Slashdot Mirror

← Back to Stories (view on slashdot.org)

Italian ISP Hides Data Acquisition by Police

Posted by timothy on from the at-least-this-couldn't-happen-in-the-states dept.

jaromil writes "It happened recently in Italy: the provider Aruba lied to a customer calling "power loss" a police action to acquire all data contained in the harddisks of the AUT/INV collective, keeping it secret for a whole year, while more than 30.000 people used its encrypted services for private comunications."

13 of 23 comments (clear)

  1. Dear Editors: Do your job. by Bishop · · Score: 3, Insightful

    The submitted summary is an incoherent run on sentence. If the article is important the editors should have take the time to re-write the user submitted summary. When Slashdot started that is what the editors did.

  2. What can be done to prevent this? by vrimj · · Score: 2, Interesting

    I don't regularly use encrypted mail, but I will have a need to do so in the future. How can I assure privicy upstream? Are there US compnies or laws that will make me more secure?

    1. Re:What can be done to prevent this? by GigsVT · · Score: 3, Informative

      The point of encrypted email is you don't have to trust your ISP, or anyone, except the intended recipient.

      If you are trusting some upstream service to do the encryption it sorta defeats the purpose, as this example points out.

      Are there US compnies or laws that will make me more secure?

      No one can make you secure, except yourself.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    2. Re:What can be done to prevent this? by quinto2000 · · Score: 2

      If you are trusting some upstream service to do the encryption it sorta defeats the purpose, as this example points out.

      No, this example points out nothing of the sort. Aruba was purely an ISP hosting a server machine. They shut down the server and stole the SSL keys used for encryption. In no way was Austici relying on them to do anything other than respect the privacy of the box. However, this example does instruct us to not use SSL keys without a passphrase, despite the inconvenience associated with typing in the passphrase every time you restart the service.

      --
      Ceci n'est pas un post
    3. Re:What can be done to prevent this? by Bishop · · Score: 3, Insightful

      Even if Austici used SSL keys with a passphrase Aruba could have still compromised the SSL software to copy all of the unencrypted data.

      The ISP Aruba was much more then an ISP hosting a server machine. Aruba was also providing the physical security of the server. Aruba had physical access to the server, the encryption keys, the encryption software, and the clear text data. Austici had to trust Aruba for the security of the entire system. If Austici wants a secure system they must keep the encryption physically secure. Usually this requires that the servers are in a location that they control and monitor.

  3. Re:Incredible! by FidelCatsro · · Score: 3, Insightful

    Yes , that's not the problem though.
    The problem is they didn't later inform the other perhaps 29,999 people that they also had their data and privacy compromised.
    Not to mention the whole issue of taking their data in the first place

    --
    The only things certain in war are Propaganda and Death. You can never be sure which is which though
  4. Physical security is important by Bishop · · Score: 4, Insightful

    We always suspected that they [the isp Aruba] weren't trustworthy...

    Why did they think their system was secure?

    This article highlights why physical security is so important. Cryptography is a work around for poor physical security. It is not a replacement. As the server held encryption keys the security of the system was completely dependant on the physical security of that server.

    Unfortunately this group hasn't learned their lesson:

    We will, as soon as possible, reactivate all the services on a new server, cleaned and sanitized, hosted by a different provider.

    This service will still be susceptible to the very same attack.

  5. Re:Incredible! by quinto2000 · · Score: 3, Interesting

    Criminals? Interesting conclusion to draw. Because they were "wiretapped", they must have been committing some crime.

    Actually, Italy has a long history of repressive search and seizure laws that go far beyond what would be considered okay in the US. I am curious to know if they had a warrant for any information that could have been in traffic passing through the server, or it was just some fishing expedition.

    --
    Ceci n'est pas un post
  6. physical security by TheSHAD0W · · Score: 2, Insightful

    Physical security is a potential worry for any person, organization or service; many major security breaches involve physical rather than algorithmic security. (See "social hacking".) The only real solution is to have your own server on your own property, with sufficient safeguards to prevent a "sneak-and-peek" from being successful.

  7. ISP's answer was absolutely true by kawika · · Score: 4, Funny

    If that isn't a "power loss" I don't know what is. This is an answer worthy of the Oracle at Delphi.

  8. Genoa G8 by Exitar · · Score: 3, Interesting

    It seems that Autistici/Inventati server hosted files about a trial that involve italian police abuses during Genoa G8...

  9. Re:Incredible! by Alereon · · Score: 2, Interesting

    Do we know that they weren't under a gag order of some kind that legally prevented them from disclosing their cooperation with the police?

  10. Re:Summary is fine by marcello_dl · · Score: 4, Informative

    I am still trying to figure out waht this means: Aruba lied to a customer calling "power loss"

    It appears the police raid was made and no one bothered to tell the responsible for the servers that an investigation/seizing of data was being made.

    Disruption of service occurred, and the phone calls by costumers were answered with technical excuses, instead of telling the truth.

    This is what italian webpress says.

    Note also that 30000 accounts, personal data, crypto keys, was seized because one single hosted site was under investigation.

    --
    ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol