FBI's Wiretapping Demands May Nix Verio Deal

An Anonymous Coward pointed to a story on the AP wire, writing: "Why does the FBI and US government have problems with this merger? Is there some sinister wiretap access deal between the current US ISPs ? [From the article:] 'An NTT spokesman told the Journal a pending U.S. government review of the deal is a response to FBI and Justice Department concerns that law-enforcement agencies maintain access to Verio's Internet structure to obtain wiretaps and serve subpoenas for information. ... In telecommunications deals, the FBI has asked for assurances that only U.S. facilities be used to handle U.S. traffic. The FBI has insisted the companies employ U.S. citizens to handle wiretapping activities.'" A fellow-traveling A.C. points to coverage on CNNfn. Does this bother anyone?

Anti-paranoia post

[chriscrick]

I notice a lot of fearmongering in this thread about the CIA and NSA snooping around the affairs of the American public. One of the hats I wore in my last job was as Intelligence Oversight officer for a unit within one of our intel agencies. As such, it was my responsiblity to make sure that my department conducted itself with complete probity under Executive Order 12333, which absolutely forbids covert intelligence collection activities against "United States persons" (defined in the Order) by any agency except the FBI, and by them only for valid law enforcement reasons, possibly requiring warrants and court orders.

I'm certainly not saying that it never happens, by any agency, at any classification level (no matter how deep you make it into the TS-SCI world, there's always weird stuff going on somewhere above), but it never happened in my department, and never to my knowledge anywhere else.

Chris

No surprises here.

[isaac]

The FBI (and the NSA, either directly or by proxy) have been in bed with the telecoms industry in the USA since the very beginning. In 1994, Congress passed CALEA (the Communications Assistance to Law Enforcement Act) which explicitly mandated that tap-and-trace functionality be built into digital telecom networks.

Now, this is just my gut feeling, but I think the FBI's concerns over access are just a ruse. The real concern (from a national security standpoint) is more likely that NTT (the buyer, Japan's national telephone monopoly) will use the tapping capabilities built into Verio's networks for gathering of intelligence (economic or otherwise) as an agent of the Japanese gov't or corporations.

-Isaac

Encrypt Casually and Regularly

[goingware]

If you worry as I do that people snoop on the Internet, then you should use encryption. Don't just use encryption for important secret messages, use it all the time so that the snoopers won't be able to tell when you're up to something they should be paying attention to. Even if you have nothing to hide, generating encrypted traffic on the net improves its overall security because it makes it more difficult for crackers to focus on those who appear to have something going because they use encryption (even encryption is subject to traffic analysis).

Please read my page Why You Should Use Encryption.

If you get your mail from and put web pages on a hosting service, then at a minimum you should use one that provides secure shell (ssh) and secure copy (scp) access. One such hosting service that does is Seagull Networks. Does anyone know any others?

When you retrieve your email via POP or load a web page via FTP your password is being transmitted in the clear. You have no control over which routers and cables it passes through in the process, so you have no way of knowing if someone's running a sniffer on a compromised host. Usually you have no knowledge even of the route, unless you go to the trouble to run traceroute regularly.

You can download your email via an encrypted channel with ssh port forwarding if your mail host provides ssh. The instructions given are oriented to the BeOS but apply in general to any OS for which an SSH client exists.

If you run a website that uses passwords please consider allowing the users to enter their passwords via SSL (https).

If you use websites that require passwords, please use a different password for each site. At the very least, use a unique password for your important sites, like your email, web pages and financial sites. If you keep the passwords in a file (which you may have to do because there are so many sites that take passwords), encrypt the file.

Be aware that most sites that have passwords do not encrypt them, otherwise they wouldn't be able to send you your password reminder in clear text. I've even used sites that mailed out password reminders in the clear every couple months just to prompt me to use the service. Note that anyone at the site who has root access, anyone who compromises the site or anyone running a sniffer on or near the site will be able to catch your passwords.

Also I think it is very likely that many websites are provided for no other purpose than to collect passwords for later use by crackers - beware of that free trial and use a unique password if you must accept the offer!

Use the anonymizer or, if you have Windows 95 or 98, Freedom to protect your privacy while you web surf.

Finally, do you use a laptop computer? Do you have files on it that you don't wish to share with the random stranger who might steal it someday? How about your competitors? A thief won't likely be in the direct employ of your competitors but they may recognize the value of the information and sell it to them, or even post it on the net for fun.

And remember in this information age the information on our computers is more valuable than the hardware itself, and unlike car stereos can continue providing value to a thief because, once it is fenced, it is still available to be fenced again.

Depending on your OS, you should use PGPDisk or the Linux encrypting kernel on your laptop.

Consider encrypting important information on your desktop too. A friend of mine who is a software developer lost every machine in his company in a robbery - source code, strategic plans, and the customer database.

I know of two cases where laptops were stolen from intelligence agents, once during the Gulf war, and once from an MI5 agent while he'd set it between his legs at a train station. Good thing they used encryption!

Finally, read the Forum on Risks to the Public in Computers and Related Systems available on the Usenet News as comp.risks and on the web at http://catless.ncl.ac.uk/Risks

Tilting at Windmills for a Better Tomorrow

George Washington vs. FBI ding ding ding

Ok, I might be going out on a limb here, but I'm pretty sure that this is wrong. I can just picture the head of the FBI trying to convey his argument to George Washington... it might go a little something like this: FBI: Yeah, were going to have to nix this deal... it compromises National Security.... Washington: Really, how's that? FBI: Well, ya see, we can't listen in on peoples conversations, and that presents a security risk to the American people.... Washington: So what your basically saying is that innovation , and people's rights to privacy should be waived when face with a possible security risk? FBI: Basically yes... Washington: You don't see any problems with this? FBI: Not really no.... Washinton: So, if I read you right, what your saying is that your right to the ability to listen in on private communication supercedes the right of the American public to engage in private communications.... FBI: Yep. Washinton: Here we go again... Now, I don't think this is in the best interests of the American people... this is in the best interests of law enforcement. Correct me if I'm wrong by shouldn't the FBI exist to serve the best interest of the American public?

Re:The people I know at Verio..

You think any of us working at Verio would even dare answer this on the grounds of it being forwarded to our supervisors? Right. As a disclaimer, I'm speaking personally (off the record, and off the clock). There are no company secrets being released here.

As you may or may not know, approximately a year ago, Verio purchased 56 (or so) companies around the United States and has been trying to "integrate" them into their Borg collective, so-to-speak. No harm intended.

The buy-outs of these companies resulted in Verio handing over (to managers or higher-ups only) very VERY large sums of stock at a very VERY miniscule stock price. Therefore, these managers will be quite pissed if the NTT deal does not go through.

I personally know of a few individuals (again, managers) who are already making plans to buy houses and other expensive investments with their stock money. Hence why the NTT deal is so important to them.

As for employees, well, let's just say that Verio believes strongly in EBITDA (search for the word if you don't know what it is). The concept of EBITDA is "profit before expense," which basically boils down to that full-time employees are "expensive" (and affect profit severely), but that contractors are not. Verio writes off contractors as a business expense (yeah, interesting, isn't it), while full-time employees who are either fired or leaving are not being replaced. I still do not understand how a company can morally (or legally) work like this. As stated by hundreds upon hundreds of economic analysts, EBITDA DOES NOT WORK. Period.

Onto the NTT aspect...

To be entirely honest, I met personally with the two Japanese individuals who originally proposed the NTT-Verio deal be done. I have to say that both of these individuals are EXTREMELY friendly, and they respect their employees greatly. Employees in Japan are NOT expendible, and both of these individuals made it very clear to myself that without employees the company wouldn't be anything at all. Verio, however, takes the entire opposite approach.

So, honestly, as an employee, the NTT deal means nothing. We get nothing out of it; our management doesn't change, we don't get raises, we don't get better benefits (or worse benefits). Nothing changes.

I'd love to work for NTT (in Japan) though. They have a lot of respect, not to mention (something any geek will appreciate) last year they spent over 3 billion (yes, billion) on just R&D. That's pretty damn cool.

But... if you're a manager, you'll be seeing the word "PREMIUMS" all over the inside of your eyelids while sleeping.

So, back to the issue of stock. That's what this whole thing is all about. It seems the Slashdot goons are unable to focus on what the real point of government involvement is about -- it's not about wiretapping, it's simply about penis length.

The US government is "scared" that Japan would be able to invest in American stock (Verio), but that Americans would not be able to invest in Japanese stock (NTT).

Like I said, it's a penis war. Leave it to America to be excessively paranoid.

Leave it to Slashdot to blow it out of preportion and focus on the wrong aspect of the merger.

Just my $0.02.

Its CALEA related

[scott@b]

The FBI and other LEAs are worried because of the potential of moving the actual servers outside of the US. If the email resides on servers elsewhere, then the US laws don't have much effect.

A LEA could get "taps" on the dial-up or other connection points, but it makes it much tougher to snag that email as the monitored person could dial in from anywhere to any connection point to get their mail. The FBI much rather be able to have the server capture all mail traffic, so they have only one place to go.

This general concern holds for other telecommunications providers. CALEA is the requirements for providing access to telephone, paging, two-way radio, and cell phone systems for "tapping" by law enforcement agencies.

With fines of up to 10K $US per day to service providers who can not provide a CALEA port when served with a tap request, the government is serious about being able to monitor all communications of someone they are investigating. Moving the servers of a US provider outside of the US makes it harder to use that hammer.