Kazakhstan Decides To Break The Internet, Wage All Out War On Encryption
from the mandated-middle-men dept
Starting on January 1, the country of Kazakhstan has formally declared war on privacy, encryption, and a secure Internet. A new law takes effect in the new year that will require every citizen of the country to install a national, government-mandated root certificate, so that the country's ISPs can sit between residents and foreign sites, present their own certificates for those sites, and read all of the encrypted traffic. In short, the country has decided that it would be a downright nifty idea to break HTTPS (TLS, or "SSL" as the notice still calls it) for everyone, essentially launching a "man in the middle" attack on every resident of the country.
While it has since been removed, a statement posted to the website of the country’s largest ISP KazakhTelecom (Google cache and rather sloppy translation) stated that the ISP was required to intercept encrypted traffic to “secure protection of Kazakhstan users” who have access to encrypted content from “foreign Internet resources”:
“The national security certificate will secure protection of Kazakhstan users when using coded access protocols to foreign Internet resources…Detailed instructions for installation of security certificate will be placed in December 2015 on site www.telecom.kz.”
Of course, such an effort will wind up doing the exact opposite of protecting the country’s residents — instead opening the door to rampant surveillance and to outright criminal interception should the private key behind the certificate fall into the wrong hands, since whoever holds that key can impersonate any website to every device that trusts it. Oddly, while the notice states that all Windows, OS X, iOS and Android devices must adhere to the new law, Linux isn’t mentioned, giving privacy conscious residents and journalists ample time to install their Linux distro of choice. (A device that never installs the root gains no free pass, though: every intercepted connection will simply fail with a certificate error, which is at least a reliable way to notice that the interception is happening.) Security experts are quick to point out that the entire, ham-fisted affair is not only ethically idiotic, but likely impossible to fully implement and enforce:
“There are obvious, myriad ethical issues with this sort of mandated state surveillance,” said (Security researcher Kenneth) White. “But I suspect that the political forces pushing these measures have grossly underestimated the technical hurdles and moral backlash that lay before them.” “The best case scenario is that the regime will seriously weaken the security of only a subset of their citizens,” said White.
Bang up job, team! Last month, Human Rights Watch described Kazakhstan as an authoritarian dictatorship with “few tangible and meaningful human rights.” Freedom House, meanwhile, ranks Kazakhstan poorly when it comes to Internet freedom, noting that the country’s war on religious extremists has resulted in an increase in Internet filters, a total blockade of LiveJournal, intensified surveillance at cybercafes, and a spike in “physical assaults on bloggers and online journalists.”
It’s easy to dismiss what Kazakhstan is doing as the drunken stumbling of a tin pot dictatorship, until you remember that the UK is proposing something not entirely dissimilar, and both current leading U.S. Presidential candidates dream of waging their own war on encryption and common sense.
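To make concrete what "breaking HTTPS" with a mandated root certificate actually means, here is a small self-contained Go program added to this page as an illustration; it is not from the article, from KazakhTelecom, or from any real interception product. It generates two throwaway roots, a stand-in for a site's legitimate CA and a stand-in for the national root (the names "Real CA" and "National Root", the hostname example.com, and all keys are constructed for the demo), issues a genuine and a forged certificate for the same hostname, and then shows three things: a client that trusts only the real CA rejects the forged certificate; the same client accepts it the moment the national root is added to its trust store; and a public-key pin, which compares the key in the served certificate against a value recorded out of band instead of consulting the trust store, still catches the forgery.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// ca is a self-signed root plus its private key. "Real CA" stands in for a site's
// legitimate issuer, "National Root" for the mandated one; both are generated here.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func newRoot(name string) *ca {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &ca{cert: cert, key: key}
}

// issueLeaf mints a server certificate for host with a fresh key, which is what an
// interception proxy does on the fly for every site it relays.
func (c *ca) issueLeaf(host string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, &key.PublicKey, c.key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// chainsTo is the browser's check: accept leaf for host if it chains to any
// root in the trust store, whichever root that turns out to be.
func chainsTo(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

// spkiPin is the HPKP-style pin, base64(SHA-256(SubjectPublicKeyInfo)).
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// scenario issues a genuine certificate for host from "Real CA" and a forged one from
// "National Root", then reports whether the genuine cert validates, whether the forged
// one validates against the real root alone, whether it validates once the national
// root is trusted too, and whether its key matches the genuine certificate's pin.
func scenario(host string) (realOK, forgedOK, forgedWithNational, pinMatch bool) {
	realCA, national := newRoot("Real CA"), newRoot("National Root")
	realLeaf, forged := realCA.issueLeaf(host), national.issueLeaf(host)
	realOK = chainsTo(realLeaf, host, realCA.cert)
	forgedOK = chainsTo(forged, host, realCA.cert)
	forgedWithNational = chainsTo(forged, host, realCA.cert, national.cert)
	pinMatch = spkiPin(forged) == spkiPin(realLeaf)
	return
}

func main() {
	fmt.Println(scenario("example.com")) // hostname is constructed for the demo
}
```

Run it with `go run` and the four booleans come out as true, false, true, false: adding one root to the trust store is all it takes for a forged certificate to look legitimate, which is the whole mechanism of the scheme. The pin comparison is how a site operator, or a resident who recorded a site's key from outside the country, can detect the interception on a device that has installed the root: the trust store says the chain is fine, but the key in the certificate belongs to the proxy, not to the site.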
Filed Under: encryption, kazakhstan, man in the middle, privacy, security, surveillance
Comments on “Kazakhstan Decides To Break The Internet, Wage All Out War On Encryption”
Not 'if', 'when'
Of course, such an effort will wind up doing the exact opposite of protecting the country’s residents — instead opening the door to rampant surveillance and potential security vulnerabilities should the certificate fall into the wrong hands.
That someone with less than noble intentions will get their hands on what they need to take advantage of the mandatory malware is a given, there’s no question about that, the only thing up for question is how long it will take. Personally I’d guess a month at most, given you’re talking about something that creates vulnerabilities in the computers of everyone within the country.
Of course with regards to the surveillance aspect falling into the ‘wrong hands’, that will take all of zero days, given the government will be using it in that manner from the get-go.
Re: Not 'if', 'when'
Re: Re: Not 'if', 'when'
Last time I looked, Microsoft did not incarcerate and execute people. I have to admit that I stopped reading EULAs some time after I stopped using Windows, and the trend was clearly going in that direction. But I suppose if they had acted on such provisions already, it would have been in the news.
Re: Re: Re: Not 'if', 'when'
“Last time I looked, Microsoft did not incarcerate and execute people”
you are right
Microsoft does not murder and torture people,
THE US GOVERNMENT does.
Re: Re: Re: Not 'if', 'when'
The context was, if they don’t keep the cert secure, folks could be subject to hacking from online criminals.
Reading: It’s fundamental!
Re: Re: Not 'if', 'when'
Such a certificate requires that a root certificate be given to all ISPs, or whoever is doing the man-in-the-middle attack. This is required so that they can sign certificates for sites that users want to visit. Time to leak for such a certificate will likely be measured in hours or days.
What are the odds that it is also a software signing certificate, to make installing of spyware easier?
Re: Re: Not 'if', 'when'
Not in the slightest. Corporations do not have the power of coercion over the people the way the governments do. A cert issuer doesn’t have (unreasonable?) laws or armed police or courts or prisons.
Re: Not 'if', 'when'
Not just the government, but government contractors, too. Including those contractors that have ‘contracts’ with other governments.
What would be interesting to follow, but we will probably never hear about, is how long it will take residents to learn to create virtual machine images that can spin up without the “mandated” encryption bypass. Then they can spin up an image, do their private business that can be kept private, then delete that session as though nothing happened.
In related news … Brick and Mortar businesses across Kazakhstan hailed the decision as a great idea.
Re: Re:
Exactly.
The ‘president’ (completely fake elections where people are forced to vote at gun-point and often they just make up entire villages of voters) Nursultan Nazarbayev took MASSIVE bribes from various anti-internet companies that want to go back to the ‘old way’ of doing things via going to a physical bricks & mortar store, and this is the result, a blatant and obvious attempt to make online banking/purchasing extremely risky.
Re: Re:
In later news Australia does the same as the financial donors to the current right wing government are B&M owners who have tried for years to stop internet shopping so they can continue to price gouge the citizens. And to think that this week we have been told we must be innovative to prosper after the mining boom. This new law sure is innovative for the dinosaurs of business, Australia style.
Don’t give our politicians any ideas…
This will not stop terrorists and criminals using their own secure encryption, but will be very useful for spotting any signs of political dissent by everyday citizens.
Re: Re:
Actually, Kazakhstan is an edge case where, with regards to encrypted TCP and UDP flows at least, it might.
Kazakhstan is a relatively small country, and their telcos and ISPs likely have a small number of connections to ISPs outside Kazakhstan.
The ability to analyze and shut down traffic flows you can’t decrypt is well within the capabilities of most “next-gen” firewalls.
Next-gen firewalls won’t necessarily help with encrypted data that’s transferred over non-encrypted sessions, but there are systems on the market that can catch that in most cases.
It’s unlikely they could actually shut it down 100%, but 95%+ efficiency is probably possible for them. Couple that with periodic, high-visibility arrests and you could call it “close enough”.
this is a dream if you want to plant evidence
the thing i’ll never understand is why wage war and get millions of people killed trying to stop the same sort of thing from encroaching the planet 70 years ago, only to insist that the same thing must happen now to prevent what is happening which is the same as then? do the politicians in charge now think things will be any different? it’s self-interested bullshit expectations if they do!
i still think that what is going on is instigated to get the planet run like a massive corporation, where the only people with rights are the dozen at the top of the tree, the ones who actually want this and have never had a better chance of getting it! these surveillance laws are meant to ensure that the people and/or security forces can’t do a damn thing without it being known and measures put in place to either prevent, stop or dispel any counter action to what the dozen want!!
Followed by the US, UK, France and other “democratic” countries who are now all saying in choir:
“If Kazakhstan, China or Russia do that, why aren’t we doing it, too?!”
Although Kazakhstan a glorious country, it have a problem, too: economic, social, and human rights.
Open the floodgates!
A subset of their citizens
And guess which subset that will be?
The very same subset that actually puts their faith and trust in the government.
The jaded, disenfranchised, cynical and downright frustrated citizens will not have faith in this scheme. Those who understand the technological ramifications of this will not have faith in this scheme.
No, it is those the government relies on most. Those that put some measure of faith in the government. Those who are loyal and patriotic. Those the government wants most to keep safe… who are going to be affected, attacked and harmed by this.
Governments wonder why they face rising dissent while simultaneously destroying public trust over and over…
and over…
and over…
The USSA started using one-time pads in 1930. Anyone want to bet that they will be making a comeback?
BTW, there are easy methods of transmitting one time pad keys in the clear to facilitate such comm.
Re: Re:
BREAK THE INTERNET OH NOES!
Good News
Hopefully this will fall apart quickly enough to serve as a warning to others.
Kazakhstan should try Kickstarter, i’m sure the US & GB would help fund this new business.
Time to go grab some popcorn and watch the clusterfuck unfold. Let’s see how Feinstein, et al. try to defend their propositions when Kazakhstan will fail horribly or be such a success that it is condemned by the world.
How is this even practical? There must be hundreds of thousands of embedded devices that cannot be updated.
There’s a Borat joke in there somewhere.