2002 US Wiretap Report
GMontag writes "Full report: 2002 WIRETAP REPORT, Administrative Office of the United States Courts, Leonidas Ralph Mecham, Director. I especially like this part: 'Public Law 106-197 amended 18 U.S.C. 2519(2)(b) to require that reporting should reflect the number of wiretap applications granted for which encryption was encountered and whether such encryption prevented law enforcement officials from obtaining the plain text of communications intercepted pursuant to the court orders. Encryption was reported to have been encountered in 16 wiretaps terminated in 2002 and in 18 wiretaps terminated in calendar year 2001 or earlier but reported for the first time in 2002; however, in none of these cases was encryption reported to have prevented law enforcement officials from obtaining the plain text of communications intercepted.'"
DES broken? The evidence mounts...
There's a growing sense that even if The Future comes,
most of us won't be able to afford it.
-- Lemmy
however, in none of these cases was encryption reported to have prevented law enforcement officials from obtaining the plain text of communications intercepted.
So are we talking ROT13 here, or real encryption? Seems a little unnerving if it's the latter.
End of lesson. You may press the button.
Here it is.
however, in none of these cases was encryption reported to have prevented law enforcement officials from obtaining the plain text of communications intercepted
Does this mean that all the communications were successfully decrypted? Or maybe it just means that failures were not reported?
-- Brian
The most rabid believers in American Exceptionalism are the exact same people whose policies are destroying it.
Roving Web-Teleoperated Robot
For those who don't RTFA, here's one interesting number: Average cost per intercept order = $54,586
I don't see any reference to how the number is determined, like if it includes parts of salaries for employees.
Developers: We can use your help.
This makes me glad I ordered a whole slew of phone tap warning stickers from CrimeThinc. I can't wait for them to arrive. Maybe it can help make a difference against the evil Patriot Act.
Love,
Jay and Silent Bob
Make what you will about this report, but consider this for a moment: In what other country in the world would this report ever see the light of day?
if that includes this. Or other situations where the wiretap failed, and the police were able to get the information in a more traditional or creative way rather than breaking the encryption.
I just noticed that for the NY Organized Crime Task Force's 7 intercepts, the average cost was $886,999. Yet for Special Narcotics it's only $8747. I suppose it's due to the duration of the intercepts.
Developers: We can use your help.
I tend to believe that the government is able to either break or circumvent levels of encryption at a much higher level than commonly thought. I mean, it's entirely possible that old devices were being used for communication, but it seems to me if you're going to be cautious enough to encrypt comms at least one or two would have done it properly.
I wonder: If encryption on the line prevents a court-ordered wiretap from obtaining useful information, is that enough cause to, say, break in and bug the room? The wording of the statement seems to suggest that...
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
You've got two ends of the pipe where the data winds up as plaintext. If either end was compromised, as would seem to be the case, then there's no need to worry about cracking the ciphertext.
It's not the encryption algorithm or perhaps even the implementation that's weak. It's how the user manages his or her data.
It looks like there were some 1350 odd state and federal authorised wiretaps. Anyone have any idea how credible this number is? Colour me paranoid but in the current climate I would have expected a much higher number. Or have I just misread the report (OK I admit I only glanced at it)
Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
What truth?
There is no dupe
10 to 1, they either found other evidence to force the users to voluntarily cough up the keys, got a warrant to put a sniffer on the user's keyboard in the case of computer communications and then retrieved the keys from the computer after they got the password, or they physically copied the encryption keys out of the phones in the case of encrypting phones.
I've always wondered if they can get a password from you involuntarily by just hooking you up to a lie detector and asking questions like, "is the first letter a vowel? Is it 'A'? Is it 'E'? Is the second letter a number?"... etc.
Anyway, most encryption is pretty useless if the cracker can own the machine or its keyboard for a while without the user's knowledge and almost all of it is useless if you own the user.
Only 16 taps were encrypted? Either the "bad guys" don't even try, or they're not tapping the right people.
lexbaby
"Be Brave, Be Loyal, Be True." -- Hawkeye Pierce
Believe me, right now I'm more worried about the bad guys getting my passwords than law enforcement. The bad guys might know what to do with the data I send around, law enforcement can't touch it without going to jail themselves. I'll keep using SSH, thank you very much.
I do find it interesting that most of the taps had to do with narcotics... what passwords do drug dealers use that are easy to guess?
Given that the average cost of a federal wiretap in 2002 was $75,659, I imagine there was a strong incentive for gov't wiretappers to get their money's worth. And given the feds' almost unparalleled codebreaking resources, it would take pretty solid encryption to sneak one past them.
The supposed 100% success ratio in cracking encrypted communications is most likely because the individuals under surveillance (mainly drug smugglers and organized crime) lack the sophistication necessary to match wits with the feds.
I'd assume that the most elite, technically savvy criminals out there don't get caught by law enforcement wiretapping, for two reasons:
1. They are subtle enough that they never even come under suspicion, and are thus not under surveillance.
2. They are smart enough to communicate in ways that are not easily intercepted by the feds: private couriers, simple signals that were agreed upon in advance, etc. Those that rely on electronic communications probably use steganography or other means to disguise the fact that a "message" is even being sent. Let's face it, a suspected drug dealer sending a simple, encrypted text message may as well be waving a big red flag and shouting: "look at me! I've got something to hide!"
Another interesting table is this one. It gives $/tap. The average cost is over $50K. That suggests that a wiretap is going to take a big bite out of almost any agency's budget (average cost for the Feds is $75K). The cost may be the best protection of our privacy. Certainly it seems a better bet than the judiciary.
Finally, there is the table which shows arrests and convictions. Slightly over half of the arrests related to wiretaps result in convictions. Does anyone know how that compares to investigations without wiretaps? It suggests that more than half of the wiretaps were in response to some broken law. Hopefully they were good laws, rather than DMCA-style disasters.
In short, one could almost imagine that the folks in the tin-foil hats are crazy to worry about the cops tapping their computers.
See what I've been reading.
- [source unknown, seen in .sig files for at least 10 years]
If ``higher level'' means ``arrest the guy you sent the encrypted message to, and get him to decrypt it'', I'm sure you're right.
The gov't may be able to do a bit more than they say, but keeping/learning secrets isn't generally a technological problem; it's a social problem. Governments have been solving the learning secrets problem for thousands of years. If they know you have a secret, they can learn it. If they don't know, they'll never try.
See what I've been reading.
You're right... in the U.S. They'd decrypt the message with you during a 20 year to life term in a maximum security prison without ever charging you with anything or giving you a trial by your peers.
The decryption sessions would occur in a small dark room where you would be "inconvenienced" and "annoyed" and "harassed" by being forced to stand for LONG periods of time, having food and water withheld, being locked in a 3x3 room with no human contact for weeks on end, being woken up at random times just to be asked a question hoping that in a sleepy state you might divulge something, having sound played at near painful levels for hours/days on end.
Yea... the U.S. system is SOOO much better than the old Soviet system. At least the Soviets had the balls to make it common knowledge what they did, you knew what to expect. Here in the U.S. the government pussyfoots around the issue and makes you think that the "interviewees" are treated just like you and I when questioned by the local beat cop.
Article X: The powers not delegated... by the Constitution...are reserved...to the people
/. If the government wants us to respect the law, it should set a better example.
'muffy' is NOT a good encryption key. Either that, or get a better name for your pet.
The polygraph is not a lie detector. A polygraph actually records a number of different signals. Respiration, perspiration... A polygraph only detects your output, not your internal processes. That may eventually change with walk-through brain scanners at the airports...
The polygraph operator may be thoroughly trained to interpret this data, or they might simply have bought a polygraph and hired themselves out immediately. Training and certification varies greatly from state to state. It's claimed that they measure 'deceptive reactions' pretty well, (bear in mind that they also run on Windows. No, I'm not kidding.) If you really believe what you're saying, a polygraph won't pick that up. But on the other hand, it might. I would say that the jury's out on their effectiveness, but they don't let polygraph results anywhere near a jury. (We'll get to that.) Deceptive behaviour is not the same as lying. If you give a patently false answer to every question, it messes with the baseline. If you give honest answers that mislead, it may or may not pick them up. If you tell the truth but think about something bad you've done lately, you might get a false positive. It's that messy.
Voice analysers promise similar results- the ability to pick up changes in a person's voice, microtremors, when deceptive intent creeps in... but have also been shown to be faulty. And then shown to be fine. And then faulty again. And so on.
The supreme court has ruled that polygraph tests can be administered- but that the data may not be used as evidence in court. Although it is illegal to make a polygraph test part of the private industry hiring practice, the feds can do this all they want, and are expanding their activities in this regard as more sophisticated, digital equipment becomes available.
It's more likely that brain imaging will evolve to replace the polygraph- and even then, it probably won't be 100%. There will always be those who can believe what they are saying to be true. It's all about confidence. So to answer the question- yes, they could try, but they might not be able to get anything useful from it, and if you know enough about how they work, you could give them enough false positives that they'd never work it out. Then they'd simply get a court order to bug your keyboard instead, out of sheer frustration. Unless you were deemed a REAL threat to national security- in which case they import you to Egypt for 'questioning...'
Sorry if I sound pessimistic. But the answer is that if it's that important, they'll use something more proven than a polygraph....
"I'd say 'Have a good time,' but arson is still illegal.
Or maybe I just need to check the shielding on my tinfoil hat, but history says that the above is probably much closer to the truth than anyone in the administration wants to admit.
Scientists restrict study to entire physical universe; creationist
Has anybody read about chaffing and winnowing? (http://theory.lcs.mit.edu/~rivest/chaffing.txt) What is its strength compared to normal encryption?
Anyway, the reason I was wondering is all the comments about extracting passwords from people. What would happen if something were encrypted in a way that different passwords revealed different content? It would be trivial with chaffing and winnowing, but I'm sure it could work with other types of encryption.
The key idea is that of plausible deniability. Say you interleave three streams of data: the real stuff, the decoy stuff, and some random garbage to mess with messages sizes. If you can give 'them' the password for the decoy stuff, and it works, aren't you pretty much off the hook?
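The three-stream idea from the comment above, as an added sketch that is not part of the original post: each stream is authenticated with HMAC under its own key, the chaff carries random MACs, and the key used for winnowing decides which stream comes out. Block size, keys and messages are constructed for the illustration.

```python
import hashlib
import hmac
import os
import random

BLOCK = 8      # payload bytes per packet (choice made for this sketch)
TAG_LEN = 32   # HMAC-SHA256 output size

def tag(key: bytes, serial: int, chunk: bytes) -> bytes:
    """MAC over serial number and payload; the payload itself stays in the clear."""
    return hmac.new(key, serial.to_bytes(4, "big") + chunk, hashlib.sha256).digest()

def wheat(key: bytes, message: bytes) -> list:
    """Split a message into (serial, payload, valid MAC) packets."""
    if len(message) % BLOCK:
        raise ValueError("message length must be a multiple of BLOCK")
    chunks = [message[i:i + BLOCK] for i in range(0, len(message), BLOCK)]
    return [(n, c, tag(key, n, c)) for n, c in enumerate(chunks)]

def chaff(serials: int) -> list:
    """Packets with random payloads and random (hence invalid) MACs."""
    return [(n, os.urandom(BLOCK), os.urandom(TAG_LEN)) for n in range(serials)]

def interleave(*streams: list) -> list:
    """Mix all streams so packet order does not reveal which stream a packet is from."""
    wire = [packet for stream in streams for packet in stream]
    random.SystemRandom().shuffle(wire)
    return wire

def winnow(key: bytes, wire: list) -> bytes:
    """Keep only packets whose MAC verifies under `key`, reassembled by serial."""
    kept = {}
    for serial, chunk, mac in wire:
        if hmac.compare_digest(mac, tag(key, serial, chunk)):
            kept[serial] = chunk
    return b"".join(kept[n] for n in sorted(kept))

# Constructed sample data: two 24-byte messages, each under its own key.
KEY_REAL = b"constructed key for real stream"
KEY_DECOY = b"constructed key for decoy stream"
REAL = b"budget draft is attached"
DECOY = b"lunch on friday at noon?"

def build_wire() -> list:
    """Real stream, decoy stream and pure chaff, all sharing serials 0..2."""
    return interleave(wheat(KEY_REAL, REAL), wheat(KEY_DECOY, DECOY), chaff(3))

if __name__ == "__main__":
    wire = build_wire()
    print(winnow(KEY_REAL, wire))    # the real stream
    print(winnow(KEY_DECOY, wire))   # the decoy stream
    print(winnow(b"some other key", wire))  # nothing verifies
```

With whole-block payloads like these, an observer still reads every candidate chunk; Rivest's paper gets confidentiality from much finer granularity (down to one bit per packet) or from an all-or-nothing package transform applied before chaffing.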
- What's our "population"? Criminals (and from the looks of that report, primarily drug dealers).
- What are we trying to answer? Whether computer encryption is easily breakable by government wiretapping and other mechanisms.
- What info do we know?
- 1) Criminals are generally stupid (why else would they be breaking the law so blatantly to require an investigation that cost >$50k?!)
- 2) The government wiretaps did not encounter any problem with encryptions that prevented a wiretap from being successful
The primary problem with most of you is that you're making a mountain out of a statistical molehill. Considering 95% or more of all criminals are complete morons, why would you assume any of them would be using secure 128-bit encryption, steganography, and other such encryption tools to encode their communications? They're usually more interested in how they're gonna whack that jerkoff down the street for lookin' at their girl the wrong way.
Lisa: But I don't see any tigers around, do you?
Homer: Lisa, I want to buy your rock.
Additionally, given the immense inertia of the government, could the Patriot Act even have an effect by now? My guess is that any successful intercepts of terrorist plans recently are still done the same way they would have been done five or ten years ago.
A good example of the inertia would be the Department of Homeland Security. They are progressing towards their goals, but I wouldn't be surprised if another decade goes by before any changes have really become effective. There are just too many people, too many departments, too many systems, etc.
Healthcare article at Kuro5hin
Not necessarily. Especially not when encrypting multiple times using the same algorithm. Read Bruce Schneier's "Applied Cryptography" book. Good stuff. He covers this question much better than I can answer here.
Even when using multiple different algorithms there is a chance of weakening the whole thing. Depends on which algorithms you're using and how you're using them. I think you are generally safe using different known-good algorithms though (say 3DES then AES). I would not encrypt multiple times with the same algorithm unless it has been mostly proven to be more secure.
The ratio of people to cake is too big
Not necessarily. Encrypting with key A and key B is often mathematically equivalent to encrypting with key C. It may not be any harder to crack.
Sort of, but the security gained can be gained in other ways, for less cost (in terms of operator time and computer time).
In general, assuming a rock solid algorithm, you will not gain anything by using two 1024 bit keys, over a 2048 bit key.
In practice, I suspect that with any actual algorithm, the 2048 bit key would be more secure. This is because the entropy in the key is not evenly distributed, but is concentrated in the higher order bits. So by having two sets of low order bits, you have less entropy than you think in the key - which translates directly into less time to crack. [0]
So, it won't improve the algorithmic security over a twice as large key. There are, I think, just two other reasons for considering this.
If you use two different algorithms, then you might be able to cover a weakness in one algorithm by wrapping it in another. Frankly, just use a better, single, algorithm. There are plenty that have been shown to be secure, and there's no advantage to faffing around like that, unless you believe that the NSA have s00p3r s3kret decrypters for a particular algorithm. In which case, grab a tinfoil hat, and hack PGP so that it does not output any framing information on the encrypted data at all (to prevent algorithm identification). I think all you achieve is to make it difficult for people to send encrypted information to you.
However, there is, I think, a reasonable algorithm for using two different keys. If you store them differently, and access them differently, then you can make it twice as hard for someone to steal your private key. So, for example, you might have a private key on a USB keychain, and the other on hard disk. If only one of them has a pass phrase, then it can be very difficult for, e.g. a keyboard sniffer, to identify that there are two keys.
There are other solutions to this, which would not require double encryption though. Primarily, you could encrypt one key with the other, achieving a similar degree of operator level security, without the overhead [1] on others, making it far more likely to be successful. If it's too complex for others, then they may well just skip the encryption altogether.
Encrypting one key with another is also how I would implement a 'need both people to decrypt' schema.
(Aside: Anyone know of a method that would allow for a 'any n of m keyholders needed to decrypt' schema? It's something that has advantages, but I've no idea how to go about it)
So, unless there is some purpose to the double encryption that I've missed (i.e. you meant something by 'secure' other than what I covered above), it nets you nothing over simpler methods.
[0] Note that this applies only to asymmetric (public key) encryption schemes, such as RSA, DSA etc (key lengths around 1024 bits), not to symmetric ciphers, such as blowfish or 3DES, with key lengths of around 128 bits.
[1] And remember that this overhead is not so much for yourself, who can cope with it - but for those who wish to send you messages. If you are just encrypting files for your own use, then alternative solutions (a symmetric cypher, or one time pad) have advantages.
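On the 'any n of m keyholders' aside in the comment above: a known construction for this is Shamir's secret sharing, shown here as an added example that is not part of the original post. The function names, the choice of field prime and the sample key are assumptions of this sketch; the shared secret would typically be the symmetric key that protects the data.

```python
import secrets

# Field modulus: the Mersenne prime 2**521 - 1, large enough for keys up to 64 bytes.
PRIME = 2**521 - 1

def split(secret: int, n_needed: int, m_holders: int) -> list:
    """Return m shares (x, y); any n of them recover `secret`, fewer reveal nothing."""
    if not 1 <= n_needed <= m_holders:
        raise ValueError("need 1 <= n_needed <= m_holders")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must fit in the field")
    # Random polynomial of degree n-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(n_needed - 1)]

    def f(x: int) -> int:
        acc = 0
        for c in reversed(coeffs):      # Horner evaluation mod PRIME
            acc = (acc * x + c) % PRIME
        return acc

    # Holder i receives the point (i, f(i)); x = 0 is never handed out.
    return [(x, f(x)) for x in range(1, m_holders + 1)]

def combine(shares: list) -> int:
    """Lagrange-interpolate the polynomial at x = 0 from the given shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        inv_den = pow(den, PRIME - 2, PRIME)   # modular inverse (Fermat)
        secret = (secret + yi * num * inv_den) % PRIME
    return secret

if __name__ == "__main__":
    # Constructed sample: a 32-byte key shared 3-of-5.
    key = int.from_bytes(b"0123456789abcdef0123456789abcdef", "big")
    shares = split(key, 3, 5)
    print(combine(shares[:3]) == key)   # any three holders suffice
    print(combine(shares[:2]) == key)   # two holders interpolate the wrong value
```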
That, however, does not mean that he wasn't guilty as sin; only that he can't legally be punished for it. In any event, under no circumstances should he be serving in a senior Pentagon position requiring any level of security clearance.
There are two main problems at work here. Who is listening in on your conversations, and who let them?
The person within the law enforcement community listening in on your calls may not be perfect. They could use this information to their own ends. They might tip off a friend as to when you are going on vacation and have them rob you. Or they might let that information slip in a public place, with the same result. They might be a child molester in the making, or a murderer, or something else. Just because you get a government check does not make you a saint. I wish it did.
Problem one : Unknown people spying on you.
The second problem deals with lazy people. Mainly the public who have given our government their passive approval of this abuse. The public agrees and maybe even likes this lack of liberty in their own home. They enjoy their temporary safety, at the expenses of some unseen freedoms.
Problem two : The people.
The people, meaning you reading this, if you want things to change need to change yourself first. Change. Become someone who takes an active role in the shaping of your community and become a letter writing machine. Vote! Get the word out. Get out of that chair. If you don't I really don't want to hear your complaints, because you are the problem.
I have faith in the people. I have greater faith in those that read Slashdot. They are people who "hack" things when they need it. The government needs to hear from us. We have to enlighten people as to the lost freedoms. I see that things will change. The dream of freedom must live in the United States at all costs for the simple reason that without that dream there is little need for the United States.
I know how stupid and corny that sounds, but it's true. When you drive by a school and see those kids playing, know that they are counting on you to correct these problems. Think about what you would tell them about maintaining freedom. What advice you might offer. Take your own advice.
Freedom is not free. It takes time, effort, and sometimes lives. There are people who lay bloody in a field as the life slowly drained from their bodies who all had the same thoughts in their minds as they died. They thought that dying was not that high a price if others will live free and keep the dream alive.
With all that is happening sometimes I think that the dream of freedom and liberty will die with us, but then my faith returns. I will take action. I hope you will also.
-- Prepared at the direction of, or to be sent to Legal Counsel, in anticipation of litigation. Attorney Client Pri
So if they got around the encryption to decipher the conversations, they violated the DMCA and should be punished. Right? Hillary where are you now, bitch!??
I agree that the GOVERNMENT has only our best interest in mind. However the government is not a friendly, father figure like a deity. Many people are under the impression that because of what our country (and government) stands for is good, the government can only do good.
Unfortunately the government is not a friendly caretaker. The government is composed of people and people can be evil. It is men (and women) that will have access to our information via the PATRIOT act. It is these people that I believe have no right to my private information.
In a perfect world this would not be a problem. However in a perfect world, we would not have terrorists, governmental scandals, or war.
I do not oppose the PATRIOT act because I am a criminal or have something to hide. I oppose the PATRIOT act because I am NOT a criminal and have the right to be treated as such.
3m1n3m
pot
money
big_high
Or maybe the encryption was by financial insiders, but they wrote their passwords on notepads by their desks...