Domain: robertgraham.com
Stories and comments across the archive that link to robertgraham.com.
Comments · 48
-
Ever Heard of Carnivore?
Ever heard of the FBI's Carnivore and its litigation??? This has been happening for a long, long time. In today's modern and small planet you cannot expect privacy even inside your toilet. Somebody is already out there.
-
Re:You can't own Data.
The proper checks and balances are in place via a search warrant.
To think that criminal communication wouldn't be encrypted is naive. Given that, why extend law enforcement's powers, other than to allow them to snoop where they clearly don't belong.
If they have a judge's blessing, it's simple enough to place a keylogger. So if it's reasonable to expect that communication to be encrypted, and if there are already tools, to perform surveillance on unencrypted communications.
If you look at this and this perhaps you'll consider changing your viewpoint?
Canadians would appreciate it, as we'll undoubtedly be pressured into the same costly (both in dollars and in freedom) legislation up here.
-
Re:Good for them.
Hackers lexicon
And it says:
"Controversy: The computer-enthusiast community does not like using "hacker" to describe malicious people; they prefer "cracker". The security-community restricts the use of the word "cracker" to someone who breaks encryption and copy-protection schemes.
Consequently, a journalist who writes about cybercriminals cannot use either word without hate mail from the opposing community claiming they are using the word incorrectly. If a journalist writes about hackers breaking into computers, they will receive hate-mail claiming that not all hackers are malicious, and that the correct word is "cracker". Likewise, if they write about crackers breaking into computers, they will receive hate-mail claiming that crackers only break codes, but it's hackers who break into systems. The best choice probably depends upon the audience; for example one should definitely talk about malicious crackers in a computer-enthusiast magazine like Linux Today."
This is one I've always been confused about too. But I reckon I'm on the side of "Crackers".
-
why it is so hard to find the right analogy
In normal tort and contract law, there is a notion of 'reasonable' behavior and well understood 'duty.' Not so here. Thus, attempts at analogy do poorly.
In the 'real' world, it's clear who is supposed to do what. And if everyone is a good citizen, then everyone is pretty safe.
Example: If I sell you a sandwich, I have a duty to not poison it. I even have a duty to take reasonable steps to ensure that other people don't put poison into it. For example, if I saw someone lick it and put it back on the counter, it's reasonable to expect me to throw it away, and not resell it (and for me to get the perpetrator to pay me for it).
But that duty has reasonable limits. It is not reasonable to expect me to erect Fort Knox level security around my store, just to keep people from breaking in at night and adulterating the sandwiches.
These simple concepts apply to millions of practical applications, from product liability involving millions of consumers to simple traffic accidents. A few simple rules can actually implement a lot of what is required by 'common sense' or 'justice' or 'fairness' (thus, tort law is pretty efficient code).
But these concepts -- and hence our analogies -- don't apply well to the internet, for two reasons. First, there is a notable lack of consensus as to what the duties of each party should be. Second, we have not identified what duties will actually protect us. As Graham and Staniford, Paxson, Weaver have pointed out, the palliative 'we all have a duty to keep everything patched' does not really help with fast worms. Even with a lot more patching going on, we remain very vulnerable to fast worms.
So, even if we are all good citizens, bad things can still happen (like expensive bandwidth being consumed by a fast worm). Thus, normal tort analogies will fall short. There are some extraordinary tort analogies that might work, like who pays for what after a tornado or other Act of God. (Your cow flew through my window, who pays?) But even those will rely on consensus views of what constitutes 'reasonable precautions' - views that have been forged over generations and generations. So that will take time.
In the meantime, we should consider new public services to protect society in ways that mere 'good citizens' cannot - like we do with epidemics, fires, and other Acts of God. Staniford, Paxson, Weaver have proposed a CDC of cyberspace. Seems like a very good idea. -
Hmmm... possible problem...
So... in the spirit of hacking and getting cool military surplus stuff, you do this.
Get one of the food patches discussed on here a while ago, and hack it to include some of these.
Instant success. Really. Really you won't die. Oh yeah IAMAD (doctor) or anything. Really, my knowledge of the human body is limited to the parts that give me pain. So try at your own risk :)
-
Re:Warning
A 10baseT patch cable with the TX wires clipped will get you a whole lotta nothing because the TX wires are used for heartbeat signals. You need to corrupt the outgoing frames instead, which is a PITA.
The easier method is to use a 10 Mbit AUI adapter with the TX pins cut. You can probably even find a 10baseT -> AUI adapter at a computer junk shop for a buck or three.
For more about creating a receive-only ethernet adapter check out http://www.robertgraham.com/pubs/sniffing-faq.html#receive-only or read up on Antisniff (weird, I can't find anything about it on @stake's site).
-
Carnivore?
Isn't this what carnivore is already doing?
-
No it doesn't
This doesn't leash Carnivore. The creator doesn't understand Carnivore.
First of all, the FBI gets a warrant for the DATA. If the ISP is unable to get the DATA themselves, the FBI can then insist that they install the Carnivore box. On the other hand, courts have ruled that if the ISP can indeed get the data, then Carnivore isn't needed.
Second of all, the reason the FBI created Carnivore was because existing tools could not get the data. This encryption device is based upon existing tools, and therefore does not help get the data at all. For example, if the warrant requires the ISP to deliver copies of the suspect's e-mail, this device cannot do it.
Third, people persist in believing that Carnivore is a keyword search engine like the rumored Echelon. This is false: no judge would grant a court order allowing the FBI the ability to search for keywords. (This encryption device is based upon a keyword search engine). A typical court order would be one that allows the FBI to get all e-mail to/from a named e-mail account. Another example would be a lesser court order allowing the FBI to record the e-mail addresses to/from the specified account, but not the contents.
I have written a Carnivore engine that has previously been written up in /. It, and a Carnivore FAQ, is at: http://www.robertgraham.com/altivore/.
-
Re:The Enigmail Plugin
I've been submitting bug reports and suggesting improvements to Enigmail for a few months now and I like it a lot!
One great thing about it is that it is a cross-platform solution. I can use it under WinBlows and linux; both with GnuPG and the same keyring. <grin>
One thing I like the sound of is Herbivore. Putting transparent, seamless and automatic encryption and signing into MUA's is the best solution to problems like Carnivore.
I urge people in light of the recent "demise" of PGP to lend their time & support to projects like Enigmail and Ägypten. Even if all you do is report bugs or make suggestions for improvements you'll help with getting these products ready for non-geek end users.
Come on guys & gals! Pitch in!
Craig.
-
Randomizing your NYTimes FreeReg Login
Found this page, it's a 'keeper':
Random NYTimes login form
The online New York Times site (http://www.nytimes.com) requires registration in order to access the site. However, I keep forgetting my registration information. Therefore, I have created this page to help me re-register. This webpage uses JavaScript to randomly fill in a form with new information.
-
NAT usually directs DNS requests from ports 1024
Found in a basic FAQ about firewalls at www.robertgraham.com:
Q: I've seen many DNS requests from many low port numbers below 1024. Aren't they supposed to be reserved? Aren't they supposed to use 1024-65535 range?
A: These are coming from machines behind NAT firewalls. A NAT doesn't necessarily have the concept of reserved port numbers.
Maybe they only have to examine the DNS packets looking for source ports below 1024? -
Key points
The ruling centers around the question whether this was a wiretap of the phone line. The FBI had search warrants to obtain the passwords, but they did not have a wiretap order for his phone (Scarfo used AOL dialup). Thus, if the keystroke monitor was active while he was chatting on IRC, then it would be the equivalent to a phone wiretap of his AOL communications.
In order to combat this, the FBI designed their keylogger to go inactive while the modem was connected. I still have some lingering questions about this. E-mail is asynchronous. With many e-mail services (Eudora, Outlook, and AOL), the underlying software lets you compose e-mail offline and store it to disk, automatically transferring it at a later date. Personally, I compose a lot of my e-mail when my computer is offline -- these days, I spend half my time on airplanes, it is when I get the most e-mail written, I sync when I land at the next destination.
Another worrisome trend is that the hearings were "ex parte in camera" -- meaning in the judge's private chambers without the presence of defense attorneys. The FBI claims the details must remain a secret for national security reasons. The defense attorneys are only provided a sanitized summary of the keylogging features, not the full details. This is worrisome because it prevents the public from understanding the details of what is really going on. As we saw in the Carnivore case, the FBI was free to define its own boundaries. For example, when Carnivore grabs e-mail summaries, I would interpret the court order as allowing capture of only the SMTP "envelope" containing the TO/FROM addresses -- the FBI interprets this as capturing the full e-mail headers. I think this is a gross violation of civil liberties, but there is no way to challenge this. Likewise, the keylogger details may show similar gross violations of civil liberties, but the FBI hides behind its cloak of "national security".
The thing is, there are no important details to keylogging. You can go to http://www.keyghost.com for your own hardware-based keylogger, or you can download numerous keyloggers off the Internet. There are some difficult problems. For example, PGP 6.0 introduced a keyboard driver that intercepts your keystrokes: when you type your password, this driver routes them around Windows. Thus, while it appears that you are typing in a dialog box, this is only an illusion. Standard software keyloggers for Windows will not capture the passwords. (This is why PGP 6 doesn't work well with Win2k -- it doesn't have the power management features, so it prevents Win2k from going into "suspend/hibernate" mode).
Anyway, I'll be posting some more detailed analysis later this month on my personal website. In addition, I'm providing a $10,000 bounty for anybody PC containing an "interesting" keylogger -- maybe one from the mafia doing industrial espionage, maybe one from the FBI, I don't care. I'll be posting the full details to my website (http://www.robertgraham.com).
-
Cyberanarchy papers
You may find it boring, but here are some of my cyberanarchy papers: http://www.robertgraham.com/cyberanarchy/. I put a lot of work into the speaker notes for this presentation.
-
firewall-seen.html
Check out the FAQ at http://www.robertgraham.com/pubs/firewall-seen.html. It explains a lot of the detritus that washes up on the shores of firewalls.
-
nah, install from source..
grab it here http://www.robertgraham.com/altivore/
-
Deredoc
http://robertgraham.com/tools/deredoc
Source compiles on Windows and Linux, binaries available, works with libpcap, can respond back to a range of addresses.
BTW, this technique has been used since the early-1990s (i.e. I wrote a plugin for the ProTools sniffer that did something like this).
-
I've done some of this
I created a program that automatically checked for the backdoor upon receipt of a /default.ida attack (/scripts/root.exe?). It didn't work: the CodeRedII worm is DoSing itself - after enough reinfections, the server stops being able to respond with requests.
As a more casual defense, I've written stuff that causes the worm to hang in its receive function: http://robertgraham.com/tools/deredoc. It's kind of fun, I've got hundreds of worm threads waiting for me to respond back to them.
You can create benign anti-worms. You can setup a worm to only counterattack when attacked itself. Such a worm would not bother innocents, and would only spread to infected systems, cleaning as it went. In other words, it wouldn't be 'scanning' -- it only responds upstream to infected systems. There are two problems to that approach: the first is that CodeRedII self-DoS itself, so the systems cannot be exploited, either with the .ida attack or the backdoor. The second problem is that a heck of a lot of these systems are behind firewalls, and you cannot directly contact them on port 80 (CodeRedII has been extremely effective about worming its way around firewalls).
You can evade legal constraints. Post the source of your anti-worm to Usenet as an example how an anti-worm is constructed. This is legal free-speech -- as long as you don't encourage others to run it.
CodeRedII is raging inside corporations. It would be extremely ethical to put something on your own machine to help stop it. One example would be a script (CGI, PERL, PHP, ASP) named /default.ida on your system that did something like "/scripts/root.exe?/c+net+stop+w3svc" back at the attacker.
-
The ASN.1 faithful just don't get it
Preface: I've written parsers for ASN.1 (esp. SNMP MIBs, but also generic), BER/DER (same thing), PER, HTML, XML, and while we are at it, XDR and CORBA IDL. I've written a BER decoder that can decode SNMP at gigabit/second speeds.
There are a vast number of differences between ASN.1 and XML. To think that ASN.1 is in any way related to XML demonstrates that they just don't "get it".
1. Why not XDR or just raw binary?
Why not just specify your own binary format for your application? The thing that the ASN.1 bigots don't understand is that in most real-world applications, the ASN.1 formatting provides only overhead but no realworld value. This happens in XML, too, but the value proposition for XML is much clearer. A good example is the H.323 series PER encoding which is just plain wrong: well-documented custom encoding would have been tons better.
2. DTD or no DTD
The ASN.1 language is essentially a DTD; it gets encoded in things like BER. The trick is that I can parse "well-formed" XML content without knowing the DTD. This is impossible with current ASN.1 encoding. The idea of DTD-free "well-formed" input and DTD-based "valid" input is at the core of XML. Yes, both ASN.1 and XML both format data, but proposing ASN.1 as being a valid substitute means you just don't grok what XML is all about.
3. Interoperability
The Internet grew up in an environment that parsers should be liberal in what they receive. This was important in early interoperability, but now is a detriment. For example, it is impossible to write an interoperable HTML parser. XML took the radical zen approach of mandating that any parser that accepts malformed input is BAD. As a result, anybody writing a parser knows the input will be well-formed. There is one-and-only-one way to represent input (barring whitespace), so writing parsers is easy. ASN.1 has taken the opposite approach, there are a zillion ways to represent input.
As a result, non-interoperable ASN.1 implementations abound. For example, most SNMP implementations are incompatible. They work only "most" of the time. Go to a standard SNMP MIB repository and you'll find that the same MIB must be published multiple times to handle different ASN.1 compilers.
The long and the short of it is that ASN.1 implementations today are extremely incompatible with each other, whereas XML libraries have proven to be extremely interoperable. Right now, XML has proven the MOST interoperable way to format data, and ASN.1 has proven to be the LEAST.
4. Bugs
Most XML parsers have proven to be robust, most ASN.1 parsers have proven to be buggy. You can DoS a lot of devices today by carefully crafting malformed SNMP BER packets.
5. Security
You can leverage ASN.1's multiple encodings to hack. For example, my SideStep program shows how to play with SNMP and evade network intrusion detection systems: http://robertgraham.com/tmp/sidestep.html At the same time, ASN.1 parsers are riddled with buffer-overflows.
Anyway, sorry for ranting. I think XML advocates are a little overzealous (watch carefully your possessions or some XMLite will come along and encode it), but ASN.1 is just plain wrong. The rumor is that somebody threw it together as a sample to point out problems, but it was accidentally standardized. It is riddled with problems, it should be abandoned. An encoding system is rarely needed, but if you need one, pick XDR for gosh sakes.
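Added example, not part of the comment above and not SideStep's code: a strict reader that rewrites every BER length field in its single shortest (DER) form and reports each field that was not already minimal, which is the normalization an IDS has to do before matching on packet bytes. The two SNMP GetRequest byte strings are constructed for this illustration, and the reader assumes single-byte tags and definite lengths only.

```python
# Added example: strict BER length handling for an IDS or SNMP front end.
# Assumptions: single-byte tags, definite lengths only, sample bytes constructed.

MAX_DEPTH = 32        # refuse pathological nesting instead of recursing without bound
MAX_LEN_OCTETS = 4    # a length needing more than 4 octets is not a real packet


class BERError(ValueError):
    """Raised for input that a strict parser must reject outright."""


def read_length(buf, pos):
    """Decode the length field at buf[pos] -> (length, next_pos, is_minimal)."""
    if pos >= len(buf):
        raise BERError("truncated before length octet")
    first = buf[pos]
    pos += 1
    if first < 0x80:                       # short form is always minimal
        return first, pos, True
    count = first & 0x7F
    if count == 0:
        raise BERError("indefinite length not accepted")
    if count > MAX_LEN_OCTETS or pos + count > len(buf):
        raise BERError("bad long-form length")
    value = int.from_bytes(buf[pos:pos + count], "big")
    # DER allows long form only when the value needs it and has no zero padding.
    minimal = value >= 0x80 and buf[pos] != 0
    return value, pos + count, minimal


def encode_length(n):
    """Encode n in the one form DER permits."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def normalize(buf, path="", findings=None, depth=0):
    """Re-encode all TLVs in buf with minimal lengths.

    Returns (normalized_bytes, findings); each finding is
    (path_to_element, hex_of_the_non_minimal_length_field).
    """
    if findings is None:
        findings = []
    if depth > MAX_DEPTH:
        raise BERError("nesting too deep")
    out = bytearray()
    pos = 0
    index = 0
    while pos < len(buf):
        tag = buf[pos]
        if (tag & 0x1F) == 0x1F:
            raise BERError("multi-byte tags not handled in this example")
        length, body, minimal = read_length(buf, pos + 1)
        end = body + length
        if end > len(buf):
            raise BERError("element runs past its container")
        here = f"{path}/{index}:{tag:02x}"
        if not minimal:
            findings.append((here, buf[pos + 1:body].hex()))
        content = buf[body:end]
        if tag & 0x20:                     # constructed: normalize the children too
            content = normalize(content, here, findings, depth + 1)[0]
        out += bytes([tag]) + encode_length(len(content)) + content
        pos = end
        index += 1
    return bytes(out), findings


# Constructed SNMPv1 GetRequest for 1.3.6.1.2.1.1.1.0, community "public".
CANONICAL = bytes.fromhex(
    "3026" "020100" "0406" "7075626c6963"
    "a019" "020101" "020100" "020100"
    "300e" "300c" "0608" "2b06010201010100" "0500")

# Same message; two length fields use long form where short form is required.
VARIANT = bytes.fromhex(
    "308128" "020100" "04820006" "7075626c6963"
    "a019" "020101" "020100" "020100"
    "300e" "300c" "0608" "2b06010201010100" "0500")

if __name__ == "__main__":
    der, found = normalize(VARIANT)
    print("same message after normalization:", der == CANONICAL)
    for where, field in found:
        print("non-minimal length at", where, "field", field)
```

A byte signature such as `04 06 "public"` matches the normalized output but not the raw variant, so the findings list is itself a useful alert: well-behaved SNMP agents have no reason to send non-minimal lengths.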
-
Not that Theoretical - Mitnick did just this
Unfortunately I do not have my source, but if I remember right Mitnick did a smurf just like this to execute a blind man in the middle attack.
It was a case of IP spoofing against Shimomura. While he couldn't see results (IP spoof after all) the ability to guess ISN's allowed him to play the role of one of the computers involved in the transaction.
Not my original source, but it does make mention of the story
-
Re:I think @HOME is blocking Port 31337 as well.
Check here for other commonly trojan'ed ports.
-
Re:DHCP? Yes. Changing IP? No.
Sunrpc is remote procedure call, which is a VERY DANGEROUS service to leave open. It is used primarily for NFS(Network Failure^H^H^H^H^H^H^ile System)and NIS(Network Information System), which is basically the same as windows file shares. Usually you don't have NFS mounts available by default, but on some systems you might. Yes you should learn about IP chains. Here is a great site that will custom-build you a firewall on the fly. Firewall Forensics is also a great page to find out what port scans are looking for. Be careful, I see quite a few scans for RPC in my logs, if you leave it open, you will be compromised sooner or later.
Enigma -
Re:It's true, what goes on "out there" is horrendo
If you can't differentiate between a ping request and a portscan, maybe you need to read up a little on TCP/IP. Here is a great place to start: The firewall forensics page It is chock-full of commonly scanned ports (and tasty goodness!).
Enigma -
Some experiences I've had
You can't avoid lawsuits in America; don't pretend there is a magic pill that will solve your problems. As for monitoring e-mail, there are no good standards yet. You cannot monitor all e-mail, but if an employee comes to you with a harassment complaint, you had better be prepared to start monitoring the offender's e-mail.
I've documented similar experiences at: http://www.robertgraham.com/pubs/firewall-pr0n.html
-
Re:And when this goes mainstream....
- (does this sort of low-tech communication still have a place in today's espionage?)
IANASA, but there's an infinite number of covert channels available via the internet that would allow for instant communication that's almost undetectable, so I don't know why they wouldn't use something in meatspace that's slow and more detectable.
-
Re:*sigh* - use cables with Tx lines snipped
I agree that anyone who is knowledgeable and wants to remain undetected can probably do so. My warning wasn't addressed to the hackers/crackers out there (who, after all, don't need me to tell them about the dangers) but rather those who out of curiosity might run out and install this software on their work machine running, for example, Win98. If their network administrator suddenly notices that they're sniffing the local net, there are going to be some questions asked. And legitimately so. There are a number of ways, some easier to implement than others, to tell when there's a packet sniffer on your net. For a list, take a look here (scroll down to 2.5 - "How can I detect a packet sniffer?").
-
Sniffing FAQ
A great resource that I refer to a lot:
Sniffing (network wiretap, sniffer) FAQ
-
Security Course Offerings and Resources
There was a recent post on regarding security courses. The poster was kind enough to reply back to the list with a list of responses to his question. I've included some of that list below.. my hands hurt from typing all day, so I don't feel like typing out the rest. Maybe I will tomorrow..
http://www.isc2.org/
http://www.brainbench.com/
http://www.robertgraham.com/
http://www.r00tabega.com/
http://www.sans.org/
http://www.csc.com/
http://www.ey.com
http://www.securityfocus.com/
http://astalavista.box.sk/
http://neworder.box.sk/
http://blacksun.box.sk/tutorials.html
http://www.prosofttraining.com/
Don Head
Linux Mentor -
Philosophy?
I believe that nobody influenced me as a child (each of my parents refuses to take responsibility, claiming that I was raised by the other :-). But thinking things through, I must admit that HHGttG did fundamentally alter my thinking in a zen-like fashion. From the koan of the Answer=42, the social-engineering hack of knowing where your towel is, to the self-awareness that my unease that something important is going on that I'm not aware of is just natural paranoia (everyone has that). I mean, the majority of readers of Slashdot have extreme paranoia about the role of government/big-business/big-religion ruling our lives, but your description of who really runs the galaxy gives me a much more laid back attitude.
It seems that you just tossed out the most outrageous things you could think of, and are amused that people read more into it than is there. But, can you cite any philosophical influences of your work? Zen? Nietzsche?
-
Re:Simulated environment is not a good idea
2. Isn't a honeypot considered entrapment?
No. Here is a good explanation.
Some good links on the subject:
http://www.robertgraham.com/pubs/network-intrusion-detection.html#11
-
On religious wars and a plea for peace
Just the other day, some user sent me e-mail about how our personal-firewall product had been "cracked". The user thought this meant that somebody had found a way of penetrating the firewall, when in reality it meant somebody had found a way to pirate the software.
The confusion stems from ESR's guide. He insists that the proper word for cybercriminal is "cracker", not "hacker". This is true in the geek community, but it is not true in either the general community or the security community. In the security community, the word "crack" has specific connotations about breaking passwords and/or copyright restrictions.
Journalists who use the word "hacker" to refer to the recent DDoS attacks get flames from nerds insisting that they use "cracker". When they use "cracker", they get flames from security people who tell them what an idiot they are for using the wrong word since no passwords were cracked in these attacks. Most journalists I know try "cracker" a few times before they get sick of the complaints from the security other side. They also realize that their audience (the general population) just doesn't understand the word cracker as well as hacker.
I only post this because I'm tired of religious wars on the "meaning" of words. Words don't have any particular meaning; there is only what people understand when they hear a word. By creating a dictionary that defines a word contrary to how most people use it, ESR is perpetuating a religious war.
One might want to consider this alternate definition of "hacker".
-
On-line IDS info
You should check out the IDS FAQ. It has tons of easy to understand, but technical information. The site has a bunch of other infosec information.
-
technology of wiretapping
I noticed that most of the replies were long on paranoia but short on details.
First of all, there already is a wiretapping standard called RMON. In particular, RMONv2 provides most of what law enforcement would want. RMON allows filtered packet capture, so it would be easy to configure the system to filter for a specific IP address and shunt it over to a buffer. One could easily monitor dialups this way. RMONv2 allows for fairly efficient monitoring (in its alMatrixTable) of source-destination address pairs along with an identification of the protocol (Something Japan requires, and which could easily be used to track down hackers who attempt to bounce attacks through chains of machines designed to conceal the true source).
A non-RMON solution would presumably copy packets destined to a certain IP address to be copied to another location. Presumably, this would entail simply encapsulating the IP packet inside another and shipping it off to FBI headquarters.
It seems interesting that most /.ers are against it. It seems that natural geek paranoia is winning out over geek superiority. I generally would support it, simply because I use encryption, but I know that stupid people don't. Stupid criminals really annoy me, and such constraints have no effect on ubergeeks who use encryption anyway.
Finally, there is a really good FAQ on the technology of wiretapping at: http://www.robertgraham.com/pubs/sniffing-faq.html. The information in this document could help you wiretap your own network and spy on your neighbors, though of course such activity is completely illegal and I would never encourage it.
-
Intrusion Detection FAQs
If you are interested in this book, you might like the FAQs on my site. These documents describe intrusion detection in detail, and are really useful in "forensics", studying the evidence of the attack.
Network IDS FAQ
This document explains how network intrusion detection systems work and how to use them.
firewall-seen FAQ
This document answers the age old question "I'm seeing XXXX on my firewall, what does it mean?". It also applies to intrusion detection systems; it describes today's most common attacks, why the attacker is doing them, and which ones may be false-positives.
Sniffing/wiretap FAQ
Describes how "sniffing/wiretap/eavesdropping" works, which is the technology that IDS is based upon. Also describes how to analyze packets in detail, because when you get attacked, you NEED to be able to pull out a protocol analyzer and look at the attack.
-
Eavesdropping and sniffing
Check out this link: http://www.robertgraham.com/pubs/sniffing-faq.html#airport.
The upshot is that it looks like most people won't/can't encrypt their data so that we can walk around with notebooks sniffing everyone else's connections. There are several companies building Internet-connected base-stations in airports charging connect-time to surf the web (I just got back from Atlanta which had one). Instead of paying them, you can have fun sniffing what everyone else is doing.
-
Philosophical argument
I'm surprised that people aren't looking at this from the philosophical side. Nobody has questioned the philosophical basis behind the right of government to tax.
I'm not sure what other people feel is the philosophical basis for taxation. It seems to me perfect taxes are basically usage taxes: what you pay exactly matches the benefit you get. For example, rich people should probably pay for police protection because they have more to lose in a theft. Another philosophical basis might be to "adjust" society to be more like one we would like to live in (i.e. we don't like others around us to suffer in poverty). Combining those two means we'd prefer gasoline taxes to toll roads, for example (we don't want usage toll booths every mile, and gasoline taxes approximate the benefit AND encourage lower pollution etc.).
For example, if I go to the local store and buy something, the local government probably has the right to levy a sales tax. It maintains the roads I use, it provides police protection, etc. However, when I buy from the Internet, the local government is much less involved. Does my city or state government have the right to tax transactions at the same rate as before? (BTW, the federal government is much more involved, i.e. tracking hacking, fraud, and the lot, but they don't see the money).
Currently, taxes are pretty much a blunt instrument. In the above example, much of what I pay for in the sales tax isn't related to the transaction, but the theory is that it "correlates". Richer people benefit from government services such as fire protection on more expensive homes, and they tend to buy more. Therefore, we think it ok to charge a "fee" for the transaction even though the "benefit" has nothing to do with the transaction.
From this perspective, the government currently subsidizes Internet transactions. The FBI tracks down credit card fraud, which effectively lowers your credit card fees, but you don't pay for that protection. Likewise, shipping your books from Amazon.com creates wear-and-tear on the roads, but you don't pay for that.
Personally, I like the idea of a tax-free Internet zone precisely because taxes across international borders get difficult. For example, the company I work for sells a $39.95 product that we've sold over the net to Europe, Canada, Asia, South America, etc. We simply cannot handle a country-by-country tax problem. It would cost much more than $39.95 to sell a single copy to Venezuela, for example. Direct Internet taxation will stifle lots of business activity.
As a consequence, I'd like to search for other ways to indirectly tax Internet transactions. A fuel tax springs to mind (which I like for other reasons) to tax shipments. A credit-card tax would also be a good thing (since the government is already subsidizing credit card transactions anyway). In other words, rather than stifle all the small businesses which aren't equipped to deal with the taxes, why not shift the burden onto the big companies that can?
Anyway, those are my thoughts.
-
I'm an incompetent CTO, too.
I, too, am a CTO. On the other hand, I've been on the cusp of being fired at every job I've had. I've been a conceited, arrogant, SOB, and those were my good qualities. Sure, my technology prowess in my field is second to none (oops, being conceited again :-), but that doesn't mean I'm as effective at my job as I could be.
A lot of posters to Slashdot have the same qualities :-) A lot of it is simple "maturity", younger people rarely have it, but usually think they do. Another part of it is understanding a concept from another person's point of view, which few geeks are willing to do.
Business reasons are often like peacock feathers: utterly stupid and wasteful from any logical perspective, yet somehow evolution seems to favor them. Businesses that survive do things in a "business" manner. Geeks in a business environment are always telling management how stupid they are for putting such big feathers on a peacock, when better solutions exist. And geeks know they are absolutely right, thus the problem.
Marc was simply one of those geeks (making assumptions by extrapolating from my own experience). BTW, so were Steve Jobs and Bill Gates. Jobs got pushed out of Apple for much the same reasons. In Jobs' case, he conflicted with management until he was pushed out. It wasn't an issue if Jobs was right or wrong, only that his geekness made him incompatible with those who ran the company. However, once geeks like Jobs and Gates start running the place, they actually prove that their non-business-practices have merit.
The problem for geeks/nerds everywhere is that business is much like the military: to become a leader, you have to prove that you are a good follower, even though those two skills aren't directly related. For geeks to get into a position of power (in order to implement the ideas that they know are right), they have to stop being so difficult and arrogant, even when it is obvious that management are idiots.
Of course, OpenSource often does an end-run around business, but it doesn't mean you'll get the $$$ or the babes going that route :-)
-
Re:Cool Article.
I think everyone will eventually get their own webpage, not just geeks. For example, I created my own web-site (RobertGraham.com) simply as a way to avoid spam (I made the mistake of signing up with the Netcom ISP where they require you to receive spam as part of their agreement). It's more useful than one would suppose, and not simply as a means of putting useless junk up there. For example, I've stopped showing people physical pictures, but instead simply put them up on my website and give people a link. (For example, I almost got myself killed in a car accident recently, and some friends/family wanted to see pictures of the totalled car.)
The whole process gives a whole new dimension to e-mail and general communication, with this posting as an example. I've started to think and communicate in hypertext.
-
My own docs
I've approached this problem in many ways. First, as other Slashdotters have commented, you don't need any special notice; you own the copyright regardless, and that means you can ask anybody at any time to remove the copy from their website.
Most people put a copyright notice on their work that also states that any copy must contain the copyright notice. This is what I do on my documents (example: http://www.robertgraham.com/pubs/network-intrusion-detection.html#copyright).
I go further and track my document. I put a 1-bit GIF file embedded in my document that links back to my server. This tracks people who simply mirror the document through the Referer field.
Then, I put interesting spelling and wording in the document. This allows me to track the document via AltaVista and other search engines.
The philosophical standpoint here is that any document you create is the start of a meme. I use these techniques to shepherd my meme through the web. From this perspective, the Copyright notice is important for works that you want to be essentially in the public domain: it still gives you control over the basic process.
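The server-side half of the tracking described in the comment above, as an added example that is not part of the original post: it scans access-log lines for requests to the embedded GIF and reports the pages on other hosts that the Referer field names. The beacon path, host names, and log lines are constructed, and the Combined Log Format is an assumption.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Combined Log Format: client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"\S+ (?P<path>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

BEACON_PATH = "/img/track.gif"    # hypothetical path of the embedded GIF
OWN_HOSTS = {"www.example.org"}   # hypothetical host serving the original document

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:10:01:02 +0000] "GET /img/track.gif HTTP/1.0" 200 35 "http://www.example.org/pubs/doc.html" "Mozilla/4.5"',
    '198.51.100.7 - - [01/Jan/2000:10:05:40 +0000] "GET /img/track.gif HTTP/1.0" 200 35 "http://mirror.example.net/copies/doc.html" "Mozilla/4.0"',
    '198.51.100.9 - - [01/Jan/2000:11:12:13 +0000] "GET /img/track.gif HTTP/1.0" 200 35 "http://mirror.example.net/copies/doc.html" "Mozilla/4.0"',
    '203.0.113.5 - - [01/Jan/2000:11:30:00 +0000] "GET /img/track.gif HTTP/1.0" 200 35 "-" "Lynx/2.8"',
    '203.0.113.8 - - [01/Jan/2000:11:31:00 +0000] "GET /index.html HTTP/1.0" 200 5120 "http://other.example.com/links.html" "Mozilla/4.5"',
]

def find_mirrors(lines, beacon_path=BEACON_PATH, own_hosts=OWN_HOSTS):
    """Return (Counter of foreign referring pages, count of beacon hits with no Referer)."""
    mirrors, no_referer = Counter(), 0
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["path"].split("?", 1)[0] != beacon_path:
            continue                      # unparsable line, or not a beacon request
        host = (urlsplit(m["referer"]).hostname or "").lower()
        if not host:
            no_referer += 1               # "-" or empty: the copy cannot be located
        elif host not in own_hosts:
            mirrors[m["referer"]] += 1    # beacon loaded from a page on another host
    return mirrors, no_referer

if __name__ == "__main__":
    found, blind = find_mirrors(SAMPLE_LOG)
    for page, hits in found.most_common():
        print(f"{hits:3d}  {page}")
    print(f"{blind} beacon hit(s) carried no Referer")
```

Hits with no Referer are counted separately because a client or proxy that strips the header leaves a copy invisible to this method.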
-
Silly me
...expecting accuracy and facts and stuff. Another poster put up an article with some analysis.
Now I'm going to spend all night reading flames from people who were smart enough to skip the article. :)
-
Re:Why this is utter nonsense
The buffer overflow is only run on WIN32 clients.
The clients tell the server what version they are long before the server sends the buffer overflow packet. Microsoft chooses to emulate the WIN32 client because it has a lot more features than other clients.
To verify, take a sniffer and capture a trace file of the connection sequence. Only when connecting with the v2 Win32 client will you see this particular packet contents being sent.
Read the technical analysis at http://www.robertgraham.com/pubs/aol-exploit
-
Re:Er, where is this overflow exactly?
The full geeky explanation is at http://www.robertgraham.com/pubs/aol-exploit. Basically, in one of the login packets, AOL sends more data than the client expects, causing the buffer overflow, which then changes some of the values in the response packet.
-
Re:Not really a buffer overflow 'exploit'.
Yes, it is a buffer-overflow exploit. The article had a factual error in it. The server sends more data than the client expects; a field 0x0100 bytes long is sent 0x0118 bytes of data. To read the original technical analysis, go to http://www.robertgraham.com/pubs/aol-exploit.