Message-ID: <3F45D952.2060900@uni-oldenburg.de>
Date: Fri, 22 Aug 2003 10:50:26 +0200
From: Michael Schlenker <schlenk@...-oldenburg.de>
To: "Thomas C. Greene" <thomas.greene@...register.co.uk>
Cc: Florian Weimer <fw@...eb.enyo.de>, bugtraq@...urityfocus.com,
   full-disclosure@...ts.netsys.com
Subject: Re: Popular Net anonymity service back-doored


Thomas C. Greene wrote:

> It's likely they were legally prevented from issuing a clear warning,
> which is why I say they should have taken the service down in
> protest. I don't know German law, but I'd be surprised if the
> courts can force you to provide a communications service just so
> the Feds can use it.

IANAL, but I can say the following:
German law makes a distinction between a provider of communications
services and teleservices. Privacy protection for teleservices is
regulated in the very strict Teleservices Data Protection Act
(TDDSG, Teledienstedatenschutzgesetz), while privacy protection for
general communications services is regulated in the TKG
(Telecommunications Act). Only for services regulated by the TKG do
law enforcement agencies have a quite impressive set of rights to
request interception of communication and data about the
communication. This includes installation of real-time capable
backdoors at the service provider's cost and other cruelties. (Secret
service agencies have further rights, not of interest here.)

The main problem in nearly any case is the distinction between a
service that is governed by the Teleservices Act and a service that
is governed by the Telecommunications Act. The Telecommunications Act
defines its area of responsibility like this:

§3 TKG
16. ist "Telekommunikation" der technische Vorgang des Aussendens,
    Übermittelns und Empfangens von Nachrichten jeglicher Art in der
    Form von Zeichen, Sprache, Bildern oder Tönen mittels
    Telekommunikationsanlagen,
17. sind "Telekommunikationsanlagen" technische Einrichtungen oder
    Systeme, die als Nachrichten identifizierbare elektromagnetische
    oder optische Signale senden, übertragen, vermitteln, empfangen,
    steuern oder kontrollieren können,

16. "Telecommunication" is the technical event of sending,
transmitting and receiving messages of any type in the form of
characters, speech, pictures or sounds via "Telecommunication
systems".
17. "Telecommunications systems" are technical systems capable of
sending, transmitting, arbitrating, receiving or controlling
electromagnetic or optical signals which are identifiable as messages.

While the Teleservices Act defines its responsibility like this:
§ 2 TDG (2)

3.  Angebote zur Nutzung des Internets oder weiterer Netze,

3. Services for usage of the Internet or other networks

but in contrast:
§2 TDG (4)

(4) Dieses Gesetz gilt nicht für
1.  Telekommunikationsdienstleistungen und das geschäftsmäßige
    Erbringen von Telekommunikationsdiensten nach § 3 des
    Telekommunikationsgesetzes vom 25. Juli 1996 (BGBl. I S. 1120),

(4) This act does not regulate
1. Telecommunication services and the businesslike providing of
telecommunication services according to § 3 of the Telecommunications
Act ...

Anyone with a barely awake mind sees that the wording of the law is
outright stupid.
Now decide for yourself if an anonymizing HTTP proxy is a
telecommunications service or a teleservice, and take a wild guess
what a court thinks a telecommunications service is. By the wording
of German law nearly anything is telecommunication, so the TDG does
not have a single case in which it would be applicable... ;-) (not
even an implementation of RFC 1149 would be exempted ;-))

In the reality of German legal practice the distinction between the two
service types is drawn somewhat analogously to the OSI network layer
model; the only discussion is on what level the line should be drawn.
Law enforcement agencies naturally want the line drawn above the HTTP
protocol, or even above that, so they can lawfully intercept email
etc. and don't have to reassemble single ATM frames or TCP/IP packets
to get their information.

Michael Schlenker
