German Spy Agency Can Keep Tabs On Internet Hubs, Federal Court Rules (phys.org) 54
Earlier this week, a federal court in Germany threw out a challenge by the world's largest internet hub, the De-Cix exchange, against the tapping of its data flows by the BND foreign intelligence service. What this means is that the country's spy agency can continue to monitor major internet hubs if Berlin deems it necessary for strategic security interests. From a report: The operator had argued the agency was breaking the law by capturing German domestic communications along with international data. However, the court in the eastern city of Leipzig ruled that internet hubs "can be required by the federal interior ministry to assist with strategic communications surveillance by the BND." De-Cix says its Frankfurt hub is the world's biggest internet exchange, bundling data flows from as far as China, Russia, the Middle East and Africa, which handles more than six terabytes per second at peak traffic.
De-Cix Management GmbH, which is owned by eco Association, the European internet industry body, had filed suit against the interior ministry, which oversees the BND and its strategic signals intelligence. It said the BND, a partner of the US National Security Agency (NSA), has placed so-called Y-piece prisms into its data-carrying fibre optic cables that give it an unfiltered and complete copy of the data flow. The surveillance sifts through digital communications such as emails using certain search terms, which are then reviewed based on relevance.
De-Cix Management GmbH, which is owned by eco Association, the European internet industry body, had filed suit against the interior ministry, which oversees the BND and its strategic signals intelligence. It said the BND, a partner of the US National Security Agency (NSA), has placed so-called Y-piece prisms into its data-carrying fibre optic cables that give it an unfiltered and complete copy of the data flow. The surveillance sifts through digital communications such as emails using certain search terms, which are then reviewed based on relevance.
A great argument... (Score:3)
...for encrypting all traffic to every site and even DNS.
Re: (Score:3)
Yep.
Let them do it if they want. Their days are numbered.
Re: (Score:2)
I've been using vpn based in a country immune from snooping, so my traffic is tunneled, essentially double encryption. Good luck decrypting my xkcd visits suckers.
Re: (Score:2)
This. DNS in particular gives you complete metadata of the host name of every URL visited (stub resolvers don't do caching). As for https, the header also gives you the host name in plain text, thus having your site hosted on a shared server with a million others, contrary to common belief, doesn't hide where you connect to. And, for some "mysterious" reason all major browsers completely declined to implement DNSSEC+DANE which would prevent most kinds of active attacks while current CA-based SSL is trivi
Re: (Score:1)
"You are a cow. Cows say moo. MOOOOOO! MOOOOOO! Moo cow MOOOOOO! Moo says the cow. YOU DNSSEC COW!!"
You did something wrong, obviously you wanted to join the USENET discussion at alt.cows.moo.moo.moo
Here's the archive:
http://alt.cows.moo.moo.moo.na... [narkive.com]
Re: (Score:3)
This. DNS in particular
It's almost as if you think these people can't do reverse DNS on your followup connection.
Re: (Score:3)
There's no 1:1 relation between host names and IP addresses, either way.
Re: (Score:2)
There's no 1:1 relation between host names and IP addresses, either way.
There is for 'interesting' servers.
Re: (Score:2)
As for https, the header also gives you the host name in plain text
Just a little nitpick while overall I couldn't agree more: HTTP headers are still encrypted when doing HTTPS; the intended host name (has to) leak from the SSL handshake via SNI [wikipedia.org]. "Has to" because of multiple vhosts; the web server (or reverse proxy) has to know what site you want to hit so that it can give you the right certificate for that vhost in the SSL handshake.
Re: (Score:2)
But even encryption is not enough. Traffic analysis goes a long way towards uncovering your tracks; for this reason no nosy govt agency must be ever allowed this data, nor ISPs+transit providers allowed to aggregate it.
So generate more encrypted traffic. Generate an order of magnitude more encrypted traffic.
Sure, it will make all of the various links look like they are an order of magnitude smaller but so what?
Re: (Score:3)
German quality malware. With extra government and now with 200% more contractors.
No OS, no modem is safe from the reach around of the BND. They will get into any OS.
From space. "German intelligence agency gets spy satellite system funds" (06.11.2017)
http://www.dw.com/en/german-in... [dw.com]
In cyber space.
New surveillance law: German police allowed to hack smartphones (22.06.2017)
http://www.dw.com/en/new-surve... [dw.com]
Welcome to the world of the "State Trojan"
Re: (Score:2)
The BND has a way into the very end of every DSN.
They may but this is due to the proliferation of insecure software. There needs to be a focus on secure software. Secure software isn't perfect but as each flaw is found, the software is quickly updated until people stop finding flaws.
Re: (Score:2)
Clean code in lots of other nations makes real time government malware changes in just one nation stand out.
Re: (Score:2)
If you need antivirus software then you have already lost the security game.
Arguments for encryption (Score:1)
If it doesn't encrypt, don't connect to it.
Next round at the Bundesverfassungsgericht (Score:5, Interesting)
The more interesting round will be at the Bundesverfassungsgericht, where (hopefully) the legality of eavesdropping on all that (mostly intra-country) traffic will be considered.
But in the end, all those court rules are not really important - spy agencies will spy on every bit of traffic, legal or not, as long as they exist. And in the case of the BND we have already seen how they do it even to provide their "friends" in other countries a favour - e.g. for industrial espionage.
Re: (Score:3)
*The only two options I see here, besides of not using the internet, are encrypting everything and or additionally creating a lot of junk data. But since the internet infrastructure is already stressed hard enough here in Germany and our larger telcos give a
Re: (Score:3)
But since that kind of surveillance was something the EU wanted, they sued Germany for non compliance. Then a new data retention law had been drafted by the German government, with some opposition, but eventually it went through and was reinstated in 2015. Ever since then the courts are again working on the validity of this new law, becau
Re: (Score:2)
The only two options I see here, besides of not using the internet, are encrypting everything and or additionally creating a lot of junk data. But since the internet infrastructure is already stressed hard enough here in Germany and our larger telcos give a crap about it even though they get millions of € from the government in order to fix the issues, I prefer the former.
Both encryption and chaff data will be required to foil traffic analysis.
Ultimately Ron Rivest was right [wikipedia.org] but for a different reason.
Re: (Score:2)
It doesn't work like that in every country. In some countries the spying has always been legal due to the interest of national security giving a sufficient weight into the consideration of proportionality for an exception to the associated rights, as the constitution explicitly allows. Since most EU documents already contain lots of national security exceptions, I do expect the German constitution to contain such proportionality argument as well.
The problem I see is one of legal interpretation regarding spy agencies possessing positive powers or negative powers.
Positive powers means that the agency can do whatever is not explicitly prohibited, and negative powers means the agency only has those narrow & specific powers granted by law.
All intelligence gathering agencies should be constrained under negative powers. Secret powers lead to secret governments which inevitably lead to public tyranny.
Strat
East Germany called (Score:2)
they want their secret police surveillance back.
What's next? Youth groups and book burnings? /s
GDPR (Score:2)
Re: (Score:2)
Re: (Score:2)
Since the feed includes German domestic accounts. Will the agency have to get a permission letter from every internet user in Germany? The EU? The world?
They have a default opt-in policy.
Commies/Nazis/Krauts (Score:2)
They never change.
Re: (Score:2)
Exactly. Make it difficult / expensive so targeted (Score:2)
Exactly, their job is to spy. There are a few people (out of billions) that need to be spied upon, too. Bin Laden and his compatriots, for example. The ideal is to make it very difficult or expensive to spy on people, so they only spy on the few people they need to be spying on.
Re: (Score:2)
Devil's Advocate Mode: Activated.
The problem with spying only on the "the few people they need to be spying on" is that you generally don't know who you need to be spying on till you've spied on them.
Devil's Advocate Mode: Off.
Which is not to suggest I approve of spying on the general population. Just that I can see why spy agencies gotta spy. And on as many people as th
Re: (Score:2)
All that bad Germanness stopped in 1989 right? All the other bad Germans had long since found full employment in South America, the USA, UK, France...
They are late AF to the club (Score:2)
Never Forget [wikipedia.org]
In Germany (Score:2)
Old news (Score:2)
Re: (Score:2)