On the new Dutch intelligence and security law(berthub.eu)
berthub.eu
On the new Dutch intelligence and security law
https://berthub.eu/articles/posts/dutch-intelligence-and-security-law/
91 comments
Don't forget Dutch citizens voted previously in a national referendum against mass surveillance which was promptly ignored and the right to call a referendum repealed.
Indeed, and the government don't care about the laws anyway.
I lived next door to someone that was busted for growing weed. The neighbor on the other side was involved at the time and then continued to harrass him then me because I complained about it for the next 10 1/2 years. The law only allows use of a civilian for a year with a contract in advance and no committing crimes. Didn't stop them. They spent more than 1 million euros in harrassing someone who was already convicted and then their neighbor because they complained.
I was told by the police that my phone had been tapped already, though I had already guessed that.
I lived next door to someone that was busted for growing weed. The neighbor on the other side was involved at the time and then continued to harrass him then me because I complained about it for the next 10 1/2 years. The law only allows use of a civilian for a year with a contract in advance and no committing crimes. Didn't stop them. They spent more than 1 million euros in harrassing someone who was already convicted and then their neighbor because they complained.
I was told by the police that my phone had been tapped already, though I had already guessed that.
Aren't all governments tapping connectivity the occurs within their borders (whether it be in internet exchanges, sea cables that come onto their shores, etc - kinda doesn't matter where it physically happens)?
I assume this is going on routinely already.
I assume this is going on routinely already.
Perhaps it is. That doesn't mean it should be.
Governments think they are above their own laws. Warrants? Privacy rights? Due process? Why bother?
Governments think they are above their own laws. Warrants? Privacy rights? Due process? Why bother?
Well in this case they did amend the law through parliament.
Not that I agree with it, no, but it's not like they're acting above it.
Not that I agree with it, no, but it's not like they're acting above it.
That doesn't make it automatically right, just, or even legal. Does it hold up against the European Convention on Human Rights, EU directives, regulations and the country constitution? What does the constitutional court, EU court of justice and EU court of human rights think?
These are not hypothetical questions. I'm not Dutch but in my own (EU) country it's a very common occurrence that the higher courts significantly modify or entirely cancel a fully approved law - often retroactively. Sometimes the state has to pay out damages.
IMHO a parliament acting like they can just vote for anything and that's it is exactly the definition of acting above the law.
These are not hypothetical questions. I'm not Dutch but in my own (EU) country it's a very common occurrence that the higher courts significantly modify or entirely cancel a fully approved law - often retroactively. Sometimes the state has to pay out damages.
IMHO a parliament acting like they can just vote for anything and that's it is exactly the definition of acting above the law.
> That doesn't make it automatically right, just, or even legal. Does it hold up against the European Convention on Human Rights, EU directives, regulations and the country constitution? What does the constitutional court, EU court of justice and EU court of human rights think?
It should, it's the job of the first chamber (aka the 'senate') to validate this. Unfortunately they have been playing politics more than anything.
> I'm not Dutch but in my own (EU) country it's a very common occurrence that the higher courts significantly modify or entirely cancel a fully approved law - often retroactively.
This sounds more like the common law system (US, UK, Ireland). In Holland it's not like that. The senate is supposed to check that an in fact a local judge can't directly reference the constitution. In common law they can and they create precedents to scope out a law further after implementation.
The EU does overrule it of course. And yes perhaps they can get fined damages. That would be good IMO because it will stop them doing it. But they didn't do anything wrong technically in that sense.
The worst thing they did technically was that this law was inplemented by a cabinet that had already stepped down after the coalition fell apart. New votes were held and a new parliament was formed, but the old cabinet is still in place until a coalition is formed to create the new cabinet.
The biggest problem there was that 24% of people voted for the extreme-right fascist party and nobody except the neoliberals (the party they split out from) and the farmers want to form a government with them. So it will take a lot of time. But the old (neoliberal) cabinet is not supposed to push through any legislation that can be considered controversial. They are doing that all the time though.
It should, it's the job of the first chamber (aka the 'senate') to validate this. Unfortunately they have been playing politics more than anything.
> I'm not Dutch but in my own (EU) country it's a very common occurrence that the higher courts significantly modify or entirely cancel a fully approved law - often retroactively.
This sounds more like the common law system (US, UK, Ireland). In Holland it's not like that. The senate is supposed to check that an in fact a local judge can't directly reference the constitution. In common law they can and they create precedents to scope out a law further after implementation.
The EU does overrule it of course. And yes perhaps they can get fined damages. That would be good IMO because it will stop them doing it. But they didn't do anything wrong technically in that sense.
The worst thing they did technically was that this law was inplemented by a cabinet that had already stepped down after the coalition fell apart. New votes were held and a new parliament was formed, but the old cabinet is still in place until a coalition is formed to create the new cabinet.
The biggest problem there was that 24% of people voted for the extreme-right fascist party and nobody except the neoliberals (the party they split out from) and the farmers want to form a government with them. So it will take a lot of time. But the old (neoliberal) cabinet is not supposed to push through any legislation that can be considered controversial. They are doing that all the time though.
No, in my country it's a derived German-style system. It's very unlike a common law system. A local judge can't, but we have a constitutional court who can take up a case against a passed law by themselves. Also, you can work through the tiers of the courts to the highest court or submit a request to the constitutional court.
Not sure about the exact legal theory in the Netherlands but where I am it's not really the job of upper chamber to validate it. Both chambers should have done that but both are bodies with political agendas and they interpret it to their own liking - and that often doesn't pass through the courts.
Not sure about the exact legal theory in the Netherlands but where I am it's not really the job of upper chamber to validate it. Both chambers should have done that but both are bodies with political agendas and they interpret it to their own liking - and that often doesn't pass through the courts.
You should assume so and accept nothing short of end to end encryption as a secure channel. That's been true for decades.
Assume, the Chinese, Russians, North Koreans, Iranians, Americans, and everybody else gets a copy of all the bytes you send and receive. That may or may not be true depending on who or where you are and how competent their people are. But you can't rely on that not being the case so you simply shouldn't. So make sure that whatever they intercept is gibberish.
Is there any unencrypted traffic over these cables at all at this point? It's all ssl and https at this point, I would hope. There's still some intelligence to be extracted from which IP addresses are talking to which other IP addresses. But beyond that? What's really there to be intercepted that we haven't fixed yet?
Assume, the Chinese, Russians, North Koreans, Iranians, Americans, and everybody else gets a copy of all the bytes you send and receive. That may or may not be true depending on who or where you are and how competent their people are. But you can't rely on that not being the case so you simply shouldn't. So make sure that whatever they intercept is gibberish.
Is there any unencrypted traffic over these cables at all at this point? It's all ssl and https at this point, I would hope. There's still some intelligence to be extracted from which IP addresses are talking to which other IP addresses. But beyond that? What's really there to be intercepted that we haven't fixed yet?
Given the prevalence of TLS, how much SIGINT can actually be done by tapping internet exchanges these days?
Other metadata like DNS, device fingerprints, SNI-leakage[0], timestamps, connection history, etc
You can encrypt DNS with DoH if you want, but the DoH provider still sees its you. You can take it a step further with Oblivious DNS over HTTPS if you really want to conceal DNS activity[1]. Note: this technology is rather new and experimental.
[0] https://en.wikipedia.org/wiki/Server_Name_Indication
[1] https://research.cloudflare.com/projects/network-privacy/odn...
You can encrypt DNS with DoH if you want, but the DoH provider still sees its you. You can take it a step further with Oblivious DNS over HTTPS if you really want to conceal DNS activity[1]. Note: this technology is rather new and experimental.
[0] https://en.wikipedia.org/wiki/Server_Name_Indication
[1] https://research.cloudflare.com/projects/network-privacy/odn...
Another option is dnscrypt-proxy[0]. It will easily let you load-balance your DNS queries against a large set of resolvers, ensuring that no resolver gets the full picture. And enforces encryption of course.
[0] https://github.com/DNSCrypt/dnscrypt-proxy
[0] https://github.com/DNSCrypt/dnscrypt-proxy
I love this software.
It keeps Mullvad from intercepting DNS traffic: if you send cleartext DNS requests on UDP/53 through their network, they intercept it. But DNSCrypt packets are encrypted and authenticated, so they can't.
Bonus: DNSCrypt is still packet-based like UDP, so none of the downsides of DoH: no 3-way handshake, no connection pooling, no stream correlation attacks.
> It's worth noting that all our VPN servers hijack calls to our public DNS server and that the DNS requests are processed on a local non-logging DNS server installed on that VPN server.
https://mullvad.net/en/help/all-about-dns-servers-and-privac...
https://old.reddit.com/r/mullvadvpn/comments/invjgp/how_and_...
It keeps Mullvad from intercepting DNS traffic: if you send cleartext DNS requests on UDP/53 through their network, they intercept it. But DNSCrypt packets are encrypted and authenticated, so they can't.
Bonus: DNSCrypt is still packet-based like UDP, so none of the downsides of DoH: no 3-way handshake, no connection pooling, no stream correlation attacks.
> It's worth noting that all our VPN servers hijack calls to our public DNS server and that the DNS requests are processed on a local non-logging DNS server installed on that VPN server.
https://mullvad.net/en/help/all-about-dns-servers-and-privac...
https://old.reddit.com/r/mullvadvpn/comments/invjgp/how_and_...
"... ensuring that no resolver gets the full picture."
Unless the resolvers share data with each other.
These public DNSCrypt resolvers will publish claims like "no logging" but how does one verify this is a true statement.
It may be better to use mutiple third party DNS resolvers, whether DoH or DNSCrypt, than to only use one, but the best course of action is not to use third party resolvers at all.
The question I have for DNSCrypt fans is _why_ AFAICT no authoritative DNS servers are using it, e.g., https://github.com/cofyc/dnscrypt-wrapper
Personally, instead of DNSCrypt, I prefer CurveDNS,
https://github.com/curvedns/curvedns
There is at least one DNS forwarding service that offers CurveDNS.
For those who might be confused:
From https://dnscurve.org
"Do you run a DNS server that sends out DNS data? For example, do you run an "authoritative DNS server" such as tinydns or PowerDNS Server or BIND or NSD or MaraDNS or Nominum ANS to publish the IP addresses of your web server and mail server?
This page explains the benefits of adding DNSCurve protection to your outgoing DNS data."
DNSCurve protects outgoing data from authoritative DNS servers.
I use CurveDNS experimentally in homelab in front of tinydns and nsd. It is easy to set up and it works great. Unfortunately not many authoritative DNS servers on the internet are using it even though it is easy to set up and works great (based on own experiments).
As stated above, the best course of action is to avoid using third party DNS resolvers, i.e., public, shared caches. Instead one can run a local cache that sends DNSCurve-encrypted queries to remote authoritative DNS servers. For example,
https://github.com/janmojzis/dq
When using dq or dqcache, packets are _not_ sent "in the clear" for an ISP to sniff.
But, as above, the number of authoritative DNS servers using CurveDNS is unfortunately small.
The problem I see with DNSCrypt is it encourages use of third party DNS resolvers, i.e., shared caches.
I use locally-stored DNS data. When I retrieve DNS data from the interet I retrieve it in bulk using a variety of methods and sources. An unconventional approach perhaps but it works great for me.
Encrypted DNS is arguably pointless if one is using a popular browser that always sends SNI, even when SNI is not required, e.g., websites not using a CDN, or when visiting websites that do not support encrypted SNI, e.g., websites not using a CDN that supports encrypted SNI (ECH). Glad to see that the grandparent comment mentioned SNI.
Unless the resolvers share data with each other.
These public DNSCrypt resolvers will publish claims like "no logging" but how does one verify this is a true statement.
It may be better to use mutiple third party DNS resolvers, whether DoH or DNSCrypt, than to only use one, but the best course of action is not to use third party resolvers at all.
The question I have for DNSCrypt fans is _why_ AFAICT no authoritative DNS servers are using it, e.g., https://github.com/cofyc/dnscrypt-wrapper
Personally, instead of DNSCrypt, I prefer CurveDNS,
https://github.com/curvedns/curvedns
There is at least one DNS forwarding service that offers CurveDNS.
For those who might be confused:
From https://dnscurve.org
"Do you run a DNS server that sends out DNS data? For example, do you run an "authoritative DNS server" such as tinydns or PowerDNS Server or BIND or NSD or MaraDNS or Nominum ANS to publish the IP addresses of your web server and mail server?
This page explains the benefits of adding DNSCurve protection to your outgoing DNS data."
DNSCurve protects outgoing data from authoritative DNS servers.
I use CurveDNS experimentally in homelab in front of tinydns and nsd. It is easy to set up and it works great. Unfortunately not many authoritative DNS servers on the internet are using it even though it is easy to set up and works great (based on own experiments).
As stated above, the best course of action is to avoid using third party DNS resolvers, i.e., public, shared caches. Instead one can run a local cache that sends DNSCurve-encrypted queries to remote authoritative DNS servers. For example,
https://github.com/janmojzis/dq
When using dq or dqcache, packets are _not_ sent "in the clear" for an ISP to sniff.
But, as above, the number of authoritative DNS servers using CurveDNS is unfortunately small.
The problem I see with DNSCrypt is it encourages use of third party DNS resolvers, i.e., shared caches.
I use locally-stored DNS data. When I retrieve DNS data from the interet I retrieve it in bulk using a variety of methods and sources. An unconventional approach perhaps but it works great for me.
Encrypted DNS is arguably pointless if one is using a popular browser that always sends SNI, even when SNI is not required, e.g., websites not using a CDN, or when visiting websites that do not support encrypted SNI, e.g., websites not using a CDN that supports encrypted SNI (ECH). Glad to see that the grandparent comment mentioned SNI.
There is no such thing as a "CurveDNS resolver". CurveDNs is a forwarder that encrypts DNS packets.
For me it runs bound to a loopback address, as do the nsd and tinydns servers. None of this traffic uses the network, there are no remote queries. There is nothing for the ISP to sniff.
When placed in front of a remote authoritative DNS server, that server can be queried using DNSCurve, e.g., with dq or dqcache. The packets are encrypted. ISPs cannot read them.
For example,
No recursive resolver is used. No packets are sent "in the clear". There is nothing for the ISP to sniff. Unlike public DoH or DNSCrypt servers, there is no third party DNS provider involved. No middleman.
For me it runs bound to a loopback address, as do the nsd and tinydns servers. None of this traffic uses the network, there are no remote queries. There is nothing for the ISP to sniff.
When placed in front of a remote authoritative DNS server, that server can be queried using DNSCurve, e.g., with dq or dqcache. The packets are encrypted. ISPs cannot read them.
For example,
dq -s -k dns2sdrnxskf5lqt46v34cdlfqb9q2lvvmpr95g3l1qh0148sf6 ianix.com 104.207.143.9
1 ianix.com - streamlined DNSCurve:
229 bytes, 1+2+2+2 records, response, authoritative, noerror
query: 1 ianix.com
answer: ianix.com 3600 A 104.248.15.206
answer: ianix.com 3600 A 104.207.143.9
authority: ianix.com 259200 NS uz5dns1bx64zu3pgn9nm4zfvmh2vy4hpjy7nkjz6qjcu325bg9hzcx.ianix.com
authority: ianix.com 259200 NS uz5dns2sdrnxskf5lqt46v34cdlfqb9q2lvvmpr95g3l1qh0148sf6.ianix.com
additional: uz5dns1bx64zu3pgn9nm4zfvmh2vy4hpjy7nkjz6qjcu325bg9hzcx.ianix.com 259200 A 104.248.15.206
additional: uz5dns2sdrnxskf5lqt46v34cdlfqb9q2lvvmpr95g3l1qh0148sf6.ianix.com 259200 A 104.207.143.9
The IP address of the ianix.com name servers, 104.207.143.9, and the DNSCurve key, dns2sdrnxskf5lqt46v34cdlfqb9q2lvvmpr95g3l1qh0148sf6, can be obtained from the com.zone file, which is available for free from https://czds.icann.org/homeNo recursive resolver is used. No packets are sent "in the clear". There is nothing for the ISP to sniff. Unlike public DoH or DNSCrypt servers, there is no third party DNS provider involved. No middleman.
AFAIK, there is no such thing as an "authoritative resolver". Authoritative DNS servers are commonly called "name servers". Recursive resolvers, i.e., caches, are never authoritative. Some might pretend to be, I have found examples of this easily in the past, highlighting the potential for abuse by operators of third party DNS resolvers.
> Personally, instead of DNSCrypt, I prefer CurveDNS
Neither is a replacement for the other; they're orthogonal. They solve different problems.
You should use both of them.
From the CurveDNS link you posted:
> CurveDNS supports:
> Forwarding of regular (non-protected) DNS packets
These are being sent in the clear, and your ISP is most certainly logging them. You should tell your CurveDNS resolver to use a (local) dnscrypt-proxy instance for resolving "regular (non-protected)" queries that don't have DNSCurve entries. Then you have the best of both worlds!
> The question I have for DNSCrypt fans is _why_ AFAICT no authoritative DNS servers are using it
Because DNSCrypt is only for querying recursive resolvers!
... and DNSCurve is only for querying authoritative resolvers.
DNSCrypt is link-level encryption between you and your recursive resolver (the thing you put in /etc/resolv.conf).
DNSCurve is link-level encryption between your recursive resolver (or you) and the authoritative resolver (like this one, which is authoritative for cr.yp.to):
Neither is a replacement for the other; they're orthogonal. They solve different problems.
You should use both of them.
From the CurveDNS link you posted:
> CurveDNS supports:
> Forwarding of regular (non-protected) DNS packets
These are being sent in the clear, and your ISP is most certainly logging them. You should tell your CurveDNS resolver to use a (local) dnscrypt-proxy instance for resolving "regular (non-protected)" queries that don't have DNSCurve entries. Then you have the best of both worlds!
> The question I have for DNSCrypt fans is _why_ AFAICT no authoritative DNS servers are using it
Because DNSCrypt is only for querying recursive resolvers!
... and DNSCurve is only for querying authoritative resolvers.
DNSCrypt is link-level encryption between you and your recursive resolver (the thing you put in /etc/resolv.conf).
DNSCurve is link-level encryption between your recursive resolver (or you) and the authoritative resolver (like this one, which is authoritative for cr.yp.to):
$ dig -t NS yp.to
yp.to. 3600 IN NS uz5jmyqz3gz2bhnuzg0rr0cml9u8pntyhn2jhtqn04yt3sm5h235c1.yp.to.
It is a shame that the two names (DNSCurve and DNSCrypt) are so similar.In addition to what's mentioned in the comments, timing attacks are also possible. If you see what time every packet is sent and received, then you can correlate streams with each other. This is how they figure out who is visiting what Tor websites; you compromise the network of the website, then the network of potential clients, and then you match up the packets. Now they know you visited the website even though you never actually sent a packet addressed to it.
Start with phone lines. Or IP addresses.
Even without looking into the encrypted payload there is so much you can learn from graphs connecting and the metadata.
Even without looking into the encrypted payload there is so much you can learn from graphs connecting and the metadata.
Considering they exchange technology with the USA and other states, I am pretty sure that you can find some malware to install on specific actors's devices (routers/phones/etc.) to have traffic decrypted.
I am decently sure that some state agencies help design routers.... if you know what I mean :)
I am decently sure that some state agencies help design routers.... if you know what I mean :)
Just being able to analyze the network connections to apply filters and visualizations upon, providing optional deep dives into certain cohorts to create reports or even forecasts is a totalitarian wet dream.
Presumably a government could also requisition the private key of several root authority certificates (whether or not they "proudly announce" that is another matter).
Dutch government doesn't have a good reputation there, shepherding control over security infrastructure. First, it's primary CA lost is signing key to Iran, and recently they meant to outsource control over their ".nl" TLD to AWS.
Small addendum on that, DigiNotar was one of the four CA's handing out "PKIoverheid" certificates, so certificates for governmental purposes. See this archived copy of the FAQ (in Dutch) after the DigiNotar breach, specifically the question "Hoe weet de overheid dat certificaten van de 3 andere bedrijven in Nederland die PKI-overheidscertificaten uitgeven wel betrouwbaar zijn?": https://web.archive.org/web/20111019224308/http://www.rijkso...
A root CA key doesn't automatically decrypt the TLS traffic. You just need a single root CA key for a widely trusted CA to perform an active MITM attack. The attack is however likely to show up in Certificate Transparency logs.
(happy to elaborate if there are any questions)
So, Dutch intelligence basically has legal leeway to pry anywhere. But I'm curious how they would hand over some "fact" to Police whom cannot normally access that information without some kind of warrant or legal approval from public prosecution.
How does that work in practice (under Dutch law)?
How does that work in practice (under Dutch law)?
Isn't there any European law that could stop this exaggerated and self-granted power?
Yes, parts of this law are very likely to be struck down by the European Court of Human Rights, if a case ever gets there. Specifically the 100% automatic powers to hack and intercept anyone who is hacked by state backed hackers are pretty unlikely to be legal under the ECHR.
There is literally nothing that can win against national security as "state actors (Russia, China, even mentioned in the text) trying to sabotage your infrastructure - look we have evidence but we're not gonna share it with the public".
Do you mean that's a specific legal argument that is upheld in European courts or Dutch courts?
No, I would say that's just life experience until now.
Nothing ever wins against "we need to keep the country safe".
Nothing ever wins against "we need to keep the country safe".
> to protect The Netherlands against Russian and Chinese hackers
So it's a noble cause then? Or does it have privacy implications for innocent netizens? I thought these exchanges would have been tapped in some form way before this announcement?
So it's a noble cause then? Or does it have privacy implications for innocent netizens? I thought these exchanges would have been tapped in some form way before this announcement?
The new law also lowers the bar for Dutch law enforcement to obtain records from these taps significantly, removing the necessity of a judge to rule whether the request is justified in the investigation.
Surely no law enforcement would overreach when given tools like these, right? Right?
Surely no law enforcement would overreach when given tools like these, right? Right?
Yeah the Belastingdienst would never do anything naughty with powers like these. Let them in on it too!
They've already overreached in the past.
https://nos.nl/artikel/2432715-inlichtingendiensten-moeten-g...
https://www.rtlnieuws.nl/tech/artikel/5294998/aftappen-aivd-...
https://nos.nl/artikel/2432715-inlichtingendiensten-moeten-g...
https://www.rtlnieuws.nl/tech/artikel/5294998/aftappen-aivd-...
>So it's a noble cause then?
If you consider "to play its part in the trade war between US-China which is extending into real WW 3" as noble, then yes, it's noble.
If you consider "to play its part in the trade war between US-China which is extending into real WW 3" as noble, then yes, it's noble.
I wanna be noble, too! Where's the form to sign up as a proxy for some war?
I'm a technical artist not a security researcher so could someone here elaborate on the supposed threat? Assuming a genuine Russian/Chinese state hacker/outfit, what damage could they cause and how much of that damage would legislation such as this prevent?
> what damage could they cause
You want to listen to what they want to do before they do something to your country. This is what this thing allows you to do: every internet packet transiting through the Dutch internet exchanges will be "scanned" (largely read-only).
However:
> The powers granted to the services are broad, but also largely ‘read-only’.
Largely `read-only`, the way I read it, means that in some cases they can actually replace whatever is going through the cable.
I imagine something like:
- terrorist A and B are texting each others, and you replace some of the text that they are sending each other (before this is received over the phone, because you own the "hop"), so that you can maybe redirect them straight into the police hands.
If done properly, I believe this can prevent quite some bad damage - not the simple example above, but probably also major things like serious attacks (e.g., ransom attacks on public institutions, etc). That's my guess - how easy or realistic this is, I can't tell you.
You want to listen to what they want to do before they do something to your country. This is what this thing allows you to do: every internet packet transiting through the Dutch internet exchanges will be "scanned" (largely read-only).
However:
> The powers granted to the services are broad, but also largely ‘read-only’.
Largely `read-only`, the way I read it, means that in some cases they can actually replace whatever is going through the cable.
I imagine something like:
- terrorist A and B are texting each others, and you replace some of the text that they are sending each other (before this is received over the phone, because you own the "hop"), so that you can maybe redirect them straight into the police hands.
If done properly, I believe this can prevent quite some bad damage - not the simple example above, but probably also major things like serious attacks (e.g., ransom attacks on public institutions, etc). That's my guess - how easy or realistic this is, I can't tell you.
[deleted]
As long as they are proud of it. No bad laws have ever been implemented where everyone was proud of it, so this must mean it's not a bad law!! And the people rejoiced...just not on the internet as they didn't want to be spied on
>No bad laws have ever been implemented where everyone was proud of it
"Nobody who speaks German can ever be evil"
- The Simpsons
"Nobody who speaks German can ever be evil"
- The Simpsons
How do you know everyone is proud of it? For starters, I'm not.
This is a 'temporary' law that will be reconsidered after 4 years (most of the time this means it will just be continued).
The CTIVD will have supervision during and after the tab (good).
Private data can be held much longer without government approval (why?).
There is no permission needed to tap another server when a party, that is under surveillance, is moving there.
---
I have mixed feelings about this. We know Russia is trying to disrupt the Netherlands because of previous taps. So on one hand it is good that the government can quickly react to such threads. On the other hand it has huge privacy implications.
Some people in this thread think that TLS will keep us private but that is not how it works when they can listen to all traffic. For example they can see I posted a request to Hacker News on a specific time. Then it is a matter of finding all posts that were made around that timestamp to see what I wrote and what my username is.
The CTIVD will have supervision during and after the tab (good).
Private data can be held much longer without government approval (why?).
There is no permission needed to tap another server when a party, that is under surveillance, is moving there.
---
I have mixed feelings about this. We know Russia is trying to disrupt the Netherlands because of previous taps. So on one hand it is good that the government can quickly react to such threads. On the other hand it has huge privacy implications.
Some people in this thread think that TLS will keep us private but that is not how it works when they can listen to all traffic. For example they can see I posted a request to Hacker News on a specific time. Then it is a matter of finding all posts that were made around that timestamp to see what I wrote and what my username is.
> For example they can see I posted a request to Hacker News on a specific time. Then it is a matter of finding all posts that were made around that timestamp to see what I wrote and what my username is.
I think this is a lot of work to do. Just ask some 3 letters agencies for some help on some malware or on some "router firmware bugs" to be exploited etc. They don't care about hacker news readers or posting comments (because this implies you must know the DNS first, etc). They care about botnets DDoS-ing your railway infrastructure, ransomware on hospitals, serious stuff that can lead the country to chaos.
I think this is a lot of work to do. Just ask some 3 letters agencies for some help on some malware or on some "router firmware bugs" to be exploited etc. They don't care about hacker news readers or posting comments (because this implies you must know the DNS first, etc). They care about botnets DDoS-ing your railway infrastructure, ransomware on hospitals, serious stuff that can lead the country to chaos.
On hn everything is public so if you only have the time at which two or three posts where submitted you can find the user in question easily.
I am sure it is there to stay as no other thing is going to stay forever as much as “temporary” law giving authorities more power.
How much cleartext is sent over the net? Nowadays almost everything is encrypted, even things like DoH are becoming standard via Cloudflare/Apple Private Relay.
If I were a politician using this against an opponent, I'd write the following press release:
Websites in the range 54.239.0.0/8 often host problematic content. My opponent visited several addresses in this range overnight and hid his traffic with military-grade message scrambling functionality.
Of course that's just AWS and you can't even do HTTP/2 or HTTP/3 without encryption. But do the voters know that? Will they be educated on it? Probably not. And you're not saying anything untrue, you have facts and logs to back up your assertions!
Websites in the range 54.239.0.0/8 often host problematic content. My opponent visited several addresses in this range overnight and hid his traffic with military-grade message scrambling functionality.
Of course that's just AWS and you can't even do HTTP/2 or HTTP/3 without encryption. But do the voters know that? Will they be educated on it? Probably not. And you're not saying anything untrue, you have facts and logs to back up your assertions!
I'm not a crypto expert by any means, but it is my understanding that government actors of larger countries probably have trusted CAs in most devices on the planet that they have control over, and they could issue certificates for arbitrary domain names; and your devices would for the most part be none the wiser.
Of course this is only relevant for targeted surveillance, not mass surveillance.
Happy to be corrected though, I've been wondering about this.
Of course this is only relevant for targeted surveillance, not mass surveillance.
Happy to be corrected though, I've been wondering about this.
Perhaps think a bit smaller, and look at companies that operate office-sized TLS interception by installing a CA certificate on each (managed) end device, and generating certificates on-the-fly from that CA. Then, some middlebox is able to inspect the encrypted communication that passes through.
Some web browsers have pinned certificates for certain services, Google Chrome/Chromium being one of those. Subsequently, the browser refuses to perform any more actions towards the server that serves an invalid (according to the browser) certificate. That browser is also one of the reasons the DigiNotar case in 2011 emerged to the surface.
Some web browsers have pinned certificates for certain services, Google Chrome/Chromium being one of those. Subsequently, the browser refuses to perform any more actions towards the server that serves an invalid (according to the browser) certificate. That browser is also one of the reasons the DigiNotar case in 2011 emerged to the surface.
This is precisely the threat model that certificate transparency mitigates.
Perhaps a better insight is looking at parties doing TLS termination globally as a reverse proxy service, for example for DDoS mitigation or acting as a web application firewall. Or, who handles your (encrypted) DNS requests? A somewhat trustworthy local ISP, or a large corporation with multiple pages of terms of service and a vague privacy statement? (I'm unfortunately also aware that there exist ISPs that inject ads on non-encrypted connections, or having done so in the past)
In my opinion, it's less about the amount of cleartext traffic, but also about what parties terminate your so preciously encrypted connections/requests, the percentage of internet traffic they handle, and what they exactly store about those requests.
Encryption on the internet doesn't mean it's suddenly safe.
In my opinion, it's less about the amount of cleartext traffic, but also about what parties terminate your so preciously encrypted connections/requests, the percentage of internet traffic they handle, and what they exactly store about those requests.
Encryption on the internet doesn't mean it's suddenly safe.
Store now, decrypt later?
Metadata analysis on netflow, source and destination traffic, etc.
Most people still don't use VPNs for everything, and some services outright block or degrade VPN connectivity. Two notable examples are most banks, and 4chan.
I firmly believe 4ch is a Honeypot.
Metadata analysis on netflow, source and destination traffic, etc.
Most people still don't use VPNs for everything, and some services outright block or degrade VPN connectivity. Two notable examples are most banks, and 4chan.
I firmly believe 4ch is a Honeypot.
The majority of traffic is available as cleartext to Cloudflare so that they can analyse it. That’s the point of being an enormous centralised TLS termination proxy.
They all work for the same team
It's called "temporary" but I don't see anything about when it is removed. Even with a sunset period (like the US Patriot Act had) it's not typical for states to give up power like this, so I'm guessing this is the new normal :-(
Is there specific intelligence leading to this? It seems very to the point about being related to Russia.
Is there specific intelligence leading to this? It seems very to the point about being related to Russia.
The Patriot Act was temporary too...
And some provisions expired thanks to Trump!
Biden, on the other hand, renews them promptly, to bipartisan satisfaction.
Funny how that works. :p
Biden, on the other hand, renews them promptly, to bipartisan satisfaction.
Funny how that works. :p
Just how badly is the internet compromised at this point, as in are there any countries or internet corporate policies that forbid contributing to this type of action and would route around the Netherlands due to it violating privacy?
To some extent, this is a gross misuse of their government power. To another extent, tap away. There is no reason for your network traffic not to be an end-to-end encrypted. I'm more or less fine with the government getting my SNI headers, though I will be investing more in Tor and other obfuscation for some purposes.
Taking the perspective that spying is warranted by the asset under threat rather than subject potentially posing it ... that is some pretty scary piece of legislation.
[deleted]
> With the Temporary Cyber Act, we will make optimum use of the data carried on our cables to protect The Netherlands against Russian and Chinese hackers
Twenty years ago, the excuse was "we are restricting your freedom because of what happened in 11/9."
Then in the internet age, the excuse became "we are restricting your freedom to save the children from online abuse."
Now, Europe has unlocked the option to restrict its citizens' freedom because of the "war."
I ask my fellow computer engineers what the hell are we waiting for to pool our minds and resources towards a truly decentralised, encrypted and anonymous overnet. Something a little more practical than I2P, Tor, Freenet, etc. "Oh bad people will use it to do crime" is not a serious enough excuse to just passively accept the government tightening the noose around our digital presence, for total control by the State, all in name of safety and security. Was Bitcoin (2009) the last hurrah of the crypto-anarchist ideals of freedom of thought, freedom from the Big Brother and freedom from the ever-looming State?
https://groups.csail.mit.edu/mac/classes/6.805/articles/cryp...
Twenty years ago, the excuse was "we are restricting your freedom because of what happened in 11/9."
Then in the internet age, the excuse became "we are restricting your freedom to save the children from online abuse."
Now, Europe has unlocked the option to restrict its citizens' freedom because of the "war."
I ask my fellow computer engineers what the hell are we waiting for to pool our minds and resources towards a truly decentralised, encrypted and anonymous overnet. Something a little more practical than I2P, Tor, Freenet, etc. "Oh bad people will use it to do crime" is not a serious enough excuse to just passively accept the government tightening the noose around our digital presence, for total control by the State, all in name of safety and security. Was Bitcoin (2009) the last hurrah of the crypto-anarchist ideals of freedom of thought, freedom from the Big Brother and freedom from the ever-looming State?
https://groups.csail.mit.edu/mac/classes/6.805/articles/cryp...
> I ask my fellow computer engineers what the hell are we waiting for to pool our minds and resources towards a truly decentralised, encrypted and anonymous overnet.
I often hear this somewhat loose idea and have to say that I also have such reoccurring thoughts myself. We currently enjoy pretty great freedoms to do stuff, we have the chance to set something up, and those freedoms might be severely restricted in the future. It may be easier to develop something like that now than it will ever be in the future. The problem seems to be that there is no coordinated plan. Stuff like Tor exists, but it hasn't really caught on as much as one would hope. Also it is built upon a rather specific architecture (the internet) from what I understand, which could basically be shutdown by authorities at any moment.
For example, I can't currently safely communicate with people in my geographic area independently of the internet, even though my devices theoretically have the hardware to do so (think of radio capabilities, for example). There might be some lose projects out there capable of some of it that 99.9999% never heard about, but nothing that could actually be considered general-purpose. Why is that?
It isn't an easy problem to solve. And it isn't enough of a problem for people to actually apply themselves nearly enough. Once it is needed in a way that more people would devote their time to it, it might be too late.
I often hear this somewhat loose idea and have to say that I also have such reoccurring thoughts myself. We currently enjoy pretty great freedoms to do stuff, we have the chance to set something up, and those freedoms might be severely restricted in the future. It may be easier to develop something like that now than it will ever be in the future. The problem seems to be that there is no coordinated plan. Stuff like Tor exists, but it hasn't really caught on as much as one would hope. Also it is built upon a rather specific architecture (the internet) from what I understand, which could basically be shutdown by authorities at any moment.
For example, I can't currently safely communicate with people in my geographic area independently of the internet, even though my devices theoretically have the hardware to do so (think of radio capabilities, for example). There might be some lose projects out there capable of some of it that 99.9999% never heard about, but nothing that could actually be considered general-purpose. Why is that?
It isn't an easy problem to solve. And it isn't enough of a problem for people to actually apply themselves nearly enough. Once it is needed in a way that more people would devote their time to it, it might be too late.
It won't happen people choose comfort instead of freedom. Eventually it will become a full blown totalitarian state, and we are going to relive 20th century again it seems.
I can't wait to pay ESG tax because I am breathing.
I can't wait to pay ESG tax because I am breathing.
I used to be so optimistic and less cynical.
Now I look at this and all that comes to mind is that actions like this would provide a basis for tapping people closer to source.
All the p2p and e2e encryption in the world won't help if someone is reading every key you type, or in the near future, every thought that crosses your mind.
Still, I applaud your spirit.
Now I look at this and all that comes to mind is that actions like this would provide a basis for tapping people closer to source.
All the p2p and e2e encryption in the world won't help if someone is reading every key you type, or in the near future, every thought that crosses your mind.
Still, I applaud your spirit.
[deleted]
[deleted]
When was the last time that something titled a "Temporary Cyber Act" was ever temporary (other than being replaced by something worse)?
It needs more "Democratic" in it to make it clear it's definitely not authoritarian. Maybe "The Democratic People's Temporary Cyber Act for Freedom"
“Nothing is so permanent as a temporary government program”
– Milton Friedman
– Milton Friedman
It has already been announced that this law will likely be extended. They later walked that back, but did admit that it is entirely possible to extend this law.
Hey, you have to applaud them for naming it "temporary", instead of "patriot". What are you? Some kind of a treasonous terrorist? How dare you oppose THE PATRIOT ACT?! /s
They get zero marks because it doesn't appear to be an acronym.
[deleted]
radicalbyte(1)
If you want to say what you think is important about an article, that's fine, but do it by adding a comment to the thread. Then your view will be on a level playing field with everyone else's: https://hn.algolia.com/?dateRange=all&page=0&prefix=false&so...