Minister: Dutch police should be allowed to hack and eavesdrop

[Pinga]

Quote:

Opstelten wants to give police the right to hack into computers to install software which can be used, for example, to unscramble information. He also says it should be possible for the police to break into computers to wipe information or make it inaccessible.

http://pastebin.com/zDDDBGgr

http://www.expatica.com/nl/news/dutc...er_247287.html[

http://www.volkskrant.nl/vk/nl/2686/...chokkend.dhtml

[encus]

Another clear example of the death of privacy

[roady]

Let's start with his own computer.......or those from his kids........I bet the proposal will be dropped before you can say "police investigation"....

[FanJ]

Blog by Ronald Prins, CEO of Dutch security company Fox-IT:
http://blog.fox-it.com/2012/10/15/mogen-we-terugslaan/
Unfortunately it is only in Dutch (as far as I know); it would be worth when it would also be available in English. It is well worth reading it.
It describes where this proposal might come from, for example the Bredolab botnet infection in Holland in 2010 and the Dorifel infection in Holland (to name two).
One comment on the blog (by christinekarman) is also worth reading.

Am I defending this proposal? No!
The Fox-IT blog may give you some thoughts about where it might come from and the problems with international cyber crime.

[Mman79]

Quote:

Originally Posted by roady

Let's start with his own computer.......or those from his kids........I bet the proposal will be dropped before you can say "police investigation"....

Nah, he'd claim "national security" to scoot out of that situation I grin but it's true.

[PJC]

The Dutch have been very Liberal and Sensitive to Privacy features...
What happened to them?

[Mman79]

Quote:

Originally Posted by Mr.PC

The Dutch have been very Liberal and Sensitive to Privacy features...
What happened to them?

There's very little that can be said to answer that without talking about political issues which, unfortunately, will get the thread shut down or "trimmed". I can probably dip my toe in the water and be alright by saying that it is both fallout from 9/11 and a desire to control data. Add to that "threats" like Anonymous, and the move of criminal organizations to the internet where they are much harder to get to, and the Internet becomes that last "wild frontier" that they desire to tame.

The increasing use of encryption by "regular people" probably isn't helping either, which is why SilentCircle and their app is getting ugly looks. What SilentCircle is either failing to understand or care about is that along with the "innocents" they are intending to protect, their app is going to open up a whole box of worms when criminals and "enemies" start to use it to. There isn't any way to avoid that happening and that is probably scaring the hell out of LEA and government agencies.

There are a lot of issues that are driving once "free-thinking" nations and governments to these reversals and measures, and it is far more difficult to repair than it is to stop or at least slow down the damage.

[Nebulus]

Quote:

Originally Posted by Mman79

There are a lot of issues that are driving once "free-thinking" nations and governments to these reversals and measures, and it is far more difficult to repair than it is to stop or at least slow down the damage.

I'm afraid it's more than a government issue. As Judge Learned Hand said: "Liberty lies in the hearts of men and women; when it dies there, no constitution, no law, no court can save it; no constitution, no law, no court can even do much to help it".

[Mman79]

Quote:

Originally Posted by Nebulus

I'm afraid it's more than a government issue. As Judge Learned Hand said: "Liberty lies in the hearts of men and women; when it dies there, no constitution, no law, no court can save it; no constitution, no law, no court can even do much to help it".

Correct. The course can be reversed, if we want it bad enough. Complaining on forums and shouting at our TV sets isn't going to cut it. People have become content and complacent, and that usually doesn't end well.

[Baserk]

Quote:

Originally Posted by Mr.PC

The Dutch have been very Liberal and Sensitive to Privacy features...
What happened to them?

The proposal by the current secretary of Justice should be considered also against the background of the current government coalition talks.
While conservatives and social democrats are negotiating a new coalition, the current and soon-to-be-stepping-down government can't even put such laws into place anymore (and the current conservative secretary of Justice might be replaced).

However, in NL (the EU country with the most cellphone-taps per capita, mind you), there is a shift towards even lesser privacy/more government intrusion.
As already mentioned above, our country isn't immune to western world changes reg. online anonymity and privacy and LEA getting more and more power.

[FanJ]

Hi there Baserk,

I agree with you on the private issues you mentioned. Those issues worry me a lot too. It might be Jooske who mentioned those issues already years ago here.

We must be careful about politics issues because they are not allowed. So only one remark, if I am allowed. Whether the proposal is going into Law during this resignation ("demissionair") status of the current government depends on 1) whether it is declared controversial (or not) by the Parlement and 2) whether (if it is not declared controversial) the Parlement agrees with it and 3) some other reasons.
Anyway, enough politics.

The proposal is in the news here. It is in newspapers (for example the NRC on saturday), the TV discussion program Buitenhof on sunday (with Ronald Prins of Fox-IT).

[noone_particular]

Whether or not law enforcement is given the legal ability to hack and eavesdrop is pretty much irrelevant. They're already doing it. There's little that anyone can do about it in a legal sense. From a practical perspective, it's no different than defending against malware and the rest of the spying, datamining, and eavesdropping that's already happening. Installing spyware isn't so easy on default-deny secured units, especially when the rules are based on file hashes and disregards vendor signatures. Relying on detection based security is risky IMO. I wouldn't trust any AV or anti-malware to detect official malware.

Defeating "official" tracking isn't much different than defeating the tracking measures we already face. The only real differences are that we need to pay more attention to jurisdictions, have some knowledge of who cooperates with who in such matters, and recognize that our ISPs may also be our adversaries.

It wouldn't surprise me if at some point, using offshore VPNs and Tor become illegal in a lot of places. They might even manage to outlaw encryption for individuals. I want to see them try to make default-deny illegal or force me to store all my data on the PC or in cloud servers.

[Mman79]

These things are what I fear too. I'm not certain why some are so sure that encryption software could not be banned for personal use. ISPs have increasingly become adversaries. They've gained quite a bit of legal power to monitor activities.

[siljaline]

Dutch government seeks to let law enforcement hack foreign computers

Quote:

The Dutch government wants to give law enforcement authorities the power to hack into computers, including those located in other countries, for the purpose of discovering and gathering evidence during cybercrime investigations.

• Article

[arran]

But how would they hack into a power user's pc who has HIPS and Anti-Executable security software ?

How would they bypass Applocker on win 7 Ultimate?

[ComputerSaysNo]

If you know the Netherlands you would know they have the strictest laws on earth regarding cell phones. So this is no surprise to me.

Quote:

Originally Posted by arran

But how would they hack into a power user's pc who has HIPS and Anti-Executable security software ?

How would they bypass Applocker on win 7 Ultimate?

Those things don't work, if they did malware wouldn't exist. There are so many ways to bypass them.

[arran]

Quote:

Originally Posted by ComputerSaysNo

Those things don't work, if they did malware wouldn't exist.

what do you mean? of course they work. The reason why malware exists is because the majority of people on the internet only use a basic antivirus program. most people don't even use a HIPS or a Anti-Executable program that's why malware exists and has a field day.

Quote:

Originally Posted by ComputerSaysNo

There are so many ways to bypass them.

I agree there are many ways to bypass a normal antivirus program but there isn't many ways a well configured HIPS and Anti-Executable program can be bypassed.

[lotuseclat79]

Dutch government to give law agencies powers to hack foreign computers.

Quote:

Agencies could get investigative powers that involve hacking, installing spyware and destroying data

-- Tom

[Mman79]

Quote:

Originally Posted by arran

what do you mean? of course they work. The reason why malware exists is because the majority of people on the internet only use a basic antivirus program. most people don't even use a HIPS or a Anti-Executable program that's why malware exists and has a field day.



I agree there are many ways to bypass a normal antivirus program but there isn't many ways a well configured HIPS and Anti-Executable program can be bypassed.

I agree and disagree with you on why malware exists to the extent it does. I do agree that matters aren't helped by the amount of "naked" users. Although you do not, in my opinion need complicated measures like HIPS to protect yourself. Malware exists simply because even back in the regular old virus days stealing data was a money maker. Malware on the home front has always been about money. We can talk about the escapades of Anonymous or government use of malware to conduct cyberwar, but outside of those very specific circumstances it is about cold hard cash.

Malware being used as much has a lot to do with the fact that people as a whole are stupid and greedy. If the vast majority of people treated what they saw on the Internet or even out in daily life the same way a spy treats a buxom blonde sitting at the bar, malware wouldn't be anywhere near as effective as it is. The internet is full of fun and knowledge, but, just as with that buxom blonde, you make sure to have a condom and a Walther PPK

What tools you use are completely dependent on what you feel you need and can comfortably use without spending two days on a help forum trying to use it. HIPS can be effective in the right hands, in average hands it might as well not even be there. It will be tweaked, features turned off, rules fiddled with and just basically end up being useless or turning the machine into a doorstop. For myself, a good AV with a web scanner, Noscript and ABP with specific lists are what I feel I need. I also use EMET for a little extra armor. I'm sure many people would look at that setup and point out flaws. However, I would say to them what I would tell anyone..if neither I nor they are getting infected by malware, what does it matter what setup I or they use? Anything past that is, for lack of a better term, a ~ Snipped as per TOS ~ contest.

[Baserk]

Quote:

Originally Posted by noone_particular

Whether or not law enforcement is given the legal ability to hack and eavesdrop is pretty much irrelevant. They're already doing it.
...
It wouldn't surprise me if at some point, using offshore VPNs and Tor become illegal in a lot of places. They might even manage to outlaw encryption for individuals. I want to see them try to make default-deny illegal or force me to store all my data on the PC or in cloud servers.

It's not just the legalisation of police hacking.
This proposal would also legalize hacking foreign computers by low-level LEA, effectively creating an international precedent for every LEA worldwide to hack any individuals computer worldwide.
If the Dutch police is allowed to hack f.i. French/US/Polynesian/whatever civilian/business computers/command servers to kill a botnet or any other criminal network and gather evidence (cc numbers) and then destroy the data, you'll open a can of worms, really nasty worms I'm afraid.
The proposal includes the right to destroy data on foreign computers, making it pretty hard to defend yourself during a case when only LEA can show evidence and the defendant is left with a (partially) zero'ed HDD.
And new is the proposal to force suspects to hand over cryptcontainer passwords, making it illegal to not cooperate with your own prosecution.
Not handing over (and even forgetting) a cryptcontainer password can suddenly become a criminal offense, as already in the UK.
Even in a case where you'll eventually be cleared of all charges, you might spend some time in jail for not decrypting that treasured flick of you and your better half.
A radical break from the centuries old right of 'nemo tenetur'/right against self-incrimination. Future outlawing of encryption for civilians doesn't sound that far-fetched indeed.

[Techwiz]

Privacy is an illusion. Even if it's in your head, there is just some information you can not conceal. Predating the introduction of technology, small communities and households still eavesdropped on each other and spread disinformation. Technology has only improve the effectiveness of this distasteful practice. The only unique contribution of technology in regard to this subject matter is that inter-connectivity acts as a catalysis, exacerbating our natural compulsion to share information and socialize with others. Social pressure compounds this worse, because unless your willing to conform (use the technology) you become the topic of discussion. Misinformation is more likely to spread, unless you participate (damage control). The problem hasn't changed ... just the means by which it's facilitated and the compulsion to participate is stronger. The closest you'll get to anonymity in the information age is spreading disinformation first and following up with aggressive damage control. You have to control how people perceiving you and your actions. Then you have to make sure that anything said to the contrary is discredited or buried with further disinformation.

[noone_particular]

Techwiz,
You're placing too much importance on peer pressure and far too much value on misinformation, aka gossip. I've had no trouble keeping my internet and physical "life" separate. Using Facebook accounts as an example, not having one in itself doesn't automatically result in suspicion. It's how you answer the question. An answer like "I don't like the privacy issues with Facebook" might arouse suspicion. An answer like "What do you do with a Facebook account?" gives a completely different impression. With people who don't know me, I've easily passed myself off as computer illiterate, old school, and/or 50 years behind the times. To a large extent, privacy can be protected by maintaining an illusion and a separation between your internet and "real life" activities.

[noone_particular]

Quote:

Originally Posted by Baserk

It's not just the legalisation of police hacking.
This proposal would also legalize hacking foreign computers by low-level LEA, effectively creating an international precedent for every LEA worldwide to hack any individuals computer worldwide.
If the Dutch police is allowed to hack f.i. French/US/Polynesian/whatever civilian/business computers/command servers to kill a botnet or any other criminal network and gather evidence (cc numbers) and then destroy the data, you'll open a can of worms, really nasty worms I'm afraid.
The proposal includes the right to destroy data on foreign computers, making it pretty hard to defend yourself during a case when only LEA can show evidence and the defendant is left with a (partially) zero'ed HDD.

I agree with this being a pandora's box we don't need opened. That said, there's a big difference between LEA being legally allowed to hack your system and/or capture/destroy data and being able to actually do so. It doesn't matter if an attacker is a rogue hacker or an LEA. The methods of defending oneself don't change. Unless LEA and/or governments have access to some hidden backdoor in the hardware or OS (which wouldn't surprise me in the least), a system can be hardened and defended well enough to make it very difficult if not impossible to attack from the internet.

Quote:

Originally Posted by Baserk

And new is the proposal to force suspects to hand over cryptcontainer passwords, making it illegal to not cooperate with your own prosecution.
Not handing over (and even forgetting) a cryptcontainer password can suddenly become a criminal offense, as already in the UK.
Even in a case where you'll eventually be cleared of all charges, you might spend some time in jail for not decrypting that treasured flick of you and your better half.

This is a separate albeit related problem. This also assumes that they can force you to divulge passwords. There's not much you can do to prevent their accessing data on the equipment when they have physical access to the equipment. That said, if the data they're after is not on the equipment, that's their problem to find it and/or prove that it even exists. Other (controversial) defenses can include automated destruction of data if an incorrect entry is made. The law can prevent you from legally destroying the data. It's not so black and white if their attempts to open the container cause its destruction. "I would have opened it. You didn't ask me to."

[ComputerSaysNo]

Honestly, if it's to do with Child Porn I have no issues with laws that force you to hand over your keys. The problem is when they use those laws for other issues, so there must be strict tight laws only that deal with CP. If they don't cross over then I have no problem with forcing SCUM to hand over their keys.

[Nebulus]

Quote:

Originally Posted by ComputerSaysNo

Honestly, if it's to do with Child Porn I have no issues with laws that force you to hand over your keys. The problem is when they use those laws for other issues, so there must be strict tight laws only that deal with CP. If they don't cross over then I have no problem with forcing SCUM to hand over their keys.

Child porn and terrorism are used these days as pretexts to take away more and more rights from people, no matter if they aren't guilty of anything. Also there is the matter of being innocent until proven guilty: you will not be forced to hand over the keys after you are found guilty, you will be forced to do it when you are still (presumed) innocent.