Linked by Thom Holwerda on Tue 23rd Oct 2012 18:24 UTC, submitted by Jane Doe
Privacy, Security, Encryption "Last week, the Dutch Minister of Safety and Justice asked the Parliament of the Netherlands to pass a law allowing police to obtain warrants to do the following: install malware on targets’ private computers, conduct remote searches on local and foreign computers to collect evidence, and delete data on remote computers in order to disable the accessibility of 'illegal files'. Requesting assistance from the country where the targetted computer(s) were located would be 'preferred' but possibly not required. These proposals are alarming, could have extremely problematic consequences, and may violate European human rights law." You get true net neutrality with one hand, but this idiocy with another. This reminds me a lot of how some of our busy intersections are designed; by people who bike to city hall all their lives and have no clue what it's like to drive a car across their pretty but extremely confusing and hence dangerous intersections.
Thread beginning with comment 539720
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE: Comment by MOS6510
by Yehppael on Tue 23rd Oct 2012 18:56 UTC in reply to "Comment by MOS6510"
Yehppael
Member since:
2012-08-01

Some people consider Linux & company to be hacker tools, so instead, run Windows in a virtual machine, and redirect everything from port 22 to it.

Reply Parent Score: 2

RE[2]: Comment by MOS6510
by Alfman on Tue 23rd Oct 2012 19:52 in reply to "RE: Comment by MOS6510"
Alfman Member since:
2011-01-28

If I were a government entity, I'd research ways to break into ordinary computers through the channels manufacturers grant themselves access to, such as OS update mechanisms (which work independently of any inbound firewall techniques, and updates are ostensibly legitimate to an administrator).

How likely is it that no governments have infiltrated the ranks of apple, microsoft, google, ubuntu, etc to copy their signing keys?


Consider that allegedly microsoft implanted a security key to have windows validate NSA signatures:
http://www.darkgovernment.com/news/remembering-the-nsakey/

Edited 2012-10-23 19:53 UTC

Reply Parent Score: 2

RE[3]: Comment by MOS6510
by Doc Pain on Wed 24th Oct 2012 09:54 in reply to "RE[2]: Comment by MOS6510"
Doc Pain Member since:
2006-10-08

If I were a government entity, I'd research ways to break into ordinary computers through the channels manufacturers grant themselves access to, such as OS update mechanisms (which work independently of any inbound firewall techniques, and updates are ostensibly legitimate to an administrator).

How likely is it that no governments have infiltrated the ranks of apple, microsoft, google, ubuntu, etc to copy their signing keys?


That surely is the easier way, but it's possible to do similar things (i. e. hijack the updating mechanism) with no "official" signing:

The full mechanism isn't yet completely analyzed, but Flame has a module which appears to attempt to do a man-in-the-middle attack on the Microsoft Update or Windows Server Update Services (WSUS) system. If successful, the attack drops a file called WUSETUPV.EXE to the target computer.

This file is signed by Microsoft with a certificate that is chained up to Microsoft root.

Except it isn't signed really by Microsoft.

Turns out the attackers figured out a way to misuse a mechanism that Microsoft uses to create Terminal Services activation licenses for enterprise customers. Surprisingly, these keys could be used to also sign binaries.

[...]

Microsoft has announced an urgent security fix to revoke three certificates used in the attack.

The fix is available via — you guessed it — Microsoft Update.


Source: "Microsoft Update and The Nightmare Scenario"

http://www.f-secure.com/weblog/archives/00002377.html

The less people care and leave security considerations to others (often: no one), the easier such investigation tools could be deployed widely. Unnoticed by users who don't care anyway, even "artificial evidence" could be created, fitting the bill well:

1. Install malware on targets’ private computers

2. Conduct remote searches on local and foreign computers to collect evidence

3. Delete data on remote computers in order to disable the accessibility of “illegal files.”

as explained in the article. "But I didn't write or download that!" - "But we found it on your PC." - "I didn't do it!" - "Prove that." :-)

Reply Parent Score: 4