In defense of a Minority Government

It’s day one after seven weeks of negotiations for forming a Jamaica coalition of Christian Democrats, Liberals and the Green Party in Germany have failed. Following the rise of the AFD on the far right and the losses of the Social Democrats, the political landscape looks a lot different from what it used to. The typical constellation used to be one where a larger party teamed up with a single smaller party to get a majority in parliament. That no longer works, and even for coalitions of three parties, given how the parties on the far right and left are not considered viable partners by most other parties, the options are few. After four years of being part of a grand coalition, the Social Democrats have ruled out joining another. Hence Jamaica seemed like the only realistic possibility. Now it has failed before it even started, and everybody is talking about a new round of elections.

Everybody except the Bundespräsident. Mr. Steinmeier is appealing to the other politicians’ sense of duty when he asks them to get their act together and not pass the buck back to the electorate. And while most people seem to focus on how that applies to his own party as well, as some kind of request to the Social Democrats to reconsider their refusal to join a grand coalition, I’m hoping he means more than that.

The Social Democrats are actually acknowledging the voters’ request for change. Voters who would traditionally have voted for them did not, this time around, explicitly to not have another grand coalition. And I am personally one of them. It is actually a good thing to acknowledge the voters’ voice like that. And, like the Liberals who were the camel to break the neck of the would-be Jamaica coalition, the Social Democrats are not obliged to join any coalition. There is no moral obligation to do so, because a majority government is not mandatory. Just because post-war Germany has always had one, that does not mean it has to. It also does not mean not having one is a bad thing.

Yes, a government is more stable, when it is backed by a stable majority in parliament. But hey, why be so lazy?

A minority government has to struggle to find majorities for every law it wants to pass. Is that a bad thing? It may seem so, if your first concern is for stability. However, what’s a more stable form of majority than a grand coalition? And people have just made it clear that they do not want that for another four years. They do not want stability at all cost, not if it equals stasis and a government that can basically do whatever it wants, because it doesn’t have to care about any objections. I am personally convinced that both a grand coalition and reelections would damage democracy in Germany. Forming another grand coalition would tell people that even the key form of political participation, an election, is no means of bringing about change. What else is left, after that? To what extremes do you want people to go when they want to see change? What gets the message across to politicians?

Passing the buck back to the voters is also disrespecting what they already said. It is not the politicians’ job to question the outcome of an election or to pout when they do not like it. And it is not their job to go back to the electorate and tell them to vote for something better or different. That also undermines trust in the fact that a democracy can work. The voters already did their job. I may not like the outcome, either, but it is what it is.

Accepting the vote, on the contrary, and going ahead with a minority government, would tell the voters that politicians actually accept the cards they have been dealt. And what is more, the need to find possibly changing majorities for every law to be passed might in fact help return to a mode of operation where you actually talk about those laws, where you actually have a public debate about such things, where you give people a chance to participate, where you try to convince people, instead of just forcing your party members to agree to whatever the head of the party suggests. Yes, it might be more work to convince people. It is more difficult when you have to convince every individual member of parliament to join your cause. But that might actually be just what this democracy needs, right now. Somebody who tries to convince me, because he seems convinced, himself. Also, members of parliament that you can go to and voice your opinion to, because they actually matter and not just the party they have signed up with. Can we please have politicians who do not pout because they did not get the toy they wanted but roll up their sleeves and accept that things are going to be harder than expected and instill confidence that they can still make it, just because they have compelling ideas?

Deutsche Bank and TAN lists

So, my daughter needs a new phone. I feel really old-school with my iPhone 5SE, but whatever. She has earned money from video editing for a local business and also saved some pocket-money, so fine. She wants to spend almost 800 € that are all her own on a new phone, so be it. Turns out the phone is cheaper on Amazon than in the Apple Store directly, even when you throw in an AppleCare protection plan, and of course I go order it online and suddenly find myself with a lot of cash that I feel way too uncomfortable with to not bank it.

My account has been with Deutsche Bank forever for mostly historical reasons, but you know how long-term relationships go with banks, especially after stuff like a mortgage on a house happens and all that. So, between dropping my daughter off at school and running other errands, I hop into their nearest branch office to deposit the money. When I head to that one ATM that also takes deposits, there is this marketing guy chatting up another customer and I already cringe when I hear him explain how printed TAN lists are a security risk. The yarn he spins is how the frequency of burglaries is increasing and somebody could steal the list of TANs. He even has the nerve to mention that he has no idea why, but some people blame it on the influx of refugees!

Inside I keep going, damn, I don’t have time for that kind of debate, when he explains how that is why they are planning to discontinue offering printed TAN lists around summer next year and people should get used to the photoTAN method. Screw you, methinks, and I do sincerely hope Deutsche Bank is not pushing photoTAN to protect us from refugees who are after our bank accounts. Or else I might have to reconsider my choice of bank. This story was bullsh!t on so many levels.

Yes, printed TANs do not solve every security issue that exists with online banking. But generally speaking, the TAN mechanism as a form of one-time-pad is one of the better ideas people have come up with. It offers a practical form of two-factor authentication where you have to have something and to know something to get access to your account. Somebody can steal your TAN list and without your online banking PIN it is useless and vice versa. The remaining security concerns that do exist largely revolve around (1) man-in-the-middle attacks and (2) a responsible use of TANs / convenience.

Traditional TANs (and iTANs) are agnostic of the kind of transaction. Neither the user nor the bank has a way to ensure the TAN is actually used for the transaction the user intended it for. If somebody can get between the bank and the client, he might be able to catch a TAN that was meant for a 5 € payment and use it to transfer a million to his own account (if you don’t have a set limit for online transactions). Seriously, though, phishing attempts aside, and people clicking on stuff they should not be clicking on and not paying attention, that is a pretty hard thing to do. Presenting me with a webpage that comes from the bank’s domain, has a valid SSL certificate that my browser trusts, gets me through the regular PIN-based login and the whole workflow of ordering a money transfer up to the point where I have to enter a TAN, and still being able to see through the encrypted channel, is something my employer could do on hardware where he controls my browser’s proxy settings. And yes, somebody who similarly pwned my personal computer could do it. But using online banking from a piece of equipment that has been pwned, one way or another, is generally a bad idea. And we will come back to that line of thought.

The other problem with printed TAN lists is, of course, mobility. They are really not intended to be carried around at all times. If you do, the chances of them getting into the wrong hands obviously increase, a lot. As a matter of fact, traditional TANs even lent themselves to being used on the go a bit more than the current iTANs, because you could just copy three or four TANs from the list you kept stored safely at home and take them along on a trip. With iTANs that is no longer possible, because you do not know in advance which TAN you will be prompted for. On the other hand, people are getting used to doing everything mobile, and thus there is the risk of people not using TAN lists carefully enough. But that is just as true for many other forms of TAN, such as mTAN, photoTAN, or whatnot. Like, having an app on your phone to log in to your account which potentially even saves your online banking PIN in a keychain, and then getting an mTAN as a text message to that same phone entirely defeats the purpose of having two-factor authentication. All somebody needs to do after that is to steal the phone. And Deutsche Bank even advertises on their webpage that, if you have both the banking app and the photoTAN app on your device, you do not need anything else. Am I the only one thinking there is something wrong, here?

I get convenience. I mean, I personally feel like convenience is the thing that makes many people on the internet hang the noose around their own necks, but I do get it. I also get how banks want to get rid of having to print those TAN lists and keep mailing them to people. Just don’t try to sell it to me as a security feature. The one-time-pad’s security hinges on the safe channel through which the communicating parties pre-share their keys. And the sealed blackened envelope my printed TAN lists arrive in is something I as a person feel much more capable of handling securely than anything that involves electronic communication. Also the risk of them getting stolen: I don’t carry them around. I keep them tucked away somewhere, at home. And burglars just don’t break into your house and go search for your TAN list. They don’t! They don’t even steal your flat screen television anymore, these days. They want easy cash. Given that, again, I feel a lot more capable of finding a safe spot back home to store my TAN lists than of keeping my mobile devices safe.

And here we’re coming back to the idea of doing online banking from a pwned device. Seriously? After all the recently discovered vulnerabilities, from BlueBorne to KRACK to whatnot, can anybody seriously believe they have enough control over their mobile devices to ensure they are safe to be used for online banking? I may be paranoid again, but micropayments, for all I care, are one thing; access to my one important bank account? I don’t want my mobile phone to play any part in that, whatsoever.

Sure, photoTAN also works with a dedicated scanner device, and I’ll probably opt for that, when they stop offering printed TAN lists. And it will be a little safer, because the TAN will be tied to the actual transaction. But does this, in any way, protect me from the scanner being stolen after it has been activated? Of course not. If that thing gets stolen from my house, I have to call my bank in exactly the same way that I would have to, if my current TAN list gets stolen. So please, Deutsche Bank, if you want to save yourself the effort of sending me TAN lists via snail mail, just say so. Don’t try to tell me you’re protecting me from wicked refugees breaking into my house.
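The difference between the transaction-agnostic TANs discussed above and a TAN that is tied to the actual transaction, as a toy model added here (this is not Deutsche Bank’s scheme and not code from this post): the TAN list, the shared device secret and the HMAC-based construction are assumptions made for illustration, and the point is only that the bank can reject a tampered order when the TAN covers the order’s contents.

```python
import hmac
import hashlib
# Constructed sample values for this toy model (not real bank data).
TAN_LIST = ["483920", "117465", "902314"]      # codes from a mailed TAN list
DEVICE_SECRET = b"constructed-shared-secret"   # key inside an activated reader/app

class ListTanBank:
    """Classic TAN / iTAN model: any unused code authorises any transfer."""

    def __init__(self, tan_list):
        self.unused = set(tan_list)

    def transfer(self, iban, amount, tan):
        if tan not in self.unused:
            return False
        self.unused.remove(tan)   # one-time: the code is burned on use
        return True               # iban and amount never entered the check

def bound_tan(secret, iban, amount, counter):
    """Transaction-bound TAN: keyed hash over the transfer data, as a
    photoTAN-style reader would compute it in this simplified model."""
    msg = f"{iban}|{amount}|{counter}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

class BoundTanBank:
    """The bank recomputes the TAN from the transfer data it received."""

    def __init__(self, secret):
        self.secret = secret
        self.counter = 0          # advances once per accepted transfer

    def transfer(self, iban, amount, tan):
        expected = bound_tan(self.secret, iban, amount, self.counter)
        if not hmac.compare_digest(expected, tan):
            return False
        self.counter += 1         # replaying an accepted TAN now fails
        return True

def tampered_transfer(bank, customer_tan):
    """Customer authorised 5 EUR to IBAN-A; a man-in-the-middle rewrites the
    order to 1,000,000 EUR to IBAN-X and forwards the customer's TAN."""
    return bank.transfer("IBAN-X", 1_000_000, customer_tan)

def demo():
    """(list-TAN outcome, bound-TAN outcome) for the same tampered order."""
    list_ok = tampered_transfer(ListTanBank(TAN_LIST), TAN_LIST[0])
    bound_ok = tampered_transfer(BoundTanBank(DEVICE_SECRET),
                                 bound_tan(DEVICE_SECRET, "IBAN-A", 5, 0))
    return list_ok, bound_ok
```

demo() returns (True, False): the list-based bank accepts the rewritten order because the code is valid and unused, while the transaction-bound bank rejects it because the TAN it recomputes over the altered data no longer matches.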



StrongSwan Client with Ubuntu 16.04 LTS

So, I’m a regular user of public WLAN hotspots, those of Deutsche Telekom among others. Being the paranoid digital self-defense person I am, I’ve been using a VPN service for quite some time now. I recently noticed that my PPTP client setup stopped working at hotspot locations run by Deutsche Telekom that I regularly use, while it still worked from home or some other hotspots I use. I embarked on a journey to teach my Ubuntu laptop some more VPN protocols. OpenVPN worked like a charm with just installing the obvious packages for network-manager. StrongSwan, however, didn’t cooperate quite as easily, due to Ubuntu 16.04 having packages in its repository which are known to not work with the version of network-manager also in that release.

OK, use the source, Luke …

But rather than compile from source tarball and clutter my system with stuff, I found the repositories for zesty have the versions I need. So, I decided to backport that:

  1. Edit /etc/apt/sources.list
    1. uncomment all deb-src lines and insert one line: deb-src zesty main restricted universe multiverse
  2. apt-get update
  3. apt-get install build-essential
  4. mkdir strongswan
  5. cd strongswan
  6. apt-get build-dep strongswan
  7. apt-get source strongswan
  8. export DEB_BUILD_OPTIONS=nocheck
  9. dpkg-buildpackage -us -uc
  10. dpkg -i strongswan-nm_5.5.1-1ubuntu3_amd64.deb libstrongswan_5.5.1-1ubuntu3_amd64.deb strongswan-libcharon_5.5.1-1ubuntu3_amd64.deb
  11. cd ..
  12. mkdir nm-strongswan
  13. apt-get build-dep network-manager-strongswan
  14. apt-get source network-manager-strongswan
  15. dpkg-buildpackage -us -uc
  16. dpkg -i network-manager-strongswan_1.4.1-1_amd64.deb

Then configure as per wiki page.

Now, I only need to find out how to trust the VPN provider’s certificate when their IKEv2 configuration howtos all seem to rely on turning certificate verification off.

