www. O S N E W S .com
Dutch gov. proposes cyberattacks against... Everyone
By Thom Holwerda, submitted by Jane Doe on 2012-10-23 18:24:52
"Last week, the Dutch Minister of Safety and Justice asked the Parliament of the Netherlands to pass a law allowing police to obtain warrants to do the following: install malware on targets’ private computers, conduct remote searches on local and foreign computers to collect evidence, and delete data on remote computers in order to disable the accessibility of 'illegal files'. Requesting assistance from the country where the targeted computer(s) were located would be 'preferred' but possibly not required. These proposals are alarming, could have extremely problematic consequences, and may violate European human rights law."

You get true net neutrality with one hand, but this idiocy with another. This reminds me a lot of how some of our busy intersections are designed; by people who bike to city hall all their lives and have no clue what it's like to drive a car across their pretty but extremely confusing and hence dangerous intersections.
.
RE[2]: Good idea?
By error32 on 2012-10-24 05:17:57
As a matter of fact, I have lived in the People's Republic of China for some time. I know the difference between oppressive and free countries first hand...
I know enough to say that I could accept it in the Netherlands and not somewhere else.
Permalink - Score: 2
.
RE[3]: Good idea?
By Soulbender on 2012-10-24 06:26:12
Yeah, but I bet everyone else might not be so keen on letting the Dutch spy on them. I know I'm not.
No-one died and made you the world police.
Permalink - Score: 4
.
Comment by MOS6510
By MOS6510 on 2012-10-24 06:59:35
I think we have a secret intelligence service for these kinds of operations, certainly if it's done abroad.

Every computer is unique, even if they're all same model Dells running the same version of Windows. No doubt the police spytool will work on one and crash another. No doubt this will also happen to innocent people. I know of a case where someone I knew got arrested and his equipment taken, because he had the same on-line username as some idiot. That's the only thing they had in common, yet it took months before he got his stuff back.

This is another step towards a police state. It's not a term I like to use, because it quickly gives the impression that it sounds worse than it is, but it's another way of secretly checking up on people. You're being spied on by people you can't even see.

Probably it will only be used for very serious crimes, but then we'll get some statistic that some lesser crimes cost us far more money so the public wouldn't mind if they lower the bar. Before you know it you'll get arrested if you have over 10 MP3 files of which they can't determine if they are legal or not.
Permalink - Score: 2
.
RE: Comment by MOS6510
By pysiak on 2012-10-24 07:35:36
> Probably it will only be used for very serious crimes, but then we'll get some statistic that some lesser crimes cost us far more money so the public wouldn't mind if they lower the bar. Before you know it you'll get arrested if you have over 10 MP3 files of which they can't determine if they are legal or not.
Both old and recent history have proved, time and again, that with everything, including governments, when there are means, they will be abused.

One phrase here is weird: 'illegal files' -- can a file be illegal? If I infringe on some property or right and thus create a file, the *act* of creating the file is illegal. If the same file is now in possession of someone who is authorized or has the rights to use the file, then it's legal. Illegal are activities, not things. Or am I wrong?
Permalink - Score: 2
.
RE[2]: Comment by MOS6510
By MOS6510 on 2012-10-24 07:47:27
I know it's not illegal to own a car, but in the Dutch city of Rotterdam the police actively look out for expensive cars with young people in them. If they can't explain how they paid for it they're in trouble.

It's comparable with having 1.001 MP3 files on your hard disk while not owning the CDs or having an iTunes account. This doesn't make them illegal files or make the act of getting them illegal, but it may be fishy enough for the police to hassle you.

Downloading stuff is legal in The Netherlands, yet the anti-piracy foundation keeps pretending it is.

If something isn't illegal they'll try to make it so. With MP3s they might throw in a statistic saying how much music is pirated and if we stopped it music would become cheaper and artists happier. They can't stop it of course, the only victims being foolish kids, but even if they could the prices wouldn't come down anyway.

I think the problem with cyber crime is that the dangerous people aren't easily caught. These cyber crime laws will catch more normal users, a number who didn't even know their daughter downloaded some music on her parents' PC, than they will real bad guys.

If you're a serious cyber criminal you'll know how they're trying to track you and you take measures. That leaves the general public.
Permalink - Score: 3
.
RE[3]: Good idea?
By pgeorgi on 2012-10-24 08:00:31
> Yes indeed, trust is the keyword here. If I would live in another country I would not be able to see a positive side to this.
Just read the other day (from a US perspective) how in Iran the Ayatollah (portrayed as "the bad guy") reused the snooping infrastructure of the Shah ("the reasonable guy") after taking over power.

Also, the Netherlands had a "religion" field in their citizens register, which became an issue when the Nazis went in. (for the Nazis, that harmless item became useful infrastructure)

It's nice to be able to trust your current government, but it's not a bad idea to think about the consequences when things change. (In case of the religion field, it's hard to think of _that_ before it happened, but AFAIK many European countries stopped keeping track like that after WW2 due to what happened)

Both Ayatollah and the Nazis could have built up the desired infrastructure by themselves after their power grab, but each would have taken time. Time that could prove crucial when attempting to set things straight early.

Giving police (or anybody) up-to-date equipment to easily enter machines can be very uncomfortable for a democratic opposition of an undesirable future government.
And since there's so much future ahead of us, I'm afraid things are just bound to happen. Not everywhere, but the "let us (but only us, and secretly) snoop on computers" movement is uncomfortably global.

> Considering things like child pornography, we have had some issues where an apprehended suspect had this on an encrypted drive. In that case it might be very useful for law enforcement to be able to get the encryption's key in advance some way or other.
And plant some data on the way, since the images on the suspect's system are uncomfortably close, but not quite illegal yet ("but he's definitely one of 'those'")?

Or to push the statistics, so everyone can see that this newly granted power was really, really necessary? (Wouldn't even have to be organizational. One "well-meaning" staff at the right place is enough for real damage)

In the end, I'd prefer the police to hunt those who physically hurt children, not necessarily those who keep the pictures (those, too - but IMHO it's secondary).
Otherwise we'll live in a world where family members still rape their kids (people close to the children make up >80% of the abusers), but simply don't produce graphic evidence anymore.
Permalink - Score: 5
.
RE[3]: Comment by MOS6510
By Doc Pain on 2012-10-24 09:54:17
> If I were a government entity, I'd research ways to break into ordinary computers through the channels manufacturers grant themselves access to, such as OS update mechanisms (which work independently of any inbound firewall techniques, and updates are ostensibly legitimate to an administrator).

> How likely is it that no governments have infiltrated the ranks of apple, microsoft, google, ubuntu, etc to copy their signing keys?


That surely is the easier way, but it's possible to do similar things (i. e. hijack the updating mechanism) with no "official" signing:

> The full mechanism isn't yet completely analyzed, but Flame has a module which appears to attempt to do a man-in-the-middle attack on the Microsoft Update or Windows Server Update Services (WSUS) system. If successful, the attack drops a file called WUSETUPV.EXE to the target computer.
>
> This file is signed by Microsoft with a certificate that is chained up to Microsoft root.
>
> Except it isn't signed really by Microsoft.
>
> Turns out the attackers figured out a way to misuse a mechanism that Microsoft uses to create Terminal Services activation licenses for enterprise customers. Surprisingly, these keys could be used to also sign binaries.
>
> [...]
>
> Microsoft has announced an urgent security fix to revoke three certificates used in the attack.
>
> The fix is available via — you guessed it — Microsoft Update.


Source: "Microsoft Update and The Nightmare Scenario"

http://www.f-secure.com/weblog/a...

The less people care and leave security considerations to others (often: no one), the easier such investigation tools could be deployed widely. Unnoticed by users who don't care anyway, even "artificial evidence" could be created, fitting the bill well:

1. Install malware on targets’ private computers

2. Conduct remote searches on local and foreign computers to collect evidence

3. Delete data on remote computers in order to disable the accessibility of “illegal files.”

as explained in the article. "But I didn't write or download that!" - "But we found it on your PC." - "I didn't do it!" - "Prove that." :-)
Permalink - Score: 4
.
Federal Trojan
By anda_skoa on 2012-10-24 10:07:51
The German authorities have one of those and might have used it already.

Its lack of security has been exposed numerous times by organisations like the CCC, yet politicians claim it cannot be abused.

Same thing would happen in this case, machines would be made vulnerable by organisations supposedly charged with keeping everyone safe. Irony
Permalink - Score: 3
.
RE[4]: Comment by MOS6510
By Alfman on 2012-10-24 14:03:16
Doc Pain,

"Source: 'Microsoft Update and The Nightmare Scenario'"

Good link to show that these things do happen. This faulty process has presumably been corrected, but that signing keys could be leaked to a government agency is a problem shared by all update mechanisms.


To protect your assets from snoops (corporate or governmental) you really should run two separate networks, one where nothing is allowed to connect externally, and another which can connect externally. Then no components like flash drives can be shared between the networks. This way if there is a backdoor, it cannot be accessed and cannot be used to control the machine. Frankly most people don't have anything worth protecting to this extent, but if you're operating an Iranian nuclear facility, you probably do.
Permalink - Score: 3


No new comments are allowed for stories older than 10 days.
This story is now archived.

© OSNews LLC 1997-2007. All Rights Reserved.
The readers' comments are owned and a responsibility of whoever posted them.