Net Taps Without Warrants?

disappear writes "In the wake of yesterday's threats to cryptography, more ominous news: Wired News reports that a bill permitting warrantless Internet surveilance has been passed by the Senate." This is just part of the expected and unfortunate backlash from tuesday. The terrorists are winning simply because the govt. can use their threat as a blank check to take away our rights. The worst part is that this will do no good whatsoever. Does the govt really think that crypto export restrictions have prevented terrorists from having strong crypto?

Hell no

Is it going to get to the point where I have to use a SSL tunnel for everything I do online? I already use SSH exclusively for remote access to my other off site machines.... this is just getting plain wrong.

What we need to have is secure ftp (ya it exists already but it is not standard), secure web (encrypted all the time, some sort of public key encryption), encrypted chat, encrypted email... encrypted everything.

I don't know about everyone else but I am pretty paranoid... I already use an encrypted partition for all of my sensitive data and wipe freespace & swapfile regularly. I've been considering getting a smartcard reader/writer and writing some custom software so that it must be inserted at all times in order to use my computer(s).

Big brother scares me....really scares me. I know that in light of this past week's events it is in poor taste to be unpatriotic but what the hell.... if something like this passes and it gets abused I will move to another country.

Re:Question:

[M-G]

Even if those who support legislation like this don't have bad intentions, we end up getting hurt. The problem is that once something is available to the government without any checks in place, it becomes very easy to abuse.

This sort of thing has happened repeatedly throughout history, and it's one reason why the founders insisted on a Bill of Rights to explicitly protect citizens from the government.

Bye, bye war on drugs

[asmithmd1]

Hello constant state of war. "We have to take these actions but only until we win the war."

"1984", author George Orwell, 1949, ISBN 0-679-41739-7

Winston could not definitely remember a time when his country had not been at war...war had literally been continuous, though strictly speaking it had not always been the same war. The enemy of the moment always represented absolute evil.

Benjamin Franklin said it best...

[GeneralEmergency]

"They that can give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety."

- Benjamin Franklin, Historical Review of Pennsylvania, 1759.

Re:This is a bunch of CRAP.

[Once&FutureRocketman]

Already did it. Here's a generic version of the letter I am writing. It is intentionally short and non-specific -- customize it to discuss the issues that concern you.

Dear XYZ,

Like you, I am aggrieved at the tragic loss of life resulting from the horrendous events of Sept. 11. Every American has been touched by this trauma which will linger forever in the memory of our nation.

Though I want to see the perpetrators of these acts brought to justice, I must beg you not to compromise American civil liberties in your pursuit of justice. The loss of American citizens' ability to move and communicate freely would be a greater casualty than the thousands killed Tuesday morning.

Benjamin Franklin said that those who give up necessary liberties for security deserve neither security nor freedom. I must echo his sentiment. Do not allow our sacred rights of freedom of speech, association or movement to be abridged in the coming days of difficult choices. America's enemies hate us precisely because we are a free and open society, and they fear the potential that that represents. Do not give them the victory they cannot themselves win by destroying the core of our society, our beloved liberties.

God Bless America,

Who exactly

[roystgnr]

who exactly is gonna make the terrorists all upgrade to the new version?

Simple: The FBI is, when they knock on the terrorist doors.

If your computer is caught sending packets that are labeled (e.g. GPG headers) as encrypted, your computer will either be bugged to get your password or seized to search for plaintext secrets. In theory, this will allow terrorists to be subjected to legal scrutiny while they are still conspiring about acts of terrorism but before those acts are committed.

In reality, it won't work that way:

• Steganography will defeat this. Perfectly compressed data looks like white noise, and the amount of white noise speeding around the internet as pornography alone (where I have already seen it speculated that terrorist messages have been exchanged, in low order bits) is billions of times greater than the amount of data terrorists need to exchange. Will the government replace the internet by something that proxies every webserver , P2P network, and email with a watermark-scrambler?
• Codes will defeat this. Forget the "little black book" codes, where "picnic" => "New York City" and "ants" => September. Imagine codes where your choice of synonyms in an email supplies a bit or two per word, and a few CD-Rs of one time pad data (yes, I've heard terrorists occasionally meet face to face!) supply an effectively unlimited amount of unbreakable encryption even against those who figure out the synonym code.
• Those CD-Rs will make the steganographic watermarks undetectable, as well - maybe PGP output can be distinguished from random noise somehow, but a one-time pad's output can't.
• Let's not limit those face-to-face meetings to passing CD-Rs, either. There was nothing about this attack that was difficult, just unthinkable. They didn't need videoconferencing to pull it off, just a few conferences in rooms without hidden mikes!

In otherwords, we're giving the government authority to review every law abiding citizen's digital communications, without judicial oversight (the FBI had your email, and you're going to take their word for it that nobody, with or without official permission, looked at it?), and without impairing the ability for lawbreakers to engage in undetected low-bandwidth communications (and you don't exactly need to videoconference to plan a terrorist attack) at all.

Did I miss anything?

Re:Not as bad as it sounds

[Dr.+Awktagon]

Circumstances that don't require court orders include an "immediate threat to the national security interests of the United States, (an) immediate threat to public health or safety or an attack on the integrity or availability of a protected computer."

I wonder if "an attack on the integrity of a protected computer" could conceivably include technological access controls on a copyrighted work?

Re:FUD from Wired. Notice the "?" in the Headline.

The NPR reporter obviously didn't read the bill, then, and neither did you, nitwit. Do it now: http://www.politechbot.com/docs/cta.091401.html

If you look at sec.832, you'll see it amends the U.S. Code to include electronic communications such as the Internet. Before it was just wire communications. The Wired article is right, and even underplays how dangerous this is.

where was ECHELON during all of this?

[piccardn]

Maybe the idiots who post all of these trigger words (i.e. bomb, coup, iraq), really did screw up echelon. otherwise you think they would of caugh something like this. Maybe those arabs were using smoke signals? for those that don't know what echelon is:Echelon is perhaps the most powerful intelligence gathering organization in the world. Several credible reports suggest that this global electronic communications surveillance system presents an extreme threat to the privacy of people all over the world. According to these reports, ECHELON attempts to capture staggering volumes of satellite, microwave, cellular and fiber-optic traffic, including communications to and from North America. This vast quantity of voice and data communications are then processed through sophisticated filtering technologies. This massive surveillance system apparently operates with little oversight. Moreover, the agencies that purportedly run ECHELON have provided few details as to the legal guidelines for the project. Because of this, there is no way of knowing if ECHELON is being used illegally to spy on private citizens HERE IS THE LINK: http://www.echelonwatch.org/

Sunset Clause?

[Dante333]

Now would be a good time to write your representative and push for a sunset clause to the House version of this bill. If they are going to let the emotion of the moment get the better of them, the least they can do is write an out in the bill. Let them vote on this again when cooler heads prevail.

Of COURSE they don't

Does the govt really think that crypto export restrictions have prevented terrorists from having strong crypto?

Of course not. But they will pretend that it is so, because it gives them a pretext which cannot easily be argued against in the present climate of public opinion (bomb the bastards etc.). The real motive has to do with the ruling elite's passionate desire to improve monitoring and control of citizens by the state. This is something I think is common to all governments unfortunately.

Ironic, isn't it. The one thing every democratic government fears is an informed and empowered electorate since that is the one thing that can remove them from their comfortable position. They can only remove the threat by centralizing control and keeping the public in the dark about what's really going on.

Under normal circumstances a democratic government can't get away with this easily (at least not in one fell swoop) but given a dire enough disaster they can blow it up into an national emergency and invoke all sorts of "special provisions" that were quietly sneaked onto the statute books but that most people never thought would see the light of day even if they knew.

What you are now beginning to see is the spooks coming out of the woodwork to seize what they no doubt see as a god-given opportunity before the sense of panic fades away and the people regain their senses.

It's not just the US either. Why do you think just about every other government jumped on the bandwagon? Most people in these countries are a bit shocked by the week's events but they're already used to terrorism much closer to home and an attack in New York is, well, thousands of miles away. Just something they saw on TV, like the civil war massacres and famines in Africa, the earthquake in India and so on. No, the reason these governments rushed to jump on Dubya's bandwagon is that they want a piece of the action too, so they can find a pretext to clamp down on their own populations.

I mean, there is Bush talking about an international collaboration to fight those prosecuting a war against "freedom and democracy" and yet even the Chinese government, author of the Tiannanmen massacre, is signing up for it.

Figure it out for yourself.

The meat of the issue (for me)

[(H)elix1]

I posted on this last night, but I saw the debate on cspan. According to the only two folks who I saw mention "this might not be a good idea" - Ah, found it....

Mr. LEAHY.....
In here it says, on wiretapping, pen registers, trap and trace
devices, if the court finds that a State investigator or law
enforcement officer--it could just be an investigator; I don't know if
this means a private investigator, a licensed PI--if they certify to
the court that the information is relevant, if they just came in and
said: Your Honor, I certify this is going to be relevant; I am a State
investigator; I am the deputy sheriff of East Washtub--I apologize to
anybody if there is such a town, East Washtub. Let's say I am a deputy
sheriff on weekends and a mechanic the rest of the time, and I certify
we need this, a State officer. Does that mean a Federal judge is going
to stop things and give them the order?
I have worked with some very good deputy sheriffs in my time. I am
not sure that even with the best--some of them were darned good when I
was a prosecutor--any of them are going to go into Federal court and
say: I want to certify I need this wiretap or this pen register, trap
and trace.
I think we ought to at least know what that is, going into people's
computers because the local investigator says, "I want to." I am not
sure if the authorities, under normal going into court, asking for a
court order, having a hearing, can go into my computer; that is one
thing. But if somebody goes out there, for example, and sees me having
target practice outside my house--I have a pistol range out back of my
house--and they say: I wonder how many guns he has; I want to go into
his computer to find out just in case he has listed his ammunition
purchases. Should they be allowed to? I would think some of those who
are concerned about the rights of gun owners might be a little bit
concerned about this provision. I am a gun owner. I am concerned.
Authority to do wiretaps. It says here that we will redesignate
paragraph (p), as so redesignated by section 434(2) of the
Antiterrorism and Effective Death Penalty Act of 1996, Public Law 104-
132; 110 Stat. 1274, as paragraph (r); and (2) by inserting after
paragraph (p) as so redesignated by section 201(3) of the Illegal
Immigration

[[Page S9376]]

Reform and Immigrant Responsibility Act of 1996, division C of Public
Law 104-208; 110 Stat. 3009-565, the following new paragraph:

(q) any criminal violations of sections 2332, 2332a, 2332b,
2332d, 2339A, or 2339B of this title (relating to terrorism).
. . .

Does anybody want to tell me what that means? I thought we were here
to give help to our law enforcement and our antiterrorist authority to
go after people. I thought we were here to try to finish up a bill that
the Senator from South Carolina and the Senator from New Hampshire have
worked on very closely--and the Senator from West Virginia and the
Senator from Alaska--that would give money to our law enforcement
agencies so we could go ahead and work and try to get the money which
the city of New York and the State of New York desperately need after
the horrific, murderous terrorist acts in that city. I thought that was
what we were here for.
I will not reread what I said, but to do something that nobody here
on the floor can understand or explain, including the people who
introduced the amendment.

Now maybe somewhere there is a press release in there. Why don't we
all send out a press release, a generic one that says we are against
terrorists? No Member of the Senate is for terrorists. Why don't we say
we are against murder? Of course we are. But then why don't we say what
we are doing here? We are going to amend our wiretap laws so we can
look into anybody's computers.
If we are going to change all these things, if we are going to direct
the Director of the CIA and, in effect, direct the President to change
the rules of the CIA, something the President could have them do just
like that, if the President really wants to--if we are going to do all
that here, with no hearing, what does this do to help the men and women
who were injured or killed in the Pentagon--and their families? What
does this do to help the men and women in New York and their families
and those children who were orphans in an instant, a horrible instant?
Hundreds, perhaps thousands, of children became orphans
instantaneously. What does that do for them?
Somewhere we ought to ask ourselves: Do we totally ignore the normal
ways of doing business in the Senate? If we do that, what is going to
happen when we get down to the really difficult questions?
Maybe the Senate wants to just go ahead and adopt new abilities to
wiretap our citizens. Maybe they want to adopt new abilities to go into
people's computers. Maybe that will make us feel safer. Maybe. And
maybe what the terrorists have done made us a little bit less safe.
Maybe they have increased Big Brother in this country.
If that is what the Senate wants, we can vote for it. But do we
really show respect to the American people by slapping something
together, something that nobody on the floor can explain, and say we
are changing the duties of the Attorney General, the Director of the
CIA, the U.S. attorneys, we are going to change your rights as
Americans, your rights to privacy? We are going to do it with no
hearings, no debate. We are going to do it with numbers on a page that
nobody can understand.

Problems with Crypto Backdoors

[Lostman]

I explained this to someone else today when asked why I am staunchly against a backdoor/etc in a crypto program.

A good crypto program is based on a function f[x] such that f[x1] = k, and you cannot find x1 if you know the function f[x] and the encrypted k. This, folks, is hardcore advanced mathematics!

To add in a regulation that there be some "backdoor" (eg: some function that will always take g[k] = x1 for an encrypted value k). Once that function g[x] is known by anyone (f[x] would have to be made in a way such that g[x] must exist btw.. it doesnt just happen) then the communications of everyone that uses that encryption algorithm is compromised.

Think of the problems -- no secure transactions (haulting "e-business"), no secure transmissions of trade secrets (look at france -- the companies just moved to a different country), and generally no information is secure.

Now.. to find a way to convince/explain this all in everyday words...

ideas?

Re:Backdoors.

[gweihir]

The counterpoint to that is that they can detect whether or not your data is encrypted. If it's encrypted, they'll decrypt it, and if they can't decrypt it, they've got you on a violation for not using back-doored software.
The counter-counterpoint to that is to just use the backdoored software, but to encrypt what you send through it (2 layers)

Or send some true random data or claim that was what you sent. It is almost impossible to distinguish hard crypto without headers from true random data. It is impossible to distinguish an one-time-pad encrypte message from true random data.

Would that mean that creation, possession and transmission of random data would also be outlawed? Possession of a dice or a coin get you sent to prison for "owning illegal munitions"?

Fools...

Whats it going to take for you people to realize that you're not national security experts, and are in no business to question their work.

You people bitch and complain that the NSA, and other national security agencies weren't able to prevent this (Tuesday's attacks), and then when they suggest certain changes to security protocols, you tell them they're taking away your freedom.

I mean come on, the rest of us have the freedom to live and not be killed by terrorists don't we? Why should we listen to you idiots that would rather have more people killed and not have the terrorists aprehended, all in the name of encrypting your stupid little email with your secret internet lover so your wife doesn't find out, etc. Oh no, big brother is watching you, ever think there's a good reason for that?

You fools...

Bi-parisan

I am surprised that both sides jump on the band wagon without hesitation.

"During Thursday's floor debate, Sen. Patrick Leahy (D-Vermont), head of the Judiciary committee, suggested that the bill went far beyond merely thwarting terrorism and could endanger Americans' privacy. He also said he had a chance to read the Combating Terrorism Act just 30 minutes before the floor debate began."

If Leahy didn't agree with it and didn't have enough time to read it, then why did he approve it.

When you have moderate republicans and moderate democrats, then you have a one party system.

Still serving the purpose of democracy?

[Futurepower(tm)]

CmdrTaco: "Does the govt really think that crypto export restrictions have prevented terrorists from having strong crypto?"

This is such an obvious and sensible objection that it makes me wonder. My guess, and it is only a guess, is that a large part of the U.S. government no longer serves the purpose of democracy. The war may be, not on terrorists, but on the American people. My guess is that it is not conspiracy, but widespread government corruption.

That's the only conclusion that supports all the information. For example, the U.S. CIA trained Osama bin Laden. See the 1998 MSNBC article referenced in the first paragraph of What should be the response to violence? where I've tried to pull together some of the facts.

Whenever there is a problem, there seem to be two situations that go together: 1) The U.S. government intelligence agencies say they did not foresee the problem, and 2) the intelligence agencies had a years-long prior involvement with the person who caused the problem. Osama bin Laden is one example of this.

Another example is General Noriega of Panama who had a working relationship with the U.S. CIA for years before he was accused of drug trafficking. Was the exposure of Noriega caused by his not taking orders? A quick Google search on "Noriega General Panama CIA" gave a link to a chapter in a book by Noam Chomsky, The invasion of Panama. Chomsky's book is called What Uncle Sam Really Wants.

Another link on the first Google page was, The Real Drug Lords, A brief history of CIA involvement in the Drug Trade by William Blum.

I hope not

[einhverfr]

Back when DES was being developed, the NSA helped make it secure-- but under the condition that the key length was reduced from 64 bits to 56 bits (which the NSA at the time probably could crack through brute force if they REALLY had to).

The problem with backdoors is that the terrorists might get access to them too, or enemy nations, etc. Or even criminals. Just think, with these master keys, they could eavesdrop on e-commerce transactions protected with SSL and steal credt card numbers...