341 points hlandau | 2 comments
abigail95 No.37962300
> What would a perfect attacker do?

If you had physical access to the computer, some sort of bus interception to exfiltrate data from the machine.

replies(2): >>37962373 #>>37963714 #
whalesalad No.37962373
Extremely difficult to get physical access in a datacenter.
replies(5): >>37962416 #>>37962421 #>>37962655 #>>37963217 #>>37963509 #
LeoPanthera No.37962421
I would suggest that if you are the police, you can break into a datacenter with a flash of a badge. I can't imagine many would attempt to stop you.
replies(3): >>37962600 #>>37963230 #>>37964311 #
mjevans No.37962600
I would hope they at least:

* Require a copy of the badge number, and verify that this officer is assigned and expected to be at this business right now.

* Require them to sign into and out of the site.

* Annotate which systems / compromises are in place.

- That all of the above MIGHT be sealed under a court order; I would hope any such order has an automatic 'sunset' date, and possibly renewal upon review by a different judge.

replies(3): >>37962663 #>>37963155 #>>37974369 #
skissane No.37963155
A business can request visiting law enforcement to do all those things, and hopefully law enforcement complies. However, if they refuse to comply, realistically you just have to let them in anyway. Document their non-compliance and provide it to your lawyers, who can decide what action to take (lodge a formal complaint to the law enforcement agency, apply to a judge for an injunction to compel their compliance, etc.).

Well, that’s true in countries like Germany or the US. I suspect in somewhere like Russia or China, formal complaints are unlikely to achieve anything except invite government retaliation.

replies(2): >>37964602 #>>37968642 #
leosarev No.37964602
The latter is not correct. It's a well-known difference in Russia between companies that willingly cooperate with government agencies informally, and those who just provide information upon formal request according to law.
replies(1): >>37971737 #
skissane No.37971737
How do you know for sure the people who “just provide information upon formal request according to law” aren’t covertly engaging in informal cooperation?

If one morning the CEO gets an unexpected visit at home from a group of FSB agents asking for some favours, is the CEO going to say “no”? And if the CEO says “yes”, are you going to hear about it, or are they going to let the CEO continue that pretence?

Western CEOs don’t have the same worry about “accidentally” falling out of hospital windows.

replies(1): >>38035621 #
leosarev No.38035621
Actually, that's happened to some people that I know.

The Roem.ru site (small but influential at the time) received an official, but illegal, request from a high-level FSB agent to disclose commentators' identities. They sent a formal complaint to the FSB's own security service and to the public prosecutor's office. The former officially warned the FSB to stop its illegal actions.

Funny thing: 7 years later the FSB agent was convicted for being a CIA asset.