Re: [liberationtech] Finfisher Spy Kit Revealed in Bahrain
On 27.07.2012 12:58, Erich M. wrote:
> Here is my take [German alas] on that matter including the reaction of the Social Democrat fraction in Europarl. MEP Leichtfried from .AT has been the rapporteur and the guy who managed to introduce surveillance software into the catalogue of dual use goods.

Software is a service, not a good. Without discouraging the efforts: While it may undermine the commercial base it won't help to stop the spread of these tools. The Service aspect frames it more into commercial assistance of foreign espionage, here foreign domestic espionage. Services imply that the export nations do not develop the capabilities themselves and allow for all kinds of trojan horses (export versions) and contacts, from which you could assess the current capabilities of the regime.

Ironic: During the 90s we voiced strong opinions against crypto export regulations, now virtually the same community seeks export controls for surveillance technology.

The common denominator of my campaigning on the EU level is reduction of legal risks for software development. We both know that even general-purpose equipment and operating systems could be dual use. It's tricky from a regulatory perspective, but the cases are crystal-clear. An applicable line is to put citizens and export nations on equal footing. Tools where use is unlawful for citizens under our jurisdiction should also be controlled for service export to external parties.

--- A

___
liberationtech mailing list
liberationtech@lists.stanford.edu

Should you need to change your subscription options, please go to: https://mailman.stanford.edu/mailman/listinfo/liberationtech

If you would like to receive a daily digest, click yes (once you click above) next to would you like to receive list mail batched in a daily digest? You will need the user name and password you receive from the list moderator in monthly reminders.
You may ask for a reminder here: https://mailman.stanford.edu/mailman/listinfo/liberationtech Should you need immediate assistance, please contact the list moderator. Please don't forget to follow us on http://twitter.com/#!/Liberationtech
Re: [liberationtech] Finfisher Spy Kit Revealed in Bahrain
On 7/27/12 11:54 PM, Andre Rebentisch wrote:
> The common denominator of my campaigning on the EU level is reduction of legal risks for software development. We both know that even general-purpose equipment and operating systems could be dual use. It's tricky from a regulatory perspective, but the cases are crystal-clear. An applicable line is to put citizens and export nations on equal footing. Tools where use is unlawful for citizens under our jurisdiction should also be controlled for service export to external parties.

I have to deal with export control stuff for my daily job, but for what's related to the Wassenaar Arrangement Control List (http://www.wassenaar.org/controllists/index.html).

The one of my high interests is related to Cryptography, where software is explicitly cited: https://docs.google.com/viewer?url=http://www.wassenaar.org/controllists/2011/WA-LIST%2520%252811%2529%25201%2520Corr/08%2520-%2520WA-LIST%2520%252811%2529%25201%2520Corr.%2520-%2520Cat%25205P2.doc

Basically you can avoid the control if and only if the items meet all of the following:

==
Generally available to the public by being sold, without restriction, from stock at retail selling points by means of any of the following:
1. Over-the-counter transactions;
2. Mail order transactions;
3. Electronic transactions; or
4. Telephone call transactions;
* The cryptographic functionality cannot easily be changed by the user;
* Designed for installation by the user without further substantial support by the supplier; and
* Not used since 2000
* When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter's country in order to ascertain compliance with conditions described in paragraphs a. to c. above.
==

So the general concept for crypto-exports on dual-use is that:
- if it's a standard tool
- that you sell to anyone
- that the customer can install on its own (because it's not a customized, developed ad-hoc for the customer)
then no export control applies.

Still I generally think that if a western country company doesn't sell something to a regime, other companies from regimes will do: www.iranascience.com/1-home/newsletters/21-Web%2520Filters.pdf

-naif
Re: [liberationtech] Finfisher Spy Kit Revealed in Bahrain
On Fri, Jul 27, 2012 at 11:54:33PM +0200, Andre Rebentisch wrote:
> On 27.07.2012 12:58, Erich M. wrote:
>> Here is my take [German alas] on that matter including the reaction of the Social Democrat fraction in Europarl. MEP Leichtfried from .AT has been the rapporteur and the guy who managed to introduce surveillance software into the catalogue of dual use goods.
>
> Software is a service, not a good. Without discouraging the efforts: While it may undermine the commercial base it won't help to stop the spread of these tools. The Service aspect frames it more into commercial assistance of foreign espionage, here foreign domestic espionage. Services imply that the export nations do not develop the capabilities themselves and allow for all kinds of trojan horses (export versions) and contacts, from which you could assess the current capabilities of the regime.
>
> Ironic: During the 90s we voiced strong opinions against crypto export regulations, now virtually the same community seeks export controls for surveillance technology.

I am a bit skeptical about it. From the technical point of view, to prohibit business between EU/US companies and dictatorship countries is almost impossible (because they can use dozens of subcontractors in many 'grey' countries and they do it if they want). Therefore, it is hard to say if this should be regulated by a law, I would prefer market - personally I would never buy anything from the company that supports a dictator regime. Most companies cannot afford to do it, because otherwise their reputation can be endangered.
Pavol
--
[wil...@trip.sk] [http://trip.sk/wilder/] [talker: ttt.sk 5678]
Re: [liberationtech] Finfisher Spy Kit Revealed in Bahrain
On Sat, Jul 28, 2012 at 08:40:33PM +, Jacob Appelbaum wrote:
> Likewise, the free market has yet to deal with Cisco, EMC, and the myriad of companies like Nokia Siemens, Huawei and others who directly sell surveillance, censorship and outright tracking systems. The market has rewarded Cisco for their efforts with the Golden Shield project. This is even after Cisco was caught red handed advertising it for use in hunting down unwanted (religious) groups of people.

Of course I really don't like this situation. But I am not sure if any draconian government's laws against these corporations would work.

> I don't believe that export controls or total absolute sanctions are the right path forward. Rather, we should hold these companies to account for their actions _in the US and Europe_ where they would not be reasonable, legal or ethical. Specifically when they do this for a profit and disregard the impact on society as a whole - something most of these companies are doing without even a slight regard for human life.

Definitely. And propagation of all information about these bad companies (e.g. I really like http://werebuild.telecomix.org/wiki/Blue_cabinet). I try to choose my network vendor according to the information in this document and also recommend this list to many of my friends/customers.

Maybe I am completely out of reality, but still think that the pressure against these bad corporations should be made primarily by people (human activists/organizations, potential/real customers of these corporations, etc.), not governments. Because it's primarily an ethical problem, then a legal one.
Pavol
--
[wil...@trip.sk] [http://trip.sk/wilder/] [talker: ttt.sk 5678]
Re: [liberationtech] Finfisher Spy Kit Revealed in Bahrain
On 07/27/2012 02:53 PM, Fabio Pietrosanti (naif) wrote:

tnx to the other voices that tuned in meanwhile, I agree on close to all Andre R. posted

> National Security Agencies of which Nation?

German Bundesnachrichtendienst in this case. See more below on Ipoque, Utimaco and a venerable SIGINT company named R&S.

> * Gamma Group have an origin in Germany.
> * Then moved all the companies to UK (offshore or real moving of business?)

offshore, to avoid questions in Germany. There were never any exports from Germany to this and that country - True. The export was via UK ;)

> * mail.gammagroup.com mailserver is in Beirut, Lebanon.
>
> So it's interesting that it's not very clear where they are based. Also on LinkedIn there is *not a single person* that worked for one of their group company.

Fabio, would you expect people so close to the agencies will make a coming out there? Many of the vendors and sales staffers are former agency men and still sport a security clearance. This is a highly specialized branch, so that is very common.

> In any case as far as I know there's no export version of software like this, not like it is for crypto if it resides under dual-use Wassenaar agreement.

Sure there is one but an _informal_ export version. Sales would of course never ever name it thus but emphasize that theirs was of course a completely reliable full scale solution. ;) Professional _intrusion_ software suites or telco monitoring set ups exported to the Mid East etc. are always backdoored in one way or another.

> The trojan producer just differentiates the products based on their capabilities and features, basing on that the pricing.

ack / syn. BUT: the trojan producer is in most cases not identical with the company that integrates the trojan into a surveillance suite. That is why I am not that optimistic as to extracting a possible virus signature. These suites all work on a modular base. You just screw another armorbreaker warhead onto this deep penetration missile, so to say, if you change your intrusion method but keep the rest of the sw modules.

> I also know of companies that asked for export permission (of monitoring technologies) to national authorities (in Italy) and just because it was difficult to understand what it is, the authorities are not able to answer within 90 days, and so it's by default allowed.

Business as usual, very familiar, Fabio.

> As an additional fun conspiracy theory, at 4.1km from their Munich office there is SecurStar GmbH that in 2006 developed a mobile trojan: http://pastebin.com/caxxuNe8

It is not a conspiracy but only historic, concerning the federal Bavarian government. The Siemens telco surveillance unit has been there from the 80s. Take a look how far the HQ of Bundesnachrichtendienst in Munich/Pullach is from Siemens Allee ;) You should find Trovicor rather close by as well.

http://maps.google.com/maps?q=Pullach+BNDoe=utf-8client=ubuntuchannel=fsgbv=1um=1ie=UTF-8hl=ensa=Ntab=wl

There are even more such companies bunkered in on the outskirts of Munich. Radio comms longtime SIGINT specialist Rohde & Schwarz is located there.

OE3EMB mode
R&S adorable spectrum vertical network analyzers! Omnipotent signal generators! 2 Hz = 20 GHz in one piece of equip! Ahh! Oh no I am getting a hard-on...
/OE3EMB mode

R&S has acquired ISS regular Ipoque recently and became exclusive distributor of core Utimaco products. Oh that is another ISS regular. All that deutsche Wertarbeit stuff is just a drive around two corners from Pullach.

Must close now. OE3EMB needs a towel

Erich

> -naif

--
http://moechel.com/kontakt.html PGP KEY 0xEA7DC174 fingerprint 02AA B2E7 C609 307D 34FE 4B5C ACC6 A796 EA7D C174
--... ...-- -.. . . .-. .. -.-. --- . ...-- . -- -...