“Last week, the Dutch Minister of Safety and Justice asked the Parliament of the Netherlands to pass a law allowing police to obtain warrants to do the following: install malware on targets’ private computers, conduct remote searches on local and foreign computers to collect evidence, and delete data on remote computers in order to disable the accessibility of ‘illegal files’. Requesting assistance from the country where the targetted computer(s) were located would be ‘preferred’ but possibly not required. These proposals are alarming, could have extremely problematic consequences, and may violate European human rights law.” You get true net neutrality with one hand, but this idiocy with another. This reminds me a lot of how some of our busy intersections are designed; by people who bike to city hall all their lives and have no clue what it’s like to drive a car across their pretty but extremely confusing and hence dangerous intersections.
Thom, just boot in to BeOS. That will have them scratching their heads for a while trying to figure out why their hack tool doesn’t work on your computer.
Some people consider Linux & company to be hacker tools, so instead, run Windows in a virtual machine, and redirect everything from port 22 to it.
If I were a government entity, I’d research ways to break into ordinary computers through the channels manufacturers grant themselves access to, such as OS update mechanisms (which work independently of any inbound firewall techniques, and updates are ostensibly legitimate to an administrator).
How likely is it that no governments have infiltrated the ranks of apple, microsoft, google, ubuntu, etc to copy their signing keys?
Consider that allegedly microsoft implanted a security key to have windows validate NSA signatures:
http://www.darkgovernment.com/news/remembering-the-nsakey/
Edited 2012-10-23 19:53 UTC
That surely is the easier way, but it’s possible to do similar things (i. e. hijack the updating mechanism) with no “official” signing:
The full mechanism isn’t yet completely analyzed, but Flame has a module which appears to attempt to do a man-in-the-middle attack on the Microsoft Update or Windows Server Update Services (WSUS) system. If successful, the attack drops a file called WUSETUPV.EXE to the target computer.
This file is signed by Microsoft with a certificate that is chained up to Microsoft root.
Except it isn’t signed really by Microsoft.
Turns out the attackers figured out a way to misuse a mechanism that Microsoft uses to create Terminal Services activation licenses for enterprise customers. Surprisingly, these keys could be used to also sign binaries.
[…]
Microsoft has announced an urgent security fix to revoke three certificates used in the attack.
The fix is available via ^aEUR” you guessed it ^aEUR” Microsoft Update.
Source: “Microsoft Update and The Nightmare Scenario”
http://www.f-secure.com/weblog/archives/00002377.html
The less people care and leave security considerations to others (often: no one), the easier such investigation tools could be deployed widely. Unnoticed by users who don’t care anyway, even “artificial evidence” could be created, fitting the bill well:
1. Install malware on targets^aEURTM private computers
2. Conduct remote searches on local and foreign computers to collect evidence
3. Delete data on remote computers in order to disable the accessibility of ^aEURoeillegal files.^aEUR
as explained in the article. “But I didn’t write or download that!” – “But we found it on your PC.” – “I didn’t do it!” – “Prove that.”
Doc Pain,
“Source: ‘Microsoft Update and The Nightmare Scenario'”
Good link to show that these things do happen. This faulty process has presumably been corrected, but that signing keys could be leaked to a government agency is a problem shared by all update mechanisms.
To protect your assets from snoops (corporate or governmental) you really should run two separate networks, one where nothing is allowed to connect externally, and another which can connect externally. Then no components like flash drives as can shared between the networks. This way if there is a backdoor, it cannot be accessed and cannot be used to control the machine. Frankly most people don’t have anything worth protecting to this extent, but if your operating an Iranian nuclear facility, you probably do.
They can always pass a law to disallow incompatible operating systems and other hacking tools.
Offensive cyber weapons seem to be all the rage for government entities these days.
http://www.computerweekly.com/news/1280089993/US-to-develop-offensi…
http://www.guardian.co.uk/uk/2011/may/30/military-cyberwar-offensiv…
http://www.informationweek.com/government/security/air-force-seeks-…
I will probably get a lot of negative comments on this, but I would still like to point out the following.
I am a Dutch citizen and in my opinion this is not such a bad idea at all. The Dutch police force is very careful in using any kind of force because excessive force will result in public outrage.
Why not add this as a weapon in their arsenal to ensure the state safety? Given the safety in this country, and the trust we bestow on our police force I feel this might be useful.
Consider for instance, how recently several ISPs got a threat from somebody posing as being part of anonymous (or some other online children organisation, I don’t really remember), say this had indeed been real. It would feel good to me to have some sort of digital riot police. Because yes, this is expensive for those companies.
Anyway, things like stuxnet should have been a wake-up call for the world already. I would be proud if my government would actually have to balls to come out and legalise (thus admit) to these kind of activities instead of keeping secrets from their citizens.
Yes, I know, we should not give up our digital freedom etc etc. However I would expect tech savvy users to be able to secure their systems…
It’s a matter of trust, indeed.
One big issue is that there’s no remote chance of ensuring due process when it comes to “evidence” that’s collected on a cracked box.
While malicious police officers can always lose a zip-lock bag with weed while conducting an appartment search, that’s an isolated data point – bits are all alike, and terribly easy to copy. That makes for quite untraceable tampering of evidence.
And now we’re exclusively in the realm of trust.
Consider a search using these powers for child pornography: After things are done, there’s no useful evidence that this data was there _before_ the search was started (except if they also raid the appartment and find other evidence, such as hard copies – in which case: raid the appartment, find the hard copies, bust the bastard; no remote computer search required).
Yes indeed, trust is the keyword here. If I would live in another country I would not be able to see a positive side to this.
Considering things like child pornography, we have had some issues where an apprehended suspect had this on an encrypted drive. In that case it might be very useful for law enforcement to be able to get the encryption’s key in advance some way or other.
Just read the other day (from an US perspective) how in Iran the Ayatollah (portrayed as “the bad guy”) reused the snooping infrastructure of the Shah (“the reasonable guy”) after taking over power.
Also, the Netherlands had a “religion” field in their citizens register, which became an issue when the Nazis went in. (for the Nazis, that harmless item became useful infrastructure)
It’s nice to be able to trust your current government, but it’s not a bad idea to think about the consequences when things change. (In case of the religion field, it’s hard to think of _that_ before it happened, but AFAIK many European countries stopped keeping track like that after WW2 due to what happened)
Both Ayatollah and the Nazis could have built up the desired infrastructure by themselves after their power grab, but each would have taken time. Time that could prove crucial when attempting to set things straight early.
Giving police (or anybody) up-to-date equipment to easily enter machines can be very uncomfortable for a democratic opposition of an undesirable future government.
And since there’s so much future ahead of us, I’m afraid things are just bound to happen. Not everywhere, but the “let us (but only us, and secretly) snoop on computers” movement is uncomfortably global.
And plant some data on the way, since the images on the suspect’s system are uncomfortably close, but not quite illegal yet (“but he’s definitely one of ‘those'”)?
Or to push the statistics, so everyone can see that this newly granted power was really, really necessary? (Wouldn’t even have to be organizational. One “well-meaning” staff at the right place is enough for real damage)
In the end, I’d prefer the police to hunt those who physically hurt children, not necessarily those who keep the pictures (those, too – but IMHO it’s secondary).
Otherwise we’ll live in a world were family members still rape their kids (people close to the children make up >80% of the abusers), but simply don’t produce graphic evidence anymore.
Yeah, awesome. How about China decides that it’s perfectly legal and acceptable for the Chinese government to do the exact same thing and spy..i mean “collect evidence” on Dutch citizens on Dutch soil etc? Not such a good idea now, is it.
I have a better idea: don’t do these things at all.
As a matter of fact, I have lived in the People’s Republic of China for some time. I know the difference between oppressive and free countries first hand…
I know enough to say that I could accept it in the Netherlands and not somewhere else.
Yeah, but I bet everyone else might not be so keen on letting the Dutch spy on them. I know I’m not.
No-one died and made you the world police.
The dutch government has a major distribution channel for spyware: the digital tax-forms.
With this law I expect us to become the most vurnerable nation in record time.
I think we have a secret intelligence service for these kinds of operation, certainly if it’s done abroad.
Every computer is unique, even if they’re all same model Dells running the same version of Windows. No doubt the police spytool will work on one and crash another. No doubt this will also happen to innocent people. I know of a case where someone I knew got arrested and his equipment taken, because he had the same on-line username as some idiot. That’s the only thing they had in common, yet it took months before he got his stuff back.
This is another step towards a police state. It’s not a term I like to use, because it quickly gives the impression that it sounds worse than it is, but it’s another way of secretly checking up on people. You’re being spied on by people you can’t even see.
Probably it will only be used for very serious crimes, but then we’ll get some statistic that some lesser crimes cost us far more money so the public would’t mind if they lower the bar. Before you know it you’ll get arrested if you have over 10 MP3 files of which they can’t determine if they are legal or not.
Both old and recent history has proved, time and again, that with everything, including governments, when there are means, they will be abuse.
One phrase here is wierd ‘illegal files’ — can a file be illegal? If I infringe on some property or right and thus create a file, the *act* of creating the file is illlegal. If the same file is now in posession of someone who is authorized or has the rights to use the file, then it’s legal. Illegal are activities, not things. Or am I wrong?
I know it’s not illegal to own a car, but in the Dutch city of Rotterdam the policy actively look out for expensive cars with young people in them. If they can’t explain how they paid for it they’re in trouble.
It’s comparable with having 1.001 MP3s files on your hard disk while not owning the CDs or having an iTunes account. This doesn’t make them illegal files or makes the act of getting them illegal, but it may be fishy enough for the police to hassle you.
Downloading stuff is legal in The Netherlands, yet the anti-piracy foundation keeps pretending it is.
If something isn’t illegal they’ll try to make it so. With MP3s they might throw in a statistic saying how much music is pirated and if we stopped it music would become cheaper and artists happier. They can’t stop it of course, the only victims being foolish kids, but even if they could the prices wouldn’t come down anyway.
I think the problem with cyber crime is that the dangerous people aren’t easily caught. These cyber crime laws will catch more normal users, a number who didn’t even know their daughter downloaded some music on her parents PC, than they will real bad guys.
If you’re a serious cyber criminal you’ll know how they’re trying to track you and you take measures. That leaves the general public.
The German authorities have one of those and might have used it already.
Its lack of security has been exposed numerous times by organisations like the CCC, yet politicians claim it cannot be abused.
Same thing would happen in this case, machines would be made vulnerable by organisations supposedly charged with keeping everyone safe. Irony