
German politicians targeted in mass data attack - camtarn
https://www.bbc.co.uk/news/world-europe-46757009
======
jstanley
How interesting!

I wrote an encrypted pastebin that uses IPFS:
[https://hardbin.com/](https://hardbin.com/)

I run a public gateway for it on the hardbin.com domain to make it easy for
beginners to use without running their own IPFS node.

Earlier today I got my first ever takedown request for a hardbin paste! CERT-
Bund ("the national cyber security authority in Germany") gave me a link to a
paste with encryption key and asked me to take it down. I have blocked the
link in my nginx config, but I don't know whether that was the right thing to
do or not. I'm interested in hearing opinions either way. Obviously it can
still be accessed through other IPFS nodes.

The paste contained a bunch of German political party names, alongside links
to RAR files, which I presume contained this leaked data.

~~~
LinuxBender
In my humble opinion, you did the right thing. Whether or not providing access
to the dump is legal or ethical, you would certainly receive substantial legal
attention should you not comply.

It is on the leaker to find methods to share files that can not be easily
traced to a public server or a named owner. This is no different than if
someone running one of the many reverse tor proxies (public to hidden network)
were told to block access to something. They risk losing their server, domain,
accounts and much worse. When dealing with embarrassment of government
officials, laws get a little muddy and some people will look the other way.

~~~
gammateam
But did that government agency do the right thing?

It seems more like a waste of public resources to take down links to encrypted
files on a distributed file system? The nodes dont even know what theyre
hosting and the cataloger to the pointers has pure discretion

~~~
LinuxBender
They have to make a best effort to protect their people, as futile as it may
seem. If the archive really contained home addresses, their family members
lives may be at risk.

~~~
gammateam
Was this the best effort or simply an effort

------
Quanttek
The hack is clearly politically motivated, targeting all but the far-right
parties (i.e. AfD is conspicuously missing) and left-leaning public figures.
The data is often highly personal, including iCloud dumps, private photos,
emails, and messages.

~~~
sschueller
Or the AfD is so technically inebt that it only has one party member that even
has email...

~~~
blattimwind
AfD members are very active on Facebook and various other networks.

------
tnolet
My SO is a journalist in Germany. She's all over this. Not clear if there are
any clear "scandals". Would be fantasticly German if absolutely nothing fishy
shows up.

~~~
flexie
Isn’t German politics ridden with scandals at the personal level? I remember
several cases of German top politicians faking their academic records.

~~~
arrrg
Plagiarism was the issue, approached systematically first in 2011, in the wake
of the Guttenberg† scandal. (Plagiarism was discovered in defense minister
Guttenberg’s dissertation in early 2011. His title was subsequently revoked by
his university and he resigned as defense minister.)

After the Guttenberg scandal a wiki sprung up which investigated more past
academic works from people, first mostly politicians.

Now, plagiarism is a serious issue, but these politicians were not “faking”
their academic records. They actually had those titles, the universities had
just failed to identify their plagiarism and given them the titles in spite of
it.

As such hacking them won’t likely reveal such scandals, only actually looking
at those (already public) academic works and searching for plagiarism will …
which is what has already been happening.

—

† Annette Schavan resigned two years earlier because of plagiarism-
accusations, so his wasn’t the first case, even when only looking at recent
cases.

~~~
jabberthemutt
> Now, plagiarism is a serious issue, but these politicians were not “faking”
> their academic records.

'Faking' is a word not even strong enough. Those people acquired titles by
fraud and deception.

------
cntlzw
Looks more like someone gathered sensitive data from several breaches instead
of a single "hack".

~~~
rndgermandude
There is data dumped from social media accounts, data that was clearly dumped
from icloud accounts, etc.

------
Nasrudith
While the hackers are clearly malevolent in their intentions I can't help but
think of the one only surefire way to prevent this sort of meddling is radical
transparency requirements among political canidates. They will wield immense
power so asking them to be openly monitored would be justifiable at levels
above even the judicial system so long as it was applied uniformly.

It would indeed be awkward and something politicians everywhere would be
reluctant to implement but it would work and respect human rights which is
more than can be said about many measures in intelligence.

~~~
mc32
That’s not the answer either. You’ll not get the most able or most willing
politicians but only the cleanest or anodyne candidates who may not be the
ablest candidates. It’s a terrible filter.

~~~
perfmode
We already don’t get the most able politicians. We get corrupt and self-
interested ones en masse.

This argument is strong in theory, but not so much in practice.

~~~
geofft
But we're making steps towards not doing so. Why give up?

This is like arguing for monarchy because democracy is a huge amount of
time/effort and is imperfect anyway so why not save time. I've heard many bad
arguments for monarchism as it happens, but none are quite so bad as "Why
bother even trying to have good government?"

~~~
perfmode
Accountability is precisely how we are making progress.

------
kerng
There arent any details yet about how it was done.

Were the computers of the individuals targeted directly via spearphishing, or
was it done by compromising iCloud,etc. directly or (id say most likely)
password bruteforce account and no 2FA.

If anyone finds an article with more details, please share.

~~~
pgeorgi
[https://www.tagesschau.de/newsticker/liveblog-hack-
politiker...](https://www.tagesschau.de/newsticker/liveblog-hack-
politiker-101.html#Betroffener-Hacker-nutzten-schwaches-E-Mail-Passwort)
explains one case: poor email password plus password recovery across different
services.

2FA would likely have protected that person.

------
kristofferR
What an amazingly annoying hack to browse, you need to spend hours to just
compile the whole thing.

It's not really that complicated to just create a magnet of a folder and then
spend time spreading the magnet link.

------
interfixus
> _A cyber analyst told the BBC there was speculation that hackers may have
> exploited weaknesses in email software to get hold of passwords that those
> targeted had also used on social media accounts_

If so (as probable, according to Occam), just the usual incompetence,
irresponsibility, and self-inflicted damage. If you keep confidential data
under no better protection than a Mickey Mouse password, ought you not be held
accountable when it is - inevitably - leaked?

------
TazeTSchnitzel
I don't know if this is the doing of the Russian government, but it certainly
sounds like the kind of thing they'd do.

~~~
tannhaeuser
This feels more like the work of a hacker activist group with the intent to
show politicians how exposed everybody is. Especially in light of frequent
naive statements about the internet and digitalisation (eg. recent interview
with Dorothea Bär).

------
cat199
"Contacts, private chats and financial details were put out on Twitter that
belong to figures from every political party except the far-right AfD." ...
"However, the fact that no right-wing politicians were targeted while
prominent figures who had criticised them had been, suggested domestic right-
wingers may also have been responsible, he told the BBC."

hmm. editor?

------
nabla9
A clue:

>Only AfD appears to have escaped

AfD is a right-wing political party in Germany. Their focus is migration,
Islam and strengthening ties to Russia.

------
tempodox
Nice. Now, please do the same to the Aussies, Brits, and U.S.-ians.

~~~
adimitrov
So far, it seems that the data dumped is purely "personal effects." E.g.
pictures of children, phone numbers, private chats with family.

Democracy and public policy do _NOT_ benefit from this kind of "transparency."
This is the "ad hominem" of hacks: vacuous, mean-spirited and — hopefully —
entirely ineffectual.

~~~
chopin
It's exactly the kind of data our politicians deemed fair game for mass
surveillance (eg. BND at DE-CIX). I have little sympathy.

I also disagree that there is no potential benefit. Maybe it reminds those in
power that any data retained may come back to haunt you. And it might dampen
attempts to weaken encryption. Even legislation which explicitly exempts
politicians from mass surveillance would probably make the public more aware
of the problem.

~~~
adimitrov
You do have a point that this kind of data is, in fact, collected by mass
government surveillance.

I don't think the reverse holds, though. Politicians will not end up
understanding private people's concerns over surveillance, because to them
it's something else entirely. One is a frivolous attack on the individual, the
other is a more abstract policy goal for the Good Cause™. I'm not saying this
line of thought is legitimate, but instead that I have the strong suspicion
this will not be interpreted as a message for "Datensparsamkeit" by the powers
that be.

I'm also wary of the argument that they "deserve" it. A lot of people who have
nothing to do with said decisions were targeted, and maybe even some who
opposed surveillance. The notion that "politicians" "deserve" to have their
private data exposed by virtue of being politicians is _Sippenhaft_ —
collective punishment.

~~~
chopin
Unfortunately no politician in power has voted against surveillance. Even the
green party is guilty of this where in power (Polizeiaufgabengesetz in Hessen
and Baden-Württemberg, both of which I consider anti-constitutional).

