Dutch govt says no to backdoors, slides $540k into OpenSSL without breaking eye contact

The Dutch government has formally opposed the introduction of backdoors in encryption products. A government position paper, published by the Ministry of Security and Justice on Monday and signed by the security and business ministers, concludes that "the government believes that it is currently not appropriate to adopt …

Dutch government and IT (Security) in general

Whilst I must give kudos to my own government (or at least the given ministry which also houses the national cyber security center btw) I am far from convinced that the same reasons of privacy and security of communications play any role in the way the Dutch government is itself handling private and sensible data in the first place.

On the contrary, I have seen enough examples in which the opposite is true (either by lack of knowledge and understanding or just because it seems unnecessary).

Let this be a step for the Dutch government not only to sponsor a good opensource project but to really improve their own security posture.

14
0
Silver badge
Childcatcher

Re: Dutch government and IT (Security) in general

"Let this be a step for the Dutch government not only to sponsor a good opensource project but to really improve their own security posture."

ISTR that the Dutch govt settled on OpenVPN as their VPN of choice and after auditing the software created their own distribution of it. OpenVPN uses OpenSSL, so this sponsorship would logically help to improve their security.

As OpenSSL is open source, then we all benefit - thanks Netherlands. Mind you I can't help but notice the lack of a padlock in my browser at the moment 8)

22
1
jap

Re: Dutch government and IT (Security) in general

Actually, OpenVPN-NL (the VPN distribution vetted by the Dutch government) doesn't use OpenSSL at all - it makes use of PolarSSL^WmbedTLS. This because polar's codebase was readable and small enough to audit, as opposed to OpenSSL... and this all happened before everybody + dog started hating OpenSSL.

7
0
Silver badge

Re: Dutch government and IT (Security) in general

PolarSSL being from a Dutch company can't have hurt either.

4
0
Anonymous Coward

Re: Dutch government and IT (Security) in general

PolarSSL being from a Dutch company can't have hurt either.

That's not good. That means the Dutch government could have pulled an NSA on them - introducing a backdoor and also stopping them notifying anyone about it.

1
0

This post has been deleted by its author

Anonymous Coward

Re: Dutch government and IT (Security) in general

On the contrary, I have seen enough examples in which the opposite is true (either by lack of knowledge and understanding or just because it seems unnecessary).

Let this be a step for the Dutch government not only to sponsor a good opensource project but to really improve their own security posture.

This may indeed change soon. This year will see an enormous amount of activity re. privacy and security, mainly prompted by the shenanigans surrounding Safe Harbor and the still pending decision of Microsoft vs DoJ (at least, I THINK it's still pending - I would welcome any update anyone may have as I predicted last year that this case would quietly go away as either outcome would cause problems).

As for the lack of scaremongering, it's an indication that the far right has had no say in this. Scaremongering isn't very Dutch. The nation used to be fairly levelheaded but the far right has started to bring in US style tactics and, embarrassingly for us slightly older folk, they seem to work, leading to polarisation in an otherwise fairly relaxed attitude towards the world (even without drugs :) ).

The result is a sharp ramp up in internal conflict, making the doom & gloom predictions of the far right a self-fulfilling prophesy...

1
0
Anonymous Coward

Re: Dutch government and IT (Security) in general

That means the Dutch government could have pulled an NSA on them - introducing a backdoor and also stopping them notifying anyone about it

But presumably OpenVPN-NL is for their own use and not for adoption by citizens other than for when they're interacting with government services. Arguably PolarSSL might be tainted but the NSA have nobbled general purpose crypto used by world+dog.

0
0
Silver badge
Happy

Re: Dutch government and IT (Security) in general

Now that ARM took them over, maybe the backdoors were transferred to GCHQ...

0
0
WTF?

Re: Dutch government and IT (Security) in general

Why would they build a backdoor in software that they use?

0
0

Re: Dutch government and IT (Security) in general

Unfortunately you will see that in Europe in its entirety at the moment. But that is somewhat besides the point discussed here.

As for right wing politics in the Netherlands, we'll see what happens at the next elections in probably 2017.

0
0

Re: Dutch government and IT (Security) in general

Besides the fact that openVPN or openSSL or whatever similar stuff built by any company is transport layer security only.

This simply means that data is protected on the cables and wireless internet links, not in storage or in use or in any other way whatsoever.

So nice of the Dutch government to protect data in transit (that's the bloody least they should do) but that's far from a total security posture including securing servers, authentication on basis of need-to-know and least privilege etc.

As for that openVPN NL-style? That's certainly not used by citizens communicating with the government and looks to me like their attempt to rewrite the ISO27001:2005 to their own "security" standard.

0
0
Anonymous Coward

Cue all the comments suggesting that the Dutch government might have a different view once they suffer a major terror attack of their own.

The problem with the above position is that laws made after such an event are often far from proportionate or well thought out.

We must make these legal determinations during peace time as the media and partisan politicians make incredibly bad government when under duress.

I applaud the Netherlands for making such a nuanced and thought-out study of this topical subject amidst their peers making rash and illiberal pronouncements.

32
0

You'd be surprised how much violence there currently is in the Netherlands. There's been a particularly violent criminal turf war going on, including public "executions", the immigrant/refugee issue has come to the boiling point, and the number of murder/suicide "family tragedies" is at an all-time high.

I'm not familiar enough with UK legislation to know whether or not the Dutch situation applies, but here it's possible to suspend an individual's rights on Ministerial Authority in individual cases for specified reasons in law. This allows for "sensible and balanced" laws that apply to Joe Average, while ensuring a paper trail in case the Government feels the need to pay Special Attention to someone/thing. This is enforced by the Judiciary, who've proven to be more than willing to toss out cases where Proper Procedure has not been followed.

As with any system, it's not perfect, but it works.

13
0
Anonymous Coward

while ensuring a paper trail in case the Government feels the need to pay Special Attention to someone/thing. This is enforced by the Judiciary, who've proven to be more than willing to toss out cases where Proper Procedure has not been followed.

This is the exact bit that is missing from much of what is happening in the US and the UK. Oversight, transparency, and actual consequences when someone has been wilfully creative with the rules. Although, as far as I know there isn't much transparency to the working of the Dutch secret service (BVD) either.

I'm OK with secrecy, provided there is credible oversight. The "credible" is where the problem lies.

1
0
Silver badge
Stop

Saying 'no' to backdoors means nothing

A government saying it won't require back doors is meaningless unless that government also outlaws the presence of back doors that are not disclosed to the end user.

6
1

Re: Saying 'no' to backdoors means nothing

You seem to forget the cardinal rule;

All the laws we pass apply to all of you all the time. We passed them, so we can ignore them.

At least that is how it seems to work here...

0
0

Re: Saying 'no' to backdoors means nothing

Plus they don't count for our intelligence agencies because we have a committee watching over them so they don't do something really stupid (yeah right)

0
0
Anonymous Coward

"But the most important debate rests in the United States, where the majority of the products and services used online stem from."

LMFTFY:

"The most insidious debate is occurring in the United States, where the majority of snooping and prying into other people's business stems from."

The "importance" of the debate in the US concerns the degree to which the rest of the world will continue to trust online products and services based there with their data (read: business).

15
0
Silver badge

Those global products only stem from there at the current time. Make the wrong law and wait for the exodus - it'll either be the companies or the users.

11
0
Silver badge

You know how the rest of the world does not allow US-made guns to be sold to its citizens.

You know how much of the world uses 220 V 50 Hz electrical equipment.

You know how the USA is NTSC while much of the world is PAL.

Then you know that the US position of writing most of the world's software and designing a fairly large percentage of its hardware is a tenuous position that will inevitably change over decades, and could be made to change even faster.

4
0

Quote: You know how the USA is NTSC while much of the world is PAL.

Not sure if you've noticed, but most places had a bit of a digital switch over a few years back.

Most of the world is now using DVB-T, especially in the developed world, the remaining PAL countries are mostly limited to 2nd or 3rd world ones, with many of those in the process of switching, or at least planning to switch, to DVB-T.

The USA of course, decided to do its own thing, and now uses ATSC rather than NTFS.

1
0
Silver badge

"Not sure if you've noticed, but most placed had a bit of a digital switch over a few years back."

OK, to update that for those that have switched, most of the world uses 50Hz display standards while the USA is still stuck on 60Hz. That's why cinema films look so crap (juddery) on screens set to US settings - they have to do 3:2 pulldown....

"now uses ATSC rather than NTFS."

I think you mean NTSC (Never Twice the Same Colour as we call it).

4
0
Anonymous Coward

"now uses ATSC rather than NTFS"

There's their problem, using a 20 year old knackered filesystem to encode the video stream!

1
0
Silver badge

@WatAWorld - Some of the differences have to do with when the national standards were set. Some of the differences are relatively easy to handle (change the power supply for 110/220) others are not so easy.

As far as losing technical leadership, the US certainly will be facing a much more competitive landscape in the future - there are plenty of very bright engineers, scientists, etc. outside of the US that this will happen as their home countries develop.

0
0
Bronze badge

NTFS ?

Is that the (revolutionary, for its time) color system that is Never Twice the F-cking Same, or do you work in IT?

0
0
Silver badge

Augh, encryption and Paris.

I think that "possible use of encryption" lets law enforcement off the hook.

As the Columbia Journalism Review noted,

"What have we learned since the 'ban encryption' movement gained full steam on the first weekday after the [Paris] attack? It turns out that most of the attackers were already known to intelligence agencies. Within a week of the attack, we found out they had used Facebook to communicate, as well as normal SMS text messaging. The ringleader even bragged about infiltrating Europe and planning an attack in ISIS’s English language glossy magazine, complete with a photo spread. ... The terrorists used their real names and identification cards for hotel and rental car reservations and did not noticeably try to cover their tracks."

If law enforcement and security organizations cannot catch terrorists who advertise on Facebook and in magazines, complete with photos of themselves, then giving those same agencies backdoors to encryption is not going to help.

55
0
Silver badge

Re: Augh, encryption and Paris.

...and the same pretty much applies, at least, to all the more recent attacks. All were "known" to the security services and none were using encrypted comms. This whole "ban encryption" band wagon is just grandstanding so governments can be seen to be doing something while satisfying the spooks wet dreams.

23
0
Silver badge

Re: Augh, encryption and Paris.

Well said. Many of us have been saying that for quite a while. Those who believe that the government will provide security in exchange for freedom are obviously idiots as the governments (world-wide) can't provide what they call security with the information they do have. I can't say all the attacks in the last year were not stopped because "encryption" but the ones where comms were in the clear and publicly available sure as hell weren't stopped.

This is to the governments:

<rant on> You want my freedom in exchange for security? Fine... show me that you can handle the info you get in the clear first. As it is, your arguments for backdoored or no-encryption are a low grade of BS when the very thing you claim you want my freedom for is happening.. and you do nothing except to say "oh yes, we knew about them."

A bigger problem than terrorists are the miscreants who would take our savings, our identities. Stop them and again, then maybe we can talk about taking "freedoms for security". <rant off>

12
0
Silver badge

Re: Augh, encryption and Paris.

You're 100% correct that our security agencies do not need backdoors and global spying on peaceful civilians to keep terrorists out. It is a pointless distraction in that regard.

I believe the main use of backdoors to encryption by our security agencies will be for keeping our current and future politicians under control, to keep security agencies' budgets up, to turn our countries into mini-Russias, mini-Chinas and mini-Soviet Unions, where current and past members of security agencies control (and own) both government and industry.

5
0

Re: Augh, encryption and Paris.

And the worrying thing - Reg readers apart - no-one seems to give a shit.

6
1
Coat

Re: Augh, encryption and Paris.

<rant> </rant>... unless you are using some MS "Standard"?

0
0
Silver badge

Re: Augh, encryption and Paris.

George Orwell was an extreme optimist. The neo-aristocracy wants to expand its power at the expense of the plebes. The whole effort to weaken computer security has more to do with political power than catching terrorists.

1
0

Re: Augh, encryption and Paris.

I think I only have to quote Benjamin Franklin here:

"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."

Enough said.

0
0

Bravo

That's got to be one of the funniest El Reg titles I've seen.

5
0
Silver badge

And yet another useless effort

Now, the funding of the OpenSSL project is a good one, though I can't help wonder if that money would have been better spent on trying to fix our own economy (when at least 5 large Dutch public shops and businesses which have been around for at least 30 years all go bankrupt under the reign of a certain prime minister then something is not going right here).

But in the end this whole encryption thing is kind of useless. Because we also have European laws to contend with. And with that in mind I think the whole thing is a bit hypocritical. Because during the last European vote on encryption and backdoors our government voted in favor. So it's kinda easy to try and make it sound as if they're now against the whole thing; especially since nothing they (can) do would change anything.

2
3
Silver badge

Re: And yet another useless effort

It's still refreshing to not hear complete bollocks whenever encryption is mentioned.

2
0
Silver badge

Re: And yet another useless effort

A lot of those shops going under has little to do with the economy or government policy and everything with their inability to keep up with the new technology and "shopping experience" people have come to expect.

0
0
Silver badge

Re: And yet another useless effort

Do you know that lack of encryption did not contribute to those five companies failing?

Let us face it, large companies have many secrets that they strive to keep from competitors. Without encryption mining, finance and high tech companies are vulnerable to spying by competitors and by those foreign governments who charge their security agencies with economic spying (the UK, at least, admits GCHQ has this duty too).

http://www.theguardian.com/world/2013/jun/16/uk-intelligence-agencies-spy-commonwealth-delegates

http://www.nytimes.com/2014/02/16/us/eavesdropping-ensnared-american-law-firm.html

0
0

Re: And yet another useless effort

"when at least 5 large Dutch public shops and businesses ..... all go bankrupt"

But....not Albert, Dirk, or Freddie, Shirley?

0
0

Confused as usual

Correct me if I'm wrong, but is the linking of backdoors and SSL not confusing the issue?

The only way to hide info from prying eyes would be to encrypt data at source before sending it over the wire. I can see how backdoors in encryption software at this stage would be a problem, but what has that to do with SSL?

If my understanding is right, putting money into SSL is a red herring anyway. Any government big enough could force ISPs (or telcos) to route SSL communications through proxies for MITM purposes.

0
0

Re: Confused as usual

MITM should not be possible unless you can forge (actually, the only practical way is to get some shady CA to issue it for you) the certs.

2
0
Silver badge

Re: Confused as usual

You're making the assumption that the big cert providers aren't already compromised.

3
0

Re: Confused as usual

Correct on the confusion of issues.

Partially on the proxy systems, because if certificate chains are setup correctly this would be detectable.

And yes there are workarounds to make this type of proxy work too (only think back to the Diginotar incident and why a certain government allegedly broke in to get certificates to spy on their own people).

0
0
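The "Confused as usual" thread above turns on one technical point: a TLS interception proxy only works if the client accepts the substituted certificate, so a client that insists on full chain validation and additionally pins the expected leaf certificate will notice the swap, even when a rogue or compromised CA (the DigiNotar case) has issued a "valid" certificate for the name. The following is an added example, not code from any commenter or from OpenSSL/OpenVPN-NL; the DER byte strings are constructed placeholders (not real X.509 data) and the host name in the usage comment is hypothetical.

```python
import hashlib
import socket
import ssl
from typing import Set, Tuple

# Constructed placeholder "certificates". Real code would pin the SHA-256 of the
# DER bytes of the server's genuine leaf certificate (or its SubjectPublicKeyInfo).
EXPECTED_LEAF_DER = b"constructed-der-bytes-of-the-genuine-leaf-certificate"
SUBSTITUTED_LEAF_DER = b"constructed-der-bytes-of-a-cert-issued-by-a-rogue-ca"


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon-separated upper-case hex
    (the same layout browsers and openssl x509 -fingerprint print)."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_pin(presented_leaf_der: bytes, pinned: Set[str]) -> Tuple[bool, str]:
    """Compare the presented leaf certificate against the pinned fingerprints.

    A mismatch does not by itself prove interception (legitimate key rotation
    looks the same), which is why deployments keep a backup pin in the set and
    log the observed fingerprint so an operator can tell the two apart.
    """
    observed = sha256_fingerprint(presented_leaf_der)
    if observed in pinned:
        return True, f"leaf fingerprint {observed} matches a pinned value"
    return False, (f"leaf fingerprint {observed} is not pinned: possible "
                   f"interception proxy or rogue-CA issuance, or an unannounced "
                   f"key rotation; refusing to send data")


def hardened_context() -> ssl.SSLContext:
    """Client context that refuses unverified or unnamed peers.

    Chain validation against the trust store is the first line of defence the
    thread mentions; pinning (check_pin) is the second, which catches a chain
    that validates only because a CA was coerced or compromised.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Open a verified TLS connection and return the peer's leaf certificate DER.

    Network access is needed for this one; the pin comparison itself is offline.
    """
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    pins = {sha256_fingerprint(EXPECTED_LEAF_DER)}
    print(check_pin(EXPECTED_LEAF_DER, pins))      # (True, ...)
    print(check_pin(SUBSTITUTED_LEAF_DER, pins))   # (False, ...)
    # Against a live host (hypothetical name) you would do:
    # ok, why = check_pin(fetch_leaf_der("portal.example.gov"), pins)
```

The design choice worth noting: `hardened_context()` leaves the operating system trust store in place rather than replacing it, so ordinary chain validation still runs, and `check_pin()` adds a second, independent check that does not trust any CA at all. Pinning to the leaf is the strictest form and needs an update on every renewal; pinning to the issuing CA or to the SubjectPublicKeyInfo hash is the usual compromise in practice.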
Silver badge
Thumb Up

No holes thanks, we're Dutch!

The Netherlands has a history of stopping-up unwanted holes.

https://youtu.be/STGXpq8JGIg

Work safe!

2
0
Silver badge
Childcatcher

For Now

But the most important debate rests in the United States, where the majority of the products and services used online stem from.

Yes and every time the US tries to force its thinking on world-wide consumers, it loses custom. Since the majority of those who are currently fear-mongering in Congress are also "pro-business", we can look forward to backtracking on the issue after the legal system has been thoroughly screwed up.

6
0
Anonymous Coward

It needs to be compulsary encryption

They need to make it compulsary to encrypt wherever private data is handled.

Otherwise bad countries will REQUIRE backdoors, which will also be in the Dutch version, and those countries (that have had a commercial and political advantage from the spying) will continue to have a free for all with dutch private secrets.

China is only the latest to pass laws to get access to these backdoors. In USA, it seems FBI asked Microsoft for the disk encryption keys, which on Windows 10 now backs up the keys to Microsoft servers by default. FBI has no legal jurisdiction over The Netherlands, and had no legal authority to demand back doors, they simply did it anyway.

Surveillance transfers secrets from target to spy. Spy gains an advantage over target. That is true whether it's NSA spying on governments, GCHQ spying on their political bosses, Cameron and May spying on their opponents. It undermines the basic democracy if a foreign power can leverage leaders to ensure outcomes it wants, not the electorate want.

It's unlikely that we will ever be allowed to elect a pro-privacy leader in the UK again. The pro-surveillance lot simply have too much leverage over the UK political system. DO NOT LET THAT HAPPEN TO YOU. Cameron was anti-nanny state, and has now turned into supernanny surveillance Cameron, spying on all brits.

UK GCHQ was prevented from spying on Brits, and now spies mostly on Brits. If it crosses the border they'll spy on it, even if it's UK to UK data, even if they routed it off shore themselves! And our Parliament had its emails moved offshore too, by the same group of ministers behind the surveillance. So you see how bad things are in the UK.

Once it starts, you cannot stop it, so you need to nip it in the bud.

Make encryption compulsary and block services as the backdoors are revealed, to protect your core rights.

6
0
Silver badge
Headmaster

Re: It needs to be compulsary encryption

Make encryption compulsary ...

Yes ... and start by learning to spell "compulsory"!

0
0
Gold badge
Unhappy

I wonder if Cameron uses E2E encryption.

The true answer is of course "I don't know. I'm far too important to worry about such things. That's for the oiks to deal with"

End to end encryption.

You'll miss it when it's gone, Mr Cameron. *

*Especially if (for example) someone were to snag a copy of your memoirs in transit and dump them to the public a day before publication.

2
0
Silver badge

Like the 5 Eyes gov'ts, The Dutch gov't has a choice. But it picked the correct option

"Or in other words, there is nothing Holland can do about Google, Microsoft, Facebook or any of the other countless products used by its citizens to communicate online."

Being small does not mean Holland lacks choice. Israel is small. New Zealand is small.

The easiest thing for Holland to do if it wanted to spy on its citizens would be to become a closer affiliate of the Five Eyes.

So the Dutch government does have a choice. But unlike our governments the Dutch government is rejecting Chekism. It is rejecting turning Holland into a Chekist regime run by its current and past members of its security services.

4
0


Biting the hand that feeds IT © 1998–2017