FCC To Require Backdoor Network Access for Feds

humankind writes "The EFF is reporting that the Federal Communications Commission issued a release [pdf] announcing its new rule expanding the reach of the Communications Assistance to Law Enforcement Act (CALEA)." From the article: "Practically, what this means is that the government will be asking broadband providers - as well as companies that manufacture devices used for broadband communications - to build insecure backdoors into their networks, imperiling the privacy and security of citizens on the Internet. It also hobbles technical innovation by forcing companies involved in broadband to redesign their products to meet government requirements."

...WTF?

[Pantero+Blanco]

Wasn't there a ruling just a few weeks back that the FCC didn't have the authority to regulate the Internet, which would include things like VoIP? Did that get overturned at some point?

Re:...WTF?

[twiddlingbits]

It's the actual networks the telco's own, which technically IS the Internet and technically IS not as some data (such as corporate data) travels on the networks mixed in with Internet data (i.e. a VPN over the Internet). It's really a gray area as to where the Internet stops and the carrier newtworks begin. A private, seperately routed network for say Wal-Mart using dedicated SBC/Wilco/Sprint/MCI lines would NOT be the Internet, but if they sent the data via the public side of a network then it is the Internet. Next thing ya know the Feds will want all the corporate encrypt/decrypt keys and all of our PGP keys so if the data the monitor from those they deem are suspicious they can unlock the data. Of course since they don't know in advance WHO will need to be monitored we have to err on the side of caution and EVERYONE has to give over thier keys. Even with the Patriot Act (which is well intentioned but very flawed in execution) I think this goes too far. I expect this one to be ruled on by the Supreme Court before too long. In the meantime, I guess we should all be very careful.

Re:...WTF?

[tomhudson]

Sure they did - they were called scissors, iirc :-)

Re:...WTF?

[Flamsmark]

If you are of the opinion that limiting the rights of americans to privacy and to the liberty to act normally without suspicion is a good intention, then, by all means, the Patriot Act has good intentions. However, if you think that any breach of privacy must be preceeded by justification; or that 'security' is not automatically created by loss of liberty - as I do - then the patriot act has intentions which could even be classed as malicious.

Re:...WTF?

[zerus]

"Looks to me like more and more people are going to gt into wireless mesh networks and pgp/gpg just to avoid big brother."

If only people would take that much of an active approach to conceal their privacy. In practice, people are lazy. With the exception of a few groups of people, the vast majority of people on the internet in the US hold the idea that "I have nothing to hide, so why not?". That is very unsettling to me and probably everyone else on /. People already don't conceal their privacy offline. If you want to shat yourself, try looking up yourself/friends/family on www.zabasearch.com and you'll see what I mean. Privacy is unfortunately becoming less and less and the vast majority of people don't care because the invasions of privacy are relatively transparent. If the FBI viewing their entire internet habits/emails doesn't interfere with their daily lives, then they won't complain so long as they're told that it's being done to "stop the terrorists." This is becoming more and more an invisible war where the enemy is the ideal of freedom.

Re:...WTF?

[demachina]

"Nobody is at this time limiting your rights, your privacy or your liberty"

WTF are you talking about. If you are taking a subway in some major American cities today you can now be stopped and searched for no reason and with no warrent. If they catch you with a couple of joints I'm curious if you are going to jail and if they can make the charges stick since it is a blatantly illegal search. There is no probable cause and there is no warrant for these searches. They are about as illegal as they get when they start applying them to people commuting to work everyday.

In the UK the police drew guns and started shouting at a Brazilian electrician because he was dark skinned and wearing a heavy coat in summer. He paniced which is not a surprise when people start yelling at you and drawing guns. They tackled him pumped him full of lead, though he had no weapon, purely on the vague suspcion he might have a bomb. The Brits responded with, oops, sorry.

Its something of a fact of life you are surrendering your privacy to get on an airplane but last time I did it they hand frisked, intrusively, a 70 year old man in front of me. The look on his face was sickening and it was worse because they were intimately searching him in front of everyone with a little table being the only thing blocking the worst of it. At this point I'm thinking, how has America fallen this far. He didn't fit the "Terrorist Profile" either and it was probably the first time in his life he'd been frisked. The lady at the metal detector said he looked "nervous" which is apparently why he was one step away from strip search. He was nervous but only because he was deathly afraid of the security shakedown and amazingly he had reason to be.

There is a fair chance you will soon see millimeter wave scanners in airports which will in effect let total strangers see you naked everytime you go to an airport. If they work there then there is a fair chance they will eventually appear in mass transit.

"If I want to keep something private, I sure don't send it via the Internet, snail mail still works good in that respect"

You are totally delusional at this point if you think the Fed's wont open your mail if you or whomever you are communicating with is the target of an investigation.

" The fact that the Patriot Act got pretty much unanimous reapproval in the House and Sentate says it not a bad deal on the whole."

No it says the political climate is such that politicians will vote for almost any piece of security legislation, no matter how bad. If they don't their opponents will pummel them in the next election for being soft on terrorists and it will work. The quality of the legislation has nothing to do with it. The National Intelligence reform act passed by a wide margin and it instituted the first step towards nation ID cards which Americans would have never tolerated 5 years ago. It eliminated most of the safeguards against intelligence agencies spying on Americans which were instituted because J. Edgar Hoover and Richard Nixon were massively abusing those powers to spy on, blackmail and general destroy their political opponents.

" I really don't care as I'm not going to do something to bring him down on me."

Thats the spirit. I'm sure thats how most American's rationalize it. These news powers are currently only being used to hammer Muslims, most of whom appear to be innocent. You aren't Muslim, you don't fit the "Terrorist Profile" so why should you care. Germans didn't care either as long as it was only they Jews that were being persecuted because they weren't Jewish.

Awesome.

[ThatDamnMurphyGuy]

More regulations to drive up costs and actually lower security. That's our government. I can't wait for the first time that a feds-access method is discovered and published. Of course I'm sure they'll label that discovery person a terrorist.

Re:Awesome.

[paulproteus]

It's so nice to have market-loving, freedom-creating, innovation-pushing Republicans in power. And we all know Republicans are all for limiting the size, scope, and expense of government.

Wait - you're saying they added regulation that limits busineses' freedoms to innovate with broadband and adds invisible costs to the consumer? I thought that was what commies and big-government Democrats do!

Re:Awesome.

[i_am_not_a_bomba]

Wait,

So your saying that the republicans shouldn't be blamed because they have caved in where the democrats didn't?

Seriously, that's what you've just said in that post.

Sometimes i wonder if you lot would *ever* condem your partys actions, then i read posts like yours and think "no".

(I am not an american)

Re:Awesome.

[HangingChad]

The FBI has been seeking this type of capability for a LONG time, including during the entire Clinton administration.

But the Republican controlled Congress gave it to them.

It's time to stop apologizing for Republican misdeeds and failed policy. It's my party and it's time for an overhaul.

Re:Awesome.

[Jah-Wren+Ryel]

I had a discussion with a friend who was the CEO of a networking company (before it got bought by Alcatel...) He told me that the companies build this type of backdoor into the routers, etc. for their own reasons anyway. .

Since when did a CEO ever understand the technical intricacies of his own company's product? Particularly the undocumented parts?

There is a huge difference between leaving a backdoor service account -- which is pretty much all that the developers may ever do on their own -- and providing fully automated remote sniffing, tracing and logging capabilities that report to a centralized command-and-control center that is offsite and not under the control of the customer who owns and manages the router.

right to privacy

[garstka]

It's funny how you never hear the phrase 'right to privacy' nowadays. Is privacy no longer a concern to people now that we have terrorists to worry about? The things I think about and read and what I do in my personal space (yes, my computer is MY space) is frankly not the business of anybody except me. Get a warrant, then search me - I'll live with the fear of a terrorist attack, I can handle the responsibility.

Re:right to privacy

[dratox]

"Is privacy no longer a concern...?" People don't know enough to be concerned. Most people happily ignore politics; their right to privacy is just a subset of this. The government tells them its good for them, and they'll blindy buy into it, to lazy or too stupid to actually see the facts. should the government tell them that losing their freedoms is a good thing, then they'll buy right into it, no questions asked

Re:right to privacy

[spagthorpe]

You're right, it is your space. Pull out that little network cable at the back of the machine. There, nobody has access to it anymore. See how easy that was?

Some of us remember what it was like to use a computer before the internet. Strangely, they were still pretty useful for a lot of things.

Re:right to privacy

[demachina]

"Is privacy no longer a concern to people now that we have terrorists to worry about?"

The stock response is if you aren't doing anything illegal why would you care about privacy. This is only to catch bad people doing bad things. You aren't a bad person doing bad things are you? At this point you can see why only activists will fight it. Your average citizen isn't going to complain because that just makes you ripe for further attention by the authorities. The man in the suit might come knocking and ask, "Why are you wanting to use encryption and hide your activities from us Mr. Garstka."

American's don't really have much of a sensitivity, at present, as to why police states are bad. They aren't likely to start caring until its to late. At the moment its really only Muslim's that are taking the brunt of it and most Americans aren't Muslim. For example two men in Detroit were convicted on terrorism charges by the DOJ. The two main exhibits:

- A homemade video of their trip to Disneyland which the government insisted was really a surveillance tape to plan for a terrorist attack, and just cleverly made to look like a tourist video.

- A conman up on fraud charges was offered a reduced sentence if he testified against them. Predictably he took the offer. Unfortunately for the DOJ he started talking to cell mates and admitted he lied to get his charges dropped and the case was overturned, but not until two Muslim men and their families had been put through living hell for having video taped their Disney vacation.

This instance is covered in the fascinating BBC documentary The Power of Nightmares. If you want a primer on why your right to privacy is being eviscerated by the powers that be, its a good starting point. It also highlights some fascinating similarities between the neoconservatives currently running America and Britain and Islamic fundamentalism. In many respects they need each other and are using each other to attain their goals, the end of western liberalism and liberties. They both want a return to regimented societies dominated by their respective religion's concept of law and order.

Re:right to privacy

[vettemph]

You have the right to be secure in your "persons, houses, papers, and effects"

You have the right to assemble.

You do not have the right to be secure in your "persons, houses, papers, and effects" while being added with you PC to assemble in a timely and organized fashion. This new efficiency would give you the ability overthrow a tyranny. We can't have that.

Re:right to privacy

[silverkniveshotmail.]

I actually have the rights to the first one, and my girlfriend has the rights to both. We're using the first so the second isn't used, but there is a zero baby policy in our life.
Doesn't your religion even accept that we have the right to sin(free will)? and that we are to choose the 'right' path?

SSH tunneling

[paulproteus]

I was going to reply to this with, "Well, I can tunnel my connections via SSH to add instant magic security powder," but then I realized - the server I'd be doing the tunneling *to* is on a cable modem, and it'll have all the same backdoors.

I wonder if I can trust my university's networks; maybe I should SSH tunnel to my computer science department account.

Huh.

huh?

[zappepcs]

How does this hobble technical innovation? It is a logical extension of CALEA.

I see problems with it, like Skype is not a US company and implementing CALEA functions for monitoring on Skype servers would not be legal in other countries?

I don't think that the government has a clear grip on what the Internet is yet, but by allowing VoIP to replace traditional switched circuit voice networks, they lose monitoring functions for legal wiretap operations. This just gives it back to them, though I'm not sure how they will implement it worldwide, nor do I think it can be done simply within the borders of one country since it is run over the Internet in many cases. Sure, if Comcast offers VoIP, then CALEA would apply, but I see trouble with Skype and Gizmo services.

Also makes me wonder how far the reach of CALEA will go, given the current state of anti-terrorism and related activities.

I just don't see how this hobbles innovation.

Re:huh?

[laffer1]

Innovation is hampered because US companies have the additional burden of providing the back door in their products. Its an added cost, and security hole. If I lived in another country, I would not buy American products now. As an american, i may consider buying foreign products without the back doors. Obviously i'd have to mail order them for a less than reputable source as products imported will probably need the lame back doors too!

Re:Why do they always have to be insecure?

[paulproteus]

When there's one key to the whole American Internet infrastructure, that sounds pretty insecure to me.

One malicious Fed with the access key can leak it, or eavesdrop on anyone at will. Perhaps he was blackmailed by the mafia, or wants extra money by selling info to spammers, or incentives are otherwise skewed.

Time and time again, we see that eavesdropping systems are abused by insiders. That's why limiting the availability of eavesdropping technology to exactly what's required is the most secure choice.

a diaster waiting to happen

[MrLint]

Well since companies like Linksys use linux in their devices, they still have to comply with the gpl. meaning if they keep using Linux they will be revealing all the back door code, or they'll have to stop using it or get sued.

Of course knowing our govt, the spec will be sooo poor and it'll get out and the internet will have huge security holes and hackers and spammers will get a hold if it.. and *foom* govt facilities zombies!

mebbe its time to switch to a bsd router.

Freedom in the US, and implications for business.

If the goal of terrorists was to destroy our freedoms and way-of-life, it is starting to look like they are winning -- and while I sure terrorism is the excuse for this law, I'm really not sure I trust the intentions or our current government.

In addition to the immediate 'what kind of country are we becoming?' blood-curdling privacy implications of this law: what is this going to do the competitiveness of American manufacturers? Other countries are not going to accept back-doors for the US government in their network products.

words from a clec employee on this subject.

hey all,

yes the fbi have the ability to monitor calls on a class V voice switch for years due to this law.

it is normal. we take it for granted.

just like i have the ability to take my t1/ds3 test set and listen to any ds0 channel i want. Anywhere along the line i have easy access too.

well, now they want easy access to other methods of making calls. the problem they will run into is that the tech is constantly changing. Voip calls are going through cheap x86 boxes. It will have to be a software hack that allows it.

or they could just setup a transparent bridge with whatever interfaces they want. Sniffing the line in that fashion...

all i can say is good luck to them. they seem to have forgetton the paridigm shift in power with PCs hitting the mass consumer market. They can no longer eavesdrop the way they want.

just my 2 cents

Re:9/11 changed everything..

[keyrat+rafa]

The terrorists won already. Just look how many rights we have to give up to protect ourselves.

Re:9/11 changed everything..

[SpaceLifeForm]

The terrorists have not won already. They are maybe winning because of the losers in government.

But, they have not won. They will have won when the US no longer exists.

Re:This is a good idea?

>a firmware patch would be all that is required to seal the breach.

Because we all know, especially when it comes to Routers/firewalls and other infrastructure, Joe Six-Pack Owner *Always* keeps up with the latest firmware releases. :)

Re:9/11 changed everything..

[Oktober+Sunset]

If you give up all rights that the US stands for, then the US may as well not exist.

Re:This is a good idea?

I am once again surprised with the high mod points here. This guy is as niave as hell. It's pretty damned hard to design a secure front door leta alone a back door. This may be flame bait but it goes to show the level of technical knowledge on slashdot is dropping like a rock.

Re:This is a good idea?

[clamhan]

This sounds very US-centric. Building backdoors into networks? The rest of the world will be very interested in buying equipment which the US Government can tap into any time. The question, "Is it American built?", will be answered by, "Don't touch it with a bargepole, it's got US backdoors in it". I can see American companies going for this one big time.

Re:9/11 changed everything..

I wouldn't say that they're winning just because Americans are giving up rights. It just means we (the normal citizens, not the politicians or corporate big-wigs) are losing. The terrorists aren't necessarily winning either because our inept foreign policy hasn't changed at all.

Anyone who believes that "terrorists want to take away Americans' freedoms" is deluding themselves. They likely just interpret our foreign involvement as bullying and wish us to stop.

Government support of cisco?

[ediron2]

Heh, perhaps this is being done so that the Government can cause a catastrophic security event so big it'll make Cisco's looming problem look trivial.

After all (and I do government security work), Uncle Sam usually does mediocre to terrible infosec...

Seriously, this idea is terminally stupid to the point where I doubt it'll succeed. Even if we dodge the risk (hah!), and the letter of the rule is implemented, grunts like me will just be required to implement secure tunnels to hide stuff that is too important to risk (they add a key, so we add another lock).

We need to fix this... Here's how.

The American public needs to put aside their petty differences, and force through a constitutional amendment that garuntees the right of privacy. There will be discussion on how to word it, but it needs to be worded strongly, or else we will fall into totalitarian facsist bureacractic rule, from which we might not soon recover.

Folks, Linux Router Project

[the_REAL_sam]

Don't you remember the good old LRP?! It was an open source implementation of a firewall router that fitted onto a floppy, ran on an old 486 with 2 network cards, no cooling fan, no monitor. Most importantly, NO BACKDOORS.

Barring that there would always the option of circumventing the commercial "spook" internet with a homespun wireless routing or "pringles can" internet.

There is no way that the spooks can bypass determined ingenuity for freedom.

firewall your internal network yourself

[MMHere]

I consider the port out of my home office to be inherently insecure.

None of my machines on my network get to send to/from that port without first going thru my NATting and rule-driven Linux firewall machine.

They can hack the DSL modem thru its "insecure backdoor" all they like, but they'll meet only my silent firewall -- just like everyone else.

Slippery slope is the real problem

[CurbyKirby]

As others have mentioned here, assuming that the Internet is confidential is dangerous and naive. With the rise of cable modem networks and Wifi networks, the zone of trust is even smaller.

I don't have a problem with the general idea of governments being able to tap the Internet in the same way as they tap phones, if and only if the system is secure and regulated at least as rigorously as phone taps. In fact, given the choice I'd rather they tap the Internet than phones (where things like encryption are expensive/difficult to employ).

While the general idea of a net tap isn't so bad, the implications are more distressing. Once they get their mitts on the first few layers of the network stack, they'll naturally work their way up. The next logical step is key escrow for encryption. For an old yet relevant paper on this, see:

http://www.cdt.org/crypto/risks98/ [html]

Among the risks and problems cited in that paper are things that will also be relevant in any sort of network tap, including higher costs pushed onto end users, inherent insecurity in having extra access vectors, and difficulty in preventing abuse of the system.

In the end the idea of a network tap isn't so bad. What bothers me is the difficulty (impossibility?) of doing it right, and the other things that this will set a precedent for.

Re:Right to what?

[Legion303]

"right to privacy is an urban legend. Read the constitution if you don't believe me."

You first. You can start with the 9th amendment.

Re:9/11 changed everything..

[87C751]

The sad part is that the US finds that limiting personal freedoms is a viable way to combat terrorism.

No, they find that limiting personal freedoms is a viable way to limit personal freedoms. That's the real agenda. Combatting terrorism is just this year's excuse.