
“100 spies” will monitor all SMS and email that goes in and out of Norway - DyslexicAtheist
https://translate.google.com/translate?sl=auto&tl=en&u=https%3A%2F%2Fwww.nettavisen.no%2Fnyheter%2F100-spioner-skal-overvake-alle-sms-er-og-e-poster-som-gar-inn-og-ut-av-norge%2F3423589246.html
======
danielskogly
This article references another news article as its source.

Link to original:
[https://translate.google.com/translate?sl=no&tl=en&u=https%3...](https://translate.google.com/translate?sl=no&tl=en&u=https%3A%2F%2Fwww.aftenposten.no%2Fnorge%2Fi%2Fqn9JrO%2FDet-koster-dyrt-a-vare-Storebror-Her-er-regnestykket-for-a-overvake-din-nettbruk)

------
olivermarks
At least the Norwegians (and other Scandinavian countries) are publicly open
about what they are doing. You'd probably never see this 'news story' in the
UK or US except as the solution to some event that supposedly justified it

~~~
bjoli
Meh, we have had the same thing as you guys for a long time. FRA (the signal
intelligence in Sweden) has been recording our border-passing communications
for many years. This is maybe not new knowledge, but definitely not that
widespread.

The information gathered (oh, they have access to XKeyscore) is then shared
within X eyes (nine? fourteen?) program. The extent of FRA's intelligence
operations was not known before Snowden.

Some of it became more public knowledge in 2008 when there was a new law that
gave them permission to do cable interception. It was later confirmed that
they had been doing cable interception before the law was enacted, in conflict
with the law, but "with acceptance" of the administration.

Sweden is really not much better than other countries. Norway is following
suit, but with a slightly "better" law that at least requires secret court
orders to store other things than metadata of things passing the border.

Edit: oh, and they are allowed (or at least not strictly disallowed) to do
targeted hacking, which they have done in cooperation with other (NSA)
intelligence agencies.

But, at least we do not have a secret budget like other democracies :) . They
got about 1 billion SEK last year, or about 0.1% of the national budget.

------
messo
This is a proposed bill and is far from being implemented yet. It is currently
being evaluated by all involved departments, institutions and companies and
has predictably received sharp critique from many angles. It will be
interesting to see if it survives the process at all.

------
kwhitefoot
How does that work with encrypted transport? Yahoo, Microsoft, Google and of
course many others, all provide IMAP over TLS so sending email to them and
receiving from them doesn't go in the clear.

~~~
sametmax
Like most gov, they probably have access to a root CA and they MITM.

~~~
Ajedi32
There are currently no publicly trusted CAs participating in such a scheme. If
there were, it'd be trivially detectable due to the millions of fraudulent
certificates showing up in Certificate Transparency logs.

~~~
trumped
Of course they won't tell you that they are doing it...

~~~
Ajedi32
They _have_ to tell you, there's no alternative option. If they don't publish
the certs in multiple logs, then they aren't considered valid by browsers.

------
dajohnson89
Clickbait title. It's a proposed bill.

~~~
andai
I'd watch that movie though.

~~~
DyslexicAtheist
100 people in suits and ties intercepting _"Norsemen"_ memes and analyzing
fake-book reviews such as "_The Dragon with the Girl Tattoo_"

edit: apologies just realized the latter was Swedish not Norwegian

~~~
ohiovr
_pours drink into chess computer_

------
x15
I doubt most tech-literate criminals won't use something like Telegram or
Matrix over a Tor relay.

Whenever my girlfriend and I talk about anything too personal, I always joke
about the government's ability to hear our conversation.

WhatsApp and Viber provide cryptographic communication but, if I'm not
mistaken, it needs to be explicitly enabled and I've also read there's a bunch
of metadata exposed.

~~~
greiskul
You are mistaken about WhatsApp. It does end to end encryption by default.
What needs to be explicitly enabled is that theoretically WhatsApp/some bad
guy could steal a WhatsApp account, and it would create a new public key, and
if you didn't turn on security notifications, you might not be aware that the
person you think you are talking to changed. You also should verify that the
end to end encryption keys match, but most users are not paranoid to that
level.

~~~
_trampeltier
I heard a couple of times, after people get a new phone number, after
installing WhatsApp, they see the conversation from the old owner of this
phone number. How can this happen then?

~~~
lieuwex
If you really mean conversations of the original owner, I can't believe that's
true after e2e has been enabled.

But it could be that messages sent to the original owner are received, since
WhatsApp automatically re-encrypts and sends messages if the message has not
been received yet and the key has been changed. So basically that would mean
the message would be sent when the previous owner already changed their
number. So the people shouldn't have sent the messages at all.

WhatsApp e2e encryption just makes sure that the only person that can read the
message is the owner of the number, not necessarily the person you want to
send it to.

~~~
StavrosK
WhatsApp also does backup.

~~~
lieuwex
In Drive & iCloud(?) AFAIK, so that would be linked to the owner of the phone at
that time.

------
ourmandave
I assume "100 spies" is the name of the server that all the traffic is
funneled through.

~~~
DyslexicAtheist
the tag name of the docker container that runs on the same Linode VPS as the
rest of Norway's Internet infra. /s

edit: just some friendly (immature) banter from another European

------
lostgame
How exactly does this work with encryption, which is becoming more and more
prevalent? E.G., Tor...

~~~
auiya
You decrypt the traffic. Or you monitor on a point in the chain where the
traffic has already been decrypted. I think what you meant to ask was how do
they obtain the decryption keys or establish a point of presence post-
decryption?

~~~
mlindner
You can't decrypt the traffic. You can however monitor it at a point that
traffic has already been decrypted. SMS messages are not encrypted, and email
is only encrypted between you and your email provider; whether that email goes
on to its final email recipient server encrypted or not is entirely up to the
email provider.

~~~
auiya
> You can't decrypt the traffic

Sure you can. There are many how-tos on decrypting SSL/TLS using Wireshark,
you just have to have the keys. Here's one -
[https://support.citrix.com/article/CTX116557](https://support.citrix.com/article/CTX116557)

------
ElijahLynn
100 New/More/Added Spies. Not "100 spies".

------
rocqua
Sounds like it's only meta-data of emails, not actual content when TLS is
used.

~~~
chrismeller
When TLS is used there is no metadata either... server x talked to server y
for a while, but what, if anything, happened we know not.

~~~
CWSZ
> When TLS is used there is no metadata either... server x talked to server y
> for a while, but what, if anything, happened we know not.

Quite a bit of metadata really...

Client X: IP address

Server Y: IP address

Client X request: TLS parameters that can be analyzed through TLS
fingerprinting

Server Y response: Hostnames supported by SNI

Server Y response: TLS parameters that can be analyzed through TLS
fingerprinting

