[HN Gopher] On the new Dutch intelligence and security law
___________________________________________________________________
On the new Dutch intelligence and security law
Author : ahubert
Score : 174 points
Date : 2024-03-12 20:24 UTC (2 hours ago)
(HTM) web link (berthub.eu)
(TXT) w3m dump (berthub.eu)
| ahubert wrote:
| (happy to elaborate if there are any questions)
| repelsteeltje wrote:
| So, Dutch intelligence basically has legal leeway to pry
| anywhere. But I'm curious how they would hand over some "fact"
| to Police whom cannot normally access that information without
| some kind of warrant or legal approval from public prosecution.
|
| How does that work in practice (under Dutch law)?
| ahubert wrote:
| If they find something that is really criminal they can
| notify the police, but it is not straightforward. Search for
| "ambtsbericht".
| gpvos wrote:
| There are ways to inform the police, but they need to do
| "parallel construction" to allow information in court.
| twsted wrote:
| Isn't there any European law that could stop this exaggerated
| and self-granted power?
| ahubert wrote:
| Yes, parts of this law are very likely to be struck down by
| the European Court of Human Rights, if a case ever gets
| there. Specifically the 100% automatic powers to hack and
| intercept anyone who is hacked by state backed hackers are
| pretty unlikely to be legal under the ECHR.
| mk89 wrote:
| There is literally nothing that can win against national
| security as "state actors (Russia, China, even mentioned in
| the text) trying to sabotage your infrastructure - look we
| have evidence but we're not gonna share it with the
| public".
| wolverine876 wrote:
| Do you mean that's a specific legal argument that is
| upheld in European courts or Dutch courts?
| mk89 wrote:
| No, I would say that's just life experience until now.
|
| Nothing ever wins against "we need to keep the country
| safe".
| repelsteeltje wrote:
| Taking the perspective that spying is warranted by the asset
| under threat rather than subject potentially posing it ... that
| is some pretty scary piece of legislation.
| sib wrote:
| When was the last time that something titled a "Temporary Cyber
| Act" was ever temporary (other than being replaced by something
| worse)?
| klabb3 wrote:
| "Nothing is so permanent as a temporary government program"
|
| - Milton Friedman
| ahubert wrote:
| It has already been announced that this law will likely be
| extended. They later walked that back, but did admit that it is
| entirely possible to extend this law.
| givemeethekeys wrote:
| Hey, you have to applaud them for naming it "temporary",
| instead of "patriot". What are you? Some kind of a treasonous
| terrorist? How dare you oppose THE PATRIOT ACT?! /s
| nsteel wrote:
| They get zero marks because it doesn't appear to be an
| acronym.
| peeters wrote:
| It needs more "Democratic" in it to make it clear it's
| definitely not authoritarian. Maybe "The Democratic People's
| Temporary Cyber Act for Freedom"
| divbzero wrote:
| Given the prevalence of TLS, how much SIGINT can actually be done
| by tapping internet exchanges these days?
| gigel82 wrote:
| Presumably a government could also requisition the private key
| of several root authority certificates (whether or not they
| "proudly announce" that is another matter).
| repelsteeltje wrote:
| Dutch government doesn't have a good reputation there,
| shepherding control over security infrastructure. First, it's
| primary CA lost is signing key to Iran, and recently they
| meant to outsource control over their ".nl" TLD to AWS.
| mrngm wrote:
| Small addendum on that, DigiNotar was one of the _four_ CA
| 's handing out "PKIoverheid" certificates, so certificates
| for governmental purposes. See this archived copy of the
| FAQ (in Dutch) after the DigiNotar breach, specifically the
| question "Hoe weet de overheid dat certificaten van de 3
| andere bedrijven in Nederland die PKI-overheidscertificaten
| uitgeven wel betrouwbaar zijn?": https://web.archive.org/we
| b/20111019224308/http://www.rijkso...
| amenghra wrote:
| A root CA key doesn't automatically decrypt the TLS traffic.
| You just need a single root CA key for a widely trusted CA to
| perform an active MITM attack. The attack is however likely
| to show up in Certificate Transparency logs.
| vmoore wrote:
| Other metadata like DNS, device fingerprints, SNI-leakage[0],
| timestamps, connection history, etc
|
| You can encrypt DNS with DoH if you want, but the DoH provider
| still sees its you. You can take it a step further with
| Oblivious DNS over HTTPS if you really want to conceal DNS
| activity[1]. Note: this technology is rather new and
| experimental.
|
| [0] https://en.wikipedia.org/wiki/Server_Name_Indication
|
| [1] https://research.cloudflare.com/projects/network-
| privacy/odn...
| varenc wrote:
| Another option is dnscrypt-proxy[0]. It will easily let you
| load-balance your DNS queries against a large set of
| resolvers, ensuring that no resolver gets the full picture.
| And enforces encryption of course.
|
| [0] https://github.com/DNSCrypt/dnscrypt-proxy
| repelsteeltje wrote:
| Start with phone lines. Or IP addresses.
|
| Even without looking into the encrypted payload there is so
| much you can learn from graphs connecting and the metadata.
| mk89 wrote:
| Considering they exchange technology with the USA and other
| states, I am pretty sure that you can find some malware to
| install on specific actors's devices (routers/phones/etc.) to
| have traffic decrypted.
|
| I am decently sure that some state agencies help design
| routers.... if you know what I mean :)
| jrockway wrote:
| In addition to what's mentioned in the comments, timing attacks
| are also possible. If you see what time every packet is sent
| and received, then you can correlate streams with each other.
| This is how they figure out who is visiting what Tor websites;
| you compromise the network of the website, then the network of
| potential clients, and then you match up the packets. Now they
| know you visited the website even though you never actually
| sent a packet addressed to it.
| jasonvorhe wrote:
| Just being able to analyze the network connections to apply
| filters and visualizations upon, providing optional deep dives
| into certain cohorts to create reports or even forecasts is a
| totalitarian wet dream.
| ls612 wrote:
| How much cleartext is sent over the net? Nowadays almost
| everything is encrypted, even things like DoH are becoming
| standard via Cloudflare/Apple Private Relay.
| ipaddr wrote:
| They all work for the same team
| jrockway wrote:
| If I were a politician using this against an opponent, I'd
| write the following press release:
|
| Websites in the range 54.239.0.0/8 often host problematic
| content. My opponent visited several addresses in this range
| overnight and hid his traffic with military-grade message
| scrambling functionality.
|
| Of course that's just AWS and you can't even do HTTP/2 or
| HTTP/3 without encryption. But do the voters know that? Will
| they be educated on it? Probably not. And you're not saying
| anything untrue, you have facts and logs to back up your
| assertions!
| sva_ wrote:
| I'm not a crypto expert by any means, but it is my
| understanding that government actors of larger countries
| probably have trusted CAs in most devices on the planet that
| they have control over, and they could issue certificates for
| arbitrary domain names; and your devices would for the most
| part be none the wiser.
|
| Of course this is only relevant for targeted surveillance, not
| mass surveillance.
|
| Happy to be corrected though, I've been wondering about this.
| ls612 wrote:
| This is precisely the threat model that certificate
| transparency mitigates.
| mrngm wrote:
| Perhaps think a bit smaller, and look at companies that
| operate office-sized TLS interception by installing a CA
| certificate on each (managed) end device, and generating
| certificates on-the-fly from that CA. Then, some middlebox is
| able to inspect the encrypted communication that passes
| through.
|
| Some web browsers have pinned certificates for certain
| services, Google Chrome/Chromium being one of those.
| Subsequently, the browser refuses to perform any more actions
| towards the server that serves an invalid (according to the
| browser) certificate. That browser is also one of the reasons
| the DigiNotar case in 2011 emerged to the surface.
| unethical_ban wrote:
| Store now, decrypt later?
|
| Metadata analysis on netflow, source and destination traffic,
| etc.
|
| Most people still don't use VPNs for everything, and some
| services outright block or degrade VPN connectivity. Two
| notable examples are most banks, and 4chan.
|
| I firmly believe 4ch is a Honeypot.
| xk_id wrote:
| The majority of traffic is available as cleartext to Cloudflare
| so that they can analyse it. That's the point of being an
| enormous centralised TLS termination proxy.
| mrngm wrote:
| Perhaps a better insight is looking at parties doing TLS
| termination globally as a reverse proxy service, for example
| for DDoS mitigation or acting as a web application firewall.
| Or, who handles your (encrypted) DNS requests? A somewhat
| trustworthy local ISP, or a large corporation with multiple
| pages of terms of service and a vague privacy statement? (I'm
| unfortunately also aware that there exist ISPs that inject ads
| on non-encrypted connections, or having done so in the past)
|
| In my opinion, it's less about the amount of cleartext traffic,
| but also about what parties terminate your so preciously
| encrypted connections/requests, the percentage of internet
| traffic they handle, and what they exactly store about those
| requests.
|
| Encryption on the internet doesn't mean it's suddenly safe.
| vmoore wrote:
| > to protect The Netherlands against Russian and Chinese hackers
|
| So it's a noble cause then? Or does it have privacy implications
| for innocent netizens? I thought these exchanges would have been
| tapped in some form way before this announcement?
| sspiff wrote:
| The new law also lowers the bar for Dutch law enforcement to
| obtain records from these taps significantly, removing the
| necessity of a judge to rule whether the request is justified
| in the investigation.
|
| Surely no law enforcement would overreach when given tools like
| these, right? Right?
| davedx wrote:
| Yeah the Belastingdienst would never do anything naughty with
| powers like these. Let them in on it too!
| Notatheist wrote:
| They've already overreached in the past.
|
| https://nos.nl/artikel/2432715-inlichtingendiensten-
| moeten-g...
|
| https://www.rtlnieuws.nl/tech/artikel/5294998/aftappen-
| aivd-...
| freedomben wrote:
| It's called "temporary" but I don't see anything about when it is
| removed. Even with a sunset period (like the US Patriot Act had)
| it's not typical for states to give up power like this, so I'm
| guessing this is the new normal :-(
|
| Is there specific intelligence leading to this? It seems very to
| the point about being related to Russia.
| fallingknife wrote:
| The Patriot Act was temporary too...
| shrimp_emoji wrote:
| And some provisions expired thanks to Trump!
|
| Biden, on the other hand, renews them promptly, to bipartisan
| satisfaction.
|
| Funny how that works. :p
| Notatheist wrote:
| I'm a technical artist not a security researcher so could someone
| here elaborate on the supposed threat? Assuming a genuine
| Russian/Chinese state hacker/outfit, what damage could they cause
| and how much of that damage would legislation such as this
| prevent?
| mk89 wrote:
| > what damage could they cause
|
| You want to listen to what they want to do before they do
| something to your country. This is what this thing allows you
| to do: every internet packet transiting through the Dutch
| internet exchanges will be "scanned" (largely read-only).
|
| However:
|
| > The powers granted to the services are broad, but also
| largely 'read-only'.
|
| Largely `read-only`, the way I read it, means that in some
| cases they can actually replace whatever is going through the
| cable.
|
| I imagine something like:
|
| - terrorist A and B are texting each others, and you replace
| some of the text that they are sending each other (before this
| is received over the phone, because you own the "hop"), so that
| you can maybe redirect them straight into the police hands.
|
| If done properly, I believe this can prevent quite some bad
| damage - not the simple example above, but probably also major
| things like serious attacks (e.g., ransom attacks on public
| institutions, etc). That's my guess - how easy or realistic
| this is, I can't tell you.
| radicalbyte wrote:
| This is happening at exactly the same time that an extremist far-
| right party are expected to take power.
|
| Fantastic.
| mk89 wrote:
| Don't worry, as long as we don't militarise ourselves
| anymore....
|
| oh shoot, that's also happening!
| FirmwareBurner wrote:
| Oh no, an army on bikes, what are we gonna do about it?! /s
| sph wrote:
| > With the Temporary Cyber Act, we will make optimum use of the
| data carried on our cables to protect The Netherlands against
| Russian and Chinese hackers
|
| Twenty years ago, the excuse was "we are restricting your freedom
| because of what happened in 11/9."
|
| Then in the internet age, the excuse became "we are restricting
| your freedom to save the children from online abuse."
|
| Now, Europe has unlocked the option to restrict its citizens'
| freedom because of the "war."
|
| I ask my fellow computer engineers what the hell are we waiting
| for to pool our minds and resources towards a truly
| decentralised, encrypted and anonymous overnet. Something a
| little more practical than I2P, Tor, Freenet, etc. "Oh bad people
| will use it to do crime" is not a serious enough excuse to just
| passively accept the government tightening the noose around our
| digital presence, for total control by the State, all in name of
| safety and security. Was Bitcoin (2009) the last hurrah of the
| crypto-anarchist ideals of freedom of thought, freedom from the
| Big Brother and freedom from the ever-looming State?
|
| https://groups.csail.mit.edu/mac/classes/6.805/articles/cryp...
| Eager wrote:
| I used to be so optimistic and less cynical.
|
| Now I look at this and all that comes to mind is that actions
| like this would provide a basis for tapping people closer to
| source.
|
| All the p2p and e2e encryption in the world won't help if
| someone is reading every key you type, or in the near future,
| every thought that crosses your mind.
|
| Still, I applaud your spirit.
| zx10rse wrote:
| It won't happen people choose comfort instead of freedom.
| Eventually it will become a full blown totalitarian state, and
| we are going to relive 20th century again it seems.
|
| I can't wait to pay ESG tax because I am breathing.
| sva_ wrote:
| > I ask my fellow computer engineers what the hell are we
| waiting for to pool our minds and resources towards a truly
| decentralised, encrypted and anonymous overnet.
|
| I often hear this somewhat loose idea and have to say that I
| also have such reoccurring thoughts myself. We currently enjoy
| pretty great freedoms to do stuff, we have the chance to set
| something up, and those freedoms might be severely restricted
| in the future. It may be easier to develop something like that
| now than it will ever be in the future. The problem seems to be
| that there is no coordinated plan. Stuff like Tor exists, but
| it hasn't really caught on as much as one would hope. Also it
| is built upon a rather specific architecture (the internet)
| from what I understand, which could basically be shutdown by
| authorities at any moment.
|
| For example, I can't currently safely communicate with people
| in my geographic area independently of the internet, even
| though my devices theoretically have the hardware to do so
| (think of radio capabilities, for example). There might be some
| lose projects out there capable of some of it that 99.9999%
| never heard about, but nothing that could actually be
| considered general-purpose. Why is that?
|
| It isn't an easy problem to solve. And it isn't enough of a
| problem for people to actually apply themselves nearly enough.
| Once it is needed in a way that more people would devote their
| time to it, it might be too late.
| dylan604 wrote:
| As long as they are proud of it. No bad laws have ever been
| implemented where everyone was proud of it, so this must mean
| it's not a bad law!! And the people rejoiced...just not on the
| internet as they didn't want to be spied on
| FirmwareBurner wrote:
| _> No bad laws have ever been implemented where everyone was
| proud of it_
|
| "Nobody who speaks German can ever be evil"
|
| - The Simpsons
| gpvos wrote:
| How do you know everyone is proud of it? For starters, I'm not.
| dotBen wrote:
| Aren't all governments tapping connectivity the occurs within
| their borders (whether it be in internet exchanges, sea cables
| that come onto their shores, etc - kinda doesn't matter where it
| physically happens)?
|
| I assume this is going on routinely already.
| bradley13 wrote:
| Perhaps it is. That doesn't mean it should be.
|
| Governments think they are above their own laws. Warrants?
| Privacy rights? Due process? Why bother?
| wkat4242 wrote:
| Well in this case they did amend the law through parliament.
|
| Not that I agree with it, no, but it's not like they're
| acting above it.
| jillesvangurp wrote:
| You should assume so and accept nothing short of end to end
| encryption as a secure channel. That's been true for decades.
|
| Assume, the Chinese, Russians, North Koreans, Iranians,
| Americans, and everybody else gets a copy of all the bytes you
| send and receive. That may or may not be true depending on who
| or where you are and how competent their people are. But you
| can't rely on that not being the case so you simply shouldn't.
| So make sure that whatever they intercept is gibberish.
|
| Is there any unencrypted traffic over these cables at all at
| this point? It's all ssl and https at this point, I would hope.
| There's still some intelligence to be extracted from which IP
| addresses are talking to which other IP addresses. But beyond
| that? What's really there to be intercepted that we haven't
| fixed yet?
| molticrystal wrote:
| Just how badly is the internet compromised at this point, as in
| are there any countries or internet corporate policies that
| forbid contributing to this type of action and would route around
| the Netherlands due to it violating privacy?
| GauntletWizard wrote:
| To some extent, this is a gross misuse of their government power.
| To another extent, tap away. There is no reason for your network
| traffic not to be an end-to-end encrypted. I'm more or less fine
| with the government getting my SNI headers, though I will be
| investing more in Tor and other obfuscation for some purposes.
| tdudhhu wrote:
| This is a 'temporary' law that will be reconsidered after 4 years
| (most of the time this means it will just be continued).
|
| The CTIVD will have supervision during and after the tab (good).
|
| Private data can be held much longer without government approval
| (why?).
|
| There is no permission needed to tap another server when a party,
| that is under surveillance, is moving there.
|
| ---
|
| I have mixed feelings about this. We know Russia is trying to
| disrupt the Netherlands because of previous taps. So on one hand
| it is good that the government can quickly react to such threads.
| On the other hand it has huge privacy implications.
|
| Some people in this thread think that TLS will keep us private
| but that is not how it works when they can listen to all traffic.
| For example they can see I posted a request to Hacker News on a
| specific time. Then it is a matter of finding all posts that were
| made around that timestamp to see what I wrote and what my
| username is.
| ozim wrote:
| I am sure it is there to stay as no other thing is going to
| stay forever as much as "temporary" law giving authorities more
| power.
| mk89 wrote:
| > For example they can see I posted a request to Hacker News on
| a specific time. Then it is a matter of finding all posts that
| were made around that timestamp to see what I wrote and what my
| username is.
|
| I think this is a lot of work to do. Just ask some 3 letters
| agencies for some help on some malware or on some "router
| firmware bugs" to be exploited etc. They don't care about
| hacker news readers or posting comments (because this implies
| you must know the DNS first, etc). They care about botnets
| DDoS-ing your railway infrastructure, ransomware on hospitals,
| serious stuff that can lead the country to chaos.
| dang wrote:
| The submitted title ("Dutch gov. proudly announces it will tap
| Europe's largest internet exchanges") badly broke HN's title
| guideline, which asks: " _Please use the original title, unless
| it is misleading or linkbait; don 't editorialize._" -
| https://news.ycombinator.com/newsguidelines.html
|
| If you want to say what you think is important about an article,
| that's fine, but do it by adding a comment to the thread. Then
| your view will be on a level playing field with everyone else's:
| https://hn.algolia.com/?dateRange=all&page=0&prefix=false&so...
___________________________________________________________________
(page generated 2024-03-12 23:01 UTC)