Monday is Wiretap the Internet Day
Alien54 wrote with a link to a Wired blog entry noting that May 14th is the official deadline for internet service providers to modify their networks, and meet the FBI and FCC's new regulations. The Communications Assistance for Law Enforcement Act requires that everyone from cable services to Universities give them access, within certain parameters, to the usage habits of customers. "So, if you're a broadband provider (separately, some VOIP companies are covered too) ... Hurry! The deadline has already passed to file an FCC form 445, certifying that you're on schedule, or explaining why you're not. You can also find the 68-page official industry spec for internet surveillance here. It'll cost you $164.00 to download, but then you'll know exactly what format to use when delivering customer packets to federal or local law enforcement, including 'e-mail, instant messaging records, web-browsing information and other information sent or received through a user's broadband connection, including on-line banking activity.'"
I want to create a bot that will do nothing but search for, and then go to, 'illegal' sites. I figure if it hits a few porn sites, maybe an offshore gambling site, and *any* site in Arabic that should be enough. If we get enough of these bots going it should create so much white noise that the g-men couldn't tell the real stuff from the botted stuff. Or maybe I won't. Y'know, whatever...
I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
This law actually makes a special exception for encrypted data:
Full text here.
Liberty in your lifetime
It's not that uncommon. Here in SC you have to pay to have access to the law. It is copyrighted and the state vigorously protects that copyright. In 1998 I was threatened by the state AG's office for having a copy of a .doc file on my web site that quoted a section of the state's vehicle laws. Us peons aren't allowed access to the laws. Knowledge of the law is only for the protected lawyer class.
I still find it amusing that a friend of mine at the time disagreed with the thuggish tactics they used but is now OK w/ denying commoners access to the law. The difference is that he recently graduated from Duke law school. He is now very anti-Constitution, anti-EFF (despite having donated money to them several years ago!), and very pro-Democrat.
The text from the SC law:
"The State of South Carolina owns the copyright to the Code of Laws of South Carolina, 1976, as contained herein. Any use of the text, section headings, or catchlines of the 1976 Code is subject to the terms of federal copyright and other applicable laws and such text, section headings, or catchlines may not be reproduced in whole or in part in any form or for inclusion in any material which is offered for sale or lease without the express written permission of the Chairman of the South Carolina Legislative Council or the Code Commissioner of South Carolina."
They consider distribution for free on a web site a sale for $0 so that makes it illegal without written permission. I tried to obtain permission and after making around four dozen phone calls and two trips to Columbia, SC, I finally gave up.
SSL private keys and SSH private keys can and have been stolen from remotely deployed systems and used for man-in-the-middle monitoring. And a penetrated router or smart switch on the *internal* side of the OpenVPN is a common approach for really sophisticated crackers to tap all your traffic *after* it's been decrypted by the VPN system.
Even where communications are more secure at the application layer, most people simply click on the "do you accept this key" buttons when making an encrypted connection, which makes such monitoring even easier because the user in the field winds up using the man-in-the-middle's public keys, instead of the target destination's public keys. I saw this about six years ago in a rather clever router reconfiguration to monitor all SSH traffic to a victim's internal network administration servers. We only noticed it when I got brought in to see why there were such large latencies on incoming traffic, and dumped the configuration to plain text and actually *read* it, along with noticing that the previous admin had never bothered to install and enable the SSH tools. Then I found out he had been programming it, via telnet, from his laptop on the road.
We had a long, private talk before I went to the company president with the analysis. He hadn't been allowed the time or resources to do things more securely, and his manager had been saying "we have a firewall, we can trust people inside the network" and had denied this engineer's attempts to do things more securely. It would have been a lot cheaper to do it right than to have me try to clean up the mess later, but it's often difficult to get people to do things right.
If you think a colo service is robust protection, then go ahead and check how many of your colo setups have encrypted file systems, password protected boot loaders, and password protected BIOS's, just to start with. Then compare what you could do with the same money and resources to secure your systems against rootkits, implement proper password management, etc.
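The host-key check that the comment above says people skip when they click through "do you accept this key", as an added example that is not part of any post in this thread: it pins OpenSSH-style SHA256 fingerprints from plain (unhashed) known_hosts lines and classifies a presented key. The host name, address and key bytes are constructed sample data, and the function names are hypothetical.

```python
import base64
import hashlib
import struct

def ed25519_blob(raw32: bytes) -> bytes:
    """Build an SSH wire-format public key blob (used here only for constructed sample keys)."""
    name = b"ssh-ed25519"
    return struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw32)) + raw32

def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def load_pins(known_hosts_text: str) -> dict:
    """Map (host, keytype) -> fingerprint from plain known_hosts lines."""
    pins = {}
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "@", "|")):
            continue  # skip comments, @markers and hashed host entries
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line
        hosts, keytype, b64 = fields[:3]
        fp = fingerprint(base64.b64decode(b64))
        for host in hosts.split(","):
            pins[(host, keytype)] = fp
    return pins

def check_host_key(pins: dict, host: str, keytype: str, presented_blob: bytes) -> str:
    """Return 'match', 'unknown' (no pin yet: verify out of band) or 'MISMATCH'."""
    pinned = pins.get((host, keytype))
    if pinned is None:
        return "unknown"
    return "match" if pinned == fingerprint(presented_blob) else "MISMATCH"

# Constructed sample data: two made-up key blobs and a made-up host entry.
REAL_KEY = ed25519_blob(bytes(range(32)))
OTHER_KEY = ed25519_blob(bytes(range(1, 33)))
KNOWN_HOSTS = ("# constructed sample\nadmin.example.internal,192.0.2.10 ssh-ed25519 "
               + base64.b64encode(REAL_KEY).decode() + " pinned-at-install\n")
PINS = load_pins(KNOWN_HOSTS)

if __name__ == "__main__":
    for label, blob in (("expected key", REAL_KEY), ("substituted key", OTHER_KEY)):
        print(label, "->", check_host_key(PINS, "admin.example.internal", "ssh-ed25519", blob))
```

A "MISMATCH" result is the case the prompt is warning about: the connection should be refused and the key change investigated rather than accepted.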
I'm sorry, but you are sadly mistaken. Go actually read the unclassified parts of the Patriot Act. Then take a look at the existence of the secret NSA wiretap rooms in the core internet backbone providers such as AT&T, rooms whose existence was revealed by a company whistleblower and for which AT&T is being sued now by the EFF and other civil liberties groups. The NSA certainly can and does monitor international traffic legally, with no authorization required. It's their *job*. Unfortunately, so do other countries. And the NSA trades with them to get domestic materials.
The three branches are *not* involved in this. The handling of the monitoring does not require warrants, and is thus executive policy, without court involvement or even notification of what is being monitored. And even if the three branches are involved, the people being monitored are *not* being notified of the monitoring!!! There is no warrant served: even libraries are prohibited by the Patriot Act from telling book borrowers that they've been forced to turn over records, without warrants, under the Patriot Act.
Yes, it's been going on for years. It's going to happen again and again, and it needs to get slapped down each time it occurs to prevent it becoming ubiquitous and a means of interfering with public policy or personal lives of the innocent. Given the documented monitoring of Martin Luther King by the FBI, the McCarthy era files of who was a communist and forced confessions of other potential "communist" Americans, and stupidities of federal raids with warrants such as the "Operation Sundevil" raids on Steve Jackson Games, there is just no reason to trust federal investigations or monitoring without public exposure and review.
So when will slashdot enable https://slashdot.org?
I'm gonna need a spec.