Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Censorship Communications Government The Internet

In Kazakhstan, the Internet Backdoors You (csoonline.com) 94

itwbennett writes: Kazakhstan passed a law that would require citizens to install a certificate on their personal computers and mobile devices that would allow the government to snoop and capture web traffic, passwords, financial details. Telecom.kz posted the news to their website on November 30, but by December 4 the press release had been removed from the website. This is just the latest example of government overreaching. Recently we've seen the Turkish government attempt to block access to social media sites. And let's not forget Thailand's attempt to roll out their own man-in-the-middle implementation.
This discussion has been archived. No new comments can be posted.

In Kazakhstan, the Internet Backdoors You

Comments Filter:
  • by loony ( 37622 ) on Tuesday December 08, 2015 @10:23AM (#51080973)

    I bet that there, the government has the legal authority to do this, so what's the big deal? Here we have that pesky thing called the constitution, and the government still does the same even though they knew it was sketchy at best, but probably illegal.

    Peter.

    • I bet that there, the government has the legal authority to do this, so what's the big deal? Here we have that pesky thing called the constitution, and the government still does the same even though they knew it was sketchy at best, but probably illegal.

      Peter.

      Oops, the NSA already has their cert installed in Firefox, IE, Chrome, and other web browsers as well by default:
      http://security.stackexchange.... [stackexchange.com]

      So this is an issue of Kazakhstan just catching up to the US.

  • look on in envy ...

    I visited the ISP's web site to try to see exactly what is supposed to be loaded onto a machine, but I don't read their language.

  • by Anonymous Coward

    ...but if I were a competent intelligence agency, I'd buddy up with a CA that has its root in all the major browsers, and MITM by redirecting traffic to my servers, once I'd obtained a warrant from a judge for targetted surveillance. IOW, I'd take a reasonable interpretation of the US Constitution's 4th amendment.

    If, OTOH, I just wanted to spy on all my citizens, perhaps collecting data to make sure everyone can be identified as a criminal in future if needed, I'd do as described in the article. IOW, I'd be

  • How would the government enforce this? "Uh, oh yeah, I installed your certificate, wink wink."
    • Ultimately, there's probably a more-than-just-implied idea that your ass will get dragged off to jail or shot if you fail to comply.

      The same thing which happens in all such regimes, and the same thing the US is trying to achieve -- failure to comply with state security is a crime.

      Make no mistake about it, this is the exact same direction Western countries are heading, because they all make the same argument that the state requires unfettered access to monitor us.

    • when the laws are technically incompetent, the only real de facto law of the land is technical competency. for good ends or bad ends

      technical illiterates, good and bad, beware in such a land

      • No, the real de facto law of the land still boils down to men with guns and how willing they are to use them.

        And I'm pretty sure in Kazakhstan, the law is being enforced by technical illiterates.

        Beware the clever guy who thinks his technical literacy will trump the men with guns who don't give a crap about your own perceived awesomeness.

        Even in the US, that won't get you very far.

        • by Anonymous Coward

          I always found it funny that tech-heads could believe technical prowess might beat violence. High school should have taught them better. How many nerds have suffered hell at the hands of bullies all the while fantasizing about convoluted plans of revenge that would never work, and kept being beaten up? The same mindset is seen now: the unwillingness to understand that lawmakers backed by hosts of violent people trump your "tech-savvyness" each and every time.

          • even when you can frame them for online chatter they never committed and use the violent thugs against themselves?

            before the gun comes out of the holster, there is information and perception

            own the information, change the perception, own the actions of the thugs

    • by Kardos ( 1348077 )

      No need to, it enforced itself. They simply MITM all TLS traffic, and then the peons have three choices:

      Choice 1) you install the certificate, your traffic is snooped

      Choice 2) you don't install the certificate, your browser throws up certificate warnings, you accept them, your traffic is snooped

      Choice 2) you don't install the certificate, your browser throws up certificate warnings, you don't accept them, no traffic to snoop

      • Choice 1b) you install the certificate, your traffic is snooped, but knowing this to be the case you tunnel a real TLS connection inside the MITM'd connection. (Secure TLS via a compromised TLS VPN.)

        One of the nice things about encryption is that it's composable. Outer layer compromised? No problem; just add another layer inside. As long as they allow any information to be communicated, there will always be room for an encrypted communication channel, though it may need to be disguised with steganography.

        • Doing that, of course, will be illegal and will be rare enough to make you stand out as a target.

          • It could be made illegal, of course, but the communication itself was probably illegal anyway. It would only stand out if implemented poorly, however. Done properly it will just look like an unknown (proprietary) binary protocol, which isn't particularly uncommon. They can't possibly have the manpower necessary to reverse-engineer every unknown data format they happen to intercept, and it would be easier and cheaper to ban the Internet entirely than to enforce a rule that their subjects use only registered

            • by Creepy ( 93888 )

              I would agree - if you installed the certificate, you've obeyed the law to the letter. Just because they didn't think of VPNs and such to work around the authority doesn't mean you are breaking the law, it means they did a shitty job of defining a law to control something and they didn't fully understand how it works. The US does this all the time. The US also seems to think it can write international law regulating the internet (most of these, like COPA were killed by the court system, at least).

              And yeah,

            • by KGIII ( 973947 )

              They just have to know where the source was and come to your house. They don't have to crack the encryption. They just need to notice it and decide they want to pay you a friendly visit. Then, to crack the encryption, they use the monkey wrench. They control the pipes. If you put something in the pipes that stands out they don't need to know what it is, they just need to know you did it and aren't fond of monkey wrenches.

  • by Anonymous Coward

    that's not a man, baby. "Tranny in the middle" attack is more like it.

  • Typewriter sales took off as the last bastion of privacy left.
  • Kazhakstan has loads of advertisements on CNN trying to persuade businesses to locate there. Good way to screw that one up.
  • Read the fine print he he.... Only Android mac win etc. mentioned OS wise... Oh the wonders of politicians without a technical clue.... Yes I am aware of the nix like bases of Android and Mac.... But hey if they want to be OS specific... Then the year of the Linux Desktop has finally arrived ;)
  • and a host of other corporations exactly how? In time the pigs look like the humans and the humans look like the pigs....

  • by Anonymous Coward

    Borat Sagdiyev, after returning to KZ from trying to score Pam Anderson...is now in charge of certs for KZ.

  • by GameboyRMH ( 1153867 ) <<moc.liamg> <ta> <hmryobemag>> on Tuesday December 08, 2015 @02:00PM (#51082979) Journal

    Browser Learnings of Public Key for make benefit glorious nation of Kazakhstan!

  • That resembles a very old joke: "Hello! I'm a very silly virus: my author is a fool and had made me impotent. Please copy me to all your friends manually to allow me to spread."

  • This sounds like it'll only work if they also ban Cert Pinning: https://en.wikipedia.org/wiki/... [wikipedia.org]

An adequate bootstrap is a contradiction in terms.

Working...