My varied interests include, among others:
Attack techniques on servers and networks
One of the questions that keeps us sysadmins busiest is: do we have enough coffee? Closely followed by: are my systems and my network configured securely and properly protected? The first question is always easy to answer: no, go and get some more. The second is much harder. What do "secure configuration" and "security" even mean? Secured against what, and against whom? Should I deny everything by default and allow only what is explicitly listed (a whitelist), or allow everything and block only what is explicitly forbidden (a blacklist)? What should my firewall rules look like? How do I tune the spam filters? Which password policy is reasonable, and which backup strategy should I use? To answer these questions and act on them, a certain understanding of attack techniques and of the kinds of attackers is essential, because "If you know yourself and the enemy, you need not fear the outcome of a hundred battles." (Sun Tzu)
"The greatest achievement is to break the enemy's resistance without a fight."
Open conflict with the attacker (hacking back) is a fight you will always lose, so leave it alone. As long as you do not know your attacker, his intentions and his tactics, all you can do is watch him and fear him. War is above all the high art of deception: let him see what he is supposed to see and think what he is supposed to think, and then strike often and hard.
Honeypot
A honeypot is a computer system designed to attract targeted attacks. Its purpose is to mislead the attacker, to divert him from the real target, to log and analyse his attack methods, or to identify him. The decoy can be a piece of software, a PC, a server or a network component. It presents itself to the outside world as an attractive target and may deliberately be left with security holes. Because no legitimate user has any business talking to a honeypot, every connection to it is suspicious by definition, which makes it a low-noise detection sensor as well as a decoy.
Protection of a server
The most important additional measures include:
Integrity check:
The task of the integrity check within the basic architecture is to monitor the files relevant to the operating system. It detects changes to the content of configuration files as well as changes to the access permissions of these files. In practice a baseline of cryptographic hashes and permission bits is recorded on a known-good system and compared against the live system at regular intervals; the baseline itself must be stored where an intruder on the server cannot rewrite it, otherwise he simply updates it along with the files.
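As an added example (not part of the original page and not the code of any particular integrity checker), the following Python script implements a minimal version of such a check: it records a SHA-256 digest, the permission bits and the owner of each monitored file as a baseline and later reports content changes, permission changes and missing or new files. It runs against a temporary directory holding two constructed "configuration files"; the file names, their contents and the tampering scenario are assumptions for illustration.

```python
"""Minimal file integrity check (added example, not the page's own code).

Baseline = SHA-256 digest + permission bits + owner for each monitored file.
A later check reports: content changed, mode changed, owner changed,
missing, new file.  The demo uses constructed files in a temp directory.
"""
import hashlib
import os
import stat
import tempfile


def fingerprint(path):
    """Return (sha256 hex digest, mode string such as -rw-------, uid, gid)."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest(), stat.filemode(st.st_mode), st.st_uid, st.st_gid


def build_baseline(paths):
    """Fingerprint every regular file in `paths`; keep the result where the attacker cannot write."""
    return {p: fingerprint(p) for p in paths if os.path.isfile(p)}


def check_integrity(baseline, paths):
    """Compare the live state of `paths` with `baseline`; return a list of (path, finding)."""
    findings = []
    current = build_baseline(paths)
    for path, (digest, mode, uid, gid) in baseline.items():
        if path not in current:
            findings.append((path, "missing"))
            continue
        cur_digest, cur_mode, cur_uid, cur_gid = current[path]
        if cur_digest != digest:
            findings.append((path, "content changed"))
        if cur_mode != mode:
            findings.append((path, f"mode changed {mode} -> {cur_mode}"))
        if (cur_uid, cur_gid) != (uid, gid):
            findings.append((path, "owner changed"))
    for path in current:
        if path not in baseline:
            findings.append((path, "new file"))
    return findings


def demo():
    """Constructed scenario: take a baseline, then tamper with the files as an intruder might."""
    tmp = tempfile.mkdtemp()
    sshd_config = os.path.join(tmp, "sshd_config")   # hypothetical copies, not /etc
    sudoers = os.path.join(tmp, "sudoers")
    backdoor = os.path.join(tmp, "rc.local")
    for path, text in ((sshd_config, "PermitRootLogin no\n"), (sudoers, "root ALL=(ALL) ALL\n")):
        with open(path, "w") as f:
            f.write(text)
        os.chmod(path, 0o600)
    baseline = build_baseline([sshd_config, sudoers])

    with open(sshd_config, "a") as f:          # content change
        f.write("PermitRootLogin yes\n")
    os.chmod(sudoers, 0o666)                   # permission change, content untouched
    with open(backdoor, "w") as f:             # new file the baseline never saw
        f.write("nc -l -p 4444 -e /bin/sh &\n")
    return check_integrity(baseline, [sshd_config, sudoers, backdoor])


if __name__ == "__main__":
    for path, finding in demo():
        print(f"{finding:35s} {path}")
```

Run the script as it is to see the three findings; on a real server you would generate the baseline right after installation, sign or move it off-host, and run the check from cron.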
User administration and access control:
To allow users and authorizations to be maintained centrally, the operating system's user administration is linked to a central user directory. Before a user can access data or resources, access control checks the user's authorization against the access rights. If the required permissions are not held, access to the data is denied.
Patch and change management:
To close security holes and fix errors in the operating system and services, the server is connected to a patch and change management system that installs security updates and bug-fixed software. This shortens the time during which known vulnerabilities are exploitable and improves the stability (and thus the availability) of the server.
Data backup:
The backup of a server ensures that, in the event of data loss, the data can be restored from the backup so that IT operations resume quickly. A backup is only worth anything if restores are tested regularly and at least one copy is kept where an attacker who has compromised the server cannot alter or delete it as well.
Monitoring:
Monitoring in particular plays a central role in the operation of servers, since the failure of a server is not always immediately noticed. A faulty function or the failure of one component is often only detected via other components that no longer function properly.
Furthermore, only the services that are strictly necessary should run on a server, and every port that does not need to be open for operation should be closed. Moving a service such as SSH to an unprivileged port reduces the noise from automated scanners, but it is obscurity rather than a security control: any port scanner (see below) finds the service within seconds, so authentication and access restrictions still have to be right. Programs such as fail2ban protect against brute-force attacks by banning source addresses after repeated failed logins. rkhunter and chkrootkit help to detect rootkits. A suitable cron job keeps the system up to date.
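fail2ban does its job by reading the authentication log and banning a source address after too many failures within a short window. The following Python script is an added example (not from the page and not fail2ban's own code) of that detection logic run over a handful of constructed sshd log lines; the host name, the addresses and the thresholds (5 failures within 600 seconds, which are fail2ban's default maxretry and findtime) are assumptions for the demo.

```python
"""Brute-force detection over sshd log lines (added example, fail2ban-style logic).

A source address is banned once `maxretry` failed logins fall inside any
`findtime`-second window.  The log lines below are constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime

# syslog-style line as written by OpenSSH; "invalid user" appears for unknown accounts
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

SAMPLE_LOG = """\
Mar  3 10:00:01 srv sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Mar  3 10:00:03 srv sshd[2102]: Failed password for root from 203.0.113.5 port 51001 ssh2
Mar  3 10:00:04 srv sshd[2103]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Mar  3 10:00:05 srv sshd[2104]: Failed password for invalid user oracle from 203.0.113.5 port 51002 ssh2
Mar  3 10:00:07 srv sshd[2105]: Failed password for invalid user test from 203.0.113.5 port 51003 ssh2
Mar  3 10:00:09 srv sshd[2106]: Failed password for invalid user pi from 203.0.113.5 port 51004 ssh2
Mar  3 10:00:11 srv sshd[2107]: Failed password for invalid user guest from 203.0.113.5 port 51005 ssh2
Mar  3 10:01:00 srv sshd[2108]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Mar  3 10:20:00 srv sshd[2109]: Failed password for bob from 198.51.100.7 port 40002 ssh2
Mar  3 10:40:00 srv sshd[2110]: Failed password for bob from 198.51.100.7 port 40003 ssh2
"""


def parse_failures(log_text, year=2024):
    """Return [(timestamp, source ip)] for every failed-password line (syslog carries no year)."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"]))
    return events


def find_brute_forcers(events, maxretry=5, findtime=600):
    """Sliding window per source: ban when `maxretry` failures occur within `findtime` seconds.
    Returns {ip: timestamp of the failure that triggered the ban}."""
    window = defaultdict(list)
    banned = {}
    for ts, ip in sorted(events):
        if ip in banned:
            continue                      # already banned; later packets are dropped by the firewall
        w = window[ip]
        w.append(ts)
        while (ts - w[0]).total_seconds() > findtime:
            w.pop(0)                      # forget failures older than the window
        if len(w) >= maxretry:
            banned[ip] = ts
    return banned


def ban_commands(banned):
    """Firewall rules a ban action would run (iptables syntax as an example)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(banned)]


if __name__ == "__main__":
    hits = find_brute_forcers(parse_failures(SAMPLE_LOG))
    for ip, when in hits.items():
        print(f"ban {ip} after failure at {when:%H:%M:%S}")
    print("\n".join(ban_commands(hits)))
```

Note that the slow attacker at 198.51.100.7 (one failure every twenty minutes) stays under the default window; lowering maxretry or widening findtime catches him at the price of more false positives, which is the usual trade-off when tuning these filters.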
The attack scenarios in the IP protocol and the layers above it can be roughly classified as follows:
IP level: IP spoofing, ICMP attacks, routing attacks, broadcast storms via ARP abuse, IP fragmentation attacks, packet bombing
TCP level: SYN flooding, TCP sequence number attacks, termination of TCP connections, take-over of TCP connections (hijacking)
UDP level: UDP spoofing
Application level: attacks on the DNS system, attacks on mail systems, Telnet attacks, FTP attacks, attacks on news servers, attacks on web servers
"It is a war doctrine not to assume that the enemy will not advance, but to rely on one's own willingness to confront him; not to assume that he will not attack, but to take precautions for one's own invincibility. The Distributed Denial of Service< /strong>
(DDoS) attack is a "distributed" denial of service (DoS) attack, which in turn is a service blockade. This occurs when a requested service is no longer available or only available in a very limited way. In most cases, the trigger is a deliberate overload of the IT infrastructure.
What does a DDoS attack look like?
In a DDoS attack, attackers deliberately make a service or server unavailable. One way is to infect a large number of computers with malware that lets the attackers control them unnoticed. This network of infected computers, known as a botnet, is then directed remotely at the target: all bots attack in parallel and bombard the target's infrastructure with countless requests. The more computers are joined together, the more powerful the attack. A server without DDoS protection is overwhelmed by the enormous number of requests, or its Internet uplink is saturated; websites load very slowly or not at all.
Who are the attackers?
The motives for a DDoS attack are just as varied:
extortion, damaging a competitor, envy, or political protest.
What methods do attackers use?
Cyber criminals use different types of DDoS attacks. The methods can be ordered by the layer of the OSI model (Open Systems Interconnection model for network protocols) at which the attack is aimed. One of the most common methods is to exhaust system resources or network bandwidth (layers 3 and 4, for example SYN floods). In recent years the trend has been towards attacks on the application layer (layer 7), for example floods of expensive HTTP requests, which need far less bandwidth to be effective. The patterns and bandwidths of DDoS attacks, however, change daily.
Find open ports
A port scan probes a host or network for open ports. To do this, the port scanner sends TCP packets to ports on the target and waits to see whether they accept a connection, in which case they are open. A closed port answers with an RST packet; no answer at all indicates a packet filter. UDP scans and other techniques (such as the FTP bounce scan) are used to find further open ports. Besides open ports of services such as HTTP, SMB, FTP, iSCSI, SMTP, SNMP, MySQL and MongoDB, a system and network scan also determines host names and MAC addresses (the latter only for hosts on the local network segment, since MAC addresses do not cross routers).
What you should know about the different techniques
The purpose of TCP port scanning is to discover the network services a target system offers. The idea is simple: a test packet is sent to the target port, and from the response, or the lack of one, the port is inferred to be in one of three states: open, closed or filtered. An open port accepts incoming connections in order to provide a specific service. On a closed port there is no application accepting incoming connections, so such a port rejects any connection request. If packet filtering is set up to drop packets sent to the destination port, the port is filtered; in that case it is usually impossible to tell whether it is open or closed.
To understand the methods used for TCP port scanning, one central mechanism of the Transmission Control Protocol has to be understood: connection establishment. There are essentially two scenarios:
In the first scenario (open port), an application on host B listens for incoming connections on a specific port. The port is therefore considered open; more precisely, it is in the state TCP LISTEN. When a connection request arrives in the form of a SYN (synchronize) packet, the target system (host B) responds with a SYN/ACK packet to acknowledge the synchronization. As soon as host A, the host from which the request originated, replies with an ACK packet, the connection is established on both sides.
In the second scenario (closed port), no application listens on that port on host B. The port is considered closed and is in the state TCP CLOSED. On receiving a connection request, host B rejects it with an RST (reset) packet.
Packet filtering leads to a third scenario. Here, packets sent to the target port are simply dropped, either on an intermediate system or on the target itself, so the target never answers. Since no response arrives for the test packet, the port is called filtered. In some cases packet filters are configured to signal rejected packets with ICMP (Internet Control Message Protocol) error messages instead. Two considerations apply to filtered ports. First, if there is no response to a test packet, one cannot tell whether the port is being filtered or whether the packet was simply lost, for example in a congested network. Second, even assuming that no packets are lost, one has to wait longer than for open and closed ports before concluding that the port is filtered.
In summary: in the first two scenarios there is a positive response that clearly indicates the port state. For a filtered port, however, you have to wait out a timeout before you can be reasonably sure that no response is coming from the scanned host.
The Connect Scan
The simplest method of TCP port scanning is the TCP connect scan. Here the scan tool simply tries to establish a normal TCP connection to the target port using the ordinary functions and system calls of the operating system. The time needed to learn the state of a port can be estimated as follows. Open or closed: about one round-trip time, since the tool waits until the SYN packet has reached the target and the SYN/ACK or RST has come back. Filtered: usually at least 75 seconds, an implementation-dependent value after which the connection attempt times out; a scan tool can shorten this by setting its own timeout.
Because the local TCP/IP stack, usually in the operating system kernel, handles the connection requests, another important aspect of the connect scan is that every port being scanned ties up system resources for that TCP connection, among them an entry in the table of existing connections, which ultimately limits how many ports can be scanned at the same time. Also worth knowing: for an open port the TCP connection is established completely. A monitoring device such as an intrusion detection system (IDS), or the service itself, can therefore log the IP address of the scanning node and know that it is genuine, because a three-way handshake cannot be completed from a spoofed source address. That is undesirable if the scan is part of malicious activity. A TCP connect scan is invoked with Nmap as follows: nmap -sT example.com
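The connect scan is the one scan type that needs no privileges, because it only uses the socket API. The following Python script is an added example (not part of the page and not Nmap's code) of exactly that: it maps the outcome of connect() onto the three port states described above and scans several ports in parallel with a thread pool, which also makes the resource cost visible (one socket and one kernel connection entry per worker). To run offline, the demo opens a listening socket on 127.0.0.1 itself and scans that port plus one on which nothing listens; the addresses and timeouts are assumptions.

```python
"""TCP connect scan in Python (added example, not the page's code; the same
thing `nmap -sT` does through the operating system's connect() call).

open     -> connect() succeeds: SYN/ACK came back, handshake completed, socket closed
closed   -> ECONNREFUSED: the target answered RST
filtered -> timeout or host/net unreachable: nothing (or an ICMP error) came back
The demo scans a listener it starts itself on 127.0.0.1, so it runs offline.
"""
import errno
import socket
from concurrent.futures import ThreadPoolExecutor


def connect_scan_port(host, port, timeout=1.0):
    """Classify one port with a full three-way handshake."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"                # the service may log this connect-and-close
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"            # no SYN/ACK and no RST within the timeout
        except OSError as e:
            if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "filtered"        # ICMP unreachable from a router or filter
            raise


def connect_scan(host, ports, timeout=1.0, workers=32):
    """Scan several ports in parallel; each worker ties up one socket and one
    kernel connection-table entry, which is the resource cost the text mentions."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: connect_scan_port(host, p, timeout), ports))
    return dict(zip(ports, states))


def _start_listener():
    """Open a listening socket on an ephemeral port and return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)                        # the kernel completes handshakes into the backlog
    return srv, srv.getsockname()[1]


def _free_port():
    """Find a port with nothing listening on it (bind, read the number, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Scan one listening and one unused port on localhost; return their states."""
    srv, open_port = _start_listener()
    closed_port = _free_port()
    try:
        states = connect_scan("127.0.0.1", [open_port, closed_port], timeout=2.0)
    finally:
        srv.close()
    return {"listening": states[open_port], "nothing listening": states[closed_port]}


if __name__ == "__main__":
    for what, state in demo().items():
        print(f"{what:20s} {state}")
```

Run it unprivileged; the listener in the demo never calls accept(), yet the port still reports open, because the kernel completes the handshake on the server's behalf. A filtered result only appears against a real filter, which the offline demo cannot produce.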
The SYN scan
When a TCP port scan is performed, there is usually no interest in actually establishing a connection to the target system. The intention is rather to get a response, or no response, to the test packet, which is typically a SYN packet. For this reason TCP scan tools generally implement the so-called SYN scan. In a SYN scan the test packet is a SYN packet crafted by the scan tool itself rather than by the underlying TCP implementation. This has several advantages. Scanning a port does not bind local resources to the scanned ports; the operating system kernel does not even notice the connection attempt. Since the TCP connection is never completed even for open ports, the scanned node cannot tell whether the source address of the test packets was spoofed or otherwise manipulated; this is especially true when decoy traffic is used to hide the actual scanning traffic, as with Nmap's -D option. It usually also results in fewer packets, because connections on open ports never have to be closed or aborted; the tool simply answers the SYN/ACK with an RST. Since this technique requires the scan tool to craft TCP packets itself, superuser privileges (root on Unix, for the raw socket) are usually required. That is no longer much of a hurdle today, as users generally have full control over the system they are scanning from. To perform a SYN scan with Nmap, type: nmap -sS example.com
The FIN, NULL and XMAS scan
The TCP specification defines processing rules for all conceivable packet scenarios, including ones that are theoretically possible but hardly ever occur in practice. Some of these scenarios can be triggered deliberately and used for port scanning. For example, the specification says that if an incoming TCP segment without the ACK bit arrives and it is neither a SYN nor an RST segment, the host must respond as follows: if the port is closed (state TCP CLOSED), an RST segment is sent back; if the port is open (state TCP LISTEN), the segment is silently discarded. Because the same packet produces two different reactions depending on the state of the port, such packets can be used for port scanning. Any packet without the ACK bit that is also not a SYN or RST will trigger one of the two reactions. If no TCP flag at all is set in the test packet, the technique is called a TCP NULL scan. If only the FIN (finish) bit is set, it is a TCP FIN scan. If the FIN, PSH (push) and URG (urgent) bits are set, it is an XMAS scan. Although the names differ according to the bits set, all three methods rely on the same TCP processing rules.
A possible advantage of these techniques over the connect and SYN scans is that they can still work when packet filtering blocks incoming connections by discarding SYN packets. As with the SYN scan, the target cannot tell whether the test packets come from a spoofed source address, particularly when decoy traffic is used. On the other hand, these methods can lead to a wrong interpretation of the port state. Since one of the two possible results, a dropped test packet, is what an open port produces, a packet dropped because of network congestion or for any other reason is misread as an open port; Nmap therefore reports open|filtered rather than open. In addition, the scan tool typically has to wait longer to detect a dropped packet than it would to receive a positive response. Because these methods require the scan tool to send specially crafted TCP packets, the tool normally has to run with superuser privileges; as with the SYN scan, that is usually not a problem. With Nmap, the FIN scan is started like this: nmap -sF example.com. Instead of -sF for the FIN scan, the NULL and XMAS scans are selected with -sN and -sX respectively.
The ACK scan
The ACK scan is not actually a port scanning method. It is designed to determine whether a particular port is filtered. If a packet with only the ACK bit set is sent to a destination port, there are two possible results, depending on whether the port is filtered: Not filtered, i.e. the port is either open or closed: an RST packet comes back in response to the test packet. Filtered: no response at all. If connections to a port are blocked by discarding incoming SYN packets, a stateless filter usually does so regardless of whether the port is open or closed; ACK packets, however, still pass such a filter and trigger a response, which helps to determine what kind of packet filtering is blocking incoming connection requests. A stateful firewall, by contrast, drops an ACK that belongs to no known connection, so every port then appears filtered. As with the other techniques that use specially crafted TCP test packets, the identity of the scanning node can easily be hidden, especially when decoy traffic is used, as with Nmap's -D option. And because the ACK scan requires crafted TCP packets, the tool usually has to be run with superuser privileges, which, as mentioned earlier, is not a serious problem. To perform an ACK scan with Nmap, type: nmap -sA example.com
A more detailed description of the individual scan types in Nmap follows below.
Port Scanning Techniques
Only one method may be used at a time, except that UDP scan (-sU) and any one of the SCTP scan types (-sY, -sZ) may be combined with any one of the TCP scan types. As a memory aid, port scan type options are of the form -s<C>, where <C> is a prominent character in the scan name, usually the first. The one exception to this is the deprecated FTP bounce scan (-b). By default, Nmap performs a SYN Scan, though it substitutes a connect scan if the user does not have proper privileges to send raw packets (requires root access on Unix). Of the scans listed in this section, unprivileged users can only execute connect and FTP bounce scans.
-sS (TCP SYN scan)
SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections. SYN scan works against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms as Nmap's FIN/NULL/Xmas, Maimon and idle scans do. It also allows clear, reliable differentiation between the open, closed, and filtered states. This technique is often referred to as half-open scanning, because you don't open a full TCP connection. You send a SYN packet, as if you are going to open a real connection and then wait for a response. A SYN/ACK indicates the port is listening (open), while a RST (reset) is indicative of a non-listener. If no response is received after several retransmissions, the port is marked as filtered. The port is also marked filtered if an ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10, or 13) is received. The port is also considered open if a SYN packet (without the ACK flag) is received in response. This can be due to an extremely rare TCP feature known as a simultaneous open or split handshake connection.
-sT (TCP connect scan)
TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a user does not have raw packet privileges. Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the connect system call. This is the same high-level system call that web browsers, P2P clients, and most other network-enabled applications use to establish a connection. It is part of a programming interface known as the Berkeley Sockets API. Rather than read raw packet responses off the wire, Nmap uses this API to obtain status information on each connection attempt. When SYN scan is available, it is usually a better choice. Nmap has less control over the high level connect call than with raw packets, making it less efficient. The system call completes connections to open target ports rather than performing the half-open reset that SYN scan does. Not only does this take longer and require more packets to obtain the same information, but target machines are more likely to log the connection. A decent IDS will catch either, but most machines have no such alarm system. Many services on your average Unix system will add a note to syslog, and sometimes a cryptic error message, when Nmap connects and then closes the connection without sending data. Truly pathetic services crash when this happens, though that is uncommon. An administrator who sees a bunch of connection attempts in her logs from a single system should know that she has been connect scanned.
-sU (UDP scans)
While most popular services on the Internet run over the TCP protocol, UDP services are widely deployed. DNS, SNMP, and DHCP (registered ports 53, 161/162, and 67/68) are three of the most common. Because UDP scanning is generally slower and more difficult than TCP, some security auditors ignore these ports. This is a mistake, as exploitable UDP services are quite common and attackers certainly don't ignore the whole protocol. Fortunately, Nmap can help inventory UDP ports. UDP scan is activated with the -sU option. It can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols during the same run. UDP scan works by sending a UDP packet to every targeted port. For some common ports such as 53 and 161, a protocol-specific payload is sent to increase response rate, but for most ports the packet is empty unless the --data, --data-string, or --data-length options are specified. If an ICMP port unreachable error (type 3, code 3) is returned, the port is closed. Other ICMP unreachable errors (type 3, codes 0, 1, 2, 9, 10, or 13) mark the port as filtered. Occasionally, a service will respond with a UDP packet, proving that it is open. If no response is received after retransmissions, the port is classified as open|filtered. This means that the port could be open, or perhaps packet filters are blocking the communication. Version detection (-sV) can be used to help differentiate the truly open ports from the filtered ones. A big challenge with UDP scanning is doing it quickly. Open and filtered ports rarely send any response, leaving Nmap to time out and then conduct retransmissions just in case the probe or response were lost. Closed ports are often an even bigger problem. They usually send back an ICMP port unreachable error. But unlike the RST packets sent by closed TCP ports in response to a SYN or connect scan, many hosts rate limit ICMP port unreachable messages by default. Linux and Solaris are particularly strict about this. 
For example, the Linux 2.4.20 kernel limits destination unreachable messages to one per second (in net/ipv4/icmp.c). Nmap detects rate limiting and slows down accordingly to avoid flooding the network with useless packets that the target machine will drop. Unfortunately, a Linux-style limit of one packet per second makes a 65,536-port scan take more than 18 hours. Ideas for speeding your UDP scans up include scanning more hosts in parallel, doing a quick scan of just the popular ports first, scanning from behind the firewall, and using --host-timeout to skip slow hosts.
-sY (SCTP INIT scan)
SCTP is a relatively new alternative to the TCP and UDP protocols, combining most characteristics of TCP and UDP, and also adding new features like multi-homing and multi-streaming. It is mostly being used for SS7/SIGTRAN related services but has the potential to be used for other applications as well. SCTP INIT scan is the SCTP equivalent of a TCP SYN scan. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. Like SYN scan, INIT scan is relatively unobtrusive and stealthy, since it never completes SCTP associations. It also allows clear, reliable differentiation between the open, closed, and filtered states. This technique is often referred to as half-open scanning, because you don't open a full SCTP association. You send an INIT chunk, as if you are going to open a real association and then wait for a response. An INIT-ACK chunk indicates the port is listening (open), while an ABORT chunk is indicative of a non-listener. If no response is received after several retransmissions, the port is marked as filtered. The port is also marked filtered if an ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10, or 13) is received.
-sN; -sF; -sX (TCP NULL, FIN, and Xmas scans)
These three scan types (even more are possible with the --scanflags option described below) exploit a subtle loophole in the TCP RFC to differentiate between open and closed ports. Page 65 of RFC 793 says that “if the [destination] port state is CLOSED .... an incoming segment not containing a RST causes a RST to be sent in response.” Then the next page discusses packets sent to open ports without the SYN, RST, or ACK bits set, stating that: “you are unlikely to get here, but if you do, drop the segment, and return.” When scanning systems compliant with this RFC text, any packet not containing SYN, RST, or ACK bits will result in a returned RST if the port is closed and no response at all if the port is open. As long as none of those three bits are included, any combination of the other three (FIN, PSH, and URG) are OK. Nmap exploits this with three scan types:
Null scan (-sN): does not set any bits (TCP flag header is 0).
FIN scan (-sF): sets just the TCP FIN bit.
Xmas scan (-sX): sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.
These three scan types are exactly the same in behavior except for the TCP flags set in probe packets. If a RST packet is received, the port is considered closed, while no response means it is open|filtered. The port is marked filtered if an ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10, or 13) is received. The key advantage to these scan types is that they can sneak through certain non-stateful firewalls and packet filtering routers. Another advantage is that these scan types are a little more stealthy than even a SYN scan. Don't count on this though: most modern IDS products can be configured to detect them. The big downside is that not all systems follow RFC 793 to the letter. A number of systems send RST responses to the probes regardless of whether the port is open or not. This causes all of the ports to be labeled closed. Major operating systems that do this are Microsoft Windows, many Cisco devices, BSDI, and IBM OS/400. This scan does work against most Unix-based systems though. Another downside of these scans is that they can't distinguish open ports from certain filtered ones, leaving you with the response open|filtered.
-sA (TCP ACK scan)
This scan is different than the others discussed so far in that it never determines open (or even open|filtered) ports. It is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered. The ACK scan probe packet has only the ACK flag set (unless you use --scanflags). When scanning unfiltered systems, open and closed ports will both return a RST packet. Nmap then labels them as unfiltered, meaning that they are reachable by the ACK packet, but whether they are open or closed is undetermined. Ports that don't respond, or send certain ICMP error messages back (type 3, code 0, 1, 2, 3, 9, 10, or 13), are labeled filtered.
-sW (TCP Window scan)
Window scan is exactly the same as ACK scan except that it exploits an implementation detail of certain systems to differentiate open ports from closed ones, rather than always printing unfiltered when a RST is returned. It does this by examining the TCP Window field of the RST packets returned. On some systems, open ports use a positive window size (even for RST packets) while closed ones have a zero window. So instead of always listing a port as unfiltered when it receives a RST back, Window scan lists the port as open or closed if the TCP Window value in that reset is positive or zero, respectively. This scan relies on an implementation detail of a minority of systems out on the Internet, so you can't always trust it. Systems that don't support it will usually return all ports closed. Of course, it is possible that the machine really has no open ports. If most scanned ports are closed but a few common port numbers (such as 22, 25, 53) are filtered, the system is most likely susceptible. Occasionally, systems will even show the exact opposite behavior. If your scan shows 1,000 open ports and three closed or filtered ports, then those three may very well be the truly open ones.
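The three port states introduced in the section on TCP port scanning above, and the reply-to-state rules quoted for the SYN, NULL/FIN/Xmas, ACK, Window and UDP scans, can be written down as one classifier. The following Python script is an added example (not Nmap's code): classify() turns a single reply into Nmap's state name following those rules, and simulate_target() models how a target answers each kind of probe, including a stack that violates RFC 793 by answering every FIN probe with an RST and a stack whose RSTs always carry a zero window. Running the two together shows, without sending a packet, which scan yields which state and where each technique misleads. The port numbers and target behaviour are constructed for the demo.

```python
"""Port-state inference for the scan types above (added example, not Nmap's code).

`classify` turns one reply into Nmap's state names using the rules quoted
in the text; `simulate_target` models how a target answers each probe, so
the two together show which scan yields which state without sending packets.
Port numbers and the target's behaviour are constructed for the demo.
"""
from dataclasses import dataclass


@dataclass
class Reply:
    kind: str = "none"      # "tcp", "udp", "icmp" or "none" (no reply after retransmissions)
    flags: str = ""         # TCP flags present, e.g. "SA" for SYN/ACK, "R" for RST
    window: int = 0         # TCP window field of the reply (used by -sW)
    icmp_type: int = 0
    icmp_code: int = 0


NO_REPLY = Reply()
# ICMP destination-unreachable codes that Nmap treats as "filtered"
UNREACH_CODES = {0, 1, 2, 3, 9, 10, 13}


def classify(scan, reply):
    """scan: S=SYN, N/F/X=NULL/FIN/Xmas, A=ACK, W=Window, U=UDP. Returns Nmap's state name."""
    tcp = reply.kind == "tcp"
    rst = tcp and "R" in reply.flags
    if reply.kind == "icmp" and reply.icmp_type == 3 and reply.icmp_code in UNREACH_CODES:
        # port unreachable (3/3) is the closed signal for UDP only; every other code means filtered
        return "closed" if scan == "U" and reply.icmp_code == 3 else "filtered"
    if scan == "S":
        if rst:
            return "closed"
        if tcp and "S" in reply.flags:      # SYN/ACK, or a bare SYN (simultaneous open)
            return "open"
        return "filtered"
    if scan in ("N", "F", "X"):
        return "closed" if rst else "open|filtered"
    if scan == "A":
        return "unfiltered" if rst else "filtered"
    if scan == "W":
        if rst:
            return "open" if reply.window > 0 else "closed"
        return "filtered"
    if scan == "U":
        return "open" if reply.kind == "udp" else "open|filtered"
    raise ValueError(f"unknown scan type {scan!r}")


def simulate_target(scan, port, open_ports, filtered_ports, rfc793=True, window_leak=True):
    """Model the target's answer to one probe.
    rfc793=False models stacks (Windows, many Cisco devices) that RST every NULL/FIN/Xmas
    probe; window_leak=False models stacks whose RSTs always carry a zero window."""
    if port in filtered_ports:
        return NO_REPLY                          # stateless filter drops the probe silently
    is_open = port in open_ports
    if scan == "S":
        return Reply("tcp", "SA") if is_open else Reply("tcp", "R")
    if scan in ("N", "F", "X"):
        if is_open and rfc793:
            return NO_REPLY                      # RFC 793: an open port drops the odd segment
        return Reply("tcp", "R")
    if scan in ("A", "W"):
        win = 1024 if (is_open and window_leak) else 0
        return Reply("tcp", "R", window=win)     # open and closed both answer an ACK with RST
    if scan == "U":
        return NO_REPLY if is_open else Reply("icmp", icmp_type=3, icmp_code=3)
    raise ValueError(f"unknown scan type {scan!r}")


def run_scan(scan, ports, open_ports, filtered_ports, **target_opts):
    """Return {port: state} for one scan type against the modelled target."""
    return {p: classify(scan, simulate_target(scan, p, open_ports, filtered_ports, **target_opts))
            for p in ports}


if __name__ == "__main__":
    ports, open_ports, filtered_ports = [22, 23, 80], {22}, {23}
    for scan in "SFAWU":
        print(scan, run_scan(scan, ports, open_ports, filtered_ports))
    print("F against a non-RFC stack:", run_scan("F", ports, open_ports, filtered_ports, rfc793=False))
```

The run shows the pitfalls discussed above in one place: the FIN scan reports the open port 22 as closed on a Windows-style stack, the Window scan reports it as closed on a stack without the window quirk, and the UDP scan cannot separate open from filtered without a protocol-aware probe.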
-sM (TCP Maimon scan)
The Maimon scan is named after its discoverer, Uriel Maimon. He described the technique in Phrack Magazine issue #49 (November 1996). Nmap, which included this technique, was released two issues later. This technique is exactly the same as NULL, FIN, and Xmas scans, except that the probe is FIN/ACK. According to RFC 793 (TCP), a RST packet should be generated in response to such a probe whether the port is open or closed. However, Uriel noticed that many BSD-derived systems simply drop the packet if the port is open.
--scanflags (Custom TCP scan)
Truly advanced Nmap users need not limit themselves to the canned scan types offered. The --scanflags option allows you to design your own scan by specifying arbitrary TCP flags. Let your creative juices flow, while evading intrusion detection systems whose vendors simply paged through the Nmap man page adding specific rules! The --scanflags argument can be a numerical flag value such as 9 (PSH and FIN), but using symbolic names is easier. Just mash together any combination of URG, ACK, PSH, RST, SYN, and FIN. For example, --scanflags URGACKPSHRSTSYNFIN sets everything, though it's not very useful for scanning. The order these are specified in is irrelevant. In addition to specifying the desired flags, you can specify a TCP scan type (such as -sA or -sF). That base type tells Nmap how to interpret responses. For example, a SYN scan considers no-response to indicate a filtered port, while a FIN scan treats the same as open|filtered. Nmap will behave the same way it does for the base scan type, except that it will use the TCP flags you specify instead. If you don't specify a base type, SYN scan is used.
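To make the flag handling of --scanflags and the crafted probes of the SYN, FIN/NULL/Xmas, Maimon and ACK scans concrete, here is an added Python example (not Nmap's code). It parses a --scanflags-style specification (names mashed together in any order, or a number), builds a 20-byte TCP header carrying those flags, and computes and verifies the TCP checksum over the IPv4 pseudo-header, which is the part of raw-packet scanning that is easy to get wrong. Actually sending the segment would need a raw socket and root, exactly the privilege requirement the text describes, so the example stops at building and verifying. The addresses and ports are placeholders, and the ECN/NS bits are left out for brevity.

```python
"""Build TCP probe segments with arbitrary flags (added example, not Nmap's code).

parse_scanflags() accepts the same spellings as nmap --scanflags (names mashed
together in any order, or a decimal number); build_tcp_segment() produces a
20-byte header with a valid checksum over the IPv4 pseudo-header. Sending it
would need a raw socket (root); this example stops at building and verifying.
"""
import socket
import struct

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def parse_scanflags(spec):
    """'URGACKPSHRSTSYNFIN', 'FINPSHURG', 'SYN' or a decimal string such as '9' -> 6-bit value."""
    if spec.isdigit():
        value = int(spec)
        if value > 0x3F:
            raise ValueError(f"flag value {value} out of range")
        return value
    value, rest = 0, spec.upper()
    while rest:
        for name, bit in FLAG_BITS.items():
            if rest.startswith(name):
                value |= bit
                rest = rest[len(name):]
                break
        else:
            raise ValueError(f"unknown flag name in {spec!r}")
    return value


def flag_names(value):
    """Inverse of parse_scanflags, in FIN..URG order, e.g. 9 -> 'FINPSH'."""
    return "".join(name for name, bit in FLAG_BITS.items() if value & bit)


def checksum(data):
    """Internet checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)   # end-around carry
    return (~total) & 0xFFFF


def _pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header: src, dst, zero, protocol, TCP length (RFC 793 checksum input)."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def build_tcp_segment(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0, window=1024):
    """20-byte TCP header without options, checksum filled in."""
    offset_flags = (5 << 12) | (flags & 0x3F)     # data offset = 5 words; flags in the low bits
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)
    csum = checksum(_pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def verify_tcp_checksum(src_ip, dst_ip, segment):
    """Receiver's check: the sum over pseudo-header plus segment (checksum included) must be 0."""
    return checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def segment_flags(segment):
    """Extract the six classic flag bits from a TCP header."""
    return struct.unpack("!H", segment[12:14])[0] & 0x3F


def scan_probe(kind):
    """Flag value of the canned probes: S=SYN, F=FIN, N=NULL, X=Xmas, A=ACK, M=Maimon (FIN/ACK)."""
    spec = {"S": "SYN", "F": "FIN", "N": "0", "X": "FINPSHURG", "A": "ACK", "M": "FINACK"}[kind]
    return parse_scanflags(spec)


if __name__ == "__main__":
    for kind in "SFNXAM":
        flags = scan_probe(kind)
        seg = build_tcp_segment("192.0.2.10", "192.0.2.20", 40000, 22, flags)
        print(kind, f"{flags:06b}", flag_names(flags) or "none", seg.hex())
```

Because the checksum covers the pseudo-header, changing the source address (for example when using decoys with -D) changes the checksum too; a probe whose checksum does not verify is discarded by the target's stack before any port-state logic runs, which is why a hand-rolled scanner that gets this wrong sees every port as filtered.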
-sZ (SCTP COOKIE ECHO scan)
SCTP COOKIE ECHO scan is a more advanced SCTP scan. It takes advantage of the fact that SCTP implementations should silently drop packets containing COOKIE ECHO chunks on open ports, but send an ABORT if the port is closed. The advantage of this scan type is that it is not as obvious a port scan as an INIT scan. Also, there may be non-stateful firewall rulesets blocking INIT chunks, but not COOKIE ECHO chunks. Don't be fooled into thinking that this will make a port scan invisible; a good IDS will be able to detect SCTP COOKIE ECHO scans too. The downside is that SCTP COOKIE ECHO scans cannot differentiate between open and filtered ports, leaving you with the state open|filtered in both cases.
-sI <zombie host>[:<probeport>] (idle scan)
This advanced scan method allows for a truly blind TCP port scan of the target (meaning no packets are sent to the target from your real IP address). Instead, a unique side-channel attack exploits predictable IP fragmentation ID sequence generation on the zombie host to glean information about the open ports on the target. IDS systems will display the scan as coming from the zombie machine you specify (which must be up and meet certain criteria). Full details of this fascinating scan type are in the section called “TCP Idle Scan (-sI)”.
Besides being extraordinarily stealthy (due to its blind nature), this scan type permits mapping out IP-based trust relationships between machines. The port listing shows open ports from the perspective of the zombie host. So you can try scanning a target using various zombies that you think might be trusted (via router/packet filter rules).
You can add a colon followed by a port number to the zombie host if you wish to probe a particular port on the zombie for IP ID changes. Otherwise Nmap will use the port it uses by default for TCP pings (80).
-sO (IP protocol scan)
IP protocol scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines. This isn't technically a port scan, since it cycles through IP protocol numbers rather than TCP or UDP port numbers. Yet it still uses the -p option to select scanned protocol numbers, reports its results within the normal port table format, and even uses the same underlying scan engine as the true port scanning methods. So it is close enough to a port scan that it belongs here.
Besides being useful in its own right, protocol scan demonstrates the power of open-source software. While the fundamental idea is pretty simple, I had not thought to add it nor received any requests for such functionality. Then in the summer of 2000, Gerhard Rieger conceived the idea, wrote an excellent patch implementing it, and sent it to the announce mailing list (then called nmap-hackers). I incorporated that patch into the Nmap tree and released a new version the next day. Few pieces of commercial software have users enthusiastic enough to design and contribute their own improvements!
Protocol scan works in a similar fashion to UDP scan. Instead of iterating through the port number field of a UDP packet, it sends IP packet headers and iterates through the eight-bit IP protocol field. The headers are usually empty, containing no data and not even the proper header for the claimed protocol. The exceptions are TCP, UDP, ICMP, SCTP, and IGMP. A proper protocol header for those is included since some systems won't send them otherwise and because Nmap already has functions to create them. Instead of watching for ICMP port unreachable messages, protocol scan is on the lookout for ICMP protocol unreachable messages. If Nmap receives any response in any protocol from the target host, Nmap marks that protocol as open. An ICMP protocol unreachable error (type 3, code 2) causes the protocol to be marked as closed while port unreachable (type 3, code 3) marks the protocol open. Other ICMP unreachable errors (type 3, code 0, 1, 9, 10, or 13) cause the protocol to be marked filtered (though they prove that ICMP is open at the same time). If no response is received after retransmissions, the protocol is marked open|filtered.
-b (FTP bounce scan)
An interesting feature of the FTP protocol (RFC 959) is support for so-called proxy FTP connections. This allows a user to connect to one FTP server, then ask that files be sent to a third-party server. Such a feature is ripe for abuse on many levels, so most servers have ceased supporting it. One of the abuses this feature allows is causing the FTP server to port scan other hosts. Simply ask the FTP server to send a file to each interesting port of a target host in turn. The error message will describe whether the port is open or not. This is a good way to bypass firewalls because organizational FTP servers are often placed where they have more access to other internal hosts than any old Internet host would. Nmap supports FTP bounce scan with the -b option. It takes an argument of the form <username>:<password>@<server>:<port>. <Server> is the name or IP address of a vulnerable FTP server. As with a normal URL, you may omit <username>:<password>, in which case anonymous login credentials (user: anonymous password: -wwwuser@) are used. The port number (and preceding colon) may be omitted as well, in which case the default FTP port (21) on <server> is used.
Other types of attacks on a network
The Land Attack
The so-called land attack sends a request to an open port of your computer to establish a connection with itself. The attack leads to an infinite loop in the attacked computer, which results in a greatly increased processor load and can lead to a crash in certain operating systems.
With an ICMP flood, a large number of ICMP packets are sent to your network. Since the addressed computer has to react to every incoming packet, the processor load is increased considerably.
During SYN flood, a large number of connection requests are sent to your computer. The system reserves certain resources for each of these connections, which causes it to use up all of its resources and no longer respond to other connection attempts.
Attacks for "takeover"
Internet - Routing - Attacks
IP - packets can fulfil various additional functions by entering data in the 8 bit long option field. These are generally only used by the system administrator for test and monitoring purposes. Routing - Options such as "Loose Source Routing" can also be used for attacks on the internal network from outside.
The Source - Routing - Attack
The simplest routing attack uses the Internet protocol option 9 (Strict Source Routing) or 3 (Loose Source Routing). In both cases the route through the network can be determined by the sender of the IP routing packet. In the case of "Strict Source Routing", each switching node must be specified in the correct order. Two nodes entered as sequential must actually be directly connected to each other. If this is not the case, an error message is displayed. "Loose Source Routing", on the other hand, also allows additional hops between two specified IP address nodes without having to specify the complete route. This makes it a very convenient tool to be misused by an attacker from outside. The data stream of the target station can thus be "redirected" to the intruder's computer system without any problems. To do this, the attacker in turn simulates the IP address of an internal system (IP address spoofing) and opens a connection to the target station by activating the "Loose Source Routing" option, whereby a path leading through the attacking system is specified as the route for the response packets. Thus, the intruder's system has all possibilities of the simulated internal station at its disposal. Again, the reason for successful attacks of the described kind lies in the permeability of the gateways of the affected network for IP packets with internal addresses arriving over external data lines. The activation of corresponding input filters or the filtering of IP packets with the source routing option set closes this gap.
The RIP attack
With the help of the RIP attack it is possible to "redirect" entire communication relationships between two internal stations via an external attacker without being noticed. The attacker (X) simulates an internal station (A) and sends modified RIP (Routing Information Protocol) packets to the second accessing station (B) and to the gateways located between X and B. These packets instruct B as well as the gateways to transfer each packet from B to A - according to the falsified route information - not to A but to X. The attacker X evaluates the incoming packets for A (passwords, logins, etc.) and sends them, provided with the "Source - Route - Option", on to their actual destination A. By activating the "Source - Route - Option", X ensures that all response packets from A to B can also be monitored. Similar to the Source - Route - Attack, RIP - Attacks are prevented by gateways which block IP - Address - Spoofing - Packets. Furthermore, all internal routers should be configured in such a way that it is not possible to change existing routes without further ado.
The Exterior Gateway Protocol (EGP)
This protocol is used to exchange routing information between two autonomous systems. In the Internet, for example, so-called "mid-level networks" are connected to the Internet backbone. The EGP variant commonly used in Europe for communication between Internet providers is BGP-4 (Border Gateway Protocol 4). Attacks based on this EGP can affect several hundred networks at a single blow. One attack variant consists of pretending to be another autonomous gateway (EGP - Spoofing) and thus, for example, diverting the entire traffic between two Internet providers via the attacker's own system.
Broadcast - Storms through ARP - Misuse
ARP attacks are a variant of attack that serves to massively impair the operational readiness of the target network. They are used to bring network components into overload situations in the hope of causing undefined states and then launching an attack. Normally the Address - Resolution - Protocol in networks is used to find the hardware address assigned to an Internet address. For this purpose ARP - packets are sent to all network participants in the form of broadcasts. If an address cannot be found within a network segment, gateways forward the ARP request by broadcast to all connected networks. If artificially generated ARP - packets are sent to search for non-existing IP - addresses, this quickly leads to a "broadcast - storm" of the gateways. This effect can be "improved" by sending synthetic "ARP replies" for the non-existent address after the first broadcast storm, which are then forwarded by the gateways via broadcast. Such broadcast storms quickly occupy the largest part of the available transmission bandwidth over long periods of time and severely disrupt the functionality of the affected networks. In this context, it is also important to investigate how the network components used behave in the event of extreme overload in order to prevent attacks during such situations.
The IP - Fragment - Attack
The fragmentation of IP data packets is usually used to overcome network sections that only support a certain maximum packet length. The maximum payload that an Ethernet packet can carry is 1500 bytes, while the maximum IP packet size is 65535 bytes. The affected data packets are therefore (if necessary) divided into fragments by the respective gateway. After transmission, the individual fragments are not immediately reassembled, but are first transferred to their final destination. Only there is the original IP packet reassembled. Each packet fragment contains an identification number, a fragmentation flag and a fragment offset in the IP header, whereby the identity and sequence of the fragments are clearly defined. For packet filtering based firewall systems, which make switching decisions based on TCP port numbers, fragmented packets are a possible danger, because only the first fragment contains the TCP port number and fragments without a TCP port cannot be filtered out. If, however, the first IP fragment is so short that the TCP port number only appears in the second fragment, packet filters have great problems. Besides the port number, packet filters check the TCP flags, so frequently incoming connections (SYN - flag set) are only allowed from certain IP - addresses. With two overlapping fragments of a SYN - packet (negative offset) the IP - packets pass the firewall - system. IP - fragments can also trigger a myriad of Denial of Service attacks. One of these attacks is e.g. the "Ping of Death". Many other variants of irregular fragments are conceivable, which can lead to problems during reassembly (depending on the implementation of the IP stack). Representatives of this large class of attacks carry such illustrious names as teardrop, newtear, bonk or boink. These attacks can only be fought by careful programming of the IP - stack. Checking fragments before reassembly should have a higher priority than the speed of processing.
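An added example (not from the original text) of the input filtering recommended against the source routing attack above and of the fragment checks this section calls for: a small IPv4 header parser in C that flags packets carrying a Loose or Strict Source Route option (option numbers 3 and 9), a first TCP fragment too short to hold the full TCP header, and a second fragment at offset 1 that would overlap the TCP flags on reassembly. The sample packets are constructed for this example; checksums are not validated, and the 20-byte minimum for a first fragment is a policy choice of this example.

```c
#include <stddef.h>
#include <stdint.h>

enum ipchk {
    IPCHK_OK = 0,
    IPCHK_MALFORMED,            /* header does not parse */
    IPCHK_SOURCE_ROUTED,        /* LSRR (3) or SSRR (9) option present */
    IPCHK_TINY_FIRST_FRAGMENT,  /* first TCP fragment lacks the full TCP header */
    IPCHK_OVERLAP_OFFSET        /* fragment at offset 1 overlaps the TCP header */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Inspect one IPv4 packet (header plus payload) of `len` bytes. */
enum ipchk ip_packet_check(const uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return IPCHK_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4u;          /* header length in bytes */
    uint16_t total_len = be16(pkt + 2);
    if (ihl < 20 || ihl > len || total_len < ihl || total_len > len)
        return IPCHK_MALFORMED;
    uint16_t flags_off = be16(pkt + 6);
    int more_fragments = (flags_off & 0x2000) != 0;      /* MF bit */
    uint16_t frag_offset = flags_off & 0x1FFF;           /* in 8-byte units */
    uint8_t protocol = pkt[9];

    /* Walk the options area (bytes 20 .. ihl-1). The option type byte holds
     * copied flag (1 bit), class (2 bits), number (5 bits); the text's
     * "option 3" and "option 9" are that number field. */
    for (size_t i = 20; i < ihl; ) {
        uint8_t type = pkt[i];
        if (type == 0) break;                  /* End of Option List */
        if (type == 1) { i++; continue; }      /* No Operation, single byte */
        if (i + 1 >= ihl) return IPCHK_MALFORMED;
        uint8_t optlen = pkt[i + 1];
        if (optlen < 2 || i + optlen > ihl) return IPCHK_MALFORMED;
        uint8_t number = type & 0x1F;
        if (number == 3 || number == 9) return IPCHK_SOURCE_ROUTED;
        i += optlen;
    }

    if (protocol == 6) {                                 /* TCP */
        size_t transport_len = total_len - ihl;
        /* A first fragment must carry the whole base TCP header (ports and
         * flags); otherwise a port/flag based filter cannot decide on it. */
        if (frag_offset == 0 && more_fragments && transport_len < 20)
            return IPCHK_TINY_FIRST_FRAGMENT;
        /* Offset 1 (8 bytes) lands inside the TCP header and can replace the
         * flags of the first fragment on reassembly (the RFC 1858 check). */
        if (frag_offset == 1) return IPCHK_OVERLAP_OFFSET;
    }
    return IPCHK_OK;
}

/* Constructed sample packets (checksums left zero): 10.0.0.1 -> 10.0.0.2, TCP. */
#define TCP_HDR 0x04, 0xD2, 0x00, 0x50, 0, 0, 0, 0, 0, 0, 0, 0, 0x50, 0x02, 0xFF, 0xFF, 0, 0, 0, 0
static const uint8_t SAMPLE_PLAIN[] = {       /* IHL 5, DF set, no fragments */
    0x45, 0x00, 0x00, 0x28, 0x12, 0x34, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    10, 0, 0, 1, 10, 0, 0, 2, TCP_HDR };
static const uint8_t SAMPLE_LSRR[] = {        /* IHL 7: LSRR option, type 0x83 = copied|3 */
    0x47, 0x00, 0x00, 0x30, 0x12, 0x35, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    10, 0, 0, 1, 10, 0, 0, 2, 0x83, 0x07, 0x04, 192, 0, 2, 9, 0x00, TCP_HDR };
static const uint8_t SAMPLE_TINY[] = {        /* MF set, offset 0, only 8 transport bytes */
    0x45, 0x00, 0x00, 0x1C, 0x12, 0x36, 0x20, 0x00, 0x40, 0x06, 0x00, 0x00,
    10, 0, 0, 1, 10, 0, 0, 2, 0x04, 0xD2, 0x00, 0x50, 0, 0, 0, 0 };
static const uint8_t SAMPLE_OVERLAP[] = {     /* MF set, offset 1: overlaps the TCP header */
    0x45, 0x00, 0x00, 0x1C, 0x12, 0x36, 0x20, 0x01, 0x40, 0x06, 0x00, 0x00,
    10, 0, 0, 1, 10, 0, 0, 2, 0x00, 0x00, 0x00, 0x00, 0, 0, 0, 0 };
```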
IP - Bombing
An effective sabotage technique, which usually serves to prepare an attack, is the bombing of foreign computers with IP packets according to the motto: the larger bandwidth wins. For this purpose, a number of attack tools have been programmed (Stacheldraht ("barbed wire"), Trin00, etc.), which all work according to the same principle. First of all, one has to look for computers on the Internet on which small programs can be installed (taking advantage of security holes), the so-called agents. These are usually computers from universities or other organizations with insufficiently secured networks. These agents wait on certain TCP or UDP ports for the signal to attack. They are activated simultaneously by the attacker via certain messages and send network packets to the victims. Since these attacks are distributed, they are also known as "distributed denial of service" attacks (DDoS). Only filter programs that search for waiting agents and deactivate them offer protection.
The TCP - sequence numbers - attack
This is one of the most dangerous and effective methods of overcoming firewall systems based on packet filtering technology. By exploiting this security hole, which was already recognized in 1985, ALL security systems whose access management is based on the evaluation of IP - send addresses can be overcome. The starting point of this attack lies in the handshake sequence consisting of three steps during a TCP connection setup. The prerequisite is that, as described, fake IP packets can be sent from outside into the internal data network with the help of IP address spoofing. A TCP handshake sequence works in detail as follows: If a connection is to be established from client A to the remote shell server B, this is initiated with the data packet A > B: SYN, A_SNa, in which the synchronization bit SYN is set by A and B is informed of the initial sequence number (Initial Sequence Number, ISN) A_SNa of the TCP connection to be established. Server B responds to this with B > A: SYN, A_SNb, ACK(A_SNa). The initial sequence number A_SNb is thus transmitted to client A and at the same time its sequence number A_SNa is confirmed. A ends the handshake sequence with the confirmation A > B: ACK(A_SNb). The sequence numbers and confirmations that occur from now on during the connection are calculated from the two initial sequence numbers and the previously transmitted data, so that an attacker who knows the initial sequence numbers and the data can easily calculate the remaining sequence numbers. The choice of the initial sequence numbers is not truly random but is actually determined by a simple algorithm. RFC 793 specifies that a 32-bit counter must be incremented by the value 1 every 4 µs at the least significant position. In the Berkeley TCP implementations, however, the increment is only every second, by the value 128 within a connection and by the value 64 for each new connection. This makes it possible to predict with a high probability which sequence number a system will use for its next connection setup.
This is exploited in the sequence number attack. Attacker X first establishes a valid preparation connection to a harmless TCP port (25, 79, etc.) of the target system Z using any send address: X > Z: SYN, A_SNx. The target system responds with Z > X: SYN, A_SNz, ACK(A_SNx). Now the attacker assumes the identity of an internal system A (IP spoofing; send address A) and sends to a "critical" TCP port like the login server (port 513): A > Z: SYN, A_SNx. To this Z responds with Z > A: SYN, A_SNz+, ACK(A_SNx). Although this last message is directed to the internal station A and is not visible to the external attacker, he can calculate the start sequence number A_SNz+ of the target system, starting from the value A_SNz of the preparation connection, and reply, again in the guise of the internal system A, with A > Z: ACK(A_SNz+). The target system now assumes a secured connection to the internal station A. The attacker can continue to act as station A and perform any operations on the target system. The only restriction is that the respective replies of the target system are not visible to the attacker, since they are sent to the internal client A. Now a short excerpt from the TCP Sequence Number Guessing attack by Kevin Mitnick on the workstation of Tsutomu Shimomura: Even if the attacker can only roughly predict the victim's initial sequence number, the attack is still promising. The attacker always sends a whole series of IP packets with the same content but different sequence numbers after his TCP SYN packet with the spoofed address, so that all potential numbers are covered. All packets except the correct one are rejected by the victim.
The following strategies can be used to counter these attacks.
1. Configuration of the packet filter (input filtering).
2. Avoiding the authentication of a user on the basis of IP addresses. Firewall systems based on this are considered problematic.
3. User authentication with the help of crypto - systems. In case of a connection establishment the client (if he is authorized to do so) receives a session key in encrypted form, with which a one-time connection can be established.
4. Implementation of a real random generator to calculate the initial sequence numbers.
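An added example (not from the original text) of how to measure the fourth countermeasure: it simulates the Berkeley-style counter described above (+64 per new connection, +128 per second) beside a randomised generator, and counts how often the ISN of a second connection opened in the same second lies within a small window of the previous ISN plus 64, i.e. how often an observer could have predicted it. The xorshift PRNG, its fixed seed and the counter's starting value are constructed stand-ins for this example; a real stack draws from a cryptographic random source.

```c
#include <stdbool.h>
#include <stdint.h>

/* Counter-based ISN generator as the text describes for the Berkeley stacks:
 * +128 per elapsed second, +64 for every new connection. The clock is passed
 * in explicitly so the simulation stays deterministic. */
typedef struct { uint32_t counter; uint32_t last_second; } isn_counter_t;

uint32_t isn_counter_next(isn_counter_t *g, uint32_t now_seconds) {
    g->counter += 128u * (now_seconds - g->last_second);
    g->last_second = now_seconds;
    g->counter += 64u;
    return g->counter;
}

/* Randomised ISN generator. A 64-bit xorshift PRNG with a fixed seed is a
 * constructed stand-in for this example; the "real random generator" of the
 * text would be a cryptographic source in a production stack. */
typedef struct { uint64_t state; } isn_random_t;

uint32_t isn_random_next(isn_random_t *g) {
    uint64_t x = g->state;
    x ^= x << 13;
    x ^= x >> 7;
    x ^= x << 17;
    g->state = x;
    return (uint32_t)(x >> 32);
}

/* True when `actual` lies within +/- window of `guess`, modulo 2^32. */
static bool within_window(uint32_t actual, uint32_t guess, uint32_t window) {
    uint32_t d = actual - guess;                 /* modular distance */
    if (d > 0x7FFFFFFFu) d = 0u - d;             /* take the shorter way round */
    return d <= window;
}

/* Audit: open `trials` pairs of back-to-back connections (same second) and
 * count how often the second ISN is within `window` of the first ISN + 64,
 * i.e. how often an observer who saw the first ISN could have predicted the
 * second. A generator that is safe against the attack scores close to zero. */
int audit_counter_isn(int trials, uint32_t window) {
    isn_counter_t g = { 0x12345678u, 0u };       /* constructed starting state */
    int hits = 0;
    for (int i = 0; i < trials; i++) {
        uint32_t now = (uint32_t)i;              /* one pair of connections per second */
        uint32_t first  = isn_counter_next(&g, now);
        uint32_t second = isn_counter_next(&g, now);
        if (within_window(second, first + 64u, window)) hits++;
    }
    return hits;
}

int audit_random_isn(int trials, uint32_t window) {
    isn_random_t g = { 0x9E3779B97F4A7C15ull };  /* constructed fixed seed */
    int hits = 0;
    for (int i = 0; i < trials; i++) {
        uint32_t first  = isn_random_next(&g);
        uint32_t second = isn_random_next(&g);
        if (within_window(second, first + 64u, window)) hits++;
    }
    return hits;
}
```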
Termination and acceptance of TCP connections
The complete TCP - sequence number attack is difficult to perform.
A simpler attack scenario using the sequence number is the involuntary termination of
TCP connections. Here (in the middle of an active TCP connection) a packet with the appropriate sequence number and set RST or FIN flag is sent to one of the two partners. The connection is terminated, the incoming packets of the unsuspecting second partner are ignored (Denial of Service). In this attack, the packets must pass the hacker's computer, which means that these attacks can preferably be carried out from the intranet or from large providers. A variant of connection termination is the complete takeover of the connection by the "hacker" (hijacking). In this case, no RST or FIN packets are sent, but ordinary data packets with the correct sequence number. If the packets of the "hacker" arrive earlier at the target computer than those of the regular partner, these are accepted as valid and the regular packets are discarded. The attacker is in the middle of the currently active TCP session. If this is an ASCII transmission like Telnet or Rlogin, commands can be sent with the access rights of the user who is currently booted out. Good hijacking programs try to synchronize the two original partners by sending packets with matching sequence numbers. Apart from a brief standstill, the victim does not notice anything about the "hacker" taking over the session for a short time. Hijacking loses its value with encrypted connections, since no meaningful takeover of the session is possible here.
UDP - Spoofing
Communication partners in the context of UDP connections are always to be classified as untrustworthy, since this protocol can be simulated extremely easily. Since neither sequence number nor confirmation packets are provided, applications based on these should definitely subject the network addresses of the respective hosts to an authentication process. Potential attackers are otherwise able to use synthetic UDP - data packets with a falsified Internet address - to pretend to be an internal user and use the corresponding applications. A tricky simulation of handshake sequences as in the case of the TCP sequence number attack is not even necessary with UDP. In the same way, existing UDP connections can be taken over by attackers without the server application having the possibility to notice this. On exposed systems the UDP protocol should therefore be avoided completely.
Security risk DNS
In most cases, DNS attacks are performed in preparation for a subsequent intrusion using the remote services (rsh, rlogin, etc.). If an attacker succeeds in modifying the "in-addr.arpa" table of the DNS concerned in such a way that the domain name of the trusted host he wants to pretend to be is assigned his own, actual Internet address, he can then successfully attack the target system with rlogin or rsh. If the relevant "r - application" checks the Internet address again in the opposite direction, and also requests the assigned domain name via DNS based on the determined numerical address, as is often the case in current versions, this deception can be detected. To circumvent this barrier, clever hackers therefore also gain access to the DNS cache. With a corresponding entry, the authentication of the attacker's Internet address can withstand the double security check, and the attack can continue. Authentication procedures should therefore not be based on domain names, but on Internet addresses. Although this does not offer any security guarantee, it does make potential break-in attempts more difficult. The second target of DNS attacks is the zone data, which provides attackers with valuable information about the structure and addressing of the internal network. Access to the zone files (TCP port 53) should therefore only be possible for the defined secondary DNS server(s).
Security risk SMTP
The Simple Mail Transfer Protocol is used on the Internet to transmit electronic messages. One of the most obvious security problems when analyzing the protocol is the fact that the authenticity of the sending address cannot be verified. Another potential vulnerability of this service has been identified in recent years in the widespread Unix implementation of the SMTP daemon, the "sendmail" program. The reliable identification of electronic messages is thus only possible by using electronic signatures, as they can be realized with the help of public key procedures (PGP, etc.). Other attack methods in which the e-mail service plays a decisive role are MIME and PostScript attacks as well as the smuggling in of Trojan horses and possibly viruses.
Old and still dangerous
Telnet - Attacks
Telnet is based on the transmission of ASCII sequences. The entire sequence of a Telnet connection is therefore transmitted in plain text. This makes it easy for an attacker to gain access to Telnet logins and passwords using monitor programs (Ethload, Esniff, Snoop etc.). If such a protocol monitor is installed on a network backbone, a large number of access authorizations can be exposed in a very short time. Another attack method is to replace the client Telnet application with a Trojan horse. Such a trojanized Telnet version records user identifications and passwords unnoticed by the user and stores them in a disguised file. The only effective remedy against this type of attack is the use of a powerful authentication mechanism. Such a mechanism can either be created with the help of a one-time password system or by using an authentication server.
FTP - Attack
FTP is based on the Internet protocol TCP and requires two simultaneously active connections to carry out a file transfer. For each further data transfer, a new connection must be established, which, due to a peculiarity of the TCP protocol, must have a different (client) port number. This means that it is no longer possible to predict which port will be used for an FTP data transfer, which makes the implementation of the FTP service across firewalls considerably more complicated. Further potential security problems of the FTP service are:
The server uses the privileged port 20 for data transfer and is therefore started as "root"; this security gap can be closed by passive FTP. Over the years, a number of security holes have been discovered in various FTP server daemons, which have led to massive break-ins time and again.
Errors in the configuration as an "Anonymous File Server": The most important security measure against FTP - attacks is to protect the data area for anonymous FTP from any write access. If this is not the case, it is sufficient under Linux to copy a rhosts file to the target system in order to penetrate it via a subsequent rlogin attack. Furthermore, as already mentioned in the section on access permissions, an authentic version of a password file should never be within reach of the anonymous FTP service. A devastating implementation error in the widely used FTP server program "wuftpd" became known in mid-1994. A telnet connection to FTP port 21 and the entry of the command SITE EXEC immediately allowed superuser rights to be obtained on the system in question.
Attacks on servers and clients
application design and programming errors
Unfortunately, not only the network is an infinite source of security holes and attack possibilities, but also at the application level, sloppy design or insufficient care in programming opens up numerous possibilities for unauthorized access for hackers. The boundary between network and applications is fluid, and some problems directly affect the network. In the following section, the recurring mechanisms for attacks on applications will be examined in more detail. However, some of the scenarios described can also be found when problems occur in the network stack (ping of death or buffer overflow).
The buffer overflow
Buffer overflow is an easy to understand phenomenon, although programming such attacks is often very difficult. It is based on the fact that certain lengths are reserved for variables at countless points in a program, but the maximum length of the variables is not adhered to, thus overwriting adjacent areas of the memory. If this behavior can be provoked from outside, an attack based on buffer overflow is present. Buffer overflows are always caused by a poor programming style in which inputs from outside are not checked for their maximum length before the data is moved into the buffer. The first problem when developing a buffer overflow-based attack is to find the error in the program. The buffer must be accessible from outside and must not be protected by length controls. The simplest attack is to overwrite the buffer with meaningless data, whereby the attacked host or service usually stops its service. However, the fine art of buffer overflow is not the uncontrolled destruction of data structures, but the manipulation of the buffer so that it contains executable code after overwriting. This code is then executed by the attacked system, with the respective privileges of the process. Since many server processes run with root or admin privileges, the system can be manipulated in this way at will. The controlled buffer overflow is therefore considered a "high art" of attack scenarios and should therefore be examined in more detail. The memory area of the program affected by an attack is almost always the stack, rarely the heap. Both areas have the advantage that they can be written to at program runtime and executable commands can be located there. The other memory areas of a program do not have these advantages, the text area (program code) is always read-only and the data area is writable but cannot contain executable code. 
The stack contains the return address for returning after the subroutine has finished, an area for local variables, which disappear again after the program returns. The aim of the attack is to overwrite a local variable by input from outside the program so that the return address is changed. This then no longer points to the calling program, but to the buffer itself, which has just been overwritten. There is a suitably sized piece of program code there, which is processed by the processor without hesitation. Attack programs are very difficult to program in practice, since the program code inserted from outside must fit exactly to the bit, otherwise the result is only a DoS. Only very few hackers are able to program such an attack themselves. Once such tools have been developed, however, they are published on the Internet and even the so-called "script kiddies" can use them. Buffer - overflow - programs are always programmed in the same way. They consist of three parts with different functions:
1. Encoding of the attack program that is to run on the victim.
2. Structure of the buffer, which contains other bytes besides the pure program code, e.g. NOP - commands, if the position of the buffer in the memory is not exactly known.
3. Allocation of the buffer to a parameter and start of the attack.
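An added example (not from the original text) of the root cause named above, the missing length check before data is moved into a fixed buffer, in C: the unsafe copy beside a bounded version that measures the external input against the buffer first and refuses over-long input instead of writing past the array. The record, its field names and sizes are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define NAME_LEN 16   /* the fixed "reserved length" the text mentions */

/* Constructed record: the field behind the buffer is what an overflow reaches first. */
struct session {
    char name[NAME_LEN];
    int  privileged;
};

/* Before: the pattern that produces a buffer overflow. strcpy copies until it
 * finds a NUL byte, so any input of NAME_LEN bytes or more overwrites
 * `privileged` and, for a local array, the saved return address further up
 * the stack. Nothing here looks at the length of `input`. */
void session_set_name_unsafe(struct session *s, const char *input) {
    strcpy(s->name, input);
}

/* After: the length of the external input is checked against the buffer
 * before anything is moved. memchr bounds the scan to NAME_LEN bytes, so even
 * an unterminated input cannot make the check itself read too far. Over-long
 * input is refused rather than silently truncated, because a truncated name
 * may still be a different, valid-looking name. */
bool session_set_name_safe(struct session *s, const char *input) {
    const char *nul = memchr(input, '\0', NAME_LEN);
    if (nul == NULL) return false;             /* >= NAME_LEN bytes: no room for NUL */
    size_t n = (size_t)(nul - input);
    memcpy(s->name, input, n + 1);             /* exactly n bytes plus terminator */
    return true;
}

/* Helper for a stand-alone check: did the name land intact and did the field
 * behind the buffer stay untouched? */
bool session_intact(const struct session *s, const char *expected_name, int expected_priv) {
    return strcmp(s->name, expected_name) == 0 && s->privileged == expected_priv;
}
```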
Poor syntax - Check
While the buffer overflow is due to a lack of control over the length of external inputs, another source of potential attack is insufficient checking of the syntax of external inputs. This check is performed by so-called parsers, which examine the external byte stream and break it down into commands and parameters. Unfortunately many of these parsers are poorly programmed, especially when dealing with special characters. If the decomposed input stream still contains special characters, these can cause undesired side effects during the subsequent operations of application and operating system. In some versions of the Apache or NCSA web server the characters %A (newline) and %20 (space) were not filtered out, which led to fatal consequences when executing the subsequent CGI script.
The passwd file with the password hashes was thus displayed on the attacker's browser. The conceivable attacks using errors in the parser are manifold. Another known problem of many web servers is that they interpret the input of ..\ or ../ as a change to a higher directory. This allows the attacker to break out of the virtual root directory on the web server and inspect the victim's disk. The characters | and ; are also often overlooked and then interpreted by the OS in an unpleasant way as output redirection or the start of a second program. CGI scripts, which are often created by insufficiently trained programmers, are particularly at risk.
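An added example (not from the original text) of the parser-side check this section asks for, in C: a CGI parameter is first percent-decoded, so that encodings such as %20, %0A or %2e%2e are seen as the bytes they stand for, and the decoded value is then accepted only if every byte is on a small allow-list and no ".." component or shell metacharacter such as | or ; survives. The allow-list and the sample values are constructed for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX escapes from `raw` into `out` (at most outsz-1 bytes plus NUL).
 * Returns false on a malformed or truncated escape or if `out` is too small.
 * Decoding happens before validation: a check on the raw text would miss
 * %0A, %20 or %2e%2e entirely. */
bool percent_decode(const char *raw, char *out, size_t outsz) {
    size_t o = 0;
    for (size_t i = 0; raw[i] != '\0'; i++) {
        int c = (unsigned char)raw[i];
        if (c == '%') {
            int hi = hexval((unsigned char)raw[i + 1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)raw[i + 2]);
            if (hi < 0 || lo < 0) return false;      /* "%2" at end, "%zz", ... */
            c = hi * 16 + lo;
            i += 2;
        }
        if (o + 1 >= outsz) return false;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return true;
}

/* Accept a decoded file-name parameter only if it is built from an allow-list
 * (letters, digits, '-', '_', '.', '/'), is relative, and has no ".." component.
 * Everything else (newline, space, '|', ';', '\\', control bytes, ...) is
 * rejected by not being on the list, rather than by an ever-growing deny-list. */
bool decoded_name_is_safe(const char *s) {
    if (s[0] == '\0' || s[0] == '/') return false;       /* empty or absolute */
    for (const char *p = s; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '-' || c == '_' || c == '.' || c == '/'))
            return false;
    }
    /* Reject any path component that is exactly "..", or an empty "//" one. */
    for (const char *p = s; *p != '\0'; ) {
        const char *end = strchr(p, '/');
        size_t n = end ? (size_t)(end - p) : strlen(p);
        if (n == 2 && p[0] == '.' && p[1] == '.') return false;
        if (n == 0 && end) return false;
        p = end ? end + 1 : p + n;
    }
    return true;
}

/* The full check a CGI script would run on one parameter before using it. */
bool cgi_param_is_safe(const char *raw) {
    char buf[256];
    return percent_decode(raw, buf, sizeof buf) && decoded_name_is_safe(buf);
}
```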
The race condition
As the name suggests, a race takes place, here between two programs. One program occupies certain resources (files, memory areas, interrupts, etc.), but does not protect them sufficiently against misuse. A second program, started by the attacker, uses this resource in an improper way. However, the access must occur at exactly the right moment. A classic example is access to temporary files that are temporarily filled with data by an application but are later deleted. Access to these files is often possible without special privileges, so that the data can be read and/or changed.
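An added example (not from the original text) of the temporary-file case in C: the check-then-create pattern that opens the race beside a version using mkstemp (POSIX), which creates the file atomically with O_EXCL and mode 0600 and hands back a descriptor, so there is no moment in which another process can pre-create, replace or read the file. The directory, file contents and helper names are constructed for this example.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* mkstemp and friends */
#endif
#include <fcntl.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Before: the race. Between the existence check and the open, another process
 * can create the same name (or a symlink to a file it wants overwritten), and
 * O_CREAT without O_EXCL happily follows it. The file is also world-readable
 * unless the umask says otherwise. */
int write_scratch_racy(const char *path, const char *data) {
    if (access(path, F_OK) == 0) return -1;                 /* check ... */
    int fd = open(path, O_WRONLY | O_CREAT, 0644);          /* ... then use */
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* After: mkstemp replaces the trailing XXXXXX of the template with a random
 * suffix and creates the file with O_CREAT|O_EXCL and mode 0600 in a single
 * system call, so the file is ours before anybody else can touch it. All
 * further work happens on the descriptor, not on the path. The template is
 * modified in place so the caller can unlink the file when done. */
int write_scratch_safe(char *path_template, const char *data) {
    int fd = mkstemp(path_template);
    if (fd < 0) return -1;
    size_t len = strlen(data);
    ssize_t n = write(fd, data, len);
    close(fd);
    if (n < 0 || (size_t)n != len) { unlink(path_template); return -1; }
    return 0;
}

/* Helper: true if the file at `path` is readable by its owner only and holds
 * exactly `expected`. Used to verify the safe variant. */
bool scratch_file_ok(const char *path, const char *expected) {
    struct stat st;
    if (stat(path, &st) != 0 || (st.st_mode & 077) != 0) return false;
    char buf[256] = {0};
    int fd = open(path, O_RDONLY);
    if (fd < 0) return false;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    return n >= 0 && strcmp(buf, expected) == 0;
}
```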
Cryptography and cryptology have always been my passion and as I am not blessed with the blessings of
Cryptography is a science for the development of cryptosystems and, along with cryptanalysis,
a subfield of cryptology. With the help of cryptographic procedures such as encryption, data
is to be protected from unauthorized access and securely exchanged.
confidentiality, integrity, authenticity and liability (non-repudiation)
1. confidentiality: it should be ensured that only those who are meant to receive and read the message are able to do so.
2. integrity: The recipient should be able to determine whether the data or the message has been modified after its creation.
3. authenticity: the sender or originator of data or messages should be identifiable, or the recipient should be able to verify who the originator is.
4. liability (non-repudiation): the originator should not be able to deny that he is the originator of the data/message.
Ten key questions of cryptography
How does encryption work?
Simple encryption methods already existed thousands of years ago. The Roman Emperor Julius Caesar, for example, developed a method as early as 50 BC in which each letter is replaced by the one that comes 13 digits later in the alphabet. A text converted in this way is unreadable for anyone who does not know the encryption method or, in short, the key. This method, later called "Caesar encryption", is based on a symmetric encryption. The text is encrypted and decrypted in the same way. The catch of such methods: All parties involved must know the key. To do this, the key must be passed on as securely as possible. Because as soon as a spy gets it, the encryption is worthless. Then the old key has to be changed - and everyone has to be informed about it in a secure way.
To avoid these problems, asymmetric procedures are used today: the data is encrypted with a key that is publicly accessible and decrypted with a private key that only the recipient of the message has. You can imagine it like a box with an open padlock: anyone can put something into the box and snap the lock shut without a key, but only the recipient can open it with his key.
In mathematical terms, this works, simplified, via calculations that are easy in one direction and hard in the other, such as multiplying two large prime numbers: the product is quick to compute, but recovering the two primes from the product (factoring) is not. In RSA, the public key contains that product; to decrypt, you need a value that can only be computed from the two original primes, and those primes are what the private key amounts to. Even with small numbers the effect becomes clear.
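To make the two models concrete, here is an added example (not from the original page): a Caesar shift as the symmetric case, and a toy textbook RSA key pair built from two small, constructed primes. The last function performs the "hard direction" the easy way, by factoring the tiny modulus, which is exactly why real keys use primes hundreds of digits long. Textbook RSA without padding is shown only to make the arithmetic visible; it is not how RSA is used in practice.

```python
import math

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def caesar(text, shift):
    """Symmetric substitution cipher: one secret shift both encrypts
    (positive shift) and decrypts (negative shift). Non-letters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_brute_force(ciphertext):
    """'Not knowing the key' is no protection when there are only 25 keys:
    returns every candidate plaintext, keyed by the shift that produces it."""
    return {k: caesar(ciphertext, -k) for k in range(1, 26)}


def rsa_keygen(p, q, e=17):
    """Textbook RSA from two primes. The public key is (n, e) with n = p*q;
    the private exponent d can only be computed from phi = (p-1)*(q-1),
    i.e. from the two primes themselves."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(public_key, m):
    n, e = public_key
    return pow(m, e, n)


def rsa_decrypt(private_key, c):
    n, d = private_key
    return pow(c, d, n)


def factor_by_trial_division(n):
    """The 'hard direction' of the trapdoor: recover p and q from n.
    Instant for a toy modulus; for a 2048-bit n the search space is
    astronomically larger, and that gap is the whole security argument."""
    for p in range(2, math.isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("n has no non-trivial factor")


def recover_private_key(public_key):
    """Anyone who can factor n can rebuild d: the private key *is* the
    knowledge of p and q."""
    n, e = public_key
    p, q = factor_by_trial_division(n)
    return (n, pow(e, -1, (p - 1) * (q - 1)))


if __name__ == "__main__":
    # Symmetric: both sides need the same secret shift.
    ct = caesar("ATTACK AT DAWN", 3)
    print(ct, "->", caesar_brute_force(ct)[3])
    # Asymmetric: constructed toy primes so the numbers stay readable.
    pub, priv = rsa_keygen(61, 53)
    c = rsa_encrypt(pub, 65)
    print(pub, priv, c, rsa_decrypt(priv, c))
    # ...and why key length matters: a 12-bit modulus is factored instantly.
    print(recover_private_key(pub) == priv)
```

The message 65 must be smaller than the modulus; with real key sizes the same code would never finish `factor_by_trial_division`, which is the point.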
What does end-to-end encryption mean?
With end-to-end encryption, the data is encrypted on the sender's device and only decrypted again on the recipient's device. If it is intercepted on the way, it is unreadable without the key. Even the provider on whose servers the data is stored only holds it in encrypted form. So if authorities request the data from the provider, the provider can only hand over useless ciphertext, whether it wants to or not.
The counterpart to this is transport encryption, also known as point-to-point encryption. This method is often advertised as if it were equivalent to end-to-end encryption, although only the path between the individual hops, for example between two devices in a network, is secured. On the providers' servers, the messages are stored unencrypted.
What factors make encryption secure?
The length of the key plays a role in how hard, and therefore how computationally expensive, it is to guess. With larger prime numbers, the effort needed to break the cipher generally increases. But nowadays the problem is usually not the encryption itself but its correct application and a good implementation. An encryption algorithm can be as good as it gets: if it is poorly translated into the code that computers actually execute, it has gaps. The next hurdle is errors in use. Encryption only works if you also use the right key (see also the section "What is a man-in-the-middle attack?"), which you would actually have to verify by meeting the contact in person or by some other means of confirming that the key really belongs to the person you think it does.
Objective factors that make for good encryption are also: end-to-end rather than mere transport encryption, so that the provider cannot read along; the ability to verify contacts; and a method that prevents an attacker from using stolen keys to decrypt communications from the past (forward secrecy). In addition, any measure that makes the code verifiable is a good sign, such as publishing the source code.
What can encryption not protect against?
A major weakness that cannot be eliminated simply by encrypting messages is so-called metadata. This data accompanies every digital communication and describes, for example, between whom, when and, where applicable, from where the participants are talking. For intelligence services it can be more interesting than the content of the many messages, which is difficult to evaluate.
Just how much this metadata reveals about our lives was shown by a now famous experiment by the Green politician Malte Spitz in cooperation with the data journalism office Open Data City and "Zeit Online": Spitz voluntarily had himself monitored by making the metadata of his mobile phone available to data journalists. The result was a pretty complete personality and movement profile, without the data spies even having to look at the content of SMS, e-mails or messenger chats. In the case of Spitz, everyone involved knew about the surveillance. It becomes unpleasant when someone records the transmitted information without the people being spied on noticing. If you want to rule out this danger for the keys themselves, you have to verify them over a different channel, for example by meeting in person. Some messengers solve this by means of a QR code, in which the public key is encoded: it is scanned from the other person's smartphone and then compared. Or there is an electronic checksum (fingerprint) of the keys, a few characters long, which can be compared over the phone, for example.
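An added example of such a key checksum (not part of the original text; the digest layout is an assumed one, not any particular messenger's format): both parties hash the public keys they hold, and the displayed codes only agree if nobody swapped a key in between. The keys themselves are constructed filler bytes standing in for real 32-byte public keys.

```python
import hashlib


def key_fingerprint(public_key, groups=12, group_len=5):
    """Render a public key as a short string that two people can compare
    aloud. Assumed scheme (not any specific messenger's): SHAKE-256 over the
    raw key bytes, 4 bytes per group, reduced to `group_len` decimal digits."""
    raw = hashlib.shake_256(public_key).digest(4 * groups)
    parts = []
    for i in range(groups):
        chunk = int.from_bytes(raw[4 * i:4 * i + 4], "big")
        parts.append(str(chunk % 10 ** group_len).zfill(group_len))
    return " ".join(parts)


def safety_code(key_a, key_b):
    """What each side's app displays for a conversation: fingerprints of both
    keys in a fixed order, so both screens must show the identical string.
    This same string is what a QR code would carry."""
    first, second = sorted([key_a, key_b])
    return key_fingerprint(first) + "\n" + key_fingerprint(second)


def verified_in_person(shown_on_alice_phone, shown_on_bob_phone):
    """The out-of-band check: the two displayed codes must match exactly."""
    return shown_on_alice_phone == shown_on_bob_phone


# Constructed stand-ins for 32-byte public keys (real keys come from the
# messenger's key exchange; these are just deterministic filler bytes).
ALICE_KEY = hashlib.sha256(b"alice public key (constructed)").digest()
BOB_KEY = hashlib.sha256(b"bob public key (constructed)").digest()
MALLORY_KEY = hashlib.sha256(b"mallory public key (constructed)").digest()


def honest_exchange():
    """No interception: both phones hold the genuine keys and show the same code."""
    alice_sees = safety_code(ALICE_KEY, BOB_KEY)   # her key + the key she received for Bob
    bob_sees = safety_code(BOB_KEY, ALICE_KEY)     # his key + the key he received for Alice
    return verified_in_person(alice_sees, bob_sees)


def intercepted_exchange():
    """Man in the middle: Mallory hands each side her own key instead of the
    other's. Messages still 'work' (Mallory re-encrypts them), but the
    displayed codes differ, which is what the phone call or QR scan catches."""
    alice_sees = safety_code(ALICE_KEY, MALLORY_KEY)
    bob_sees = safety_code(BOB_KEY, MALLORY_KEY)
    return verified_in_person(alice_sees, bob_sees)


if __name__ == "__main__":
    print(safety_code(ALICE_KEY, BOB_KEY))
    print("honest:", honest_exchange(), "intercepted:", intercepted_exchange())
```

Note that the comparison itself must happen over a channel the attacker does not control; comparing the codes through the same messenger would let a man in the middle rewrite them too.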
What good is open source code?
Disclosing the source code is regarded as a central security measure, because only then can experts and hackers check the quality of the encryption. Not only can they test whether there really is no backdoor for intelligence services, they can also search for other weaknesses and thus constantly improve the software. Many companies refuse to do this for reasons that are sometimes understandable, for example because the software is their core business and they consider it a trade secret. This does not necessarily mean that these companies have something to hide.
"Open source code helps dramatically with security." On the other hand, it is of course no guarantee that there are no backdoors: "There is no perfect way to automatically check code for backdoors or other vulnerabilities. That leaves only the voluntary hard work of the hacker community. After all, you don't see a line of code's problems at first glance."
Software defined Radio
What not so long ago could only be achieved with considerable effort (high-quality broadband receivers) can now be achieved quite easily and inexpensively thanks to modern digital technology, by combining a small RF receiver module (a DVB-T stick) with the appropriate software. There are both pure receivers and real transceivers available, albeit with very limited transmission power, at prices ranging from about 15 € for an RTL2832U-based DVB-T stick to several thousand euros for an Ettus USRP with the corresponding daughterboards.
"Software Defined Radio (SDR) is the term used to describe concepts for high-frequency transmitters and receivers in which smaller or larger portions of the signal processing are implemented in software. The analog component can be a tuned radio frequency receiver or a superheterodyne receiver. Above all, channel selection and modulation/demodulation are realized in an SDR by means of digital signal processing." (Wikipedia)
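An added example of the "selection and modulation/demodulation in software" part, not from the page or from Wikipedia: a constructed FM signal is generated as complex baseband (IQ) samples, shifted in frequency as a mistuned receiver would see it, tuned back to 0 Hz by a complex multiply, and demodulated with a phase discriminator. Sample rate, deviation and tone are made-up values; no hardware is involved.

```python
import cmath
import math

# Constructed parameters for a synthetic IQ stream.
FS = 48_000      # sample rate in Hz
DEV = 5_000      # FM frequency deviation in Hz for a message amplitude of 1.0
TONE = 1_000     # message tone in Hz


def message_tone(n_samples, freq=TONE, fs=FS):
    """Constructed baseband message: a pure sine tone."""
    return [math.sin(2 * math.pi * freq * n / fs) for n in range(n_samples)]


def fm_modulate(message, fs=FS, dev=DEV, offset=0.0):
    """FM-modulate a real message into complex baseband IQ samples.
    `offset` places the signal away from 0 Hz, as a slightly mistuned
    receiver (or a neighbouring channel) would see it."""
    iq, phase = [], 0.0
    for n, m in enumerate(message):
        phase += 2 * math.pi * dev * m / fs       # integrate instantaneous frequency
        carrier = 2 * math.pi * offset * n / fs
        iq.append(cmath.exp(1j * (phase + carrier)))
    return iq


def tune(iq, offset, fs=FS):
    """Digital down-conversion (the 'selection' done in software): multiply by
    a complex exponential to shift the wanted channel down to 0 Hz."""
    return [s * cmath.exp(-1j * 2 * math.pi * offset * n / fs) for n, s in enumerate(iq)]


def fm_demodulate(iq, fs=FS, dev=DEV):
    """Quadrature (phase-difference) discriminator: the angle between
    consecutive samples is the instantaneous frequency; dividing by the
    deviation gives back the message amplitude."""
    out = [0.0]                                   # no previous sample for n = 0
    for prev, cur in zip(iq, iq[1:]):
        delta_phase = cmath.phase(cur * prev.conjugate())
        inst_freq = delta_phase * fs / (2 * math.pi)
        out.append(inst_freq / dev)
    return out


def max_abs_error(a, b, skip=1):
    """Largest sample-wise difference, ignoring the first `skip` samples."""
    return max(abs(x - y) for x, y in zip(a[skip:], b[skip:]))


def demo(n_samples=480, offset=10_000.0):
    """Receive a channel sitting `offset` Hz away: without tuning, the
    demodulated output carries a constant error of offset/dev (here 2.0);
    after tuning, the tone is recovered up to floating-point error."""
    msg = message_tone(n_samples)
    iq = fm_modulate(msg, offset=offset)
    untuned = max_abs_error(fm_demodulate(iq), msg)
    tuned = max_abs_error(fm_demodulate(tune(iq, offset)), msg)
    return {"untuned_error": untuned, "tuned_error": tuned}


if __name__ == "__main__":
    print(demo())
```

With real hardware the IQ samples would come from the stick's ADC instead of `fm_modulate`, and a low-pass filter after `tune` would remove the neighbouring channels before the discriminator; the discriminator itself is unchanged. The phase difference per sample must stay below π, which bounds the deviation plus offset to less than half the sample rate.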
They are as old as mankind and as fascinating as no Hollywood thriller could ever be. Some of their secret operations became legendary, others are still under lock and key. Some of them are familiar to us, of others we hardly know the names, but they all have one thing in common: scruples are rather foreign to them, blackmail, lies and murder are part of their craft, and even the poorest countries afford themselves at least one.
I have taken the following from the international press:
Secret services are usually public authorities and are organized in different ways in their respective countries. What they all have in common: they collect information through intelligence gathering and analysis, usually on foreign, domestic or security policy issues. Time and again, criticism is voiced against the services: secret services such as the American NSA spy on millions of people without regard for data protection or personal rights.
Here is a small selection of the most famous representatives of this guild
Ministry of State Security
Strange incidents and research projects
Operation Artichoke was an extensive, secret research program of the Central Intelligence Agency (CIA) on possibilities of mind control from August 20, 1951 to April 20, 1953, preceded by the BLUEBIRD project and followed by the MKULTRA project.
Operation Mincemeat was a successful British deception operation of the Second World War to disguise the 1943 Allied invasion of Sicily.
The scientist Frank Olson worked for the CIA on mind control experiments. In 1953 he fell from the 10th floor of a hotel in New York City. Did the intelligence service kill him?
False flag operations
False flag operations are nothing new and have always been carried out by governments around the world to manipulate the course of events for their own purposes. Usually these inside jobs are only admitted decades later or never at all, and in some cases high-ranking members of parliament, the military or other insiders let slip statements about them. The following is a list of officially confirmed false flag operations, which were admitted afterwards, voluntarily or involuntarily.
Japanese troops set off a small explosion on a railway line in 1931 and blamed it on China to justify the invasion of Manchuria. This is known as the "Mukden Incident". An international tribunal later found that several of the participants in the plan, including Hashimoto [a high-ranking Japanese officer], had on various occasions admitted their roles and confirmed that the purpose of the "incident" was to provide a pretext for occupying Manchuria.
Soviet Union, 1939
Soviet leader Nikita Khrushchev admitted in writing that the Red Army itself shelled the Soviet village of Mainila in 1939 and that the attack was blamed on Finland as the pretext for the "Winter War" against Finland. Russia's President Putin and his predecessor Boris Yeltsin confirmed that the Soviet Union was the aggressor.
Soviet Union, 1940
The Russian parliament conceded that Soviet leader Josef Stalin gave his secret police the order to murder 22,000 Polish officers and civilians in 1940 and blame it on the Germans. Both Putin and former Soviet leader Gorbachev confirmed that the Soviets were responsible for the Katyn massacre.
Israel admitted that an Israeli cell in Egypt placed bombs in several buildings, including US facilities, and then planted evidence to blame the attacks on Arabs.
The CIA admits that in the 1950s it hired Iranians to pose as Communists and bomb targets in Iran in order to turn the population against the elected prime minister.
The Turkish Prime Minister has admitted that the Turkish government carried out a bomb attack on a Turkish consulate in Greece in 1955, which also damaged the birthplace of Atatürk, and blamed it on the Greek government.
Great Britain, USA, 1957
Documents from the British Prime Minister's papers show that he and the American President Dwight D. Eisenhower approved a plan in 1957 for attacks in Syria that were to be blamed on the Syrian government in order to bring about regime change.
A former Italian Prime Minister, an Italian judge and a former head of Italian counterintelligence confirmed that NATO, with the help of the Pentagon and the CIA, carried out terrorist attacks in Italy and other European countries in the 1950s and blamed them on the Communists, in order to create an anti-communist mood in Europe. One of the perpetrators later stated: "You had to attack civilians, men, women, children, innocent people, unknown people far removed from any political game. The reason was quite simple: they were supposed to force these people, the Italian public, to turn to the state to ask for greater security."
Terrorist attacks have also been staged in France, Belgium, Denmark, Germany, Greece, the Netherlands, Norway, Portugal, Great Britain and other countries.
In 1960, the American Senator George Smathers proposed that the USA stage an attack on Guantanamo Bay to provoke an armed conflict and give the USA legitimacy for overthrowing Castro.
In 1961, senior U.S. government officials discussed blowing up a consulate in the Dominican Republic to justify an invasion. The plans were not implemented.
In 1962 (Operation Northwoods), plans were drawn up to blow up US planes and stage terrorist activities on American soil in order to blame Cuba and obtain a reason for war.
USA, Operation Mongoose, 1962
At that time, the US Department of Defense proposed paying people from the Castro government to have Cuba attack the United States.
In 1963, attacks were to be carried out on member states of the Organization of American States, such as Trinidad and Tobago or Jamaica, in order to blame Cuba.
How the West tricks and deceives online
Russia manipulates social media? Western intelligence services use the same methods. Mustafa Al-Bassam experienced it himself when he became the target of a British undercover operation. US intelligence services say: Russian trolls manipulated debates on the internet in 2016 to help Donald Trump become president. Disguised behind fake user accounts, they are said to have exaggerated accusations against Hillary Clinton beyond all measure and tried to polarize US domestic politics even further. Allegedly all this happened with the backing of the Kremlin. Yet Western states resort to similar means to exert political influence abroad. They work with false identities and manipulate websites.
Joint Threat Research Intelligence Group (JTRIG) is the name of the sub-unit of the British intelligence service GCHQ that Al-Bassam holds responsible for the tricks. Its existence was revealed in 2013 by NSA whistleblower Edward Snowden. Documents showed that the unit shrinks from practically nothing: infiltration and "false flag" actions, "disruption" and "discrediting" are at the centre of its operations. Sexual "honey traps" are also said to be part of the unit's repertoire. It also set up Facebook groups or other online forums in order to monitor and steer the debates there. The aim, it says, is to "sow distrust,
Hitler's Man on the Bosporus
Codename Cicero: Elyesa Bazna is considered the most famous Turkish spy, and a new film adds further legends about him. Who really was the aria-singing agent who died 50 years ago in Munich? Born in 1904 in Priština, now the capital of Kosovo, died in Munich in 1970. A recipient of unemployment benefit who felt cheated of his wages, the wages of fear, and who was himself a fraud. A life like a picaresque novel or an oriental shadow play. And a forgotten chapter of German-Turkish history. At the cemetery in the south of Munich there are also two groves of honour for victims of the concentration camps and graves of Polish soldiers from the Second World War. This was not Elyesa Bazna's war, but in this war he became a perpetrator, and a victim.
"My lust for life was insatiable: pleasure, greed and secret power." Bazna was valet to the British ambassador in Ankara in 1943. Turkey was a neutral country whose favour was sought by many: the British would have liked to win Turkey over to their side, and the Germans wanted to prevent exactly that and threatened to bomb Istanbul and Izmir should Turkey declare war on the Third Reich. The Turkish capital was full of agents at the time, and Elyesa Bazna discovered that he had the best qualifications for the job. Nobody recruited him, he did it himself, and he sold his knowledge at a very high price to a country with which he had no real connection. Bazna was not a Nazi, but he supplied the Hitler regime with the most secret documents of the Allies. To his source, the British Ambassador Sir Hughe Knatchbull-Hugessen, he brought every morning a freshly ironed pair of trousers and a brushed jacket, and every evening pyjamas and a strong sleeping pill. Then he took the secret documents from a box by the Ambassador's bed, photographed them in the servants' room and put them back on the bedside table. Or he opened the diplomat's safe with a duplicate key he had made himself. Bazna always lived with the fear of being discovered; had that happened, he might not have survived. The spy in the butler's uniform knew this, and he eventually recognized the explosive nature of the papers he copied and passed on to the German ambassador in Ankara, the former Reich Chancellor Franz von Papen. Why does someone risk everything for warlords who mean nothing to him? Out of a thirst for adventure, out of greed for money? There are many versions of this story full of secrets, and recently a Turkish feature film called "Çiçero". It tries to make a hero out of the spy without making the Nazis he served look good. That is why the agent here acts on higher orders: Kemal Atatürk, the founder of the republic, appears in shadowy form at the end.
Atatürk died in 1938, but as the film tells it, he is said to have personally instructed Bazna, as a member of "the national secret organisation", to keep Turkey out of a new "dirty war". Bazna, played by the dazzling Erdal Beşikçioğlu, who is popular in Turkey, answers Atatürk: "Yes, my Pasha." So was Cicero really a Turkish spy? Or a double agent? Bazna writes in his memoirs what a "strange route" the money he was paid took; it began and ended in Turkey: "At the beginning of the war, Turkish weavers delivered linen to Germany. The same quality of linen could not be found elsewhere. This Turkish linen was then processed into paper of the same type used by the Bank of England." But Bazna only found out about this after the war, when the counterfeit notes he had been paid with came to light in Istanbul. He also talks about this in his memoirs, entitled "I Was Cicero". They were recorded by the German author Hans Nogly in Munich, first for the Illustrierte Revue; the book was published in 1964 by Lichtenberg Verlag. The first sentence of this autobiography sounds like a confession: "My lust for life was insatiable." And in 320 pages Bazna tells what moved him: "Pleasure, money, secret power." He describes himself as "ugly", small, with a bulky nose, "boorish and at first sight clumsy". But he loved women, many women, too many for the Turkish screen epic, which modestly limits itself to a single love story.
Pegasus, Trojan, Exodus - How states spy on mobile phones
Wolfgang Schäuble was suddenly everywhere. In 2007 his head appeared in the streets, sprayed on walls, printed on T-shirts, along with the polemical slogan "Stasi 2.0". A media designer had created the "Schäublone", the Schäuble stencil, and with it a viral campaign that spilled out of the net into analogue Germany. It was directed against the plans of the then Federal Minister of the Interior for so-called online searches: investigators were to be able to infect computers, and later also mobile phones, with software in order to read data from the devices. Schäuble's ideas are now anchored in German law. The Federal Criminal Police Office (BKA) alone has three kinds of Trojan software available to read out smartphones and computers. New police laws also allow states such as Bavaria or Baden-Württemberg to use such technology. After all, it is not only in countries such as China that politicians are interested in secretly smuggling software onto people's mobile phones to read them out.
The German state Trojan is used in two ways. During an online search, the software inspects the mobile phone like an apartment, without the person concerned noticing anything. The other variant records the communication practically live, without taking photos and documents from the device's memory, at least that is how those in charge see it. This so-called source telecommunication surveillance (Quellen-TKÜ) has the advantage for the monitors that they can, for example, pick up WhatsApp messages before the chat app encrypts them and sends them, unreadable to third parties, to the conversation partner. The Ministry of the Interior objects to the term "Trojan", which it says describes "usually malicious programs that are illegally executed on information technology systems", whereas the BKA only uses such software legally, and the Federal Constitutional Court has regulated its use. Constitutional complaints have again been lodged with the highest court against the 2017 revision of the Code of Criminal Procedure. The amendments allow the method for a long catalogue of offences, including not only high treason, rape, murder, drug trafficking and war crimes: the complaint of the Society for Civil Liberties (Gesellschaft für Freiheitsrechte) objects to the fact that violations of the Asylum and Residence Acts as well as receiving stolen goods and counterfeiting money have also been included, offences that are not serious enough to justify the monitoring of private data.
A different procedure is used on asylum seekers: the person concerned unlocks his or her mobile phone with a PIN or fingerprint. Then the device is connected to a special terminal that the Ministry of the Interior has purchased from an IT forensics company, and the data flows out. In order to check the origin and travel route of an asylum seeker, the officials use, among other things, the language in which messages are written, the country codes of the stored contacts, and geodata that show where the person, or more precisely the mobile phone, has been and when.
Operation Honeybee: The border police raid the smartphone, then an app extracts a lot of private information. An investigation from an unprecedented surveillance state.
Peter H has to unpack his suitcase. Laundry, shower gel, souvenirs of his journey so far along the old Silk Road through Asia. Peter H, whose real name is different, wants to cross the border into China; Chinese officials frisk him and search his luggage. H is nervous, his hands tremble when he brings out postcards of a mosque. "Where is this?" asks one official while another one films H. Next, the border police officer discovers a "Lonely Planet" travel guide that H has with him; inside it is a picture of a man in a turban, apparently a Muslim. "Do you know this man?" the police officer asks him in Chinese and points to the photo. Like many other tourists and business travellers, H assumed that only individual people were affected by the massive Chinese surveillance in the region. In any case, he did not want to let it ruin his holiday. But then things turned out a bit differently. The control at this checkpoint is so elaborate that the Chinese police built a hall for it. H has already had to turn around three times in the body scanner to be captured from all sides. Then the luggage: for his several weeks in Asia he only has a small suitcase with him, and after a quarter of an hour the officers are finished with it. But the most important search still follows: that of the smartphone. A border police officer demands H's mobile phone, has him type in the PIN and leaves the room. On the wall is the slogan of the Chinese border police, who call themselves "sunshine service" and promise a "comfortable, immediate and intelligent" entry. Peter H's phone weighs only a fraction of what his suitcase weighs, but it reveals more about him than a piece of luggage ever could. It reveals who he loves and who he hates. It reveals when he got up, where he is travelling to, whom he has met and whom he wants to meet.
No invention has made people as transparent as the permanently networked smartphone, to which everyone confides so much. H's smartphone now lies in a room not much bigger than a storage room. H is not allowed to enter this room, but an SZ reporter does. A dozen mobile phones are lying on a table, each device on the passport of its owner. More than a dozen people crossed the border this morning: European and Asian tourists, Kyrgyz truck drivers and Chinese entrepreneurs had to hand in their smartphones, tablets and computers. Because the policeman is working on many devices at the same time, he often mixes them up, and later he has to ask travellers to help him assign them. A border guard connects H's mobile phone to a Wi-Fi network and loads an app onto the device, 3.9 MB, the size of two photo files. A white screen with two buttons appears on H's display. One says "start search", the other "uninstall". The policeman taps "Start search". The flow of personal data to the Chinese state begins.
But is this state itself becoming a bit more transparent now?
For the first time, the Chinese surveillance app has been analysed in detail. The app shows how easy it is to search through a person's life by tapping their mobile phone, and it gives an insight into the methods and mindset of the Chinese state, which operates what is probably the largest surveillance apparatus in the world. China's President Xi Jinping has recently expanded this apparatus massively. The Chinese internet is one of the most heavily censored networks in the world, the government has put up cameras all over the country, and with the help of a social credit system China's government wants to rate people according to their performance, behaviour and finances. Millions of people have already been banned from taking the express train or flying, as a punishment. The app is another component in this system. Ron Deibert of the Citizen Lab in Toronto calls it part of China's "dystopian plan" to use a combination of "technology and political and social control" to turn the Xinjiang region into a "digital prison". "Such apps are a great threat to civil society freedoms, freedom of expression and assembly," he says. The digital forensics experts at the Berlin-based company Cure53, commissioned by the Open Technology Fund, came to a similar conclusion: the app could undoubtedly collect enormous amounts of very specific data. "This material can certainly form the basis for taking action against a specific group (or groups) of citizens," they say. This is a violation of human rights. Neither China's central government nor the provincial government in Xinjiang wanted to comment on requests for this research. The company Nanjing Fiberhome Starry Sky Communication Development, which developed the app, is also silent. It was previously known that Chinese authorities force citizens in the western Chinese province of Xinjiang to install surveillance apps on their mobile phones.
The German Foreign Office writes in its travel advice for the province that smartphones and cameras are likely to be checked. What is new is that the state is searching all devices of foreigners entering the country by land, apparently without any initial suspicion. This affects business people and tourists from all over the world, including those from Germany, who enter the country via the border between Central Asia and the Chinese west, including both border crossings from Kyrgyzstan. Five hours before H has to hand in his mobile phone, he left the Kyrgyz settlement of Sarytash, 70 kilometres west of the border. He does not want too many details about him to be revealed, for fear of not being allowed to travel to China. The SZ editorial office has changed his name for his protection. At the beginning of his journey, H agreed to have a reporter accompany him, and he also wanted to be quoted. After all, he said, the state surveillance in China was an outrage; in Europe one would never accept such a thing. H got up at six in the morning that day, ate a bowl of sweetened rice porridge and got into the car. To get to China, he chose the route over the 3,700-metre-high Irkeshtam Pass. The road is icy, it is snowing. Some trucks broke off the dangerous journey along the gorges at night and waited at the roadside for daylight. There are twelve checkpoints between H and China. The first four are on the Kyrgyz side, where usually one or two bored soldiers lean on their machine guns or ask H to take cola bottles to the next border post. Only the last few metres to China feel like the way into the surveillance state. After H has left Kyrgyz soil, he has to walk several hundred metres. He is greeted on the other side by three armed police officers. From now on he has to have his face, passport and luggage scanned at every checkpoint.
The officials show much more respect for the Western foreigner than for the Kyrgyz truck drivers, at whom they usually just bark. But the distrust is the same. In the end it will take H twelve hours to cross the border corridor, which is 140 kilometres wide and one of the most remote and heavily guarded borders in the world. And hardly anywhere else in the world are people controlled as tightly as in the province that H is entering. China's central government fears that the roughly ten million Muslims of Turkic origin who live here could seek independence. In Xinjiang and other parts of China there have been repeated attacks by Islamist terrorist groups and separatists on security forces and civilians because of the repression. In order to bring the province under control, Beijing transferred Tibet's former party secretary, Chen Quanguo, to the region. Since he took office, over 90,000 new positions have been created and filled in the security apparatus; a decade ago not even a tenth of those jobs existed. The population is permanently monitored by cameras, and movement profiles are stored. People are forced to give voice and DNA samples. Mosques have been demolished, others are under surveillance. Islamic instruction is forbidden, as are religious signs such as beards and headscarves. At least one million people are held in labour camps without trial, according to UN estimates. In the camps they are forced to speak Chinese, to learn President Xi's speeches by heart and to "sinicize", as the Communist Party calls it, meaning that they are to adapt to the way of life of the Han Chinese, who make up about 90 percent of China's population. Amnesty International speaks of one of the "greatest human rights violations worldwide". China calls it a contribution to the fight against terror. The tourist H, however, is not a terrorist, but only a traveller who is interested in Central Asia, in the mosques, the people and the food. The app that is installed on his mobile phone when he enters the country is only recognizable at second glance. It appears on his screen among the other apps, between Facebook and WhatsApp. The app's icon is inconspicuous: it is the green robot with antennas on its head that symbolizes Google's Android operating system, so the Chinese spy program looks as if it were part of the usual equipment of his smartphone. If you look closely, you can see the name of the app under the robot, Fengcai, which roughly means "collecting honey bees". Travel agencies in Kyrgyzstan report that this software has been installed on tourists' mobile phones since at least 2018; the SZ has spoken to people who entered the country more than a year and a half ago. So what do the honey bees collect? The short answer: just about everything.
The app asks for 20 permissions; in fact it then uses access to the calendar, SMS, contacts, storage, location, call logs and phone number, which covers almost all the essential functions. Like a swarm of bees in a flower meadow, the Fengcai app buzzes around the device and sucks up as much honey as possible. The app that the SZ examined only runs on devices with Google's Android operating system; iPhones are apparently read out by connecting an external unit to the phone's charging port, according to observations at the border post. The app sorts the data obtained, compiles it in tabular form and sends these overviews over Wi-Fi, as a "report", to a computer at the border post, where security officers can study the initial evaluation. This contains all calendar entries, call logs, contacts and SMS. The profile pictures of all contacts are also transferred. At the same time, the app prepares the information in machine-readable form and sends these records, together with the list of all apps installed on the device, to the computer at the border post. It is unclear what happens with this, but it is possible that the data is sent to a central police database and systematically evaluated there. This would make it possible, for example, to determine whether a contact of the traveller has also entered the country. Part of the app also searches for logins to Chinese social networks and for data from a navigation app. But the "honey bees" can do even more, as a test shows. At the Ruhr-Universität Bochum, experts put a smartphone with the surveillance app installed into a metal box to shield the device from the German mobile phone network. Inside the metal box a Wi-Fi network was set up at the same time. This environment is meant to correspond to the one at the Chinese border, so that the app behaves as it would at the border post.
Now the technicians start the app's scan mode. And indeed, it immediately reports a result: a suspicious file that is stored on the mobile phone. The app reports the find with a message on the screen and a beep that could come from a computer game. This reveals another feature of the Chinese surveillance program: the "Collecting Honeybees" app also searches the smartphone for content that the Chinese government considers suspicious. To do this, the app takes a kind of fingerprint of each file stored on the smartphone and compares these so-called hash values with a database inside the app containing 73 315 entries. All 73 315 files are dubious from the point of view of the Chinese government. They include content that is clearly terrorist:
Pamphlets of the organization "Islamic State" or jihadist violence videos. The app searches for issues of the jihadist magazine Inspire, which explains, among other things, how to make a bomb at home. There are also videos of beheadings from Iraq and footage of the German Islamist Denis Cuspert, who was probably killed in Syria more than a year ago. Other videos show beheadings by members of Mexican drug cartels. If the app finds such a file on the phone, it emits a beep to warn the border officials. It also shows on the smartphone screen, in red numbers, how many suspicious files it has identified. The SZ and its partners examined a good 500 of the 73 315 files classified as suspicious. The result: the Chinese state is not only looking for Islamist or terrorist content. Some files in which Arabic is spoken or written contain harmless recordings of Koran suras that devout Muslims save on their mobile phones. Another file the app looks for is a recording by a Japanese metal band, one of whose albums is called "Taiwan - another China". Other files have to do with Tibet and the Dalai Lama, such as a biography published by an organization in Taiwan. Tibet belongs to China from Beijing's point of view, but its status is controversial. Taiwan is an independent state to which Beijing claims to be entitled. Consequently, the Chinese app also searches for material that would be considered completely harmless in a European country, for example about the three forbidden Ts - Taiwan, Tibet and Tiananmen (Tiananmen Square in Beijing, where the Chinese state crushed a student uprising in 1989) - as well as for content that should be covered by religious freedom in China, at least officially. It is a collection that shows how great the paranoia in the new China under President Xi Jinping has meanwhile become, and how it is directed against more and more aspects of the country's social and cultural life.

Of course, Western democratic states also use software to spy on the private data of suspects and to search them at the border. To gain access to confidential communication on devices, German security authorities even use spy software such as the so-called Bundestrojaner, which is installed on devices without the owner's knowledge and secretly logs communication. However, the use of this software is subject to guarantees under the rule of law.

Peter Hart, the tourist, has the Chinese border controls behind him after twelve hours. The app did not find anything on his mobile phone. He is allowed to enter the country. On the streets of the city you no longer see women with headscarves, and men do not wear beards. There is a police station on every street corner. In between, police march through the streets in teams of three. They wear helmets, shields and batons. At night, blue light illuminates the sky. Hart takes a taxi towards the city of Kashgar, where he wants to visit the cattle market. The driver had to get a special permit from the police to drive the foreigner. Three cameras are mounted in the taxi, and the conversations are recorded. The driver, a Uighur, remains silent. After a few days in the province, Hart no longer wants to be quoted on what he thinks about the system of comprehensive surveillance, and he later asks that his real name not be given.
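The matching step described above (fingerprint every file, look the digest up in a list of known hashes) is the same mechanism a defender uses when sweeping endpoints for known-bad files: an incident responder hashes files and compares them against published indicator lists, and an EDR agent does the same against its signature database. The following is an added example, not code from the SZ investigation or from the app it describes; it walks a directory tree, hashes each regular file with SHA-256 in chunks, and reports the paths whose digest appears in a blocklist. The blocklist format (one hex digest per line, `#` comments allowed), the function names and the sample files are all assumptions constructed for this example.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Set, Tuple

CHUNK = 1 << 16  # read files in 64 KiB chunks so large files are never loaded whole


def file_sha256(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, streaming its contents."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def load_blocklist(lines: Iterable[str]) -> Set[str]:
    """Parse a hash list: one hex SHA-256 per line, '#' starts a comment.

    Malformed lines are dropped rather than treated as hashes, so a stray
    comment or a truncated digest cannot silently widen or narrow the set.
    """
    out: Set[str] = set()
    for line in lines:
        token = line.split("#", 1)[0].strip().lower()
        if len(token) == 64 and all(c in "0123456789abcdef" for c in token):
            out.add(token)
    return out


def scan_tree(root: Path, blocklist: Set[str]) -> List[Tuple[Path, str]]:
    """Walk `root`, hash every regular file and return (path, digest) for hits."""
    hits: List[Tuple[Path, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if not p.is_file():  # skip sockets, devices, dangling symlinks
                continue
            try:
                digest = file_sha256(p)
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole sweep
            if digest in blocklist:
                hits.append((p, digest))
    return hits


def demo() -> Dict[str, int]:
    """Constructed sample: two benign files and one whose digest is blocklisted."""
    flagged_content = b"constructed sample: content listed as known-bad\n"
    blocklist = load_blocklist([
        "# constructed blocklist for this example, not a real hash database",
        hashlib.sha256(flagged_content).hexdigest(),
        "not-a-hash  # rejected by the parser",
    ])
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes.txt").write_bytes(b"shopping list\n")
        (root / "sub").mkdir()
        (root / "sub" / "photo.bin").write_bytes(b"\x89PNG harmless bytes\n")
        (root / "sub" / "suspect.bin").write_bytes(flagged_content)
        hits = scan_tree(root, blocklist)
        for path, digest in hits:
            print(f"HIT {path.relative_to(root)} sha256={digest}")
        return {
            "blocklist_size": len(blocklist),
            "files_flagged": len(hits),
            "suspect_hit": int(any(p.name == "suspect.bin" for p, _ in hits)),
        }


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner should keep in mind: exact-hash matching only finds byte-identical copies. Re-encoding a video, re-saving a PDF or changing a single byte produces a new digest, so a list of 73 315 hashes catches only the precise files it was built from, which is also why endpoint tooling layers fuzzy hashes and content signatures on top of plain digests.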
Exploding animal dung
During the Second World War, British agents learned about special weapons in a secret exhibition. The inventions were sometimes quite curious - as later in films by James Bond.
Special Forces for acts of sabotage
The special force was created in 1940 by Winston Churchill for acts of sabotage in Germany and in the occupied territories. It was considered his secret army. Because its headquarters were in Baker Street, its members were also known as the "Baker Street Irregulars", the Baker Street Special Unit, named after the auxiliary detectives through whom Sherlock Holmes obtained information.

The SOE was able to operate by unorthodox means because of its level of secrecy, unlike the official intelligence service, the Secret Intelligence Service, known to Bond fans as MI6. The latter repeatedly spoke out against the SOE, which it considered a botched operation. The SOE became known in the 1990s when the government released secret files from World War II. But the existence of Department XVb, the very same room in the Natural History Museum, was uncovered by accident in 2004: Paul Clark, an expert on hermit crabs, followed up on a tip from his father, who had once made secret supply flights for the French Resistance. Clark researched the museum's archives and came across photos of a wing of the building that had been closed off during the war and housed a secret spy exhibition. Prospective agents were to find out there about the "state of the art" equipment. At the same time, the collection was a PR tool for the unit, which had to fight constantly to survive. Photos of King George and Queen Elizabeth prove that they accepted the SOE's invitation. An entry in the diary of the diplomat Bruce Lockhart described the exhibition as a "good show". In six rooms, arranged by theme, exhibits from such exciting-sounding areas as "incendiary devices and explosive charges" or "camouflage of explosives" were shown: bombs disguised as coal or firewood that could be mixed into the fuel of trains, exploding animal dung, modelled, depending on the area of application, on the excrement of horses, donkeys or camels, and dummies in the form of fruit and vegetables to be smuggled in among real food. Among the more absurd inventions were explosives sewn into stuffed rats and shoes that left barefoot prints to confuse the enemy. New submachine guns, revolvers and limpet mines, as well as floating equipment and miniature motorcycles dropped by parachute, were also on display.
From the camouflage department came detailed replicas of country-specific clothing; no spy was to be exposed merely because his collar buttonholes were sewn horizontally, as is customary in Britain, rather than vertically, as on the continent. Incredibly, the SOE kept an illustrated catalogue of available gadgets from which agents could order directly. Whether they had to give their alias or their real name on the order card is not known. The equipment was important, of course, but the agents also had to undergo special training to internalize their cover identity and maintain it as prisoners and under torture.
Honey traps and murder plans
During the Cold War, Berlin was considered a hub for secret services from all over the world. German intelligence officials like to point out that this is still the case. Thus, foreign services should continue to collect information about opposition members in their home country from the German capital. As in the film, in the past members of parliament were often blackmailed with secretly taken photos of intimate moments in order to get information.
In the world of the secret services there are many special terms: from A for "recruit" to Z for "access situation". This expression sounds a bit dusty, but it fits quite well to the case at hand.
The term "access situation" refers to the quantity and quality of information on a so-called observation object. Parliaments have always been preferred observation objects for spies, and the Chinese secret services are considered very eager. In the milieu, the "honey trap method" was also practised in earlier times. Members of parliament were approached by sociable ladies and, after the love play, compromised with the secretly taken photos. They were blackmailed, eavesdropped on, spied on, fed disinformation, kidnapped and even murdered. During the Cold War, Berlin was the hub of the agent services.
Especially active was the East Berlin-based GDR Foreign Intelligence Agency (HVA), which had various sources in the Bundestag. Several secretaries of members of the Bundestag also worked for the HVA. During the vote of no confidence against the then Chancellor Willy Brandt in 1972, the HVA was involved in saving the Brandt government.
Was Tehran plotting murder?
A serious domestic political crisis was soon triggered by the case of agent Günter Guillaume, who was commissioned by the East Berlin Ministry for State Security (MfS) to spy on the West and who had been a consultant in Brandt's office since 1973. After Guillaume's unmasking, the Chancellor resigned.
More than two decades ago, the Social Democrat Karl Wienand was convicted of secret service activities for the MfS. The former managing director of the SPD parliamentary group in the Bundestag was probably something of an influence agent, but he denied all accusations until his death, claiming that he was only a tolerated contact man.
German intelligence officials are happy to point out that Berlin continues to be the European capital of agents. Foreign services spy on German targets and enemy services from there, or they collect information against opposition members of their countries. Opposition members are sometimes kidnapped and abducted to their home countries, as in the movies, and German parliamentarians are sometimes spied on.
This happened, for example, to Reinhold Robbe, an SPD member of parliament and former president of the German-Israeli Society. An agent who was later sentenced to more than four years in prison and worked for an Iranian secret service had compiled movement profiles. Robbe accused Tehran of having had murder plans against him.
"The Human Factor"
"The Human Factor" is the title of an old novel by Graham Greene about the trade. Technically, however, all services have upgraded enormously. Social networks are opening up new opportunities to recruit, or siphon information from, people with access to valuable information. But the human factor still exists. Before cyber attacks, for example, services try to exploit human vulnerabilities. The supposedly friendly contact with someone who works in an interesting place still works.
Espionage headquarters in Rome uncovered
Italian investigators have uncovered an espionage centre. Business representatives and politicians are said to have been monitored from there. The main suspects are a brother and sister who lived in Rome and London. Whether they were acting for economic reasons or were part of a network is still unclear.
A grey garage door in Rome, behind it a room without windows, unplastered walls, a grey floor and: servers, computers, moving boxes full of confidential documents. The storeroom is said to be the headquarters of an espionage duo that "catalogued the entire Italian political system", as investigators of the Italian police have found out. Since 2011, the siblings Giulio and Francesca Occhionero, who were arrested today, are said to have recorded a total of 18,327 people. In more than 1,300 cases, the digital identities were accompanied by passwords that allowed access to mail accounts in particular. The most prominent case: the duo hacked the Apple account of former Prime Minister Matteo Renzi and thus had access to his smartphone, the accusation goes.
Thus, the two suspects captured "information of national security", according to the arrest warrant. The siblings were extremely organized, dividing the spy victims into 122 categories. The data was stored on a server in the USA, which was seized by the FBI.
"Economic Information" - or Masonic?
The focus of the Occhionero siblings was on information that is "of particular interest to people who work in certain economic circles", according to the Italian police. While their head office was in Rome, they are also said to have had a residence in London and connections in the world of finance; Giulio Occhionero ran an investment company. The suspicion that the suspected perpetrators wanted to profit economically from their actions is supported by the list of victims: in addition to the e-mail account of former Prime Minister Mario Monti, ECB president Mario Draghi was spied on during his time at the Italian central bank, as were the former head of the Italian tax authorities, General Saverio Capolupo, and various bankers.
According to the Bloomberg agency, the suspects allegedly tried to gain access to confidential data at the European Central Bank as well. However, the arrest warrant apparently does not mention the ECB, and the ECB did not want to comment on the incident. According to investigators, the siblings intercepted at least some of the sensitive information, which was then processed into dossiers. They were thus able to trace the activities of several Italian ministries, the Italian central bank and numerous companies. At the same time, the judicial arrest warrant states that Mario Occhionero is a member of Italy's largest masonic group, the Grande Oriente d'Italia. Other members of the group were also under surveillance. As recorded conversations show, Occhionero was in an internal power struggle; through his espionage activities he could have collected incriminating material to gain an advantage within the group. Whether the information was obtained for purely economic or for political reasons remains to be clarified. Likewise, given the connections to the Freemasons, the question arises whether the siblings acted in isolation or as members of a larger organization. However, there are no indications that the lodge is behind the siblings' activities. Nevertheless, the discovery awakens bad memories: in 1981 it became known that a former masonic network under the name Propaganda Due (P2) had infiltrated Italian politics.
USA release Israeli ex-spy Pollard
After 30 years in a maximum security prison, the USA will release the spy Jonathan Pollard in November. Pollard had spied as a US Navy intelligence officer for the Israeli secret service Lakam, which has since been disbanded. His case had clouded relations between the USA and Israel for years.

Jonathan Pollard, who had spied for Israel as a US Navy intelligence officer and has therefore been sitting in a maximum security prison in North Carolina for 30 years, is to be released on November 21. This was announced by his lawyers on Tuesday. Already a few days ago, the US Department of Justice had confirmed that the 60-year-old could file a corresponding application in November. Pollard has been serving a life sentence since he was arrested in the USA in 1985 and sentenced for passing secret documents to an Israeli secret service. He is alleged to have divulged military intelligence about Arab forces and the names of American agents in the Middle East. For this he is said to have received a monthly fee plus bonuses. The details are not known because Pollard pleaded guilty in the subsequent trial.
Adored like a national hero in Israel
Since then he has been revered as a national hero in Israel, with various petitions demanding his release almost weekly. His case clouded the relations between the allies USA and Israel. Opponents and supporters of his release have argued for years whether Pollard was punished too severely. Pollard is the only person in the history of the United States who received a life sentence for spying for an ally. In 1995, he received Israeli citizenship. In recent years, there had been several indications that the Americans might release Pollard. The most recent speculation was in April 2014 about a deal between the USA and Israel. At that time, the faltering Middle East peace process was at stake; US Secretary of State John Kerry was supposed to signal his willingness to compromise by releasing Pollard. But this did not happen.
The release of Pollard at this point in time could be a political concession by the USA to reduce tensions with Israel over the nuclear agreement with Iran. Relations between Washington and Jerusalem are at an all-time low. However, Pollard's lawyers contradict the speculation: the decision of the United States Parole Commission was made "independently of other US government agencies" and is not linked to "recent developments in the Middle East". There is no statement from Pollard himself so far, but his lawyers may have spoken for him when they said: "We are grateful and pleased that our client will soon be released." Pollard will have to remain in the United States for another five years after his release under the terms of his parole.
France, bug your own house
Hypocrisy? France is outraged by NSA espionage and at the same time extends the rights of its own secret services. Paris should put its own house in order.
Espionage is said to have been around since the Stone Age, allegedly the second oldest profession in the world. Its reputation always depended on the point of view of the observer. Most governments consider their own espionage to be necessary and quite honourable, foreign espionage as a breach of trust if not a crime. This ambivalence is particularly evident in France.
While the government wants to enforce a law that allows citizens to be spied on on an alarmingly wide scale, it has to learn that the US secret service NSA had French President François Hollande and his predecessors bugged. Paris reacts with routine outrage. But it must be asked whether this is not hypocritical.
France itself has a long tradition of espionage
The French government would be naive if it had not known that French politicians were being bugged by the USA. Why else would Washington have so stubbornly refused to enter into an espionage agreement with Paris? Even the affair involving the German chancellor's mobile phone had to teach the French that their presidential phone is not safe from the Americans.
Finally: France itself has a long tradition of espionage.
Cardinal Richelieu and Napoleon Bonaparte already consolidated their power through a network of spies. The highly esteemed François Mitterrand had a so-called black cabinet controlled from the Élysée Palace, illegally sounding out politicians, lawyers and journalists, friend and foe alike. The action was dressed up as an anti-terrorism measure. To this day, French politics has been overshadowed time and again by bugging scandals, most recently in connection with Nicolas Sarkozy.
France reprimands the USA - and yet wants to listen more itself
So the French government should first of all bug its own house and make its planned intelligence law much stricter. After that, it would be all the more credible in advocating more fairness and decency among allies. After all, the criticism of the USA is essentially justified. How is trust in politics supposed to develop when closely allied democracies spy on and eavesdrop on each other? How are citizens supposed to regain confidence in politics when they experience that their governments seem to deeply distrust each other? Man is the wolf of man, Thomas Hobbes once wrote, referring to the relationship between states. But does that really have to apply among friends as well?
Yes, espionage is also and especially necessary for modern constitutional states to protect themselves from terrorists, mafia groups or aggressive autocrats. But it is reprehensible if it serves to create transparent citizens or to sound out friendly governments. It may well be that this has always been the case. But this habit does not create law. Not everything that works is allowed. France and the USA are nations with a sense of mission. They see themselves as champions of freedom and human rights. Ruthless espionage, internal or external, destroys this nimbus.
The spirit of Bad Aibling
In the past, the BND and NSA worked closely together in Bad Aibling. Bad Aibling used to be one of the Americans' most important listening posts during the Cold War; thousands of US secret service agents worked there. Today only ten employees are stationed in a windowless room at the listening post. Nevertheless, recent revelations and statements by BND staff members suggest that the Americans, although they are in the minority and the Germans are the hosts, have great influence on the BND in Bad Aibling. Without the Americans, little goes on in Bad Aibling. Two or three times a day the BND fetches the search terms from an American server, which are then entered into the system. In case of technical problems, the NSA people are consulted again and again.
The German Federal Intelligence Service (BND) has about 6000 employees and also someone who takes care of data protection. There is "a data protection officer," an intelligence officer on the NSA investigative committee said, "a lady." The "lady" visited the Bad Aibling listening post in the summer of 2013, and after that she was obviously a bit unwell, as can be seen from a confidential three-page note from the service. "Despite a request to that effect" she was " not fully" informed about the work at the BND property 3D30, as Bad Aibling is called in-house. Important topics had been "excluded". She had "gained the impression" that the Technical Reconnaissance Department, which is responsible for Bad Aibling, had "intentionally or unintentionally withheld important information". An expert colleague had said that the department tended to "express sensitive matters in a very cryptic way, or to euphemistically formulate them". However, he did not assume "deliberate misinformation". The note on the visit by the Data Protection Commissioner is dated 20 August 2013.
Only six days earlier, an explosive discovery had been made. A BND case worker in Bad Aibling had discovered that thousands of e-mail accounts of European politicians and European institutions could be found in an active NSA search file. He had then asked the head of 3D30 in an e-mail what he should do with his find, and he had only written one word back: "Delete". That was it.
That's how kids sometimes do it
According to the assurances and declarations of the BND leadership and the Chancellery, the superiors were not informed about the explosive find in their own station until March 2015. Mysterious BND, mysterious listening post Bad Aibling. Of course it is easy to speculate about why things are the way they are supposed to be. Perhaps the significance of the event was underestimated on site, or someone said: deleted is gone. This is what children sometimes do when they play hide and seek. They put their hands in front of their face so they can't be seen. It is possible that other facts may come to light during the investigation of this affair, which has only just begun, but it all has something to do with the spirit of Bad Aibling. A sub-department head of the BND has spoken of "Americanization" with regard to the events in Bad Aibling. A colleague of his used the term "Stockholm" to explain the situation. In this context, the term means that the one takes over the view of the other.
The NSA was already insatiable
Bad Aibling was once one of the most important listening posts for the Americans during the Cold War. Thousands of US intelligence operatives worked at the facility. The enemy was sitting to the east. The NSA was insatiable even then. During the processing of the intercepted documents, the Washington Post once wrote, so much paper was produced that "even the good Lord couldn't see through and process it if he didn't already know what the Russian was up to".

The BND has been represented in Bad Aibling since 1988. In 2004 the Americans returned the site to the city. There was a parade through the city centre. The area was ceremonially handed over into the care of the Germans. A small group from the NSA remained. In the BND's organization chart a new subject area appeared: BND and NSA formed a working group for joint technical reconnaissance called JSA, the abbreviation for Joint SIGINT Activity, in German: gemeinsame elektronische Aufklärung. There was also the Joint Analysis Center, JAC for short, which jointly evaluated the intercepted signals.

The roles seemed to be clearly assigned. The landlords were the Germans. At the Bad Aibling site, the BND has about 120 employees. The NSA has not even ten there. The JSA and JAC groups were dissolved a few years ago. But the NSA remained. Its employees work on the site in a windowless building called the "tin can". If BND employees want to get in, they have to ring the doorbell. That's the proper procedure.
How a German secret service wiretaps the whole world
Data monitoring by the BND must be approved by the so-called G-10 Commission of the Bundestag.
Several members of the committee feel betrayed in the meantime, however. The world's largest network node is located in Frankfurt. There the intelligence service intercepts masses of e-mails, chat conversations and conversations. So far, foreign data is not considered worth protecting. After fierce criticism, the federal government now wants to introduce a bill in the Bundestag that regulates the interception of foreigners.
Once a month, a secret committee meets in a tap-proof room in the basement of the Bundestag. Eight members of the so-called G-10 commission meet with top officials of the German secret services and, similar to a court, approve wiretapping measures. G-10 stands for the Basic Law article number 10 of the same name, which protects the secrecy of German telecommunications. Without a yes from the commission, suspected terrorists or arms dealers may not be monitored. The next meeting will take place this Thursday.
Traditionally, the relationship between the government, the secret services and the G-10 Commission is considered good. Today, it must be said that it was considered good. For months now, government officials have been reporting increasingly dysfunctional relations, and there is talk of a real crisis of confidence. This is also how some members of the commission see it, such as former SPD member of parliament Frank Hofmann. Hofmann's criticism is harsh; he speaks of "trickery" and an "abuse of the Commission" by the federal government. "The BND legal experts have literally shot up the basic right to preserve the secrecy of telecommunications. If the G-10 Commission does not want to lose its considerable reputation, it should press for a new legal basis in this legislative period and negotiate a regulation with the Chancellor's Office for the transition that is in conformity with the Basic Law."
"The G-10 Commission is being misused as a Trojan horse"
Hofmann, once a senior criminal officer in the Federal Criminal Police Office, is anything but a critic of the secret service. He is not alone in his criticism; last year, Die Zeit reported on growing doubts in the commission. Now the situation is coming to a head: "The mood is clearly tense," says Berthold Huber, the deputy chairman.
The dispute is a direct consequence of the Snowden revelations, it leads deep into the equally complicated and controversial practice of mass surveillance. Billions of phone calls, chats and e-mails are tapped and routed through the computers of the secret services, which search them for useful information. The former head of technical intelligence of the BND compared this practice before the NSA investigative committee with the search for gold, he said that one would have to move tons of rock to find even one gram of gold. "It doesn't matter how powerful a searched data stream is, but how useful the yield is."
The number of critics and opponents of this method is growing, but nobody wants to do without it. BND president Gerhard Schindler once said in a confidential meeting, without a telecommunications investigation, "I can close the shop."
The data of foreigners is not considered worthy of protection
In the G-10 Commission, criticism is ignited mainly by two points. Like all other countries, Germany considers only the communication of its own citizens (and all those living in Germany) to be worthy of protection; nothing may be monitored without the approval of the Commission. But all others are outlawed. In the NSA investigative committee, a witness for the BND said that such telecommunications traffic was "cleared for shooting".
Lawyers like the former president of the Federal Constitutional Court, Hans-Jürgen Papier, argued months ago that this practice was illegal. The protection of the Basic Law must also apply to foreigners, otherwise the BND would be no different from the NSA. At the request of the Commission, the government presented a brief expert opinion and defended its practice: after all, espionage was not prohibited under international law. Apparently, this did not convince everyone. Members of the G-10 Commission such as Hofmann and Huber stick to their criticism. And Hans de With, chairman of the commission for almost 15 years, also recently expressed doubts before the committee of inquiry. He said that the BND's actions "cannot be justified for much longer. One could and can accuse us: 'Well, you also have a dragnet operation abroad.'"
Members of the Commission feel betrayed by the government
The second point is even more delicate: members of the Commission feel cheated by the government. They have been deceived as to the true purpose of surveillance measures. Germany is one of the most important transit countries for communications worldwide. Because of its central location, enormous amounts of data flow through German lines every day from Africa, Asia, America and Eastern Europe. It's like summer on the German motorways. The BND takes advantage of this location and taps data volumes, especially at the world's largest Internet node, DE-CIX in Frankfurt, where 1200 fibre optic cables from all over the world converge. Some of the so-called traffic is "mirrored", as the BND calls it: a copy is made and searched for useful information. It was only through research by the Süddeutsche Zeitung, NDR and WDR that it became known last October that the BND forwarded part of the data tapped at another Frankfurt Internet node to the NSA as part of operation "Eikonal". The G-10 Commission had approved access to the cables, but apparently never learned of the delicate cooperation. The commission also believed that it was only a matter of searching the huge databases for German suspects. Now, however, commissioners suspect that the federal government misused the approval to tap the transit communications of foreigners passing through Germany. The BND files contain the phrase "door opener". The German government denies this, but some in the BND were well aware of the risk from the beginning. In a memo, the responsible department warned of what could happen if the matter were discovered: "Moratorium on G-10 interception and parliamentary referral with unforeseeable consequences for FmA" (meaning the telecommunications intelligence of the BND, editor's note).
Germany must now create a legal regulation for the wiretapping of foreigners
These unforeseeable consequences have now occurred. "The G-10 Commission is being misused as a Trojan horse," Hofmann claims; the whole thing is happening with the knowledge of the Chancellery.

There is alarm about a proposal by deputy chairman Huber: the BND should only be allowed to access fibre optic cables in Germany if it gives written assurance that pure transit traffic of foreigners will not be tapped. Minister of the Chancellor's Office Peter Altmaier would have to countersign the guarantee. The BND would lose one of its most important sources of information. Because DE-CIX now announces that it will take legal action before the Federal Administrative Court and have the BND practices reviewed, the situation continues to escalate.
For a long time, the government had hoped to be able to sit out the discussion that broke out after Edward Snowden. Minister of the Interior Thomas de Maizière once got upset in front of confidants about the idea that the same standards should be applied to wiretapping Colombian drug barons as to German basic rights holders. In the meantime, the Chancellor's Office has given up its resistance, and work is underway on an amendment to the law, which should be ready before the summer. The fight is lost. The coalition partner SPD has also announced internally that it no longer supports the current practice.
Germany now faces the task of being the only country in the world to create an explicit legal regulation for the wiretapping of foreigners. Many in the government are angry about this, because they do not want to have their own practices equated with those of the NSA. A former head of the BND, indignant before the investigating committee, said he did not know "why it is all too easy to believe that the BND is an overpowering successor to the GDR's State Security or an association of thousands of criminals." The Americans, a "Google of the secret services" as it were, intercept huge amounts of communication and store the data indefinitely. Who knows what it might be used for.
The Chancellor's Office does not want a regular espionage law
The BND, according to the German government, also intercepts a lot, but the bulk of the data is sorted out immediately at the first filter. BND experts argued before the investigative committee that the whole thing happens in real time, as in an evaporation process: 99.9 percent of communications are destroyed immediately. This, they say, should not be seen as a real interference with the freedom of communication. One could see it differently, but the Chancellor's Office would prefer to settle the uprising of the opposition, lawyers, the G-10 Commission and DE-CIX with a simple sentence in the BND law: the electronic reconnaissance of foreigners is expressly permitted. Under no circumstances would it want a downright espionage law in which it would be spelled out what and who may be monitored.
The SPD wants to upgrade the G-10 Commission
But a simple clarification is not enough for the coalition partner. It wants an upgrade of the G-10 Commission.
The BND should at least disclose in retrospect what and whom it is tapping. It would be the end of a decades-long practice in which only the government and the secret service decide to what extent they restrict the civil rights and freedoms of foreigners. In the SPD, the idea is circulating that the commission would be given extensive control rights and would be allowed to check the surveillance practice of the BND at any time. Even more far-reaching proposals were presented on behalf of the foundation "Neue Verantwortung" by the former Human Rights Commissioner of the Federal Government, Markus Löning. He wants the G-10 Commission to have to approve every interception measure worldwide in the future; a lawyer should ensure that fundamental rights are respected. Neither the government nor parliament will probably go along with this. But it is just as questionable whether the Federal Government will get through with its plan for a law amendment that is as silent and arid as possible. What is being sought is an answer to the question raised by the Snowden revelations: how can one ensure that secret services in democratic states fulfil their legitimate tasks without violating the communications of millions of people? Hofmann is counting on the Bundestag: "This will be an extremely exciting legislative process, in which it can be shown how independent and strong the parliament is."
Liability for contents
As a service provider, we are responsible for our own content on these pages according to § 7 para.1 TMG (German Telemedia Act) and general laws. According to §§ 8 to 10 TMG, we are not obliged to monitor transmitted or stored external information or to investigate circumstances that indicate illegal activity.
Obligations to remove or block the use of information according to general laws remain unaffected. However, liability in this respect is only possible from the time of knowledge of a concrete infringement. If we become aware of any such infringements, we will remove such content immediately.
Liability for links
Our offer contains links to external websites of third parties, on whose contents we have no influence. Therefore we cannot assume any liability for these external contents. The respective provider or operator of the sites is always responsible for the contents of the linked sites. The linked pages were checked for possible legal violations at the time of linking. Illegal contents were not recognizable at the time of linking.
However, a permanent control of the contents of the linked pages is not reasonable without concrete evidence of a violation of the law. If we become aware of any infringements, we will remove such links immediately.
The contents and works on these pages created by the site operators are subject to German copyright law. The reproduction, editing, distribution and any kind of use outside the limits of copyright law require the written consent of the respective author or creator. Downloads and copies of these pages are only permitted for private, non-commercial use.
Insofar as the content on this site was not created by the operator, the copyrights of third parties are respected. In particular, third-party content is marked as such. Should you nevertheless become aware of a copyright infringement, please inform us accordingly. If we become aware of any infringements, we will remove such contents immediately.