Slashdot Mirror
FCC To Require Backdoor Network Access for Feds
humankind writes "The EFF is reporting that the Federal Communications Commission issued a release [pdf] announcing its new rule expanding the reach of the Communications Assistance to Law Enforcement Act (CALEA)." From the article: "Practically, what this means is that the government will be asking broadband providers - as well as companies that manufacture devices used for broadband communications - to build insecure backdoors into their networks, imperiling the privacy and security of citizens on the Internet. It also hobbles technical innovation by forcing companies involved in broadband to redesign their products to meet government requirements."
We can't sit back and let the terrorists win.. err wait, wtf am I talking about? Somehow this is a good thing.. yes.. maybe I should give the feds access to my webcams, this will make america safer :)
Wasn't there a ruling just a few weeks back that the FCC didn't have the authority to regulate the Internet, which would include things like VoIP? Did that get overturned at some point?
More regulations to drive up costs and actually lower security. That's our government. I can't wait for the first time that a feds-access method is discovered and published. Of course I'm sure they'll label that discovery person a terrorist.
Think of the children! It's for fighting terrorists and will never be used otherwise!
Cisco, for example, has complied with this new rule before it even existed.
If you have a backdoor - how long before somebody malicious has access? 30 minutes? If you can get into any box anywhere (because apparently everything will have to have this) then couldn't one little malicious script bring down everything connected to the internet?
It's funny how you never hear the phrase 'right to privacy' nowadays. Is privacy no longer a concern to people now that we have terrorists to worry about? The things I think about and read and what I do in my personal space (yes, my computer is MY space) is frankly not the business of anybody except me. Get a warrant, then search me - I'll live with the fear of a terrorist attack, I can handle the responsibility.
I was going to reply to this with, "Well, I can tunnel my connections via SSH to add instant magic security powder," but then I realized - the server I'd be doing the tunneling *to* is on a cable modem, and it'll have all the same backdoors.
I wonder if I can trust my university's networks; maybe I should SSH tunnel to my computer science department account.
Huh.
|/usr/games/fortune
How does this hobble technical innovation? It is a logical extension of CALEA.
I see problems with it, like Skype is not a US company and implementing CALEA functions for monitoring on Skype servers would not be legal in other countries?
I don't think that the government has a clear grip on what the Internet is yet, but by allowing VoIP to replace traditional switched circuit voice networks, they lose monitoring functions for legal wiretap operations. This just gives it back to them, though I'm not sure how they will implement it worldwide, nor do I think it can be done simply within the borders of one country since it is run over the Internet in many cases. Sure, if Comcast offers VoIP, then CALEA would apply, but I see trouble with Skype and Gizmo services.
Also makes me wonder how far the reach of CALEA will go, given the current state of anti-terrorism and related activities.
I just don't see how this hobbles innovation.
Support NYCountryLawyer RIAA vs People
When there's one key to the whole American Internet infrastructure, that sounds pretty insecure to me.
One malicious Fed with the access key can leak it, or eavesdrop on anyone at will. Perhaps he was blackmailed by the mafia, or wants extra money by selling info to spammers, or incentives are otherwise skewed.
Time and time again, we see that eavesdropping systems are abused by insiders. That's why limiting the availability of eavesdropping technology to exactly what's required is the most secure choice.
|/usr/games/fortune
Well since companies like Linksys use linux in their devices, they still have to comply with the gpl. meaning if they keep using Linux they will be revealing all the back door code, or they'll have to stop using it or get sued.
Of course knowing our govt, the spec will be sooo poor and it'll get out and the internet will have huge security holes and hackers and spammers will get a hold if it.. and *foom* govt facilities zombies!
mebbe its time to switch to a bsd router.
If the goal of terrorists was to destroy our freedoms and way-of-life, it is starting to look like they are winning -- and while I sure terrorism is the excuse for this law, I'm really not sure I trust the intentions or our current government.
In addition to the immediate 'what kind of country are we becoming?' blood-curdling privacy implications of this law: what is this going to do the competitiveness of American manufacturers? Other countries are not going to accept back-doors for the US government in their network products.
I hear the password is gonna be PENCIL... SHHH dont tell anyone.....
for more contraband. "Hey, buddy. Wanna buy a modem? Guaranteed secure. Only a thousand bucks. Buy two for eighteen hundred." This will turn our economy into a pure black market(I wish). Everything will be illegal. A pirate's paradise this will be. The hardware hackers have their work cut out for them. I hope they can handle it. Our new machines will be giant breadboards and wire wrap. All electronic engineers will be required to register. There will be a three day waiting period to buy soldering irons while they do a background check. God! what a bunch of freaks! And I'm not talking about the good kind...that hung out at the original Woodstock. You poor pitiful souls. Why do want to turn the earth into a prison planet? Never mind. I already know.
What?
"What if it means that the equipment will accept connections if it passes a rigerous sshv2-dsa key handshake, with a really, really big key size? I don't see that being insecure, setting aside concerns about the stupid feds being bitches in power games leaking the key. Technically, there's nothing stopping them from making it secure (as secure as you or I have our home systems, that is)."
The dominant SSH implementation (OpenSSH) isn't even based in the US, so the FCC doesn't have the power to mandate backdoors in it.
I rarely criticize things I don't care about.
I was just thinking, this is the point at which I stop buying US Robotics broadband routers and start pondering the benefits of using either a Mac Mini or a small-footprint intel PC as a linux router...
I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
Big deal. So anyone with a little bit of knowledge and desire can cripple the entire internet in one blow.
We can't let the terrorists win! We must comply with this obivously good idea.
Oh wait...
If you use open source router software, and tunnel or SSL or SSH to everything, this should not be a problem.
The question is, why aren't people assuming that plaintext is a bad thing already?
AFAICS, all the linked press release says is that VOIP should be subject to the existing laws on telephone tapping....
Or am I missing something?
This is true. I work for a telco, and I have received calls from FBI personnel stating that they need an entire switch tapped when entities like the President and VP are in the area. Most recently was Dick Cheney's visit to the Las Vegas area.
that make me give thanks for living in a 3rd world country... I think.
I think it's a great idea. As you point out, within 30 minutes someone will have malicious access. Within a month every script kiddie on the net will have access to every PC in America.
At which point, I welcome the government's attempt to successfully prosecute me for anything whatsoever: "No, that file of Dubbya, the underage pretzel salesgirl and the goat wasn't mine. You idiots left the backdoor to my system wide open. Literally anyone on the net could have used my PC to host it and you guys are responsible for that one. And may I just say thank you for establishing 'reasonable doubt.'"
The legal definition of guilt in a criminal case is beyond all reasonable doubt (as opposed to balance of evidence for civil cases). If they're absolutely determined to ensure it's completely impossible to achieve 'beyond all reasonable doubt', and thus any successful prosecutions, I'm all for it.
This is one where, legitimately, they can claim it's only for catching terrorists - because they've destroyed any legal standing for a successful prosecution (suspected terrorists not getting prosecutions, just export to a country that uses torture).
Even regular consumer devices like Linksys routers are running Linux, so that makes me wonder if the changes have to be hardware or software changes. It's my impression that on a Linksys router, basically everything important is done in software, so I don't see how this could be implemented in hardware.
And obviously, if this means that Linksys routers need to have a patched kernel, will they have to be locked in some way to prevent changes to the kernel? What about the GPL? If the backdoor is implemented as a part of the kernel, and then that kernel is redistributed, then the backdoor code would need to be published, right?
Back in the days when everything was hardware, regulations like this would be cleanly enforceable, but now that the work is done almost entirely in software, it's a mess.
-----------------
mobile search
They can put a backdoor on my OpenBSD box after they beat me to death with a cold, dead Model M keyboard. (Come to think of it... that would be easy to do.)
My other car is first.
... rather than just taking everything I hear from the internet (interpreted thanks to eff.org). Kudos to people like sheetrock, teilo, and others for doing the same. Im not going to bother reiterating some of their previous points regarding "backdooring our routers!". If you're confused ... lookup "backdoor" and "wiretap" on some jargon files or something.
/ DOC-260434A1.pdf
Heres a link to the fcc announcement (NOT eff.org's) http://hraunfoss.fcc.gov/edocs_public/attachmatch
Ooooh theres some big telco words in there that I had to look up.
facilities-based isp: isp owns the switches and access servers.
Many isps are non-facilities based or hybrid based, meaning that they buy some access from other facilities-based isps, and have some equipment of their own. It only makes sense that the fcc would want access to the equipment through the people that actually own them.
More specifically the announcement mentioned that they would target the facilities based isps / voIP carriers that allow connection to pstn (public switched telephone network).
You guys have all seen those cop movies where they sneak into the bad guy's house and tap his phone. Well, if a bad guy is using voIP, you can hardly do that. (Well you can, because voIP's standard is not encrypted, although some like skype claim to). So rather than try to tap at the source, which could possibly be encrypted (as teilo said), they just tap it at the point at which it is just pstn traffic again. (Remember they were focusing on services that allowed communication to pstn from voip). So if bad guy A tries to do voIP to bad guy B whos just on pstn, then fbi can listen in, without knowing the location of bad guy B.
This leaves the idea of the bad guys just talking voIP to voIP with encryption. People say that the government can already sniff our traffic and see everything we do, so whats the point of this new legislation? Where are they sniffing from? As of now, I don't think its via these ISPs who are commercially owned with little to no regulation. So maybe this is the government just moving their pieces in to better position on the board.
Just my 2 cents.
Heh, perhaps this is being done so that the Government can cause a catastrophic security event so big it'll make Cisco's looming problem look trivial.
After all (and I do government security work), Uncle Sam usually does mediocre to terrible infosec...
Seriously, this idea is terminally stupid to the point where I doubt it'll succeed. Even if we dodge the risk (hah!), and the letter of the rule is implemented, grunts like me will just be required to implement secure tunnels to hide stuff that is too important to risk (they add a key, so we add another lock).
New rules mandating($200 Mr. Bush) that all transmissions over TCP/IP(the now mandated internet protocol) be made in plain text. Any indecypherable info will be traced back to the source and the sender will be...umm...detained. In other news, the post office has now prohibited the use of envelopes, and all letters are to be written in English only. Any spelling and grammitical errors are subject to further investigation and may result in detention.
What?
Ok, so the for profit router manufacturers may be required to create back doors for the feds (which, of course, will be discovered & exploited by others). This will not stop, & in fact should encourage, the use of linux routers & firewalls without these holes. If I make it & don't sell it, I don't see how the feds can say shit about it.
Finding a dead Model M is _NOT_ an easy task.
1: RIAA/MPAA sniffs out a pirate on a P2P network, they send an automatically generated electronic form to the Department of Homeland Security, which has an Intellectual Property enforcement team, complete with IP address. In moments, the DHS automatically fills out another form, which is stored on a computer, then sends the hack signals to the cable box in question to begin sniffing network packets. This system then automatically checks the data of the packets to see if the data is similar to any files the RIAA/MPAA doesn't want provided.
...Is there any good use for this?... ... ... ... ...
Or anything else the government doesn't happen to like.
The DHS then begins seizing computers out of homes with search warrents obtained with said data, at gunpoint.
Depending on the dissident or resident, they then go in unnannounced and when they raise their hand above to block the light from going into their eyes during a night raid, they get shot for making a wrong move...
2: A political dissident radio network, TV network, website, ect is broadcasting all over the world wide web. The ADL, APAIC, Oil corporation, wood corporation, ect doesn't like this. DHS gets a sniffer on the line going from their place, then sniffs IP address and begins sending hack signals to the IP's requesting services to the box they are sniffing. They then systematically send signals to each box in line to shut it off or ban it from getting onto said website, radio network, ect.
3: Is there such a thing as secure transmissions on that kind of a line if they can intercept the encryption key going over it?
4: You are now on a "Internet Terrorist Red List" where if you don't do what we will just keep sending disconnect packets to your cable modem every 10 seconds so you can't get on.
The ISP's already have to oblige by federal regulations regarding searches and seizures. So if they've got the evidence they go over the CO, hook a tap on the DSL or tap the phone line itself.....a phone tap works for any residential or other internet service if you've got access to the other end.
Don't you remember the good old LRP?! It was an open source implementation of a firewall router that fitted onto a floppy, ran on an old 486 with 2 network cards, no cooling fan, no monitor. Most importantly, NO BACKDOORS.
Barring that there would always the option of circumventing the commercial "spook" internet with a homespun wireless routing or "pringles can" internet.
There is no way that the spooks can bypass determined ingenuity for freedom.
"Forgive us our trespasses, as we forgive those who trespass against us." -Jesus Christ The Lord's Prayer
In Russia the FSB (ex-KGB) apparently has (or at least had, the article is quite old) been forcing this on ISP's for years, but some are trying to fight it. I guess KGB is now considered as a good role-model...
http://www.libertarium.ru/libertarium/14424
I consider the port out of my home office to be inherently insecure.
None of my machines on my network get to send to/from that port without first going thru my NATting and rule-driven Linux firewall machine.
They can hack the DSL modem thru its "insecure backdoor" all they like, but they'll meet only my silent firewall -- just like everyone else.
It is doubtful that Clinton would have received all that was given in the Patriot Bill. His attack using cruise missles upon a camp in Afghanistan, when he had intelligence that bin Laden was there was often referred to as "wagging the dog". Ashcroft, as a Senator, helped to shoot down lawful roving wiretaps being inserted into crime omnibus bills, voting no to amendments on multiple ocassions. It is also doubful that the Clinton Administration would have had the audacity to claim they needed these extreme methods right after they had miserbly failed to perform their duty of defending America.
And even if my analysis is wrong, there is still no justifiable reason for the government enabling themselves with these extra powers.
It would be a shame if our elected politicians had to actually honor their oaths to protect and uphold the Constitution, wouldn't it? It seems that anyone who reads the Fourth Amendment to the US Constitution would have a difficult time justifying the legitimacy of this action by the FCC:
Our Congresspersons are, after all, a class of known liars who haven't even a small amount of honor within them; politicians.
The "terrorism" rationale just does not hold muster here. It is nothing more that a tool being used by politicians in a quest for power not rightfully theirs. The Rights of Humans are being eroded away, a byte at a time. The wellspring from which all legitimacy for the actions of our government flows is the Constitution. To act in a manner contrary to it, is to engage in tyranny. Each time our politicians make an exception to the Constitution, for any reason whatsoever, they have weakened all, and have made it easier for the future's politicians by giving them precedents to cite when they too tear away at the limitations rationally placed upon power, one thread at a time.
The Dreamtime America is fading away.
Rush Limbaugh is a perfect real world example of an oxycontinmoron
As others have mentioned here, assuming that the Internet is confidential is dangerous and naive. With the rise of cable modem networks and Wifi networks, the zone of trust is even smaller.
I don't have a problem with the general idea of governments being able to tap the Internet in the same way as they tap phones, if and only if the system is secure and regulated at least as rigorously as phone taps. In fact, given the choice I'd rather they tap the Internet than phones (where things like encryption are expensive/difficult to employ).
While the general idea of a net tap isn't so bad, the implications are more distressing. Once they get their mitts on the first few layers of the network stack, they'll naturally work their way up. The next logical step is key escrow for encryption. For an old yet relevant paper on this, see:
http://www.cdt.org/crypto/risks98/ [html]
Among the risks and problems cited in that paper are things that will also be relevant in any sort of network tap, including higher costs pushed onto end users, inherent insecurity in having extra access vectors, and difficulty in preventing abuse of the system.
In the end the idea of a network tap isn't so bad. What bothers me is the difficulty (impossibility?) of doing it right, and the other things that this will set a precedent for.
--
"Extra Anus Kills Four-Legged Chick" -- Headline
"right to privacy is an urban legend. Read the constitution if you don't believe me."
You first. You can start with the 9th amendment.
Actually, the rest of the world feels that the US foreign involvement has little to do with terrorism. I should know, i'm part of them :)
Actually I'd say it who you ask and how you ask, how the questions are phrased. The US has supported terrorists, bin Laden for instance. He is a terrorist the US supported along with the Taliban when they were fighting against the Soviet Union. President Bush gave the Taliban millions of taxpayer dollars shortly after entering office. In Kosovo, Serbia, the US supported the KLA terrorists again Serbia. In East Timor, former president Ford and Henry Kissinger, armed and supported Indonesia's Soharto invasion of East Timor in 1975-6 after Portugal who colonized East Timor granted then their independence. From the invasion to after the 1999 vote when East Timorese voted for independence 200,000 East Timorese were massacred, one third of the population. Ford and Kissinger again supported Chile's Gen Penochet's overthrow of a democratically elected government and started a dictatorship. Thousands in Chile simply disappeared, many were murdered and thousands more tortured.
There are many examples where the administrations of the US supported military dictatorships and the overthrow of democratic governments, Iran and Iraq amoung them. The only qualification for said support was the be anticommunist. And that's not even bringing up what was done to the Native Amnerican Indians with all the signed treaties the US broke.
Sure the US has done good and helped some in need but it has also supported those who violated human rights and committed atrocities.
FalconShould there be a Law?