341 points hlandau | 15 comments
abigail95 ◴[] No.37962300[source]
> What would a perfect attacker do?

If you had physical access to the computer, some sort of bus interception to exfiltrate data from the machine.

replies(2): >>37962373 #>>37963714 #
whalesalad ◴[] No.37962373[source]
extremely difficult to get physical access in a datacenter
replies(5): >>37962416 #>>37962421 #>>37962655 #>>37963217 #>>37963509 #
1. LeoPanthera ◴[] No.37962421[source]
I would suggest that if you are the police, you can break into a datacenter with a flash of a badge. I can't imagine many would attempt to stop you.
replies(3): >>37962600 #>>37963230 #>>37964311 #
2. mjevans ◴[] No.37962600[source]
I would hope they at least:

* Require a copy of the badge number, and verify that this officer is assigned and expected to be at this business right now.

* Require them to sign into and out of the site.

* Annotate which systems / compromises are in place.

- That all of the above MIGHT be sealed under a court order; I would hope any such order has an automatic 'sunset' date, and possibly renewal upon review by a different judge.

replies(3): >>37962663 #>>37963155 #>>37974369 #
3. LeoPanthera ◴[] No.37962663[source]
Those are some very optimistic hopes!
4. skissane ◴[] No.37963155[source]
A business can request visiting law enforcement to do all those things, and hopefully law enforcement complies. However, if they refuse to comply, realistically you just have to let them in anyway. Document their non-compliance and provide it to your lawyers, who can decide what action to take (lodge a formal complaint to the law enforcement agency, apply to a judge for an injunction to compel their compliance, etc)

Well, that’s true in countries like Germany or the US. I suspect in somewhere like Russia or China, formal complaints are unlikely to achieve anything except invite government retaliation.

replies(2): >>37964602 #>>37968642 #
5. jacquesm ◴[] No.37963230[source]
I highly doubt it is that simple for LE to enter a DC without a warrant signed by a judge, but insiders have all of that access and plants in DCs can and do happen.

I was present when Dutch LE seized a bunch of servers on behalf of an FBI liaison officer in NL and everything went 'by the book', there is no way an LE officer without a signed order from a judge would have been granted access.

6. bsder ◴[] No.37964311[source]
> I can't imagine many would attempt to stop you.

You would be 99% wrong. Even if law enforcement presented proper paperwork, every colo I have ever used would call and verify the paperwork. They might not call me, but they sure as hell would call their own lawyers. Once law enforcement is on the other side of the cage, important customers who pay real money could get compromised.

There is a massive difference between getting physical access to your server in a data center and coughing up everything about your server by simply emailing a minion in a cloud provider.

7. leosarev ◴[] No.37964602{3}[source]
The latter is not correct. There is a well-known difference in Russia between companies that willingly cooperate with government agencies informally, and those that just provide information upon formal request according to law.
replies(1): >>37971737 #
8. chatmasta ◴[] No.37968642{3}[source]
> realistically you just have to let them in anyway

No, you don't. If they have a warrant then you need to let them in for the purposes specified in the warrant. Otherwise you're free to tell them to piss off. Unfortunately you're also free to acquiesce to any of their demands.

This kind of passive, default-compliant attitude from service providers, while understandable from a "path of least resistance" standpoint, is exactly the kind of behavior that allows the third party doctrine to circumvent so many of our basic rights. As a service provider, often the more difficult path is to challenge authority, rather than to cooperate with it. And unfortunately that means that most service providers will simply cooperate.

replies(2): >>37971696 #>>37974552 #
9. skissane ◴[] No.37971696{4}[source]
> No, you don't. If they have a warrant then you need to let them in for the purposes specified in the warrant. Otherwise you're free to tell them to piss off.

Any lawyer will tell you - if law enforcement attempts a warrant-less search, you tell them you do not consent to it, but you do not attempt to physically stop them from performing it. Tell them they are unwelcome and to come back with a warrant, but if they insist on entering in spite of that, you let them in.

replies(1): >>37974559 #
10. skissane ◴[] No.37971737{4}[source]
How do you know for sure the people who “just provide information upon formal request according to law” aren’t covertly engaging in informal cooperation?

If one morning the CEO gets an unexpected visit at home from a group of FSB agents asking for some favours, is the CEO going to say “no”? And if the CEO says “yes”, are you going to hear about it, or are they going to let the CEO continue that pretence?

Western CEOs don’t have the same worry about “accidentally” falling out of hospital windows.

replies(1): >>38035621 #
11. immibis ◴[] No.37974369[source]
You would expect that at AWS, but Hetzner is a low-cost operation.
12. immibis ◴[] No.37974552{4}[source]
Non-compliance with a law enforcement order is a good way to get shot (in America) or arrested (in most countries) even if there is no legal basis for the order.
13. immibis ◴[] No.37974559{5}[source]
"Letting them in" is another way of saying you consent. Don't "let" them in... just don't physically stop them coming in.
replies(1): >>37979279 #
14. skissane ◴[] No.37979279{6}[source]
If you unlock a door for someone but simultaneously say “I don’t consent to you passing through it”, the first act does not cancel out the second. Whereas, if you don’t unlock it, if they really want to go in they’ll knock it down, causing damage in the process. Unlocking it for them is about avoiding damage to property; it is not a form of consent if accompanied by a clear verbal refusal of consent.
15. leosarev ◴[] No.38035621{5}[source]
Actually, that happened to some people that I know.

The Roem.ru site (small but influential at the time) received an official but illegal request from a high-level FSB agent to disclose commentators' identities. They sent a formal complaint to the FSB's own security and to the public prosecutor's office. The former officially warned the FSB to stop the illegal actions.

Funny thing: 7 years later the FSB agent was convicted for being a CIA asset.