Hacker News new | comments | ask | show | jobs | submit login
German government to use Trojan spyware to monitor citizens (dw.com)
520 points by temp on Feb 23, 2016 | hide | past | web | favorite | 185 comments

I doubt they have capable programmers working for them. A few years ago the Chaos Computer Club discovered the 'predecessor' version of this State-Trojan ("Bundestrojaner"). This version was a perfect example what happens when you _want_ to have such a software but your programmers _suck_ at even most basic things (like establishing a working traffic-encryption).

Here's the video (in German): https://youtu.be/zAV-hTpperU

We shouldn't fear their 'capabilities' but rather their lack of knowledge that'll ultimately lead to 'open systems' which can later be exploited by other criminals.

In fact, our State (I'm from Germany) supports criminal activities by using a crappy software that'll crack the basic security measures of Windows.

I doubt they have any professional Linux programmers working for them. Working for the State also means earning only a fraction of what you can earn in the free market.

I do not fear the State but criminals who'll sooner or later exploit holes created by our "security agencies".

>We shouldn't fear their 'capabilities' but rather their lack of knowledge that'll ultimately lead to 'open systems' which can later be exploited by other criminals.

We should fear their intent. Their capabilities are beside the point -- they could hire the very best tomorrow if they found they need to.

Spot on. We should also fear the attempt to make such activity legal.

Capabilities will evolve on all sides. The mindset that cedes the right of the state to engage in this activity and instead falls back to a position of mounting a technological defense against them is a losing one. It essentially says to the state, "it's fair game to come get whatever you can".

Given enough time and intent, the unlimited resources of the state will ultimately prevail. More importantly, this is not the posture that private citizens should tolerate with their governments. This is first and foremost a legal matter. Technological capabilities are secondary.

Not only that, they could take over the already-built infrastructure of tech companies tomorrow if they wanted to.

I guess you are not involved in politics? There is a lot of evidence that we should be very afraid of the state if you look at Verfassungsschutz activities. They are monitoring a lot of people who oppose policy backed by the state and there is a precedent in which “opposition members” were banned from state official jobs (teachers, ...) just a few years ago. Opposition member can mean for example being involved in anti nuclear-power protests.

Edit: People are also targeted for being critical of the Verfassungsschutz, so me writing this as well as you replying positively is a likely reason to be monitored, take care!

And not just a few years ago, this is an ongoing issue. For instance, a government minister in Hessen tries to ensure that this politician from AfD (in opposition to the ruling CDU/SDP coalition) should not be able to work as a teacher.


You're conveniently letting out the part about the racist remarks which are the actual cause. I'm all in favor of not letting racists teach children.

Well, very likely the same can be said about anti-nuclear protesters: they're not excluded for "political reasons", but for criminal actions which are "actual cause". Or so someone says. (Though in the case of this teacher, it looks like no crime could be cooked up). With AfD I've heard of trying to use just the political alignment as a reason (couldn't find the link just now).

You're missing the key difference here: The maximum an anti-nuclear protester could hope to achieve through his or her actions would be to have the country quit nuclear power generation, nuclear waste storage, etc.

The political views of a far-right politician such as Höcke (probably aka Landolf Ladig[1]), if you translate them into what he hopes to turn Germany into, threaten the liberal democratic basis of the German constitution. And that we have a law against.

Naturally, the means through which said anti-nuclear activists try to achieve their goals, if only of making themselves heard, need to be legal, and if those actions are sufficiently illegal that they constitute a crime, I'm sure that will get the perpetrators in trouble and rightly so.

[1] https://andreaskemper.wordpress.com/2016/01/09/landolf-ladig...

This is drifting beside the original point, but my understanding is that the anti-nuclear movement in Germany has established a non-negligible violent culture. If you go to these protests, you know you're going to participate in or give vocal support for violent action.


(I don't mind drifting for a bit)

A considerable part of their actions is very disruptive, seeking to, in the view of the protesters, I imagine, annoy everybody involved in the transport of nuclear waste to such an extent that they'll give up, while in actuality just causing a financial burden for the taxpayer (17000(!) policemen were in service during the protest you linked to according to [1]). That includes the traditional "Schottern" (the "[removal of] gravel from the bed of the train tracks to stop the train" as the article calls it), see also [2].

Even encouraging others to go "Schottern" on the internet is punishable[3] (sorry, again only in German) and punished, though.

And with respect to physical attacks, I think those protesters are rather harmless. I believe not a single policeman was injured in the aforementioned protests, even though thousands of protests were there (1500 at some point, 5000 at another point in time).

[1] http://www.zeit.de/politik/deutschland/2010-11/castor-gorleb... [2] https://de.wikipedia.org/wiki/Schottern [3] http://www.oberlandesgericht-celle.niedersachsen.de/portal/l...

Actually I thought dozens of policemen were also injured, and police cars torched. Also a couple of paramedics were attacked if I got this right (I'm not native German).


Anyway, I think that based on this it is not entirely unreasonable that the police does keep an eye on the protesters.

However, I'm quite doubtful about the wisdom of the "Trojan" plan:


It says nowhere how the police got injured (attacked by the protesters, tripped and fell, got a dose of their own pepper spray, accidentally struck by a college when they used force on protesters). It does not say if the paramedics were attacked or if the injuries were just accidents. It also says nowhere that any police vehicles were torched, just that some police vehicles were somehow damaged.

If I recall correctly (well, this is from 2011), the majority of injured police was not at the hands of protesters but accidents, exhaustion and "friendly fire" - but a very few police got attacked or were injured in brawls and suffered minor injuries - the paramedics were mistakenly pepper sprayed by the police, and the police vehicles mostly had accidents where they drove into ditches and such, but a one or two were e.g. scrapped or damaged by people throwing train track gravel at it. Both injuries and damage (to police property), were aggravated by heavy rain and storm and the events taking place in rural areas and/or on gravel train tracks.

According to the police itself, most protesters were strictly peaceful and caused property damage to the train tracks at most ("Schottern").

So you got it mostly wrong, I'm afraid.

I do think it is extremely unreasonable and actually harmful to democracy for the police to track lawful, non-violent peaceful protesters exercising their basic rights (Grundgesetz) of free speech and freedom of assembly, or sanction or discourage them otherwise. This does not include violent people or people breaking the laws by e.g. willfully causing property damage, of course.

I also think it's very wrong to sanction people who you claim to be racist. If they are found to be unlawfully racist by an actual court, or demonstratively found to spread racist garbage as a teacher at a school, then again, that's a different matter.

If dozens of policemen are injured and a couple of police cars burn in a demonstration, and the demonstrators had nothing to do with it, I must say that this a very remarkable coincidence. The police don't trip over like that and get careless with their matches anywhere else, to such a degree.

My understanding of the demonstrations is that they were not intended as lawful, non-violent peaceful protests. The organizers wanted to make criminal damage (the "Shottern"), and some of the group were also very intent on violence.

The problem here is that anyone who was participating surely must have known what they're about to participate, even if many have themselves only wanted to not damage or hit anyone themselves. Just create a crowd where this can be done. And it is indeed hard to decide what level of surveillance is necessary and appropriate to prevent violence and large-scale damage.

The focus is a tabloid paper that belongs to the right of the political spectrum, they're rather fond of taking the police report at face value. And it's like the parent says: The police counts scratches and paint bags as "damage" (note: it's not a dozen police cars burned) as well as ankle injuries as "injured" (1). There are some clashes between the police and the protesters at the castor demos, but the demonstrations are not violent. The overwhelming majority is peaceful.

(1) That's fair to do, but something to keep in mind when interpreting the numbers.

If you're looking for samples you'll probably find sufficient if you're looking for NPD affiliates (they're not illegal either). If you look up cases where the affiliation is left-wing or anarchist you'll find even more. The standards for teachers are really very strict [1] - the must be "weltanschaulich neutral".

There's certainly a debate to be had about whether they're too strict, but IMHO, Höcke is so far across the line that I'm all in favor of keeping him out.

Edit: Note: higher standards apply for all government employees, but they're stricter for some, among them teachers, police etc.

When I started working in public sector I had to sign that I'm not a member of an unconstitutional group. As examples it included a list similar to this one: https://www.justiz.bayern.de/media/pdf/verzeichnis_extrorgan... It includes left-wing, right-wing, and islamist extremist groups.

Interestingly this list also contains the leftist party "Die Linke" which now has been a member of the federal parliament for a rather long time. That being said it's probably not a hindrance if you are a member there but you are expected to explain yourself.

Very interesting list, but perhaps it is meant to include some hardline former members of the SED?

Die Linke is seen by some as some sort of pariah in the German political landscape, due to its legacy and roots in the SED from which they never really distanced themselves in a very clear form. It's a bit of a touchy topic and the expansion to west Germany swept up a lot of nutcases, some of them in the more extremist spectrum. The topic gets even more confused since they're fairly well rooted in Eastern Germany where they are basically a left wing form of the SPD while they never managed to achieve that success in the West.

Interesting list indeed, and not only the entry for "Die Linke" is at least questionable

And who gets to decide who is a racist?

Due process is there for a reason.

In this case I don't doubt it will end up in the courts which will observe due process. The statement was "we will try by all means" and Höcke is certainly free to appeal. Though the statements quoted were obviously racist, not even thinly veiled.

The distinction we hold in America is between letting a racist teach children vs teaching racism to children -- it is the act, not the beliefs, that are controlling. Though obviously I understand why European states are more wary in such cases.

I'm against censoring. What I read here: >>hatte ... von einem "lebensbejahenden afrikanischen Ausbreitungstyp" gesprochen - was von Experten als rassistisch gewertet worden war<< [1] should not be compared with how the term 'racist' has e.g. been used in the Third Reich. As I understand, it's a scientific method to generalize and the race is a factor (among many others) and one should be allowed to say such things without loosing the job.

[1] http://www.focus.de/politik/videos/er-hatte-sport-und-geschi...

You're mistaken. There's no censoring going on at all. Höcke is free to say whatever he wants in public. He even gets more publicity and reach than most people. However, freedom of speech doesn't mean that statements are without consequence. He already collected a warning for voicing extreme right tendencies earlier (before the AFD even existed) and well, now there's consequences. He's a history teacher and fringe right wing people are just the kind of history teachers that are unfit for the job. (fringe left-wing nutcases as well).

You are wrong. Censoring [1] is exactly what I said, "the purpose of suppressing parts deemed objectionable on moral, political, military, or other grounds". He is being threatened to lose his job, this is suppression. You don't have to agree with him but one should be careful with 'fringe right wing' claims and who is or is not fit for a job. [1] http://dictionary.reference.com/browse/censoring

> You are wrong.

Just because you have a different opinion does not make yours right nor does it make mine wrong. I'll reiterate for you why I don't see any censorship here.

Bernd Höcke is "verbeamteter" Teacher. Beamte in germany are a special kind of state employees that get many benefits (1) but in return give up some liberties (2) and as part of their oath of office they commit themselves to a neutral political view in public and a very strict adherence to the constitution. All kind of extreme political opinion voiced in public are off limits for them - left or right. It's a contract that Bernd Höcke willingly and freely entered without coercion. He violated that rule in 2006 and was warned. He now violated it again. He basically violated his employment contract and for that he's terminated. He's still free to voice his opinion. No censorship here.

(1) can't be fired unless they commit a grave offense, get their health insurance and pension funded by the government etc. (2) also the right to strike, etc

sorry, he leads a party that openly called for shooting children at the border. He's fringe (or I hope so, because if he isn't, I need to emigrate)

> he leads a party that openly called for shooting children at the border.

My understanding is that

1) he is not leading the party, he is one of the speakers for the party in the local (state) assembly. And I understand he is actually repeatedly clashing with the actual AfD leadership.

2) any comments about "shooting children" or even generally changing rules of engagement regarding firearms are not, as far as I know, an AfD party position, as the party leader responds in [0]

3) I understood the comments about using firearms were for a context where authorities are under a violent attack when performing their duties. Specifically, did they mention children? I didn't think so, but I could be mistaken.

I don't need to like what the "fringe" says, but I wouldn't like to make it bigger than it is. Because precisely this kind of exaggeration is what is undermining the credibility of legitimate criticism of AfD (the most devastating kind being, "hey, what would you really do instead?" because that is a question that is very hard to answer.) Its supporters see the opponents as just twisting the truth.

(I'm not experiencing this in Germany, but there are very similar discussions going on here in the Nordic countries: enormous straw men constructions are built all the time around criticism of immigration policies, and people are really quite fed up with that. If you keep repeating to people that they are racists, they may eventually start to believe you. In Sweden, the political consensus to "exclude the extreme right fringe from politics" seems to be resulting in the "extreme right fringe" now having the second largest electoral support of all parties [1], and continuing to grow. Once they go near 50 % it's going to be hard to talk about "fringe".)

[0] http://www.dw.com/en/german-right-leaning-afd-leader-calls-f... [1] http://www.aftonbladet.se/nyheter/article22117739.ab

> Specifically, did they mention children? I didn't think so, but I could be mistaken.

you are mistaken.

can you translate this phrase? google translate produces "life-affirming African propagation type", which doesn't have any clear meaning...

The intended and implied meaning "the African race has more sex and reproduces faster"

HN doesn't disappoint ;-) knew already at writing time that this will deplete karma. (Nevermind, I have enough :-)

Nice term... who gets to define what counts. I remember a recent UK failing to protect children incident that shows the term itself is worthless to be used as any part of official government law.

What is the expected outcome of "being monitored"? If a new WWIII starts that means you'll be disappeared? In the mean time - what impact will this have on you?

I am just wondering how governments make intelligence "actionable".

Right now its mostly about “divide and conquer”. They inject moles into political groups which will then actively push for violence and extremism which in turn causes a split of the group. Another effect is that people that are active in opposition politics are always questioning whether their comrades are on the states payroll (“V-Mann”). The goals here are to 1) weaken opposition, and 2) provide plausible reason for more sate security (e.g. Verfassungsschutz).

(Historically, the Verfassungsschutz was founded after WW2 and its goal was to persecute communists. It was headed by hardcore Nazis for more than 30 years. Even the Americans called it a “phony” institution, since its name translates to “Constitution Protectors”.)

There are rumors that big parts of the Neo-Nazi scene is funded by the Verfassungsschutz. They funded and instrumented the NSU assassinations and the Oktoberfest bombing. That's only what we know of today, go figure.

If there was a fascist regime change in Germany, yes, I would expect a lot of people to be disappeared.

Impact on me personally, right now? How would you feel if there was a military black-ops agency tapping you?

In the past they used it to infect the laptop of a potentially drug trafficking medical doctor.

Of course it's unclear what the secret police is up to. This is mainly for the federal police and customs police.

> I doubt they have any professional Linux programmers working for them. Working for the State also means earning only a fraction of what you can earn in the free market.

Fortunately for them there is enough of commercial companies already that sell high-quality spyware to any government that able to pay for it.

Those companies also lack professional programmers. Actually, such companies sell for extremely expensive software programmed by students or consultants. The CCC disassembled the trojan and found out that they've used simple string manipulations to split Win32-APIs. For example OpenFile was split into "Open" and "File" etc.

In today's world we can assume that the number of programmers with deep knowledge of systems is only going to dwindle

I shudder to think of code written by interns

But why would they split 'Open' and 'File'?


It is also a usual trick to avoid detection by "heuristic" antivirus software (even in legit software).

The software was reportedly developed in-house with only a backup purchased from FinFisher.

This is so delusional and easily refuted.

It doesn't matter that it isn't perfect as long as it works. Let's assume, this one example of finfisher's (IIRC) tools was used on a lesser infraction, I don' remember specifics. Why burn a good traffic encryption that the CCC would go to analyze? The use oftools that will cost more if a simpler, even faulty tool will still beat the target, is also debateable. And why are there capable programmers at the NSA, but none could be in the BSI or BND. We even know they use tools from the NSA, so where's the difference?

Consider the debacle Stuxnet caused when there were presumably some very capable developers working on it.

Some potential outcomes of malware, poorly written or not: it spreads to other machines, it exposes information publicly which harms many third parties, it is co opted and repurposed by other criminals.

Maybe they currently don't have capable programmers but I've definitely known programmers from Germany very capable of doing such. Whether they can hire / find them or not is another thing entirely. Indeed the issue with creating a massive backdoor into everyone's system is how insecure a backdoor can and will always be, if the wrong person exploits it you now have an entire country as a botnet?

It may sound exaggerated but when I think about it, every interaction with german government sponsored software I had, has been rather terrible. Admittedly, it weren't that many occassions, but in comparison enterprise software generally felt like progressive and forward thinking as hell.

I think you have a very valid point here. Still, their intentions are worrying.

I don't buy the whole "real programmers would never make spyware." Who do you think made Stuxnet?

There are many companies willing to produce this type of software. As such the ability of the developers employed by the German government isn't an impediment to them doing something like this.

I'd say the thing to fear then is the fact that these "sucky" programmers have the power of state mandate. They should be feared in that incompetence is backed by absolute power.

They could do some scary stuff then... or at least they can fuck things up to such an effect that should be worrisome.

"I do not fear the State..."

That's a nice sentiment and while I hope you're correct it's not really good enough in any country. This state is Germany and it has two of the poster children for state terror in the last 100 years. The Stasi and well, there are times when Godwin's really doesn't apply. National Socialists happened and we can't pretend they didn't.

Neither of these two examples did the state start out the way it became.

I thought even Windows was more secure by default these days. Is there reason to think the German government can actually install trojans remotely, especially if you decline any offer to click on interesting emails?

Learning from Prism in US, I think it's highly possible. Remember the state also has control over ISPs and internet access. They can inject binary into files you download. It is very unlikely that you operate in an air-gapped computer. I've been learning some reverse engineering lately and the possibilities for injecting malicious code seem endless. If such a practice happens, people will have to live in paranoia.

Am I the only one who has no issue with these kinds of things? As long as they're treated like a regular wiretap, and only used on a crime suspect with a lawful warrant, what's the actual problem with this?

Because by taking complete control of a suspects computer, with a software that's essentially a version of backorifice, you're mudding up all the evidence you might have found. A wiretap is completely passive. Sure one might fake that data as well, but in it's nature it's different from taking control of the whole computer, I would say.

Perhaps. But no-knock search warrants are also legal. The police can break into your house and put cameras or microphones in it with a warrant. Even though the process of breaking-in does affect the evidence a little, or even opens the possibility of a cop planting drugs or something, it's generally still accepted in court.

This is basically the same thing as using malware for surveillance. I'd argue the malware is even less invasive.

Digital evidence is IMO a different matter than physical evidence. The threshold for implanting fake digital evidence is very low. You need fewer people, you can cover your traces easily... To break-in and install cameras you need to find a suitable time where the suspect is away for a long time. And you can't always break-in to the house and change things, you won't be permitted. The monitoring of the use of these trojans is the most important problem. With a trojan horse you have access to the computer 24/7 and you can do whatever you want. Of course you could argue that police could also plant fake physical evidence, but that's a lot harder to do and you need more people. (more witnesses) There is a thin line seperating a state of law from a police state.

It's true that it is probably easier to get away with planting fake digital evidence than fake physical evidence. But, I mean, there has to be some trust in law enforcement. If law enforcement does this on a regular basis - and the US police have much more in the past, especially against certain minority groups - the entire system collapses.

So until there's evidence of German law enforcement planting fake evidence, I still see no issue with this.

you should be afraid of This state, when the Germans decide to be complete idiots, they don't hold back.

someone needs to show up at their parliament or whatever they government with, in a nazi uniform, salute the bench, and start yapping about computer security in your best hitter voice.

This is the correct path forward to move society into a digital era. It follows the well established principle that the state uses force in legally proscribed ways to maintain security. Known as the “monopoly of the legitimate use of force”, this is a core concept of modern law (https://en.wikipedia.org/wiki/Monopoly_on_violence). This concept carries over cleanly from the past into the digital era. In this case govt security forces are committing digital violence in the same way that criminals do. Same thing as when the SWAT team breaks down a door, just a digital version.

The alternative is that the government co-opts manufacturers so that government agencies can carry out security tasks without using digital violence. That’s what the FBI is seeking in the Apple case and it is a much worse direction for society because it challenges the existence of strong security in our increasingly digital society.

Note that the legitimate use of force is done according to law. As stated in the article, “In order to use the malware, government officials will have to get a court order, allowing authorities to hack into a citizen's system.”. If your objection to this is “they say that it’s done according to law but we know there will also be instances of them using it inappropriately” then you are also arguing that strong encryption (and pretty much any interesting technology) should not be allowed for public use because we know there will also be instances of it being used to achieve bad ends.

I understand that the reality of police, military, etc are not as nice as the theory but I have not seen people here explicitly rejecting the use of force by the state. If you oppose the German government employing spyware, you should consider whether you also oppose it arresting people in general. I suspect most people here have no alternative to suggest in place of the centuries of legal tradition that western societies are built on.

Use of force requires transparency and regulation to avoid corruption. That's why we have things like a separate judiciary, warrants, publicly available court documents, freedom of information requests, and so on and so forth. The use of force is also minimized wherever possible; warrants restrict the scope, both for arrests and searches, and are filtered through the aforementioned public and separate judicial system. Then we have things like the Posse Comitatus Act and use-of-force guidelines encouraging or mandating diplomatic and less-lethal attempts when possible and limiting force to dedicated peacekeepers.

Governments have been using their digital force violently, indiscriminately, and secretly. None of those are acceptable even on their own and all three together is outrageous.

This is an interesting thought to consider. I'd note that there are people who aren't very happy about the present state of SWAT team usage, prosecuting folks in such a way to require plea deals, and other excesses in the state's exercising of it's powers.

On a specific line:

> If your objection to this is [...] you are also arguing that strong encryption [...] should not be allowed for public use

This is a false equivalence: asking for restrictions on the state is not equivalent to asking for restrictions on the public.

Also in general, there is no requirement to make "digital violence" the same as "physical violence". The state's use of violence is restricted by law, I don't see a reason the forbidding of "digital violence" would fall outside the legal framework already established.

One thing that's important to consider here is what happens if a corrupt government sabotages the democratic process. The US deals with that scenario via the second amendment, Germany relies on non-violent means like protests and civil disobidience (which can be very effective tools as demonstrated by the reuinition of Germany).

The problem with both approaches is that it requires organisation among citizens, which in turn requires a way to communicate with minimal danger of the secret police showing up immedietly afterwards. In the past this was ensured because surveilance was extremely hard to scale to an entire country. In recent years mass surveilance has become a reality, is increasingly hard to escape, and requires fewer and fewer human beings.

Of course right now the system is limited by judical oversight, and that's great. But over the course of decades the seperation of powers is bound to fail occasionally. We need more protection from the government than that.

>If you oppose the German government employing spyware, you should consider whether you also oppose it arresting people in general

Obviously we still need law enforcement, but police existed before the wiretap and can exist in a post-wiretap world.

> Same thing as when the SWAT team breaks down a door, just a digital version.

Not quite the same thing, because the SWAT team is not stealthy when it breaks down a door.

The stealth aspect is what bothers me about this: it's much harder to make ensure a stealthy operation sticks to all the rules than a public one.

In fact, the recent years in Germany have shown that the Parliament doesn't have firm control over what the various secret services do.

If the monopoly on violence applies to information technology as well as physics technology, then the second amendment and similar doctrines also apply. The whole Apple case could also be interpreted as the US government attempting to get around that by taxing, legislating, and undercutting the ammunition manufacturing industry out of existence.


> According to a 2008 decision by the German Constitutional Court, remote access to a citizen's computer is permissible only if there is life-threatening danger or suspicion of criminal activity against the state.

That's their usual shtick. The same was used to legitimize blanket license plate scanning (now used for speeding tickets) and data retention laws (mainly used for drug trafficking).

"Life-threatening danger" my ass.

> The same was used to legitimize blanket license plate scanning

Was that ever illegal? The license plates are publicly displayed and visible, and you could already put people on the field watching and manually noting the license plates down, or even put cameras and look at the footage later. The only thing that changes is the economics of making it automated, no?

In Germany any kind of data collection must be backed by a cause. So automated license plate scanning was illegal since it allows creation of movement profiles by the state, something that is very much frowned upon.

Putting fixed cameras up and filming the public is not legal either in Germany - you can't have a surveillance camera pointed to public space, for example filming the boardwalk in front of your house. Whether dashcams are legal is still contested [1].

Whether large=scale manual collection would be legal is an interesting question which has - to the best of my limited knowledge - never been put to the test :)

[1] a fairly ok high level summary in german: https://www.adac.de/infotestrat/ratgeber-verkehr/verkehrsrec...

> you can't have a surveillance camera pointed to public space

Interesting so a business for example can't have a camera monitoring outside (or inside) the place of business for security purposes? Can they apply for an exemption and is it normally granted?

You can monitor your own property if you inform properly (post notices, renters have to agree, ...)

> Can they apply for an exemption and is it normally granted?

No. If your camera monitors public space (streets, sidewalk, ...) it either has to be so far in the distance that it can't identify people or cars, or you have to block these parts of the image (either physically, or by blanking those parts of the signal before they are recorded. Many cameras allow to put black boxes over parts of the image in firmware)

> You can monitor your own property if you inform properly

Even that is restricted. For example it is not allowed to video monitor your employees in almost all cases. To use video surveillance you have to have a legitimate reason and even then the rights of you and the ones being filmed need to be carefully balanced.

true, i was maybe generalizing a bit to much.

Inside a business is not a "public place", it is a place to which the public have access. Outside a business is similar, unless the camera is outside and pointing to the road or pavement.

In England if you have CCTV you're expected to register with the Information Commissioner.



Even so, we're heavily surveilled in the UK.

The german BDSG references "publicly accessible areas", so it still applies in a shop. http://www.gesetze-im-internet.de/englisch_bdsg/englisch_bds...

(supercool, for that occasion I figured out that there's an official english translation, didn't know that)

They can monitor their inside place (if there is a clear sign there) and and also their door from the outside (as long as the public street isn't filmed). Videos have to be deleted quickly and can only be used for theft prevention purposes. Exemptions can't be granted by the government and courts will usually decide against business owners that violate those rules.

Afaik inside is possible but requires signs (and probably you're subject to checks), outside no. You can't even have empty camera bodies pointing to the street.

> So automated license plate scanning was illegal since it allows creation of movement profiles by the state, something that is very much frowned upon.

Is this really true? My understanding is you guys do a lot of speed limit enforcement by camera.

We do, but the camera only captures a picture of the speeder at the place where the violation occurs which constitutes a valid cause. So it's no usable for tracking (unless the target you're tracking is speeding through every radar trap). On top of that, once the ticket is paid the data is supposed to be deleted. (whether that really happens is yet another discussion)

Normally you would compare the timestamps on photos of the license plate in two places; you don't know whether or not the driver was speeding until you have the second timestamp.

Or does it only take a picture in response to an instantaneous speed measurement? This seems much less useful, as you could just speed everywhere except the tiny range of the speed trap.

German courts routinely differentiate between things done automatically at high-speed and the same action performed manually. While the former is theoretically equivalent to the latter, in practice it's impossible to do large-scale data evaluation by hand so it's not reasonable to judge them by the same criteria. Additionally, in Germany the state and the people are barred from using certain kinds of information in mass even if they had been publicly displayed.

Just as a more concrete example, I'm not allowed to point a camera out of my window and film the things happening at the lively public street below me 24/7. A single short clip of the general area on the other hand is completely fine.

>Was that ever illegal? The license plates are publicly displayed and visible

Well, you are also publicly visible when you walk around the town, but police following you around all the time without a reason/warrant is illegal (at least that's the case in my country, it should be in yours too if it's not).

Second, something being "publicly displayed" and "allowed to be scanned automatically by government (or another party), catalogued and stored for millions of people" is not the same thing.

>The only thing that changes is the economics of making it automated, no?

No, it's the "mass surveillance of citizens whereabouts" that's the illegal part that is/should be illegal. Even if it was to be performed manually by people.

Now, one could say that it's just the "economics" that changes, but beyond that, the economics are also an enabler. If it wasn't for automated scanning it would impractical to even do it, so what changes is the very possibility of this happening.

One didn't need to make non-automated license plate scanning illegal because it wasn't practical to perform it in the first place.

Sure, it could happen at low scale, with "spies" manually writing e.g. all the plates parked in an area, or whenever a particular car passes from a particular street. But it wasn't practical or widespread enough to make sense to single out and ban as a practice. The law is not an absolute affair.

But then the process of something becoming automated can be a pretty deciding factor. Say a policeman overheard you talking about something that is illegal in public, and decides to investigate. Fine and dandy. Say the government mounts microphones in all public places, and does sophisticated speech recognition on it to find people talking about illegal things. In principle, that is very similar to a policeman overhearing a conversation, in scope, it isn't. That capability opens up terrifying possibilities.

Pervasive automated license plate scanning is a qualitative change. It's one thing to have a chap by the side of the road writing numbers into a piece of paper; it's another thing entirely to track most of the routes of all vehicles in a city. You can't trivially extend the principle of one to permitting the other, since it's not feasible to flood an entire city with spotters with notepads.

The problem is that there is no probable cause for blanket license plate scanning per se - but there are certain cities that mandated ACTUAL companies to install license plate scanners/cameras on their private buildings to scan all cars driving by - then forced companies to try to keep this secret.

That should not be legal.

In Germany? Do you have a source for that?

No, California, US

Whenever I read "crimes against the state" I get scared about the intentions of those in a position to determine what falls into this category

Well, in germany that usually is meant to be "Verbrechen gehen die freiheitlich demokratische Grundordnung", that is anything that tries to overthrow the order of the state or the immutable paragraphs of the constitution. The problem is more that the restriction to crimes against the state gets lifted. The definition is actually fairly strict.

This is really the key point with regards to mass surveillance, isn't it? It's not about protecting citizens from harm, it's about entrenching the existing power structure.

I think this really illustrates one of the biggest concerns with concentrating software power in the executive: what if a totalitarian seizes control? How much damage can they accomplish?

Last time, less than 100 years ago, 2/3rds of the Jewish race was eliminated. How much damage could be done to a targeted minority in the information age? Governments by my account, have killed (6 million) an order of magnitude more innocents than terrorists ever have, and short of nukes, ever will.

When Snowden's NSA leak had just started, there was a podium discussion about it on German TV. Well, a few, but in one specifically one of the guests was a lesser german TV celebrity, known for science shows if I remember correct. If I had to guess, I would say he was probably born in Germany, but his family immigrated. And that background is plainly visible. And that is important because of one sentence he said that practically no german with a german heritage of 80 years or more would have dared to say -- "If Nazi Germany had the NSA's surveillance capabilities, the Holocaust would have been over in a month."

And this is not a theoretical worry, in an interview with Gen.Alexander there was a question whether he is worried about building this technological infrastructure and its abuse potential by future potential successor entities. His reply was along the lines of "Nothing will come after us." Which to a German, strikes a lot of similar chords to Nazi Germany's eternal Reich rhetoric.

If you're referring to the Holocaust, the state-orchestrated mass-murder part of it was actually ten million dead, not six.

And there is no something as a 'jewish race'.

You should probably take another look at some discussions around the definition of race in modern times. It certainly can be used to refer to a grouping of people by common culture, such as the "Jewish" race.

As a side note, I've seen some pretty heated arguments about this. It's a bit strange to me why this is such a contentious subject. Is this coming from people who still think we have cleanly delineated "races" like Caucasoid, Mongoloid & Negroid?

"How much damage can they accomplish?"

instantly made me think about Donald Trump... :/

Civilians are now subject to an unprecedented level of surveillance. It would be a mistake to underestimate the probabilities of abuse of personal and private information. The 'justifications' for spying are as endless as the means for carrying it out; in 2001 it was Al Queda, today it's ISIL and tomorrow it will be something else. Exactly how these surveillance programs are implemented is beside the point. The results are very clearly a loss of privacy and freedom of expression. Whether or not you're likely to become a security threat will be left to the interpretation of bureaucrats rummaging through your Evernote entries and text messages.

If you are doing nothing wrong, you have nothing to fear, citizen.

This is for your own protection, citizen.

Your prompt compliance in this matter is appreciated, citizen.

Get back in the designated free-speech zone.

It sounds like big news but I'm pretty sure that US intelligence is laughing at this kind of software... Germany is very bad on spying on its own citizens (this is by design, e.g. the privacy laws) in comparison to the USA which I think is even better on spying German citizens than their own government ;)

Good thing the EU is now forcing US companies to keep EU customer data in the EU. You know, to prevent spying on people's data.

If a government is going to spy on me, I'd rather it be my own.

I highly disagree. That you even say something like this, shows how privliged of a state you must live in.

Beeing spyed on by the same institution that has the monopoly on violence. If that institution stops liking me, I have a huge problem, a potentially life threatning situation. If the state of Iran has a simular problem with me, I don't care because they dont have a police force and an army in central europe.

Yes, it is said from my subjective point of view. I am not advocating for any state to spy on me, though.

It is interesting that you mentioned the state of Iran. They are, for example, responsible for the assassination of 85 innocent Argentinian civilians in '94, and I am sure of many other crimes around the world too. They did not have a police force or an army in Argentina. So, I think one should care.

One should care, but the question is what is more relevant. It is true that governments can act outside of their border, but its a lesser concern.

'If I'm going to be forced to eat a pile of shit for my lunch, I'd rather it be my own'

No thanks.

Against your own government you have at least some amount of leverage, be that through courts or legal system or by supporting a political movement. Against a foreign government you're out of options. There is no feasible way a german citizen can appeal an act of the american administration.

Gross, but also true.

That really doesn't make a lot of sense. I don't care if foreign governments spy on me, they can't enforce law here, my own government very much can.

Why? Foreign governments can't prosecute (or persecute) you.

Are our operating systems so vulnerable? Even if we're talking about governments, how is it still possible for someone to 'break' into my computer without me doing anything stupid. How do they plan to install Trojans into my computer?

IIRC the predecessor was injected as malware into MITM'ed software downloads.

So if the police wants to deploy it against a suspect they first get access to their network traffic and then work from there. It was intended as an alternative to breaking and entering to deploy surveillance equipment or gain physical access to hardware.

Of course this approach has several obvious limitations (e.g. encryption) but there may be other approaches in use. That's just what I remember from when the original trojan was reported on a few years back.

If it is deployed similar to other observation tools, the "großer Lauschangriff" (= big eavesdropping attack) allows for physical entry and deployment of surveillance equipment. I suspect that until there is a clear precedent saying otherwise they'll use that to deploy software on target computers.

in the US at least, Snowden revealed they were even intercepting newly purchased hardware while in-transit and introducing corrupt hardware.

Do we know who wrote this version? The last one was from FinFisher IIRC.

It's developed by the Federal Criminal Police Office [0] (german BKA) They also bought another program from FinFisher as a backup that needs to be altered to fit the regulations and stuff. [0] only in German sorry: http://www.spiegel.de/netzwelt/netzpolitik/bundestrojaner-in...

I don't know what "Steigerung der passgenauen Einsatzfähigkeit" means (I speak german; I just don't know what it means), but it sounds like they still need the exploits from FinFisher.

I think it means "better aim". "Passgenau" could mean "better fitted fit" which is actually a tautology because a "fit" already "fits".

Legal German is like any other "legal Language". Not for human consumption. ;)

I would translate it freely as "to cover more specific situations", specific exploits sounds like a candidate. Or maybe for different OSes, or against different communication software their own solution can't cover.

I just hope they don't start pressuring anti-virus makers to ignore their malware; lest we be exposed to malware pretending to be government spyware.

> The interior ministry spokesman defended the government's decision, saying "basically we now have the skills in an area where we did not have this kind of skill." The program was already endorsed by members of the government in autumn 2015, the ministry said.

By this do they mean they've only now just found and hired someone that can build this program? Is that what they mean by "skill"?

I think they used the German word "Fähigkeit" which better translates to something like ability (of an intelligence service).

"capability" would probably be the best translation of "Fähigkeit"

Ah, yes thanks, that was the word I was looking for. This is the closest translation which covers the meaning in this context.

The funny thing is they don't want to develop an all-purpose trojan. It's only meant to intercept communication before it is encrypted and sent over the wire. This came to happen because they were unable to listen in on Skype calls in the past. So they're basically deploying a trojan which is able to copy VOIP traffic.

From media reports it's unclear if communication includes chat and email, which would make the trojan a keylogger. There are lawyers that argue email, without PGP encryption, is within the 'Quellen-TKÜ' laws reach.

Furthermore the government is not allowed to turn the infected machine into a listening station, by law the flat of a person is under stronger protection than his communication.

Technically this will be really hard to enforce in software...

> "basically we now have the skills in an area where we did not have this kind of skill...

when we were STASI

Are we headed for civil war in cyber space? This is the kind of bs that starts to wake people up.

It's been a cold civil war for many years. Encryption - and communication technology in general - is a power usable by anybody, not just established institutions.

As Dan Geer explains:

    In other words, [c]onvergence is an inevitable consequence of the
    very power of cyberspace in and of itself. [I]ncreasingly powerful,
    location independent technology in the hands of the many will tend
    to force changes in the distribution of power.  In fact, that is
    the central theme of this essay -- that the power that is growing
    in the net, per se, will soon surpass the ability of our existing
    institutions to modify it in any meaningful way, so either the net
    must be broken up into governable chunks or the net becomes government.
    It seems to me that the leverage here favors cyberspace whenever
    and wherever we give cyberspace a monopoly position, which we are
    doing that blindly and often.  In the last couple of years, I've
    found that institutions that I more or less must use [...] no longer
    accept paper letter instructions, they each only accept digital
    delivery of such instructions.  This means that each of them has
    created a critical dependence on an Internet swarming with men in
    the middle and, which is more, they have doubtlessly given up their
    own ability to fall back to what worked for a century before.

    It is that giving up of alternative means that really defines what
    convergence is and does.  It is said that all civil wars are about
    on whose terms re-unification will occur.  I would argue that we
    are in, to coin a phrase, a Cold Civil War to determine on whose
    terms convergence occurs. 


http://geer.tinho.net/geer.blackhat.6viii14.txt (section "10. Convergence")

No, hunger and intolerable cruelty is what wake people up.

What's to stop someone setting up a honey trap computer all exposed with Microspy Windows running on it, and effectively summoning these guys.

I genuinely am interested in their payloads...

Nothing. Also nothing is stopping anti-virus companies from making their software detect the "Bundestrojaner" as soon as they have learned to recognize it. They have done this with the previous version, too:

https://www.avira.com/en/support-for-home-knowledgebase-deta... (2011)

For context, Avira is a German anti-virus company.

Thanks. I wasn't actually aware they're a German company. This should make it even more reassuring though: if even German anti-virus companies won't give it any special treatment, this really makes it no more of a concern than any other malware from the user's POV (other than the political debate of course).

considered how Germans are obsessed with privacy and state surveillance (see for example cash usage vs electronic payments), let's see a country going nut in 3 2 1 ...

Its legitimate use is so restricted (§20k BKAG [1] in conjunction with §4a BKAG [2]) that this would be a waste of everybody's time and effort; there's bigger fish to fry where privacy is concerned. Illegitimate use of such tools is (potentially) a different story, but that's part of the bigger problem of effectively controlling the BND and the other intelligence services.

[1] https://dejure.org/gesetze/BKAG/20k.html

[2] https://dejure.org/gesetze/BKAG/4a.html

You have a bit too positive image of us ;)

Yes, it will spark discussions again, and certainly be tested in front of our highest courts, and probably fail in some aspects and send back to the drawing boards again after a few years, but I don't expect that much "outrage", at least as long as it remains a tool for few specialized cases.

I'm working in Germany (Berlin) and I was shocked by how often you see "cash-only" signs and how electronic payments are avoided on a privacy ground. Plus I saw the reaction from a German colleagues when it was a matter of communicating some personal data to a company that manages the salaries and I realised how Germans are obsessed (not necesserily in a bad way) about their privacy

Yet they (the Germans I've known) don't seem to give a second thought to handing out their bank account numbers to businesses for electronic payment purposes. Discount card use seemed to be widespread as well despite all the tracking that inevitably comes with it. I never once got through the check-out stampede at Rewe without being asked if I had a card. I met some wantrepreneurs in Berlin who were hatching discount/reward card schemes of their own, not something that would attract much investor attention here in the States, unless of course it was "the Uber of discount cards". No, stop, that's not an Idea.

The constitutional court is expected to rule on this in April based on an older complaint which makes it even more egregious that they start using it now.

That will never happen. It's all posing. In my experience they are most likely obsessed with the privacy of others.

Let's not forget they are the country of the Stasi, where your own colleagues will report to your manager about your little Facebook habit, where people yell at you on the spot for not recycling properly and where landlords demand intrusive credit records before renting.

We won’t really go nuts over this – the trojan is so bad, it won’t do any real damage.

Goog luck hacking in my Ubuntu box with latest patches and an iptables firewall... The only reasonable way to obtain people's data is to lock them in some Guantanamo like infrastructure and get their password. Betting on weak security as a mean to control people can't eventually prevail because open systems get patched at faster speed than vulnerabilities found.

Apparently this "trojan" only works on a Windows computer.


So this goes both ways and the German citizens can monitor their government right?

On a practical level, I feel like configuring my systems as just-try<n>.come-get-me.de

If it's like any other IT project, they probably have just finished the Windows XP version of their 'trojan'.

Good luck getting a trojan onto an iOS 9 based iPhone 6.

a second one text to preinstalled one? What would be the use?

a second one text to preinstalled one? What would be the use?

It seems today's governments, like churches of the dark ages, wants too much control over what is not their fucking problem.

One could easily mirror the title as: "German citizens to use Trojan spyware to monitor governments".

> They [trojans] are often used by hackers and thieves to gain access to somebody else's data.

What does this make the German government?

If you get something on a suspect, bring him/her into custody and start your investigation but bugging them and putting their digital life at risk for the lure and greed for information gathering is just detestable and unethical.

How can someone justify spyware in any shape and form?!

I see why merkel was upset with the US spying on her...

When the state has a monopoly on force any speech against them is hate speech. Defending the censorship of people you dont like will simply come back to bite you.

We detached this subthread from https://news.ycombinator.com/item?id=11159089 and marked it off-topic.

There is a clear and well defined border of hate speech and free speech in Germany. This is untouched.

Today it may be good fun to watch people with a differing opinion get arrested and harassed as a part of "justice" but tomorrow when they decide you dont need encryption and youre the one being targeted it wont be so funny.

You are not arrested for "having an opinion" but if you call for violence, deny the holocaust or endorse genocide. Those are not opinions.

Nobody moves the definition every day and it has nothing to do with encryption nor can those laws ever used against encryption by definition as they all include doing something in public.

Probably everybody who knows the German society will know whether something is "just an opinion" or violates one of those laws just be looking at most statements. It's one of those "I know when I see it" definitions that is shared among Germans. That being said courts have created very narrow and clear precedent on those laws.

>You are not arrested for "having an opinion" but if you call for violence, deny the holocaust or endorse genocide. Those are not opinions.

Those are all opinions. An opinion is a view or judgement on a given item. Just because they are opinions you do not like doesn't make them anything more than opinions.

>Nobody moves the definition every day and it has nothing to do with encryption nor can those laws ever used against encryption by definition as they all include doing something in public.

Nobody moves to definition? Talk to me about the use of spyware on citizens, I'm pretty sure that definition just got moved.

>Probably everybody who knows the German society will know whether something is "just an opinion" or violates one of those laws just be looking at most statements. It's one of those "I know when I see it" definitions that is shared among Germans. That being said courts have created very narrow and clear precedent on those laws.

Well if the state say so then it has to be okay right?

The thing is, this discussion is really off-topic. This spyware has nothing to do with hate-speech laws. It's supposed to be used in instances where wiretapping is legal but not possible. The idea is that the spyware wiretaps "at the source". Again, that has absolutely nothing to do with hate-speech laws and no definition has been shifted.

You will probably not even find a reasonable number of people living in Germany in favor of repealing those laws let alone something near a majority. Those laws are ok because the people living here are ok with those kinds of hate-speech laws. If you don't like it you are free to stay away from Germany.

Merkel has already told facebook and twitter to delete comments and ban accounts negative of her 'policies'.

This is not true at all. The German Government is asking Facebook to delete comments which could be categorized as hate speech ("Volksverhetzung" in German). These comments are not "negative of her policies", they are calling on people to kill, gas or otherwise attack refugees, politicans or journalists. They are simply asking Facebook to comply with German law.

Some comments comparable to those in question are curated at a tumblr blog (https://perlen-aus-freital.tumblr.com/). Those comments are anything but a political statement against Merkel's policies. They are born out of pure hatred.

I cannot stand these racist morons myself. And a lot of what I have seen in the last months clearly violates German law. But I think it’s very problematic to put some private company in charge to do this censoring.

The “no censorship (with some exceptions)” law in our constitution is usually interpreted in the sense that you can say, write, show, publish anything you want and that only afterwards a court can rule that it’s violating some law and censor it („Verbot der Vorzensur“). This principle is turned upside down when the government demands that private companies do the censoring and all public oversight is lost.

Also: I’m pretty sad that gone mad „Asylkritiker“ are here too :( I always thought of hackernews as this little civilized island.

When a state defines 'hate speech' laws they're really defining 'thought criminal' laws.

Merkle and co. are trying to manipulate public opinion through the destruction of contrarian thought from the public realm.

Hate speech laws and thought crimes are on a totally different level. In Germany you are completely free to use the most blatant hate speech as much as you like as long as you don't do so in public.

Those laws are also not created by "Merkel and co." but decades old and introduced by the allies after the second world-war.

No they are not (as outlined aboved). Death threats are not part of any public discourse nor political statements. People are able to oppose the government's policies without being silenced.

On a related note, the hate speech laws have not been introduced by the Merkel government.

When someone incites people to attack Cologne mayor Henriette Reker in an attempt to kill her for her positive views and policies regarding immigration and refugees, I'd classify this speech as "hate speech & call for violence" and should be dealt with swiftly and firmly in accordance with the law.

It's not just hate speech. "Volksverhetzung" implies that it is also incitement to commit crimes.

When you stand on the street and loudly demand that specific people or groups of people should be killed or injured in specific ways, that's a different matter from just saying those same people shouldn't be allowed into the country or should be deported.

One is demanding a change in policy or political action. The other is demanding vigilante "justice" and lynching.

This has nothing to do with Merkel (who btw is a conservative -- her refugee policy has been the single most liberal thing she did since entering office) and everything to do with upholding the constitution and the state of law.

Whether you demand the murder of refugees, nazis or antifa, if you openly do so while addressing the public, you are committing a crime under German law. The law protects all humans, not just refugees.

This is not because of "her policies".. it's because of German law. USA cannot dictate laws in Europe!

Doing hate speech against ethnic groups or sympathize with Hitler in public is no problem for Facebook it seems (German: Volksverhetzung). Here in Germany it is and was against the law!

At the same time USA and facebook is getting crazy and deletes posts immediately if you see naked female body parts! This is not against any law here in Germany.

So what is more dangerous for the public?

She is asking them to remove racist comments that call for violence.


Wow, you really have no idea what you're talking about

Source please?

Anecdotally speaking, FB & TW are doing an awful job of complying with Merkel's "supposed orders" as I see people dissing her and her policies esp. immigration whether for or against all the time and in German too.


On the sidelines of a United Nations luncheon on Saturday, Merkel was caught on a hot mic pressing Zuckerberg about social media posts about the wave of Syrian refugees entering Germany, the publication reported.

The Facebook CEO was overheard responding that "we need to do some work" on curtailing anti-immigrant posts about the refugee crisis. "Are you working on this?" Merkel asked in English, to which Zuckerberg replied in the affirmative before the transmission was disrupted.

This does not concern mere anti-immigrant posts but those that are blatantly against long-existing German laws, such as calls for violence, incitement of the masses, trivialization the actions of the Nazi regime and so on. Those have been against Facebook's own community guidelines before but enforcement has been spotty.

Don't bother... "actionwords" is a troll account, created 2 hours ago. I am not so sure if it is a troll with political motivation or just a "for the lulz"-kind. On a side-note: it is very interesting that on HN, these kinds of trolls are way less visible than on other platforms

Ah, thanks that's what I suspected but never checked. Nonetheless I think that the responses of me and others in this subthread should provide a good view to how those things are handled differently in Germany to those who are not trolling.

She is not asking to remove content critical of her policies, she is asking to remove content promoting violence or racial hatred. You can criticize her policies as much as you want.

This is just friendly chit chat/small talk on the sidelines of a UN event not the draconian and sky-falling issue as you portrayed it.

Don't you think that something that grave would warrant official communications instead other than informal exchange of words without a single mention of refugees or immigrants?

Much ado about nothing!

It's hardly a secret, the government is very open about curtailing hate speech on social networks. It's not a huge step in a country where everybody is used to Holocaust denial being a crime (much to your chagrin, I'm sure).

Could you please not try to derail the discussion with unrelated discussions? While there is a lot to debate in that space, it doesn't really have anything to do with these surveillance tools.

Do you have any reference about that?

There's been 3 references posted already. All social media is monitored in germany for state-defined 'hate speech' ie, anti mass illegal immigration speech.

I will always remember that days when german businesses requested servers in their offices because AWS was under NSA...

This is not an uncommon request... actually a lot of German companies (especially the bigger ones) will never trust public cloud infrastructures especially when they are based in another country.

The difference is that the NSA is legally allowed to intercept ALL traffic and access ALL data whereas the "Bundestrojaner" has to meet very tight regulations to be deployed and can only be deployed individually.

The concern with the NSA is dragnet surveillance. The concern with the Bundestrojaner is pinpoint surveillance (plus the high risk of third party abuse of infected systems and the chance of infecting unrelated systems).

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact