LatteLazy 6 years ago

After WW2 we (brits) sold enigma machines to the countries gaining independence from the empire and never mentioned we could read everything they were used to communicate. This is why no one should outsource vital functions to competitors...

This should be embarrassing for the Swiss intelligence services whose job it was to detect and prevent these sorts of shenanigans...

Also, have I misunderstood? The criminal case should be against the company executives surely, not "persons unknown". Or is that just to include whoever bribed them?

  • andreasley 6 years ago

    > This should be embarrassing for the Swiss intelligence services whose job it was to detect and prevent these sorts of shenanigans...

    Some allege that the NDB/FIS (Federal Intelligence Service) knew about the operation. [1]

    > The criminal case should be against the company executives surely, not "persons unknown".

    At this point, it is not known who was involved in what way exactly. Some executives? Definitely. All executives? Maybe not.

    A former employee believes that only 2-3 executives knew about the whole scheme and maybe 10-15 technicians put two and two together or suspected something. [2]

    [1] https://www.srf.ch/news/schweiz/geheimdienstaffaere-cryptole... (german)

    [2] https://www.srf.ch/news/schweiz/17-jahre-bei-der-crypto-ag-e... (german)

  • markus_zhang 6 years ago

    tracking the history of CIA black operations e.g. Operation Gladio in Europe in the cold war, I'm almost sure that someone from the Swiss side knew this from the beginning.

    • cognaitiv 6 years ago

      Operation Gladio is the codename for clandestine "stay-behind" operations of armed resistance that were planned by the Western Union (WU), and subsequently by NATO, for a potential Warsaw Pact invasion and conquest in Europe. Although Gladio specifically refers to the Italian branch of the NATO stay-behind organizations, "Operation Gladio" is used as an informal name for all of them. Stay-behind operations were prepared in many NATO member countries, and some neutral countries.

      https://en.wikipedia.org/wiki/Operation_Gladio

  • farseer 6 years ago

    I don't think anyone believes that the Swiss didn't know.

  • mytailorisrich 6 years ago

    > The criminal case should be against the company executives surely, not "persons unknown"

    I don't know about Switzerland, but in some European countries this enables a judge to be designated to carry out a formal investigation and to then decide who to specifically go after. In addition, filing a complaint against a specific person opens you to be sued back if that person is then shown to have done nothing wrong. This means that it is very common for criminal complaints to be initially filed against "persons unknown".

stiray 6 years ago

Just a simple thought experiment... In light of those events, would you as, for instance, CIA, create your Certificate Authority and offer free certificates for servers, simplifying deployment to be as simple to use as possible? ;)

(I am just looking into certificate pinning, but a CA can generate another certificate or wildcard certificate that the client trusts, which enables MITM. I am doing it all the time on an HTTPS proxy (http://www.squid-cache.org/Doc/config/ssl_bump/). This way you can decrypt traffic: redirect traffic to your server and impersonate the right one while proxying data from the original server.)

  • belltaco 6 years ago

    CAs cannot decrypt SSL traffic, or am I missing something?

    • ceejayoz 6 years ago

      CAs can issue a new cert for state-run MITM attacks.

      • heavenlyblue 6 years ago

        How does issuing free certificates make it more probable?

        • chopin 6 years ago

          You get a root certificate on all machines.

  • natpalmer1776 6 years ago

    To expand on this, and illustrate the dangers of speculation, would you not also establish a legitimate Certificate Authority when your lab geeks realized how critical they would or could someday be, then use your industry reputation to sell certificates like any other company in the industry?

    • stiray 6 years ago

      Sure I could. Then I just need to convince ISPs (or Cisco :D) to channel traffic through my equipment. On the other side, as a government agency with ties all over the world, decades of practice in Echelon, Crypto AG, on-the-fly replacing chips on Cisco equipment, unlimited funding, ...

      • mox1 6 years ago

        Perhaps you don't even need to convince Cisco. Just find some vulnerabilities in their OS, sit on them and pull them out when you need.

        I wonder what percentage of internet connections hop through a Cisco device at some point...?

  • Thriptic 6 years ago

    Considering that a majority of the Let's Encrypt userbase would probably be running HTTP rather than HTTPS if it weren't for free certs, it's still probably preferable to have only one or a handful of malicious entities able to observe traffic. You're not wrong though overall, the certificate model doesn't have built-in protections for malicious CAs.

    Overall I would argue that companies that are dealing with sensitive data should be using EV certs anyway to help users defend against phishing attacks which Let's Encrypt doesn't offer to my knowledge. This is tangential to your point though.

  • vegardx 6 years ago

    Doing this completely undetected is actually harder than you think. Modern browsers check Certificate Transparency lists, and if the certificate is not present in at least two lists then they are simply rejected.

    In addition to this you have Certification Authority Authorization (CAA) which uses DNS to tell what CAs are allowed to sign certificates for a certain domain.

    There are services you can subscribe to that will tell you when a certificate is signed by a specific CA (or by anyone but that CA) for a domain you want to monitor.
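    As an added, offline example (not from this thread or any project), here is the RFC 8659 CAA lookup and authorization check that a CA must perform before issuing, which is the mechanism the comment above refers to; the ZONE dictionary, the domain names and the CA names are constructed stand-ins for real DNS data.

```python
"""RFC 8659 CAA policy check over a constructed DNS zone (offline example).

ZONE is a constructed stand-in for DNS: it maps an owner name to its CAA
RRset, each record given as (flags, tag, value). Real code would query DNS.
"""

ZONE = {
    "example.com.": [
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "digicert.com; cansignhttpexchanges=yes"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    # Zone that permits one CA but forbids wildcard issuance to everyone.
    "internal.example.net.": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),
    ],
}

CRITICAL = 0x80                      # "issuer critical" flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def _canon(name: str) -> str:
    return name.lower().rstrip(".") + "."


def find_caa_rrset(zone, domain):
    """Walk from the domain toward the root and return the first CAA RRset
    found (RFC 8659 section 3). None means no CAA policy exists anywhere."""
    labels = _canon(domain).split(".")
    for i in range(len(labels) - 1):          # stop before the root label
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return zone[candidate]
    return None


def _issuers(rrset, tag):
    """Issuer domain names for a tag; 'issue ;' yields '' meaning nobody."""
    return {v.split(";", 1)[0].strip().lower() for _f, t, v in rrset if t == tag}


def ca_authorized(zone, domain, ca_domain, wildcard=False):
    """True if ca_domain may issue for domain (or *.domain when wildcard)."""
    rrset = find_caa_rrset(zone, domain)
    if rrset is None:
        return True                           # no CAA anywhere: any CA may issue
    if any(f & CRITICAL and t not in KNOWN_TAGS for f, t, _v in rrset):
        return False                          # unknown critical property: refuse
    tags = {t for _f, t, _v in rrset}
    if wildcard and "issuewild" in tags:
        return ca_domain.lower() in _issuers(rrset, "issuewild")
    if "issue" in tags:
        return ca_domain.lower() in _issuers(rrset, "issue")
    return True                               # CAA present but no issue controls
```

A misissuance detected by CT monitoring after the fact is a signal that a CA ignored or bypassed this check.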

101404 6 years ago

This case should be quoted in every discussion about 5G mobile equipment here in Europe.

  • fh973 6 years ago

    Towards which conclusion? Backdoors are common practice and so we have to assume their existence in foreign equipment? Or we did it first, so let's give the others a chance to deliver backdoors to us?

    • 101404 6 years ago

      To maintain control over critical communication technology.

      • SAI_Peregrinus 6 years ago

        The problem is that 5G wasn't designed to be secure against malicious carriers & governments. It could have been, and modern cryptographic protocols used over it can be.

        The assumption that you can trust communications infrastructure is outdated. It must not matter if an adversary has back doored a router or cell tower or similar to send copies of all traffic to them, since the data should be entirely encrypted (except for some minimal routing information). The 3GPP designed the 5G standards to allow back doors, so we get back doors.

        • 101404 6 years ago

          What if the same company also provides the cellphones and computers used to do the encryption of the data being sent?

          • SAI_Peregrinus 6 years ago

            Then you're programming Satan's computer[1] and need to start doing things like using a better trusted OS & compiler. Or go to a different vendor. Since end-user devices need to swap around a lot this tends to be a lot easier than replacing the underlying infrastructure devices.

            [1] https://www.cl.cam.ac.uk/~rja14/Papers/satan.pdf

    • Seenso 6 years ago

      [oops, misread comment.]

      • ChuckNorris89 6 years ago

        Making our own 5G equipment != Actually buying it.

  • Seenso 6 years ago

    > This case should be quoted in every discussion about 5G mobile equipment here in Europe.

    Especially since the 5G situation even kinda smells the same:

    https://www.washingtonpost.com/graphics/2020/world/national-...:

    > As Widman settled in, the secret partners adopted a set of principles for [Crypto AG's] rigged algorithms, according to the BND history. They had to be “undetectable by usual statistical tests” and, if discovered, be “easily masked as implementation or human errors.”

    > In other words, when cornered, Crypto executives would blame sloppy employees or clueless users.

    https://www.theregister.co.uk/2019/03/28/hcsec_huawei_oversi...:

    > Huawei savaged by Brit code review board over pisspoor dev practices

    > "The work of HCSEC [Huawei Cyber Security Evaluation Centre]… reveals serious and systematic defects in Huawei's software engineering and cyber security competence," said the HCSEC oversight board in its annual report, published this morning.

  • davidgay 6 years ago

    Every country designing and making their own 5G equipment seems impractical (not to mention expensive, likely full of bugs=backdoors, etc), I think the correct conclusion to draw from that is that you need to use end-to-end (really point-you-trust-to-other-point-you-choose-to-trust) encryption.

    It's like checksums, really ;) Point-to-point is helpful, but not sufficient.

    • Y-bar 6 years ago

      I don't think GP asked for every country manufacturing their own equipment; rather, they should ask for significant insight and auditing into the design and making of critical infrastructure.

alltakendamned 6 years ago

I wonder what the outcome can be of filing a criminal complaint like this? What do they hope to achieve? I can't imagine anyone or any nation will ever be brought to justice over this?

  • markus_zhang 6 years ago

    I think it's more of a gesture. There was also a similar action by the European Parliament against Operation Gladio back in 1990, which was also a gesture.

    • archi42 6 years ago

      Exactly. If this wasn't prosecuted the message would be "yeah, screw people over and ruin the Swiss reputation, we don't really care". Now even if the evidence isn't court-proof, or it's not possible to attach it to specific people, it still shows that things like this won't be ignored.

      If I was responsible for selling rigged encryption equipment, I'd be wary that this might backfire on me - even in a decade or two.

  • sfifs 6 years ago

    If they can identify people involved, they can issue arrest warrants and a red corner notice via Interpol. That can make travel very difficult for the people involved and they'll essentially be unable to leave their own countries without risk of arrest. They won't realistically ever be able to prosecute, but they can make life a bit uncomfortable as a gesture. And if relatives or friends of those people vacation in Switzerland, they can always pull them in for "questioning about a suspect" as another form of harassment.

    Small countries can never threaten a big state realistically; however, they have the ability to harass people who work for these big states in the hope of discouraging future action.

farseer 6 years ago

Why now, just to save face? It's not like people still buy cryptography equipment from the Swiss. They compromised various clients, including Iraq during the first Gulf War.

  • Shivetya 6 years ago

    I expect it is to imply they had no cooperation with the CIA as far as they know with their own Intelligence agency.

    There is a good chance the Swiss intelligence apparatus knew what was going on, so if this complaint vanishes or settles quietly we will know what is up.

madengr 6 years ago

This was publicly known over 25 years ago. There was a 60 Minutes piece on it in the early 90's. Why are they up in arms about it now?

  • andreasley 6 years ago

    That's a great question.

    When Swiss newspapers reported on it in 1994, the Cold War was still present in the minds of my fellow citizens and the US was seen as an ally and friend, so the general public probably just didn't consider it to be that important if the CIA maybe bugged some conversations. Also, the Swiss government "preferred not to know anything" and obstructed investigations, despite some employees of Crypto AG coming forward with information to the federal police.

    The world (or rather our view of it) is quite different today. Hidden data collection is a popular topic and it's harder to pretend that there are only friends in the west and only enemies in the east. It's also easier to share information worldwide and media coverage was much larger this time.

rolltiide 6 years ago

Protip: Nobody knows who owns any business entity, if they don't want you to know.

Here German intelligence and US intelligence owned a Swedish entity. That's how free trade works.

  • chinathrow 6 years ago

    That has nothing to do with free trade - it's about privately held stocks. Which is a worldwide thing.

    • rolltiide 6 years ago

      Yes, but no capital controls on who can own what and where.

cryptonector 6 years ago

This has been public knowledge for decades.

  • ta999999171 6 years ago

    "Public"?

    It was trending on Instagram and MTV/TLC?

yawniek 6 years ago

I'm not really sure how much of a "conspiracy" is left here if even the former head of the BND admitted it...

ur-whale 6 years ago

Files criminal complaints in which jurisdiction?

Switzerland?

If so, what do they hope to gain from it?

infinity0 6 years ago

In the grand scheme of things it doesn't matter that you can read everyone's messages when your economy is growing at 1%, the economy of your supposed "friend" that you're selling the messages to is growing at 2%, and the economy of the people whose messages you're reading is growing at 6-7%.

Maybe they should have used the money to develop 5G instead, lol.

> Switzerland’s Prime Minister, Simonetta Sommaruga

For a supposed website about intelligence, strange of them to use the phrase "Prime Minister" to describe the President of Switzerland (who actually is just a figurehead with the same power as the other members of the 7-member Federal Council).

  • Mvandenbergh 6 years ago

    I'm not sure how GDP growth is relevant here, especially when those higher growth rates are in countries with much lower base GDPs. GDP growth is not an eternal structural characteristic of an economy and there is no reason to believe that it will not slow down as GDP/capita converges.

    • infinity0 6 years ago

      "We're already ahead, we don't need to run any faster, we'll use our energy to do pointless things like spy on everyone instead".

      Don't let me stop you thinking that but I'll keep running faster, thanks.

  • boomboomsubban 6 years ago

    >For a supposed website about intelligence, strange of them to use the phrase "Prime Minister" to describe the President of Switzerland

    I'm not seeing that quote used, but mistaking "prime minister" and "president" is an understandable mistake.

    • infinity0 6 years ago

      It was there like 20 minutes ago, quoting her saying (paraphrasing, from my memory) "We'll deal with this when we have all the facts". Maybe one of the editors is watching this thread.

      Making that mistake for a layperson is understandable sure, but a website about intel, you have to lol. Probably why they fixed it up so quickly.

      • boomboomsubban 6 years ago

        >Making that mistake for a layperson is understandable sure, but a website about intel, you have to lol.

        The website is run by laypersons who actively deal in covering the president or prime minister of hundreds of countries. Covering intel doesn't really prevent this mistake.

        • infinity0 6 years ago

          I dunno man. Sports commentators deal with hundreds of teams all the time, I don't see them mistaking the owner vs manager of a club, and they would be laughed at if they did, even (especially?) the lay / hobbyist ones.

          Also, at the very top of their website it says "a specialized intelligence website written by experts", and in the sidebar they list their qualifications - so they apparently want to claim they are not laypersons. Lol, but you are trying to claim it?

          Granted it's pretty subjective, so whatever. I don't think my standards for this topic are much different from other people's standards for other topics with similar shapes.

          • boomboomsubban 6 years ago

            >Sports commentators deal with hundreds of teams all the time, I don't see them mistaking the owner vs manager of a club

            Sports commentators make mistakes on a regular basis, things like calling a defender a forward or mistaking a player's name. They often correct themselves immediately or things move past it so quickly nobody cares.

            > - so they apparently want to claim they are not layperson

            I took your use of the word "layperson" there to mean "not a professional in a field specialized in state politics." The authors of the site are professionals, just that doesn't prevent that mistake. Worded by me, but my point was that they are still normal error prone humans.

  • rjsw 6 years ago

    She is a "minister" as well though, most ceremonial Presidents are not.