this post was submitted on 02 Nov 2023
541 points (98.9% liked)

Programmer Humor

32396 readers
499 users here now

Post funny things about programming here! (Or just rant about your favourite programming language.)

Rules:

founded 5 years ago
MODERATORS
 
you are viewing a single comment's thread
view the rest of the comments
[–] lukas@lemmy.haigner.me 8 points 1 year ago* (last edited 1 year ago) (1 children)

I'm curious why they want this instead of mTLS certificates? This smells like secret services counseled Europe using a front company. But that wouldn't surprise me, since similar events happened multiple times in the past.

[–] skullgiver@popplesburger.hilciferous.nl -1 points 1 year ago* (last edited 11 months ago) (1 children)

[This comment has been deleted by an automated system]

[–] lukas@lemmy.haigner.me 5 points 1 year ago* (last edited 1 year ago)

Why would the secret services need a front company?

Governments here must use public tenders to buy services, and they pick the offer with the lowest price. Secret services can eat operational costs to place an extraordinarily competitive bid, but governments usually have anti-spying regulations. Hence, secret services bid with front companies.

But why bid in the first place, you may ask? eGovernment services are an attractive target due to the sensitive information at stake, and the potential to influence laws related to the eGovernment services. Secret services implement eGovernment services in a way that allows them to gain intelligence.

But how can they implement services in such a way, you may ask? Ask forgiveness, not permission. Of course, bullshit justifications play an important role here. E2EE? Why do that? Do you not want to scan files that go through the system for viruses? Real justification for why De-Mail stores sensitives emails in plaintext.

Governments now have the following options:

  • Discard their paid work and forget about the initiative.
  • Discard their paid work and contract someone more expensive than the original bidder.
  • Pass laws to allow how the insecure service operates.

Remember De-Mail? Yeah, that exists. Exceptions that allow insecure storage of sensitive emails as long as it's De-Mail. Exceptions that allow De-Mail providers to send legally binding emails on behalf of everyone. No, I'm serious. If anybody comprises De-Mail providers, they can practically send legally binding emails on behalf of everyone, as long as they don't leave behind any trails of course.

But sometimes, like here I suspect, secret services hit the jackpot. They've got such an insecure implementation that the laws required to allow the service to operate nullifies the security of a large portion of the internet. Now, if enforced, they can intercept traffic like they used to back when everyone ran on http without the s. SIGINT is dead, long live SIGINT!