German Intelligence Traded Citizen Data For NSA Surveillance Software
An anonymous reader sends news that Germany's domestic intelligence agency, the BfV, was so impressed with the NSA's surveillance software that they were willing to "share all data relevant to the NSA's mission" in order to get it. "The data in question is regularly part of the approved surveillance measures carried out by the BfV. In contrast, for example, to the Bundesnachrichtendienst (BND), Germany’s foreign intelligence agency, the BfV does not use a dragnet to collect huge volumes of data from the Internet. Rather, it is only allowed to monitor individual suspects in Germany -- and only after a special parliamentary commission has granted approval. ... Targeted surveillance measures are primarily intended to turn up the content of specific conversations, in the form of emails, telephone exchanges or faxes. But along the way, essentially as a side effect, the BfV also collects mass quantities of so-called metadata. Whether the collection of this data is consistent with the restrictions outlined in Germany's surveillance laws is a question that divides legal experts."
Networks are not private (Score:1)
One thing people don't seem to understand is that networks (phone, IP, etc) are not private. They aren't designed to be, they were never meant to be. In fact, they were designed for a complete opposite purpose: so that nodes on the network could exchange information freely and without prejudice. The concept of security on a network was added later (poorly) and is antithetical to the purpose of network communications.
Therefore, just assume that whatever information you are sending out on a communication netw
Re:Networks are not private (Score:5, Insightful)
There's a big difference between freely exchanging information and having someone scoop up all that information when it's not addressed to them.
When you sit on a bench in the park talking to your girlfriend, you don't expect some stranger in a trenchcoat to lean in between you and listen to everything you say.
But, yes, it's unfortunate that the warnings from the 90s were ignored, and we didn't get automatic encryption by default across the Net to ensure this couldn't happen.
Re: (Score:1)
But computer and phone networks are not park benches. Again, I don't understand why people don't understand this. Networks are meant to "scoop up" information no matter where it is addressed. In fact, the original networks broadcast all the nodes' information to all the other nodes. This ended because it was inefficient, not due to privacy issues.
You will also never have "automatic encryption" across the network the way they are designed now, because nodes can stand in for other nodes. You cannot be sure wh
Re:Networks are not private (Score:5, Insightful)
No, they're not. Networks are supposed to take data from one machine and deliver it to another. They're not designed to deliver it to anyone else along the way. That's an attack on the network, not part of the design.
And automatic encryption can easily be handled by pushing public keys into DNS. Yes, the NSA could force people to push fake keys into DNS, but then no-one would trust it any more.
Re: (Score:1)
"They're not designed to deliver it to anyone else along the way"
Um, yes, that is EXACTLY my point. They ARE designed to deliver to anyone else "along the way". It is amazing how people don't understand how a network works. If you send information from node A to node B there can be any number of intermediate nodes on the way that also handle the information. This is the original design. Usually the intermediate nodes are switches/routers/etc. They aren't attacking the network.
In fact as I said originally,
Re: (Score:2)
My NIC begs to differ. It receives every packet and discards those not addressed to it, except when I set it to promiscuous mode.
Re: (Score:2)
And automatic encryption can easily be handled by pushing public keys into DNS. Yes, the NSA could force people to push fake keys into DNS, but then no-one would trust it any more.
And this would be different than what they did to the CA system in what way?
Re: (Score:2)
If all else fails, there's out-of-band key exchange...
Blame sentient network? (Score:2, Informative)
Let's be clear about this, it's not accidental snooping by some sort of sentient 'network'.
NSA has been faking certificates, backdooring encryption, faking websites, installing taps into fibre optics around the world, hacking into servers to install back doors, writing malware, blocking encrypted connections to force unencrypted fallbacks etc. etc.
It didn't accidentally wake up and find it was building 7 massive exabyte class data centers!
"You will also never have "automatic encryption" across the network they
Re: (Score:1)
you can exchange a first time key, and to defeat that key exchange, NSA would have to intercept all communications all the time. If it missed the first exchange, it fails, if it missed ANY subsequent exchange, the tap is revealed.
That's actually a great idea. Too bad that security people are all too happy to ignore good solutions and stick with bad ones simply because they haven't yet found a perfect solution. Everyone knows that unencrypted HTTP communications are bad. We also know that certificate authorities merely provide a false sense of security, particularly against people like the NSA. Yet apparently we'd rather stick with bad and worse rather than adopt any idea that is merely "good" but not infallible.
Others have re
I've submitted patches to snort too. (Score:1)
Can I have data on the whole of Sweden in return, please? Actually, no, dragnet operations are immoral... I'll stick to women aged between 18 and 34. Thanks!
(Nobody believes this was the nature of the exchange. This is merely what was written down. Humans are rationalising creatures, not rational creatures, and will formulate official-sounding bullshit in support of anything. Why was Germany really willing to share this data?)
Scaremongering (Score:2, Insightful)
"In my opinion the reality of some rogue terrorist organization obtaining a nuclear bomb and detonating it in a population center is quite real."
Classic scaremongering, but the most likely scenario here is NSA spies on German political machine, US shapes German politics to be compliant to US wishes. Democracy lost in Germany, German business undermined, unfair trade agreements pushed through.... etc.
*Not* terrorist organization obtains nuclear weapon by Hotmail, NSA taps all Hotmail, spots threat, sends dat
Re: (Score:2)
They were willing to share the data because Germany is an ally of the US.
True, but usually between allies it's a matter of courtesy and long-term mutual benefits, not a matter of bargain. I doubt French and German intelligence agencies traded something with the CIA in the summer of 2001 when they warned it that something big was afoot.
Re: (Score:2, Insightful)
This is how the US can spy on its citizenry "legally" for ages. US agents scoop up British and German data. British and German scoop up American data, then all the data is swapped. US never spied on Americans, and German Republic never spied on Germans.
But, they are not Five Eyes. Still don't sit at the big boys table.
A little surprising (Score:3)
One would think that they could not only build an NSA type system, but do it better.
German software companies (Score:2)
I am not familiar with any German software companies other than Software AG and SAP (both of which produce uniformly terrible software).
Then you haven't looked very hard [wikipedia.org]. Plus there are tons of German companies that make software that are not pure software companies. Siemens for example makes quite a lot of software.
Re: (Score:3)
Siemens for example makes quite a lot of software.
yeah, I hear they make centrifuge software with some killer undocumented features
Re: (Score:2)
Are you familiar with Lennart Poettering?
Re: (Score:2)
I find this a little surprising. The NSA might have some great spy tools, but some of the most incredible programmers and IT people that I have ever known are German.
And yet, no software houses but Crytek are known for being German. And when the Nazis wanted to manage the concentration camps, they called IBM. I don't see any evidence that Germans are particularly good at software development.
Re: (Score:2)
Ever heard of SAP?
Oh shit, SAP is German? Well, that settles it. Germans are shit at software development.
OK, not really. I know logic doesn't work like that. But holy hell. If Germans are responsible for SAP, maybe they really are evil.
Re: (Score:3)
Yes, we are. Open Office also used to be ours by the way.
Re: (Score:1)
USA has more experience snooping and more victims, I mean subjects to test it on. Domain experience matters.
Re: (Score:2)
While this might be true, as far as I can tell our best or even good developers would not go to a spy agency as they are intelligent people with conscience.
LOL (Score:2)
Re: (Score:2, Insightful)
Orwell's Oceania comprised the UK and the USA.
Re: (Score:1)
Every time I hear some lefty telling me we need more government and more regulation to prevent abuses by corporations I am reminded of this stuff and laugh out loud. So-called democratic countries of Western Europe and North America already have governments that are more abusive than any corporation ever could be.
Re: (Score:2)
ORLY [wikipedia.org]?
Re: (Score:2)
Holy Chao! I didn't know there had been such a trial!
Too bad that the crimes of Chiquita in the early 20th century won't ever be punished...
Re: (Score:2)
As a general rule, if a politician's lips are moving, they're lying.
Like trading cards (Score:2)
It's A Business (Score:2, Interesting)
What people need to understand about the current security and surveillance industry is that it is, first and foremost, a business. The business of keeping the now tens of thousands of people involved in permanent pensionable employment.
I'm not simply talking about the bonanza of outsourcing, supply contracts, and R&D being enjoyed by companies in the security industry supply chain -- though this is a factor as well obviously. I'm talking about the entire attitude of the 100% government employees who ult
Re: (Score:2)
As usual, when there's another abuse of power by government, some lefty comes along to blame it on EVIL FREE MARKETS!
Because, as we know, if governments controlled everything, they'd never abuse their power like this. No, sir.
Common Deal (Score:2)
I feel like this is a common deal between various western countries and the NSA. At least, this isn't the first time I've heard of it being made, although I don't recall the context in which I've heard of it in the past.