Slashdot Mirror

← Back to Stories (view on slashdot.org)

Italian ISP Hides Data Acquisition by Police

Posted by timothy on from the at-least-this-couldn't-happen-in-the-states dept.

jaromil writes "It happened recently in Italy: the provider Aruba lied to a customer calling "power loss" a police action to acquire all data contained in the harddisks of the AUT/INV collective, keeping it secret for a whole year, while more than 30.000 people used its encrypted services for private comunications."

23 comments

  1. Incredible! by Mensa+Babe · · Score: 0

    In other news, the telephone company didn't inform criminals that their line is wiretapped. Film at 11.

    --
    Karma: Positive (probably because of superiour intellect)
    1. Re:Incredible! by FidelCatsro · · Score: 3, Insightful

      Yes , that's not the problem though.
      The problem is they didn't later inform the other perhaps 29,999 people that they also had their data and privacy compromised.
      Not to mention the whole issue of taking their data in the first place

      --
      The only things certain in war are Propaganda and Death. You can never be sure which is which though
    2. Re:Incredible! by quinto2000 · · Score: 3, Interesting

      Criminals? Interesting conclusion to draw. Because they were "wiretapped", they must have been committing some crime.

      Actually, Italy has a long history of repressive search and seizure laws that go far beyond what would be considered okay in the US. I am curious to know if they had a warrant for any information that could have been in traffic passing through the server, or it was just some fishing expedition.

      --
      Ceci n'est pas un post
    3. Re:Incredible! by Alereon · · Score: 2, Interesting

      Do we know that they weren't under a gag order of some kind that legally prevented them from disclosing their cooperation with the police?

    4. Re:Incredible! by convolvatron · · Score: 0, Flamebait

      you delusional idiot. how much information gathering goes on in the us, without warrant, precisely for the purposes of fishing. get a clue.

  2. Dear Editors: Do your job. by Bishop · · Score: 3, Insightful

    The submitted summary is an incoherent run on sentence. If the article is important the editors should have take the time to re-write the user submitted summary. When Slashdot started that is what the editors did.

  3. What can be done to prevent this? by vrimj · · Score: 2, Interesting

    I don't regularly use encrypted mail, but I will have a need to do so in the future. How can I assure privicy upstream? Are there US compnies or laws that will make me more secure?

    1. Re:What can be done to prevent this? by GigsVT · · Score: 3, Informative

      The point of encrypted email is you don't have to trust your ISP, or anyone, except the intended recipient.

      If you are trusting some upstream service to do the encryption it sorta defeats the purpose, as this example points out.

      Are there US compnies or laws that will make me more secure?

      No one can make you secure, except yourself.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    2. Re:What can be done to prevent this? by quinto2000 · · Score: 2

      If you are trusting some upstream service to do the encryption it sorta defeats the purpose, as this example points out.

      No, this example points out nothing of the sort. Aruba was purely an ISP hosting a server machine. They shut down the server and stole the SSL keys used for encryption. In no way was Austici relying on them to do anything other than respect the privacy of the box. However, this example does instruct us to not use SSL keys without a passphrase, despite the inconvenience associated with typing in the passphrase every time you restart the service.

      --
      Ceci n'est pas un post
    3. Re:What can be done to prevent this? by GigsVT · · Score: 1

      You don't get it. Your encryption key should be on your computer, not your ISPs, or a "privacy oriented email" service's machine.

      So it is exactly what I said. People trusting an upstream provider, Autistici, to do the encryption for them, Autistici, in turn, trusted their hosting provider not to tamper with the machine. It backfired, as is to be expected, with that many people having access to the private key.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    4. Re:What can be done to prevent this? by Bishop · · Score: 3, Insightful

      Even if Austici used SSL keys with a passphrase Aruba could have still compromised the SSL software to copy all of the unencrypted data.

      The ISP Aruba was much more then an ISP hosting a server machine. Aruba was also providing the physical security of the server. Aruba had physical access to the server, the encryption keys, the encryption software, and the clear text data. Austici had to trust Aruba for the security of the entire system. If Austici wants a secure system they must keep the encryption physically secure. Usually this requires that the servers are in a location that they control and monitor.

  4. Physical security is important by Bishop · · Score: 4, Insightful

    We always suspected that they [the isp Aruba] weren't trustworthy...

    Why did they think their system was secure?

    This article highlights why physical security is so important. Cryptography is a work around for poor physical security. It is not a replacement. As the server held encryption keys the security of the system was completely dependant on the physical security of that server.

    Unfortunately this group hasn't learned their lesson:

    We will, as soon as possible, reactivate all the services on a new server, cleaned and sanitized, hosted by a different provider.

    This service will still be susceptible to the very same attack.

    1. Re:Physical security is important by Anonymous Coward · · Score: 1, Insightful

      Not just physical security. Too many people think that encryption == secure. It means absolutely nothing if your "secure" shopping basket is submitted through HTTPS if the web application is vulnerable to an SQL injection attack. Encryption only keeps the data secure as it is being moved from one place to another. It doesn't magically make either of the end-points secure. It's like assuming that just because prisoners arrive at a prison in handcuffs that you don't need to bother with locks on the doors.

  5. Summary is fine by Anonymous Coward · · Score: 0

    Huh?

    It's a perfectly well formed, grammatically correct sentence.

    Maybe you belong to the 5-second generation where your attention span can't hold onto anything longer than the grunts from MTV presenters?

    Furthermore, the sub-sentences in the summary are properly separated by commas, whereas yours aren't.

    1. Re:Summary is fine by maddskillz · · Score: 1

      I am still trying to figure out waht this means:
      Aruba lied to a customer calling "power loss"

    2. Re:Summary is fine by Anonymous Coward · · Score: 1, Funny

      It happened recently in Italy: the provider Aruba lied to a customer calling "power loss" a police action to acquire all data contained in the harddisks of the AUT/INV collective, keeping it secret for a whole year, while more than 30.000 people used its encrypted services for private comunications.

      It is not, in fact, a "perfectly well-formed, gramatically correct sentence." There subject/object confusion, a missing comma between "customer" and "calling," and several other miscellaneous mistakes. It could also have been written much more succinctly and less confusingly. Which is not to mention the fact that run-on sentences can have technically perfect grammar and syntax. The complaint "it is a run-on sentence" is not one about grammar, but about style.

      Maybe you belong to the aging nerd generation whose (not "where your") random bitterness at the valid complaints of those whom you assume to be younger than you stems from the fact that you, in your similar youth, were a hated, powerless outcast. It is a possibility.

    3. Re:Summary is fine by marcello_dl · · Score: 4, Informative

      I am still trying to figure out waht this means: Aruba lied to a customer calling "power loss"

      It appears the police raid was made and no one bothered to tell the responsible for the servers that an investigation/seizing of data was being made.

      Disruption of service occurred, and the phone calls by costumers were answered with technical excuses, instead of telling the truth.

      This is what italian webpress says.

      Note also that 30000 accounts, personal data, crypto keys, was seized because one single hosted site was under investigation.

      --
      ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
    4. Re:Summary is fine by Anonymous Coward · · Score: 0

      zing!

    5. Re:Summary is fine by Rick+the+Red · · Score: 1
      Yes, but the statement
      Aruba lied to a customer calling "power loss" a police action to acquire all data contained in the harddisks of the AUT/INV collective,
      reads, to me, that they had a "power loss" and when people called to complain they were told the "power loss" was really a police action to acquire all data contained in the harddisks of the AUT/INV collective, when in fact it was a "power loss." At least, that's how it reads to me.

      Maybe they meant that the citizens have lost all power over the Police.

      --
      If all this should have a reason, we would be the last to know.
  6. physical security by TheSHAD0W · · Score: 2, Insightful

    Physical security is a potential worry for any person, organization or service; many major security breaches involve physical rather than algorithmic security. (See "social hacking".) The only real solution is to have your own server on your own property, with sufficient safeguards to prevent a "sneak-and-peek" from being successful.

  7. ISP's answer was absolutely true by kawika · · Score: 4, Funny

    If that isn't a "power loss" I don't know what is. This is an answer worthy of the Oracle at Delphi.

    1. Re:ISP's answer was absolutely true by djdanlib · · Score: 1

      You must go NOW and seek the Oracle with My directions. Be not fooled by any clueless saps claiming to be the TRUE server of our knowledge. Report your Progres every hour.

      Query the Oracle, USING proper syntax, and retrieve from it the stored procedure which you must execute in ORDER to ALTER the WINDOW of your mind, and receive the true VIEW. Only the SELECT will learn the correct answer, the rest will be INSERTed headfirst to the DUMP.

      Now back up on your two-wheel tape drive, exit the door, turn around, and go.

  8. Genoa G8 by Exitar · · Score: 3, Interesting

    It seems that Autistici/Inventati server hosted files about a trial that involve italian police abuses during Genoa G8...