German Intelligence Traded Citizen Data For NSA Surveillance Software

An anonymous reader sends news that Germany's domestic intelligence agency, the BfV, was so impressed with the NSA's surveillance software that they were willing to "share all data relevant to the NSA's mission" in order to get it. "The data in question is regularly part of the approved surveillance measures carried out by the BfV. In contrast, for example, to the Bundesnachrichtendienst (BND), Germany’s foreign intelligence agency, the BfV does not use a dragnet to collect huge volumes of data from the Internet. Rather, it is only allowed to monitor individual suspects in Germany -- and only after a special parliamentary commission has granted approval. ... Targeted surveillance measures are primarily intended to turn up the content of specific conversations, in the form of emails, telephone exchanges or faxes. But along the way, essentially as a side effect, the BfV also collects mass quantities of so-called metadata. Whether the collection of this data is consistent with the restrictions outlined in Germany's surveillance laws is a question that divides legal experts."

Networks are not private

One thing people don't seem to understand is that networks (phone, IP, etc) are not private. They aren't designed to be, they were never meant to be. In fact, they were designed for a complete opposite purpose: so that nodes on the network could exchange information freely and without prejudice. The concept of security on a network was added later (poorly) and is antithetical to the purpose of network communications.

Therefore, just assume that whatever information you are sending out on a communication network is being captured or consumed by any other node on the network.

Re:Networks are not private

[0123456]

There's a big difference between freely exchanging information and having someone scoop up all that information when it's not addressed to them.

When you sit on a bench in the park talking to your girlfriend, you don't expect some stranger in a trenchcoat to lean in between you and listen to everything you say.

But, yes, it's unfortunate that the warnings from the 90s were ignored, and we didn't get automatic encryption by default across the Net to ensure this couldn't happen.

Re:Networks are not private

But computer and phone networks are not park benches. Again, I don't understand why people don't understand this. Networks are meant to "scoop up" information no matter where it is addressed. In fact, the original networks broadcast all the nodes information to all the other nodes. This ended because it was inefficient, not due to privacy issues.

You will also never have "automatic encryption" across the network they way they are designed now, because nodes can stand in for other nodes. You cannot be sure what node you are talking to, and data can be monitored end to end (this was intentional and part of the design!)

Re:Networks are not private

[0123456]

No, they're not. Networks are supposed to take data from one machine and deliver it to another. They're not designed to deliver it to anyone else along the way. That's an attack on the network, not part of the design.

And automatic encryption can easily be handled by pushing public keys into DNS. Yes, the NSA could force people to push fake keys into DNS, but then no-one would trust it any more.

Re:Networks are not private

> People can be seen in public.

> That gives me the right to record and catalog the movements of every human on earth

#NSAlogic

Re:Networks are not private

"They're not designed to deliver it to anyone else along the way"

Um, yes, that is EXACTLY my point. They ARE designed to deliver to anyone else "along the way". It is amazing how people don't understand how a network works. If you send information from node A to node B there can be any number of intermediate nodes on the way that also handle the information. This is the original design. Usually the intermediate nodes are switches/routers/etc. They aren't attacking the network.

In fact as I said originally, the first networks were 100% broadcast.

Re:Networks are not private

[mrbester]

My NIC begs to differ. It receives every packet and discards those not addressed to it, except when I set it to promiscuous mode.

Re:Networks are not private

this is like someone rudely eavesdropping on a conversation you are having on the street saying if you wanted it to be private you better do it in a room you can lock.

Re:Networks are not private

[lambsonic]

You are creating a straw-man out of the GP's terms. The GP even used the term *delivered* to make the appropriate distinction. Information in a payload that is encrypted is not the *delivered* information *without* the decryption key information. A network *may* have access to the *delivered* information, but it doesn't necessarily *need* to have it, and having it is considered a security weakness that may be *attacked*.

Re:Networks are not private

I think you are confused. My point is that the original design of networks is to deliver bits to network nodes. In fact the original networks delivered all the bits to all the nodes. That is the entire point. As I said, encryption was added later (badly) and won't ever work well due to the way networks have been designed. Networks were never designed to deliver data from point A to B without C, D, F seeing it. That was added later.

Re:Networks are not private

[GameboyRMH]

And automatic encryption can easily be handled by pushing public keys into DNS. Yes, the NSA could force people to push fake keys into DNS, but then no-one would trust it any more.

And this would be different than what they did to the CA system in what way?

Re:Networks are not private

"except when I set it to promiscuous mode"

Christ you guys like to argue. Well guess what? The NSA has everything set to promiscuous mode and so does every bad actor on the network. The point is that networks were never designed to keep data private. In fact they were designed for the opposite function.

Re:Networks are not private

It wouldn't be different at all. I don't think these guys understand. Just assume your network is compromised. There is no technological solution to this, unless you radically redesign the concept of a network. We are using network concepts from the 1960's here. I don't have a solution. My sole statement is that networks weren't designed for privacy and still aren't.

Re:Networks are not private

[GameboyRMH]

If all else fails, there's out-of-band key exchange...

Re:Networks are not private

[lambsonic]

The existing networks only need to see the routing information, not the information in the payload, which can be encrypted. So you have a point that the routing information can easily be snooped, which is a significant problem.

I've submitted patches to snort too.

Can I have data on the whole of Sweden in return, please? Actually, no, dragnet operations are immoral... I'll stick to women aged between 18 and 34. Thanks!

(Nobody believes this was the nature of the exchange. This is merely what was written down. Humans are rationalising creatures, not rational creatures, and will formulate official-sounding bullshit in support of anything. Why was Germany really willing to share this data?)

Re:I've submitted patches to snort too.

They were willing to share the data because Germany is an ally of the US. In my opinion the reality of some rogue terrorist organization obtaining a nuclear bomb and detonating it in a population center is quite real. Although I am not a fear monger, this is a real devastating threat and something the West needs to monitor closely.

Re:I've submitted patches to snort too.

Why was Germany really willing to share this data?

Because all of NATO (and some others) are in a mutual data alliance for communal benefit. If you think this is somehow specific between the US and Germany, you have a lot to learn. Despite their post-Snowden posturing, France is in on it too, and with less than half as much citizen protection as US, UK, or Germany. I haven't heard much on the scale of information from any of the rest of Europe.

Re:I've submitted patches to snort too.

First sale doctrine man...

Re:I've submitted patches to snort too.

Agreed on first sentence. As for the trollish rest, intelligence agencies have routinely failed to spot very convoluted plans, and grow - like anything which desires power - because nobody is stopping them.

The reason nobody has detonated a nuclear bomb in a population center is that nobody sane enough to organise it has wanted to since the '40s. Mutually Assured Destruction is a well-understood geopolitical meme. So, Israel and Iran don't want to nuke each other because they're not fucking stupid, and Kim Jong-un won't actually launch anything because he's not fucking stupid either. ISIS doesn't want to be obliterated in half an hour, so it won't nuke anyone.

But, like all primates, they'll all do a hell of a lot of chest-beating and other entertaining posturing.

The moment some unknown pops up which just wants to watch the world burn, some of the world unfortunately ends up burning. The best one can do is not render too many people hopeless enough to think like this.

Re: I've submitted patches to snort too.

All Power to cows! They don't do chest-beating! They just sit somewhere, eat their own barf, and say MOOOOOOOO!

Re:I've submitted patches to snort too.

This is how the US can spy on its citizenry "legally" for ages. US agents scoop up British and German data. British and German scoop up American data, then all the data is swapped. US never spied on Americans, and German Republic never spied on Germans.

But, they are not Five Eyes. Still don't sit at the big boys table.

Re:I've submitted patches to snort too.

"nobody sane enough to organise it has wanted to"

You don't know this to be true. It is entirely possible that various organizations have tried this and have been thwarted, but that hasn't been made public.

I think it is very naive to think that no one will detonate a nuclear bomb on a population center because they aren't "stupid". After all, the US dropped two on population centers only 50 years ago. Countries still bomb population centers to this day, inflicting tens of thousands of casualties. If you gave ISIS a bomb I can almost guarantee one of those nuts would use it. After all you cannot destroy ISIS anyway, because they are a loose group of (mostly) young radicals.

Re:I've submitted patches to snort too.

This is incorrect.
The US Intelligence Community cannot use data on US persons without authorization no matter HOW it was acquired.
Forbidden collection in the US is simply the easiest way to prevent most of that - but that is not the only restriction in place.

Re:I've submitted patches to snort too.

[Schmorgluck]

They were willing to share the data because Germany is an ally of the US.

True, but usually between allies it's a matter of courtesy and long-term mutual benefices, not a matter of bargain. I doubt French and German intelligence agencies traded something with the CIA in the summer of 2001 when they warned it that something big was afoot.

A little surprising

[MagickalMyst]

I find this a little surprising. The NSA might have some great spy tools, but some of the most incredible programmers and IT people that I have ever known are German.

One would think that they could not only build an NSA type system, but do it better.

Re: A little surprising

Really? I am not familiar with any German software companies other than Software AG and SAP (both which produce uniformly terrible software).

Re: A little surprising

NSA has the advantage that the most popular systems to hack are American.

Re: A little surprising

Yeh but BfV wanted to be able to tap Gmail and Hotmail and Ec2 and Paltalk and Skype and Facebook and that comes from bulk surveillance data the NSA has on Germans. Having great programmers doesn't give you the raw mass surveillance data to work on.

So this nicely reaches around the mass surveillance limit on BfV, it no longer taps the phones of internet of suspects, it just runs a query against the bulk surveillance data of Germans, and of course not doubt lobbies to keep the mass surveillance in place behind the scenes.

As to BfV's data feed to NSA, the NSA knows what it contains, the data registrar the German government *doesn't*. Old STASI loyalty there.

Re: A little surprising

[drinkypoo]

I find this a little surprising. The NSA might have some great spy tools, but some of the most incredible programmers and IT people that I have ever known are German.

And yet, no software houses but Crytek are known for being German. And when the Nazis wanted to manage the concentration camps, they called IBM. I don't see any evidence that Germans are particularly good at software development.

Re: A little surprising

Ever heard of SAP?

https://en.wikipedia.org/wiki/List_of_the_largest_software_companies

Re: A little surprising

[drinkypoo]

Ever heard of SAP?

Oh shit, SAP is German? Well, that settles it. Germans are shit at software development.

OK, not really. I know logic doesn't work like that. But holy hell. If Germans are responsible for SAP, maybe they really are evil.

Re: A little surprising

[dunkelfalke]

Yes, we are. Open Office also used to be ours by the way.

Re: A little surprising

The NSA most likely has had budgets orders of magnitudes larger than the BfV for a longer period of time. Most of the time, projects fail. Even if, say 1 in 10 USA projects succeed and Germany is so much better that 1 in 5 succeed, why would Germany fund that many projects to have the chance at getting a successful project in the future when they know there is already something with a proven track record that they can get now?

Re: A little surprising

[Tablizer]

One would think that [Germans could]... do it better.

USA has more experience snooping and more victims, I mean subjects to test it on. Domain experience matters.

Re: A little surprising

Many outstanding German programmers acquired their values in the hacker community. Hacker culture is different in Germany: There is hardly any acceptance for black hat hacking and using technology to spy on people.

Re: A little surprising

> Ever heard of SAP?

RRReeeeeeeeEEeeeeeeee!!!

Re: A little surprising

[Schmorgluck]

Ah, you may be mostly right on that. The CCC is primarily German, after all.

Re: A little surprising

[greenfruitsalad]

are you familiar with Leonard Poettering?

Re: A little surprising

[Morpf]

While this might be true, as far as I can tell our best or even good developers would not go to a spy agency as they are intelligent people with concience.

LOL

[Feral+Nerd]

Every time I hear some political pundit on TV talking about the evils of communism and the police states of the old Soviet bloc I am reminded of crap like this and I laugh out loud. The more time that passes from the fall of communism the more 1984 becomes reality and not in fascist dictatorships or communist countries like Orwell predicted but in the so called democratic countries of Western Europe and North America. I wonder what Orwell would have made of that?

Re:LOL

Orwell's Oceania comprised the UK and the USA.

Re:LOL

[DarkOx]

Every time I hear some lefty telling me we need more government in more regulation to prevent abuses by corporation I am reminded of this stuff and laugh out loud. So called democratic countries of Western Europe and North America already have governments that are more abusive than any corporate ever could be.

Re:LOL

[Errol+backfiring]

Well, that is hardly surprising when you let the corporations run the government. We need more people in regulation to prevent both corporation and government abuses. Especially in a democ(k)racy.

Re:LOL

[dunkelfalke]

abusive than any corporate ever could be.

ORLY?

Re:LOL

[Schmorgluck]

Holy Chao! I didn't know there had been such a trial!

Too bad that the crimes of Chiquita in the early 20th century won't ever be punished...

Chancellor posturing

This all shows: the Chancellor's reaction back then "Das geht gar nicht" was just empty posturing, and actually she (and her government, staff and party) don't give a rat's ass about anyone's privacy.

Whatever's needed to cling to power, I suppose.

(Yeah, yeah. That's the BfV, not the Merkel, and all that. You expect any "real" consequences? Thought so. Predictable, ain't it?)

Re:Chancellor posturing

[0123456]

As a general rule, if a politician's lips are moving, they're lying.

Re:Chancellor posturing

[Greystripe]

I have never liked that rule. It leaves out far too much. I prefer if they are breathing, they are lying.

Re:Chancellor posturing

[Schmorgluck]

Conclusion: we'd better elect vampires.

Like trading cards

[ITRambo]

This reminds me of people trading baseball cards, only scarier.

A little surprising? A LOT surprising!

It's not like the Germans to employ Gestapo tactics.

It's A Business

What people need to understand about the current security and surveillance industry is that it is, first and foremost, a business. The business of keeping the now tens of thousands of people involved in permanent pensionable employment.

I'm not simply talking about the bonanza of outsourcing, supply contracts, and R&D being enjoyed by companies in the security industry supply chain -- though this is a factor as well obviously. I'm talking about the entire attitude of the 100% government employees who ultimately sit at the center of this process. A generation of managers and "leaders" in the Western world has been raised on an ideology of "Marketism", to believe in "markets", "customers", "stakeholders", "competitiveness", "trading partners", "contracts", and "global synergies", even when such concepts have utterly no place in the work they are charged with carrying out.

Case in point: This story. Why would a domestic intelligence agencies actually hand over that most precious of all intelligence resources data, to a FOREIGN rival intelligence agency. Even in the globalist dreamland of one happy Western Civ family, such a move makes little and less sense. But in the world of "Marketism", this is simply "doing business", "making a deal", making an "optimal tradeoff". All notions of basic fundamentals, rationalism, or common sense is secondary to the Cargo Cult drive to act as though your organisation is some kind of stock brokerage -- complete with "performance bonuses" for yourself of course. Sadly, most employees by this stage do not even require financial incentive. They have reached the point where they want to engage in these ridiculous actions, as they have internalized the ideology.

And this is an ideology. It's infected our society's professional classes from top to almost bottom. A belief that the principals of the "Markets" are universal, omni-applicable, aspirational and virtuous in all circumstances. It is now the religion of the western professionals, and unbelievers are not smiled upon. Such a mindset might be suited to industries in finance or industry -- though even this is an increasingly dubious proposition -- but it is clear that applying them to public services and now even state security services is calamity now transcending utter insanity.

I believe we are approaching peak Marketism. The dogma has become too pervasive, too obvious, too familiar, and the buzzwords are all losing their power, even as modern society loses its momentum. Hopefully we will see the pendulum swing away from this Marketist cult, but if it does, you can expect the three or four generations raised on, and ultimately paid by, this ideology to launch an almighty campaign to maintain their ascendancy. They had better hope they won't have "rationalized" their ability to do so in the meantime.

Re:It's A Business

[0123456]

As usual, when there's another abuse of power by government, some lefty comes along to blame it on EVIL FREE MARKETS!

Because, as we know, if governments controlled everything, they'd never abuse their power like this. No, sir.

Re:It's A Business

[lambsonic]

The GP merely talked about market-only thinking, not free markets. In fact, the Marxist ideology you are referencing as a straw-man is merely an extension of the liberal thinking of Adam Smith. Even Adam Smith discussed the disparity of power between classes. That is why Marxists are also labeled liberals. The extreme ideology is unregulated markets, just as extreme as unregulated state power. Markets can be free and regulated at the same time the same way people can be free and regulated at the same time. Freedom is about self-determination, the ability to make choices. For example, anti-discrimination laws increase freedom because a significant percentage of the population is now able to make choices that otherwise would be limited and infringed by others. More people may now choose to marry, and otherwise participate in society, because of law that prevents discrimination.

Scaremongering

"In my opinion the reality of some rogue terrorist organization obtaining a nuclear bomb and detonating it in a population center is quite real."

Classic scaremongering, but the most likely scenario here is NSA spies on German political machine, US shapes German politics to be compliant to US wishes. Democracy lost in Germany, German business undermined, unfair trade agreements pushed through.... etc.

*Not* terrorist organization obtains nuclear weapon by Hotmail, NSA taps all Hotmail, spots threat, sends data to BfV, who arrest terrorist.

German software companies

[sjbe]

I am not familiar with any German software companies other than Software AG and SAP (both which produce uniformly terrible software).

Then you haven't looked very hard. Plus there are tons of German companies that make software that are not pure software companies. Siemens for example makes quite a lot of software.

Re:German software companies

[drinkypoo]

Siemens for example makes quite a lot of software.

yeah, I hear they make centrifuge software with some killer undocumented features

Re:German software companies

[Schmorgluck]

There's no such thing as an "undocumented feature". I'd really like for people to stop using that phrase, it's fundamentally absurd.

If there is a doubt ...

[houghi]

If there is a doubt if it is legal, assume it isn't legal. And approach it that way.

The standard is NOT to collect information, unless so if any OTHER data is collected, it is illegal to do so.

Just follow the idea of what the law was intended for and it becomes clear. When in doubt, do NOT collect the data.

Re:If there is a doubt ...

[Schmorgluck]

To put it another way: to individuals, everything that isn't explicitly forbidden is allowed, but to institutions, everything that isn't explicitly allowed is forbidden.

Blame sentient network?

Lets be clear about this, its not accidental snooping by some sort of sentient 'network'.

NSA has been faking certificates, Backdooring encryption, faking websites, installing taps into fibre optics around the world, hacking into servers to install back doors, writing malware, blocking encrypted connections force unencrypted fall backs etc. etc.

It didn't accidentally wake up and find it was building 7 massive exabyte class data centers!

"You will also never have "automatic encryption" across the network they way they are designed now"
Thats simply not true, you can exchange a first time key, and to defeat that key exchange, NSA would have to intercept all communications all the time. If it missed the first exchange, it fails, if it missed ANY subsequent exchange, the tap is revealed.

The problem currently is the certificate authorities and key cancel are a back door the NSA uses.

Re:Blame sentient network?

"Thats simply not true, you can exchange a first time key, and to defeat that key exchange, NSA would have to intercept all communications all the time. If it missed the first exchange, it fails, if it missed ANY subsequent exchange, the tap is revealed."

Correct, but they ARE intercepting all key exchanges all the time. Or you can assume they are. You can't tell if they are or aren't so you cannot tell if the network is secure. The point is that this type of security was added on later, and since nodes can "stand in" for other nodes, you cannot design end to end encryption. What if the NSA replaced all of Google's gmail servers with their monitoring nodes that have the same key information, or added an intermediate node with the key information? You would never know BY DESIGN. Nodes can be replaced by other nodes.

Networks are not private BY DESIGN. We can attempt to add privacy, but see how well that has worked.

Re:Blame sentient network?

[Kavonte]

you can exchange a first time key, and to defeat that key exchange, NSA would have to intercept all communications all the time. If it missed the first exchange, it fails, if it missed ANY subsequent exchange, the tap is revealed.

That's actually a great idea. Too bad that security people are all to happy to ignore good solutions and stick with bad ones simply because they haven't yet found a perfect solution. Everyone knows that unencrypted HTTP communications are bad. We also know that certificate authorities merely provide a false sense of security, particularly against people like the NSA. Yet apparently we'd rather stick with bad and worse rather than adopt any idea that is merely "good" but not infallible.

Others have replied that the NSA can intercept that key exchange each and every time, but the simple fact is that they can't. Sometimes people will communicate while on the same LAN, other times from within the same ISP at points so close that the packets never go deep enough into the internet that the NSA gets to intercept them, and there will likely be a lot of people running honeypot communications just to detect whether the NSA doing a MITM on them. So while they might be able to fool a lot of people a lot of the time, there will be a lot of people detecting such activity, which would raise a huge red flag for everyone when detections of this activity hit the news. Not to mention that, as far as we presently know, they aren't doing MITM work on any sort of large scale, but rather, just for targeted investigations, and so over the short term such a scheme would provide real security, and over the long term it would have the capability of alerting us to when they have begun doing MITM attacks on everyone.

Unfortunately, people working on encryption schemes don't consider it good enough to merely put an end to mass spying. They insist upon perfection, including "deniability" and "perfect forward secrecy" and every other encryption feature they can think of, even if that requires moving the goal posts so far that they are impractical to reach and so we're doomed to simply have no encryption at all.

Common Deal

[Etherwalk]

I feel like this is a common deal between various western countries and the NSA. At least, this isn't the first time I've heard of it being made, although I don't recall the context in which I've heard of it in the past.

Name your source

Coward. Put your name to the article

Don't get fooled by "parliamentary control"

In recent years we've had several scandals in Germany, NSA being the most recent, that have shown that our intelligence services are pretty much out of parliamentary control. The government is probably in on it, and tries its hardest to keep everything under wraps. The western democracies are firmly on their way to total surveillance states, and modern technology is making it possible. If it can be done, it will be done, laws be damned.

That's funny

When one TLA deals with another, apparently "metadata" suddenly becomes a valuable asset as "data".

Yet when the TLA deals with the citizenry, they insist that "metadata" isn't data.