FCC To Require Backdoor Network Access for Feds
humankind writes "The EFF is reporting that the Federal Communications Commission issued a release [pdf] announcing its new rule expanding the reach of the Communications Assistance to Law Enforcement Act (CALEA)." From the article: "Practically, what this means is that the government will be asking broadband providers - as well as companies that manufacture devices used for broadband communications - to build insecure backdoors into their networks, imperiling the privacy and security of citizens on the Internet. It also hobbles technical innovation by forcing companies involved in broadband to redesign their products to meet government requirements."
If you have a backdoor - how long before somebody malicious has access? 30 minutes? If you can get into any box anywhere (because apparently everything will have to have this) then couldn't one little malicious script bring down everything connected to the internet?
If you use open source router software, and tunnel or SSL or SSH to everything, this should not be a problem.
The question is, why aren't people assuming that plaintext is a bad thing already?
AFAICS, all the linked press release says is that VOIP should be subject to the existing laws on telephone tapping....
Or am I missing something?
Even regular consumer devices like Linksys routers are running Linux, so that makes me wonder if the changes have to be hardware or software changes. It's my impression that on a Linksys router, basically everything important is done in software, so I don't see how this could be implemented in hardware.
And obviously, if this means that Linksys routers need to have a patched kernel, will they have to be locked in some way to prevent changes to the kernel? What about the GPL? If the backdoor is implemented as a part of the kernel, and then that kernel is redistributed, then the backdoor code would need to be published, right?
Back in the days when everything was hardware, regulations like this would be cleanly enforceable, but now that the work is done almost entirely in software, it's a mess.
Interesting that they sought these powers all through the Clinton administration, yet didn't receive them until the Bush administration.
"Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
So for now, it is alive and well in theory.
But SCOTUS has taken rights that once were fundamental and reclassified them as not (forget which ones right now). So it comes down to what the SCOTUS du jure thinks.
There was a guy in my law classes who, after 911, kept saying that we may have passed into an era where privacy must be sacrificed. I don't think it is necessary and hope he was wrong.
Related comment - last year I reported some vandalism on my property. I refused to fill out the fields for age, race, hair and eye color, etc. The police called me and refused to enter the report (I did it online) unless I provided that information. I said "why? You know where I live and I was the victim (sort of - my property was)" Their reply? "The FBI won't like it." Scary.
... rather than just taking everything I hear from the internet (interpreted thanks to eff.org). Kudos to people like sheetrock, teilo, and others for doing the same. I'm not going to bother reiterating some of their previous points regarding "backdooring our routers!". If you're confused ... look up "backdoor" and "wiretap" on some jargon files or something.
Here's a link to the FCC announcement (NOT eff.org's): http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-260434A1.pdf
Ooooh, there's some big telco words in there that I had to look up.
Facilities-based ISP: the ISP owns the switches and access servers.
Many ISPs are non-facilities-based or hybrid, meaning that they buy some access from other facilities-based ISPs, and have some equipment of their own. It only makes sense that the FCC would want access to the equipment through the people that actually own them.
More specifically, the announcement mentioned that they would target the facilities-based ISPs / VoIP carriers that allow connection to the PSTN (public switched telephone network).
You guys have all seen those cop movies where they sneak into the bad guy's house and tap his phone. Well, if a bad guy is using VoIP, you can hardly do that. (Well you can, because VoIP's standard is not encrypted, although some like Skype claim to.) So rather than try to tap at the source, which could possibly be encrypted (as teilo said), they just tap it at the point at which it is just PSTN traffic again. (Remember they were focusing on services that allowed communication to PSTN from VoIP.) So if bad guy A tries to do VoIP to bad guy B who's just on PSTN, then FBI can listen in, without knowing the location of bad guy B.
This leaves the idea of the bad guys just talking VoIP to VoIP with encryption. People say that the government can already sniff our traffic and see everything we do, so what's the point of this new legislation? Where are they sniffing from? As of now, I don't think it's via these ISPs who are commercially owned with little to no regulation. So maybe this is the government just moving their pieces into better position on the board.
Just my 2 cents.
1: RIAA/MPAA sniffs out a pirate on a P2P network, they send an automatically generated electronic form to the Department of Homeland Security, which has an Intellectual Property enforcement team, complete with IP address. In moments, the DHS automatically fills out another form, which is stored on a computer, then sends the hack signals to the cable box in question to begin sniffing network packets. This system then automatically checks the data of the packets to see if the data is similar to any files the RIAA/MPAA doesn't want provided.
...Is there any good use for this?...
Or anything else the government doesn't happen to like.
The DHS then begins seizing computers out of homes with search warrants obtained with said data, at gunpoint.
Depending on the dissident or resident, they then go in unannounced and when they raise their hand above to block the light from going into their eyes during a night raid, they get shot for making a wrong move...
2: A political dissident radio network, TV network, website, etc. is broadcasting all over the world wide web. The ADL, APAIC, Oil corporation, wood corporation, etc. doesn't like this. DHS gets a sniffer on the line going from their place, then sniffs IP address and begins sending hack signals to the IPs requesting services to the box they are sniffing. They then systematically send signals to each box in line to shut it off or ban it from getting onto said website, radio network, etc.
3: Is there such a thing as secure transmissions on that kind of a line if they can intercept the encryption key going over it?
4: You are now on a "Internet Terrorist Red List" where if you don't do what we will just keep sending disconnect packets to your cable modem every 10 seconds so you can't get on.
The ISPs already have to oblige by federal regulations regarding searches and seizures. So if they've got the evidence they go over the CO, hook a tap on the DSL or tap the phone line itself... a phone tap works for any residential or other internet service if you've got access to the other end.
"but I really don't care as I'm not going to do something to bring him down on me."
Forgot to add I'd laugh my ass off if you were communicating with someone who is doing something that the man doesn't like, and who is a target of an investigation. If you are you fall under guilt by association and you wouldn't even know it.
For example you may remember the programmer who was a citizen of Canada, who was snatched by the Feds, questioned and then deported to Syria where he was jailed and tortured for over a year. His crime as I recall, someone in his family asked him to sign as a reference on a lease of this other guy, who had been targeted in a terrorism investigation. His second mistake was he flew through New York on his way from Europe home to Canada.
You see you don't have to be guilty of anything in this wonderful world we live in. You can be targeted for just communicating with someone under suspicion, or you can be falsely accused by someone being pressured through interrogation and threats. For example in the UK now it's a crime to withhold information about a terrorism investigation. Three people in the UK are being charged for just this in the wake of the London bombing. If they are falsely accused the only way they can escape this charge is to make up false information to give to the authorities and the easiest thing to do is falsely accuse someone else.