
Dutch secret service tries to recruit Tor-admin - Liriel
http://www.burojansen.nl/bvd-aivd/dutch-secret-service-tries-to-recruit-tor-admin/
======
digitalengineer
We (the Dutch) have one of the most watched societies and it's never enough.
All phone/internet data is saved for years with almost dragnet like strength,
even though it was deemed excessive by judges. The police buy their traffic
information from TomTom, the highways are littered with cameras with licence
plate-scanning abilities, cities have permanent bluetooth capable scanners
around them (to monitor traffic it is said) and there is talk to add
an RFID chip to the official licence plates... And still it's not enough...

~~~
Accacin
So on a scale of 0 - United Kingdom, where would you say the Dutch are?

~~~
askmike
When it comes to passive surveillance (cameras, dragnet internet tapping)
probably not that far behind.

But when it comes to more invasive measures like internet censorship [1], or
requiring suspects to give over encryption keys (else potentially put them in
jail if they refuse) [2] or simply the way you are treated at an airport, the
UK is much, much worse.

[1]: https://en.wikipedia.org/wiki/Internet_censorship_in_the_United_Kingdom

[2]: https://en.wikipedia.org/wiki/Key_disclosure_law#United_Kingdom

------
StavrosK
Hah, this is rich:

> If you work with us there are benefits, for example if we ask you to crash a
> system in a public place and you would be arrested for that, we make sure
> you don’t get arrested and nobody will know about it, not even the police

"If you do us a favor, there's the amazing perk that you might not even go to
jail for it!"

~~~
secfirstmd
Yeah but that sort of thing is also a hook...once you do it once they begin to
own and have greater control over you. Similar to how even when the individual
might not want to take anything in return for information, they will want to
get the individual to take money or something else in return (free trips to
stuff, ego stroking, sex, drugs etc). Especially on a regular basis.

This means the individual has a) compromised themselves and now cannot feel
"clean" in this previous environment and b) are starting to get used to/spend
the new perk/cash so pretty soon they can't live without it. The power
relationship then swings more towards a needs based one. Suddenly the
handler(s) are the only people who really know the truth about how the
informant truly is. Also the handler(s) are the only people who can meet the
new need that the person has got hooked on.

------
coretx
Dutch Pirateparty founder and sometimes information broker here. During my 10+
years of both national and international activism, politics and intelligence
trade I came to realize that approximately 2 out of 3 people, NGOs, etc. are
compromised. Furthermore, the report is matching what I encountered in
reality.

~~~
dsl
It is dishonest and dangerous to claim that NGOs are compromised without
providing any proof. I've worked in that space, and it is critically important
that aid workers are seen as politically neutral and with pure intentions.

As an example the Taliban was targeting NGOs in the Afghanistan/Pakistan
region because they believed efforts to vaccinate against polio were in fact
an attempt to poison Muslims. Dozens of doctors, nurses, and volunteers were
killed because someone like you decided to start a baseless rumor.

Most first world intelligence agencies have policies against embedding spies
in aid operations. When it became common knowledge we used a vaccination
campaign to collect on UBL, many people resigned from the Agency.

~~~
67726e
> because they believed efforts to vaccinate against polio were in fact an
> attempt to poison Muslims

Or more likely a terrorist organization in those countries started such rumors
to turn public sentiment against the west. Oh, and then the USG used a
vaccination program to attempt to track down terrorists, which played a role
in the take-down of Osama Bin Laden.

It's fair to say that there are compromised NGOs, based on the OBL incident
alone.

~~~
sprafa
My current understanding is the vaccine doctor story was a cover for the fact
that Bin Laden was brought in through a walk-in. But that's Seymour Hersh's
story so who knows.

------
rahkiin
I am really not sure how I feel about this, being Dutch myself. Isn't this how
any country would recruit new people? I don't see what is so wrong about it.
Isn't it logical for secret agencies to monitor possible recruits? Isn't that
what other companies do as well, to an extent? (Using LinkedIn, buying data
from Facebook/Twitter/whoever sells).

I am not really patriotic, but this is about 'protecting' your country, right?
And if we will have some WWIII I think it will be mostly 'cyber'.

Regarding the threat: well duh, you are doing something that might make you an
accomplice of a crime (with whatever law they make) so yeah, they could arrest
you then. How is that even surprising?

But eh, I am not an (ethical) hacker, I just build software...

~~~
morsch
There's nothing particularly wrong with them trying to recruit him (though
opinions regarding covert internal observation services differ), but they're
not just interested in him for his technical prowess. They're asking him to
report on people in hacker spaces, hacker conventions, etc; i.e. to spy on many
of the people that participate in this forum.

There's always been running gags about spooks at hacker conventions, but it's
"nice" to have a confirmation (even if it's hard to verify).

~~~
roel_v
What 'running gags'? I've been to cons in Europe in the late 1990's where
people would openly say they were from special departments of the police or
intelligence services, and that they were there to recruit, learn about what's
going on in the scene and to keep tabs on groups and 'scene' dynamics. This
has been common practice and knowledge for 15+ years. I don't even see what's
surprising about it.

~~~
morsch
Who said anything about being surprised? And are you saying there were no
running gags about it?

FWIW, I'm assuming they would have asked him to report on fellow hackers
without openly saying so. I got that implication from the article, but it
doesn't say so and presumably they wouldn't have made that explicit when they
approached him.

------
Freak_NL
That student's account of meeting those AIVD suits reads like a spy-thriller
fanfic, but if it's true then he's pretty brave publishing it like this.

I'm sure the AIVD's cyber division has some talent, but the AIVD leadership is
pretty naive about the internet. Last year the director publicly criticized
WhatsApp for providing end-to-end encryption because it makes his job harder.
Sure. It's not as if any half-decent terrorist wouldn't use advanced
cryptography or simply use burner phones to plan and coordinate their attacks.

~~~
pricechild
Naive or pushing a narrative to people who are naive themselves.

~~~
StavrosK
Pushing a narrative to people who are naive themselves or pushing a narrative
about pushing a narrative to people who are naive themselves to people who are
naive themselves.

------
sjbase
It's always hard to believe a second-hand story on the Internet, but
suspending skepticism for a moment: kudos to the guy for telling this. There's
easily enough information in there to be identified by the agents he spoke to.
He's taking a huge risk.

Or maybe he included some false info for noise injection... if so, how do we
know which parts to believe? Skepticism suspension lifted, I suppose.

~~~
secfirstmd
> He's taking a huge risk

I understand how it can be viewed that way and it's certainly a bit of a risk
but realistically it's not a huge risk.

If this is AIVD, at the end of the day, despite what many may think due to
outlying examples, they are an intelligence organisation working in a
democracy and their agents aren't normally going to be in the business of
retribution for someone turning down a pitch. Plus, if they became known for
unnecessary retribution for minor things like someone saying no to a pitch, it
would damage their long-term efforts in other areas.

They will expect that probably the majority of the pitches they make will be
rejected. It's not something new to them. Similarly they will have risk
assessed and planned for the eventuality of it being made public. Yes, it will
annoy them but they will still just keep on moving through the social network
analysis diagrams until they find and pitch the right people they are looking
for.

Plus, while it will make some people more wary in future, occasionally
exposure of efforts like this often leads to a softening up of others who
might be interested in doing this sort of thing for them in future. Maybe a
few months down the line someone in the community gets pissed off with others
and remembers this article and drops AIVD a mail........

------
t0mas88
This isn't that strange. The police (more public than secret service) and
national cyber crime team (also public) are very open in hiring IT and
especially infosec talent from the industry, universities and at conferences.
They even commercially sponsor IT related news outlets and communities and
organise hacker challenges to recruit talent in that space.

By far the biggest part of what those teams do isn't secret and fits within
the law. The "problem" is that Dutch law is very liberal on wire tapping,
decryption etc as long as there is a reasonable suspicion and/or court order.
Actually not far behind the rubber stamping in the US, but without the
limitation that they can't target our own citizens (so: much worse than the US
for locals, but similar for foreigners)

Obviously the military and domestic secret service hire the same people and
have even wider abilities within the law and quite a wide grey area. Most of
the public doesn't care enough to make it a political topic, so nobody stops
them.

------
DavidWanjiru
I may be wondering because I'm standing on an atoll of ignorance in a sea of
knowledge, but I wonder why the intelligence themselves can't become Tor
admins and do away with needing to recruit anyone.

~~~
Neliquat
I can imagine the red tape for training, then buying and running a node would
be a bigger hassle than the usual MO of bribery.

------
anondon
Something very similar happens in the movie _The Recruit_. Must watch for
hackers.

I hope the authorities don't go after him for making this public though.

I don't know what it would take for Governments around the world to
acknowledge the importance of encryption and anonymity tools. Access to
private data cuts both ways, if the Government can do it so can the black
hats. Maybe a large scale hack of Government networks devastating the economy
will bring them to their senses.

Given the allegations of Russia's involvement in the recent election, whether
true or not, I was expecting Governments around the world to think deeply
about cyber security issues. Looks like that won't happen anytime soon.

------
fixxer
Tor is a huge inconvenience to a government that wants to suppress the
exchange of controversial ideas within the civilian population.

It is also a huge problem to a government struggling to halt, for instance,
Islamic terrorists that are well established within that population and
potentially use Tor for communication.

I think this is a case of the latter and I don't disagree with the sentiment
100%. The region faces some substantial challenges and we're going to see
civil liberties erode.

------
neoeldex
I'm surprised they're interested in infiltrating hackerspaces. Is this where
they spend our tax money? Our surveillance state is going in the wrong way.

~~~
throwaway7767
If your goal is to collect everything like the western intelligence services,
infiltrating hackerspaces and the CCC seems like a very efficient use of
resources. Especially if they're focusing on Tor and related projects, which
they seem to be.

------
Grangar
This is pretty worrying, I've shared the story around.

~~~
danieldk
I would be more worried if secret services were not trying to acquire assets
and keep tabs on potential threats.

If others do it, you have to do it too.

~~~
eeZah7Ux
> If others do it, you have to do it too.

And this is why war exists.

------
lawless123
5k a month max seems a bit low.. for that..

Is it after tax?

------
tinus_hn
So they have looked at publicly available information and asked them to work
for them. What's the surprise? That the intelligence agencies have people
working for them that go to security conferences? That they will say that if
you hack a system under their responsibility they will shield you and
otherwise they won't? I don't really see the problem here.

~~~
JumpCrisscross
> _That they will say that if you hack a system under their responsibility
> they will shield you_

Promises are cheaper than deeds. You don't need to actually protect anyone.
It's actually better, from the agency's perspective, if they can convert an
asset from an honest law-abiding man to someone who has "crash[ed] a system in
a public place". They have leverage over the latter.

This is how criminals work. Given the secrecy involved, you could never be
sure you weren't working for one.

~~~
tinus_hn
Except recently a widely-publicized law was introduced that actually allows
the intelligence agencies to break into computers. So the offer is legitimate
and the rest is paranoid superstition.

~~~
JumpCrisscross
> _the offer is legitimate and the rest is paranoid superstition_

How do you know it's the Dutch intelligence agency recruiting him and not a
foreign agency or criminal group? It's unlikely AIVD would put him on their
official payroll. From an asset's perspective it will always be difficult to
tell--that's how the handler maintains deniability.

------
whazor
This is a new strategy of AIVD and MIVD, they are desperately trying to hire
skilled hackers.

He thinks that AIVD wants him to infiltrate hacker scenes. Reality is probably
that they want him to recruit more hackers.

Same story about the tor nodes, AIVD knows that hackers want to have tor
nodes. They obviously do not care about Tor, thus want to look like they are
cool.

~~~
phicoh
Note this interview:
http://www.trouw.nl/tr/nl/4324/Nieuws/article/detail/4452683/2017/01/24/Veiligheidsdienst-zoekt-jonge-hackers-tegen-Russische-dreiging.dhtml

Note they did offer him a position to manage young hackers.

I guess the sad part is the threat. Hackers have to decide for themselves if
they want to work for the government or not. But it is bad if part of recruitment
is making threats (and demanding that those threats be kept secret).

------
franzpeterstein
hm, what's wrong ycombinator? Is that a technical/database problem? I didn't
know it was possible to post double content, with same headline and same link. I
mean, that's (in my personal opinion) bad database design.

https://news.ycombinator.com/item?id=13484071

~~~
DanBC
The duplicate detector is weak to allow good stories to get a second chance.

[https://news.ycombinator.com/item?id=11273241#11273580](https://news.ycombinator.com/item?id=11273241#11273580)

~~~
franzpeterstein
Ah! Ok, thanks for the info thread link.

------
unixhero
Better the Dutch than some other agency.

------
besselheim
Sounds like he just turned down a rather nice job offer, and burned his
bridges by being publicly disgruntled about it.

~~~
phicoh
Many in the Dutch hacker scene would never work for the Dutch government (at
least, the more sensitive parts such as intelligence agencies, police, etc.).

So most likely he didn't want to work for them anyway and was very unhappy
about the implicit threats related to his Tor exit-nodes.

~~~
besselheim
Still, he'd have been better off staying quiet about it, in case he changed
his outlook in years to come.

~~~
phicoh
For IT professionals the risk doesn't seem very high. Just running tor exit-
nodes is not illegal. There are enough jobs in IT where you don't have to
worry about any kind of government approval.

There are lots of stories about people who in one way or another got in
contact with the intelligence agencies and nothing really bad happened to
them.

Of course, agreeing to secrecy and then spilling the beans is not recommended.
But in this case the agents decided to tell him stuff without any kind of
agreement.

------
throw2016
It's their job to secure 'assets' and they have a near endless amount of
resources, influence and leverage to do so. It's anyone's guess how many
'assets' secret services around the world have on their rolls.

While it's easy to give in to paranoia or a witchhunt it would be equally amiss
to pretend these things don't happen regularly. Things positioned as privacy
centric would especially have a lot of attention on them from services around
the world.

Few would be able to resist the money, power, purpose and if they have
leverage less so. Which makes privacy that much more important, it's easy to
get leverage if everyone is on file.

Trust is a huge premium. For those who need privacy or secrecy better to trust
yourself. You don't need any specific technology or project to get those
things.

