Hacker News new | more | comments | ask | show | jobs | submit login
“100 spies” will monitor all SMS and email that goes in and out of Norway (translate.google.com)
108 points by DyslexicAtheist 17 days ago | hide | past | web | favorite | 46 comments

This article references another news article as their source.

Link to original: https://translate.google.com/translate?sl=no&tl=en&u=https%3...

At least the Norwegians (and other Scandinavian countries) are publicly open about what they are doing. You'd probably never see this 'news story' in the UK or US except as the solution to some event that supposedly justified it

Meh, we have had the same thing as you guys for a long time. FRA (the signal intelligence in sweden) has been recording our border-passing communications for many years. This is maybe not new knowledge, but definitely not that widespread.

The information gathered (oh, they have access to XKeyscore) is then shared within X eyes (nine? fourteen?) program. The extent of FRA's intelligence operations was not known before snowden.

Some of it became more public knowledge in 2008 when there was a new law that gave them permission to do cable interception. It was later confirmed that they had been doing cable interception before the law was enacted, in conflict with the law, but "with acceptance" of the administration.

Sweden is really not much better than other countries. Norway is following suit, but with a slightly "better" law that at least requires secret court orders to store other things than metadata of things passing the border.

Edit: oh, and they are allowed (or at least not strictly disallowed) to do targeted hacking, which they have done in cooperation with other (NSA) intelligence agencies.

But, at least we do not have a secret bugdet like other democracies :) . They got about 1 billion SEK last year, or about 0.1% of the national budget.

Guess again.

https://www.ft.com/content/eef717f2-bb6e-11e8-8274-55b729265... https://www.army.mod.uk/who-we-are/corps-regiments-and-units...


There is so much information available in democracies if you have the time to work through it, that they are effectively protected just by the sheer amount of documentation an interested observer has to plough through.

Start with the annual budgets - they´re extremely informative as to what the real issues are.

Imagine if the "100 spies" were representatives you could vote for.

This is a proposed bill and is far from being implemented yet. It is currently being evaluated by all involved departments, institutions and companies and has predictably received sharp critique from many angles. It will be interesting to see if it survives the process at all.

How does that work with encrypted transport? Yahoo, Microsoft, Google and of course many others, all provide IMAP over TLS so sending email to them and receiving from them doesn't go in the clear.

My personal belief is that they dont. Best they could achieve is trapping the ISP's sending mail server in Norway before the mail is encrypted but there is no capability to decrypt SSL without obtaining the keys.

They could still store metadata like sending IP address, timestamp etc.

Using foreign webmail via HTTPS would not be intercepted in any possible way. Unless they get support from the service provider in question. I think the service providers you mention will comply with law enforcement and give out your data. But those are isolated cases and mass data required by intelligence services is a different thing. National security letters are only for US Govt use and other governments have no access.

I also think legislation like this is years late now that about every protocol has encrypted variants and they don't get any meaningful results compared to the money spent.

They get the keys from the NSA.

(Sarcasm, but a non-zero fear that it's true.)

I thought that the NSA used backdoors and didn't need keys... (ie: direct access to large corporation's servers, where the data is not encrypted)

In the majority of cases, TLS for SMTP (delivery between MTAs) is still trivially downgradeable. So they could presumably downgrade and read SMTP traffic that's going between MTAs in Norway and MTAs outside Norway.

Wouldn't that also be trivially detectable?

Of course, as long as you're one of the parties involved in the SMTP communication.

The problem is that even though you're trivially able to detect that TLS is not in use, the vast majority of mail providers won't act on that knowledge by refusing to send mail unencrypted (except maybe for some hosts explicitly whitelisted for that approach).

Why? Too many broken TLS setups, historically. Might be better now, I vaguely remember some push towards that from the big providers.

From one party's perspective, it may just look like the other party does not support TLS. Without another point of reference, MTAs can't tell the difference between a lack of TLS support and a downgrade attack.

Alternatively, the government could also conduct a TLS certificate man-in-the-middle, which would work in most cases since almost no MTAs validate certificates outside of occasionally trying DANE (a spec for pinning certs over DNSSEC).

Because almost nobody in the real world uses DNSSEC, there's a standard in the works that addresses this threat more directly:


Even the data is encrypted is worth to save for the future. They will be able to access when they have the key or when some quantum computing breaks it.

Like most gov, they probably have access to a root CA and they MITM.

There are currently no publicly trusted CAs participating in such a scheme. If there were, it'd be trivially detectable due to the millions of fraudulent certificates showing up in Certificate Transparency logs.

Of course they won't tell you that they are doing it...

They _have_ to tell you, there's no alternative option. If they don't publish the certs in multiple logs, then they aren't considered valid by browsers.

Didn't a new Norwegian CA offer free https certs a while back? </tinfoil>

Clickbait title. It's a proposed bill.

I'd watch that movie though.

100 people in suits and tie intercepting "Norsemen" memes and analyzing fake-book reviews such as "The Dragon with the Girl Tattoo"

edit: apologies just realized the latter was Swedish not Norwegian

pours drink into chess computer

I doubt most tech literate criminals won't use something like Telegram or Matrix over a tor relay.

Whenever I and my girlfriend talk about anything too personal, I always joke about the government's ability to hear our conversation.

WhatsApp and Viber provide cryptographic communication but, if I'm not mistaken, it needs to be explicitly enabled and I've also read there's a bunch of metadata exposed.

You are mistaken about WhatsApp. It does end to end encryption by default. What needs to be explicitly enabled is that theoretically WhatsApp/some bad guy could steal an WhatsApp account, and it would create a new public key, and if you didn't turn on security notifications, you might not be aware that the person you think you are talking to changed. You also should verify that the end to end encryption keys match, but most users are not paranoid to that level.

I heard a couple of times, after people get a new phone number, after installing WhatsApp, they see the conversation from the old owner of this phone number. How can this happen then?

If you really mean conversations of the original owner, I can't believe that's true after e2e has been enabled.

But it could be that messages sent to the original owner are received, since WhatsApp automatically re-encrypts and sends messages if the message has not been received yet and the key has been changed. So basically that would mean the message would be sent when the previous owner already changed their number. So the people shouldn't have sent the messages at all.

WhatsApp e2e encryption just makes sure that the only person that can read the message is the owner of the number, not necessarily the person you want to send it to.

WhatsApp also does backup.

In drive&icloud(?) AFAIK, so that would be linked to the owner of the phone at that time.

Doubtful that they are seeing the old conversations, but people with the old phone numbers can send new messages to the new account with this phone number, continuing an old conversation.

Quite many crimes are such that if you were a smart person, you would not be committing them in the first place.

I think this is why even simple things such as wiretapping and checking which cell phones registered near the crime scene still work.

I assume "100 spies" is the name of the server running all the traffic is funneled through.

the tag name of the docker container that runs on the same Linode VPS as the rest of Norway's Internet infra. /s

edit: just some friendly (immature) banter from another European

How exactly does this work with encryption, which is becoming more and more prevalent? E.G., Tor...

You decrypt the traffic. Or you monitor on a point in the chain where the traffic has already been decrypted. I think what you meant to ask was how do they obtain the decryption keys or establish a point of presence post-decryption?

You can't decrypt the traffic. You can however monitor it at a point that traffic has already been decrypted. SMS messages are not encrypted and email is only encrypted between you and your email provider whether that email goes on to its final email recipient server encrypted or not is entirely up to the email provider.

> You can't decrypt the traffic

Sure you can. There are many how-to's on decrypting SSL/TLS using wireshark, you just have to have the keys. Here's one - https://support.citrix.com/article/CTX116557

100 New/More/Added Spies. Not "100 spies".


You are definitely not only one mate

You aren’t shadow banned.

Sounds like it's only meta-data of emails, not actual content when TLS is used.

When TLS is used there is no metadata either... server x talked to server y for a while, but what, if anything, happened we know not.

>When TLS is used there is no metadata either... server x talked to server y for a while, but what, if anything, happened we know not.

Quite a bit of metadata really...

Client X: IP address

Server Y: IP address

Client X request: TLS parameters that can be analyzed through TLS fingerprinting

Server Y response: Hostnames supported by SNI

Server Y response: TLS parameters that can be analyzed thorough TLS fingerprinting

In this case running your own server works against you.

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact