Security Threat In the New Wiretapping Law
The NSA wants automatic surveillance capabilities in telephone switches. But once such capabilities are built in, others could use them to intercept communications. Within 10 years this could render the US vulnerable to attacks from terrorist groups across the globe, as well as from the military establishments of other nations. "Such threats are not theoretical: In April 2004, phones belonging to members of the Greek government, including the prime minister, were spied on with wiretapping software that was misused."
Only Communist China and North Korea have such interests in implementing technology like this. Hell, Beijing already is monitored 24x7.
I remember a quote from Reagan: "Freedom is never more than one generation away from extinction. We didn't pass it to our children in the bloodstream. It must be fought for, protected, and handed on for them to do the same, or one day we will spend our sunset years telling our children and our children's children what it was once like in the United States where men were free."
My oh my has that come true. Sadly from the leader of his own party. Something needs to be done?
http://saveie6.com/
Isn't having 'automatic wiretapping' just as great of an idea as having a firewall with a deliberate backdoor?
...if you have nothing to hide, what are you afraid of?
If you're arguing that mandatory wiretapping ports are a bad idea because they make the system vulnerable to attack, are you then saying that you would not be opposed to such ports if there were no security threat posed by them?
When you muddy the waters to fight only the battle right in front of you, you risk losing sight of the bigger goals and make yourself vulnerable to counterattacks.
Revolution.
They are wiretapping family phones to prevent Chinese from stealing military plans?
We need this in order to protect our children from online predators! Once they track your children down they almost always attempt to call them first. We NEED safeguards for our children. To think otherwise must mean that you support child predators.
The answer is obvious: demand that the telcos create two physically separated phone networks: one for all those politicians and other citizens of unspoken behaviour (that won't be tapped in any way), and the other one for all those possible terrorists ...
If those implementing this type of thing know what they're doing, there is really no reason it can't be done securely. Simply require that all "intercept-this-communication" messages be digitally signed, etc, and keep the private key under lock and key, both physically and electronically. If it's leaked, have an update-key command on the switches to replace the old key with a new one, and replace any switches that attackers get to first. I absolutely agree that this is a serious invasion of privacy and is inevitably going to be abused. But arguing against it because it has been poorly implemented and misused in the past is counterproductive.
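A minimal Go sketch of the scheme this comment describes, added here as an illustration (it is not from the comment's author or from any real switch): intercept orders are verified against an operational Ed25519 key, and the update-key command is accepted only under a separate root key. The message layout, the sequence-number replay check and the two-key split are assumptions of this example; the split means a leaked order key cannot be used to install its own replacement.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

const KindIntercept, KindUpdateKey byte = 1, 2 // tap a line; replace the order key
var ErrSig = errors.New("bad signature")
var ErrReplay = errors.New("stale sequence number")
var ErrFormat = errors.New("malformed command")

// Command is a hypothetical wire message; Sig covers Kind, Seq and Payload.
type Command struct {
	Kind         byte
	Seq          uint64 // strictly increasing per switch
	Payload, Sig []byte
}

func (c Command) signedBytes() []byte {
	b := binary.BigEndian.AppendUint64([]byte{c.Kind}, c.Seq)
	return append(b, c.Payload...)
}

func Sign(priv ed25519.PrivateKey, kind byte, seq uint64, payload []byte) Command {
	c := Command{Kind: kind, Seq: seq, Payload: payload}
	c.Sig = ed25519.Sign(priv, c.signedBytes())
	return c
}

// Switch: RootKey (private half offline) only replaces OrderKey; OrderKey only authorizes taps.
type Switch struct {
	RootKey, OrderKey ed25519.PublicKey
	LastSeq           uint64
	Taps              map[string]bool
}

func (s *Switch) Handle(c Command) error {
	if c.Seq <= s.LastSeq {
		return ErrReplay // a captured command cannot be resent
	}
	signer := s.OrderKey
	if c.Kind == KindUpdateKey {
		signer = s.RootKey
	}
	if !ed25519.Verify(signer, c.signedBytes(), c.Sig) {
		return ErrSig
	}
	switch {
	case c.Kind == KindIntercept:
		s.Taps[string(c.Payload)] = true
	case c.Kind == KindUpdateKey && len(c.Payload) == ed25519.PublicKeySize:
		s.OrderKey = append(ed25519.PublicKey(nil), c.Payload...)
	default:
		return ErrFormat
	}
	s.LastSeq = c.Seq // only authenticated commands advance the counter
	return nil
}

func Demo() []error {
	rootPub, rootPriv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	oldPub, oldPriv, _ := ed25519.GenerateKey(nil)   // this order key is treated as leaked
	newPub, newPriv, _ := ed25519.GenerateKey(nil)
	sw := &Switch{RootKey: rootPub, OrderKey: oldPub, Taps: map[string]bool{}}
	order := Sign(oldPriv, KindIntercept, 1, []byte("line-0001")) // constructed line id
	return []error{
		sw.Handle(order), // nil: valid order
		sw.Handle(order), // ErrReplay: same message again
		sw.Handle(Sign(oldPriv, KindUpdateKey, 2, newPub)),        // ErrSig: order key cannot rotate keys
		sw.Handle(Sign(rootPriv, KindUpdateKey, 2, newPub)),       // nil: root-signed rotation
		sw.Handle(Sign(oldPriv, KindIntercept, 3, order.Payload)), // ErrSig: retired key
		sw.Handle(Sign(newPriv, KindIntercept, 3, order.Payload)), // nil: new key accepted
	}
}

func main() { fmt.Println(Demo()) }
```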
The article does not once mention CALEA, a law dating back to 1994 that mandates that phone companies provide a means for tapping your phone which is integrated into the switch and cannot be detected by the party being tapped. Also full records of the call must be maintained.
Is this an Internet-level CALEA-like law at the TCP/IP switch? Or is this something different (TFA talks about fiber vs over-the-air communication.. huh?)
As seen on Bruce Schneier's blog.
I should add that a few years back there was a story about an apparent flaw in one popular implementation.
It's topics and comments like this that turn Slashdot into a comic. In Britain, the security services have a similar level of access to telephone calls. The American tendency to yap did catch on but new guidelines for the military have clamped down on spraying your soul into blogs, books, and the media. "Freedom" is a two edged sword. It helps people learn and holds people accountable but also informs enemies and gives them encouragement.
I can't be bothered with freedom or repression, or many eyeballs versus obscurity anymore. The black and white game people are playing is simplistic, winner takes all, pick-your-deity ass kissing. It's the narrow minded and insular approach I've got used to seeing from America. Sure, you guys can build stuff and are friendly enough but it's a high stress game and the downside isn't worth it. Developing a calmer and more nuanced approach would help.
Speaking as a foreign national I'm more than a bit pissed that America takes such a full throttled approach to eavesdropping on communications traffic in the rest of the world. I've got no illusion that it's over commercial traffic like a rash and doesn't hesitate to use it. Between the happy Hollywood front and the unblinking eye of the NSA you've got your bases covered but I can't say it's likable. It's just like being sweated by a good cop bad cop routine.
This is not good. What happens when people know that other people can listen to their conversations is that they watch what they say, which makes democracy (if that is your thing) lose its value. Democracy can only exist as long as there is free speech. When free speech disappears, so does democracy. In addition I believe that this will have negative consequences for gays, political activists, people with illnesses etc. No one but you and the people you tell something, have any right to know what that something is. There will be leaks, you can not prevent that without taking extreme measures.
> Within 10 years this could render the US vulnerable to attacks from terrorist groups across the globe, as well as from the military establishments of other nations.
As suggested in Seven Days In May, Dr Strangelove or James Bamford's excellent book "Body Of Secrets", it's not just military establishments external to the US which should be worried about.
There is nothing to fear but fear itself - FEAR FEAR
Now don't you feel stupid ??
The U.S. government should not be concerned if they have nothing to hide... Right?
Within 10 years this could render the US vulnerable to attacks -- Doesn't anyone else think that this is actually the intention?
Considering the US telephone 'system', it's like building your house out of wood and then giving bottles of petrol and packs of matches to all the local kids.
Daftest idea I've read today, but it's still early.
threadeds blog
Didn't Hollywood teach you about the consequences of speaking about secret things over the phone?
Sure, with the electronic surveillance systems phone spying may be easier to accomplish en masse, bringing us one step closer to Old Bro (which requires not only monitoring to be -possible-, but to be efficient enough to be performed, analyzed, and acted upon on a regular basis...
But the truth still remains that phone networks were never, ever, EVER secure to begin with, and it would be naive to think that we were living in a safe and secure communications era until today.
It has been a long standing tenet in communications security, from CIA-level to your local small business, that there is no such thing as a secure (physical) comms. line, and the only way to ensure security is to use encryption (at which case your security is as good as its weakest link, be it the key strength, random gen. quality, social factor, or w/e). Well newsflash: that doesn't work in the analog phone system, and never has.
If you need things kept secure, send them digitally encrypted. If you need things even more secure, don't transmit them at all. The public phone system has never been secure, nor will it ever be, whether against government interceptors or a teen phreaker. Live with it.
> Within 10 years this could render the US vulnerable
Why ten years?
In either case, here at Microsoft, we feel standards are important. And we have fun, too. Doug Mahugh, Microsoft
Frightfully obvious. Once the hardware is installed, it opens up potential for massive abuse.
The future will indeed be interesting.
--postmodern
DON'T try to warn anyone about this!!
If they listen to you now, they WON'T LEARN.
We want them to really have a catastrophe. It's the only way they can learn. So keep nice and quiet, wait for the big day, wait a little longer to get them all hooked...
and then PULL THE PLUG!
The NSA already installed such a system in their "does not exist" fibre patching room inside the AT&T fibre facility.
They're using their grammar skills there.
It has always been the case that those with enough money can buy the personal security they need. In a large enough society, a combination of anonymity and privacy gives the non-rich a measure of personal security. By diminishing them both, the modern "security" posture of the US has had the ironic side-effect of decreasing the personal security of non-rich people (most of us).
IMO.
Phil Zimmermann + PGP-like implementation + VoIP = Zfone! Hopefully it's not vulnerable to kryptonite meteor showers.
http://en.wikipedia.org/wiki/Zfone and http://zfoneproject.com/
I've been wanting to set up an experimental install with this with a friend in Mexico to check this out, though I need to see if it does conferencing yet. Pity it doesn't work under Skype, but that's Skype's implementation that's screwing that up.
When you sympathize with stupidity, you start thinking like an idiot.
...as they snoop onto us.
Slashdot Burying Stories About Slashdot Media Owned
It's always been about controlling the masses, sure they want you to think about all the wiretapping going on, but even in a perfect world, to have wiretaps on everybody 24/7 ...after a week, you would break the datawarehouse piggy bank. What this does, is dissuade any would be terrorist from getting any ideas going into fruition, and leaves the really bad ones in that category. By controlling the masses by fear (yet again America) we avoid the masses from sheeping too many bad ideas. Any idea which is different than the government's is a bad idea.
Now that the REAL terrorists are still needing to communicate and have heard this, they will implement even more cryptic ways of communicating. Which will in turn keep the big monster wheel going... making our good guys figure out new ways to counter that etc...
We are heading a dark road into even darker territory, soon our children may have to take polygraphs everywhere they go.....
When your weapons are used against you, you have to wonder if you really needed that weapon in the first place. And people should question why we let you have that weapon. Of course this all assumes that people have an influence on the government, which seems like we haven't for quite a long time, if ever. But I digress, this can all be summed up by a child in a cartoon:
Calvin and Hobbes
I work with PBX technology, and every telephone line in DC runs (or at least used to run) through one ugly building on K Street where Bell (Atlantic at the time?) had their switches.
Mu law coding has done wonders for being able to search for key words (or close approximations) in millions of conversations. Ever hear of a company called Magnasync?
That is why one of my anti-social libertarian type friends starts all conversations with "Bomb God Jihad Allah."
Clearly, this isn't a partisan issue. The bill that just passed did so with the approval of the democratic controlled congress. People are playing partisan games over this because, unfortunately, it makes political sense to do so. Politics don't help anyone make rational decisions, though, so let's get them out of the way.
Clearly, there is a security case to be made for listening to phone calls without warrants. If a known member of al-Qaeda makes a call into the united states, there isn't time to ask a judge to approve a wiretap. Even more clearly, the power to tap phones could very easily be abused. This is slashdot; we're all paranoid here. Having phones with built in mechanisms for wiretapping is just asking for all kinds of trouble.
I think the most rational response to this is to recognize the usefulness of such a program, and then attempt to design one that is as impervious to manipulation as possible. General rules that have proven useful for this sort of thing in the past:
Ultimately, though, it's not our laws that keep us safe. It's not the Constitution that protects our liberties. We are free because we have a culture that values freedom above almost all else. Personally, I think it's a culture worth aggressively defending. Will we sacrifice some freedom in the defense of freedom? Of course. From a historical perspective, all American wars have resulted in the citizenry being less free. Lincoln and Wilson both threw detractors in jail. Nobody is proposing that here. The loss of freedom is extremely mild from an historical perspective. When the struggle is over, the freedoms will return like they always have in the past, as long as we demand them, which we will. If you think the struggle is never going to be over; you're absolutely right. Until we get everybody in the country as committed to destroying al-qaeda as they are to protecting moslems from being offended and suspected terrorist's phone calls from being interpreted, nothing is going to get accomplished.
My blog
This whole thing is crazy...
The ??? (Insert 3 letter agency here) wants to be able to sit in their "cushy" cubicle and monitor phone calls at the push of a button. I can understand that they don't want to have to travel to the ends of the country to sit in a cramped switching station to monitor phone calls. (oh yeah, add internet connections to the list too) But I can see a few problems:
1) Any sort of remote access tool is vulnerable. Period. This is a simple mathematical fact. All authentication schemes can be broken, some more easily than others. If it's a password, it can be guessed, if it's a strong private key based auth, the key could leak, or be brute forced (Over time) If the system locks out remote access after a certain number of failed attempts... it's vulnerable to DoS. I won't get into quantum encryption, because I don't think that's viable *yet*, and I don't know enough about it.
2) Somehow the data from the remote site must get back to the cushy cubicle. With targeted "Surveillance" that's not an issue, but if they start "tapping EVERYTHING" they could be in for some fun times. Unless these remote access ports have dedicated copper/fibre/etc. run to the central location, at some point the data needs to run over the same wires. Ever done a tcpdump when connected to a machine over ssh? Try it some time, and you'll see what I mean: s/n rapidly approaches 0, because you start monitoring the monitoring feed.
2-a) This could mean that they have a way to avoid tapping their own connections (EVIL bit anybody :-p ) If it's an in-band method of flagging a call/connection not to be tapped, it can be reproduced.
2-b) If they don't, and they decide to tap everything, they'll be responsible for the largest DoS attack on the phone system EVER.
3) If the FBI/NSA/CIA/DoJ/etc. needs to tap a phone in a remote place (let's use Podunk'sville Alaska, as an example) a) Each state has FBI offices, so an agent is never too far away, all states have state police that are spread throughout the state, and on top of that local sheriff/town police could also be used to start the tap before an agent gets there. This would allow for greater monitoring of how this gets used. Before a law enforcement agent gets access to tap a line, they must present a valid warrant at the physical point where the tap is to take place.
I don't care if the contents of the tap are sent back to some "cushy cubicle" somewhere to be monitored, analysed, or whatnot, as long as any setup/changes to the tap must be made in person at the local switching station.
------
Those were the technical arguments, now for the privacy arguments
<rant style="flaming lunatic" strength="100%">god-damn it, get a freaking warrant before you decide to tap any phones/internet connections/tin-cans with string. Don't we have this thing called a constitution? </rant>
This whole idea very much so makes it sound like
a) they want to be able to tap without *anyone* knowing
b) they want the phone companies/ISPs to have plausible deniability
a) Someone pushes a button and is listening to my conversations without anybody knowing, or there being any proof. Something about a 4th amendment comes to mind. But what if I'm running for office? *cough*watergate*cough* If I'm running against someone with no moral fiber (such as 99.99% of politicians) what's to prevent them from tapping my lines?
b) There was a big hoopla in Maine a while ago with the State PUC asking Verizon to state under oath that they did not participate in any warrantless wiretapping. The Federal Government stepped in and sued the state of Maine to prevent them from suing Verizon to get that statement under oath. (even though the statement that they made not-under-oath that they were being asked to repeat under oath was that they didn't) If they can just press a button, and start monitoring, the phone companies wouldn't know if any customers' information/conversations are being monitored.
I'm running out of time,
I will not give in to the terrorists. I will not become fearful.
The security threat lies in giving the NSA the ability to tap people's phones at all.
Gee, it's really nice to see an Orwellian initiative take a confidence hit due to paranoia over the very thing it's allegedly supposed to prevent. Ahh, the system works.
- First they ignore you, then they laugh at you, then ???, then profit.
More and more illegal wire-tapping, yet another infringement on our rights by the gov't. Add it to the ever-growing list of violations:
They violate the 1st Amendment by opening mail, caging demonstrators and banning books like America Deceived (Book) from Amazon.
They violate the 2nd Amendment by confiscating guns during Katrina.
They violate the 4th Amendment by conducting warrant-less eavesdropping.
They violate the 5th and 6th Amendment by suspending habeas corpus.
They violate the 8th Amendment by torturing.
They violate the entire Constitution by starting 2 illegal wars based on lies and on behalf of a foreign gov't.
Support Dr. Ron Paul and end this madness.
People should not be afraid of their governments. Governments should be afraid of their people.
You would know that it is not the CIA who does the listening. They have some minor monitoring, but nothing like the NSA. And yes, Greece does listen in, just like the others.
Can you say V for Vendetta anyone?
"Technology that makes communications interceptable by Good Guys probably makes communications interceptable by Bad Guys." Obvious, when you think about it.
If you want to create some scary implications, Blackwater is starting its own "intelligence" agency. Being a private entity, 4th and 5th Amendment rules about search warrants and self-incrimination do not apply, although one must assume that any local/state/federal laws regarding monitoring and/or recording of communications would apply. You know, if they get caught. And since Blackwater has done contract work for the United States government in the past, one must assume that the United States is a potential customer of Blackwater Total Intelligence Solutions.
-- I Am Not A Terrorist.
I think what the GP was possibly implying was that Ron Paul may never make it to office. You can get all the votes you want, but that doesn't necessarily change a control structure that has entrenched itself so deeply as to be immobile. If Mr. Bush sees some kind of terrorist threat, what's to keep him from invoking emergency rights using fear as a driving force, Hitler/Palpatine style?
Menus: Linux=function, Windows=vendor, OS X=as little as possible. Makes a statement, don't you think?
Forget (for a moment) who is doing this, and the hypocrisy of making things less secure in order to make us more secure. The "reasons" for it aside, it's happening. Communications were already insecure, but now it's just more "in your face" and a deliberate misfeature of the design.
Society must deal with the fact that the networks can't be trusted, and as the segment of society who actually understands this stuff and knows how to solve it, the responsibility ultimately falls on us, the computer nerds. If you are aware of what's happening, then you ought to have an OpenPGP key by now, and you should be having keysigning meetings. (And if you fucked up or dropped the ball, don't worry. It's never too late to start.) We can build up a damn good WoT. As the insecurity issue gains more and more exposure in the mainstream (and take heart: this really is happening, if slowly), the nerdiness threshold for actually giving a damn, will slowly drop. Nerds, you know some non-nerds. It's up to you to explain PK crypto to them and connect them to your (hopefully very strong) node of the WoT.
And yes, it's hard. I don't know about the rest of you, but I'm not the most charismatic and persuasive person. Some of my failures in getting the point across have been almost comical, and some of the apathy I've encountered has been very discouraging. But whether it's hard or not, we have to do it. Nobody else knows what to do. Nobody else can. Either we do it, or we're going to live in a luddite hell where private communications can only happen face-to-face.
Once the WoT covers enough people, the applications that can be built on it, are limitless. It's not just about email; there's no reason your phone's directory can't contain public keys in addition to addresses. The phone networks and governments will fight us, but that's actually a relatively easy battle compared to getting Joe Schmoe onto the WoT.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
I'm sure the NSA's requirement only applies to US telecom systems. Foreign systems are free to install equipment without this capability. If I was CEO of a foreign telecom company, possibly in a country with more stringent privacy laws on the books than the USA, I wouldn't risk buying gear with possible back doors.
Furthermore, I'd think twice about routing calls through systems owned by US companies, either on US or foreign soil.
Have gnu, will travel.
Telecom switches have had wiretapping capability for decades. CALEA has been in place since 1994. There is a string of complaints in various forums, but not one of them actually cites what the new law is.
I don't think there is a new law. This is just the NSA trying to get an improvement in its existing infrastructure.
Where is this law?
But with enough personal information, "they" can manufacture some incriminating lie out of whole cloth, and you will be powerless to deny it.
Enough personal information will allow police agencies to create the perfect imposter. You may complain that you have nothing to do with this manufactured identity, but it will be so seamless your complaints will be in vain.
Think of how damaging identity theft now is and multiply that many times over.
They'll probably hire an Israeli company to do it.
And Israelis have already been caught selling CALEA wiretap info to organized crime in LA in one case. According to Carl Cameron at Fox News (normally not the sort of place I'd go for news, but in this case...), departments in the FBI were highly upset that Israeli companies had excessive access to the software and systems running CALEA wiretaps.
Israel has learned that the best way to spy on the world is to be the country who supplies the world with spying equipment.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
Maybe you misunderstood, but there's no way to make it secure. So there's no muddying of the waters, it is just that your view is clouded.
The reasoning is simple: programs don't care who runs them or why. They can't care and they don't know. Further, too many people need access to the means to create these taps. Lastly, these taps are done in absolute secrecy.
Therefore, these taps will be abused by people acting in excess of their authority and thanks to the secrecy, it is unlikely that anyone will find out about it in order to hold them accountable.
So because there is no way to make it secure and no good way to manage something like this, not even in theory, we don't have to worry about them coming up with a secure version because that is NOT POSSIBLE. Of course, they will call it secure, but I have no doubt whatsoever that it will be misused.
When you have too many people in a position of trust and without any accountability, someone will abuse their authority. This is a people problem, not a technological problem, and because of that there is no fix.
The title is an old United States Air Force poster slogan about telephone security. Then as now the telephone was universally recognized as a security hole. More so now with this new 'software'. Kind of like the military allowing the Chinese to manufacture our military uniforms with RFID tags in them that can be read at long range. This is so GPS systems can access them and present locations of a commander's tactical screen for command and control. Course if we fight the Chinese this info will be on the Chinese enemy commander's screen as well as so many potential targets. Isn't it wonderful what our government does to help you troops. Hey, wonder if the Chinese are selling this stuff to the Rotten '(i)raqees so they can spot and target our troops in Iraq....oooooooooooooooooops. Makes ya wonder why the high command was so reluctant to give you guys bulletproof armor vests.....payoffs?! O the wonders of technology!?? All you military types check your clothes, ya hear! Listen up, if the colonels tell ya you'll get an article fifteen for removing the tags, if this saves your lives..would you rather be judged by twelve or carried by six?