Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Privacy The Internet Communications Government Network Networking The Courts

German Spy Agency Can Keep Tabs On Internet Hubs, Federal Court Rules (phys.org) 54

Earlier this week, a federal court in Germany threw out a challenge by the world's largest internet hub, the De-Cix exchange, against the tapping of its data flows by the BND foreign intelligence service. What this means is that the country's spy agency can continue to monitor major internet hubs if Berlin deems it necessary for strategic security interests. From a report: The operator had argued the agency was breaking the law by capturing German domestic communications along with international data. However, the court in the eastern city of Leipzig ruled that internet hubs "can be required by the federal interior ministry to assist with strategic communications surveillance by the BND." De-Cix says its Frankfurt hub is the world's biggest internet exchange, bundling data flows from as far as China, Russia, the Middle East and Africa, which handles more than six terabytes per second at peak traffic.

De-Cix Management GmbH, which is owned by eco Association, the European internet industry body, had filed suit against the interior ministry, which oversees the BND and its strategic signals intelligence. It said the BND, a partner of the US National Security Agency (NSA), has placed so-called Y-piece prisms into its data-carrying fibre optic cables that give it an unfiltered and complete copy of the data flow. The surveillance sifts through digital communications such as emails using certain search terms, which are then reviewed based on relevance.

This discussion has been archived. No new comments can be posted.

German Spy Agency Can Keep Tabs On Internet Hubs, Federal Court Rules

Comments Filter:
  • by Gravis Zero ( 934156 ) on Saturday June 02, 2018 @05:15AM (#56714674)

    ...for encrypting all traffic to every site and even DNS.

    • Yep.

      Let them do it if they want. Their days are numbered.

      • I've been using vpn based in a country immune from snooping, so my traffic is tunneled, essentially double encryption. Good luck decrypting my xkcd visits suckers.

    • This. DNS in particular gives you complete metadata of the host name of every URL visited (stub resolvers don't do caching). As for https, the header also gives you the host name in plain text, thus having your site hosted on a shared server with a million others, contrary to common belief, doesn't hide where you connect to. And, for some "mysterious" reason all major browsers completely declined to implement DNSSEC+DANE which would prevent most kinds of active attacks while current CA-based SSL is trivi

      • This. DNS in particular

        It's almost as if you think these people can't do reverse DNS on your followup connection.

      • by fisted ( 2295862 )

        As for https, the header also gives you the host name in plain text

        Just a little nitpick while overall I couldn't agree more: HTTP headers are still encrypted when doing HTTPS; the intended host name (has to) leak from the SSL handshake via SNI [wikipedia.org]. "Has to" because of multiple vhosts; the web server (or reverse proxy) has to know what site you want to hit so that it can give you the right certificate for that vhost in the SSL handshake.

      • by Agripa ( 139780 )

        But even encryption is not enough. Traffic analysis goes a long way towards uncovering your tracks; for this reason no nosy govt agency must be ever allowed this data, nor ISPs+transit providers allowed to aggregate it.

        So generate more encrypted traffic. Generate an order of magnitude more encrypted traffic.

        Sure, it will make all of the various links look like they are an order of magnitude smaller but so what?

    • by AHuxley ( 892839 )
      The BND has a way into the very end of every DSN.
      German quality malware. With extra government and now with 200% more contractors.
      No OS, no modem is safe from the reach around of the BND. They will get into any OS.
      From space. "German intelligence agency gets spy satellite system funds" (06.11.2017)
      http://www.dw.com/en/german-in... [dw.com]
      In cyber space.
      New surveillance law: German police allowed to hack smartphones (22.06.2017)
      http://www.dw.com/en/new-surve... [dw.com]
      Welcome to the world of the "State Trojan"
      • The BND has a way into the very end of every DSN.

        They may but this is due to the proliferation of insecure software. There needs to be a focus on secure software. Secure software isn't perfect but as each flaw is found, the software is quickly updated until people stop finding flaws.

        • by AHuxley ( 892839 )
          Strange how the few really good AV brands with real time global comparison ability are not so welcome in the NATO nations.
          Clean code in lots of other nations makes real time government malware changes in just one nation stand out.
  • by Anonymous Coward

    If it doesn't encrypt, don't connect to it.

  • by ffkom ( 3519199 ) on Saturday June 02, 2018 @05:45AM (#56714750)
    One notable aspect of this court rule was that it did not even consider the legality of _what_ the BND wants others to do - they were purely ruling on the validity of the formal order to provide them access.

    The more interesting round will be at the Bundesverfassungsgericht, where (hopefully) the legality of eavesdropping on all that (mostly intra-country) traffic will be considered.

    But in the end, all those court rules are not really important - spy agencies will spy on every bit of traffic, legal or not, as long as they exist. And in the case of the BND we have already seen how they do it even to provide their "friends" in other countries a favour - e.g. for industrial espionage.
    • by fazig ( 2909523 )
      Yes, legality was never a factor in whether they're doing it or not. *Technical possibilities are factor. I still hope that they get slammed in Karlsruhe. At least some moral integrity can be shown by a justice system that is still a separated power.

      *The only two options I see here, besides of not using the internet, are encrypting everything and or additionally creating a lot of junk data. But since the internet infrastructure is already stressed hard enough here in Germany and our larger telcos give a
      • by Agripa ( 139780 )

        The only two options I see here, besides of not using the internet, are encrypting everything and or additionally creating a lot of junk data. But since the internet infrastructure is already stressed hard enough here in Germany and our larger telcos give a crap about it even though they get millions of € from the government in order to fix the issues, I prefer the former.

        Both encryption and chaff data will be required to foil traffic analysis.

        Ultimately Ron Rivest was right [wikipedia.org] but for a different reason.

  • they want their secret police surveillance back.

    What's next? Youth groups and book burnings? /s

  • Since the feed includes German domestic accounts. Will the agency have to get a permission letter from every internet user in Germany? The EU? The world?
    • The GDPR has a convenient exemption for "national security"
    • by Agripa ( 139780 )

      Since the feed includes German domestic accounts. Will the agency have to get a permission letter from every internet user in Germany? The EU? The world?

      They have a default opt-in policy.

  • They never change.

    • The Purpose of an Intelligence Agency is to spy. You seem surprised that they would want to do that. If we want privacy we need to make spying so expensive that they only do it where required.
      • Exactly, their job is to spy. There are a few people (out of billions) that need to be spied upon, too. Bin Laden and his compatriots, for example. The ideal is to make it very difficult or expensive to spy on people, so they only spy on the few people they need to be spying on.

        • The ideal is to make it very difficult or expensive to spy on people, so they only spy on the few people they need to be spying on.

          Devil's Advocate Mode: Activated.

          The problem with spying only on the "the few people they need to be spying on" is that you generally don't know who you need to be spying on till you've spied on them.

          Devil's Advocate Mode: Off.

          Which is not to suggest I approve of spying on the general population. Just that I can see why spy agencies gotta spy. And on as many people as th

    • by AHuxley ( 892839 )
      Nobody expects the new look Stasi on the webcam, in the OS, listening to the mic.
      All that bad Germanness stopped in 1989 right? All the other bad Germans had long since found full employment in South America, the USA, UK, France...
  • your hub is any microphone, camera and text the German gov can detect on the internet.
  • Yeah, I remember back when 70% of the traffic between European IP addresses was routed through MAE-East in West Virginia.
    • by AHuxley ( 892839 )
      Thats why peering was so not expensive to the USA. All the "international" data got lured to the USA for collection.

The explanation requiring the fewest assumptions is the most likely to be correct. -- William of Occam

Working...