Another one.

November 15, 2007

Well. I was expecting this. You know, there are people taking civil responsibility, running a Tor-node and all they get is nastygrams, kicked-down doors and ultimately, lawsuits.

So, what happened: There’s this German guy, a Tor-operator. In June the police sent him a letter telling him that he’s accused of computer fraud combined with unlawful modification of evidence. He’s a law-abiding citizen, guilty of nothing, just using his civil rights and quite fed up with all those silly accusations, so he followed Udo’s golden rule #1: “You have the right to remain silent”.

Months later he got a letter from a court about a penalty order, telling him that he’s guilty on all counts.

He describes it in his own words:

In early September I received a penalty order ("Strafbefehl") - from the
court. A judge found me guilty of having ordered a gift voucher (value: 51
EUR) on amazon.de, providing address details of a living person (but not
myself obviously), and using a Web.de email address registered specifically
for this purpose. I was sentenced to pay a fine of 500 EUR.

He appealed and the whole case finally went to court, having the hearing today. What happened then is beyond all reason:

[...] the penalty order listed four witnesses (the person whose address
details had been used, a police officer in a cow town near that person's
hometown, a local police officer, and an employee of amazon.de)

However, the trial listed no witnesses at all. That guy was a lay judge (lay assessor) himself, so he thought that this trial was based on a very weak basis and didn’t bother about it too much. Then all hell broke loose.

The judge and the lawyer of the state realized quite quickly that he was not the one who committed the fraud, but instead of dismissing the case entirely they started to construct accusations like “supporting a crime” – which is utter bullshit. The accusation of “supporting a crime” in Germany definitely states that you need to actively support a certain crime – and specifically the one that you’re accused of. There ain’t nothing like a “general support crime”, as the judge thought. This is just another stunt!

The judge really thought “someone needs to be punished, but we can’t accept you helping anyone else to commit a crime”:

The judge as well as the public prosecutor
refused to accept that I didn't do anything criminal, that I didn't and
still don't want to help anyone committing a crime.

Oh Lord. Where have we gone!?

Even worse. The whole lawsuit was so frightening and cumbersome to the Tor-guy that he decided to dismiss the lawsuit according to §153 StPO. That means that the accusations are dismissed because there’s no public interest in the case. But yet, that doesn’t mean that he was found NOT GUILTY!

Why did he do this? Because he didn’t want to pay for a lawyer, as I do – but I can afford it:

They offered me to dismiss the actual court trial according to paragraph 153
StPO which is not the same as an acquittal (no "Freispruch") which I
eventually accepted. It means, however, that I won't have to pay for the
trial. They also repeatedly said that this time I got off with just a slap
on the wrist - next time it wouldn't be that cheap.

It’s all a big mess. Judges and lawyers have no bloody clue what Tor is about. They ignore the fact that Tor is a legal tool in a civil society and that Tor-operators aren’t responsible for the actions of their users. Heck, no one ever sued Pan Am for letting the Lockerbie-bombers on board, and no one ever sued the German Postal Service for transporting letter-bombs: Yet German courts think that operators of anonymizing services are responsible for the actions of the users.

Brave new new world. Where have we gone? Our elected leaders ratify laws which are stupid. The judiciary is as dumb as a piece of stale bread. Take me out of here.


nemo tenetur seipsum accusare^2

November 14, 2007

It didn’t even take a month.

The Register reports about an animal rights activist who’s now asked to hand over her crypto-keys.

El Reg sums up the details:

An animal rights activist has been ordered to hand over her encryption keys to the authorities.

Section Three of the Regulation of Investigatory Powers Act (RIPA) came into force at the start of October 2007, seven years after the original legislation passed through parliament. Intended primarily to deal with terror suspects, it allows police to demand encryption keys or provide a clear text transcript of encrypted text.
[...] she has been given 12 days to hand over a pass-phrase to unlock encrypted data held on the drive – or face the consequences. [Failure to comply can result in up to two years imprisonment for cases not involving national security, or five years for terrorism offences and the like.]

So what do we have here?

A dodgy law which is meant for serious crimes and terrorists.
A woman engaged in animal rights.

I can see the plot!

Evil trrrsts meetin animal-rights activists to blow up Downing Street.

Oh, you’ve got nothing to hide? Sure mate.

Some people pointed out that this silly law could be circumvented by technology based on plausible deniability and hard crypto – but still I say, it’s the law that’s flawed!


nemo tenetur seipsum accusare

October 11, 2007

Well, not in the UK anymore.

Nowadays you got to hand over your encryption keys to the authorities if they ask you. Non-compliance can be punished with up to two years for ordinary “crimes” and up to five for trrrsts.


Tor madness reloaded

September 16, 2007

Update^4: If your comment doesn’t show up immediately, it probably ended up in the spamfilter (Akismet). As long as the people keep posting I’ll continue to check the spam-folder regularly and will manually publish the posting. So don’t post twice or even more often. — alex.
Update^2: I want to point out one thing: The investigations about “computer fraud” are not related to the other case. It’s not that they try to find some other accusation to sue me in any case. Lots of people were raising that rumour: It’s not true. — alex.

As you, my regular reader, might know, I run a Tor-server in Germany. I already had some experience with the German Feds, the BKA, regarding the childporn-crackdown earlier this year. I blogged about it and even earlier I wrote a sentence – which was merely a superstition – of which I thought “this can’t possibly happen in Germany”:

“[...] the last thing I want to experience is the police kicking down my door, seizing my computer.”

I also wrote, in another posting:

“My TOR-server is still running, pushing 40GB/day around. I’m not going to shut it down for whatever reason.”

However, I have to retreat from my arguments.

On Sunday morning, 00:15 AM, July the 29th, someone knocked on my door very hard. I just came back from a pub-crawl with a friend from the UK, was quite drunk, opened the door and just heard “Police!”. They entered my apartment, cuffed me and started to search my flat. My wife was scared to death. I was held in my own kitchen for almost 30 minutes asking “WTF is that about?” when they just said “Calm down, we’ll explain everything later”.

Minutes later they explained to me that I’m suspected of placing a bomb-threat at a German copper-forum called copzone.de – a forum I never heard about. They accused me of posting shit like “I’ll plant a bomb in the department of work” and that I was about to cut-throat (or something like that, I can’t remember, I was drunk) a worker from that department. (Edit: The posting at copzone.de doesn’t seem to be accessible. Since my lawyer doesn’t have the files yet, I don’t know what exactly was posted. The German police doesn’t hand over the files to the suspect, he has to hire a lawyer to see the files.)

I explained to them that I was a Tor-operator and what Tor is about. I showed them the letters from the Feds from the earlier incident to prove that I’m not bullshitting them. However, the coppers weren’t so much into Tech-stuff and told me that a forensic unit will care about all my equipment. They searched everything: My attic, my office, my car, they dug through my wife’s underwear, they found my old chemistry books very interesting, the flak-vest I own which I use when I go to strange countries, they found the fertilizer which I use for my chilli-plants, my microcontroller-experiments looked like an IED to them: Basically, EVERYTHING was suspicious.

They installed a new lock on my office’s door, although I explained to them that my Tor-server was running in a totally different city, like 500 km away! Funny enough, that server wasn’t confiscated. Ah, and I’m supposed to pay for the new lock. WE’LL SEE ABOUT THAT.

Eventually – after 30 minutes maybe – they took off the cuffs and brought me to the police-barracks for interrogation. I explained there for hours what the hell I’m doing, what Tor is and all the crap. I spare you the details. I was drunk and the interrogation-protocol might be a bit embarrassing for me.

However. Hours later, on the same Sunday, someone from the “Staatsschutz” (something like the DHS) of the city of Düsseldorf came to unlock my door, telling me something like “uh, we screwed up, sort of”. That’s not what he said, but that’s the bottom line.

So much for the incident.

The consequences: I’ve shut down my Tor-server. I can’t do this any more, my wife and I were scared to death. I’m at the end of my civil courage. I’ll keep engaged in the Tor-project but I won’t run a server any more. Sorry. No.

So, so much for my arrest. Now the same storyline continued.

I was at the Linuxbierwanderung 2007 in Crete last week. I held a talk about Tor and the legal implications running a server (slides here).

Thursday I was still sitting in the car driving through Austria back to Germany when my wife called me up “we have another letter”. This time the accusation is “computer fraud”. I don’t know any details yet, but I’m supposed to show up for interrogation next Thursday. My lawyer is informed. Details when I can tell them.

So, to sum up everything: I was arrested. They scared my wife. They confiscated all my equipment. They stopped the investigation. I’m sitting on a pile of bills from my lawyer no one except me has to pay. I’ll sue for compensation, but I don’t think that this will lead anywhere. I’m now accused of something else. Hooray! Bloody hell. I still love my country, but it’s bitching around.

From my point of view the German police is even more than incompetent++. They aren’t able to do the most simple investigations. Pre-checks for plausibility don’t exist. This is so stupid.

Ah, and on a sidenote: My lawyer is still waiting for the files of the bomb-threat incident. Although the investigations against me were stopped. Wonderful!

Düsseldorf, September the 16th,
Alex “Yalla” Janßen.

Edit^3: On a sidenote – some people accused me of not knowing what I’m talking about when I said that the police was incompetent when it came to this incident. Let me get this straight: I’m qualified to comment on this, I’m working in the computer security business and I know how to do real investigations. The first thing to check is if the server in question is an open relay or some anonymisation service. So stop this stupid bullshit. Just check the hostname “wormhole.ynfonatic.de” in your favourite search-engine and on the first hits it’s revealed that this is a Tor-server. You don’t need to be a computer-expert to check on this. Incompetence++.


Schily, Schily, oy oy oy

February 9, 2007

My “favourite” politician, Mr. Wolfgang Schäuble, Home Secretary of Germany, was interviewed by the newspaper TAZ.

I almost spilled my coffee over my keyboard while reading the interview. I knew that he’s absolutely for Law and Order but I couldn’t imagine that he’s that ignorant about what the citizens think about his plans to introduce a governmental trojan horse, which should infiltrate terrorists’ computers. It’s about security, isn’t it? (And the children. And world peace. Are you against the children or what? Either you’re with us or the terrorists.)

Some examples:

TAZ: Mr. Schäuble, are you Germany’s highest ranked hacker?
Schäuble: No, I don’t get into any computer, and frankly I don’t really know how the police is doing that. I barely know what a trojan horse is.

TAZ: Are you afraid of those so-called trojans, meaning e-spionage software?
Schäuble: No, in general I never open attachments in email, where I’m not sure about its origin. And also I’m a decent guy, the BKA [German Federal Police] doesn’t need to send trojans to me.

TAZ: 10,000 citizens are planning to file a constitutional complaint against the mandatory data retention. Don’t you get contemplative about that?
Schäuble: That doesn’t bother me any more.

Once again I’m totally convinced that the politicians don’t give a damn about the citizens’ opinion. They try to justify every surveillance measure with the terrorism/child-porn/internet pirate argument.

To quote Kurfürst Friedrich Wilhelm v. Brandenburg:

“Es ist dem Untertanen untersagt, den Maßstab seiner beschränkten Einsicht an die Handlungen der Obrigkeit anzulegen.”
(Flaky translation: “It’s forbidden to the subject to apply the standard of his limited views to the acts of the authorities”)

Happy hacking.



Saxonian Education

February 8, 2007

A 16-year-old girl from Saxonia, Germany, was sentenced to two weeks in prison because she didn’t attend school.

Wow. At first I thought the Pisa-study showed that the German school-system needed an overhaul.

Now I know what’s wrong: It’s the pupil’s fault. And only prison helps. For the better good and the german future.

To Judge Andreas Pech: If you thought that prison helps children to learn then you should consider going to jail as well – just to learn the basics of comparativeness.

Irony intended.

I wonder if they’ll subpoena me now.



s/GI/FSFE

January 7, 2007

Recently I quit my membership in the German Computer Science Society (“Gesellschaft für Informatik”), mostly because I think they don’t have a real perspective. For years and years I thought that they would start to be a bit more pragmatic, but they kept insisting on the “one and only lore”. I know that they’re more about science and teaching, but they didn’t meet my expectations – especially when it comes to software patents. I was recruited by them when I was still a student so I feel quite sore and sorry to leave them – but we weren’t made for staying together.
So I resigned as a member in December, something I actually didn’t want to, for I believe that people like the Bitkom don’t really represent us, the hackers, fiddlers and freelancers, in a true sense. The Bitkom is more about big corporate business, the GI more about science and teaching.
Nonetheless, the GI was too far off for me too. They got me as a student, nowadays we’re not aligned any more and they can’t offer me anything.

I had to find my own way, so I finally decided – after much lobbying from friends who were already active members – to join the European chapter of the Free Software Foundation as a Fellow.

And there I am, a new proud member of the Free Software Foundation Europe.

What do I want to achieve with it? Not sure yet, but I feel that my contribution – meaning my membership-fee of 120 EUR a year – is better with the FSFE than with the GI.

My goals? I’d like to establish a TOR legal-fund. Maybe the FSFE is the right platform for it, although I’d be better off with the EFF, but they don’t seem to have a well-organised European chapter. Considering my recent experience with the German Feds and my lawyer’s bill – just a mere 150 EUR though – I started to think how other people with no funds could defend themselves against ill accusations. Rabenhorst said that he doesn’t really agree with me that the Feds did the right thing how to prosecute evildoers who abuse TOR. I’m still not with his opinion since running TOR is one thing and prosecuting child-porn dealers is another one, but others pointed out correctly that there are other people running TOR who don’t have the funds to hire a lawyer as I have.

I can’t promise anything by now, I don’t have a real plan yet; but a TOR legal-fund for us German TOR-operators wouldn’t be too bad.

If you feel inclined to help me out with it, drop me a line, I’d be happy to discuss a legal fund as I have a lawyer handy who might be able to consult us.

Cheers, Alex, FSFE member #916.



TOR, the feds and me

January 4, 2007

I run a TOR-server. Anonymity is not a crime. There are a million reasons why you want to stay anonymous on the interweb. Lately there was quite a hassle about seized TOR-servers in Germany and I was waiting for my server to be seized too. Didn’t happen until now. Something quite unexpected happened instead.

On the 28th of December I got a letter from the BKA (Germany’s Federal Criminal Police Office). The content of the letter was something like that:

“The owner of the IP-Address $my_servers_address is suspected of possession of child pornography. Hereby we order you to tell us the real name of the owner and disclose all relevant logfiles according to §113 TKG in the time of the 26th of October, 7:00 PST. We also demand the names of all your customers which use your service and we inform you that disclosing our request to your customers may be punishable.”

Obviously I was a bit scared about the “the owner of the IP-address part” so I hired a lawyer. The overall text was also a bit far-off for my taste, but whatever. My lawyer sent out a fax yesterday to the BKA asking if I, as his client, am a suspect or a witness. He also stated that I’m running a TOR-server and that no relevant log-files according to §113 TKG exist. In case that I’m a suspect he asked for all the files dealing with the investigation.

That was last night, today, about 20 hours later, we already got a reply. The BKA acknowledged that they understood my lawyer’s statement that the TOR-server does not create relevant logfiles and claimed that this information is enough for their ongoing investigations. Furthermore they say that they need no further “statements” from my side. (which can be read as thanks, we’re fine, but who knows…)

Hm, they finally seem to have come to their senses. They really scared the shit out of my wife and me, believe me. When I started running a dedicated TOR-server I had a chat with my wife and explained to her what I’m up to, what TOR is and what consequences it might have – she never thought that this case would ever occur.

I have only two possible explanations why they wrote the letter in that way. Either they thought that I rented the server to someone else – doing business with that dedicated server – or they just wanted to spread fear among the German TOR-operators. Could be either way. However, they were quite polite, not threatening in a direct way. But enough to make me call a lawyer.

However, this is rather an improvement compared to what happened in the last couple of months, LEAs seizing random servers without thinking. This LEA thought before taking action, followed the way of investigation that would be obvious to everyone.

A very warm Thank You very Much to Dr. Michael Stehmann, my lawyer.

TOR-operators in Germany: Don’t let the LEAs scare you. Remember: It’s not you. It’s criminals abusing your service. You’re not the criminals, it’s them. And don’t let the “If you’ve nothing to hide”-argument bother you. It’s us, the citizens, to observe the state, not the state to watch on us. And a hammer doesn’t make the tools-dealer a murderer.

Cheers, Alex.



TOR roundup

September 12, 2006

Regarding my posting probably unluckily named “Germany: Crackdown on TOR-node operators” (I wrote “on TOR-node operators” on purpose, not “on TOR”) I’d like to clarify a couple of things. Before I start blurbing around I’d like to quote Shava Nerad, executive director of the TOR-project:

“Last week, a few Tor exit-node servers were seized by the German police in a massive sting against child pornography. From our friends on the ground in Germany, we hear that dozens and dozens of machines may have been seized. So far as we know only six of those were Tor servers. We have heard from the server operators. None of them has been charged.

This is not a “crackdown” on Tor, as has been widely reported. We expect and hope that the volunteer Tor server operators in Germany will get their equipment back after this has blown over, and there will be no action against Tor.”

I have nothing to add here and I’d like to point out that we all should calm down a bit and to repeat what I said in my initial posting:

“Those servers were most probably configured to be TOR Exit-Nodes, so their IP-addresses might have shown up in the server logfiles of the child-porn servers in question.
[...]
I guess that the attorney of state is just after logfiles, they knew that those servers were operating as TOR-nodes. If your IP-address pops up in a child-porn case surely your IP looks interesting to the police.”

Maybe my words weren’t clear enough, maybe I underestimated the momentum of this news, and I probably didn’t take into account that lots of people didn’t actually read my posting completely and just picked up the news which seemed to be relevant to them. Also some people definitely interpolated those crippled news to justify their prejudices against Germany (“Nazis”), the police (“they’re after us!”), and the TOR-project (“They’re supporting child-porn and probably terrorists!”).

And clearly I made the assumption on Boing Boing where I said “Apparently it’s about the proliferation of child pornography, although no charges have been pressed against TOR operators yet.” I shouldn’t have written that.
So let me put it in other words, restating what I posted as a comment earlier:

  • The seized TOR-servers were most probably TOR exit-nodes.
  • Their IP-addresses most probably showed up in the logfiles of the alleged child-porn server.
  • The police found out about that IP-address and the police must take action and seize the server.
  • The fact that the server was running TOR is of no actual value for the process of forensics itself.
  • So there’s no actual evidence at the moment which proves that this is a direct attack on the TOR-network or its operators in Germany.
  • We still don’t know if any charges are pressed against operators. Basically we’re all speculating, so please, let’s keep calm until we really know more. If I find out more, I’ll post updates here.

I learned from all the feedback I got in comments and trackbacks that there’re actually people in China and other countries in the world specifically asking not to shutdown our nodes. They said that TOR is one of their very few possibilities to get a decent internet connection at all. Considering that other websites like Wikipedia are banned in those countries we should make it our responsibility to give people from oppressive states the support they need – free communication.

Famous last words: My TOR-server is still running, pushing 40GB/day around. I’m not going to shut it down for whatever reason. I ask all other TOR-operators in Germany to do the same. There’s no sign that we’re going to be sued for whatever reason at the moment.

Let’s keep calm and not become hysterical.



Germany: Crackdown on TOR-node operators

September 10, 2006

Update: TOR roundup

The public prosecutor’s office of Konstanz raided computing centres of seven providers in Germany, seizing ten servers because of the proliferation of child pornography. Nothing new, things like that happen all the time, the juicy detail is that some of the servers were merely running a copy of TOR, a software to anonymize the usage of the internet to protect your privacy.

Those servers were most probably configured to be TOR Exit-Nodes, so their IP-addresses might have shown up in the server logfiles of the child-porn servers in question. One could argue that this is an attempt to frighten German TOR-node operators, but I’d just keep calm for the moment. I guess that the attorney of state is just after logfiles, they knew that those servers were operating as TOR-nodes. If your IP-address pops up in a child-porn case surely your IP looks interesting to the police.

However, this situation is disturbing, really disturbing. I run a TOR-server myself (wormhole.ynfonatic.de) and the last thing I want to experience is the police kicking down my door, seizing my computer. (Despite the fact that my server is rented and in Leipzig, I don’t want them to raid my apartment. Child-porn, you know, the last reason. You could possibly justify everything with it.)

One operator whose server was seized as well wrote a letter to all the TOR-operators in Germany he was aware of, reaching me as well; he wrote that he is not aware of any charges pressed against him at the moment and that his provider, whose server-room was raided, was not available for a real comment on the weekend.

We just have to wait what’s going on, which charges are pressed – if at all, I somehow doubt that – and when the state will give those servers back. This is really something horrible for the TOR-operator – especially if you take into account that there will be no evidence at all to find on the harddrive. It’s just a hassle, stress which is put upon you.

But I guess we have to go through it. There was no lawsuit about TOR in Germany yet – I hope it’s not going into the direction of “supporting proliferation of child-pornography”. This would be the end of anonymizing services in Germany and probably everywhere in the EU.
I run TOR to get a certain level of privacy. Staying anonymous is no crime. I want my privacy.

Please morally support us, the TOR-operators.

Fellow Blogger rabenhorst also wrote a bit about it.

Update: Subscribing to the tor-talk list helps… There’s also a thread in english about the Razzia.


