Blackboard Campus IDs: Security Thru Cease & Desist 853
Virgil was there two years ago when Dmitri Sklyarov was arrested and led away in handcuffs at Def Con 9. He's not in handcuffs now, but in speaking to me, he had to stop and think about everything he said, and every third answer was "I really shouldn't talk about that."
The DMCA is largely to thank for that. Section 1201 states that no one "shall circumvent a technological measure that effectively controls access to a work," and that no one "shall... offer to the public... any technology" to do so. Blackboard Inc., whose card system is called the Blackboard Transaction System and known to end users under various names, uses a network of card readers and a central server, and they communicate over RS-485 and Internet Protocol -- using, or so they apparently claim, measures that effectively control access.
For the record, none of what I learned about the Blackboard technology was from him or Acidus after the restraining order was sent. I spoke to other people, who have not been served with a restraining order. Google has a less enlightening mirror of the slide titles from this weekend's PowerPoint presentation and a more enlightening mirror of Acidus's "CampusWide FAQ" from last July. And, most enlightening of all, this mirror has an updated version with details on what they figured out how to do and what their talk was going to be about (click "CampusWide" for the text description, the PowerPoint slides, and Acidus's timeline of the last year).
At many schools, Blackboard's system is the ID: you swipe your card for your meal plan at the cafeteria, to get into your dorm, maybe even to get your final exam.
A swipe at a vending machine will get you a soda -- a money transaction from your campus debit account. When you use a swipe to do laundry and make copies, money has to be involved. Blackboard even notes that they can set up a merchant network on- and off-campus: "a cashless, safe, and secure way to transact on and around campus while offering parents the assurance that their funds will be spent within a university-approved network." (Emphasis added. Maybe readers who go to schools that use such a system can expand on how that system is used.)
The kicker, of course, is that this network is not very secure, or at least Blackboard doesn't think it's as secure as... well, as lawyers. One anonymous Slashdot submitter wrote that: "The authentication system is so weak that [Virgil and Acidus] have been able to create a drop in replacement for the CampusWide network debit card readers used on coke machines on campus."
Virgil couldn't provide me any details about what he had learned about the system. Based on the mirrors, it looks like a man-in-the-middle replay attack -- which is a pretty simple attack, repeating messages sniffed over the RS-485 protocol, or even over IP -- can have effects like convincing a Coke machine to dispense free product. Or, it's claimed, the attacker can create a temporary card, with no name attached, and free money in its account. Hmmmmm.
Or, more ominously, someone else's identification might be sniffed, and then replayed from a security terminal. If a thief gained entrance to a building by sending the message "open the door, my name is John Doe," the real John Doe might be sorely inconvenienced the next morning.
So, if you're a student at a school that uses Blackboard, do you feel more secure now that the DMCA has tried to stop you from learning about its security flaws?
If you're a parent putting money into a Blackboard-based debit account, do you feel more confident of its safety now that this information is ostensibly hidden?
This card system has been installed on many campuses and its roots go back almost twenty years. My guess is that replacing the card-reading hardware would be necessary to improve the security of these devices. Obviously, Blackboard would be hard-pressed to replace thousands of hardware devices at all its locations, even if they'd started in late 2001 when Acidus claims he called to tell them of the flaws he'd found (and "was blown off").
So, assuming that's not possible -- is the DMCA a viable tool to ensure security?
P.S. Virgil tells me that he has a good lawyer. They are scheduled to argue on Thursday that the restraining order not be made permanent. Slashdot will keep you apprised of what happens in our Slashback stories... stay tuned.
P.P.S. Update: 04/15 02:30 GMT by J : Now online are the restraining order, which just lists the six things that Acidus and Virgil are not to do, and the more detailed Complaint. Now that these are available, as Declan McCullagh points out, it turns out the DMCA was only in the lawyers' threatening letter and not considered as part of the Complaint itself. I'm not sure why it would be included in the letter -- some of the language of the Georgia Computer Systems Protection Act is similar, and who knows, Section 1201 might be mentioned later on, as this case progresses. Maybe the lawyers are just keeping their options open. Meanwhile, I love this part of the Complaint:
"Mr. Hoffman openly acknowledges on his website that 'I am a hacker.' His website then defends the process of hacking. See Exhibit B."
I say publish all the details overseas (Score:3, Interesting)
While this may be an inconvenience to students, they can get by without buying coke with a swipe of a card for a while.
No, it doesn't. (Score:3, Interesting)
If we lived in a police state, armed thugs would not tell you, "You can't detail the flaws of our product." They'd just beat the living crap out of you and then go home, kick back, and drink a cold Coors 20 ouncer.
I know a little about this... (Score:5, Interesting)
Re:I say publish all the details overseas (Score:4, Interesting)
Re:Again? (Score:3, Interesting)
Most people in their daily lives aren't directly affected by it (or not to their knowledge at least).
Most of the places that bump into the DMCA right now are the academics. Why? Because they are a bit ahead of the curve, the idea to undstand things is integral to them. Most people though are just consuming the final product, as such they won't be affected for a while.
Wait a bit longer until the product Johnny wants to buy (or an update to a Software he is using) can't be had anymore because the developer wasn't allowed to incorporate the functionality because of the DMCA.
Of course by then the question is if the masses will still care (I bet not).
M.
Is this SLAPP? (Score:3, Interesting)
"Power Point" is a trade mark, not a thing (Score:2, Interesting)
Why so Microsoft centric? does that mean they can use OpenOffice.org "Impress" presentation slides instead? Does that also mean Microsoft can sue the lawers for use of their trademark in their document?
Comment removed (Score:5, Interesting)
Is this the most correct channel? (Score:5, Interesting)
As my good old Uncle Scrooge always said: Work Smarrrrrterrrr not harrrrrderrrrr
Oh no! Not again! (And again, and again, ...) (Score:5, Interesting)
Probably a couple per week until the damned thing is repealed or struck down.
When will the DMCA start getting some media attention outside of
When there are media outside of
The DMCA strikes down a lot of rights that many people hold near and dear. I don't know about the rest of
Your opinion is widely shared.
Re:No, it doesn't. (Score:4, Interesting)
Re:I know a little about this... (Score:2, Interesting)
Re:What about this analogy (Score:4, Interesting)
Amazingly, the people on the other end gave me attitude when I called to tell them that their ATM was broken open - the attitude switched between "it's not my problem" and "you must have done it." At no time did I believe that they were actually going to do anything about it.
Two months later, when I was back in that town, I went to the same ATM, and the lock was still jimmied - it was closed, but obviously broken so that it would be a matter of prying with a screwdriver to open it again. I guess a couple of thousand bucks in cash and whatever private details can be gleaned from endorsed checks and deposit slips are unimportant to bancs of, um America.
not only that (Score:4, Interesting)
my experience with it... (Score:5, Interesting)
It does offer some advantages, for instance, all people could be allowed into the dorms at some parts of the day, but other times of the day only people who live in that dorm could gain entry.
Though there are some interesting caveats
*the first one, which I didn't really know well at the time, is the fact that making a copy of the card is far easier than making a copy of the key. Remagnetizing magnetic stripes is not the hardest thing in the world.
*the campuswide system runs off of ethernet to the AT&T9000 computer which administers everything. If a particular door gets disconnected with the central computer, it's default setting is to pretend like everything is normal, and let everyone in, and it has a cache of swipes which it would then transmit back to the central computer when the connection was restored. That seems like a sensible kludge given the circumstances, given a network failure it would be more sensible to allow all in as opposed to all out, especially at a dorm. (Higher security places would have their door failure mode set to allow no one.) On the other hand, as a security concept, it just bugged me. (this is explained in the powerpoint presentations.)
*my big concern at the time was the tracking and auditing abilities, and it still is. the key system had no tracking and auditing. The swipe system allowed the university to keep a record of when students come into the building (and implicitly, when they go.) I pointed out that Ohio law prohibited a government institution from collecting information which were not authorized by law, nor required to achieve a particular purpose...and that the system need not perform the tracking, it only needed to perform the authorization.
The response I got was that the system was not designed with a zero tracking/auditing setting, it needed to perform tracking and auditing as part of its authentication mechanism. I pointed out that I can't help that the university bought a dumbass product, and I threatened to sue them, but I was young, and I threatened to sue everyone.
I got a letter from the university lawyers saying "While we ourselves certainly hope never to need the archived data -- and, fortunately, rarely do -- it can be of unquestionable value in
investigating incidents in the residence halls. It is for this very reason that similar systems are in use at numerous colleges and universities
around the country."
I've however pointed out that any idiot who was gonna do something in the dorms would do what everyone else does, and that is follow someone who swiped before you, and not swipe themselves.
I still hope to work on this issue at some point.
How dangerous will this get? (Score:2, Interesting)
If someone can gain entrance as John Doe, then they could gain entrance as Jane Doe. But with the intent of harming, raping, or killing someone. Whether its someone unknown or a jealous ex-boyfreind, the court should be focusing on the company that made this and forcing them to fix the problem instead of ignoring the danger it poses to students on campus.
Its been nearly 20 years since I was at college and I remember using a lock system were you had to remember the 5 digit key sequence to get into your room. Thats a hell of a lot more secure than this card system, and its 20 years old.
The best intermediate solution to the DMCA should add a provision that recognizes when violations of the DMCA poses a clear threat to the safety and security of people. Then later they can tear the whole thing down.
A gagged presentation. (Score:2, Interesting)
rob
Re:it's over (Score:3, Interesting)
The same could be said of cameras, chef's knives, wood chippers, and table saws. Does this mean that photographers should live in fear of accidentally creating child pornography, or chefs of accidentally dismembering their lovers? Nope. C'mon, buddy, you've got free will, you may recall. If you're not interested in fighting the laws, then just keep your nose clean. It's not rocket science, and it ain't the end of the frickin' world.
Re:I say publish all the details overseas (Score:5, Interesting)
Re:You Americans should have another civil war.. (Score:3, Interesting)
I think you may have just hit upon the solution for getting the public to notice the problems with the DMCA. What if a researcher found flaws in, say, a city's 911 phone handling system or a medical device of some kind. Those flaws (think Therac-25 [mit.edu] here) would be kept hidden by a cease and desist letter or other legal action. The researcher than goes to the media saying that the device's manufacturer is creating a threat to public safety and hiding behind this law.
Re:well (Score:5, Interesting)
Yes, the possibility with getting slapped with a huge lawsuit and/or criminal charges is pretty scary. Somewhat scarier, on the other hand, is a society where people comply with the demands of other people even though those other people aren't really authorities at all.
Police states are pretty bad. Worse, IMHO, is a people governed by the Will of f*cking Landru...
Re:I say publish all the details overseas (Score:5, Interesting)
A guy figured out how to manipulate the chip on the smart cards used for credit cards. He contacted whatever company makes the cards to try to get them to hire him. They didn't believe him, so to prove his point he bought about $7.00 worth of metro tickets from an automatic distributor.
And then what?
They busted his ass big time. I think it totally destroyed the guy's career, life, etc. Then the company upgraded their encryption...
DMCA how? (Score:5, Interesting)
If it's something within the school, then the makers of the system wouldn't really have a DMCA complaint against researchers; the school (user of the blackboard product) would. (Just as MPAA, not DVDCCA, are the ones who had DMCA complaints when knowledge of bypassing CSS got out. It's the copyright holder of content who gets to use DMCA, not the inventor of a protection mechanism.)
Assuming the blackboard lawyers actually see a way to use DMCA and aren't just trying to intimidate (hell of an assumption), then the copyrighed content must be some artistic expression within the Blackboard system itself, rather than something the system is intended to protect.
If the copyrighted expression turns out to just be the serial number on a card, or something like that, then that would be very (*cough*) interesting.
Re:silly response (Score:3, Interesting)
That's because you're assuming that the goal of the company is to provide a secure system.
The goal of the company is to sell their system.
Even if they fix the security holes, sales are affected by people talking about them.
As long companies do better by covering up rather than by fixing things, they'll keep doing it.
What we need isn't so much a repeal of the DMCA, but tremendously harsher penalties for companies that restrict information.
I.e. if the liability for a security hole was limited to $1,000,000 for undisclosed problems,
but only $100 once you've been informed, there'd be a lot more disclosure.
-- this is not a
I presume Blackboard is a technical company? (Score:3, Interesting)
There sounds like there is enough information in the letter so that somebody that knows what a 75176 is (I would disagree with the assertions in the paper about RS-485's obscurity), can program a PIC or an 8051 and can use an oscilloscope can reproduce the work done by Messrs. Griffith and Hoffman. Along with this it sounds like the readers are connected to standard cabling via standard connectors.
So, the result I would expect from this letter is, 1) it will be put on the Internet for all to read, 2) boxes throughout the different colleges and universities that use the system will be pulled out of walls and vending machines with many of them stolen or vandalized to see what's actually inside them, next 3) The protocol and hardware will be distributed on a variety of web sites (probably ending with
This begs the question on what Blackboard should have done. (next reply).
myke
What a strange filename (Score:5, Interesting)
Re:I say publish all the details overseas (Score:2, Interesting)
How much of a story would it be if the NYT and 60 minutes aren't able to disclose any details?
So you are saying... (Score:2, Interesting)
Re:What a strange filename (Score:5, Interesting)
Doesn't the DMCA have exemptions for this? (Score:3, Interesting)
Why did they desist? (Score:3, Interesting)
1) Get the information they wanted presented to the public.
2) Get media attention
3) Bring the insanity of the DMCA to the courts.
free printing (Score:5, Interesting)
People also spent time sniffing the one card network, but as far as I know no one had found anything interesting yet. this was 4 years ago, so I'd assume the entire thing is solved by now.
Re:Disgusting (Score:3, Interesting)
This is not about protecting the students. This is about Blackboard being too lazy/stupid to fix a flaw that they know about.
Acidus has tried since 2001 to get them to fix this. I'm pretty sure that if I dropped my credit card in 2001 and you told me about it, I would have things fixed by now. By this point, it is obvious that Blackboard is being negligient and is thus putting students at a greater risk.
To put this all in context for you, my school uses Blackboard for our grading system as well as dining services, housing access, etc. I know for one that I am NOT happy about this C&D and feel much less safe now.
On a lighter note, you know the worst damn part about this? We are a stupid Pepsi campus so stealing from the vending machines is pointless!
Re:I say publish all the details overseas (Score:1, Interesting)
I don't even know why BlackBoard bothered with a cease-and-desist. The system is no more insecure than many other systems designed decades ago, despite the insecurities there's been remarkably little fraud, and their new products don't send anything in the clear. If anything, this'll just help them sell upgrades.
Say, maybe they want this publicity...
Re:I say DON'T publish the details AT ALL! (Score:5, Interesting)
My solution is pick one university, find a specific solution, and have about 1000 people get free cokes, free lunches, free access, all on one particular day only. Create a financial incentive, but more importantly a social incentive to open up the conversation.
I am NOT a big fan of breaking the law purely for protest means. (see my many other posts on this subject) However, considering the DMCA itself is a violation of free speech, it may be warranted. Not to rip off large amounts of money, or do serious damage, just nickel and dimed for ONE day where it is OBVIOUS that it is a security breach that can not be overlooked. Then do what you suggested, say you can't tell them how it was done due to DMCA. ('you' being someone who didn't participate but knows how it was done)
My response... (Score:1, Interesting)
2600 Magazine (Score:4, Interesting)
If I can remember which issue it was I'll post it here. If anyone else remembers, feel free to remind me. I remember though it basically showed how with no effort the system can be cracked.
** To avoid DMCA lawsuits, etc. I did not write this article or am involved with it's creation whatsoever. **
Re:How do you know? (Score:4, Interesting)
Look for an AT&T or Blackboard logo on the devices that you swipe your ID through. (Soda machines, POS terminals, dining halls, copy machines...)
My university (University of Missouri) has TONS of these things. And most of them are totally unsecure. The RS-485 lines are there, ripe for the picking. I've seen many soda machines and copiers, many in low-traffic areas, simply plugged into an RJ11 jack in the wall with no conduit protecting it. It's ridiculous.
Re:DMCA how? (Score:1, Interesting)
Books at the school bookstores.
It's the copyright holder of content who gets to use DMCA, not the inventor of a protection mechanism.)
Please read 17 USC 1203 (a) again:
Any person injured by a violation of section 1201 or 1202 may bring a civil action in an appropriate United States district court for such violation.
Re:Can you say 'Ford Pinto'? I knew you could! (Score:3, Interesting)
Can you say "I know they are trustworthy because they trust me."?
Can you say: "The only powers the Governemnt has are those we the citizens GIVE to them" and if we decide to tkae those rights away, there is not much the Governement can do short of starting a MAJOR civil war" ?
It is true that the apathy of the american people is the only thing protecting the government. But you should realize the power lies in us, even if we are too lazy and scared to use it.
Re:1v1 slashdot shibboleths. (Score:1, Interesting)
One one hand, there is the party line that any security / encryption measure CAN be broken, so that social measures are really what's necessary to achieve desired aims.
Wait a minute, you're basing your argument on a false assumption. We're not talking about DRM here. When I get an encrypted CD, I have to get the unencrypted content at some point so I can listen to it. That's what makes it an unworkable system.
The security for this card system is much different. You simply need to authenticate a person and transfer a piece of information to a centralized computer in such a way that it can't be tampered with or replayed.
That's a solved problem, while the DRM solution can never be solved (unless you put a trusted encryption module in people's brains).
What makes these company's actions so shameful is that it is possible to pull parts off the shelf (hardware, software, etc) and put together a workable secure system, but they choose to do things "the easy way" and then not even reveal the details to the public.
In our society today, we are highly dependent on technology and computers. We absolutely have the right to know exactly how these things work.
Imagine you bought a shoddy-built car. You pop the hood and you see exactly what's shoddy about it. So does Consumer Reports and CNN. They all report that the hoses are loose and the gas tank leaks. Another car company comes along and makes a n equivalent well-built car, and people start buying it instead. Free markets and capitalism work their magic because people KNOW what they are buying. They are informed about the products available in the market.
Why can't computer and security systems have the same openness? Well, right now, BAD laws like the DMCA make it possible for these companies to simply "blow off" these kids, knowing full well they can sue them later.
The fact of the matter is...
Ah, my favorite phrase. I hear it all the time on TV talk shows. The more assertive the speaker is that he is speaking "facts", the more subjective and arbitrary they are.
It's also evident that without their information being made public, the security systems do a reasonable job of protecting what they need to protect.
I'm sorry, but if it is possible to make a secure system, they really should make a secure system, and not rely on "wishful thinking".
I guess that's the way it is in this country these days: nobody installs a burglar alarm until they've been robbed, nobody shreds their credit card receipts until someone's taken them from the trash can, and nobody does background checks on people from known terrorist-supporting countries until after they've been attacked. "It won't happen to me", "It can't happen here", "Why would someone want to go through MY trash?", "There's nothing of value on my home computer".
I work in computer security and the first thing I do is try and "cure" people of this belief that "bad security is good enough". If they don't believe me at first, they usually call me up later after they get hacked.
Oh well. Maybe these kids really should keep it to themselves. When I was in college in 1997, we had a card-swipe system to unlock the dorm doors. I figured out a simple way to unlock the dorm doors without my ID card (which I forgot all the time). Each time, I hoped nobody else figured it out and told the school...these days, I wouldn't even think about it, since I have fear of the DMCA.
Just hold security conferences in a safer country (Score:4, Interesting)
Still another fine example of the DMCA at work, protecting the right of corporations to ensure that even the daftest of terrorists can break US security, and stop for a free canteen lunch on the way.
Spend your meal card cash on Beer! (Score:4, Interesting)
At my school, the recently mentioned [slashdot.org] McMaster University [mcmaster.ca], our residence meal plan could be used at local restaurants which had a deal with the Univerisity, like East Side Marios, Pizza Hut, and equivalent places.
Thing was, while they were mainly restaurants, some of these restaurants had bars in them, and we found early on that the system did not discriminate between what one ordered from these places.
So basically, one could use mommy and daddy's meal plan money. I think they eliminated this loophole since my first year, but it was good(by which I mean very very bad) while it lasted :)
Re:Restraining Order (Score:3, Interesting)
18 USC 1029 (Score:2, Interesting)
In this case, as in mine, the card number would be the "access device" and the computer (or even a laundry iron) would be "access device making equipment." Since this is a computer network one would also be well advised to read 18 USC 1030, which deals with computer hacking. Did you ever wonder why the phone company hands out cards in the first place? It was to promote the idea that phone card phracking was the same as making your own Visa card (the original intent of the law.) Why else would they embose your phone number on a slab of plastic when there was never a valid reason to run it through a credit card imprinter?
ID Card "Security" at UCLA (Score:3, Interesting)
After we went public, the admin. apologized, but said this was not a security risk because each student's account was protected by not only that 9 digit (now public) number but also a 4 digit numerical password. This didn't make me feel very secure. The ID + passwd combination was used to add/drop classes, find out grades, administer financial aid, etc.
The cards themselves were made by AT and T; you could put money on them over the web using your credit card, then buy food, etc.
DMCA is worthless (Score:2, Interesting)
So, in effect, DMCA really didn't do anything. Actually DMCA made it worse, since this information probably wouldn't have shown up on
The DMCA just fucked itself. Should have just kept DMCA out of it, let the news lauch quietly, then the owners of Blackboard could have announced a "patch" a week later. Even if there wasn't a patch some people wouldn't bother attempting to hack the system after hearing a patch was made.
Tried that, went to jail. (Score:5, Interesting)
In 1997, after four years of research, a French cryptographer, Serge Humpich, found a flaw in the widely used French smart card, which requires owners to type a PIN on a payment terminal for all credit card and ATM transactions. He found that 1.the PIN was verified by the chip on the card, 2. some terminals didn't really check what chip they were talking to, and 3. If the chip told the terminal "yes, the PIN is right", the terminal would blindly accept the confirmation and allow the transaction. Such a card is called a "yes-card"
Humpich contacted the Carte Bleue consortium, an association of 200 banks managing the French smart cards, and told them about the flaw. They refused to believe him. So he made a yes-card out of spare parts and went to a Parisian metro station. There, he bought a few metro tickets and send them, along with the payment receipt, to the Carte Bleue people. They immediately contacted the police.
Humpich was arrested in September 1999 and jailed for several months. In 2000, he was given a suspended 10-month jail sentence and a $2600 fine. All his equipment and documentation was confiscated. Now he has a criminal indictment that bars him from a number of jobs.
Of course, the French and US laws are different. But if anything, I suspect a US court will actually be harsher, especially now that the DMCA has been used in several precedents. Heck, the DMCA makes it almost mandatory to jail you if you figure out a way to program your VCR without reading the obviously encrypted documentation!
So I really don't think it's a good idea to show the problem exists. Blackboard knows, the people who selected them as a supplier know, and if you show them that they're effectively slobs, they'll crush you to cover their asses.
Re:I say publish all the details overseas (Score:3, Interesting)
GT Buzzcard flaws (Score:1, Interesting)
You don't even have to try and hack the buzzcard system. A few friends of mine discovered that certain Clayton College and State University id cards (same Blackboard system? I don't know) can be swiped in Georgia Tech vending machines. Apparently, whoever last used their buzzcard on the machine gets charged. GT doesn't lose any money on it, but students can get screwed. Hence why I keep $20 on my card now instead of $200.
Bad Company (Score:1, Interesting)
We run Blackboard LS 5.6 at the institution where I work, and I can honestly say that they are the worst company I have ever had to deal with. Not only is the customer support useless and they fail to deliver ALL products on date but when they do claim they have a fix (as posted in their own knowledgebase) they send an excuse and say that they made a mistake and the bug still exists. If it wasn't for the fact that we have been using the system for two years know I'd say stuff them and keep the 2 x $50000 we are paying them PER YEAR!!!
Cheers
Re:Duh... (Score:3, Interesting)
And, according to the story, they did that and... THE FUCKING COMPANY BLEW THEM OFF when they told them about the flaw months ago!
So... what do you do then? The company doesn't want to hear that it has an insecure product. And people are still using the product as if it were secure.
What do you do then? Simply shrug your shoulders and say, "Well, I tried to tell them. Let others worry about it, now." It's a sad fact that most people would actually do this... they are afraid of sticking their necks out for this very reason... it gives a very nice target for the lawyers' guillotines. Amerikan citizens have turned into domesticated puppies.
But the people that are willing to stand on principle... they are the unfortunate target of the DMCA: people that are actually tring to do the right thing!
I think the fact that this can happen is a sad state of affairs in the United Coporate States of Amerika.
Re:No, it doesn't. (Score:3, Interesting)
You alreay do live in a police state. Welcome to the real world.
Nazi Germany, which my grandparents and the older ones among my aunts and uncles lived in and can still talk about, was a police state. I guess you'd agree with that. It had thugs, sure, and beatings, sure, but most of the oppression in the first years of Nazi Germany was done through laws and intimidation.
Nazi Germany is known for its slaughter of its German-Jewish population, but they didn't go for that right from the start. First, they stripped the Jews and other unwanted individuals such as communists and members of the opposition from their jobs, their offices, their personal belongings, etc. It was a subtle step-by-step way of humiliating them, to take away their rights as citizens of a formerly democratic country. Because the Nazis could. Through laws.
Remember that while there was a majority of Germans who supported Hitler (I know that my grandparents were Nazis, and I'm not exactly proud about it), the German population was nonetheless afraid of being the next ones the state put an eye on. State-organzied neighbourhood watch was an easy method of intimidating the population into following party orders. Suddenly, your neighbours could turn you in, and the laws were broad enough that simple things became violations of the law. At some time it was forbidden to listen to non-German radio and news. Older Germans still talk about how afraid they were each time they listened to news or jazz music on the BBC, afraid that some neighbour might tell the police about it.
Watching what is going on the United States right now is a very frightening thing for someone who has a personal perspective on fascism.
I consider the US a great country and a great concept, I have the highest respect for the US, but never have I been more afraid of your government than now. The laws and rules that your government is putting into effect now - with surprisingly little complaining by the general population - is indeed the road to a police state. You're already halfway there, and it is getting worse.