Expenditure Report Reveals Germany Monitors Skype, Google Mail, Facebook Chat
hypnosec writes "The German Government has gone a bit too far trying to be transparent, inadvertently revealing that German police monitor Skype, Google Mail, MSN Hotmail, Yahoo Mail, and Facebook chat when necessary. The revelations, spotted by the annalist blog, come from a report of expenses incurred by the Federal Ministry of the Interior following a parliamentary inquiry. The report contains lots of tables and as many would find those boring, some highlights: On page 34 and page 37 of the report, line items 486 and 265 respectively represent decoding software for Google Mail, MSN Hotmail, Yahoo Mail for prevention and investigation."
Reveals too much? (Score:5, Insightful)
Isn't it good that the government is transparent?
Re:Reveals too much? (Score:5, Insightful)
I don't understand why they modded you down.
Being transparent (and therefore disclosing what can be seen as wrongdoing) is a GOOD thing.
I did not like the "too transparent" suggestion that seems to lead to the conclusion that it's better to be secretive so you can get away with wrongdoing. Which is where USA seems to be going. No oversight due to never ending secrecy claims.
Now, in this specific case, the revelation had little to do with transparency of that issue but of a mistake regarding government expenditure.
Re: (Score:2)
Thirded. Came here to say the same thing.
Re: (Score:1)
So far, there is no evidence of wrongdoing, just that they have, and may have used software for accessing various services used by people to communicate.
A separate investigation would be needed to see if the German police services are using these tools following German laws.
Re: (Score:2)
Skype is a slattern - and its pimps are voyeurs.
Achtung !
Irony that is (Score:2)
Hello and welcome to the Internet. You must be new here. We here do sometimes happen to speak in strange tongues, sometimes we might even portray a thing desirable as being appalling. That is a rhetoric trick called irony, sometimes even sarcasm. HTH.
What the author meant to say was this: the government probably did reveal more than they meant to, as spying on their own citizens on a regular basis is so 1984, and no one from 2012 wants to live in a future like that and we'll have elections here in Germany so
HTTPS (Score:1)
Isn't most Google Mail traffic SSL encrypted?
Re: (Score:1)
I have that problem
Re:HTTPS (Score:4, Insightful)
I thought it all was. I get redirected when I try to use non-SSL.
A smart man-in-the-middle would yank that redirection, and 99% of the users wouldn't notice the missing s after http. Or if the s is there, they would not notice that they are on gooogle.de rather than google.de...
As long as the users rely on redirections for their safety, rather than entering the full URL (including the https part) themselves, they are fair game for men in the middle.
And all this without even installing a Bundestrojaner on the victim's computer...
Re: (Score:3)
A smarter man-in-the-middle would have their own CA in your trust store, so you still get your fancy SSL supposedly pointing to the same site, only signed by TheMan instead.
"Best" of both worlds - you still get an encrypted session to keep out the non-TheMan snoopers, and TheMan gets to watch you.
Re: (Score:3)
Whereas a missing redirection to https would be blamed on a glitch in google's servers, or on the phase of the moon...
Just witness what happened to this infamous Dutch CA, which got hacked, and suddenly had loads of bogus certificates bearing its signature in circulation...
Smart spooks only risk revealing thei
Re: (Score:2)
Was not aware of Certificate Patrol. Sounds useful... will look into that.
There's no PR though in what I'm thinking. All they would have to do is get their own CA trusted by a root trust, (which could have some PR) OR they could simply get their own installed in their target(s) browsers in which point they could issue any SSL cert they wanted without having to involve a third party.
Then, the MITM "proxy" would re-wrap the SSL with their own certificate. Google would be none the wiser, and the end user would
Re: (Score:2)
All they would have to do is get their own CA trusted by a root trust, (which could have some PR)
... which would indeed be very obvious to Certificate Patrol, and would certainly embarrass the "root trust" which certified the rogue CA.
they could simply get their own installed in their target(s) browsers
Sure. That's basically a similar approach to the Bundestrojaner, but instead of installing a keylogger, they would "just" install their rogue root certificate into the victim's browser.
Re: (Score:2)
It's been a while since I used Cert Patrol, but I don't think a user would necessarily realize a MITM was happening because it generates so many alerts for legit/mundane cert changes. I stopped using it around the time I realized the CA trust model is fundamentally broken.
The bogus cert you mention got detected because it went into circulation... But having a CA participate in "lawful intercept" against a handful of targeted individuals at a time (per domain) carries far less risk of being detected.
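The certificate-change checking argued over in the comments above (what Certificate Patrol is described as doing, and the complaint that it alerts on mundane changes), as an added example that is not part of the thread and is not Certificate Patrol's code. The record fields, the 30-day renewal window, the verdict names and all sample hosts, CA names and key hashes are assumptions made up for the illustration.

```python
"""Certificate-change triage in the spirit of a pinning add-on (added example)."""
from dataclasses import dataclass
from datetime import date

RENEWAL_WINDOW_DAYS = 30  # assumed policy: re-keying this close to expiry is routine

@dataclass(frozen=True)
class CertSeen:
    """What the client remembers about the leaf certificate a host presented."""
    host: str
    issuer: str        # name of the CA that signed the leaf
    spki_sha256: str   # hash of the leaf's public key (short made-up values below)
    not_after: date    # leaf expiry date

def classify_change(old: CertSeen, new: CertSeen, today: date) -> str:
    """Return 'same', 'routine', 'review' or 'alert' for a newly seen certificate."""
    if old.host != new.host:
        raise ValueError("observations belong to different hosts")
    if old == new:
        return "same"
    if old.spki_sha256 == new.spki_sha256:
        # Same key pair re-certified. A proxy re-wrapping the session has to
        # present its own key, so this is not the interception pattern.
        return "routine"
    if old.issuer == new.issuer:
        days_left = (old.not_after - today).days
        return "routine" if days_left <= RENEWAL_WINDOW_DAYS else "review"
    return "alert"  # new key and a different CA vouching for it

def triage(known: dict, observed: list, today: date) -> list:
    """Compare each observation with the stored one; return (host, verdict) pairs."""
    results = []
    for cert in observed:
        previous = known.get(cert.host)
        # First sighting of a host is stored as-is (trust on first use).
        verdict = "new" if previous is None else classify_change(previous, cert, today)
        if verdict in ("new", "same", "routine"):
            known[cert.host] = cert  # 'review' and 'alert' never replace the stored cert
        results.append((cert.host, verdict))
    return results

# Constructed sample data: hosts, CA names and key hashes are made up.
TODAY = date(2012, 10, 10)
STORE = {
    "mail.example.test": CertSeen("mail.example.test", "Example CA 1", "aa11", date(2012, 10, 25)),
    "chat.example.test": CertSeen("chat.example.test", "Example CA 1", "bb22", date(2013, 6, 1)),
}
OBSERVED = [
    CertSeen("mail.example.test", "Example CA 1", "cc33", date(2013, 10, 25)),  # renewal
    CertSeen("chat.example.test", "Example CA 1", "dd44", date(2013, 9, 1)),    # early re-key
    CertSeen("chat.example.test", "Other Root CA", "ee55", date(2014, 1, 1)),   # CA switch
]

if __name__ == "__main__":
    for host, verdict in triage(dict(STORE), OBSERVED, TODAY):
        print(f"{host}: {verdict}")
```

Separating routine renewals from issuer changes cuts the alert noise, but an intercepting certificate issued by the host's usual CA rates at most "review", so this check alone does not surface that case.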
Re: (Score:1)
Which is useless if the party that wants to monitor you is somewhat sophisticated:
a) they have access to your computer remotely (keylogger, screengrabber, remote desktop, etc)
b) they can make you think you're accessing Google (MITM)
Re: (Score:1)
Verisign hand out all their certificates to major governments, haven't you heard?
Re: (Score:1)
What's funny about this, is that it's not even a paranoid conspiracy theory or some kind of obscure secret. They say they do it. They promise all users that it's guaranteed to be insecure.
Re: (Score:2)
Sure, from your browser to Google's server it's encrypted. What about from Google's MTA to the next MTA? Or from that MTA to the one after that? What if the recipient uses plain old POP3 to access the email you sent through GMail using HTTPS?
If your message isn't encrypted end to end, it may as well not be encrypted at all.
news? (Score:2)
how is this news? (tinfoil fully charged)
Re: (Score:2)
this is new insofar as it is an official government document. The common knowledge you mentioned was mostly based on (plausible) assumptions and verbal statements of politicians/law-enforcement spokespersons.
can't make you happy (Score:5, Insightful)
lack of transparency: complain about lack of transparency
transparency: complain about what you see
I'd much rather be able to see that my government is doing something I'd like to know more about, than to know that they're hiding something from me that's potentially of interest to me.
"gone a bit too far"? (Score:4, Insightful)
I personally would like to know and hold my government responsible for things like this. In theory one might argue that given a suitable warrant it might be perfectly reasonable to monitor someone. The German people have a right to know what their government is doing IMHO.
I guess the culture in Europe vs. the U.S. is probably quite different... But no matter what the reasons transparency is almost always better than the opposite.
Re: (Score:1)
Indeed, common sense tells me that a government that keeps secrets can't logically be representing the people they keep secrets from -- just as a business contract can't possibly represent both parties' interests when one party refuses to disclose all pertinent information to the other. (As we all know, the relationship between government and citizen is supposedly represented by a contract.)
Searching for details reveals wikileaks (Score:4, Informative)
Pfff, stupid full article. (Score:2)
I'd prefer... (Score:1)
Re: (Score:3, Interesting)
I'd actually prefer they not tell me when/where they monitor, but what they monitor. See, there are very bad people in the world who want to kill me and destroy my country. Doesn't matter which country. I want my government to have the ability to monitor them. I want to know the magnitude of the monitoring, so that I know the government is still part of "me and my country" instead of the evil people. However, I don't want the evil people to know when and where they are being monitored.
Re: (Score:2)
I want to know the magnitude of the monitoring, so that I know the government is still part of "me and my country" instead of the evil people.
Please stop badmouthing the US. If your country's government is cooperating with us, there are probably good freedom-related reasons they're doing so.
Re:I'd prefer... (Score:5, Insightful)
See, there are very bad people in the world who want to kill me and destroy my country. Doesn't matter which country.
Wrong. Brazil is one of the largest economies in the world, and a regional power in South America, with influence over all our neighboring countries. But we don't have enemies. Why? Because we mostly keep to ourselves. Our relationship with other countries is one of selling and purchasing, not one of throwing military might around. Truth be told, a few times some more ideologically motivated governments of ours indeed started moving into that direction, but the next one usually defused the situation by reverting the idiot policy, thus bringing back international goodwill. So, although we do have lots of internal social issues, at least one we don't have is the entirely optional one of terrorism, which we avoid by the quite simple expedient of not pissing people off.
Which doesn't mean avoiding legitimate wars when they present themselves. The trick here is to not start them. Keeping to oneself does wonders in that regard too. The other country has a dictator you despise? Don't mess there, it isn't your problem. It has a dictator you like who's going to be overthrown? Don't mess there, it isn't your problem. There are troops marching into your borders. Oh, now you go and mess there.
How hard can that be?
Re: (Score:3)
Wrong. Brazil is one of the largest economies in the world, and a regional power in South America, with influence over all our neighboring countries. But we don't have enemies. Why? Because we mostly keep to ourselves. Our relationship with other countries is one of selling and purchasing, not one of throwing military might around.
That can get difficult -- what do you do when one of your trading partner countries refuses to trade with you, because you refuse to be unfriendly to a country they don't like?
(The potential is there for Brazil regarding the Falkland Isles.)
Re: (Score:2)
That can get difficult -- what do you do when one of your trading partner countries refuses to trade with you, because you refuse to be unfriendly to a country they don't like?
Consistency is key. If they know you absolutely will not give up neutrality, they don't try making you give up neutrality, as they know it'll be futile. But even if they decide to stop trading with you, well, you stop trading, all the while keeping diplomatic channels open.
Regarding the Falkland Islands, I don't know details on how our diplomacy deals with it, but Argentina is indeed our biggest regional trade partner, and they do have this habit of now and then simply suspending trade while they attempt fai
Re: (Score:2)
The other country has a dictator you despise? Don't mess there, it isn't your problem. It has a dictator you like who's going to be overthrown? Don't mess there, it isn't your problem. There are troops marching into your borders. Oh, now you go and mess there.
How hard can that be?
I'm all for letting countries stay to themselves, but why does a dictator need to step on your lawn before he gets a response? Didn't most of Europe take that stance during WWII?
Germany annexed Austria, violating the Treaty of Versailles and St. Germain ... no response.
Germany invaded Czechoslovakia ... no response.
Italy conquered Albania ... no response.
Germany attacked Poland ... finally a response! (and 6 years of world war)
Re: (Score:2)
I'm all for letting countries stay to themselves, but why does a dictator need to step on your lawn before he gets a response? Didn't most of Europe take that stance during WWII?
There are exceptions to any rule. The problem is when the exception becomes the rule.
Or rather, they have the ability (Score:4, Insightful)
This is not a direct proof of snooping, just that the German government has the ability to do so. That doesn't necessarily mean that it abuses that power in warrantless monitoring.
Re: (Score:2)
This is not a direct proof of snooping, just that the German government has the ability to do so. That doesn't necessarily mean that it abuses that power in warrantless monitoring.
And what?
Even if they don't do it today, they'll do it someday.
Re: (Score:2)
As long as they obtain a warrant before doing it I see no problem.
Re: (Score:2)
You mean like in the US....where they used to require a warrant but no longer do?
Re: (Score:2)
This is not a direct proof of snooping, just that the German government has the ability to do so.
That's even more significant, because if the German government has the ability to do so, who else does? It means that SSL and the Skype protocols are not nearly as secure as one might have thought. That's much bigger news than the fact that the Germans might be spying on a few of their citizens. (Unless you happen to be German, in which case that too is a really big deal.)
Re: (Score:2)
I don't think they cracked SSL, rather they plant a trojan on target machines.
Re: (Score:1)
I don't think they cracked SSL, rather they plant a trojan on target machines.
The item on the list reads "Software to decode recorded telecommunications: Google Mail, MSN Hotmail, Yahoo Mail" (2 identical items with different price actually)
Re: (Score:1)
This is the same German government that a few years ago was complaining that Skype was too hard to monitor, right? Now Microsoft owns them and I seem to notice that monitoring Skype seems to no longer be a challenge.
Next question: which particular slimy nation-state put MS up to buying Skype so they could wreck a perfectly good security system?
Isn't there a word for corporations and governments acting together for common goals? Starts with an "f" I think...
Re: (Score:2)
This is not a direct proof of snooping, just that the German government has the ability to do so. That doesn't necessarily mean that it abuses that power in warrantless monitoring.
So, let's ask them for details on what they have been doing. Cue response: "National Security! We can't tell you!" sotto voce "Monitor him, he's asking questions".
you know who else... (Score:4, Funny)
Surprised? (Score:5, Insightful)
I'm not. Any modern government (law enforcement or intelligence agencies) would or at least should have this capability. The real question is, do they use it without warrants, use it in an indiscriminate fashion, etc. If they were going after a legitimate suspect, they should have the capability to do so.
Re: (Score:2)
I'm not. Any modern government (law enforcement or intelligence agencies) would or at least should have this capability.
Really? Because saying they should have this capability is equivalent to saying we shouldn't be using strong, effective encryption.
Re: (Score:2)
I'm not. Any modern government (law enforcement or intelligence agencies) would or at least should have this capability.
Really? Because saying they should have this capability is equivalent to saying we shouldn't be using strong, effective encryption.
National security trumps your ability to keep your Skype conversations absolutely private. Sorry, but what else do you expect?
Good job Germany... (Score:1, Flamebait)
Way to set your government back a generation.
I'm sure references are bound to be made towards Fascism, etc etc... but frankly... it just reinforces a bad stigma against Germany after all the bad thoughts already in place over the past 100 years.
Really though, I'm sure the US does this, but just isn't quite 'that' transparent yet.
Re:Good job Germany... (Score:5, Insightful)
Re: (Score:1)
And so a pedantic twit get's to put another notch on his belt...
Try being pedantic yourself -- it's "gets". Apostrophes aren't just random little pre-s symbols you know.
Re: (Score:2)
And so a pedantic twit get's to put another notch on his belt...
Try being pedantic yourself -- it's "gets". Apostrophes aren't just random little pre-s symbols you know.
There's a difference between making a small grammatical mistake like the GP and talking utter bollocks like the GGP.
Re: (Score:3)
Countries or governments do not monitor. These are people who monitor other people.
No these are people acting as representatives of the government, which is in itself a representative of the people of that country.
I've seen this ultra-individualistic pseudo-libertarian crap on Slashdot before. So, for example, that's not a US soldier shooting a member of al Qaeda, they're just two guys having a mano a mano fight with no need for The Government to be involved or even exist. It's stupid.
Re: (Score:2)
For example, we know of an extreme case, when a military officer sent a CD with sensitive information to WikiLeaks.org
But the same may happen with one's data from monitoring. It can be sent not only to a government via an official channel, but to a local mob, to political extremists, it can get just to a crazy person from physical people, who
Re: (Score:2)
The fact that Germany actually openly admits it is a feather in their cap. Everyone does it, Germany just has the decency to be forthright about it.
I don't think Germany openly admitted it -- more likely they forgot to suppress it.
Re: (Score:1)
I think it's kind of funny I got modded flamebait when the only part of my post which was negative was the shot at Germany in the first line. I'll admit, that was intentional.
The rest was actually explaining that we shouldn't be surprised to see REAL flamebait and Nazi references since this is a critical report on Germany.
I'm also quite aware that we're all monitored probably much more than we'd like or be even remotely comfortable with if we really knew.
Just because they have the s/w != using it (Score:1)
Just because they have the software, some of which is used to send secure encrypted Skype and decode it on the other end, does not mean they're using it on you.
Now put some underwear on.
I mean, seriously, that's just gross.
For extra hilarity (Score:2)
Meanwhile, the German federal consumer protection minister is widely known for criticizing Facebook's poor record on privacy.
She's right, mind you, but it's still funny.
People seem to be systematically blind to threats from the public or private sector, depending on political affiliation. Right-wing Americans chiefly fear their own government, not caring what corporations might do with their data. In comparatively liberal Germany, the untechnical mainstream froths at the thought of Google showing a publical
Well that about wraps it up for Skype (Score:2)
Now how are those alternative VOIP/Video clients coming along?
Cheap! (Score:1)
Not too expensive, this decoding software of theirs.