In Kazakhstan, the Internet Backdoors You

itwbennett writes: Kazakhstan passed a law that would require citizens to install a certificate on their personal computers and mobile devices that would allow the government to snoop and capture web traffic, passwords, financial details. Telecom.kz posted the news to their website on November 30, but by December 4 the press release had been removed from the website. This is just the latest example of government overreaching. Recently we've seen the Turkish government attempt to block access to social media sites. And let's not forget Thailand's attempt to roll out their own man-in-the-middle implementation.

Re:In Russia, you

Well, then it's a good fucking thing nobody said Russia.

Re:In Russia, you

[aicrules]

Also it was part of the former Soviet Union, so....

And the difference to the NSA is?

[loony]

I bet that there, the government has the legal authority to do this, so what's the big deal? Here we have that pesky thing called the constitution, and the government still does the same even though they knew it was sketchy at best, but probably illegal.

Peter.

Re:And the difference to the NSA is?

[dotancohen]

I bet that there, the government has the legal authority to do this, so what's the big deal? Here we have that pesky thing called the constitution, and the government still does the same even though they knew it was sketchy at best, but probably illegal.

Peter.

Oops, the NSA already has their cert installed in Firefox, IE, Chrome, and other web browsers as well by default:
http://security.stackexchange....

So this is an issue of Kazakhstan just catching up to the US.

Re: And the difference to the NSA is?

The difference? Probably is that people in most modern civilized countries are smarter than to fall for the Kazakhstan interpretation of a citizen baby monitor. Slaves are not feasible in modern societies unless the society's culture itself establishes it. As far as I can tell, that society simply does not exist.

Re:And the difference to the NSA is?

Except that Firefox doesn't use the OS's certificate store (something that many Windows sysadmins whine about constantly). Unless you're saying Firefox has their cert as well as the OS.

Re:And the difference to the NSA is?

I bet that there, the government has the legal authority to do this, so what's the big deal? Here we have that pesky thing called the constitution,

Venezuela has a Constitution. So what's your point?

Re:And the difference to the NSA is?

I like the NSA approche: no interaction needed and much more user friendly.

Re:And the difference to the NSA is?

Looks like you didn't bother to read the fucking answer to your fucking link, you fucking retard.

Before you flip out and begin to delete root CA certificates, burn your computer's motherboard, or drink a gallon of vodka, think about what it means. It means that the US government could technically emit a fake certificate for any SSL site that you are browsing -- but with a certificate chain that would point back to the US government. That is the point of having a "trusted CA" in the client: so that the client may validate a certificate chain. Therefore, such a forged site would hardly be a discreet way to eavesdrop on communications. All it would take would be a single user clicking on the padlock icon, reviewing the certificate chain, notice the FPKI root, and mock Obama on Twitter.

Pushing your own root CA in the "trusted store" of your victims is not an adequate way to spy on people without them noticing. Although it is a government agency, the NSA as a whole is usually not that stupid.

If the government wants to spy on you, they have a lot more effective ways of doing it than fucking hijacking your Facebook connection via a fucking fake SSL cert.

Dumbshit.

Re:And the difference to the NSA is?

[dotancohen]

Right, because anybody other that CISSPs understand what SSL is, or how to check which root cert is being used, or that it even needs to be checked. But you did use the word "fucking" when addressing me, so you must be right.

GCHK and NSA

[Alain+Williams]

look on in envy ...

I visited the ISP's web site to try to see exactly what is supposed to be loaded onto a machine, but I don't read their language.

Re:GCHK and NSA

[Alain+Williams]

I lost the web site link, try again

Re:GCHK and NSA

I don't see what GreenChek Technology has to do with this.

It's Nice

I love being right now and then. I have ranted consistently that no government will ever want to allow truly private communications. I think they must stay up late at night worried that they can't hear every word between a man and his wife in the wee hour of the night. Paranoia is like cheap. There is no limit to how cheap a man can be nor is there any limit on how afraid some people can be.

Re:In Russia, you

A Russian visited the area once, so ....

Re:In Russia, you

[gstoddart]

A Russian visited the area once, so ....

A moose bit my sister once ... it was very painful.

I don't know about you...

...but if I were a competent intelligence agency, I'd buddy up with a CA that has its root in all the major browsers, and MITM by redirecting traffic to my servers, once I'd obtained a warrant from a judge for targetted surveillance. IOW, I'd take a reasonable interpretation of the US Constitution's 4th amendment.

If, OTOH, I just wanted to spy on all my citizens, perhaps collecting data to make sure everyone can be identified as a criminal in future if needed, I'd do as described in the article. IOW, I'd be the Kazakhstan government.

if I were extremely incompetent, OTOH, I'd do something like only outlawing end to end encryption, and design some magic wand to enable myself access to all servers on the Internet across the planet. IOW, I'd be the UK government.

Seems pretty lame

[freeze128]

How would the government enforce this? "Uh, oh yeah, I installed your certificate, wink wink."

Re:Seems pretty lame

[gstoddart]

Ultimately, there's probably a more-than-just-implied idea that your ass will get dragged off to jail or shot if you fail to comply.

The same thing which happens in all such regimes, and the same thing the US is trying to achieve -- failure to comply with state security is a crime.

Make no mistake about it, this is the exact same direction Western countries are heading, because they all make the same argument that the state requires unfettered access to monitor us.

Re:Seems pretty lame

[circletimessquare]

when the laws are technically incompetent, the only real de facto law of the land is technical competency. for good ends or bad ends

technical illiterates, good and bad, beware in such a land

Re:Seems pretty lame

Never mind enforce, how would the government even implement this?
I'm a M.Sc.EE, 15+ years of IT experience. I've never installed a certificate. I wouldn't know how to do it.
I imagine they could teach me easily, but the rest of the people without any IT skills?

Posted as AC for career-saving reasons.

Re:Seems pretty lame

[Kardos]

No need to, it enforced itself. They simply MITM all TLS traffic, and then the peons have three choices:

Choice 1) you install the certificate, your traffic is snooped

Choice 2) you don't install the certificate, your browser throws up certificate warnings, you accept them, your traffic is snooped

Choice 2) you don't install the certificate, your browser throws up certificate warnings, you don't accept them, no traffic to snoop

Re:Seems pretty lame

[gstoddart]

No, the real de facto law of the land still boils down to men with guns and how willing they are to use them.

And I'm pretty sure in Kazakhstan, the law is being enforced by technical illiterates.

Beware the clever guy who thinks his technical literacy will trump the men with guns who don't give a crap about your own perceived awesomeness.

Even in the US, that won't get you very far.

Re:Seems pretty lame

This is the best part: they don't need to. They detain you for whatever reason, check your phone for the cert. Not found? We'll let you out in five years, criminal.
Sure someone clever enough can find a way around it, but it doesn't need to be 100% effective; 99% is good enough.

Re:Seems pretty lame

And ultimately they will prevail. They will obtain a "transparent populace" while the State will be able to maintain secrecy forever. Unfortunately, they will win. There is no other possible outcome.

Re: Seems pretty lame

I always found it funny that tech-heads could believe technical prowess might beat violence. High school should have taught them better. How many nerds have suffered hell at the hands of bullies all the while fantasizing about convoluted plans of revenge that would never work, and kept being beaten up? The same mindset is seen now: the unwillingness to understand that lawmakers backed by hosts of violent people trump your "tech-savvyness" each and every time.

Re:Seems pretty lame

[JesseMcDonald]

Choice 1b) you install the certificate, your traffic is snooped, but knowing this to be the case you tunnel a real TLS connection inside the MITM'd connection. (Secure TLS via a compromised TLS VPN.)

One of the nice things about encryption is that it's composable. Outer layer compromised? No problem; just add another layer inside. As long as they allow any information to be communicated, there will always be room for an encrypted communication channel, though it may need to be disguised with steganography.

Re:Seems pretty lame

Same way a previous employer of mine enforced their MITM on SSL certs with their BlueCoat content filter. If the traffic couldn't be decoded by the device, it was blocked. SSH? blocked. TLS/SSL? Blocked unless their cert could decode it.

Re:Seems pretty lame

[Gavagai80]

Doing that, of course, will be illegal and will be rare enough to make you stand out as a target.

Re:Seems pretty lame

[JesseMcDonald]

It could be made illegal, of course, but the communication itself was probably illegal anyway. It would only stand out if implemented poorly, however. Done properly it will just look like an unknown (proprietary) binary protocol, which isn't particularly uncommon. They can't possibly have the manpower necessary to reverse-engineer every unknown data format they happen to intercept, and it would be easier and cheaper to ban the Internet entirely than to enforce a rule that their subjects use only registered and documented protocols. Notice that they only added measures to intercept HTTPS, when they could have simply blocked it and/or banned encryption entirely. They know that they can't exercise effective control over the format of the traffic.

Even if they did, you could just encode your encrypted traffic as "noise" in a funny video of your cat, or any number of other innocuous-looking formats. Even text formats are possible carriers, albeit at much lower throughput.

Re:Seems pretty lame

It's about as "backdoor" as the TSA checkpoints at US airports.

Re:Seems pretty lame

[Creepy]

Sure there is criminals (and pseudo-criminals like me - as a teen I cracked software and hacked and just never got caught) always know how to rig the system. In this case, install the root certificate on your desktop. Bypass Method 1, use a VM: Download VirtualBox, create a Linux VM, and do all your browsing from in there, since that browser isn't rooted. You could even delete the VM when you're done and it may be possible to create a sandbox'ed browser. You've obeyed the law and bypassed it. Method 2, tunneling: find a partner outside of Kazakhstan and establish a VPN connection to it. Do all your browsing through the VPN on the non-compromised machine. Method 3, use hotspots and anonymizers to do your browsing. These can mask your MAC address and give you a different IPv6 IP (and you'll get a different IPv4 IP via NAT - you can set NAT retention to an extremely low number and it will delete any record of you being there). They can still trace you, but as soon as you go offline, you're someone else.

That was my 2 seconds of thought on how to obey the law and violate the intention of the law.

Re: Seems pretty lame

[circletimessquare]

even when you can frame them for online chatter they never committed and use the violent thugs against themselves?

before the gun comes out of the holster, there is information and perception

own the information, change the perception, own the actions of the thugs

Re:Seems pretty lame

[Creepy]

I would agree - if you installed the certificate, you've obeyed the law to the letter. Just because they didn't think of VPNs and such to work around the authority doesn't mean you are breaking the law, it means they did a shitty job of defining a law to control something and they didn't fully understand how it works. The US does this all the time. The US also seems to think it can write international law regulating the internet (most of these, like COPA were killed by the court system, at least).

And yeah, you could encrypt/decrypt in, say, javascript and entirely work around the bypass. You could probably entirely automate public and private key generation on both sides using a script.

Re: Seems pretty lame

And this is why IT certificates are often considered a joke.

Re:Seems pretty lame

They could outsource the spyware distribution to Dell, Lenovo, Apple, Google or Microsoft. All these have unlimited power on the users machines and all of them are already actively spying their users.

Re: Seems pretty lame

own the information, change fuck-all, get shot in the face.

FTFY.

Re:Seems pretty lame

sure they will prevail http://www.fansgist.com/gmail-registration-l-gmail-sign-up-l-gmail-sign/

Re:Seems pretty lame

[KGIII]

Not only is that horrible English, it's horrible SPAM. I keep seeing you goobers try to SPAM this site with almost on-topic posts. Your peers do a better job at this forum posting gig than you do. You? You need to be fired. Also, the person who authored the page? They need to learn the fucking language. The last paragraph is borderline retarded.

I take that back, the last paragraph is retarded. Also, all scripts and ads are blocked by default so someone paid for bandwidth that will not be of any value to them as they're unable to get any tracking (those cookies didn't make it through either) and they didn't even get ad impressions. You guys need someone competent to run your business.

I've not given much thought to the business but if you donate $500 USD to EFF, and provide a verifiable receipt for doing so, then I will spend ten hours researching the business, five hours researching your specific business model, and then five hours writing a report that will enable you to increase your return on investment. I won't even just fill it up with marketing jargon. I'll give you a full, detailed, report and advice you can opt to act on so long as you make the donation to EFF first.

Re:Seems pretty lame

[KGIII]

They just have to know where the source was and come to your house. They don't have to crack the encryption. They just need to notice it and decide they want to pay you a friendly visit. Then, to crack the encryption, they use the monkey wrench. They control the pipes. If you put something in the pipes that stands out they don't need to know what it is, they just need to know you did it and aren't fond of monkey wrenches.

Re: Seems pretty lame

[circletimessquare]

not much of a student of history huh?

Meanwhile in the civilized world

Western agencies sneak their root CAs in browser default configurations without laws and without notice.

Thailand, huh?

that's not a man, baby. "Tranny in the middle" attack is more like it.

Re:In Russia, you

[Nidi62]

I am aware that Putin does not know his borders, but Kazakhstan is not Russia.

He knows his borders. Just in his mind if you are a former Soviet state then you are (or should be) actually part of Russia. He's kind of like China, in that the borders they think they have don't really line up with the maps everyone else is using.

Turtles all the way down

Encryption layer upon encryption layer upon encryption layer... Until you're out of fascist territory.

Re: Turtles all the way down

You'll see things different after the first broken finger.

Re: Turtles all the way down

Why would I break your finger?

Re: Turtles all the way down

Steganography: "I was only sending a picture of this cute kitteh to my friend, you can trust me there's no statistically undetectable ciphertext hidden in there I swear!".

You're right technology can't prevent rubber hose cryptanalysis, what it can do is ensure the oppressors to have to torture so many false positives that the risk to you is no higher than any random person off the street.

The South Korean way

Don't forget about them.

Kazakhstan is attacking users

This is an attack, according to IETF BCP 188 (currently RFC 7258: "Pervasive Monitoring Is an Attack").

Meanwhile in Kazakhstan...

[coolmoe2]

Typewriter sales took off as the last bastion of privacy left.

Kazhakstan CNN ads

[SeriousTube]

Kazhakstan has loads of advertisements on CNN trying to persuade businesses to locate there. Good way to screw that one up.

Re:In Russia, you

The meme being referenced is "In Soviet Russia {something that would normally be the subject of an action by you} {actions} {you}", as in "In Soviet Russia, Jokes write you!", so yes, it was implied that Kazakhstan is (Soviet) Russia.

Soviet Russia, Russia and Kazakhstan

[unixisc]

Yakov Smirnoff started this genre of jokes back in the 60s. At the time, Russia was usually conflated w/ the Soviet Union (just like England to this day is conflated w/ the United Kingdom). His usage of the term 'Soviet Russia' meant the USSR, rather than the RSFSR. Since Kazakhstan was a part of the USSR, this genre of jokes could remain relevant for this case.

At any rate, this is by no means the worst to hit Kazakhstan. Nor are Borak caricatures of that country. The worst thing that could ever hit Kazakhstan is if it becomes a hotbed for Jihadi activity, since it was in medieval times the playground of Muslim sultanates, and an Islamic revival like in neighboring Uzbekistan could end up screwing them up to no end

Re:Soviet Russia, Russia and Kazakhstan

It's funny that you say that, but the wikipedia article you link to says he didn't actually do many of those jokes. (Plus he started doing comedy in the 70's.. he was a kid in the 60's!)

Re:In Russia, you

That will teach her not to karve her initials on the moose.

CAPTCHA: rubles.

Re: In Russia, you

No, you won't be modded down but you do need a slap upside the head if you are being serious. Trying getting some fresh air, it might help get the liberal out of you.

Borders

In Capitalist America you make borders. In Soviet Russia Borders make You!

Good news for linux :)

[einar.petersen]

Read the fine print he he.... Only Android mac win etc. mentioned OS wise... Oh the wonders of politicians without a technical clue.... Yes I am aware of the nix like bases of Android and Mac.... But hey if they want to be OS specific... Then the year of the Linux Desktop has finally arrived ;)

Re:Good news for linux :)

Then the year of the Linux Desktop has finally arrived ;)

Something tells me the breathless anticipation inherent to that phrase will turn to deflated disappointment when people notice the footnote.

2015 is the Year of the Linux Desktop[1]!

[1] - Offer valid only for residents of Kazakhstan."

Very Nice!

Kazakhstan greatest country in the world.
All other countries are run by little girls.
Kazakhstan number one exporter of potassium.
Other countries have inferior potassium.

Kazakhstan home of Tinshein swimming pool.
It's length thirty meter and width six meter.
Filtration system a marvel to behold.
It remove 80 percent of human solid waste.

Kazakhstan, Kazakhstan you very nice place.
From Plains of Tarashek to Norther fence of Jewtown.
Kazakhstan friend of all except Uzbekistan.
They very nosey people with bone in their brain.

Kazakhstan industry best in the world.
We incented toffee and trouser belt.
Kazakhstan's prostitutes cleanest in the region.
Except of course Turkmenistan's

Kazakhstan, Kazakhstan you very nice place.
From Plains of Tarashek to Norther fence of Jewtown.
Come grasp the mighty penis of our leader.
From junction with the testes to tip of its face!

Re:Very Nice!

[U2xhc2hkb3QgU3Vja3M]

I was hoping to see this.

Very nice NOT!

So, just like the certs on US Lenovo's and Dells?

Not to mention windows push to using 'authorized' CA's instead of self signed..

Cold War, Soviets and Russia

[unixisc]

The mistake that both Bush 41 and Clinton 42 made was that they allowed their State Departments to continue to keep Russia in the adversaries column, long before Putin surfaced. Letting Russia fester and supporting secessionist movements there like the Chechens was a bi-partisan sin. But the biggest issue w/ them is that they never realized that Islam replaced Communism as the free world's #1 enemy, and is even more lethal than either Nazism or Communism

Most of the stans are still pretty similar to their Soviet era regimes, and in their case, that's a good thing. This coming from someone who's normally anti-Communist. While personality cults like the late Niyazov was bad, the good thing about regimes of Nazarbayev, Karimov et al is that they've kept Jihadis in check, cracking down on them in the way they need to be cracked. Kyrgyzstan tried to be free but ended up having to deal w/ an Uzbek insurgency. Tajikistan is effectively in a civil war. Having Brezhnev like leaders in these countries is a good thing, since the alternative would probably be Taliban style regimes going right up to Russia's & China's borders, and a vast heartland for Jihadis

Re:Cold War, Soviets and Russia

In this case, Nazarbayev is a holdover from the Soviet Union.

Re:Cold War, Soviets and Russia

While personality cults like the late Niyazov was bad, the good thing about regimes of Nazarbayev, Karimov et al is that they've kept Jihadis in check, cracking down on them in the way they need to be cracked.

And yet Arab dictatorships of Iraq, Libya, Egypt, Syria had/have to go?

Re:Cold War, Soviets and Russia

[plopez]

I think a large number of right wing Senators had a something to do with it as well.

Re:Cold War, Soviets and Russia

[unixisc]

I agree. Removing those was a mistake. In case of Libya, Gadaffi had already ended his WMD program and was on the mend: there was no good reason to take him down. There wasn't a good reason to remove Mubarak either - Cici today is just Mubarak w/ another face. I oppose Assad being removed - I agree w/ the Russians and Trump here.

As for Iraq, it was fine to destroy Saddam's military and reduce their support to terror groups like Hamas. Bringing democracy to Iraq has made it a de-facto Shia theocracy, and a puppet of Iran. The example of Saddam should have taught the US not to upset the applecart in Tripoli, Cairo and Dimashq

This differs from Google

[plopez]

and a host of other corporations exactly how? In time the pigs look like the humans and the humans look like the pigs....

Re:This differs from Google

As of now, Google cannot legally use force directly to compel you to obey its whims. They still have to pick up the phone and call their friends in law enforcement. Google may have power through its wealth and information, but nation-states have a pretty strong incentive to maintain their own monopoly on the (legitimate) use of violence.

Re:In Russia, you

A Russian visited the area once, so ....

A moose bit my sister once ... it was very painful.

I suggest calling in Simo Häyhä. He is an expert in removing vicious moose and visiting Russians.

Destabilization

Governments do anything to destabilize their countries, and cause the formation of resistance movements. Is this an example of human self-destructiveness?

It must be a Borat approved certificate!

Borat Sagdiyev, after returning to KZ from trying to score Pam Anderson...is now in charge of certs for KZ.

Meanwhile in Brazil...

Here in Brazil, you're not actually required to install a government issued root certificate, but if you don't, you will always get warnings when visiting government websites. Couldn't they get a certificate for *.gov.br instead of requiring people to install a root certificate? That's a bit creepy.

Re:In Russia, you

[plopez]

And Tsarist Russia as well. Putin is running for Tsar.

Re:In Russia, you

[plopez]

Was your sister OK?

Re:In Russia, you

[Thor+Ablestar]

Kazakhstan basically consists of northern part - Russian Southern Siberia and southern part - Kazakhstan proper - and has been separated from Russia by Stalin in 1936. The northern part was part of Russia and inhabited by Russians during about 400 years after fall of Golden Horde. If you look at Google Maps you see that northern part has mostly Russian names and the southern one - Kazakh ones.

Great Success!

[GameboyRMH]

Browser Learnings of Public Key for make benefit glorious nation of Kazakhstan!

In Soviet Canuckistan...

The system games you!

Re:In Russia, you

[U2xhc2hkb3QgU3Vja3M]

We apologize for the fault in the comments. Those responsible have been sacked.

Welcome to Kazakhstan!

Install certificate now. Enjoy your stay.

Re:In Russia, you

[Ol+Olsoc]

A Russian visited the area once, so ....

A moose bit my sister once ... it was very painful.

We must keeel this squirrel and moose!

That wouldn't work

[grfrkr]

That resembles a very old joke: "Hello! I'm a very silly virus: my author is a fool and had made me impotent. Please copy me to all your friends manually to allow me to spread."

Which version of backdoor

... Backdoors You.

Is this the male definition of 'backdoor', ramming a stiff cock into an arsehole? No.

Is this the female definition of 'backdoor', getting fed and drunk on one man's wallet, then fucking a different man? No.

It's the sociopolitical backdoor, where everyone's rights are stolen so the government can save everybody but really, save itself.

... attempt to block access to social media sites ...

Other countries have attempted this too. Hilary Clinton, just demanded this but hid it with weasel words. Most governments implement some form of censorship to stop kiddie porn, organized crime, and the real horror, video/music piracy.

Re:In Russia, you

Well he did fail to see the Ukrainian or Turkey borders, and that is only in recent weeks.. Then there's also the borders being crossed with respect to international airplane investigations, murdering political opponents, art theft, FB propaganda targeting EU countries, and the list goes on. He does not know his borders, sadly.

Cert Pinning

[Bozzio]

This sounds like it'll only work if they also ban Cert Pinning: https://en.wikipedia.org/wiki/...

Re:In Russia, you

[cavreader]

And in a fine example of global cooperation and friendship Turkey took the time out of their busy day to help the Russian pilots re-calibrate their GPS system coordinates to demark the Turkish border.

Re:In Russia, you

[unixisc]

In that case, Russia should just annex the northern part of the country - a la Crimea

Re:In Russia, you

Putin's smarter than Hitler was, and far more patient. He'll progress much more slowly in rebuilding the New Soviet Union(TM). Also, unlike Ukraine, there's no motivation for forcing a frozen conflict situation in Kazakhstan.

- T

Re:In Russia, you

[RockDoctor]

Putin is running for Tsar.

ah ha, that's so right it's wrong. Or so much horse flesh dragged along behind the unstoppable juggernaut of a cart.

Tsar Putin - but of course! Except, why would Putin want to limit himself to the powers and capabilities of a mere Tsar?

And as for Putin being in the running ... well only if you mean "Putin is standing still, awaiting the unanimous demand of the people's of the RF that he take up the new post of hereditary First Secretary for life.

I just realised - I don't know if Putin has any children or not. That might make an interesting change. [...] Oh, two daughters. So, conventional family-based dictatorship then. Much like the Bushes.

Re:In Russia, you

I don't have a sister, but if I did and a moose bit her, I doubt it would hurt me very much at all.