Slashdot Mirror


In Kazakhstan, the Internet Backdoors You (csoonline.com)

itwbennett writes: Kazakhstan passed a law that would require citizens to install a certificate on their personal computers and mobile devices that would allow the government to snoop and capture web traffic, passwords, financial details. Telecom.kz posted the news to their website on November 30, but by December 4 the press release had been removed from the website. This is just the latest example of government overreaching. Recently we've seen the Turkish government attempt to block access to social media sites. And let's not forget Thailand's attempt to roll out their own man-in-the-middle implementation.

47 of 94 comments

  1. Re:In Russia, you by Anonymous Coward · · Score: 3, Insightful

    Well, then it's a good fucking thing nobody said Russia.

  2. Re:In Russia, you by aicrules · · Score: 2

    Also it was part of the former Soviet Union, so....

  3. And the difference to the NSA is? by loony · · Score: 2

    I bet that there, the government has the legal authority to do this, so what's the big deal? Here we have that pesky thing called the constitution, and the government still does the same even though they knew it was sketchy at best, but probably illegal.

    Peter.

    1. Re:And the difference to the NSA is? by dotancohen · · Score: 1

      I bet that there, the government has the legal authority to do this, so what's the big deal? Here we have that pesky thing called the constitution, and the government still does the same even though they knew it was sketchy at best, but probably illegal.

      Peter.

      Oops, the NSA already has their cert installed in Firefox, IE, Chrome, and other web browsers as well by default:
      http://security.stackexchange....

      So this is an issue of Kazakhstan just catching up to the US.

      --
      It is dangerous to be right when the government is wrong.
    2. Re:And the difference to the NSA is? by dotancohen · · Score: 1

      Right, because anybody other than CISSPs understands what SSL is, or how to check which root cert is being used, or that it even needs to be checked. But you did use the word "fucking" when addressing me, so you must be right.

      --
      It is dangerous to be right when the government is wrong.
  4. GCHQ and NSA by Alain+Williams · · Score: 1

    look on in envy ...

    I visited the ISP's web site to try to see exactly what is supposed to be loaded onto a machine, but I don't read their language.

    1. Re:GCHQ and NSA by Alain+Williams · · Score: 1

      I lost the web site link, try again

  5. Re:In Russia, you by gstoddart · · Score: 2

    A Russian visited the area once, so ....

    A moose bit my sister once ... it was very painful.

    --
    Lost at C:>. Found at C.
  6. I don't know about you... by Anonymous Coward · · Score: 2, Insightful

    ...but if I were a competent intelligence agency, I'd buddy up with a CA that has its root in all the major browsers, and MITM by redirecting traffic to my servers, once I'd obtained a warrant from a judge for targeted surveillance. IOW, I'd take a reasonable interpretation of the US Constitution's 4th amendment.

    If, OTOH, I just wanted to spy on all my citizens, perhaps collecting data to make sure everyone can be identified as a criminal in future if needed, I'd do as described in the article. IOW, I'd be the Kazakhstan government.

    if I were extremely incompetent, OTOH, I'd do something like only outlawing end to end encryption, and design some magic wand to enable myself access to all servers on the Internet across the planet. IOW, I'd be the UK government.

  7. Seems pretty lame by freeze128 · · Score: 1

    How would the government enforce this? "Uh, oh yeah, I installed your certificate, wink wink."

    1. Re:Seems pretty lame by gstoddart · · Score: 2

      Ultimately, there's probably a more-than-just-implied idea that your ass will get dragged off to jail or shot if you fail to comply.

      The same thing which happens in all such regimes, and the same thing the US is trying to achieve -- failure to comply with state security is a crime.

      Make no mistake about it, this is the exact same direction Western countries are heading, because they all make the same argument that the state requires unfettered access to monitor us.

      --
      Lost at C:>. Found at C.
    2. Re:Seems pretty lame by circletimessquare · · Score: 1

      when the laws are technically incompetent, the only real de facto law of the land is technical competency. for good ends or bad ends

      technical illiterates, good and bad, beware in such a land

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    3. Re:Seems pretty lame by Kardos · · Score: 1

      No need to, it enforces itself. They simply MITM all TLS traffic, and then the peons have three choices:

      Choice 1) you install the certificate, your traffic is snooped

      Choice 2) you don't install the certificate, your browser throws up certificate warnings, you accept them, your traffic is snooped

      Choice 3) you don't install the certificate, your browser throws up certificate warnings, you don't accept them, no traffic to snoop

    4. Re:Seems pretty lame by gstoddart · · Score: 1

      No, the real de facto law of the land still boils down to men with guns and how willing they are to use them.

      And I'm pretty sure in Kazakhstan, the law is being enforced by technical illiterates.

      Beware the clever guy who thinks his technical literacy will trump the men with guns who don't give a crap about your own perceived awesomeness.

      Even in the US, that won't get you very far.

      --
      Lost at C:>. Found at C.
    5. Re: Seems pretty lame by Anonymous Coward · · Score: 1

      I always found it funny that tech-heads could believe technical prowess might beat violence. High school should have taught them better. How many nerds have suffered hell at the hands of bullies all the while fantasizing about convoluted plans of revenge that would never work, and kept being beaten up? The same mindset is seen now: the unwillingness to understand that lawmakers backed by hosts of violent people trump your "tech-savvyness" each and every time.

    6. Re:Seems pretty lame by JesseMcDonald · · Score: 2

      Choice 1b) you install the certificate, your traffic is snooped, but knowing this to be the case you tunnel a real TLS connection inside the MITM'd connection. (Secure TLS via a compromised TLS VPN.)

      One of the nice things about encryption is that it's composable. Outer layer compromised? No problem; just add another layer inside. As long as they allow any information to be communicated, there will always be room for an encrypted communication channel, though it may need to be disguised with steganography.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
    7. Re:Seems pretty lame by Gavagai80 · · Score: 1

      Doing that, of course, will be illegal and will be rare enough to make you stand out as a target.

      --
      This space intentionally left blank
    8. Re:Seems pretty lame by JesseMcDonald · · Score: 2

      It could be made illegal, of course, but the communication itself was probably illegal anyway. It would only stand out if implemented poorly, however. Done properly it will just look like an unknown (proprietary) binary protocol, which isn't particularly uncommon. They can't possibly have the manpower necessary to reverse-engineer every unknown data format they happen to intercept, and it would be easier and cheaper to ban the Internet entirely than to enforce a rule that their subjects use only registered and documented protocols. Notice that they only added measures to intercept HTTPS, when they could have simply blocked it and/or banned encryption entirely. They know that they can't exercise effective control over the format of the traffic.

      Even if they did, you could just encode your encrypted traffic as "noise" in a funny video of your cat, or any number of other innocuous-looking formats. Even text formats are possible carriers, albeit at much lower throughput.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
    9. Re:Seems pretty lame by Creepy · · Score: 2

      Sure there are criminals (and pseudo-criminals like me - as a teen I cracked software and hacked and just never got caught) who always know how to rig the system. In this case, install the root certificate on your desktop. Bypass Method 1, use a VM: Download VirtualBox, create a Linux VM, and do all your browsing from in there, since that browser isn't rooted. You could even delete the VM when you're done and it may be possible to create a sandboxed browser. You've obeyed the law and bypassed it. Method 2, tunneling: find a partner outside of Kazakhstan and establish a VPN connection to it. Do all your browsing through the VPN on the non-compromised machine. Method 3, use hotspots and anonymizers to do your browsing. These can mask your MAC address and give you a different IPv6 IP (and you'll get a different IPv4 IP via NAT - you can set NAT retention to an extremely low number and it will delete any record of you being there). They can still trace you, but as soon as you go offline, you're someone else.

      That was my 2 seconds of thought on how to obey the law and violate the intention of the law.

    10. Re: Seems pretty lame by circletimessquare · · Score: 1

      even when you can frame them for online chatter they never committed and use the violent thugs against themselves?

      before the gun comes out of the holster, there is information and perception

      own the information, change the perception, own the actions of the thugs

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    11. Re:Seems pretty lame by Creepy · · Score: 1

      I would agree - if you installed the certificate, you've obeyed the law to the letter. Just because they didn't think of VPNs and such to work around the authority doesn't mean you are breaking the law, it means they did a shitty job of defining a law to control something and they didn't fully understand how it works. The US does this all the time. The US also seems to think it can write international law regulating the internet (most of these, like COPA were killed by the court system, at least).

      And yeah, you could encrypt/decrypt in, say, javascript and entirely work around the bypass. You could probably entirely automate public and private key generation on both sides using a script.

    12. Re:Seems pretty lame by KGIII · · Score: 1

      Not only is that horrible English, it's horrible SPAM. I keep seeing you goobers try to SPAM this site with almost on-topic posts. Your peers do a better job at this forum posting gig than you do. You? You need to be fired. Also, the person who authored the page? They need to learn the fucking language. The last paragraph is borderline retarded.

      I take that back, the last paragraph is retarded. Also, all scripts and ads are blocked by default so someone paid for bandwidth that will not be of any value to them as they're unable to get any tracking (those cookies didn't make it through either) and they didn't even get ad impressions. You guys need someone competent to run your business.

      I've not given much thought to the business but if you donate $500 USD to EFF, and provide a verifiable receipt for doing so, then I will spend ten hours researching the business, five hours researching your specific business model, and then five hours writing a report that will enable you to increase your return on investment. I won't even just fill it up with marketing jargon. I'll give you a full, detailed, report and advice you can opt to act on so long as you make the donation to EFF first.

      --
      "So long and thanks for all the fish."
    13. Re:Seems pretty lame by KGIII · · Score: 1

      They just have to know where the source was and come to your house. They don't have to crack the encryption. They just need to notice it and decide they want to pay you a friendly visit. Then, to crack the encryption, they use the monkey wrench. They control the pipes. If you put something in the pipes that stands out they don't need to know what it is, they just need to know you did it and aren't fond of monkey wrenches.

      --
      "So long and thanks for all the fish."
    14. Re: Seems pretty lame by circletimessquare · · Score: 1

      not much of a student of history huh?

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  8. Thailand, huh? by Anonymous Coward · · Score: 1

    that's not a man, baby. "Tranny in the middle" attack is more like it.

  9. Re:In Russia, you by Nidi62 · · Score: 2

    I am aware that Putin does not know his borders, but Kazakhstan is not Russia.

    He knows his borders. Just in his mind if you are a former Soviet state then you are (or should be) actually part of Russia. He's kind of like China, in that the borders they think they have don't really line up with the maps everyone else is using.

    --
    The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
  10. Meanwhile in Kazakhstan... by coolmoe2 · · Score: 2

    Typewriter sales took off as the last bastion of privacy left.

  11. Kazakhstan CNN ads by SeriousTube · · Score: 2

    Kazakhstan has loads of advertisements on CNN trying to persuade businesses to locate there. Good way to screw that one up.

  12. Soviet Russia, Russia and Kazakhstan by unixisc · · Score: 2

    Yakov Smirnoff started this genre of jokes back in the 60s. At the time, Russia was usually conflated w/ the Soviet Union (just like England to this day is conflated w/ the United Kingdom). His usage of the term 'Soviet Russia' meant the USSR, rather than the RSFSR. Since Kazakhstan was a part of the USSR, this genre of jokes could remain relevant for this case.

    At any rate, this is by no means the worst to hit Kazakhstan. Nor are Borat caricatures of that country. The worst thing that could ever hit Kazakhstan is if it becomes a hotbed for Jihadi activity, since it was in medieval times the playground of Muslim sultanates, and an Islamic revival like in neighboring Uzbekistan could end up screwing them up to no end.

  13. Good news for linux :) by einar.petersen · · Score: 2

    Read the fine print he he.... Only Android, Mac, Win etc. mentioned OS-wise... Oh the wonders of politicians without a technical clue.... Yes I am aware of the *nix-like bases of Android and Mac.... But hey, if they want to be OS specific... Then the year of the Linux Desktop has finally arrived ;)

    --
    MS, ALS, Aphasia ? http://globability.org - Me http://einarpetersen.com
  14. Cold War, Soviets and Russia by unixisc · · Score: 2

    The mistake that both Bush 41 and Clinton 42 made was that they allowed their State Departments to continue to keep Russia in the adversaries column, long before Putin surfaced. Letting Russia fester and supporting secessionist movements there like the Chechens was a bi-partisan sin. But the biggest issue w/ them is that they never realized that Islam replaced Communism as the free world's #1 enemy, and is even more lethal than either Nazism or Communism.

    Most of the stans are still pretty similar to their Soviet era regimes, and in their case, that's a good thing. This coming from someone who's normally anti-Communist. While personality cults like the late Niyazov's were bad, the good thing about the regimes of Nazarbayev, Karimov et al is that they've kept Jihadis in check, cracking down on them in the way they need to be cracked. Kyrgyzstan tried to be free but ended up having to deal w/ an Uzbek insurgency. Tajikistan is effectively in a civil war. Having Brezhnev-like leaders in these countries is a good thing, since the alternative would probably be Taliban style regimes going right up to Russia's & China's borders, and a vast heartland for Jihadis.

    1. Re:Cold War, Soviets and Russia by plopez · · Score: 1

      I think a large number of right wing Senators had a something to do with it as well.

      --
      putting the 'B' in LGBTQ+
    2. Re:Cold War, Soviets and Russia by unixisc · · Score: 2

      I agree. Removing those was a mistake. In the case of Libya, Gaddafi had already ended his WMD program and was on the mend: there was no good reason to take him down. There wasn't a good reason to remove Mubarak either - Sisi today is just Mubarak w/ another face. I oppose Assad being removed - I agree w/ the Russians and Trump here.

      As for Iraq, it was fine to destroy Saddam's military and reduce their support to terror groups like Hamas. Bringing democracy to Iraq has made it a de-facto Shia theocracy, and a puppet of Iran. The example of Saddam should have taught the US not to upset the applecart in Tripoli, Cairo and Dimashq.

  15. This differs from Google by plopez · · Score: 1

    and a host of other corporations exactly how? In time the pigs look like the humans and the humans look like the pigs....

    --
    putting the 'B' in LGBTQ+
  16. It must be a Borat approved certificate! by Anonymous Coward · · Score: 2, Insightful

    Borat Sagdiyev, after returning to KZ from trying to score Pam Anderson...is now in charge of certs for KZ.

  17. Re:In Russia, you by plopez · · Score: 1

    And Tsarist Russia as well. Putin is running for Tsar.

    --
    putting the 'B' in LGBTQ+
  18. Re:In Russia, you by plopez · · Score: 1

    Was your sister OK?

    --
    putting the 'B' in LGBTQ+
  19. Re:In Russia, you by Thor+Ablestar · · Score: 3, Informative

    Kazakhstan basically consists of a northern part - Russian southern Siberia - and a southern part - Kazakhstan proper - and was separated from Russia by Stalin in 1936. The northern part was part of Russia and inhabited by Russians for about 400 years after the fall of the Golden Horde. If you look at Google Maps you see that the northern part has mostly Russian names and the southern one Kazakh ones.

  20. Great Success! by GameboyRMH · · Score: 3, Funny

    Browser Learnings of Public Key for make benefit glorious nation of Kazakhstan!

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  21. Re:Very Nice! by U2xhc2hkb3QgU3Vja3M · · Score: 1

    I was hoping to see this.

    Very nice NOT!

  22. Re:In Russia, you by U2xhc2hkb3QgU3Vja3M · · Score: 1

    We apologize for the fault in the comments. Those responsible have been sacked.

  23. Re:In Russia, you by Ol+Olsoc · · Score: 1

    A Russian visited the area once, so ....

    A moose bit my sister once ... it was very painful.

    We must keeel this squirrel and moose!

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  24. That wouldn't work by grfrkr · · Score: 1

    That resembles a very old joke: "Hello! I'm a very silly virus: my author is a fool and had made me impotent. Please copy me to all your friends manually to allow me to spread."

  25. Cert Pinning by Bozzio · · Score: 1

    This sounds like it'll only work if they also ban Cert Pinning: https://en.wikipedia.org/wiki/...

    --
    I just pooped your party.
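    The trust-store check versus the pin check that Kardos's three choices and Bozzio's cert-pinning question both turn on, as an added worked example; this is not code from the thread or from any browser, and every certificate, key and CA name in it is constructed. One caveat a practitioner would want: mainstream browsers deliberately exempt user-installed roots from their built-in pin lists, so the "pin-mismatch" outcome below is what a client that enforces its own pins unconditionally (a pinned app, a scripted monitor) would see, not what a stock browser with the mandated root installed would report.

```python
import base64
import hashlib
from dataclasses import dataclass

# All names, keys and CAs below are constructed for this example; none
# correspond to a real CA, a real key, or the certificate in the story.


@dataclass(frozen=True)
class Cert:
    """Minimal model of an X.509 certificate: only the fields the trust
    and pin checks below need."""
    subject: str
    issuer: str
    spki: bytes  # DER-encoded SubjectPublicKeyInfo


def ed25519_spki(raw_pub: bytes) -> bytes:
    """Wrap a 32-byte Ed25519 public key in its DER SubjectPublicKeyInfo
    (RFC 8410): SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING key }."""
    if len(raw_pub) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return bytes.fromhex("302a300506032b6570032100") + raw_pub


def spki_pin(spki_der: bytes) -> str:
    """Pin in the format used by HPKP and Chrome's static pin list:
    'sha256/' followed by base64(SHA-256(SPKI DER))."""
    digest = hashlib.sha256(spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def trusted_root_for(chain, trust_store):
    """Return the trust-store root that issued the last certificate in the
    chain, or None.  Signature verification is abstracted away; only issuer
    linkage is modelled."""
    issuer = chain[-1].issuer
    return issuer if issuer in trust_store else None


def evaluate(chain, trust_store, pins, accept_warning=False):
    """Classify a TLS handshake from the client's point of view.

    Returns one of:
      "trusted"           chain ends in a store root and no pin is configured:
                          any root in the store can vouch for the site and the
                          client cannot tell that it is not the site's own CA
      "pin-mismatch"      chain ends in a store root, but the leaf's public key
                          is not one the client pinned: interception detected
      "pinned-ok"         chain trusted and the leaf key matches a pin
      "warning-accepted"  chain not trusted, user clicked through the warning
      "blocked"           chain not trusted, user refused the warning
    """
    if trusted_root_for(chain, trust_store) is None:
        return "warning-accepted" if accept_warning else "blocked"
    if not pins:
        return "trusted"
    if spki_pin(chain[0].spki) not in pins:
        return "pin-mismatch"
    return "pinned-ok"


# Constructed sample data.  The site's real key and the interception box's
# key differ, which is exactly what a pin detects.
SITE_KEY = bytes(range(32))
MITM_KEY = bytes(range(32, 64))
GENUINE_LEAF = Cert("example.test", "Public CA", ed25519_spki(SITE_KEY))
FORGED_LEAF = Cert("example.test", "Mandated Root CA", ed25519_spki(MITM_KEY))
SITE_PINS = {spki_pin(GENUINE_LEAF.spki)}
DEFAULT_STORE = {"Public CA"}
STORE_WITH_MANDATED_ROOT = {"Public CA", "Mandated Root CA"}


def outcomes():
    """The cases from the thread, side by side."""
    return {
        "genuine cert, default store, pinned": evaluate([GENUINE_LEAF], DEFAULT_STORE, SITE_PINS),
        "root installed, no pin": evaluate([FORGED_LEAF], STORE_WITH_MANDATED_ROOT, set()),
        "root installed, pinned": evaluate([FORGED_LEAF], STORE_WITH_MANDATED_ROOT, SITE_PINS),
        "root not installed, click through": evaluate([FORGED_LEAF], DEFAULT_STORE, set(), accept_warning=True),
        "root not installed, refuse": evaluate([FORGED_LEAF], DEFAULT_STORE, set()),
    }


if __name__ == "__main__":
    for case, result in outcomes().items():
        print(f"{case:36s} -> {result}")
```

    The "root installed, no pin" row is Kardos's choice 1: the chain validates cleanly against the store, so the client has nothing to warn about even though the key it is talking to belongs to the interception box. Only a pin on the site's own SPKI, checked independently of the trust store, turns that into a detectable failure.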
  26. Re:In Russia, you by cavreader · · Score: 1

    And in a fine example of global cooperation and friendship Turkey took the time out of their busy day to help the Russian pilots re-calibrate their GPS system coordinates to demark the Turkish border.

  27. Re:In Russia, you by unixisc · · Score: 1

    In that case, Russia should just annex the northern part of the country - a la Crimea

  28. Re:In Russia, you by RockDoctor · · Score: 1

    Putin is running for Tsar.

    ah ha, that's so right it's wrong. Or so much horse flesh dragged along behind the unstoppable juggernaut of a cart.

    Tsar Putin - but of course! Except, why would Putin want to limit himself to the powers and capabilities of a mere Tsar?

    And as for Putin being in the running ... well only if you mean "Putin is standing still, awaiting the unanimous demand of the peoples of the RF that he take up the new post of hereditary First Secretary for life."

    I just realised - I don't know if Putin has any children or not. That might make an interesting change. [...] Oh, two daughters. So, conventional family-based dictatorship then. Much like the Bushes.

    --
    Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"