RE: Standing Up Against German Laws - Project HayNeedle

2007-11-17 Thread Quark IT - Hilton Travis
> -Original Message-
> From: Florian Echtler [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 13 November 2007 20:00
> 
> > If I read the law correctly, it requires retention of "what IP
> > connected to another IP" and "which phone number called where." It
> > doesn't bother retaining the URL called (my German is rusty, so I may
> > be a little off in my interpretation). Connecting to a random IP on a
> > random open port (80 and 443, for example) would be a good start to
> > accomplish the goal creating chatter. The issue is that the search
> > terms to find those ports could lead to connecting to a site that
> > increases your profile against general background chatter, even as it
> > is raised with random connection traffic.
> As a native German speaker, allow me to clarify: with respect to IP
> communication, the law mandates saving the following information for 6
> months:
> 
> - which customer was assigned which IP for what timespan
> - sender mail address, receiver mail address and sender IP for each
> mail
> - in case of VOIP: caller and callee phone number and IP address
> 
> So it wouldn't make much sense to create connection noise on a TCP or
> HTTP basis, as this stuff isn't logged. I think one should rather
> concentrate on generating email noise in this regard.
> 
> Yours, Florian

Hi Florian,

The issue with sending email noise is that there is already too much of
it and it is already classified under the banner "spam".  I can
almost guarantee that were you to start sending random email to many
servers, most of their owners would block your IP immediately, or at
least look at ways of adding you to RBLs and reporting you to whichever
authorities are responsible for enforcing anti-spam and anti-DOS laws.

--

"I'd rather be DOSed than VISTAd" - Hilton Travis, 2007

Regards,

Hilton Travis  Phone: +61 (0)7 3105 9101
(Brisbane, Australia)  Phone: +61 (0)419 792 394
Manager,  Quark IT www.quarkit.com.au
Director, Quark Group  www.quarkgroup.com.au

War doesn't determine who is right.  War determines who is left.



Re: Standing Up Against German Laws - Project HayNeedle

2007-11-14 Thread Frank Guthausen
Hello.

On Tue, Nov 13, 2007 at 04:38:39PM -0500, [EMAIL PROTECTED] wrote:
> On Tue, 13 Nov 2007 13:07:02 PST, johan beisser said:
> > The logs don't contain  context, just who/where/when. While
> > encryption will prevent (one  hopes) the capability of recovering
> > context, who you talked to is not  kept private or otherwise secret.
> 
> It's probably a good idea to deploy encryption *now*, and use it for
> *everything*, and be ready for when (not if) they decide to be more
> draconian in their logging requirements.

AFAIR the German situation is as follows:

Any German email provider having more than 1000 customers has to provide
a method for giving government access to the mailbox including the
ability to read the content. Access should be controlled by judges. If
there are more than 1 customers it has to be done with hardware, so
called sina boxes. Even if there is not a precise definition of customer
(person, company, contract) it is quite clear that the law has got an
impact on users of t-online, web.de, GMX, Freenet and others.

This law started Jan 1st, 2005.

The data retention law makes it possible to analyze social networks even
if email is encrypted. There are other purposes, too.

regards
Frank


Re: Standing Up Against German Laws - Project HayNeedle

2007-11-14 Thread imipak
Hi Raju,

On Nov 14, 2007 3:20 AM, Raj Mathur <[EMAIL PROTECTED]> wrote:
> The mail addresses can only be stored if the server through which the
> mail is relayed (or on which it originates) falls under the law.  I'd
> presume that's not a significant percentage of all mails sent out from
> any country.
>


(a) (as you say) they can of course be trivially extracted from the
traffic flow at the provider level.  cf. the current EFF / NSA / San
Francisco case - that (as I understand it) is probably in breach of
the US Constitution, yet it happened/is happening. The German law, and
similar laws in the UK and other countries, implicitly (at least)
enables such tactics;

(b) most mail users use mail servers at their employers or their local
ISP (ISPs with retail presence in multiple territories will of course
have mail servers situated locally);

(c) the balance, excluding those weirdos running their own personal
MTA / MSAs, will be using webmail services like Hotmail and Gmail.


Tracerouting from the machine I'm typing this on (in the UK) shows a
route through my ISP, to LINX (the London IX), and then straight into
Google space. The RTT all the way to the final hop is in the 30ms
range:

[...]
 8  209.85.248.80 (209.85.248.80)  25.302 ms   24.348 ms   25.605 ms
   MPLS Label 548800 TTL=1
 9  209.85.248.79 (209.85.248.79)  27.972 ms   36.281 ms   26.562 ms
10  72.14.233.77 (72.14.233.77)  28.266 ms   29.057 ms   27.273 ms
11  66.249.94.146 (66.249.94.146)  29.517 ms   30.668 ms   30.179 ms
12  ik-in-f19.google.com (66.249.91.19)  28.092 ms   27.926 ms   28.564 ms


...which strongly suggests to me that the front-end Gmail webserver my
"mail" hits is probably pretty close to me.  It's certainly not on the
other side of the Atlantic. There's quite a lot of cooperation between
EU member states; would a "UKUSA"-type arrangement in the EU be very
surprising?


=i





-- 
And what exactly is a dream?
And what exactly is a joke?
- Syd Barrett


Re: Standing Up Against German Laws - Project HayNeedle

2007-11-14 Thread Raj Mathur
On Tuesday 13 November 2007 15:29, Florian Echtler wrote:
> [snip]
> As a native German speaker, allow me to clarify: with respect to IP
> communication, the law mandates saving the following information for
> 6 months:
>
> - which customer was assigned which IP for what timespan
> - sender mail address, receiver mail address and sender IP for each
> mail - in case of VOIP: caller and callee phone number and IP address

The mail addresses can only be stored if the server through which the 
mail is relayed (or on which it originates) falls under the law.  I'd 
presume that's not a significant percentage of all mails sent out from 
any country.

Of course, it's also possible to track (snoop) all SMTP traffic on the 
network, but that's totally different from just keeping mail and AAA 
server logs and from my understanding that's not what this law 
mandates.

Regards,

-- Raju
-- 
Raj Mathur[EMAIL PROTECTED]  http://kandalaya.org/
 Freedom in Technology & Software || February 2008 || http://freed.in/
   GPG: 78D4 FC67 367F 40E2 0DD5  0FEF C968 D0EF CC68 D17F
PsyTrance & Chill: http://schizoid.in/   ||   It is the mind that moves


Re: Standing Up Against German Laws - Project HayNeedle

2007-11-13 Thread Stefano Zanero
Florian Echtler wrote:

> As a native German speaker, allow me to clarify: with respect to IP
> communication, the law mandates saving the following information for 6
> months:
> 
> - which customer was assigned which IP for what timespan
> - sender mail address, receiver mail address and sender IP for each mail
> - in case of VOIP: caller and callee phone number and IP address

This data was required in Italy as well, and indeed was the core of an
EU-wide "data retention" spree.

Stefano


Re: Standing Up Against German Laws - Project HayNeedle

2007-11-13 Thread Valdis . Kletnieks
On Tue, 13 Nov 2007 13:07:02 PST, johan beisser said:
> Actually, that's not really part of the issue. The logs don't contain  
> context, just who/where/when. While encryption will prevent (one  
> hopes) the capability of recovering context, who you talked to is not  
> kept private or otherwise secret.

It's probably a good idea to deploy encryption *now*, and use it for
*everything*, and be ready for when (not if) they decide to be more draconian
in their logging requirements.  And yes, encrypt *everything* - that way you
make it a lot harder to do traffic analysis.  If only the "interesting" 10% is
encrypted, they know which 10% are interesting connections, which may be as
important as the actual content.






Re: Standing Up Against German Laws - Project HayNeedle

2007-11-13 Thread johan beisser


On Nov 13, 2007, at 12:39 PM, Paul Wouters wrote:

> Instead of creating noise, one should fix the problem of sending out
> plaintext email, and encourage people to use email encryption such as
> Enigma for Thunderbird. Encrypt IM conversations with OTR, and via
> other ways pro-actively protect one's own privacy. That is a real
> structural solution. Don't blame others for not using an envelope
> around your own communication.

Actually, that's not really part of the issue. The logs don't contain
context, just who/where/when. While encryption will prevent (one
hopes) the capability of recovering context, who you talked to is not
kept private or otherwise secret.







Re: [Full-disclosure] Standing Up Against German Laws - Project HayNeedle

2007-11-13 Thread johan beisser


On Nov 11, 2007, at 1:26 PM, Duncan Simpson wrote:

> The signal-to-noise logic probably does work, but I am not sure the
> legal angle does. If you *deliberately* ran the software that
> accidentally downloaded that kiddie porn the suggested angle might not
> work.

That's been an ongoing question for me with regards to things like
TOR gateways.

As has been recently posted on Risky Business[1] and The Age[2], TOR
doesn't prevent sniffing of the traffic leaving its gateway. If a
running gateway connects to a server with "information of interest" -
child porn, bomb making information, a known criminal forum - that
brings authorities investigating to your house, it isn't a very good
way to cover one's own tracks with noise. On a similar note, randomly
connecting and pushing network data may create noise that obscures
important data, but it may be easily filtered out from the logs
during analysis.

> A law requiring log data to be retained for 6 months should be a
> major problem to enforce. Last time I think the UK mooted this it did
> not happen (disclaimer: this might have been a trial balloon designed
> to generate flak).
>
> My reaction at the ISP end was "OK, will you buy us the extra hardware
> required?" with the intention the answer would be "no" and the plan
> quietly killed. (Thinking that plain daft things will not be enacted
> is not always reliable, unfortunately).

That's been my first question as well. Storage, at least for
compliance purposes, has gotten cheaper. 6 months of log data for
most ISPs will still be under the 500GB range of disk. The harder
part of the stored logs is making it easily analyzed and relevant.
There are, of course, several companies in the data retention
compliance arena already, most have offerings for PCI, SOx and HIPAA.
It's not a stretch to think there are smaller offerings to handle
this German law's lighter retention requirement for logs.


[1] http://www.itradio.com.au/security/?p=48
[2] http://www.theage.com.au/news/security/the-hack-of-the-year/2007/11/12/1194766589522.html



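An added illustration of johan's point above that randomly generated connection noise may be easy to filter out of a retention log; this is not code from the thread or from HayNeedle. The log records, hostnames and thresholds are constructed, and the burst heuristic is only one of several an analyst could apply.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """One retention-style record: when a connection started and to which host."""
    ts: float   # seconds since the start of the log (constructed values)
    dst: str    # destination hostname (constructed names)


# Constructed sample log for one subscriber. A real page view shows up as a
# burst of several connections within a couple of seconds (the page plus its
# embedded assets); HayNeedle-style noise, which follows one URL at a time,
# shows up as isolated single connections.
SAMPLE_LOG = [
    Conn(0.0, "news.example"), Conn(0.4, "static.news.example"),
    Conn(0.5, "static.news.example"), Conn(0.9, "ads.example"),
    Conn(12.0, "noise-a.example"),
    Conn(41.0, "noise-b.example"),
    Conn(70.0, "forum.example"), Conn(70.3, "forum.example"),
    Conn(70.6, "cdn.example"), Conn(71.1, "forum.example"),
    Conn(99.0, "noise-c.example"),
]

BURST_WINDOW = 2.0  # max seconds between consecutive connections of one page load
MIN_BURST = 3       # a page load is assumed to open at least this many connections


def split_bursts(log, window=BURST_WINDOW):
    """Group connections into bursts: a new burst starts whenever the gap to
    the previous connection exceeds `window` seconds."""
    bursts, current = [], []
    for conn in sorted(log, key=lambda c: c.ts):
        if current and conn.ts - current[-1].ts > window:
            bursts.append(current)
            current = []
        current.append(conn)
    if current:
        bursts.append(current)
    return bursts


def classify(log):
    """Split destination hosts into those reached inside a page-load-shaped
    burst (likely real browsing) and those reached by an isolated connection
    (candidate noise). Returns two sorted lists of hostnames; a host seen in
    both shapes appears in both lists."""
    real, noise = set(), set()
    for burst in split_bursts(log):
        target = real if len(burst) >= MIN_BURST else noise
        target.update(conn.dst for conn in burst)
    return sorted(real), sorted(noise)


def noise_fraction(log):
    """Share of distinct hosts the heuristic would discard as noise."""
    real, noise = classify(log)
    return len(noise) / (len(real) + len(noise))


if __name__ == "__main__":
    kept, dropped = classify(SAMPLE_LOG)
    print("kept as browsing :", kept)
    print("dropped as noise :", dropped)
    print(f"{noise_fraction(SAMPLE_LOG):.0%} of hosts filtered out")
```

The filter keys on the timing shape of the traffic rather than on the word list used to pick targets, which is the property that seeding the dictionary from fetched pages (Matt's suggestion elsewhere in the thread) does not change.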

Re: Standing Up Against German Laws - Project HayNeedle

2007-11-13 Thread Paul Wouters

On Tue, 13 Nov 2007, Florian Echtler wrote:

> As a native German speaker, allow me to clarify: with respect to IP
> communication, the law mandates saving the following information for 6
> months:
>
> - which customer was assigned which IP for what timespan
> - sender mail address, receiver mail address and sender IP for each mail
> - in case of VOIP: caller and callee phone number and IP address


It's all in the ETSI version of the Transport of Intercepted IP Traffic
(http://www.opentap.org/documents/TIIT-v1.0.0.pdf) and the "FuncSpec"
document (http://www.opentap.org/documents/101WAI-GT-FuncspecV1.0.1.doc)

They might have updated it by now. It used to treat email differently
from other traffic, but with IM now, I am sure that has changed.

See http://www.opentap.org/documents/ for other documents


> So it wouldn't make much sense to create connection noise on a TCP or
> HTTP basis, as this stuff isn't logged. I think one should rather
> concentrate on generating email noise in this regard.


Instead of creating noise, one should fix the problem of sending out
plaintext email, and encourage people to use email encryption such as
Enigma for Thunderbird. Encrypt IM conversations with OTR, and via
other ways pro-actively protect one's own privacy. That is a real
structural solution. Don't blame others for not using an envelope around
your own communication.

For pointers on how to obtain more privacy via userfriendly software,
see: http://chameleon.spaink.net/PTT.pdf

Paul


Re: [Full-disclosure] Standing Up Against German Laws - Project HayNeedle

2007-11-13 Thread Duncan Simpson

I know this is obvious to everyone on bugtraq, but nobody seems to have told
P.S. Ziegler yet. (He might or might not be aware of these facts).

If the report is right and logs recording you connecting and obtaining an IP
address are a concern then you should be terrified already. I suspect that I
could reconstruct much of what you did online given access to all the
associated logs. Getting an IP address from a DHCP server and using almost
any other service whatsoever usually generates at least an IP address and
timestamp. Bind 9 has logs, and they are on by default, so big brother might
be able to deduce a lot just using your ISP's DNS logs.

When I say that I got this spam from IP address X at time Y, and give full 
headers to back this up, most ISPs work out who was responsible and nuke their 
account. I do not think the "a virus sent that spam not me" or "nobody told me 
not to send spam" line is very effective. If you allowed a virus to send spam 
then the internet does not need your box. Period.

The signal-to-noise logic probably does work, but I am not sure the legal
angle does. If you *deliberately* ran the software that accidentally
downloaded that kiddie porn the suggested angle might not work.

A law requiring log data to be retained for 6 months should be a major problem
to enforce. Last time I think the UK mooted this it did not happen 
(disclaimer: this might have been a trial balloon designed to generate flak). 
My reaction at the ISP end was "OK, will you buy us the extra hardware 
required?" with the intention the answer would be "no" and the plan quietly 
killed. (Thinking that plain daft things will not be enacted is not always 
reliable, unfortunately).

Of course the "hand over your keys" law is a lot less effective than the
government thinks. If an hour has passed they can have my host private key
then I no longer have one of the keys required.

-- 
Duncan (-:
"software industry, the: unique industry where selling substandard goods is
legal and you can charge extra for fixing the problems."




Re: Standing Up Against German Laws - Project HayNeedle

2007-11-13 Thread Florian Echtler
> If I read the law correctly, it requires retention of "what IP  
> connected to another IP" and "which phone number called where." It  
> doesn't bother retaining the URL called (my German is rusty, so I may  
> be a little off in my interpretation). Connecting to a random IP on a  
> random open port (80 and 443, for example) would be a good start to  
> accomplish the goal creating chatter. The issue is that the search  
> terms to find those ports could lead to connecting to a site that  
> increases your profile against general background chatter, even as it  
> is raised with random connection traffic.
As a native German speaker, allow me to clarify: with respect to IP
communication, the law mandates saving the following information for 6
months:

- which customer was assigned which IP for what timespan
- sender mail address, receiver mail address and sender IP for each mail
- in case of VOIP: caller and callee phone number and IP address

So it wouldn't make much sense to create connection noise on a TCP or
HTTP basis, as this stuff isn't logged. I think one should rather
concentrate on generating email noise in this regard.

Yours, Florian




Re: [Full-disclosure] Standing Up Against German Laws - Project HayNeedle

2007-11-13 Thread Peter Conrad
Hi,

On Saturday, 10 November 2007 19:53, Jan Newger wrote:
>
> NO! This is totally WRONG! The only thing which is logged, in the case
> of internet connectivity, is your IP you got from the ISP. Not even
> connections are logged! This is important to understand since many
> people are misinformed this way. Read
> http://www.vorratsdatenspeicherung.de/content/view/78/86/lang,de/#Umsetzung
>_in_Deutschland

1. That document is not quite up-to-date. I don't think there
   were any improvements in the actually passed law, though.

2. The IP is not "the only thing which is logged". Besides
   telephone and SMS/MMS connections the following is logged:
   - for internet connections (i. e. dial-in or equivalent):
     - IP number
     - connecting user (i. e. the calling phone number,
       ppp userid or equivalent)
     - timestamp
   - for email:
     - sender and recipient address of every email (logged on
       sending as well as receiving servers)
     - IP address(es) accessing a mailbox
     - timestamps for both of the above
   - for anonymizing services (!):
     - original and anonymized identifiers (e. g. IP or
       email address)
     - timestamps

So much for "Einigkeit und Recht und Freiheit".

Bye,
Peter
-- 
Peter Conrad             Tel: +49 6102 / 80 99 072
[ t]ivano Software GmbH  Fax: +49 6102 / 80 99 071
Bahnhofstr. 18           http://www.tivano.de/
63263 Neu-Isenburg

Germany


Re: Standing Up Against German Laws - Project HayNeedle

2007-11-12 Thread johan beisser


On Nov 12, 2007, at 11:27 AM, Matt D. Harris wrote:

> However some of these issues can be mitigated without too much
> trouble.  For example, one could have a dynamically growing
> dictionary of words to search for based on random words in random
> results pages that it grabs.  At the very least, this would kill
> any attempts to filter it out of the data mining system.

That'd be a significantly different approach. Even grabbing data from
the previously browsed cache would also work, as far as seeding the
dictionary goes.

> If the point of the system is primarily to create plausible
> deniability for the end-user, that is, to allow them to say
> "hayneedle hit the site, not me, so I am innocent", then I'd say it
> could be effective in that regard barring some proviso in the law
> that allows them to persecute someone who did not actually even
> visit a site of their own volition. Beyond that, it's also
> effective in terms of turning up the noise to signal ratio and
> making this law that much less effective, while placing a greater
> burden on ISPs who are then more likely to lobby against it ever
> more vigorously all while remaining entirely 'white area' in
> terms of functionality.

If I read the law correctly, it requires retention of "what IP
connected to another IP" and "which phone number called where." It
doesn't bother retaining the URL called (my German is rusty, so I may
be a little off in my interpretation). Connecting to a random IP on a
random open port (80 and 443, for example) would be a good start to
accomplish the goal creating chatter. The issue is that the search
terms to find those ports could lead to connecting to a site that
increases your profile against general background chatter, even as it
is raised with random connection traffic.

In that light, I'd regard use of something akin to TOR a slightly
better solution for protecting privacy and filling up logs.

> I understand your post, but I don't think Mr. Ziegler was
> over-selling his product's effectiveness beyond what it is really
> capable of.

I wasn't saying there was overselling the effectiveness. I do think
the approach is innately flawed from a privacy standpoint.


Re: Standing Up Against German Laws - Project HayNeedle

2007-11-12 Thread Matt D. Harris
However some of these issues can be mitigated without too much trouble. 
 For example, one could have a dynamically growing dictionary of words 
to search for based on random words in random results pages that it 
grabs.  At the very least, this would kill any attempts to filter it out 
of the data mining system.


If the point of the system is primarily to create plausible deniability
for the end-user, that is, to allow them to say "hayneedle hit the site,
not me, so I am innocent", then I'd say it could be effective in that
regard barring some proviso in the law that allows them to persecute
someone who did not actually even visit a site of their own volition.
Beyond that, it's also effective in terms of turning up the noise to
signal ratio and making this law that much less effective, while placing
a greater burden on ISPs who are then more likely to lobby against it
ever more vigorously all while remaining entirely 'white area' in
terms of functionality.


I understand your post, but I don't think Mr. Ziegler was over-selling 
his product's effectiveness beyond what it is really capable of.


Take care, Matt

johan beisser wrote:

> On Nov 10, 2007, at 9:28 AM, Paul Sebastian Ziegler wrote:
>
> > The mechanism is quite easy: It searches Google for random words and
> > picks random pages among the results, then spiders from there (well it
> > is spidering except that it only follows one URL at a time within a
> > session thus simulating a user).
>
> There's a few things wrong with this approach. Most of them were
> outlined by Bruce Schneier when he reviewed "TrackMeNot"[1] last year.
>
> The same issues with TrackMeNot apply to Hayneedle, including potential
> false positives, and list of word combinations that can be filtered out
> easily, and well, the list goes on.
>
> [1] http://www.schneier.com/blog/archives/2006/08/trackmenot_1.html




--
/*
 * mdh - Solitox Networks (Lead Project Engineer)
 * Facts often matter little, in the face of fervently held perceptions
 */


Re: Standing Up Against German Laws - Project HayNeedle

2007-11-12 Thread johan beisser


On Nov 10, 2007, at 9:28 AM, Paul Sebastian Ziegler wrote:

> The mechanism is quite easy: It searches Google for random words and
> picks random pages among the results, then spiders from there (well it
> is spidering except that it only follows one URL at a time within a
> session thus simulating a user).

There's a few things wrong with this approach. Most of them were
outlined by Bruce Schneier when he reviewed "TrackMeNot"[1] last year.

The same issues with TrackMeNot apply to Hayneedle, including
potential false positives, and list of word combinations that can be
filtered out easily, and well, the list goes on.




[1] http://www.schneier.com/blog/archives/2006/08/trackmenot_1.html



Re: [Full-disclosure] Standing Up Against German Laws - Project HayNeedle

2007-11-12 Thread Jan Newger

Paul Sebastian Ziegler wrote:
> > Dear Infosec community,
> >
> > as most of you may have heard the German government passed a law today
> > that will lead to all connections being logged for 6 months. This
> > includes phone calls as well as all internet connections.
NO! This is totally WRONG! The only thing which is logged, in the case
of internet connectivity, is your IP you got from the ISP. Not even
connections are logged! This is important to understand since many
people are misinformed this way. Read
http://www.vorratsdatenspeicherung.de/content/view/78/86/lang,de/#Umsetzung_in_Deutschland

greetz
Jan


Standing Up Against German Laws - Project HayNeedle

2007-11-12 Thread Paul Sebastian Ziegler

Dear Infosec community,

as most of you may have heard the German government passed a law today
that will lead to all connections being logged for 6 months. This
includes phone calls as well as all internet connections.

This is madness for various apparent reasons. In times like these it is
necessary to stand up against it. Of course not by committing crimes but
by attacking the flawed logic behind those laws itself.

There are many approaches to this. And I am sure (and I really hope)
that there will be many more taken. This is just one approach that came
to my mind today.

Introducing Project HayNeedle.
A tiny spider-like program written in C# that will create connection
sessions on its own, thus trying to create plausible deniability. It
runs within the .NET framework and was tested on Linux and Windows XP.
If it runs on your OS, drop me a line; if it doesn't, send me a report.
It should run on almost any OS supporting Mono.

The mechanism is quite easy: It searches Google for random words and
picks random pages among the results, then spiders from there (well it
is spidering except that it only follows one URL at a time within a
session thus simulating a user).

A long description of the idea behind it and the technique as well as
downloads of the sourcecode and binary can be found here (English and
German version):
http://observed.de/?entnum=126

Project HayNeedle is released under the GPLv2. So any form of patches,
ideas and constructive criticism is welcome. However, for the sake of
everyone's nerves I will not reply to any sort of aggressive and/or
flaming mails.

Many Greetings
Paul Sebastian Ziegler