Slashdot Mirror


Italian ISP Hides Data Acquisition by Police

jaromil writes "It happened recently in Italy: the provider Aruba lied to a customer calling "power loss" a police action to acquire all data contained in the hard disks of the AUT/INV collective, keeping it secret for a whole year, while more than 30.000 people used its encrypted services for private communications."

6 of 23 comments

  1. Dear Editors: Do your job. by Bishop · · Score: 3, Insightful

    The submitted summary is an incoherent run-on sentence. If the article is important the editors should have taken the time to re-write the user submitted summary. When Slashdot started that is what the editors did.

  2. Re:Incredible! by FidelCatsro · · Score: 3, Insightful

    Yes, that's not the problem though.
    The problem is they didn't later inform the other perhaps 29,999 people that they also had their data and privacy compromised.
    Not to mention the whole issue of taking their data in the first place.

    --
    The only things certain in war are Propaganda and Death. You can never be sure which is which though
  3. Physical security is important by Bishop · · Score: 4, Insightful

    We always suspected that they [the ISP Aruba] weren't trustworthy...

    Why did they think their system was secure?

    This article highlights why physical security is so important. Cryptography is a workaround for poor physical security. It is not a replacement. As the server held encryption keys, the security of the system was completely dependent on the physical security of that server.

    Unfortunately this group hasn't learned their lesson:

    We will, as soon as possible, reactivate all the services on a new server, cleaned and sanitized, hosted by a different provider.

    This service will still be susceptible to the very same attack.

    1. Re:Physical security is important by Anonymous Coward · · Score: 1, Insightful

      Not just physical security. Too many people think that encryption == secure. It means absolutely nothing if your "secure" shopping basket is submitted through HTTPS if the web application is vulnerable to an SQL injection attack. Encryption only keeps the data secure as it is being moved from one place to another. It doesn't magically make either of the end-points secure. It's like assuming that just because prisoners arrive at a prison in handcuffs that you don't need to bother with locks on the doors.

  4. physical security by TheSHAD0W · · Score: 2, Insightful

    Physical security is a potential worry for any person, organization or service; many major security breaches involve physical rather than algorithmic security. (See "social hacking".) The only real solution is to have your own server on your own property, with sufficient safeguards to prevent a "sneak-and-peek" from being successful.

  5. Re:What can be done to prevent this? by Bishop · · Score: 3, Insightful

    Even if Austici used SSL keys with a passphrase, Aruba could have still compromised the SSL software to copy all of the unencrypted data.

    The ISP Aruba was much more than an ISP hosting a server machine. Aruba was also providing the physical security of the server. Aruba had physical access to the server, the encryption keys, the encryption software, and the clear text data. Austici had to trust Aruba for the security of the entire system. If Austici wants a secure system they must keep the encryption physically secure. Usually this requires that the servers are in a location that they control and monitor.