably, Germany would have little trouble compelling at least one root CA to sign any TLS certificates they wanted. Just a cursory search shows that Google Chrome, on Linux, trusts, e.g.
> CN = D-TRUST Root CA 3 2013
> O = D-Trust GmbH
> C = DE
There is certificate transparency and pinning and so on, and they would be caught (probably, maybe) if they abused this carelessly and at scale, but in practice, for a small number of targets, it would be trivial to wait for users to connect to a less secured TLS site or even a plain-HTTP site (plenty still exist), and then use a browser exploit as the stage 1, followed by whatever escalation of privilege exploit and rootkit is needed. TLS is really good at preventing always-on dragnet surveillance of everyone's internet traffic, but not a countermeasure against targeted nation state level attacks.
Google, Mozilla, et al. should make a commitment to revoke the trust of any CA that is found to partake in behavior like that. Even retroactive revocation of existing certificates shouldn't be off the table if the offense is egregious enough.
It's actually pretty scary seeing just how many CAs are in the list of trusted CAs on any given device. While no government is beyond reproach, I do wish there were a way for me as a user to say "don't trust anything signed by CAs outside of these few countries, since it's most likely a hijack, phishing, or in the rare case that I did try to visit some random site, I can approve it manually."
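Added example, not part of any comment in this thread: one way to approximate what the comment above wishes for is to audit which root CAs a machine trusts, grouped by the country each root declares, and to list the ones outside a chosen set. It assumes input shaped like the return value of Python's `ssl.SSLContext.get_ca_certs()`; the sample roots are constructed except for the D-TRUST subject quoted earlier in the thread, and the `C=` field is self-declared, so it is a hint about jurisdiction, not proof.

```python
"""Audit trusted root CAs by the country named in their subject (added example)."""
import ssl
from collections import defaultdict


def _name_fields(name):
    """Flatten the nested RDN tuples used by SSLContext.get_ca_certs()."""
    fields = defaultdict(list)
    for rdn in name:
        for key, value in rdn:
            fields[key].append(value)
    return fields


def describe(cert):
    """Reduce one get_ca_certs() entry to the fields an auditor looks at."""
    subject = _name_fields(cert.get("subject", ()))
    return {
        # Some roots carry no country at all; keep them visible as "??".
        "country": (subject.get("countryName") or ["??"])[0].upper(),
        "org": (subject.get("organizationName") or [""])[0],
        "cn": (subject.get("commonName") or [""])[0],
        # Root certificates are self-signed: subject and issuer match.
        "self_signed": cert.get("subject") == cert.get("issuer"),
    }


def roots_by_country(ca_certs):
    """Group trusted certificates by declared country code."""
    grouped = defaultdict(list)
    for cert in ca_certs:
        info = describe(cert)
        grouped[info["country"]].append(info)
    return dict(grouped)


def outside_allowlist(ca_certs, allowed):
    """Return the roots whose declared country is not in `allowed`."""
    allowed = {c.upper() for c in allowed}
    flagged = (describe(c) for c in ca_certs)
    return sorted(
        (i for i in flagged if i["country"] not in allowed),
        key=lambda i: (i["country"], i["org"], i["cn"]),
    )


def load_system_roots():
    """Read the default trust store that Python's ssl module uses.

    Certificates that live in a capath directory are only loaded on first
    use, so this list can be shorter than the store on some systems.
    """
    return ssl.create_default_context().get_ca_certs()


def _sample(cn, org, country=None):
    """Build one constructed entry in get_ca_certs() shape."""
    rdns = []
    if country:
        rdns.append((("countryName", country),))
    rdns.append((("organizationName", org),))
    rdns.append((("commonName", cn),))
    name = tuple(rdns)
    return {"subject": name, "issuer": name}


# Constructed sample input. Only the first subject comes from the thread;
# the other three are placeholders invented for this example.
SAMPLE_ROOTS = [
    _sample("D-TRUST Root CA 3 2013", "D-Trust GmbH", "DE"),
    _sample("Example Root CA 1", "Example Trust Services", "US"),
    _sample("Example Root CA 2", "Example Certificaten", "NL"),
    _sample("Example Global Root", "Example Global Trust"),
]


if __name__ == "__main__":
    roots = load_system_roots() or SAMPLE_ROOTS
    for country, items in sorted(roots_by_country(roots).items()):
        print(f"{country}: {len(items)} trusted root(s)")
    for item in outside_allowlist(roots, {"US", "NL"}):
        print("outside allowlist:", item["country"], item["org"], "/", item["cn"])
```

This only reports; actually distrusting a root is done in the operating system or browser trust settings, and doing so breaks every site that chains to it.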
Browsers blacklisted the Kazakhstan government certificate used for MITM which was not even trusted. It is absurd to expect anything less than blacklisting such a CA immediately. Certificate transparency is required for all certificates since April, 2018, so you can't really issue a rogue certificate.
AFAIK they used a different certificate for MITM. Currently they are using the certificate mentioned in that bug to issue certificates for government websites (like https://elicense.kz/ ), so actually a lot of citizens who need to use government services have to install that certificate as a root anyway.
I don't think that they would use that certificate for MITM. They're not fools and they understand that it would lead to blacklisting it which would halt a lot of operations in the country.
> It is absurd to expect anything less than blacklisting such a CA immediately.
Is it, though? Germany has a lot more economic leverage than Kazakhstan. Suppose they pass a law requiring any browser sold or otherwise offered on the German market to have the government certificate in the chain of trust... how many large companies would cave?
Well.
That is the reason for Certificate Pinning.
And these days there is no excuse to not enable it server-side.
Helped me detect some MITM-Interceptions.
Not that the content was malicious (OpenDNS just rerouted my requests to a "This site is blocked" page, but the certificate was signed by Cisco, and thus valid. Certificate Pinning still picked it up. Little hint: It was an Archlinux-site.).
Here [1] it says that Chrome stopped supporting HTTP Public Key Pinning (HPKP) with Chrome 72. There are other debates on it. See the discussions for excuses.
FinFisher has "drive by infection" packages for sale called FinFly that require traffic injection, according to their brochure. How exactly those work today, I do not know. For example: until 2011 they used a bug in the self update code of iTunes. Having a network level man in the middle can benefit many complex exploit chains.
The "Trojan" is simply the rhetorical framework chosen by German authorities. Their initial successful push for computer surveillance was in the form of the "state trojan", a piece of malware proposed to be installed on the systems of suspected criminals. Successive pushes have aimed at expanding out from there, using the existing capabilities as justification.
For many things there isn't really need to get the payload. Get the IP addresses, DNS lookups and TLS SNI information and correlate to information gathered from elsewhere and you can derive a lot.
+1 for the optimism, but unfortunately even with those mitigations it is not enough. Using a VPN in combination with DoT/H is currently best practice I believe.
Looking at some of Citizen Lab’s excellent reporting on FinFisher shows that victims were redirected to regular unencrypted http downloads when the malware was installed.
One of the examples given was when a user tried to download Avast antivirus from a well-known software hosting site and the download was done over http.
There are several security sites that have downloadable packet captures of malware infections where you can see in Wireshark that redirects are commonly used.
Conceivably: If you have MITM and can inject... you'd next need web browser 0day exploit chain w/ sandbox escape and then a stealthy trojan to install. This would obviously be quite the capability and require a lot of maintenance to work cross-browser, cross-OS, and evade security products / built-in security features. It is definitely possible however.
The law only requires an ISP to redirect traffic to a target specified by the Verfassungsschutz (Constitutional Protection Office) or BND (Federal Information Office), for the purposes of listening in or modifying traffic. It doesn't seem to require installing or providing TLS cracking.
Pretty shocking in a state that has such strict privacy laws. Not sure how the two can come from the same mouth, and even be in public view.
My understanding is that the privacy restrictions are largely the result of half the country having lived under the Stasi, and thus being extremely wary of government eyes. Here it’s out in the open!
> Pretty shocking in a state that has such strict privacy laws. Not sure how the two can come from the same mouth, and even be in public view.
Because they're not necessarily contradictory. This doesn't just give secret services a blank cheque to spy on everyone, it just provides intelligence agencies with a tool.
I'm German and I don't object in principle to the fact that intelligence, under supervision of the government, has the ability to say, infiltrate criminal networks using software like this. Under certain circumstances the police was always able to wiretap a phone, I don't see the difference here other than this taking into account the changing circumstances of internet communication.
Also from a cultural standpoint if anything people in Germany are more sceptical of erosion of privacy by private power than by the state, we're not the US. The former is pretty much unconstrained, the latter is so tightly limited in scope by law it's not really a practical issue. The scary thing about the Stasi wasn't that they were intelligence, every country has intelligence officers who can bug someone's home, it was that the GDR was an autocratic regime.
The scary stuff about the current development is, that we get flooded with arguments about hardcore criminals, but if you look at the actual changes to the laws, such restrictions are not made, instead these extreme measures are allowed for petty reasons and some politicians will still keep pushing for even more totalitarianism. These siloviki want mass surveillance comparable to what China's Ministry of State Security or the USA's National Security Agency have. It does not matter if Germany is not ruled by an autocratic regime at the moment, once such systems are in place, it will be.
> It does not matter if Germany is not ruled by an autocratic regime at the moment
I totally get the appeal of that argument, but it completely breaks down once I ask myself how much that autocratic bogeyman regime, once it got into power, would feel bound by privacy protections put in place by their predecessors.
The question is rather: can they use preestablished structures and machinery or do they need to build it from the ground up. Surveillance also needs work, and it's less work if everything is prepared.
my point was more: any liberal social democratic society that subjects itself to ever-increasing censorship and surveillance will devolve towards totalitarianism.
Totalitarianism has been the mode of human governance since prehistory. It's great, effective, and always tempting. The Western world today is the exception, not the rule.
It's also really hard to establish or continue without the surveillance to detect rebellion and corruption.
It makes a big difference, actually. Few regimes go full-on totalitarian right away - it's more common to have a gradual erosion, where they operate within the letter of the law for a while, while gradually diminishing the spirit. So the more the letter allows, the more abuse you'll see from the get go.
The surveillance, including the mass surveillance of the communication, existed even in older times. It is, for example, documented that both British and US secret services went through all the telegrams that passed their commercial infrastructure, often based on a simple "gentleman's agreement" with the companies, even in the 19th century, and certainly in the 20th.
Other countries were somehow aware of that weakness of telegrams, and the practice of attempting to use some code for telegram messages existed even then.
Back in the age of feudalism the holy roman emperor, who was neither holy, nor roman, nor an emperor, but the head of the House of Habsburg, gave the monopoly of postal services as an hereditary title to the House of Thurn und Taxis who had been building their postal services for two centuries, eliminating their competition in the empire, under the rule that letters are read and checked for conspiracy against the crown. That happened in black rooms, or cabinet noir or Geheime Kanzlei and became common in all of Europe. In the 17th century the "Wiener Postloge" for example was well known for their efficiency not only in opening, copying and re-sealing letters by forging wax-seals, but also for their state of the art crypto-analysis.
It's a trope that "sounds good" but IMHO doesn't get one more knowledge.
a) It was de facto an empire, but with an emperor allowing huge independence to the local rulers. So he was an emperor, even if he couldn't do "anything anytime".
"The power of the emperor was limited, and while the various princes, lords, bishops, and cities of the empire were vassals who owed the emperor their allegiance, they also possessed an extent of privileges that gave them de facto independence within their territories. " (1)
b) It was "holy" in the sense of "Christian" and in the sense of getting weaker due to the "holy wars" raging even between the parts of the empire.
c) the "roman" could be the most disputed, but it reflects the millenniums-long belief of what the "real" empire is supposed to be, namely, the one that is the successor of the rulers by which we name two months in a year even today.
The trope's origin is Voltaire. His influence on the beliefs of the western world must be acknowledged, but it must be recognized that he wrote a lot with the intention of changing them (and some changes were even bigger than he accepted).
"For the historian, Voltaire's famous quip has three aspects: 1) What did Voltaire mean by it in 1756 when he wrote the line in his Essay on Customs? 2) How did contemporaries, including the Austrian Habsburgs, understand it? 3) Does the quote accurately describe the events the Philosophe is discussing (Charles IV of Bohemia and the Golden Bull of 1356)? Voltaire in fact exaggerates the weakness of the Empire in both 1356 and 1756, and uses an anachronistic standard to evaluate both: the quasi nation states of the 1750s. The three parts of the imperial title had changed in meaning during the four centuries after 1356. The jibe nonetheless reflects something of the thought of Voltaire and the French Enlightenment."
Sure, but a police operation surely could attempt to swap the book cipher out for a compromised one, no?
I think the idea that communication ought to be categorically out of reach of intelligence is very novel. I don't think it was even conceivable decades ago that, with legal justification, intelligence could not hack or be completely locked out of the communication of some network. For criminals who are savvy enough, tech has made it much harder, not easier for the government to do their job.
I think there is also a very paradoxical side-effect. A hamstrung government may resort to outsourcing its intelligence work. I read a story about private firms in the US collecting license plate information and selling it back to the police. Clearview AI is certainly another example. If the agencies are limited, there is a real chance of both ineffective policing and a huge unregulated surveillance grey market. I would rather equip the government with enough capacity, but strong legal checks.
Legal checks are a mile-long leash, no matter how strong the cord. This is exchanging freedom for security, since a backdoor like this doesn’t require breaking glass.
There is something hilarious and schizoid in how Germany is perceived and the realities about this country.
They have strict privacy laws? First Nazi personnel in the first half then Stasi personnel in the second half of the 20th century were simply requalified and rehired, each bloody time. How do you think?
They are top environmentally-friendly country? Highest polluting coal power plants in EU are located in Germany.
These are both known and highly controversial issues in Germany. The first one is widely accepted as without any alternative. You can't just replace a whole bureaucracy and in retrospect it worked out to only change key positions. But obviously it was a healing and cleaning process over time. The other thing is to be attributed to the fact that we were very quick to abandon atomic power even before climate change issues were that popular. It's a hilarious contradiction. We now actually also have a plan to also get rid of the coal power plants but it will be hard, maybe we need to reintroduce the candle as a source of light. There is no lack of willingness and intent but reality has us all in its tight grip.
Nazis were indeed rehired to senior positions, but sensitive parts of the civil service were purged of Stasi operatives, although this did take a long time, especially in Saxony. There has been some resentment of the fact that this often meant that the civil service in Eastern states is dominated by 'Wessies'.
Obviously, the OP was talking about the perception of Germany today and I think we can safely assume that no Ex-Nazi personnel is currently working at the German secret service. And coming to think of it, why wouldn't someone who's qualified to spy on others be rehired to do the same job in Germany after the end of GDR? What do you think secret services do?
Regarding "environmentally friendly", this point is correct but you're omitting that Germany just recently passed a law to get out of coal until 2038. The energy produced in Germany will then be pretty much exclusively renewable which is not a small feat for a country with such a large population.
> Hilarious and schizoid are adjectives that I would assign to your post.
Sorry but you are rude.
> I think we can safely assume that no Ex-Nazi personnel is currently working at the German secret service
Stasi personnel though?
Are you expecting that people using such nuanced and subtle techniques like Zersetzung against domestic population [1] will suddenly become ethical towards anyone they perceive as threat? or as undesirable?
On the facade Germans get some show off initiatives (no Street View!), behind the scenes is business as usual.
Yes, you are right. I apologize, I clearly went overboard.
> Stasi personnel though? [...]
I think it's just an over-generalization. Just because you worked for the Stasi automatically makes you a bad fit for a certain job. It really depends.
You forgot the Nazi personnel in the 2nd half. The BND is a NAZI organization. Look up Gehlen. Didn't change much after they died, if you look at the various BND scandals since.
By no means. The Stasi was active in the GDR (German Democratic Republic, "East Germany"), and it is not as if those from the east are particularly watchful for state-instigated surveillance.
This predates the wall, but the wall only confirmed what was going on beforehand.
> Pretty shocking in a state that has such strict privacy laws
If viewed from the different perspective of government intrusion on tech, it can appear less shocking. A government encouraged by its citizenry to use its leverage over tech companies will continue to do so, and not always in the same ways.
Someone said that's a result of constant under-funding and treating your military with no respect - when it's only seen as a choice for those who can't "do any better", you'll get extremists among the ranks.
Sounds plausible, at least in the US soldiers seem to be highly respected and in turn, they respect the country and its people.
I accept the principle; I wish people would take more action, but I for one am American and I have shifted most of my hosting out of the US because of it. I probably don't have much worth spying on, but on principle I oppose any form of blanket surveillance.
Nope, everyone happily shovels all of their data, as well as all of the data their customers provide them, into AWS, which is very cosy with the US military.
You can be reasonably certain that anything in AWS is available to US military intelligence without judicial oversight.
Every American service and product needs to be treated as compromised, it really comes down to that.
Individual companies now need to earn back basic trust.
This doesn't mean you have to completely abandon your favourite service, just have to modify the way you utilize it.
For example, if you absolutely have to use Google Drive, be sure to encrypt your files with appropriate strength first and assume they are actively trying to decrypt and build a file on you.
Why single out America? Snowden's leaks showed the entire Anglo-sphere is compromised (Five Eyes). Is there any reason to think this isn't the case in any NATO/OECD/etc. country?
I live in Denmark and buy hosting/email from a Danish company, but their servers are in Germany. I wonder if they will switch to having servers in other countries (or locally, as they used to have). Otherwise, I'll have to find a different provider.
Possibly, but it's much harder to intercept and mitm specific traffic at that level. On the ISP-side, that's different: they can with high certainty say that some traffic is coming from/to a specific suspect, much like a phone surveillance. This might also apply to individual service, e.g. an email provider.
I think you can collect a lot of good data for law enforcement purposes by tapping datacenter networks. Remember the NSA's "SSL added and removed here :-)" slide?
Raise your hand if you use TLS between your database server and your web frontend. Keep your hand up if you rotated that certificate in the last month. Keep your hand up if you know whether your database's certificate has been tampered with. (i.e. do you check that it's signed by your internal CA? Then who is signing it? Who maintains the ca-certs package? What does the certificate verification code even look like?)
No hands up? Good! The government thanks you for your service. Keep doing what you're doing, they'll keep you safe.
Yeah, but Germany's intelligence services aren't the NSA, neither regarding technical ability, nor regarding the lack of mission constraints. I'm sure they'd love to get their hands on DE-CIX as a whole, but they won't unless somebody with a US passport sits in on the meeting - and if they have that person, they don't need German laws.
I believe that these changes target ISPs and providers like mailbox.org, posteo etc, that have been "privacy first" and not too friendly. These laws aren't for wholesale data intake, they are more like phone surveillance with the added bonus that they (the ISPs and service providers) will be not only required to let them listen in, but to also allow them to inject trojans into the traffic that is being transported. These are very closely related to our laws for mailing services that contain similar things (the wording is very similar as well). They're not for the intelligence services to just walk in and say "Hi, we'll take everything, please", they still require a court order and target specific individuals.
It's the German BND sitting at DE-CIX, but they fully cooperate with the NSA, to the point where they had to answer some ugly questions about why the fuck they helped a foreign intelligence service to literally spy on the German government. The answer was: they don't verify what the NSA queries, they automatically run the selector list and send them the data.
Yes, but as you see, that's already legal (especially if with US-involvement). This is different from that, as it contains the requirement for the provider to manipulate traffic.
> Raise your hand if you use TLS between your database server and your web frontend. Keep your hand up if you rotated that certificate in the last month. Keep your hand up if you know whether your database's certificate has been tampered with. (i.e. do you check that it's signed by your internal CA? Then who is signing it? Who maintains the ca-certs package? What does the certificate verification code even look like?)
But they'd need to filter out traffic for a specific suspect. It's unlikely that their approach will be to try to install trojans on every client computer that has traffic that goes through some DC. And if they want to take over a server they know the location of: they already can.
From my experience in a case where a previous version of that tech has been involved (though normal LE, not intelligence), they do take all the available measures to only hit the target, it's not a shot gun approach.
It's worrying how government spies are getting legal cover to impersonate legitimate entities. Like spoofing a phone number and faking the voice of a loved one. You don't need to be able to compel speech, when you can employ doppelgangers.
> There's even a promotional video of how FinFly ISP sends a fake iTunes update and infects the target system with FinSpy
From the promo video of it running an ancient version of iTunes on Windows Vista and the brochures it seems they inject their malware via software updates in general, not just iTunes.
I wouldn't be surprised if they force the installation of a certificate root they can use to serve malicious updates (for German OS X users, at least). That's a tactic used by agencies in other countries. Apple et al could probably mitigate this with certificate pinning in their updaters but I'm not sure they can get away with that without running into trouble with other countries that expect to be able to MITM updates.
I would be surprised. IIRC those "other countries" are countries like Iran that have also just shut off access to the internet for the country. I still think we have a few more years of internet freedom in Germany before that happens.
Uh, if you actually read the links you posted... from the second article, one of the people visited by law enforcement said "In my opinion, gasify everyone" [Google Translate, I must admit, but there were plenty of quotes like this, so I think it's safe to say this is the intended tone]
I don't see how there is any justifiable grounds to talk about killing people with gas in any context, particularly not in this context.
A YouTuber made a video about an incident between students where one made a racist joke. He [the YouTuber] said about that joke "that wasn't a bad joke" and got convicted for Volksverhetzung - one of the harshest crimes we have. If you get convicted for that as a non-VIP, your life is effectively over in Germany. That's socially worse than a rape conviction.
And back to the point: whether you consider it right to put people in jail for saying mean things or not - it is absolutely not internet freedom. Not by any stretch of the imagination.
This has nothing to do with NetzDG. If he would have spewed something of that caliber openly on the street he would've had to expect the same thing (depending on where in Germany of course).
That there is no "free speech" in Germany in respect to hatespeech has been the case pre-internet too. I'm not a big fan of NetzDG, but I also have to say that I expected much worse censorship-wise when it passed and I haven't heard of gross misapplications of it so far. If anything Facebook and Twitter show that you can still post a lot of hatespeech despite its existence.
You can do many things: You can pass those laws, put people in jail, make up the term "hate speech" and condemn everyone who does that. But you cannot say that we have internet (or any other) freedom in Germany. There is some nice English proverb about a cake and eating it too.
You can try to argue that certain things aren't "hate speech" but I don't understand how you can claim it to be a made up term. Hate is a real thing and if you channel that into certain language you get hate speech, plain and simple.
Germany has an interesting history with regards to what various constituents view as protected speech. As someone who hasn't lived in Germany I freely admit that I have a limited view of such things, but as the other poster mentioned these issues precede the internet.
hate itself is real - a word that has a negative connotation, but was never illegal in itself. You could always hate a person or a football club. That word was taken, rebranded to include among other things everything critical of government and made illegal. That's why hate speech is made up. What is called hate speech today was called a rant, "hot take", an insult or whatever just a couple of years ago. Today we literally have a law against "hate crime" - another doubleplusgood word. These things are not real, they're tools to oppress a critical population. Also note that even true things fall under those "crimes". It doesn't matter if what you say is true as long as it's "insulting" to someone.
What does this have to do with "internet freedom" (whatever that means)? Statements that would get you prosecuted when shouted in the streets have that same effect when posted online. Surprised Pikachu face?
No, that's not "by that logic". The entire point is that internet freedom is about things that are conceptually impossible to do on the streets. Like using a VPN or having net neutrality. It's not about whether you get to do things on the internet that are otherwise forbidden.
FYI: pervasive mass internet surveillance by the US military with the active cooperation of large US telcos AT&T, Verizon, and others already enables this capability in the US and much of the rest of the world.
The surveillance allows them to read the TCP sequence numbers or DNS query IDs, and then spoof valid response packets.
DNS usually isn’t, and TLS still runs over TCP, which is vulnerable to this type of hijacking, so yes, it is indeed still relevant due to both resolution as well as transport layer.
NSA would be very bad at their job indeed if they couldn’t issue valid TLS certificates for any domain to themselves.
There are 270+ CAs out there. All the NSA has to do is compromise the CA cert keys of one of them and they can then generate their own valid certs, completely disconnected from CT. All CT tells you is somebody goofed, was tricked into issuing a cert, or an account was compromised and an attacker generated a cert. In other words, not-super-advanced attacks.
The NSA have plenty of tricks. They intercept devices being shipped around the country/world, they tap cables, they dig into airgapped networks, they compromise satellites, they compromise the internal networks of the world's biggest corporations. They've been doing this for decades. If we don't believe they can compromise one organization out of 270...
> and they can then generate their own valid certs, completely disconnected from CT
Aren't browsers now requiring that certificates from many CAs (if not all of them) are submitted to CT before they are accepted as valid by the browser? That is, a certificate without an attached CT proof, even if it has a valid signature from the CA, will be treated as invalid.
(However, given what's being talked about (MITM of software update servers), this might be enough if the libraries being used by the software updater are not as strict as the browsers, and don't require an attached CT proof.)
The NSA released a who-knows-how-many-day in crypto32.dll to Microsoft recently that allows one to bypass app/driver EC certificate verification. It’s called CVE-2020-0601.
My assumption is that they had it for years and released it for patching the moment they detected anyone else using it.
It’s not TLS, but it’s close. I still think they’d be bad at their job if they didn’t have some method of getting valid certs, and I don’t think they are bad at their job. With bulk collection they may be able to spoof replies to LE DNS verification. There are lots of avenues.
This shows 1,648 relays potentially having their traffic monitored under this law. Out of 6,432 relays, that makes up more than 25% of all Tor relays.
Unfortunately, Tor's design doesn't really go far enough in protecting against adversaries with large swaths of visibility. Perhaps it's time for people to begin shifting to I2P, or some other overlay network with more resilience against these types of adversaries.
Tor might not protect anonymity effectively in that case, but in the case given it would still offer protection because of the way the relay circuits are designed.
Unless it's an exit node. 251 of 1,249 exit nodes reside in Germany, or roughly 20%. Exit nodes aren't supposed to modify traffic, so if the compromise is happening upon leaving the exit node en route to whatever destination, that would still trickle back through all the hops.
True. I was thinking about recent initiatives like https://blog.torproject.org/more-onions-porfavor where security is enhanced by having people put their sites on tor. This is more the i2p model though.
I'm learning German at a fairly low level so I ask this from the perspective of wanting to learn, not as a challenge.
Wouldn't "have to" be "müssen"? In what cases would you use "sollen" to have a similar meaning?
And "sollten" is either Präteritum or Konjunktiv II, which as I understand it would both mean "should have", though in different senses. Why is that a more proper translation of "should"?
Most of the time, "sollen" and "müssen" are interchangeable.
However, there are fine nuances between the words.
In that case, "müssen" is more direct and used as a command which has consequences when not followed, while "sollen" is more of a prompt or demand that doesn't have to be followed.
I would say it more precisely translates to "are supposed to". Although it is clear from the actual content of the article that it would not really be a choice.
No, "are supposed to" is less strict than "must". If the law passes, then they must allow the intelligence services to do this. Or "will have to" if they want to continue to be in the business.
> Provider sollen Internetverkehr umleiten, damit Geheimdienste hacken können
> Geheimdienste wollen Hardware bei Internet-Providern installieren, um Staatstrojaner in Datenverkehr einzuschleusen. Das steht in einem Gesetzentwurf zum Verfassungsschutzrecht, den die Bundesregierung nächste Woche beschließen will. Die Provider wollen keine Hilfssheriffs sein.
> [...]
> Konkret müssen Anbieter die Installation des Staatstrojaners „durch Unterstützung bei der Umleitung von Telekommunikation … ermöglichen“.
So it translates to "would have to, if the law goes into effect unchanged".
Yes, you are right, I'm sorry for the somewhat misleading translation. But I felt "should" instead of "must" would be more confusing, because that would sound somewhat like "the author would like that". Which he definitely doesn't. Anything longer wouldn't have fit the limit.
So that roughly translates to: the state should have access to my personal property (computer / data) and should have the right to do so by any means necessary. That sounds much better. Do remember Article 11 and 13 were drafts as well.
But as a state they forbid sales of Mein Kampf and Nazi paraphernalia, so they're cool and anti-fascist... /s
(Not invoking Godwin's law, this is an actual comment on an actual situation, to point out the hypocrisy of token anti-totalitarian moves - 70 years too late - vs actual totalitarian law-making...)
"will" isn't the exact translation of the headline, the idea is written in an upcoming law that will be discussed (or rubber-stamped?) next Wednesday...
Is it possible to modify HTTPS traffic? Wouldn't they have to replace the CA certs on the target machine first before being able to modify that traffic?
They just have to hijack one existing CA that's within their jurisdiction and force it to issue MITM certs. Key pinning or certificate transparency may mitigate this.
Or the MITM box could use some kind of HTTP downgrade attack and not worry about certificates at all.
That would "burn" the CA (it will be removed and/or blacklisted from every major browser and operating system once it's exposed, and exposing it gets much easier with the recent push towards certificate transparency), so it can only be done once per CA.
Just wait a few years. I'm sure we will get something to support this on the EU level. It'll be positioned as fighting for your freedom and every company that doesn't implement them is the worst.
I think your worry is a bit out of scope.
There is a thing called "Verhaeltnismaessigkeit" in Germany, and in most other countries where "The Rule Of Law" applies, to paraphrase Trudeau.
Meaning: You are not allowed to burn down the house just because the neighbor was playing the music too loudly.
So others are not to be caught in the cross-fire of this operation.
So it will be a very technical challenge to overcome these obstacles.
And since an ISP is not providing updates, coercing OS vendors to alter the CA's for a specific user is a bit far-fetched.
The more likely approach is the acquisition of cryptographic keys to create one's own SSL certificate.
Now: This is the domain of the intelligence-community.
Their bread and butter. Compared to the rest of the world, this community is heavily regulated; you just have to think of the CIA's Black Budget or other agencies from less pleasant countries to get a comparison.
It is best they get the legal framework in place (s.o. heralded it as the OS for society once). The alternative would be clandestine operations outside the law, and that is never good.
The only requirement I would demand for s.th. like this: The solution mustn't be scalable, so as to avoid subjecting large swaths of a population to this, which is challenging with technologies these days.
The good thing is that ISPs will not keel over just because the police are requesting it.
After all they have a reputation and their customers to protect and, let's face it, this is not China, Russia, Iran or some other country where you vanish for far less than demanding more paperwork and speaking out against executive orders.
As long as the mechanisms of a society are functioning and everyone watches everyone and there is due process it works.
It will be a problem if these mechanisms fail though. I for one will be watching with keen interest.
As for the new root certificate to a domain for the agencies:
I already pointed out, s.w. in this discussion, that there is a mechanism called Certificate Pinning. Works wonders if the server configured it.
So yes, they are working on the legal framework, but thanks to the foresight of engineers and people concerned with safety for the general non-technical and technical internet-population, it is a hard challenge officials are facing.
There is no certificate pinning anymore, it's deprecated. Your whole argument is based on the state actually playing nicely and assumes a meaningful oversight of intelligence; both are hopelessly naive.
Does this not invalidate the claims by many small companies that data has good days privacy laws and that your data is safe there? Could we arrange a petition where users of those services can sign up to say they will change providers if the law passes?
Sounds strange to me that they need a law for this, unless it is intended as leverage to coerce ISPs into collaboration. Secret service agencies do exist for the purpose of doing nasty things governments cannot afford to put their names on, or even be associated with; this would include spying on their own citizens. In other words they'd do what they have already done for decades, but this time since it involves ISPs, i.e. a third party whose collaboration and silence are necessary, it is possible that the regulation also includes some kind of gag order preventing ISPs from telling their users they're under surveillance.
Not exactly as easy as they make it sound, thanks to encryption and especially signing. Of course there's probably still enough software not using it and/or users not paying attention.
Germany already had a law where any security software on your machine = you are a hacker.
At least this time it is simply useless. The secret services are not magicians and the fact that they have access to my home network or the link does not mean that they can do anything spectacular.
Well either those advising the legislature, who actually carry out the hacks for the security services in Germany, are idiots; or they're very clever people and know exactly what they're doing.
Or I guess it could be security theatre, or a diversion, but neither of those seems compelling here.
My vote is that, whilst I can't understand how it's accomplished as it seems contrary to technical possibility, that the people with billions of funding to make these things possible (Five Eyes, etc.) are probably capable of many things that look like magic.
You would think that the country, after recovering from both Nazism and a chilling communist rule in the east, would worry more about the surveillance state growing. What is German public sentiment about that sort of thing? Does anybody know?
The current law is not yet big in the media. I am not sure if there will be a big discussion. If public media decides to push this topic, there will be resistance. I doubt that the average German will notice that this law was passed, if there is a lack of big media covering this topic.
The hacker tool paragraph is pretty toothless. I just checked one of those legal tech apps and see 12 judgements total that even mention it. There was quite a bit going on when it passed that effectively clarified that working on, and with, tools like that is legal when there's an assumption of dual use for legitimate purposes, e.g. security research (which is like... all of them). LE use would likely benefit from the same assumption.
Well, as far as I know, all of these countries have political systems in which representatives are supposed to act on the behalf of the people. Basically, we can't all work full time to understand every political thing, and vote on them all, so we have someone do it for us: a representative.
Representatives very rarely represent themselves, and are almost always representing either powerful people (often through lobbying) or citizens.
Given that an absolute minority of citizens are asking for this, it's fair to say it's a top down decision. Most citizens are concerned with things that aren't changing at all, if you'd like further proof on who the representatives work for.
By virtue of it being a top down decision, it is almost certainly being pushed by a small group of very powerful people. When a small group of people have all the power, that's called an oligarchy.
So the question is, why is the oligarchy pushing so hard for control of the internet right now? Well, it's probably not for fun.. so they are worried, I suppose.
Why are they so scared of the citizenry, though? Anyone that is criminal or really needs security will just use Faraday cages with disconnected computers.
Literally there is nothing they can do against big league criminals with this much mass surveillance, so only logical conclusion is that this is only intended for use on citizenry.
I've tried to explain my thoughts on this before, so I'll give it the ol college try again.
I propose that the decentralized, anarchistic, freedom-of-thought nature of the internet has essentially forced an acceleration of the timetables for the totalitarian dystopian system.
The internet caught the oligarchs off guard, in the big scheme of things (the oligarchs make plans that their grandchildren execute)... and it took them a bit to catch up, and they now see it as the primary threat to their otherwise nearly total control of the mass consciousness. Think of every medium of communication, and see how it was more or less captured and controlled, whether it be print, radio, or television, and see that although heavily under attack, the internet is still very free, at least at its core.
This creates a sort of arms race where the oligarchs must corrupt, control and compromise it faster than it can respond in a way that reveals enough of the truth to the masses that they risk some sort of neo-peasants revolt. In that goal they will use their already long tendrils into government and corporate ownership networks et al to accomplish the task. I could get into the nitty gritty, but that's the meta summary.
Surveillance is about control, not about security, but they have gotten very good at the Oxford debate posing that it is. (lamentations about the end of the nation state actor security threat for one)
It weirds me out that you're probably the first person I've seen in years on the internet saying something this "bold" and unambiguous.
I often wonder if there's some system in place which separates us. Or perhaps the combo of logic, intuition, and honesty is just super rare. I don't know, but I hope you're doing well and having a reasonably fulfilling adventure amongst this hellishly senseless superstition culture.
Friendly reminder to go out and see the stars from time to time.
Anarchists and other like-minded people have been aware and vocal about this power structure for decades, centuries even, long before the internet existed.
Why do you think anarchists have generally been tarred as destructive and dangerous in the media and by the political and corporate establishment for so long?
The most insidious thing is that the status quo has become so ingrained in people that they reflexively downvote, censor and ban anarchists, because their masters tell them to.
Thank you for the kind words stranger. I find myself staring at the stars quite frequently actually. Nothing like a full moon night in the desert or high country.
For what it's worth, the journey to this place was not easy for me, and has taken years of searching and learning. The constant struggle is against giving up; apathy is the glove into which evil slips its hand and all that.
It's the only logical conclusion. And given that there's so many of us, and so few of them, and they've been taking advantage of us in a very abusive way... I don't think they're wrong. I think there's a good chance this goes sour for them.
I see. So does this relate to German citizens only or is it true for immigrants as well? I guess it's true for all since the Trojan will be installed on the ISP servers?
Mods: This is an article about a proposed law, so "will" isn't really an accurate reflection (yet, or hopefully at all) and the title should be changed.
My proposal: "New German law would force ISPs to redirect traffic to intelligence services for trojan install" (if that is not too long).
There are a couple problems: one is that proposed bills rarely go anywhere, so it's generally best to wait for a state change [1]. Edit: I think we can override this issue, given that surveillance laws are of particular interest to HN and the comment at https://news.ycombinator.com/item?id=23783164.
The other is that HN is an English-language site. We have deep respect for the German language, but articles on HN need to be in English [2]. I've changed it to https://www.privateinternetaccess.com/blog/new-german-law-wo... for now. If there's a better link, we can change it again.
Yes, you are right, but the current title is just 2 chars under the limit and I couldn't think of a shorter one. Sorry for the somewhat misleading "will".
My somewhat lame excuse: The law will most probably pass, current govt is a coalition of the two largest parties with overwhelming majority and absolutely no clue about anything digital.