FCC To Require Backdoor Network Access for Feds

humankind writes "The EFF is reporting that the Federal Communications Commission issued a release [pdf] announcing its new rule expanding the reach of the Communications Assistance to Law Enforcement Act (CALEA)." From the article: "Practically, what this means is that the government will be asking broadband providers - as well as companies that manufacture devices used for broadband communications - to build insecure backdoors into their networks, imperiling the privacy and security of citizens on the Internet. It also hobbles technical innovation by forcing companies involved in broadband to redesign their products to meet government requirements."

9/11 changed everything..

[Adult+film+producer]

We can't sit back and let the terrorists win.. err wait, wtf am I talking about? Somehow this is a good thing.. yes.. maybe I should give the feds access to my webcams, this will make america safer :)

Re:9/11 changed everything..

[infonography]

Considering your nick here is Adult film producer (866485) just giving me access to your webcams would be fine. However IMHO 9/11 changed NOTHING!

Re:9/11 changed everything..

[Oktober+Sunset]

If you give up all rights that the US stands for, then the US may as well not exist.

Re:9/11 changed everything..

[Lisandro]

Not to rain on your parade, but check the definition of terrorist: it's well accepted that a terrorist is someone who employs terror as a political weapon.

    The more the US resorts to giving up freedoms in order to "combat" terrorism, the more terrorists win. It's simple, sadly enough.

Re:9/11 changed everything..

I wouldn't say that they're winning just because Americans are giving up rights. It just means we (the normal citizens, not the politicians or corporate big-wigs) are losing. The terrorists aren't necessarily winning either because our inept foreign policy hasn't changed at all.

Anyone who believes that "terrorists want to take away Americans' freedoms" is deluding themselves. They likely just interpret our foreign involvement as bullying and wish us to stop.

Re:9/11 changed everything..

[EvilAlien]

They don't want us infidels to convert. This isn't about spreading or enforcing a religion. That is a christian tactic.

This is about engineering the creation of a hardline Islamic theocractic regime (i.e., the return of the caliphate), and the best way to do that is to terrorize the enemy that works to westernize (read "support freedom") predominantly muslim nations. There is a long history of terror and assassination used as a tactic against western incursion:

As early as the last years of the eleventh century the Assassins had succeeded in setting firm foot in Syria and winning as convert the Saljug prince of Aleppo, Ridwan ibn-Tutush (died in 1113). By 1140 they had captured the hill fortress of Masyad and many others in northern Syria, including al-Kahf, al-Qadmus and al-'Ullayqah. Even Shayzar (modern Sayjar) on the Orontes was temporarily occupied by the Assassins, whom Usamah calls Isma'ilites. One of their most famous masters in Syria was Rachid-al-Din Sinan (died in 1192), who resided at Masyad and bore the title shakkh al-jabal', translated by the Crusades' chroniclers as "the old man of the mountain". It was Rashid's henchmen who struck awe and terror into the hearts of the Crusaders.

- from HITTI: THE ASSASSINS

We are seeing the modern version of a conflict that is hundreds of years old, and it has nothing to do with Usama bin Laden wanting George W. Bush to convert to Islam.

Re:9/11 changed everything..

[87C751]

The sad part is that the US finds that limiting personal freedoms is a viable way to combat terrorism.

No, they find that limiting personal freedoms is a viable way to limit personal freedoms. That's the real agenda. Combatting terrorism is just this year's excuse.

...WTF?

[Pantero+Blanco]

Wasn't there a ruling just a few weeks back that the FCC didn't have the authority to regulate the Internet, which would include things like VoIP? Did that get overturned at some point?

Re:...WTF?

[twiddlingbits]

It's the actual networks the telco's own, which technically IS the Internet and technically IS not as some data (such as corporate data) travels on the networks mixed in with Internet data (i.e. a VPN over the Internet). It's really a gray area as to where the Internet stops and the carrier newtworks begin. A private, seperately routed network for say Wal-Mart using dedicated SBC/Wilco/Sprint/MCI lines would NOT be the Internet, but if they sent the data via the public side of a network then it is the Internet. Next thing ya know the Feds will want all the corporate encrypt/decrypt keys and all of our PGP keys so if the data the monitor from those they deem are suspicious they can unlock the data. Of course since they don't know in advance WHO will need to be monitored we have to err on the side of caution and EVERYONE has to give over thier keys. Even with the Patriot Act (which is well intentioned but very flawed in execution) I think this goes too far. I expect this one to be ruled on by the Supreme Court before too long. In the meantime, I guess we should all be very careful.

Re:...WTF?

[demachina]

"Nobody is at this time limiting your rights, your privacy or your liberty"

WTF are you talking about. If you are taking a subway in some major American cities today you can now be stopped and searched for no reason and with no warrent. If they catch you with a couple of joints I'm curious if you are going to jail and if they can make the charges stick since it is a blatantly illegal search. There is no probable cause and there is no warrant for these searches. They are about as illegal as they get when they start applying them to people commuting to work everyday.

In the UK the police drew guns and started shouting at a Brazilian electrician because he was dark skinned and wearing a heavy coat in summer. He paniced which is not a surprise when people start yelling at you and drawing guns. They tackled him pumped him full of lead, though he had no weapon, purely on the vague suspcion he might have a bomb. The Brits responded with, oops, sorry.

Its something of a fact of life you are surrendering your privacy to get on an airplane but last time I did it they hand frisked, intrusively, a 70 year old man in front of me. The look on his face was sickening and it was worse because they were intimately searching him in front of everyone with a little table being the only thing blocking the worst of it. At this point I'm thinking, how has America fallen this far. He didn't fit the "Terrorist Profile" either and it was probably the first time in his life he'd been frisked. The lady at the metal detector said he looked "nervous" which is apparently why he was one step away from strip search. He was nervous but only because he was deathly afraid of the security shakedown and amazingly he had reason to be.

There is a fair chance you will soon see millimeter wave scanners in airports which will in effect let total strangers see you naked everytime you go to an airport. If they work there then there is a fair chance they will eventually appear in mass transit.

"If I want to keep something private, I sure don't send it via the Internet, snail mail still works good in that respect"

You are totally delusional at this point if you think the Fed's wont open your mail if you or whomever you are communicating with is the target of an investigation.

" The fact that the Patriot Act got pretty much unanimous reapproval in the House and Sentate says it not a bad deal on the whole."

No it says the political climate is such that politicians will vote for almost any piece of security legislation, no matter how bad. If they don't their opponents will pummel them in the next election for being soft on terrorists and it will work. The quality of the legislation has nothing to do with it. The National Intelligence reform act passed by a wide margin and it instituted the first step towards nation ID cards which Americans would have never tolerated 5 years ago. It eliminated most of the safeguards against intelligence agencies spying on Americans which were instituted because J. Edgar Hoover and Richard Nixon were massively abusing those powers to spy on, blackmail and general destroy their political opponents.

" I really don't care as I'm not going to do something to bring him down on me."

Thats the spirit. I'm sure thats how most American's rationalize it. These news powers are currently only being used to hammer Muslims, most of whom appear to be innocent. You aren't Muslim, you don't fit the "Terrorist Profile" so why should you care. Germans didn't care either as long as it was only they Jews that were being persecuted because they weren't Jewish.

Re:...WTF?

[demachina]

"but I really don't care as I'm not going to do something to bring him down on me."

Forgot to add I'd laugh my ass off if you were communicating with someone who is doing something that the man doesn't like, and who is a target of an investigation. If you are you fall under guilt by association and you wouldn't even know it.

For example you may remember the programmer who was a citizen of Canada, who was snatched by the Feds, questioned and then deported to Syria where he was jailed and tortured for over a year. His crime as I recall, someone in his family asked him to sign as a reference on a lease of this other guy, who had been targeted in a terrorism investigation. His second mistake was he flew through New York on his way from Europe home to Canada.

You see you don't have to be guilty of anything in this wonderful world we live in. You can be targeted for just communicating with someone under suspicion, or you can be falsely accused by someone being pressured through interrogation and threats. For example in the UK now its a crime to withhold information about a terrorism investigation. Three people in the UK are being charged for just this in the wake of the London bombing. If they are falsely accused the only way they can escape this charge is to make up false information to give to the authorities and the easiest thing to do is falsely accuse someone else.

Awesome.

[ThatDamnMurphyGuy]

More regulations to drive up costs and actually lower security. That's our government. I can't wait for the first time that a feds-access method is discovered and published. Of course I'm sure they'll label that discovery person a terrorist.

Re:Awesome.

[paulproteus]

It's so nice to have market-loving, freedom-creating, innovation-pushing Republicans in power. And we all know Republicans are all for limiting the size, scope, and expense of government.

Wait - you're saying they added regulation that limits busineses' freedoms to innovate with broadband and adds invisible costs to the consumer? I thought that was what commies and big-government Democrats do!

Re:Awesome.

[Surt]

Interesting that they sought these powers all through the clinton administration, yet didn't receive them until the bush administration.

Re:Awesome.

[i_am_not_a_bomba]

Wait,

So your saying that the republicans shouldn't be blamed because they have caved in where the democrats didn't?

Seriously, that's what you've just said in that post.

Sometimes i wonder if you lot would *ever* condem your partys actions, then i read posts like yours and think "no".

(I am not an american)

Aww!!

[hypergreatthing]

Think of the children! It's for fighting terrorists and will never be used otherwise!

Some companies are different that others.

[Rosyna]

Cisco, for example, has complied with this new rule before it even existed.

This is a good idea?

[hobbesmaster]

If you have a backdoor - how long before somebody malicious has access? 30 minutes? If you can get into any box anywhere (because apparently everything will have to have this) then couldn't one little malicious script bring down everything connected to the internet?

Re:This is a good idea?

[Sancho]

I'm sure the implementation would be a little more secure than requiring the username/password "fbi/fbi" to grant full access on the box. More likely, companies would be required to have a login/secure password (if not some sort of public key encryption) access on the boxes, preferably through firmware. Each manufacturer would have a different password/key. Possibly each unique model would have a different password/key. Any time a leak occurred or someone discovered the backdoor, a new firmware could be issued as a "security fix", which would revoke the old method of access and create a new one. Thus breakins would be limited to companies (Cisco) or specific devices (2950t line). Any time a breakin does occur, a firmware patch would be all that is required to seal the breach.

Additional security could be implemented to prevent the entire Intarweb from being owned by a single leak. For example, there is no good reason that the FBI should have write-access on these devices. That in-and-of-itself should be enough to prevent worms from spreading. Also, certain key files should be unreadable, such as password lists, in order to prevent the spread of worms.

Now, all that said, I do not think this is a good idea. Nevertheless, backdoors can be created securely.

Re:This is a good idea?

[sgant]

At the very moment, the FBI is cursing under their breath as they change their passwords from "fbi/fbi" to something else.

DAMN YOU SANCHO!

Re:This is a good idea?

I am once again surprised with the high mod points here. This guy is as niave as hell. It's pretty damned hard to design a secure front door leta alone a back door. This may be flame bait but it goes to show the level of technical knowledge on slashdot is dropping like a rock.

Re:This is a good idea?

[myov]

You're assuming they'll manage the passwords properly. Why spend the effort when you can be lazy?

  I know of field techs at numerous companies who use a password based on the serial or model number. One of my clients with a number of higher end printers/copiers has a password of "1111" or "0000". It's set that way so that all the techs know how to get in. In some cases, there isn't a password - only a key combination (like stop-*-1)
Of course, many others quickly figure it out. I can get into maintenance menus of many photocopiers knowing this trick.

Instead, passwords should be based on something like a site number. Still accessable to the techs, but not to the random users.

Why is it dangerous to have a bad password? One tech told me a trick for free copies - either using the maint menu to "test" the machine, or going as far as to disable the pin menu or coin collector. Other machines now have many interesting options to play with - including watching an email address and printing automatically to things like LDAP lookups. Somebody could social engineer your network and get your company directory using the photocopier!

Re:This is a good idea?

[MourningBlade]

I think the fundamental problem here is not one of incompetence but one of interest.

When you have ways to get unlimited access into the phone network, some very unscrupulous people with lots of money begin to think that maybe they should have access to it as well.

In Columbia, they ran a "drug tip hotline" that was supposed to be anonymous. They got a few leads, then it dropped off. Why? Because the drug cartel had someone in the phone company feeding them the numbers of everyone who called in - whom they then killed.

They switched it up and told people to call from a pay phone. Cartel solution? They tapped the line and started identifying people by voice.

The program was eventually shut down.

There's not much you can do about some of these things - but having back doors like this hurts more than it helps, and with enough resources you can get the keys.

Another problem is that law enforcement likes as few barriers as possible to do their work (no surprise there, I'd hate to have red tape to cut through just to start up vi), so they tend to avoid solutions with things like...logging.

I'm told that the older CALEA systems do not track their uses, and there were some very odd occurrences in NJ several years ago regarding a mafia case that suggested that someone had a way into the system - specifically confidential informants who discussed some things over the phone were then killed.

Of course, no way to tell - there's no logs.

My point is that when you set something like this up, you are point-balancing a sword with many edges.

right to privacy

[garstka]

It's funny how you never hear the phrase 'right to privacy' nowadays. Is privacy no longer a concern to people now that we have terrorists to worry about? The things I think about and read and what I do in my personal space (yes, my computer is MY space) is frankly not the business of anybody except me. Get a warrant, then search me - I'll live with the fear of a terrorist attack, I can handle the responsibility.

Re:right to privacy

[n6mod]

It's been ruled as implicit in the US Constitution (the basis of Roe v. Wade) and is explicit in the California Constitution. This, by virtue of the 10th Amendment, should trump the Feds. I say "should", because like much of the rest of the document, the Supremes seem to be unable to read or comprehend the 10th amendment.

Re:right to privacy

[bezuwork's+friend]

Just finished the bar. Don't remember it from Constitutional law but for the bar, we studied the fundimental rights pretty thoroughly. The right to privacy is a fundamental, if implied, right which in turn leads to other rights - the right to marry, to procreate, to use contraceptives, to have an abortion, etc.

So for now, it is alive and well in theory.

But scotus has taken rights that once were fundamental and reclassified them as not (forget which ones right now). So it comes down to what the scotus du jure thinks.

There was a guy in my law classes who, after 911, kept saying that we may have passed into an era where privacy must be sacrificed. I don't think it is necessary and hope he was wrong.

Related comment - last year I reported some vandalism on my property. I refused to fill out the fields for age, race, hair and eye color, etc. The police called me and refused to enter the report (I did it online) unless I provided that information. I said "why? You know where I live and I was the victim (sort of - my property was)" Their reply? "The FBI won't like it." Scary.

Re:right to privacy

[hazem]

The 4th Ammendment covers it pretty well:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Now, maybe I'm just a crazy left-wing wacko, but I think one should be able to reasonably extraplotate "papers and effects" to include their own computer networks and files.

Re:right to privacy

[demachina]

"Is privacy no longer a concern to people now that we have terrorists to worry about?"

The stock response is if you aren't doing anything illegal why would you care about privacy. This is only to catch bad people doing bad things. You aren't a bad person doing bad things are you? At this point you can see why only activists will fight it. Your average citizen isn't going to complain because that just makes you ripe for further attention by the authorities. The man in the suit might come knocking and ask, "Why are you wanting to use encryption and hide your activities from us Mr. Garstka."

American's don't really have much of a sensitivity, at present, as to why police states are bad. They aren't likely to start caring until its to late. At the moment its really only Muslim's that are taking the brunt of it and most Americans aren't Muslim. For example two men in Detroit were convicted on terrorism charges by the DOJ. The two main exhibits:

- A homemade video of their trip to Disneyland which the government insisted was really a surveillance tape to plan for a terrorist attack, and just cleverly made to look like a tourist video.

- A conman up on fraud charges was offered a reduced sentence if he testified against them. Predictably he took the offer. Unfortunately for the DOJ he started talking to cell mates and admitted he lied to get his charges dropped and the case was overturned, but not until two Muslim men and their families had been put through living hell for having video taped their Disney vacation.

This instance is covered in the fascinating BBC documentary The Power of Nightmares. If you want a primer on why your right to privacy is being eviscerated by the powers that be, its a good starting point. It also highlights some fascinating similarities between the neoconservatives currently running America and Britain and Islamic fundamentalism. In many respects they need each other and are using each other to attain their goals, the end of western liberalism and liberties. They both want a return to regimented societies dominated by their respective religion's concept of law and order.

Re:right to privacy

[vettemph]

You have the right to be secure in your "persons, houses, papers, and effects"

You have the right to assemble.

You do not have the right to be secure in your "persons, houses, papers, and effects" while being added with you PC to assemble in a timely and organized fashion. This new efficiency would give you the ability overthrow a tyranny. We can't have that.

SSH tunneling

[paulproteus]

I was going to reply to this with, "Well, I can tunnel my connections via SSH to add instant magic security powder," but then I realized - the server I'd be doing the tunneling *to* is on a cable modem, and it'll have all the same backdoors.

I wonder if I can trust my university's networks; maybe I should SSH tunnel to my computer science department account.

Huh.

huh?

[zappepcs]

How does this hobble technical innovation? It is a logical extension of CALEA.

I see problems with it, like Skype is not a US company and implementing CALEA functions for monitoring on Skype servers would not be legal in other countries?

I don't think that the government has a clear grip on what the Internet is yet, but by allowing VoIP to replace traditional switched circuit voice networks, they lose monitoring functions for legal wiretap operations. This just gives it back to them, though I'm not sure how they will implement it worldwide, nor do I think it can be done simply within the borders of one country since it is run over the Internet in many cases. Sure, if Comcast offers VoIP, then CALEA would apply, but I see trouble with Skype and Gizmo services.

Also makes me wonder how far the reach of CALEA will go, given the current state of anti-terrorism and related activities.

I just don't see how this hobbles innovation.

Re:huh?

[laffer1]

Innovation is hampered because US companies have the additional burden of providing the back door in their products. Its an added cost, and security hole. If I lived in another country, I would not buy American products now. As an american, i may consider buying foreign products without the back doors. Obviously i'd have to mail order them for a less than reputable source as products imported will probably need the lame back doors too!

Re:Why do they always have to be insecure?

[paulproteus]

When there's one key to the whole American Internet infrastructure, that sounds pretty insecure to me.

One malicious Fed with the access key can leak it, or eavesdrop on anyone at will. Perhaps he was blackmailed by the mafia, or wants extra money by selling info to spammers, or incentives are otherwise skewed.

Time and time again, we see that eavesdropping systems are abused by insiders. That's why limiting the availability of eavesdropping technology to exactly what's required is the most secure choice.

Freedom in the US, and implications for business.

If the goal of terrorists was to destroy our freedoms and way-of-life, it is starting to look like they are winning -- and while I sure terrorism is the excuse for this law, I'm really not sure I trust the intentions or our current government.

In addition to the immediate 'what kind of country are we becoming?' blood-curdling privacy implications of this law: what is this going to do the competitiveness of American manufacturers? Other countries are not going to accept back-doors for the US government in their network products.

Re:Why do they always have to be insecure?

[ArbitraryConstant]

"What if it means that the equipment will accept connections if it passes a rigerous sshv2-dsa key handshake, with a really, really big key size? I don't see that being insecure, setting aside concerns about the stupid feds being bitches in power games leaking the key. Technically, there's nothing stopping them from making it secure (as secure as you or I have our home systems, that is)."

The dominant SSH implementation (OpenSSH) isn't even based in the US, so the FCC doesn't have the power to mandate backdoors in it.

so go with a router you can run Linux or BSD on.

[artifex2004]

If you use open source router software, and tunnel or SSL or SSH to everything, this should not be a problem.

The question is, why aren't people assuming that plaintext is a bad thing already?

And?

[roybadami]

AFAICS, all the linked press release says is that VOIP should be subject to the existing laws on telephone tapping....

Or am I missing something?

What's a broadband device?

[ChiralSoftware]

If I use a Linux box as my broadband router, is that a regulated device? What I'm wondering is, where does this law stop? If there is a Linux distro that is specifically designed as a "broadband router on a CD", would that fall under the regulation? What if I have a broadband card plugged directly into my computer? Is the broadband card the device, or is the whole computer the device? What about if the broadband card does everything in drivers which are part of the kernel?

Even regular consumer devices like Linksys routers are running Linux, so that makes me wonder if the changes have to be hardware or software changes. It's my impression that on a Linksys router, basically everything important is done in software, so I don't see how this could be implemented in hardware.

And obviously, if this means that Linksys routers need to have a patched kernel, will they have to be locked in some way to prevent changes to the kernel? What about the GPL? If the backdoor is implemented as a part of the kernel, and then that kernel is redistributed, then the backdoor code would need to be published, right?

Back in the days when everything was hardware, regulations like this would be cleanly enforceable, but now that the work is done almost entirely in software, it's a mess.

-----------------
mobile search

I'm doin some homework

[2ainman]

... rather than just taking everything I hear from the internet (interpreted thanks to eff.org). Kudos to people like sheetrock, teilo, and others for doing the same. Im not going to bother reiterating some of their previous points regarding "backdooring our routers!". If you're confused ... lookup "backdoor" and "wiretap" on some jargon files or something.

Heres a link to the fcc announcement (NOT eff.org's) http://hraunfoss.fcc.gov/edocs_public/attachmatch/ DOC-260434A1.pdf

Ooooh theres some big telco words in there that I had to look up.

facilities-based isp: isp owns the switches and access servers.

Many isps are non-facilities based or hybrid based, meaning that they buy some access from other facilities-based isps, and have some equipment of their own. It only makes sense that the fcc would want access to the equipment through the people that actually own them.

More specifically the announcement mentioned that they would target the facilities based isps / voIP carriers that allow connection to pstn (public switched telephone network).

You guys have all seen those cop movies where they sneak into the bad guy's house and tap his phone. Well, if a bad guy is using voIP, you can hardly do that. (Well you can, because voIP's standard is not encrypted, although some like skype claim to). So rather than try to tap at the source, which could possibly be encrypted (as teilo said), they just tap it at the point at which it is just pstn traffic again. (Remember they were focusing on services that allowed communication to pstn from voip). So if bad guy A tries to do voIP to bad guy B whos just on pstn, then fbi can listen in, without knowing the location of bad guy B.

This leaves the idea of the bad guys just talking voIP to voIP with encryption. People say that the government can already sniff our traffic and see everything we do, so whats the point of this new legislation? Where are they sniffing from? As of now, I don't think its via these ISPs who are commercially owned with little to no regulation. So maybe this is the government just moving their pieces in to better position on the board.
Just my 2 cents.

Yeah....this one is going to get interesting...

1: RIAA/MPAA sniffs out a pirate on a P2P network, they send an automatically generated electronic form to the Department of Homeland Security, which has an Intellectual Property enforcement team, complete with IP address. In moments, the DHS automatically fills out another form, which is stored on a computer, then sends the hack signals to the cable box in question to begin sniffing network packets. This system then automatically checks the data of the packets to see if the data is similar to any files the RIAA/MPAA doesn't want provided.

Or anything else the government doesn't happen to like.

The DHS then begins seizing computers out of homes with search warrents obtained with said data, at gunpoint.

Depending on the dissident or resident, they then go in unnannounced and when they raise their hand above to block the light from going into their eyes during a night raid, they get shot for making a wrong move...

2: A political dissident radio network, TV network, website, ect is broadcasting all over the world wide web. The ADL, APAIC, Oil corporation, wood corporation, ect doesn't like this. DHS gets a sniffer on the line going from their place, then sniffs IP address and begins sending hack signals to the IP's requesting services to the box they are sniffing. They then systematically send signals to each box in line to shut it off or ban it from getting onto said website, radio network, ect.

3: Is there such a thing as secure transmissions on that kind of a line if they can intercept the encryption key going over it?

4: You are now on a "Internet Terrorist Red List" where if you don't do what we will just keep sending disconnect packets to your cable modem every 10 seconds so you can't get on. ...Is there any good use for this?... ... ... ... ...

The ISP's already have to oblige by federal regulations regarding searches and seizures. So if they've got the evidence they go over the CO, hook a tap on the DSL or tap the phone line itself.....a phone tap works for any residential or other internet service if you've got access to the other end.

Re:Right to what?

[Legion303]

"right to privacy is an urban legend. Read the constitution if you don't believe me."

You first. You can start with the 9th amendment.