AT&T's Plan to Play Internet Cop
Ponca City, We Love You writes "Tim Wu has an interesting (and funny) article on Slate that says that AT&T's recent proposal to examine all the traffic it carries for potential violations of US intellectual property laws is not just bad but corporate seppuku bad. At present AT&T is shielded by a federal law they wrote themselves that provides they have no liability for 'Transitory Digital Network Communications' — content AT&T carries over the Internet. To maintain that immunity, AT&T must transmit data 'without selection of the material by the service provider' and 'without modification of its content' but if AT&T gets into the business of choosing what content travels over its network, it runs the serious risk of losing its all-important immunity. 'As the world's largest gatekeeper,' Wu writes, 'AT&T would immediately become the world's largest target for copyright infringement lawsuits.' ATT's new strategy 'exposes it to so much potential liability that adopting it would arguably violate AT&T's fiduciary duty to its shareholders,' concludes Wu."
Nothing new here
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
Yea, that's the whole point of the article, you should really try and read it ;-)
Probable impossibilities are to be preferred to improbable possibilities.
Aristotele
I think you misunderstand how a Virtual Private Network works. The first thing you must understand is that there is no spoon^W ports. Once you realize that there are no ports, then you only need to route packets over a secure channel that's indistinguishable from valid business. Is this user networking with his small-business employer, or a pirate spreading illegal wares? Impossible to tell from the traffic itself.
Javascript + Nintendo DSi = DSiCade
Listen, they paid enough to get the common-carrier laws written so they would be immune from prosecution. What makes anybody think they won't just buy new laws that allow them to police traffic but still enjoy immunity? They are doing it for the children, after all...
This issue isn't just limited to AT&T customers. It affects everyone because AT&T is a tier 1 provider, meaning that they provide backbone access for several ISPs. They are looking to sniff *all* traffic, not just traffic of their DSL customers.
Nick
"A plan fiendishly clever in its intricacies"- Homer Simpson
You must be new. The law will just change to be in AT&T's favour before that ever happens.
I know that ssh takes steps to store the public keys and warn you if they've changed. Why would it bother doing that if man-in-the-middle attacks aren't possible?
Party A contacts party B, and gives out its public key. This can be completely, 100% "in the clear". Party B replies with its public key. Party A uses party B's public key to encrypt a random number, and sends it to Party B. Party B decrypts this random value, and re-encrypts this random value with Party A's public key, sending it on to Party A.

My understanding is as follows:
Party A contacts Party B and sends its public key. Party E (evil guy) intercepts this public key and replaces it with his own. Party B replies with his public key, which is also intercepted and replaced. Party A and B are now "encrypting" the traffic with the public key provided by Party E, who decrypts it, and re-encrypts it with the original public keys provided by A and B prior to forwarding that traffic on to them. Party E now has access to the complete conversation between A and B, who are none the wiser, unless they have an outside method of verifying the keys they received.
I fail to see how an exchange of a random number stops this, when Party A never actually received Party B's key to begin with, because said key was replaced by Party E.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
Mind pointing out which section of that answers my question, because I don't see it? If you are transferring the keys across the internet then they are vulnerable to being intercepted and replaced with a different key. I fail to see how you stop this without a trusted source that can sign (or otherwise vouch for) the encryption keys used for that session.
How about the first paragraph... "Out-of-band is a technical term with different uses in communications and telecommunication. It refers to communications which occur outside of a previously established communications method or channel." Seeing as how this is a discussion about AT&T messing with stuff in the communication channel, I would think it was obvious. OOB communications would be a thumb drive, shipping a configured router, telling you the shared key over the phone (not AT&T phone), or a properly encrypted e-mail.
In a nutshell, a "man-in-the-middle" attack is no more to be feared than a "dictionary" attack on a password: the attack only works if the security is implemented poorly. In the same way that you wouldn't say, "They use a password? How useless -- simply do a dictionary attack!", you would not say, "Encryption? Just do a man-in-the-middle attack!"

For the same reason that they warn you when you change your password: "Your password is too short!" or "Your password is dictionary-guessable!" etc. Why would it bother doing that if dictionary attacks aren't possible?
You said:

This is a common question about public key encryption. I'm going to quote my own post:
Hope that clarifies things for anyone who's still confused about WHY public key encryption works. The GP poster is correct.
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
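The check that ssh's stored host keys and an out-of-band fingerprint comparison perform against the key substitution described in the comments above, as an added example that is not part of any comment in this thread. The `KnownHosts` class, the host name `b.example` and the key blobs are hypothetical and constructed for illustration; only the fingerprint format (unpadded base64 of SHA-256 over the key blob) follows OpenSSH.

```python
import base64
import hashlib

def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

class KnownHosts:
    """Hypothetical in-memory pin store, modelled on trust-on-first-use."""
    def __init__(self):
        self._pins = {}

    def check(self, host, presented_key, oob_fingerprint=None):
        seen = fingerprint(presented_key)
        pinned = self._pins.get(host)
        if pinned is not None:
            # Later connections: any different key is flagged, never silently accepted.
            return "ok" if pinned == seen else "KEY CHANGED"
        if oob_fingerprint is None:
            # First contact with nothing to compare against: pinned on faith.
            self._pins[host] = seen
            return "pinned-unverified"
        if oob_fingerprint == seen:
            self._pins[host] = seen
            return "pinned-verified"
        return "rejected"  # key on the wire differs from the one read out of band

def run_scenarios():
    # Constructed sample data: fixed byte strings stand in for public key blobs.
    key_b = b"constructed public key blob of Party B"
    key_e = b"constructed public key blob of Party E"
    out = {}
    # 1. Substituted key on first contact, no out-of-band check: it gets pinned,
    #    and B's genuine key is what later looks like the anomaly.
    kh = KnownHosts()
    out["first_contact_blind"] = kh.check("b.example", key_e)
    out["genuine_after_bad_pin"] = kh.check("b.example", key_b)
    # 2. Same substitution, but A obtained B's fingerprint over another channel.
    kh = KnownHosts()
    out["first_contact_oob"] = kh.check("b.example", key_e, fingerprint(key_b))
    # 3. Verified first contact, substitution attempted on a later connection.
    kh = KnownHosts()
    kh.check("b.example", key_b, fingerprint(key_b))
    out["later_substitution"] = kh.check("b.example", key_e)
    out["genuine_again"] = kh.check("b.example", key_b)
    return out

if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```

Scenario 1 is the case the thread argues about: pinning alone only detects a change after the first connection, so the first key still needs a channel the interceptor does not control.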
To give a very abbreviated answer, the network effect for this has not yet taken off. There has been no technical barrier to widespread encryption for over a decade, but there are two social barriers which remain to be overcome:
- Education: In order for you to use crypto, you have to know how it works. Most other technologies are not like this, in that they can just kind of operate in the background. But cryptographic communications operate between defined endpoints, and you are one of those endpoints. Understanding takes considerable effort. At minimum, people need to understand how asymmetric crypto works in both message signing and message encryption, and they also must develop some insight into what motivates key distribution, because otherwise they won't be able to make sense of the public key infrastructure in which they must participate. I think it's important enough that ultimately it will be taught as part of the standard school curriculum. But we're a long way from that at the moment.
- Sequence: Message encryption is the last in a fairly involved series of steps. This delays the network effect. Participants first have to generate their cryptographic keys and then have them signed by a trusted third party. Then they have to begin signing their own messages with them. As these messages go out, a side effect is to distribute the public keys which are in turn necessary for message encryption. Finally, participants can begin to encrypt messages.

So, there's an elaborate sequence of events, each with a big activation threshold, that have to be crossed in order to trigger the network effect. Until you see a lot of cryptographically signed emails, for example, you can safely assume that there are not yet a lot of encrypted emails in circulation. And the same will be comparably true of any other encrypted protocol.
This explains why adoption has proven to be very slow. There have been many early adopters, of course, but so far evidently not enough to inspire the public at large.
The good news is that we've seen this kind of phenomenon lots of times before. The Internet itself was widely ignored for a long time, despite being completely satisfactory from a technical perspective. Something eventually kicks it into public awareness, and then, if those of us who engineer these things have done our job right, it takes off without a backwards glance.
Parity: What to do when the weekend comes.