Inside Comcast's Surveillance Policies

Monk writes "The Federation of American Scientists has obtained a recently disclosed Comcast Handbook for Law Enforcement which details its policies for divulging its customers' personal information. (Here's the handbook itself in PDF form.) All of Comcast's policies seem to follow the letter of the law, and seem to weigh customer privacy with law enforcement's requests. This is in apparent contrast to AT&T and a number of other telecommunication companies, which have been only too happy to give over subscriber records. According to the handbook, Comcast keeps logs for up to 180 days on IP address allocation, and they do not keep all of your e-mails forever (45 days at most). VoIP phone records are stored for 2 years, and cable records can only be retrieved upon a court order. The document even details how much it costs law enforcement to get access to personal data (data for child exploitation cases is free of charge)."

Secure your email

[MacDork]

I'll trot this pony out one more time:

(Mac OS X 10.3+) http://www.joar.com/certificates/
(Windows) http://www.marknoble.com/tutorial/smime/smime.aspx

Re:Secure your email

[waa]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

re: http://www.joar.com/certificates/

I read your MAC OSX article/how-to.

What? Not one mention or link to information on GPG http://www.gnupg.com/

and/or PGP???

http://www.pgp.com/

I support and use the former and recommend the latter to my Microsoft locked-in friends.

What about enigmail http://enigmail.mozdev.org/for Thunderbird

or firegpg http://firegpg.tuxfamily.org/ for firefox?

Open your mind. .mac is not the end-all and be-all...

P.S. Note that this post is signed with firegpg.
- --
Bill Arlofski
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: 'email gpgpublickey@revpol.com for my public key'

iD8DBQFHFDNKcBKMMWOpTtwRAnvtAKCSio6bcxucHd+pMxemwtkb3hwF1ACg5f0E
wdrDjE0Jh0R9szqcerv0OOQ=
=nlx9
-----END PGP SIGNATURE-----

Re:Secure your email

[ArcherB]

I'll trot this pony out one more time:

(Mac OS X 10.3+) http://www.joar.com/certificates/
(Windows) http://www.marknoble.com/tutorial/smime/smime.aspx

While I appreciate the idea and all, why? It's really not worth the time to encrypt my email. Do you think that if the feds are monitoring your line, they are just going to say, "Damn! He's encrypted. Let's move on to the next." I'm going to guess not. If anything, seeing that you email is encrypted might be enough to peak their interest to make you MORE watched, not less. This also takes precious manpower away from the people who are trying to stop the next terror attack in the US. Regardless of you political opinions, I don't see how anyone could think that impeding these guys is a good thing.

Me on the other hand, I don't care. There is nothing incriminating in my email beyond sending stupid YouTube links to a buddy or bitching to the wife about who chooses whats for dinner. I'm really not interesting enough for the Feds to care about. Please take no offense when I say that I doubt anyone else here is either.

Re:Secure your email

[frdmfghtr]

If you have OS X 10.4, you can make your own certificates.

Re:Secure your email

[waa]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nothing incriminating in your email? Not worried about 'them' monitoring your emails? Think again.

"Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety"
Ben Franklin

And BTW, encrypting email only takes a few minutes to set up and no (perceptible) time when signing/encrypting a message.

- --
Bill Arlofski

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: 'email gpgpublickey@revpol.com for my public key'

iD8DBQFHFDdxcBKMMWOpTtwRAm7SAJ9sk5L6zOiACP91e8T2OJwMAl1xrQCbBxOS
z/z40E7hPJkxLSBUE1WuMDg=
=VH+Y
-----END PGP SIGNATURE-----

Re:Secure your email

[spud603]

There's a strong argument to be made to encrypt specifically because you have nothing to hide.
This is similar to the idea that you should not let the cops search your home without a warrant even though you don't have anything illegal inside. The more it becomes assumed that only the "bad guys" that are asserting their rights and/or privacy, the more likely such assertions will be thought of as indicative of bad behavior in and of themselves. If the feds assume I'm a criminal simply because I encrypt my email, then they are not doing their job effectively.

Re:Secure your email

[waa]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I agree completely. Excellent point...

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: 'email gpgpublickey@revpol.com for my public key'

iD8DBQFHFDmYcBKMMWOpTtwRAq7UAKCwK8z82/ZijTot5Vr3Fjd6TUa4aQCgrvvK
5KnXXA9BewVkH+F7J4Voy8g=
=T/fD
-----END PGP SIGNATURE-----

Re:Secure your email

[Kadin2048]

I have the capability of using both S/MIME and GPG for email (using Apple Mail, it's a matter of installing gpg, getting the Sente Software gpg addon for Mail, and getting a S/MIME certificate to activate the built-in S/MIME support), but overall I think S/MIME is probably better positioned to succeed in the marketplace. It's more idiotproof.

As much as I really despise the centralized philosophy behind S/MIME and x.509, there's something to be said for avoiding the 'web of trust' models that lie underneath GPG as its currently used, because most users just don't want to have to deal with it.

Getting people to use encryption is always a tough sell, because most people, to be perfectly frank, lead lives that are so completely boring that nobody would ever want to read their mail, and they know it. Therefore, they're not going to expend much effort getting it working. Either it works all automagically, or they don't use it at all.

I've yet to see a GPG implementation that comes as close to being foolproof as some S/MIME implementations (like Apple's), once you get the certificates set up. Once you've received a signed message from someone, you have their public key. Once you have that, the encryption button is magically enabled, and you can send encrypted stuff to them. Even Sente's Mail frontend to GPG isn't that easy to use.

Re:Secure your email

[ArcherB]

Nothing incriminating in your email? Not worried about 'them' monitoring your emails? Think again.

"Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety"
Ben Franklin

And BTW, encrypting email only takes a few minutes to set up and no (perceptible) time when signing/encrypting a message.

Uh, do you have something better than an overused Ben Franklin quote from over 200 years ago? How about something a bit more current, from someone who understands what we are up against today. Someone like Richard Marcinko, author or Rogue Warrior and founder of the Navy's top-secret counterterrorist unit: Seal Team Six.

"Change hurts. It makes people insecure, confused, and angry. People want things to be the same as they've always been, because that makes life easier. But, if you're a leader, you can't let your people hang on to the past." and

"Popularity is not leadership." Also, most of my emails don't take a minute to write. Why would I take triple the amount of time spent so I can have my wife call me and ask, "what is this crap?" Of course, we won't even talk about the two hours that would need to be spent trying to teach her how to uncompress. And then when I explain why, she would say something like, "I'll print it out and hand it to them before I have to go through this shit again."

Re:Secure your email

[Ucklak]

Do I have anything incriminating in my email?
No

Do I care if they snoop in my email?
Yes

Will I encrypt my email because they're snooping?
No - in the case of confidential messages, they have always been dealt with cryptically.

Can I do anything about them snooping in my email - regardless if it's encrypted or not?
Absolutely not

Can we do anything about them snooping in my email?
We can try

I am such a low priority for them that as long as it doesn't disturb my day to day routine, I really don't worry about it. I don't even notice if they are even sniffing my packets.

It's like being robbed in your home when you're out. It doesn't matter if you have an alarm system or not, if someone wants property of yours, they will get it.
You can double lock your doors, put bars on the windows, pay for a monitoring service, or whatever, it will not stop a determined person from getting whatever they want to get.

That hassle of behavior is not worth it to me. Supporting a group or honest politician to stop the snooping is worth the hassle.

I'm not going to go downtown and walk across the street out of my way just to avoid the town crier (you know, every town has one, a crazy coot parked in the center of town that says the end of the world is coming). I will confront him if he confronts me.

Re:Secure your email

[ArcherB]

There's a strong argument to be made to encrypt specifically because you have nothing to hide.
This is similar to the idea that you should not let the cops search your home without a warrant even though you don't have anything illegal inside. The more it becomes assumed that only the "bad guys" that are asserting their rights and/or privacy, the more likely such assertions will be thought of as indicative of bad behavior in and of themselves. If the feds assume I'm a criminal simply because I encrypt my email, then they are not doing their job effectively.

Sure, but that is because having the police enter my house is intrusive. They track mud in, can drop anything anywhere and say that they found it there. That can't be done with email. Also, a warrant specifies exactly what they are looking for. Finally, items found in a house search is enough for prosecution. A quote from an email is not. Besides, these guys are not looking for prosecution, they are looking to identify and bust terrorism cells. They are looking to stop the next terrorist attack. They are looking to intercept supplies such as bomb making materials and replace them with something inert. Yes, an email will be evidence, but when it comes to terrorism, they require a open and shut case with multiple arrests. They don't want to pop you for looking for weed.

If the feds assume I'm a criminal simply because I encrypt my email, then they are not doing their job effectively.

I never said that. I said they would take a close look, wasting their time and doing MORE of what you didn't want them to do in the first place. If they can't get your email, they may listen to your phone calls. They may start tailing you. They may start investigating the people you email. Why? Because you thought it would be super cool spy stuff to encrypt your email to keep the evil G-Men out.

Besides, even the SS didn't really need to evesdrop. If they wanted information, they'd kick down your door, torture your little girl until YOU cracked, and put you on a train somewhere with a bunch of people with stars sewn into their clothing.

Re:Secure your email

[Technician]

There is nothing incriminating in my email beyond sending stupid YouTube links to a buddy or bitching to the wife about who chooses whats for dinner.

My stock trades are not incriminating either, but they are not sent plaintext. They are also not sent on my ISP mail servers. Sometimes data security is simply data security to prevent mis-use in the wrong hands. There is nothing incriminating, but my credit card order details is not to be made public.

There is a reason to encrypt some sensitive data. ID theft of credit card information is just one of the many reasons.

Re:Secure your email

[Kartoffel]

wtf? GPG works just fine with Outlook. See http://www.gpg4win.org/

Re:Secure your email

[ArcherB]

y stock trades are not incriminating either, but they are not sent plaintext. They are also not sent on my ISP mail servers. Sometimes data security is simply data security to prevent mis-use in the wrong hands. There is nothing incriminating, but my credit card order details is not to be made public.

There is a reason to encrypt some sensitive data. ID theft of credit card information is just one of the many reasons.

Very well put. Personally, I can't say my rights are being violated when nothing in my life has changed.

I use SSH to VNC into my home machines from work, if for no other reason than I don't want my boss to have enough "proof" to fire me. All my banking transactions and bill transactions are also encrypted. But these are different than encrypting your email because you think the Feds might be watching. Trying to stop thieves is a valid reason to encrypt data. Trying to trip up the men and women who are tasked with preventing the next 9-11 is not, IMHO.

Re:Secure your email

[slashqwerty]

I trot out this old quote from the postal museum in Washington, D.C.

At the beginning of the new America, nearly all the news came by mail. When the Constitution was signed, it was rushed by post riders to every town that had a printing press. And that's how the newspapers were able to bring the resounding news of how we were to govern ourselves. The newspapers knew of it first by mail.

In England, for centuries, the mail was frequently scrutinized by agents of the Crown or of the Parliament. It could be worth your life to write a letter that might be seen as having the seeds of treason. This did not happen here. From the beginning, by and large, the U.S. mails have been free of eyes other than our own and those of the sender.

To the framers of the Constitution, the mail made the engine of democracy run--along with the newspapers. And newspapers then printed a good deal of correspondence. Rufus Putnam, a key military figure in the Revolutionary War, said, "The knowledge diffused among the people by newspapers, by correspondence between friends" was crucial to the future of the nation. "Nothing can be more fatal to a republican government than ignorance among its citizens."

As a journalist, I have sometimes been asked where my leads for stories come from. Much of the time, they come from opening the mail. Readers from all over the country send personal stories, newspaper clippings, local court decisions, and student newspaper editorials arguing for the First Amendment rights of students. There is no other way I would have known about these stories except through the mail. It is through letters that I often receive highly confidential stories about unfairness in the justice system from people who would not trust any other form of communication.

The framers of the Constitution knew how vital the mail would be when Article I was written to protect privacy of communication through the mail.

Nat Hentoff is a columnist for the Washington Post and the Village Voice, and the author of Free Speech for Me, but Not for Thee. How the Left and Right Relentlessly Censor Each Other.

Re:Secure your email

[greg_barton]

They track mud in, can drop anything anywhere and say that they found it there. That can't be done with email.

You're kidding, right?

Re:Secure your email

[Bill,+Shooter+of+Bul]

I'm afraid thats a little naive. Terrorism laws have been used quite frequently to prosecute ordinary crime. So you might not be building a bomb, but have you been downloading copyrighted material without the permission of the copyright holders? That might also be of note at some point to someone that may believe they own said copyright. I don't like terrorism, and I disagree with many people here about the ethics of downloading music, movies and tv shows with out explicit permission of the copyright holders, but I don't want to throw out the wisdom embedded in the bill of rights. I would rather 10 guilty persons go free than one innocent one.

Re:Secure your email

[MacDork]

It's really not worth the time to encrypt my email.

It's free. It takes less time to get a key than it took you to respond to my post. Once you have a key, the email client encrypts for you automatically. Your time argument is extremely weak.

If anything, seeing that you email is encrypted might be enough to peak their interest to make you MORE watched, not less.

Terrorist this, al Qaeda that... you're using extremely tortured logic. (Pun intended)

1. They aren't supposed to be looking at my email unless I am a suspect.
2. If I'm not a suspect and they are looking when they aren't supposed to, then they are already wasting their time and resources. If I weren't encrypted, nothing found would be admissible in a court of law because the initial search was illegal. Shame on them for wasting time and resources when they are supposed to be trying to catch terrorists.
3. Terrorists use encryption. Pro basketball players are tall. It does not logically follow that using encryption indicates you are a terrorist any more than being tall indicates you are a professional basketball player. Encryption is not probable cause for a search warrant.
4. Suspects are innocent until proven guilty. Suspects are not compelled to provide evidence of guilt thanks to the 5th amendment, but that's beside the point. The 5th is just a common sense statement of fact. Expecting suspects to provide evidence of guilt on behalf of the police would be extremely naive. If your police force expects the suspects to do the police work for them, you need a new police force.

Regardless of you political opinions, I don't see how anyone could think that impeding these guys is a good thing.

If they are obeying the law, I'm not impeding anyone. Are you suggesting they are breaking the law? Encryption protects you from law breakers. Hackers can snoop on sensitive information you send via email if you don't encrypt.

There is nothing incriminating in my email

Who said email had to be incriminating in order to be worth protecting? S/Mime is to email what SSL is to the web. Would you suggest that using SSL makes you a criminal? Are you suggesting that buying goods from retailers online is a terrorist activity because the process uses encryption? You're argument is so ridiculous, it's difficult to refrain from ridiculing you for making it.

Re:Secure your email

[ArcherB]

And this part is the key:
It could be worth your life to write a letter that might be seen as having the seeds of treason.

George Bush is not going to have you executed if you look like you may be "seeding the seeds of treason". Hell, if that were the case, all he'd have to do is show up at a anti-war rally and shot the people carrying the signs calling for revolution! Why bother paying Comcast? The King of England read mail to keep himself in power. The feds read mail to prevent a terrorist from killing hundreds, thousands or possibly millions of people while crippling the world's economies. One was a group of freedom fighters trying to gain independence and human rights from a dictator. The other is a government trying to save the lives of its population from those who want an oppressive religion based world government. To compare the two really isn't valid.

Also, I could not find that quote you mentioned, although it seems more of an argument for freedom of the press than anything else. A search for the first paragraph only links back to an earlier slashdot post of yours. Although I'll go ahead and take what you say at face value, and it does seem to be something that Hentoff would say, but it seems odd that it's not posted anywhere on the web.

I searched for the author and found this about Nat Hentoff from his Wiki page:

In February 2003, Hentoff signed a letter circulated by Social Democrats, USA advocating the removal of Saddam Hussein from power in Iraq on human rights grounds, citing reports detailing Hussein's disregard for fundamental liberties. In March and April of that year Hussein was deposed by a US-led invasion, launching the ongoing Iraq war. In summer 2003, Hentoff wrote a column for the Washington Times in which he supported Tony Blair's humanitarian justifications for the war. He also criticized the Democratic Party for casting doubt on President Bush's pre-war assertions about Iraq's alleged weapons of mass destruction in an election year. So I guess you are pro-life and support our presence in Iraq too?

Re:Secure your email

[Technician]

But these are different than encrypting your email because you think the Feds might be watching.

How is the feds going to know any different? Often the only clue is the reciepent is orders@ameritrade.com or Ghadactv8st@gmail.com

Re:Secure your email

[ArcherB]

Terrorism laws have been used quite frequently to prosecute ordinary crime.

And that I disagree with 100%! Fortunately, I have not heard of a case where terrorism laws have been used to prosecute non-terror related crime. The second that they are, the prosecutor should be tossed out on his ass, not the laws. Punish those that abuse the tools, not the tools themselves.

As for copyright, do you think that its right that the RIAA has more power to spy on you than the federal government? At least the government is elected and has motives are more noble (saving lives as opposed to making Lars more money)

I would rather 10 guilty persons go free than one innocent one.

What if those 10 guilty persons want to kill 1000 innocent ones? Again, we are not talking about arresting people here, but searching for evidence and trying to prevent a crime from happening. Email is not enough to convict. For that matter, I don't think that email read without a warrant is admissible in court at all. (IANAL) The goal is not prosecution, but prevention.

Re:Secure your email

[ArcherB]

How is the feds going to know any different? Often the only clue is the reciepent is orders@ameritrade.com or Ghadactv8st@gmail.com

The GGP was stating that he would encrypt his email because the gov't may be listening. I said that was a stupid reason and actually counter productive.

Besides, I think the address is a pretty good clue! Also, I think the physical location of the recipient, say, Tora Bora Afghanistan, would be another pretty good clue to go on.

Re:Secure your email

[Brikus]

Yeah, if you don't have anything to hide, then why would you mind people snooping in your things. Your next post should include your entire medical history, credit card and bank statements with full account numbers, and your last seven tax returns.

Alright, that's a big extreme, but according the the current U.S. constitution, we still have a right to privacy and protection from unwarranted searches. Just because I don't feel like airing my dirty laundry doesn't mean that I'm one of the terrorists. There are many legitimate reasons why someone would want to encrypt their e-mails, as some others have pointed out, that don't include anything like plotting terrorist attacks.

If you want the government to track all your actions, then have a ball, but don't criticize us for doing anything that might happen to inhibit them by some small amount.

Re:Secure your email

This also takes precious manpower away from the people who are trying to stop the next terror attack in the US. Regardless of you political opinions, I don't see how anyone could think that impeding these guys is a good thing.

Oh kiss my ass -- if "these guys" were more concerned about our civil liberties and less about engaging in what is pure (and illegal) security theater, I might give a shit. Until them, the more time spent investigating poor, boring little me, the better I like it.

Me on the other hand, I don't care. There is nothing incriminating in my email beyond sending stupid YouTube links to a buddy or bitching to the wife about who chooses whats for dinner. I'm really not interesting enough for the Feds to care about.

So you've drunk the old, "If you have nothing to hide" KoolAid. I'll pass.

Please take no offense when I say that I doubt anyone else here is either.>

I take great offense. What the fuck do you know about anyone living outside your mother's basement, you pompous, "I am the measure of all men" jackass?

Re:Secure your email

[Jah-Wren+Ryel]

Besides, these guys are not looking for prosecution, they are looking to identify and bust terrorism cells. They are looking to stop the next terrorist attack. They are looking to intercept supplies such as bomb making materials and replace them with something inert. Yes, an email will be evidence, but when it comes to terrorism, they require a open and shut case with multiple arrests. They don't want to pop you for looking for weed. Could you be any more naive?

Just how many terrorists attacks have we had in the US? Why are you still knee-jerking on a crime that kills less people world-wide (including Israel) than drown in bath-tubs?

As for "they require a open and shut case with multiple arrests" WTF are you talking about? Do you know how many people in Guantanamo are part of "open and shut cases?" NONE. Do you know how many were even "picked up on the battlefield?" Hardly more than 5%.

How about the thousands arrested in NYC during the republican convention who were then just conveniently released without charges?

Recent history is chock-a-block full of cases where OUR government abused civil rights - when they couldn't find something legit to bust someone for, they stretched to find anything to pin on them - like popping you for looking for weed.

I never said that. I said they would take a close look, wasting their time and doing MORE of what you didn't want them to do in the first place. If they can't get your email, they may listen to your phone calls. They may start tailing you. They may start investigating the people you email. Why? Because you thought it would be super cool spy stuff to encrypt your email to keep the evil G-Men out. Yeah, and if enough people do it then this goddamn fear-mongering will have to end because there won't be enough people in the world to take it to the next level for every one of them.

Besides, even the SS didn't really need to evesdrop. If they wanted information, they'd kick down your door, torture your little girl until YOU cracked, and put you on a train somewhere with a bunch of people with stars sewn into their clothing. You make that statement as if it is some kind of justification to bow down to the man because he'll do whatever he wants anyway. You have got to be trolling, either that are you are some kind of Martin Niemöller wannabe.

Re:Secure your email

[shmlco]

"Getting people to use encryption is always a tough sell, because most people, to be perfectly frank, lead lives that are so completely boring that nobody would ever want to read their mail, and they know it."

Or the flip side of the equation. Many are already placing already anything and everything about themselves on MySpace and Facebook. With so much information already public and available, what's to hide?

Re:Secure your email

[shawb]

And the bill gives law enforcement new tools to combat threats to our citizens from international terrorists to local drug dealers." -- President George W. Bush - March 9, 2006, regarding USA PATRIOT Improvement and Reauthorization Act

The Patriot Act Reauthorization Includes The Combat Methamphetamine Epidemic Act Of 2005. This bill introduces commonsense safeguards that will make many ingredients used in methamphetamine manufacturing more difficult to obtain in bulk and easier for law enforcement to track. For example, the bill places limits on large-scale purchases of over-the-counter drugs that are used to manufacture methamphetamines- and requires stores to keep these ingredients behind the counter or in locked display cases. It increases penalties for smuggling and selling methamphetamines.

-both from www.whitehouse.gov

The STATED INTENT of the PATRIOT Improvement and Reauthorization Actact is to go after more than just terrorists.

Re:Secure your email

[shawb]

And I forgot to post a link to this article

Re:Secure your email

The more it becomes assumed that only the "bad guys" that are asserting their rights and/or privacy, the more likely such assertions will be thought of as indicative of bad behavior in and of themselves.

Exactly. In just the same way as the word "public", thanks largely to the efforts of fuckwads like that self-serving piece of shit, Larry Ellison, has come to be circumscribed to mean "anywhere outside your own locked toilet". Once we buy into law enforcement's head game where failure to kowtow to their most illegal demands makes "suspects" of us all, we're on the road to the complete police state. One thing that would be helpful would be complete, mandatory audio and video recording of all police-civilian contacts, with a certified-accurate copy being provided to the civilian in a VERY timely manner. Then we might see less of the shit where they try to trap you up into being docile based on bullshit charges. We need an end to the situation where they look for the slightest inconsistency in what you say, then threaten to charge you with multiple charges of lying to a fucking cop and impeding "the course of justice", both for the same error. At seven years per charge.

This actually happened a few months ago to someone in my community. Some guy wasn't exactly forthcoming about the whereabouts of one of his (admittedly) unruly sons. Within two minutes, the butt-fucking "city's finest" were threatening the guy with three separate charges totaling twenty-one years. They made him believe they could, on a whim, send him to jail long enough to destroy his job, his house, his marriage and his whole fucking life -- just because he didn't want to knuckle under to their bullying. They backed off on that shit when he turned the kid out. This is nothing short of mafioso-style extortion and the bastards get away with it every goddamned day of their lives.

Remember, to a cop, there are three only kinds of people in the world -- cops, cops' families and suspects.

Re:Secure your email

[Zardus]

They track mud in, can drop anything anywhere and say that they found it there. That can't be done with email.

Sure they can. They just create a nice real-looking email and paste it into their log. Maybe fix a few TCP sequence numbers and all set. On the other hand, if you encrypted your email, they wouldn't be able to do that without the key, which presumably you would only be forced to hand over once all the evidence was already on the table (ie, by a judge).

Finally, items found in a house search is enough for prosecution. A quote from an email is not.

Yet.

Besides, even the SS didn't really need to evesdrop. If they wanted information, they'd kick down your door, torture your little girl until YOU cracked, and put you on a train somewhere with a bunch of people with stars sewn into their clothing.

If our society reaches that point, we'll obviously have other things to worry about. For now, we might as well keep defending our email privacy.

Re:Secure your email

Terrorism laws have been used quite frequently to prosecute ordinary crime.

Just as one example of the abuse which so many in law enforcement are willing to undertake in this regard:

A few years back, there was a telecomm workers' strike in the San Francisco Bay Area. During the strike, a few wires were cut in a couple of B-boxes. The first thing the bastard, rogue cops trumpeted in the newspapers was, "If we catch the guys who did this, we're going for the four year "terrorism enhancement".

That's a long fucking way from simple vandalism.

And don't give me any of your shit about "but what if someone couldn't call the doctor for their sick child?" You can parlay any situation, even jaywalking, into a "what-if" where the simplest action can result in death.

That's just life on earth. Get over it. Or just hop into your coffin and check out.

Re:Secure your email

This must be a troll. Seriously. Anyone who says "they don't want to pop you for looking for weed" is just yanking your chain.

The FBI and DEA, in addition to being unconstitutional agencies, are prime movers behind the War On Some Politically Incorrect Drugs. Here's a list of them slapping people in prison for their weed (this is just recent California cases): http://www.canorml.org/news/fedmmjcases.html

And anyone who thinks there are nests of terrorist cells in the U.S. is also trolling. Syracuse University's TRAC came out with a report this week that says only four terrorist cases *since 9/11* have dealt with allegations of domestic attacks.

Posters like the parent have a greater chance of choking to death on their own bile than dying in a terrorist attack.

Re:Secure your email

Dude, lay off the fucking signed messages already. You're a fucking idiot. No one in the world cares whether your shit has been tampered with; we don't know or even like you to be honest. If they tampered with your shit and made it all disappear, so what if the hash doesn't match? They'd be doing us a favor. Sure, there are plenty of fucking idiots here on Slashdot, but even they have the sense to understand hashing your shit is dumb as fuck. Cut the crap: null your idiotistic predilictions or piss off elsewhere. Thanks.

Re:Secure your email

[shaitand]

'Do you think that if the feds are monitoring your line, they are just going to say, "Damn! He's encrypted. Let's move on to the next." I'm going to guess not. If anything, seeing that you email is encrypted might be enough to peak their interest to make you MORE watched, not less.'

You are probably right, IF you have been tagged by authorities and they have reason to believe you've committed a crime or great reason to want to snoop in on you then they will probably scrutinize you more closely if you have encryption. However, encryption represents a substantial barrier. There is no 'bypass encryption' button at the FBI, it takes serious computer and manpower to read messages when strong encryption has been used. While statistically small, there are a lot of people using encryption and the feds can't just investigate all of them, they have mass surveillance programs snooping on internet traffic and encryption is effectively opting out of those. You've just taken the odds of you being a false positive in these programs and reduced it to zero.

Using enough resources the feds can get around your encryption but it isn't cheap or easy, they aren't going to do it unless they already strongly believe you are a serious threat. If you are innocent then you should have nothing to fear from encryption.

'This also takes precious manpower away from the people who are trying to stop the next terror attack in the US.'

Enough with this nonsense already. The current executive branch and law enforcement represent a far greater terrorist threat to the people of the United States than any foreign group. Law enforcement and the executive branch as a whole are throwing away the freedoms that represent the backbone of this nation and doing so with nothing more than the hollow promise that we should be more terrified of someone else than of them. This line of thinking also shows support for the current religious wars the executive is engaging in and the previous support of religious wars that have excited foreign extremists against the US in the first place.

'Regardless of you political opinions, I don't see how anyone could think that impeding these guys is a good thing.'

Law enforcement are literally individuals who want to dictate how you should behave at gunpoint. These are not the good guys, they have never been the good guys, and they never will be the good guys. These guys existing makes for a good threat that stops otherwise honest people from crossing the line but we don't really want these vicious and incompetent authorities to actually act. The bad guys aren't as bad as the authorities.

'Me on the other hand, I don't care. There is nothing incriminating in my email beyond sending stupid YouTube links to a buddy or bitching to the wife about who chooses whats for dinner. I'm really not interesting enough for the Feds to care about. Please take no offense when I say that I doubt anyone else here is either.'

What is in my mail is beside the point. I know several people who are afraid to discuss the political climate on the telephone or internet because they are afraid of retribution. I am not just speaking of those who like conspiracy stories, I am talking about normal everyday people. People like my mother and grandmother.

Re:Secure your email

[shaitand]

'Sure, but that is because having the police enter my house is intrusive. They track mud in, can drop anything anywhere and say that they found it there.'

The same is true of tapping my phone lines, it requires a warrant and for good reason. The same is true of requesting my DNA. You do not give the police or any investigating authority any intelligence voluntarily because when they are investigating you they are your enemy. It is estimated based on after the fact DNA testing that 30% of the people in prison are innocent, think about that.

'A quote from an email is not.'

You are mistaken.

'Besides, these guys are not looking for prosecution, they are looking to identify and bust terrorism cells. They are looking to stop the next terrorist attack.'

That is particularly naive. They may be looking for terrorism, but they are certainly looking for political dissidents.

'Besides, even the SS didn't really need to evesdrop.'

But they did. Even the SS didn't have infinite manpower. It is easier to have computers scan millions of phone calls, email, and web traffic than to kick down a million doors. You are also a lot less likely to meet any sort of armed resistance.

Re:Secure your email

There's a strong argument to be made to encrypt specifically because you have nothing to hide.

All you have to do is turn the strawman upside down: What kind of a sick individual would want to spy on a person who has nothing to hide?

Answer: the kind of person who gains something from spying on people with nothing to hide. In other words, a person in the business of government: the business of controlling people, taking their money by force, spending it, and ultimately, making a living -- or better yet, a fortune -- off doing all of this.

Re:Secure your email

Besides, these guys are not looking for prosecution, they are looking to identify and bust terrorism cells. They are looking to stop the next terrorist attack.

You have just proven yourself to be a mindless moron. Stop with the "24" propaganda and realize the government has no interest in protecting you.

Re:Secure your email

Fortunately, I have not heard of a case where terrorism laws have been used to prosecute non-terror related crime.

The latest averted school shooting incident in which the accused, a teenager, had a weapons cache at his home is one such situation wherein the prosecutor and/or law enforcement officials trotted out the "charges of terrorism" phraseology.

So you sir are wrong. THE TERRORISTS HAVE ALREADY WON!

Re:Secure your email

[Lumpy]

I'll add one more thing.

If you bittorrent, use a client that encrypts. and force it to only accept encrypted. Comcast techs are usually way way behind the ball and are easily fooled if you do a few things to protect yourself. Also, if you are not running it, get a copy of peer guardian and install it. every little bit helps. Their Internet Security goons are typically Ex-Cops first and IT people last.

another way to limit P2P detection, set your download and upload to be near identical. Yes it takes longer to get your tv shows but you look a lot less like P2P traffic that way.

Finally if you want some good palusable deniability. Open up a wireless router to defaults and only P2P from a live CD to a usb hard drive. It will leave no traces of evidence on your PC when they supeona you. If they don't have evidence on your hard drive it is a whole lot more difficult to prosecute you. Have lots of ways to limit evidence and deliver reasonable doubt.

Re:Secure your email

... they are looking to identify and bust terrorism cells. They are looking to stop the next terrorist attack. They are looking to intercept supplies such as bomb making materials and replace them with something inert. Yes, an email will be evidence, but when it comes to terrorism, they require a open and shut case with multiple arrests. They don't want to pop you for looking for weed.

Awww, fuck -- my patriotic music player is on the fritz so I can't hear a fucking thing you're saying. What the hekk did you major in -- elementary school civics?

I said they would take a close look, wasting their time and doing MORE of what you didn't want them to do in the first place. If they can't get your email, they may listen to your phone calls. They may start tailing you. They may start investigating the people you email. Why? Because you thought it would be super cool spy stuff to encrypt your email to keep the evil G-Men out.

Shit, that's a really long-winded way of saying exactly what the other guy said -- not doing their job effectively.

If they can't do their jobs without assuming that simple assertion of Constitutional rights is indicative of criminal behavior, then they have no business doing their job in this putatively free country. They should be taken out on the back lot and executed -- painfully -- as an example to those who follow them.

Re:Secure your email

[gwbennett]

offtopic maybe, but how can you be "robbed in your home" while you're out? You can only be robbed wherever you are at any given time.

Re:Secure your email

[ArcherB]

The same is true of tapping my phone lines, it requires a warrant and for good reason. The same is true of requesting my DNA. You do not give the police or any investigating authority any intelligence voluntarily because when they are investigating you they are your enemy. It is estimated based on after the fact DNA testing that 30% of the people in prison are innocent, think about that.

I remember a quote from a police officer who was giving a speech to us soldiers at Ft. Hood about the dangers of drunk driving. While talking about a blood test, he said, "When it's in you body, it's yours. But when it hits God's clean air, it becomes state evidence."

That is particularly naive. They may be looking for terrorism, but they are certainly looking for political dissidents.

This is the laugher of the day! Why would the feds go through all the expense and hassle of reading your email looking for political dissidents when they could just go to the nearest Code Pink rally or raid the offices of MoveOn.org!!!

However, I am worried if we have another Clinton presidency. It is common knowledge that they used the FBI to dig up dirt on political opponents. Now it is coming to light the they intercepted wireless phone calls of political opponents to listen in. At least this administration lets you know they are doing it.

Re:Secure your email

[skulgnome]

How's the brigade doing these days? It's been so long since I left, but I'd quite like to hear back from some of you guys. Wanna get together for a pint or something sometime, revisit the old days, go on a three-day binge like we used to?

Re:Secure your email

[NodeZero]

Yup, when someone steals something from your house while you are out it is called burglary, not robbery. I believe robbery requires some sort of force or fear involved against someone in order to obtain something.

Re:Secure your email

[marmoset]

To be fair, if his wife is using the same mailer he is, then there literally isn't anything to set up -- when she receives an email from him, she sees an extra checkmark and the word "signed". If he's taken the 10 or so minutes it takes to set her up the same way, it's literally only one extra click for her to encrypt her emails to him. Though Mail.app is far from a great mailer, the way it handles S/MIME is truly as transparent as it could ever possibly be.

Re:Secure your email

[Kadin2048]

Can I do anything about them snooping in my email - regardless if it's encrypted or not? This is where I think you are wrong. There is strong evidence to suggest that modern, widely-available encryption techniques provide a substantial barrier to snooping, and make the process of snooping far more difficult than it would otherwise be. It's certainly possible that someone has the capability of decrypting 2048-bit ElGamal or other modern PK encryption, if they do it's a closely guarded secret, unavailable to the vast majority of would-be snoopers. (I.e., if the NSA does have some unimaginably powerful quantum computer in its basement, which I frankly don't think they do, they're only going to use it on very high-value targets; anything more risks revealing their capability. It's not a tool you could use for the most oppressive kinds of mass surveillance.)

Therefore the aggregate effect of large numbers of people using encryption would be to render large-scale electronic surveillance systems useless, since they are only practical for plaintext traffic. (In fact, you don't really even need to be using state-of-the-art crypto; if everyone were using even keys that took a few days to break on a supercomputer, it would prevent most types of high-speed/real-time analysis and force authorities to take much more fine-grained, targeted approaches.

Your argument against taking an individual step to prohibit mass surveillance is the same argument that many people make against voting: your action, taken singularly, has virtually no effect. It is only as part of a group that it is significant. But just as many people deciding to vote the same way can change a government, a large number of people deciding to make the snoopers' jobs (even slightly more) difficult would quickly outpace their resources available for the task.

I don't think the solution is either-or, personally. As concerned citizens, we need to vote. As people with technological knowledge and capabilities, we have a responsibility to not make it easy for those in power to abuse it, through our passivity.

Re:Secure your email

[vertinox]

Getting people to use encryption is always a tough sell, because most people, to be perfectly frank, lead lives that are so completely boring that nobody would ever want to read their mail, and they know it

Just because you think its boring doesn't mean the powers that be don't. (Your employer, random stalker, marketing company, and of course the government)

Its usually the mundane stuff that they could use against you ambiguously. Everyone breaks the law one way or another due to the nature of our complex legal system. This could be anything from something as mundane as describing the time frame frame of picking your kids up at school and then describing the time it took you to get home or to the grocery store and if someone pulled out Google maps and took your email literally you would have have to have been speeding and therefore breaking the law even if you gave the wrong times in your email (you weren't actually looking at the clock after all).

Now I really doubt anyone would go that far to get you, but the whole point of privacy is that it prevents everyday information from being used against you if a scenario like that every happened.

Its not about "If you have something to hide you have nothing to fear" but rather "If you haven't hidden anything than you should be afraid". Imagine if your employer wanted to fire you and then subpoena Comcast for any evidence they could get rid of you and got a hold of your VoiP record of casually bitching to your wife about how bad your job sucks and how you hated them.

Yeah... It was mundane to your, but not your employer.

"If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged." -Cardinal Richelieu

Re:Secure your email

[vertinox]

It's like being robbed in your home when you're out. It doesn't matter if you have an alarm system or not, if someone wants property of yours, they will get it.
You can double lock your doors, put bars on the windows, pay for a monitoring service, or whatever, it will not stop a determined person from getting whatever they want to get.

But in this instance it is like having someone in your house at all times who is allowed to go through your stuff at any given time for any particular reason. They aren't supposed to steal anything or do anything illegal to your home, but the thought of having them there and having that ability is what annoys me.

As they say... Locks are there to keep honest people honest. When you don't have any at all or have someone on the inside who you can implicitly trust is when things get hairy.

Re:Secure your email

Don't bother. GPP is a chest-pounding right wing moron, who can't conceive that perhaps there are people out there who don't have his best interests in mind.

Re:Secure your email

[BalanceOfJudgement]

This is the laugher of the day! Why would the feds go through all the expense and hassle of reading your email looking for political dissidents when they could just go to the nearest Code Pink rally or raid the offices of MoveOn.org!!!

You cannot possibly be so naive as to actually believe that.

And that's just one incident. HE PERSONALLY has experienced and documented dozens more. You really don't see what's right in front of your face, do you?

It is common knowledge that they used the FBI to dig up dirt on political opponents. Now it is coming to light the they intercepted wireless phone calls of political opponents to listen in. At least this administration lets you know they are doing it.

You say that as though it justifies it. How about "they're both wrong, let's string BOTH of them up for treason"?

Re:Secure your email

Ah, so you're the guy we laugh about down at the postoffice. You know, you really shouldn't send the correspondence to your doctor about your genital herpes problems on the back of a postcard. Most people use an envelope these days!

Re:Secure your email

[Shakrai]

The other is a government trying to save the lives of its population from those who want an oppressive religion based world government.

Oh, give me a fucking break.

For starters, cough up some evidence that the "terrorists" want this world based Government you are talking about. And which "terrorists"? Many movements that our Government considers to be "terrorists" have no interest in the United States beyond our meddling in their affairs for whatever reason.

And once you've done that, convince me that we really need to sign away our rights to stop the "terrorists". You realize we have a few thousand nuclear weapons that can be delivered anywhere on Earth, less then an hour after we decide to do it, right? Given that fact, I'm not real worried about the United States (or the Western World for that matter) falling to the new Caliphate...... hell, like Christians, the Muslims are too busy fighting each other to unite and try and take over the World. Hell, they can't even put aside their differences long enough to unite against the US and force us out of Iraq.

Re:Secure your email

[JourneymanMereel]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I wanna like PGP, I really do... but tell me this comment isn't ugly. OK, now stop lying. Every time I see a PGP signed message I can't help but think how aweful it looks. What is the average user gonna wanna put up with that. Sure, you have the right software/plugins/whatever, it can be made to look better and be non-obtrusive, but the fact of the matter is, but default it's ugly.

IMHO, the biggest problem with X.509 certificates is cost. Sure, you can get a free one from Thawte, but then it doesn't include your name. There's another set of hoops you have to jump through to get that part which may or may not be free. I've intended to do it a couple times, but just have yet to make contact with an assurer in my area... and the cost of using the third party verification is just too much. Yes, I'm cheap.

CAcert could make some strides in that area... if they can ever get their root certificate include by default in mainline browsers/mail clients.

The second biggest obstacle for X.509 is webmail... and a lot of people use that exclusively. While it's possible to use a plugin like firegpg for webmail to get GnuPG working, I don't know of any way to make that work for X.509.

And of course, never underestimate the chicken/egg issue or the ignorance issue. People don't realize that email is sent from server to server in the clear and stored in a way that other people can read their email. They think that little password they have to enter keeps everybody out... you know, they one they use on every other site in the world and just entered into the eBay/PayPal/MySpace/whatever phish.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32) - WinPT 1.2.0

iD8DBQFHFQUlPFshtZHeR6kRAoZGAJ9RP73L5dfsD3c932m7QWHN2lMO/ACaAkIU
oGHY2KM6V3Ua54O6UptbCJg=
=lNNR
-----END PGP SIGNATURE-----

Re:Secure your email

[shaitand]

'However, I am worried if we have another Clinton presidency. It is common knowledge that they used the FBI to dig up dirt on political opponents. Now it is coming to light the they intercepted wireless phone calls of political opponents to listen in. At least this administration lets you know they are doing it.'

I highly doubt there has been an administration that hasn't done it to be honest. But there was a time when they did so in shadows afraid of the power wielded by the people. Bush and company have just shown that no matter how outraged the people they have been disarmed and no longer have the spine to retaliate even if they had not.

No matter how much flowery language and fine ideas we wrap it up in, today is no different than the feudal times. All power is derived from force, the people have been disarmed (does some idiot believe that the arms mentioned the in the second amendment weren't intended to refer to military capable weapons?) and all units of government and military capable of wielding force are under the jurisdiction of the executive. The last hope of putting a stop to this madness and putting the executive in check is for the individual states to act, they still have their own police and military forces.

Being better than some makes them good ?

So they follow the letter of the law isn't the law what is preventing privacy ?

How much it costs?

[aeschenkarnos]

That's odd. I'd have thought it cost "do it or be fined/arrested".

Re:How much it costs?

[T-Bone-T]

I found that interesting as well. What if the law enforcement agency can't afford it?

Re:How much it costs?

[ScrewMaster]

What if the law enforcement agency can't afford it?

They'll just ask for a bigger budget next year.

Re:How much it costs?

[Burdell]

IIRC, when a subpoena is issued for information from a third party, that party can charge a fee to cover the costs of gathering the requested information.

Re:How much it costs?

[the+unbeliever]

Most law enforcement budgets have a clause for "emergency funding for investigative purposes"

Comcast's charges don't seem unreasonable either, considering the amount of data they'll have to sift through to provide the information.

Re:How much it costs?

[nateb]

paying a guy for a week to come up with a webpage that aggregates a bunch of selects and some greps doesn't seem like that much to me. oh and better pay a support guy or ten to answer the phone.

Re:How much it costs?

[computational+super]

What if the law enforcement agency can't afford it?

That's why they always say it's for a child exploitation case.

The law doesn't protect you

[MacDork]

The law doesn't protect you. You protect you. Encrypt.

Re:The law doesn't protect you

[Hijacked+Public]

Also buy a rifle.

Re:The law doesn't protect you

[megaditto]

And when they ask you for your key and you won't give them, they throw you in jail and keep you there. Already happened to a few people.

Re:The law doesn't protect you

[biocute]

And when they ask you for your key and you won't give them, they throw you in jail and keep you there.

And the worst part is, when you ask them for the key to get you out of jail, they won't give you.

Re:The law doesn't protect you

[arthurpaliden]

Funny, rifles do not seem to be protecting the Iraqi people....

Re:The law doesn't protect you

[kylehase]

How secure is encryption? Say for instance Truecrypt, SSH/SCP, SSL, SMIME, GPG etc? How easy is it for criminals or governments to break? In books like Dan Brown's "Digital Fortress" or the TV show 24 it seems that breaking consumer grade encryption even with strong passphrases and certificates/keyfiles is all that difficult with enough processing power.

Re:The law doesn't protect you

Fine, don't get a rifle. Baby.

Re:The law doesn't protect you

[buswolley]

Then you offer to exchange keys.

Re:The law doesn't protect you

[WilliamX]

Not in the US, the right against self-incrimination is absolute, and has resisted any attempt to weaken it.

Re:The law doesn't protect you

[hax0r_this]

As far as I can tell they're doing a pretty good job of protecting them from successful US rule.

Re:The law doesn't protect you

But encryption, that is working well for them?

Re:The law doesn't protect you

[Eskarel]

Well it really depends on a couple of things, presuming that your encryption method of choice has no weak points(ie backdoors or algorithm faults) and P!=NP and the government doesn't have a quantum computer and factoring is indeed hard, then breaking your encryption basically involves a brute force approach. Since for most reasonable encyrption methods these assumptions are valid(at least at the moment), we'll presume that brute force is the only way to crack it.

They did a distributed computing project a few years back to break a 64 bit encryption method and it took them a little over 5 years. Most encryption keys these days are 128 bits or higher and every bit you add doubles the number of possibilities they'd have to check, so for 128 bit using the same level of resources brute force would take 92,233,720,368,547,758,080 years(assuming that the five years case was an average case). Computers are a lot faster than they were, but not that much faster.

To sum up, if encryption works at all, no one is going to get in without knowing your password, and the shows are bollocks. That said some encryption algorithms do contain backdoors for the US government, and some algorithms are badly written(WEP for instance), P may equal NP and the US government will probably have a quantum computer as soon as they're available so YMMV.

Re:The law doesn't protect you

As far as I can tell rifles are actually helping the citizens of Iraq -- not against "US rule", but against foreign criminals sponsored by by Iran. Look up the latest news about Iraqi citizens fighting Al Qaeda.

Re:The law doesn't protect you

[littlerubberfeet]

hmm...What if my key itself is incriminating? My key might be a list of all the illegal things I have done.

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux) ...Run a red light, key the Bentley that almost drove me over in a crosswalk, music/movies I have downloaded, item 1 with unexpired statute of limitations, item 2 with unexpired statute of limitations...

- -----END PGP PUBLIC KEY BLOCK-----

By handing it over, it would be a violation of my 5th amendment rights.

Yes, perhaps they would merely make the key contents inadmissible in court, but it would still throw a major wrench into the works.

Re:The law doesn't protect you

[Fulcrum+of+Evil]

Of course, if you really want the key, you can usually get it with a set of pliers. This assumes that your subject knows the key at all.

Re:The law doesn't protect you

If it's the government you are worried about, I wouldn't be concerned with how long it would take them to brute force.

They'll just sneak into your house when aren't there and install a keylogger on your computer to get your passphrase. It's not like they haven't done it before

With that kind of power, why even worry about brute force attacks?

Re:The law doesn't protect you

[jonwil]

There is an answer to that:
Use linux with security options that would prevent the installation of a software keylogger. Then switch to Dvorak (or something else funky) and use a Das Keyboard (or leave the keys in QWERTY).

Unless they can gain access to your PC and bypass the security, they wont have any idea that its not QWERTY. Any hardware keylogger or bug they insert will produce "garbage" since they have no way of knowing that will produce 'x' instead of 'q'.

Oh and combine this with good home security so that the G men cant get near your PC in the first place.

Re:The law doesn't protect you

[EugeneK]

I guess that we're good unless the Al Qaeda guys were to get rifles...wait, they have some already? And so do the Sunni insurgents that are fighting them and also fighting the Shiite militias and army? Well, crap.

Re:The law doesn't protect you

Unless they can gain access to your PC and bypass the security, they wont have any idea that its not QWERTY. Any hardware keylogger or bug they insert will produce "garbage" since they have no way of knowing that will produce 'x' instead of 'q'.

You really don't know how hardware keyloggers work, and you do not understand how easy it is to crack a replacement cipher (which is what a random keyboard would essentially be equivalent of)

And by the way, it's easy to pick up the electric currents generated by your keypresses from a distance of about 100m. Google for tempest and you'll learn why your physical security needs to include tinfoil.

Re:The law doesn't protect you

[MadMidnightBomber]

A Shia country sponsoring a Sunni terrorist organisation? Really?

Re:The law doesn't protect you

There are approaches faster than brute force, in which a 128-bit key does not mean 2^128 possible combinations. Depending on the algorithm, the key space is smaller than the key size (parity bits, weak keys, etc).

Re:The law doesn't protect you

[Hijacked+Public]

One would think the occupying military would just ban private ownership of firearms, like the dictatorship before them did, and that problem would be solved.

Like in Washington, DC.

Re:The law doesn't protect you

[Attila+Dimedici]

A Shia country sponsoring a Sunni terrorist organisation? Really?
Yes, really. Ever hear the proverb, "The enemy of my enemy is my friend"? It applies here. The Iranians will give money and guns to anyone fighting the Americans and/or the current Iraqi government. The people fighting the current Iraqi government and the American forces in Iraq will take money and guns from whoever will give it to them. That's really not that hard to understand.

Re:The law doesn't protect you

[MadMidnightBomber]

The Iranians will give money and guns to anyone fighting the Americans and/or the current Iraqi government.

Bollocks. There's a fucking civil war going on in Iraq where Sunni groups are killing Shiites - and vice versa. Why the fuck would Iran want to fund the killing of Shiites?

See http://www.cfr.org/publication/9362/#4 - "Some reports also suggest that Iran's interference in Iraq has included funding, safe transit, and arms to insurgent leaders like Muqtada al-Sadr and his forces", and also says Iran funds/has funded Hezbollah, Islamic Jihad and Hamas. I haven't seen anyone credible claiming they are directly funding Al Qaida. Please note all the groups above are Shiite.

Re:The law doesn't protect you

home security so that the G men cant get near your PC

Ha, ha! Good one! LOLROTFL!

Re:The law doesn't protect you

[flosofl]

Unless they can gain access to your PC and bypass the security, they wont have any idea that its not QWERTY. Any hardware keylogger or bug they insert will produce "garbage" since they have no way of knowing that will produce 'x' instead of 'q'.

And with a large enough sample of this "garbage" (which is smaller than you would think) combined with a *simple* frequency analysis would defeat this in no time flat.

Relying on a substitution cipher for securing information is the equivalent of thinking Kwikset locks will secure your house/apartment/condo. Naive at best.

Re:The law doesn't protect you

[darkfire5252]

And when they ask you for your key and you won't give them, they throw you in jail and keep you there.

Right, this is absolutely true. However, it doesn't matter a bit, because let's look at how encryption has changed the equation...

Situation 1 - No encryption. This offers no protection whatsoever, except for the 'small fish in a big pond' situation which may or may not be true. Your e-mails can (and will) be monitored, most likely not individually but by automated process. Computer programs will be able to data mine/archive/print out and send to your grandmother/etc absolutely all of your e-mail communications with nothing in the way. Everyone from the 14 year old next door who's leet-in-training and discovered you didn't change your Linksys password to the TLAs can do what they like with your communications and you will not be aware or able to detect it.

Situation 2 - With encryption. Automated monitoring is right out, your communications are nothing but gibberish and all that can be determined is 'there was a mail from A to B, it was encrypted'. This may get you tagged as a person of interest, but the odds are against it. The more people that use encryption to hide boring communications, the less interesting encryption makes communications. You are no longer 'a small fish in a big pond' but 'a possible fish in a medium-sized pond'. Absolutely no one except the holder of the private key you've encrypted to can read the communications (flawed algorithms and quantum computing aside, the purpose of encrypting never was to guarantee secrecy forever anyway and quantum computing is still a ways off). If a government agency decides that it's likely they have an interest in knowing what you've written in that e-mail (which they had to have done by virtue of who it was to or other outside information), they must _contact you_ and _ask_ you (or the other party) to reveal the communications. This is either done with a search warrant or with illegal coercion. If you had been discussing your various drug deals, then you're boned and you probably should be because they knew you were doing it without reading that e-mail and now they're just building a case. If it's just legitimate communications, you reveal the message and they learn a lesson (maybe) from the time and money they wasted. If it's so secret that prison is not as bad as the consequences of revealing the message, you go to prison, secure in the knowledge that the e-mail is safe for X years (X depending on key size and method, and whether party B cracks).

What's the difference? If the gov't really wants to know, and you don't want to go to jail, then they still end up knowing. But they had to _ask_ through _legitimate_ channels. The difference is in the power that you have over the secrecy of your data. In situation 1 you have no power whatsoever. In situation 2, you (and the other party) have absolute power, and can even go to jail to protect the secrecy of the data.

Unless you're talking to your tech-impaired grandmother, why would you not want control over the flow of your communications?

(An un-related side note: Is the slashdot captcha _always_ 'ferocity', or is that just my own personal word?)

Re:The law doesn't protect you

[Redwin]

Also don't forget that if you have a weak password (eg using your username for the password or something) then anyone serious about breaking your encryption will have a much easier time. Dictionary attacks and trying lists of common passwords (p455w0rd for example) can make a successful match quite quickly.

Re:The law doesn't protect you

[couchslug]

The US allows householders to retain one battle rifle because they ARE of use against armed attackers, and the risk of getting shot is a valid deterrent to home invasion. Attack by armed people is not the same as a car bomb. Neighborhood groups can and do use firearms for the valid purposes of protecting their neighborhoods from criminals and Al Qaeda members.

That there is violence in Iraq does not logically imply that any/all measures against some varieties of violence are useless.

Re:The law doesn't protect you

[Kadin2048]

This won't work for the reasons that other people have noted.

The best security precaution is continual awareness. If you're intimately familiar with all of your hardware and software, it's a lot harder for someone to install a keylogger. Would you know if someone came into your office and moved something around? You should. It requires an effort, though, to start paying attention to little things, so that you'll notice if something is amiss. And if you have a bad feeling, you need to act on it immediately.

Would you notice if someone swapped your keyboard with one of an identical make and model and approximate age? And if you did notice something odd -- maybe a little stiffness in the keys that wasn't there before, a difference in the wear patterns from where your fingers normally lie -- would you just shrug it off or would you immediately stop using it? How often do you actually look behind your desk to see if someone has shoved one of these in between your keyboard and CPU? Those are the things you have to take into consideration.

It's similar with software. A while back I read about a guy who only discovered he'd been rooted because of an oddly misbehaving "ls" command when it was invoked with certain switches. Lots of other intrusions are only discovered because of similar, very subtle, signs. (Most of which boil down to the intruder making a mistake somewhere.)

Most people don't want to have to pay attention to security, and thus look for easy ways out. This is generally where they become most vulnerable. Automated and procedural security is good, but ultimately any 'fire and forget' approach is fatally flawed. There's no replacement for vigilance.

Re:The law doesn't protect you

I sure as hell would -- I'm using a laptop!

Re:The law doesn't protect you

[Eskarel]

I'm well aware of this, but the original post asked about strong passwords. And my post presumed you don't have a broken algorithm like WEP.

Misleading article

Complying with requests from "Law Enforcement" is quite a bit different from complying with requests to assist a US government agency with an anti-terror program. Local law enforcement is far removed from the latter.

Is this an attempt to improve Comcat's poor reputation among /.'ers? They still haven't changed thier undocumented policies related to bandwidth limitations on "unlimited bandwidth" accounts.

Re:Misleading article

[rootofevil]

ill take sane customer privacy action over limiting my bandwidth to a somewhat vague and mildly unreasonable policy that wouldnt potentially land me in jail if i violated it.

seriously, if this is the case i hate comcast quite a bit less. i just sort of assumed they were doing the same thing as att and verizon and rolling over for uncle sam.

Re:Misleading article

[bakana]

There are no such things are unlimited bandwidth accounts. There has not been any commercials that state unlimited bandwidth for accounts. This is made up by consumers such as yourself. The document has not recently been updated, that has been comcast policy for a long time. Before you write something, get your facts right.

Re:Misleading article

[urcreepyneighbor]

Local law enforcement is far removed from the latter. While there is some truth to the common perception of local (eg, Middle-of-Nowhereville, MT) law enforcement having more in common with the Keystone Kops than the Feds, the majority of urban police departments are quite professional and will continue to evolve.

They still haven't changed thier undocumented policies related to bandwidth limitations on "unlimited bandwidth" accounts. As someone who lives in fear of the dreaded call, the policies and procedures described in the handbook didn't even raise an eyebrow. It all seemed rather, well, mundane. The frontpage of /. elicited more of a reponse, for me.

btw - How would we know if they changed their usage policy if it's undocumented? ;)

Re:Misleading article

Is this an attempt to improve Comcat's poor reputation among /.'ers? They still haven't changed thier undocumented policies related to bandwidth limitations on "unlimited bandwidth" accounts. Meh. I've downloaded well over 50 gigs in a month from Comcast in a small town in New England. I could care less what they do to the poor saps in the rest of the country. In my experience, there is no limit.

Re:Misleading article

[Hatta]

50 gigs in a month is pretty small potatos.

comast high speed

[gadzook33]

Internet, Voice, TV. All on one subpoena.

Re:comast high speed

[gad_zuki!]

I think its funny and very telling about americans that you can get voip, email, and IP records but they say hell no to your tv watching habits. Incredible.

Quick and Dirty Summary

[value_added]

Interesting read, especially considering the "Comcast Confidential" footer at the bottom of every page. That said, it's informative only insofar as it states there's laws to be considered, and makes clear the folks at Comcast insist on following them. Nothing in that document is very different than a typical publically-available TOS. Here's an excerpt:

Generally, the following information, when available to Comcast, can be
supplied in response to the types of requests listed below. Each request
is evaluated and reviewed on a case by case basis in light of any
special procedural or legal requirements and applicable laws. The
following examples are for illustration only.
 
- Grand Jury, Trial, or Statutorily Authorized Administrative Subpoena
- Judicial Summons
- Court Order
- Search Warrant
- Preservation Request/ Backup Preservation Request
- Pen Register / Trap and Trace Device
- Foreign Intelligent Surveillance Act of 1978
- National Security Letter
- Child Abuse
- Emergency Disclosure

As for the email policies referred to in the summary, Comcast does not store emails any longer than the subscriber chooses keeps them.

Comcast's Webmail service permits customers to change their email
deletion policies, but the current default settings are described below.
 
- Inbox (Read Mail No automatic deletion policy)
                    (Unread Mail 45 day retention period)
- Trash (Read Mail 1 day retention period)
                    (Unread Mail 1 day retention period)
- Sent Mail (Read Mail 30 day retention period)
                    (Unread Mail 30 day retention period)
- Screened Mail (Read Mail 3 day retention period)
                    (Unread Mail 3 day retention period)
- Personal Folders (Read/Unread No deletion policy)
- Popped Mail (Deleted immediately from web mail servers)

Put another way, Comcast doesn't store your emails. You do.

Re:Quick and Dirty Summary

Put another way, Comcast doesn't store your emails. You do.

Well, you can choose to not store your emails on their server. As you quoted, if a user POPs their email (and doesn't check save-copy-on-server or whatever), then their email is not saved on Comcast's server. But if they use webmail (or check save-on-server) then....

What cracked me up is that they can read your email (if you store it on their server) with almost any kind of request, but it takes permission from God (ok, court order) to see your cable viewing habits.

Re:Quick and Dirty Summary

[Technician]

Comcast does not store emails any longer than the subscriber chooses keeps them.


You left out the part where a subscriber may elect to not use Comcast mail at all and elect to use another providers service such as Hotmail or Yahoo mail. Comcast does not have any record of these. It's hard to retrieve records that don't exist. I fall in that catagory. I don't use my ISP's email at all.

Quick and dirty is if you receive all services from Comcast. However if you only subscribed to Internet and used Broadvoice, Skype, or Vontage, and used email from some small obscure server somewhere, the one stop shop is now a find all the scattered pieces.

Can Comcast put a pen recorder on a Vontage VOIP connection? I think that might not be permitted as it is now 3rd party traffic and may be an illegal wiretap of a Vontage customer. A look at the keeper of the phone number assignments would indicate a Vontage phone number is not a Comcast subscriber number.

Re:Quick and Dirty Summary

Doesnt matter, Vonage and all VOIP Providers must be CALEA Complient or huge fines are given. Basically put, great job on having VOIP but they have the same access to VOIP as your traditional copper land lines now. Tough luck.

This is a rough overview... http://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act

Re:Quick and Dirty Summary

[Technician]

Doesnt matter, Vonage and all VOIP Providers must be CALEA Complient or huge fines are given.

correction Vontage and all US VOIP Providers must

There fixed it. From you link..
"The Communications Assistance for Law Enforcement Act (CALEA) is a United States wiretapping law passed in 1994 "

Vontage is US based. Where is Ekiga which ships with Ubuntu based?
http://ekiga.org/index.php?rub=3&pos=0&faqpage=x149.html
"1.1.4. What is it compatible with?
Ekiga is compatible with any software, device or router supporting SIP or H.323. It includes SwissVoice, CISCO, SNOM, ... IP Phones, but also software like Windows Messenger, Netmeeting, SJPhone, Eyebeam, X-Lite, ... or also the Asterisk popular IPBX, as well as any other commercial or Open Source IPBX."

How many of these supported services is directly under CALEA?

Vontage may be CALEA Complient. Not everyone is under US rule. Not all VOIP service is commercialy provided.

Re:Quick and Dirty Summary

I wonder why "child abuse" is a separate reason. Isn't that covered by search warrant? Or does that mean that if law enforcement says the magic words "child abuse" that they will provide the information without requiring a search warrant?

Re:Quick and Dirty Summary

[mathwhiz99atucb]

Interesting point. But then again, like anything else in our society, if you say that you are doing something "for the children" or to "protect the children" then to oppose it means you hate children... you don't hate children do you?

Re:Quick and Dirty Summary

[Kadin2048]

Depending on how you're using Ekiga (seriously, could they have found a more difficult to pronounce name?) you could still be sending your traffic through a CALEA-compliant (and thus snoopable) network.

Ekiga is just the client program that runs on your computer; it is to VoIP what Firefox is to the WWW. The client program isn't (generally) where tapping occurs; law enforcement does that in the network, where it's harder to detect. So the question isn't whether you use Ekiga, it's who do you use for an ISP, and who do you use for SIP-to-POTS service?

If you use one of the major US ISP's, you have to look no further than them for the authorities' way into your traffic, since they can provide ways to tap the SIP traffic directly if it's unencrypted (and I don't think most SIP implementations support encryption, more shame on them). It's not terribly hard to pick out the right packets if you're sniffing the connection. So even if you're calling from your computer to your friend's computer completely via SIP, never going near the POTS network, you could still be snooped.

If you use a SIP-to-POTS gateway service (allowing you to call landline numbers from your SIP phone), that provider -- if it's based in the US -- almost certainly is CALEA-compliant and will provide a way to tap. I'm fairly certain that whoever does Ekiga.net's gateway service (Diamondcard.us?) is either CALEA-compliant themselves, or whoever they buy POTS circuits from is.

To be frank, it's a fool's errand to try and avoid CALEA by switching providers. If you want to talk with people in the U.S., your traffic is going to go through a network that's CALEA-compliant and can be snooped on. It may be marginally more difficult right now for authorities to snoop on a completely IP-based, SIP conversation than on a POTS one, but this will probably change as law enforcement becomes more comfortable with the technology.

The solution, IMO, for a person desiring private communication, is not to rely on the security of the data channel, but to create that security using encryption for the conversation itself. Zfone is Phil Zimmerman's modern update to PGPfone, and works in conjunction with most SIP clients at the protocol stack level to encrypt the SIP stream. It looks pretty slick, although I haven't played with it much myself. There seem to be versions available for Mac, Linux, and Windows. Sadly, the code is not GPL, so it will probably never appear in mainstream Linux distributions.

Yay for Viral PR

[vprasad]

Yay for viral PR provided by Comcast... nice handbook... how much different is it from the "real" handbook?

other quotes

"At present I shall only give you my Opinion that tho' your Reasonings are subtle, and may prevail with some Readers, you will not succeed so as to change the general Sentiments of Mankind on that Subject, and the Consequence of printing this Piece will be a great deal of Odium drawn upon your self, Mischief to you and no Benefit to others. He that spits against the Wind, spits in his own Face. "

Since when did policies matter?

[GodfatherofSoul]

If you've been paying attention to the news, the service providers simply cave into the government's demands for personal information then cry for legislation to retroactively exonerate them when they're caught breaking the law. Policies, legally-binding agreements, and laws mean jack in the current environment.

Nevertheless...

Comcast is *the* Devil.

PARENT IS TRUE

[speaker+of+the+truth]

Shame they had to add some flamebait into thei post.

Cox

[DanielBoz]

For any interested here is the equivalent info on Cox Communications: http://www.cox.com/policy/leainformation/default.asp http://www.cox.com/policy/leainformation/CoxLawfulInterceptWorksheet.pdf

Clarification please...

[shaitand]

'and cable records can only be retrieved upon a court order'

Are they saying that comcast will hand over identity and ip records WITHOUT a court order? The only 'balanced' policy would be to turn over nothing to law enforcement without a court order and even then to oppose the order if possible.

Comcast's words are compared to others' actions

[dpbsmith]

"All of Comcast's policies seem to follow the letter of the law, and seem to weigh customer privacy with law enforcement's requests. This is in apparent contrast to AT&T and a number of other telecommunication companies, which have been only too happy to give over subscriber records."

Apples and oranges. "Monk" is comparing Comcast's words to AT&T's actions..

It's nice to know that Comcast is able to write a policy manual that follows the law, but surely a written policy telling employees to break the law would trigger a minor scandal.

Anyone who's ever been in a large organization is familiar with lip-service CYA written policies.

How seriously does Comcast take this policy? Do they give training sessions to the people who need to implement it? Do they back up or undercut the people who go "by the book?"

there won't be russia - u.s. mars mission

look what russia is doing. tsar putin has created a new empire and cold war to go with it, killing free press and political freedom. would-be emperor bush is helping by not taking his head out of his ass for bit of fresh air and the religious right are screaming for crusades. the iss is likely the last bit of space cooperation between the two that you will see.

Verification

I was told more-or-less the same thing when I interviewed at comcast earlier this year.
They also do not monitor outbound traffic at all unless for diagnostic purposes or because of a warrant. I was told, point blank, that they simply 'do not want to know' what is going on with their subscribers.

And to be frank, I can't say that I blame them. Collecting subscriber usage data is more of a liability than anything else these days.

Weight of authority? And anonymity isn't a defense

[TwoHundredOk]

Where did they obtain this allegedly confidential document? If it was leaked, could it have been done exactly for this kind of publicity on internet message boards? And, even if it is authentic, just because these are their policies does not mean that this is how things are handled within the company. Also, it disturbs me that Comcast, an ISP, would use pixelated graphics for its in-house confidential handbooks. Also also, to wit, hiding in anonymity (as other posters have suggested) can only work for so long. To do so is to rely on the inadequacy of their aggregating technology. What /.er would bet on the inadequacy of technology? We must protect our privacy now, otherwise we will condone a world where we lose our rights to it.

That's a bad idea.

[Kadin2048]

If you have OS X 10.4, you can make your own certificates. Yes, you can do this. However, it's a pretty poor idea.

S/MIME is designed to work with centralized Certificate Authorities. If you roll your own CA and issue yourself a self-signed certificate, you'll be able to sign stuff, but people who receive your messages will get a big "BAD SIGNATURE" error or warning, because they won't have your CA in their trusted chain. In order to get it to work, you'd need to get them the CA certificate, and they'd need to import it into their trusted root database. (Which is a security risk -- you do not want to encourage clueless users to start importing certs from every idiot they want to talk to into their Trusted Root.)

It is much better to just get a personal certificate from Thawte or several of the other places online that give them out. Thawte is aimed at people who want authenticated communication; it's not anonymous and in fact they require some form of Government ID in order to issue one. If you want to use S/MIME anonymously or pseudonymously, you're better off going to OpenCA and getting one through them. (Their CA cert isn't included by default in most browsers and OSes like Thawte's is, but at least your correspondents only need to import one additional certificate to recognize yours, and it comes from a basically legitimate institution. That's a lot better than importing random people's CA certs into your root DB.)

Re:That's a bad idea.

[frdmfghtr]

S/MIME is designed to work with centralized Certificate Authorities. If you roll your own CA and issue yourself a self-signed certificate, you'll be able to sign stuff, but people who receive your messages will get a big "BAD SIGNATURE" error or warning, because they won't have your CA in their trusted chain. In order to get it to work, you'd need to get them the CA certificate, and they'd need to import it into their trusted root database. (Which is a security risk -- you do not want to encourage clueless users to start importing certs from every idiot they want to talk to into their Trusted Root.)

Rather than having to install another root certificate, why not just manually verify the certificate with the sender and manually adjust the trust setting?

When I used PGP in Windows, there was an option to set the trust level of the sender's key. When I open up a certificate in Keychain Access in OS X, I can manually set the trust level of the certificate. If I get a certificate that isn't signed by a CA, why can't I contact the certificate owner through some trusted means and verify the certificate that way?

Perhaps I don't understand completely how certificates are issued/trusted, but that's how I see it; if I generate it and use it, recipients can contact me directly to verify it and manually set the trust level. I know that I, and only I, have a copy of the private key, since I generated it locally.

OT: Guns in Iraq

[Kadin2048]

The rule is one rifle (AK-47 or similar) per household for protection, no heavy weapons, explosives, or caches of weapons.

The military isn't so stupid as to ban civilian ownership of all weapons; it would just make the population more exposed -- not just to foreign hostiles, but also to sectarian violence, and the usual criminal elements -- rather than safer.

Oblig. PATRIOT Act fact.

[jackpot777]

http://en.wikipedia.org/wiki/Cheetah's

Gentlemen's clubs are the enemies of Good Americans(TM) and so it's probably right that the PATRIOT Act be used to spy on their owners.

After all, the ladies inside wear g-strings. What do they have to hide?...

Vontage ?

[sodul]

Off topic: why do you keep referring to Vonage as Vontage ?

Logs = invasion of privacy

It's an invasion of privacy that they log identifiable information at all... if anything it should just be generalized information for debugging purposes and that's it.

Thank you for your diligence

[gr8scot]

But just as many people deciding to vote the same way can change a government, a large number of people deciding to make the snoopers' jobs (even slightly more) difficult would quickly outpace their resources available for the task.

Stealing a car and selling it for parts can be lucrative, I hear, once you meet the wrong people. For most thieves, stealing car radios is a more practical goal. Some car owners respond to the existence of car stereo thieves by leaving their doors unlocked, their windows rolled down except during rainfall, and their stereos only loosely fastened to the mounting bracket. I prefer to make thievery of my property, which includes my data, difficult.

Re:Thank you for your diligence

Dear Diligence: I'm trying to think of the parallels in my life to leaving doors unlocked, windows rolled-down, and car stereos held loosely to dashboards when it to comes the scrapbook-themed layout of kiddie porn that wallpapers the background of my Windows 98 Desktop, the daily correspondence I have with Osama, and my worldwide Al Qaida address book. -Jeneric Bozo-

PS: Isn't there seemless plug n' play applet available for encryption.

Re:Thank you for your diligence

Dear Diligence: Do you think I'm worried about your unlocked doors, open windows or loosely-mounted car stereos when I have daily correspondence with Osama, a worlwide Al-Qaida address directory, and a scrapbook of kiddie porn for a Windows desktop theme?

-Jeneric "BusterGates" Bozo-

That works for some applications.

[Kadin2048]

Yes, you can do this. (And in fact, I think this is the way to go on a lot of crypto, e.g., PGPfone or OTR Messaging's fingerprint-verification systems that don't require any PKI.)

However, for email, you may and probably do want to talk to a lot of people that you may never meet in person or communicate with any other way. This makes verifying a lot of individual fingerprints cumbersome -- but if you don't have any other method for proving authenticity, you create a massive security hole for MITM attacks.

So you pretty much need some way of verifying that the public key you're being given matches the intended recipient of the message, without going to the recipient and verifying it out-of-band for each new person you want to communicate with. This requires some form of PKI; either a web of trust where lots of individuals verify each others' identity, and you can find trust paths through the web to virtually everyone else (in theory), or you have centralized "trusted authorities" whose reputation is based on verifying others' identities. PGP uses the first method (mostly), S/MIME uses the second (again, mostly). Either one can sort of be used the other way around -- Thawte's personal certificates utilize a web of trust, and you can have psuedo-authorities using PGP by setting the weight of their trust very high, so that anyone they verify is considered OK. But they both function best when they're used according to their designs.

If you only want to talk to one person securely, then sure, you can generate your own certificate, they can do the same, you can exchange them and verify the fingerprints through some hard-to-forge method (like voice phone). But this only works if you can recognize each others' voices. If you're trying to communicate with someone you've never met before, it's vulnerable to spoofing and MITM (you try to call them, but instead of them, you get the attacker posing as them; likewise, they try to call you, and instead get someone posing as you). It's not a scalable solution.

But for instant messages, where you're probably communicating over and over with a relatively small group of people, and even telephony in many instances, it would be fine. But email in particular is probably not a good match for infrastructure-less PK crypto.