FBI Complains About Wiretapping Difficulties Due To Web Services
c0lo writes with news that the Federal Bureau of Investigation is lamenting the difficulty in executing wiretaps because of "web-based e-mail, social-networking and peer-to-peer services."
"President Barack Obama's administration is debating ways to deal with Web-based services not covered by traditional wiretap laws, including incentives for companies to build in surveillance capabilities, said Valerie Caproni, general counsel at the FBI. Many Internet services are not covered by the Communications Assistance for Law Enforcement Act (CALEA), which requires traditional telecom carriers to allow law enforcement agencies real-time access to communications after a court has issued a wiretap order, she told members of a subcommittee of the US House of Representatives Judiciary Committee. But Caproni told lawmakers she was not asking for expanded CALEA powers. And she stopped short of calling for rules requiring Web-based communication providers to build in so-called back doors allowing law enforcement access to their software, although she said she's optimistic the US government can find incentives for companies to 'have intercept solutions engineered into their systems.'"
They're here to serve us, not the other way around. History shows that when you give the FBI increased investigative powers, those powers are used not to prevent the next 9/11 or OKC bombing, but to spy on dangerous subversives as Martin Luther King and John Lennon.
With power should come responsibility, or at least accountability. The FBI has shown neither.
Would peer to peer services which offer end to end encryption like Skype be required to re-engineer their software to allow government wiretaps? This could be the end of personal use encryption as we know it.
Only criminals use encryption. If you're not doing anything wrong, what is there to hide?
Nothing, of course. Unless you're part of the government. In that case, you're hiding information to protect your citizens.
"Science can amuse and fascinate us all, but it is engineering that changes the world." - Asimov.
allow me to say this:
"PLEASE! WE'VE BEEN WAITING FOR IT!"
Ok, on a more serious note, how long do you think 'til such a backdoor will be sniffed out and abused by people with even less concern for constitutional rights and fewer qualms to abuse such a privilege?
Think about it for a split second. What qualities would such a backdoor have to have? First, it would have to work with all such providers, every single network, and you may rest assured that it will have to follow some standard and possibly even be accessible with a single set of login credentials. And second, the provider would of course not be allowed to monitor or even log such an access to keep them from possibly noticing such an access (of course, only to make sure that no "inside man" could warn the bad guys).
Can anyone, or everyone, here see the possible value for MUCH worse guys?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
If I was an evil politician, I would create and leverage US tax law to provide the economic incentive to those that provide ease-of-wiretapping features into their products. I could sell the bill as a way to further save lives and money as a result of less time and effort spent capturing communications.
But, I'm a nice guy. So I could never run for office.
Life is not for the lazy.
Oh cry me a river!
You'll need an Environmental Impact Statement before you can do that, citizen.
Faster! Faster! Faster would be better!
I can think of about 84,000 good reasons we don't want to make pushbutton law enforcement any easier than it already is.
Watching people is supposed to be resource intensive, that's what makes sure they only do it when it's absolutely necessary.
Here's an idea, I will build in a police API to tap the web messages BUT it will automatically CC all requests to the EFF, ACLU, and Wikileaks. By using the API they agree to the CC up front.
I'm guessing it will be the world's least used police back door.
That's worth several lolz but then you'd have to deal with OSHA's noise level regulations... :)
And here we are seeing a wave of democracy sweeping the Arab world, facilitated in part by these very technologies. At the same time, the U.S. government is positioning itself to prevent those very tools being used against it.
There are still those here who will say that it's hyperbole, but the same tipping point is approaching here. Our real rulers (hint: neither political party, but those behind both) are getting nervous and moving to keep their grip on our society. They have perpetrated the most massive theft in the history of mankind, absconding with trillions of dollars of our money, selling our children into a lifetime of debt servitude while theirs party on; they know it, and we know it, and they're starting to realize that we know it too.
Do what you can, with what you have, where you are.
http://wiki.debian.org/FreedomBox
Inspired by Eben Moglen's vision of a small, cheap and simple computer that serves freedom in the home. We are building a Debian based platform for distributed applications.
Freedom Box is about:
* privacy
* control
* ease of use
* dehierarchicalization
Vision Statement
We live in a world where our use of the network is mediated by organizations that often do not have our best interests at heart. By building software that does not rely on a central service, we can regain control and privacy. By keeping our data in our homes, we gain useful legal protections over it. By giving back power to the users over their networks and machines, we are returning the Internet to its intended peer-to-peer architecture.
In order to bring about the new network order, it is paramount that it is easy to convert to it. The hardware it runs on must be cheap. The software it runs on must be easy to install and administrate by anybody. It must be easy to transition from existing services.
Skype has been on the Infandous Imperial Elite's "Must-Crack" list for a couple of years now. German Intelligence tried first and soon gave up. Then the DoD's DARPA publicly offered a US$50K reward to the black-hatter - *any* black-hatter - who could ably provide *any* Man-In-The-Middle (MitM) solution at all, sans physical access to the box in question.
See http://theregister.co.uk for chronology and related details; just search the site for "Skype" and there you are. Seems Dynamic Key Encryption, when executed on-the-fly in realtime, is one tough nut to crack hands-off. As for Skype Corporation ever being Judicially Forced to backdoor the product:
1) If it were so ordered, well there goes Skype Inc's entire business model. I reckon the matter'd be tied up in court for a while afore any breach i' th' hull ever be allowed, Cap'n. ;)
2) Trust our own homegrown Practical Privacy Providers to come out with a block-um-out add-on widgit right quick anyway, if ever 1) above be implemented. (It's only 65536 ports and there is little likelihood of hardship-in-identification, methinks.)
On reflection, this rises to mind: A really healthy resistance effort, once sparked and fueled by such intrusion attempts as this hypothetical instance, just might simultaneously stop the tap-stream, spoof the outbound IP addy *and* spue forth a fine smelly-brown stream of plaintext keywords of the "Spook-bait" persuasion. (Virginia Langley knows the vocabulary very well, of course.) Indeed: As the Imperial Criminal USAn Police Globalization State attempts each additional intrusive advance in its greedily tyrannical drive to Control Just Everything, more and more able and goodhearted Sovereign Forced-Underclass Citizens the world around shall surely take up the Rallying Cry from Heaven: "DON'T TOUCH MY JUNK!!!!"
Sorted! I'll get me coat now. And that is all! 0{:-)o
>Would peer to peer services which offer end to end encryption like Skype be required to re-engineer their software to allow government wiretaps? This could be the end of personal use encryption as we know it.
They can't really stop personal use encryption at this point. Skype isn't fully open source, but that doesn't mean there can't or doesn't exist open source P2P encrypted communications software. And even if the official maintainers of that software were required to add a back door, the idea that no one would distribute a version with the back door removed is laughable. It's like trying to suppress DeCSS. Moreover, OpenSSL and OpenSSH are BSD licensed -- it's not like adding strong encryption to a communications app is rocket science. (Although for crying out loud, can somebody please fix the OpenSSL documentation?)
I would also expect Skype to strongly resist efforts to make them add a back door, if only because of the damage it would do to their reputation. Everybody knows that back doors are truck-sized security vulnerabilities that tempt black hats like chocolate cake tempts Michael Moore. People use Skype for confidential communications because it appears to be secure. Make it notoriously insecure and an alternative will appear which people will use instead.
Of course, that isn't to say that this proposal is puppies and unicorns and nobody needs to oppose it. People who demand good security -- including criminals -- will use software that has good security and no back doors. But there is still a need to protect innocent fools from organized criminals. Making the software that the average fool uses substantially less secure has the potential to make organized criminals much more effective -- remember, most people aren't terrorists, so intentionally creating a vulnerability that impacts both stupid innocents and stupid criminals will disproportionally impact the innocents because there are more of them.
Here's how it works:
1. Identify the individual you want to spy on. ...
2. Identify the web services you want to spy via.
3. Obtain the SSL certificates of the web services.
3. Gag & Order the certificate authorities named in the SSL certs to create the FBI/NSA a new fake trusted cert.
4. Use the unwarranted wire-tap systems already in place to "Man in the Middle" any connections the individual makes to the web services you wish to spy on.
5. Return the fake cert to the individual, and re-encrypt the data to the web service using the real cert.
6. Spy on the individual as much as you like.
7.
8. Oppress!
Note: If the CA is not a US company, then simply use Verisign or other US company to create the fake certs -- No one checks to see if the cert is actually the one that the domain normally uses...
CAs can make certificates without the domain owner's permissions -- As long as the certificate authorities don't need the domain owner's permission to generate certificates the SECURITY THEATER of SSL will remain intact.
Also Note: FF > Preferences > Advanced > Security Tab > View Certificates > CNNIC ROOT
This is the root certificate that China will use in these types of MITM attacks.
P.S. Remember when a large portion of the Internet was "accidentally" routed through China?
If you don't have anything to hide, why buy curtains?
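The check the comment above says nobody performs, comparing the certificate a server presents with the one it normally uses, sketched as a trust-on-first-use pin store. This is an added example, not part of the original thread; `check_pin`, the `store` dict and the host name `mail.example` are hypothetical, and the two byte strings are constructed stand-ins for DER certificates.

```python
import hashlib
import hmac
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der).hexdigest()


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate a server presents (needs network; unused in demo)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def check_pin(store: dict, host: str, der: bytes) -> str:
    """Trust-on-first-use check: 'first-seen', 'match' or 'changed'.

    A substitute certificate issued by any trusted CA passes normal chain
    validation, but its fingerprint differs from the pinned one. A changed
    pin is never overwritten here: legitimate rotation also lands in
    'changed' and has to be confirmed out of band before re-pinning.
    """
    seen = fingerprint(der)
    pinned = store.get(host)
    if pinned is None:
        store[host] = seen
        return "first-seen"
    return "match" if hmac.compare_digest(pinned, seen) else "changed"


def demo() -> list:
    store = {}
    # Constructed stand-ins for DER certificates (assumption, not real certs).
    usual = b"constructed: certificate the site normally serves"
    substitute = b"constructed: different certificate chaining to a trusted CA"
    return [
        check_pin(store, "mail.example", usual),       # first contact, pin stored
        check_pin(store, "mail.example", usual),       # same certificate again
        check_pin(store, "mail.example", substitute),  # certificate swapped
        check_pin(store, "mail.example", usual),       # original pin still in place
    ]


if __name__ == "__main__":
    print(demo())
```

For a live host, pass `fetch_der(host)` as the `der` argument and persist `store` between runs.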
Fascism begins when the efficiency of the Government becomes more important than the Rights of the People.
And it is always sold the same way.
They want to "protect" you from the "enemy".
So you need to do your part and give up some rights (just for a little while) to make it easier to find the "enemy" hiding among you.
If you aren't supporting their team ... that means you're
a. supporting the "enemy's" team
b. delusional / stupid
c. secretly hate us and really are hoping the "enemy" wins
>I think there are good arguments for giving them the power,
Such as? Despite what the media may try to represent, in real life there are few cases of "evil" people walking free because of legal protections when compared to the many people who have their constitutional rights abused because of this power. The right to expression is also followed by a right to secrecy just as the right to vote is followed by a right to secret ballot. Imagine how less free elections would be if everyone would know who and what you voted for (as ordinary citizens in elections, not as members of congress voting on bills). Just as the right to vote comes the right to be anonymous about what you vote for, so should the right to have secure and secret communication. Of course, just like you can tell everyone who you voted for, so can others hear, listen or read what you communicate, but the right to be anonymous (if one chooses) is needed to ensure a free society.
Taxation is legalized theft, no more, no less.
You are aware that your emails are sent in plain text unless you only send email to people whose servers support an encrypted connection? Most do not.
STARTTLS has been around for awhile now. Are you sure that "most" servers don't support it?
A lot of larger financial institutions are even beginning to require other companies they do business with to enforce TLS encryption when communicating with them (so, for example, if you do business with JP Morgan/Chase, they want you to configure your outgoing SMTP server to refuse to deliver mail to JPMC's servers if a TLS connection fails, bouncing the message to the sender instead of falling back to plain text).
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
>If you're not doing anything wrong, what is there to hide?
Wrong answer: If I'm not doing anything wrong, then what are you doing looking?
Everybody's got something to hide, but most do not have anything illegal to hide. Every person should have the right to at least some data that's completely private to all others. Seems like it is a basic human right. At least until they develop direct brain-reading, which probably isn't too far from now.