Tap-Tap-Tapping the Net
The IETF will be considering building wiretapping into internet protocols (see previous slashdot story) tonight at their conference; the Washington Post has a story on the subject. A great many civil liberties and technically-oriented organizations have signed onto an Open Letter urging the IETF to reject any attempt to build snooping into the net.
Secondly, why should we care? Anyone doing anything illicit will be using encryption anyway. So catching criminals isn't the issue here. Hell, I frequently use PGP for stuff that I don't consider sensitive - like sending source back and forth between my friends. The only use for a wiretapping protocol will be to let the l335 h4x0r d00ds have a reign of terror on the 'net.
I say to hell with the IETF - Let the chips fall where they may (and they will fall!).
What with this and the recent stories about echelon, it is high time we started encrypting everything that we hold dear. Unfortunately, we can't encrypt everything on the internet.
There was a story some time back about Freedom, a web encryption scheme that encrypts all communication between your PC and the servers you are communicating with. Does anyone have a link, or more info? I have lost mine since then.
Computers can only simulate determinism. ~Hermetic.
Hmm, how do I connect to other computers? SSH.
What if I need to talk about important stuff on IRC? Encrypted DCC Chat.
File Transfers? Easy, compress with a password.
Any kind of protocol for this would be easy to break past. Just remember, they can't watch everyone all the time so they won't watch most of the people any of the time. Encryption wouldn't even have to be extremely strong...just powerful enough for them to not be able to look directly at it. There's FAR too much information out there to decode it all.
- How do the IETF propose to wiretap -AND- have strong PtP IPSec encryption?
- How do the IETF propose to locate packets, given that routers decide paths on-the-fly?
- How do the IETF propose to enforce this, when they are not a regulatory body? In fact, the strongest the IETF can do is release an RFC, which is just that - a request for comments.
- Who, exactly, is going to implement this wiretapping protocol? Even if the entire backbone used it, all you need do is tunnel through and the protocol becomes useless.
- What protections can the IETF impose, which guarantee that the wiretapping would even work, even assuming you -could- find all the fragments of all the packets and re-assemble them all? It's easy enough to modify a TCP/IP stack. A few tweaks here, a few tweaks there, and you're sending valid data which the sniffer will reject, but which your intended recipient will accept.
In balance, I think it's useless, pointless and stupid. Stick to IPv6 promotion. That's useful. This isn't.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
The Clipper chip initiative was supposed to be no big deal, because the government would only use it when they had reason to suspect. When people got upset, a smaller group of people said, "Well, the NSA can probably crack your messages anyway, so why not give them your keys?" (Now, of course, it's being shown that maybe we *aren't* so far behind the NSA-- they probably *can't* break some of the stuff out there!).
The response was simple: Just because somebody can open up an envelope doesn't mean that we send all our mail on post cards. The envelope may *not* help privacy in a lot of cases, but we still use it. It's a matter of principle-- just because somebody can violate your privacy, there is no reason to openly invite them to do so!
Some people have been saying that the government is able to listen in on our communications anyway, so why not add in a provision to allow them to do it more easily?
Simple: we can't *condone* a violation of privacy. Scott McNealy may say that we have no privacy, so get over it, but I'll bet he'd raise all holy hell if one of his employees were to read through all his e-mail.
By implementing a standard that would allow the government the ability to snoop in on our conversations, we are not only condoning such action, but encouraging it! Never, at any time, should we encourage the government to (with or without permission) monitor our communications!
Just my $0.02
Can be patched with fair success at another.
For example, I think it'd be harder to make IPv6 less secure than IPv4, but we have layers on top of IPv4 that are sufficiently secure.
On another related point: will the relaxation on exporting cryptographic source lead to the 'secure linux' patch being merged with the main kernel tree any time soon? Or are there other problems with the patch?
-Yarn - Rio Karma: Excellent
This isn't going to be very popular, but I'd really appreciate some responses from people who've dedicated much more energy to the analysis of these types of questions.
;-)
Now, I say this as a hardcore privacy advocate. I'm not the enemy. I'm a theorist, who wants to know:
Is wiretapping evil?
By that, I mean do people have an intrinsic right to privacy that doesn't end when they begin violating the rights of others?
After all, few of us would complain about the subpoenas that have been delivered unto Tobacco Companies, Microsoft, and hopefully RealNetworks. Subpoenas are after the fact violations of privacy--society is demanding some chunk of personal information from the subpoena'd party. Steganography is designed to defeat such information gathering techniques...but the existence of the technology doesn't mean subpoenas must be evil.
Nor too does the existence of wiretapping prevention technology automatically make wiretaps illegal.
From what I've been able to discern from the literature, there's a slant towards arguing that wiretapping should be difficult--essentially, so it's only used for cases where national security is at risk. Can a system be designed where it is intrinsically difficult, but not impossible for society to spy on certain individuals' communications?
Again, I'm the guy at work who is the point man on SSH, on custom designed secured VPN proxy links (believe me, that actually makes sense), and all these types of technology. But I'm also the guy that, when his friend was attacked by somebody who called her on the phone a half hour before, ran to campus Information Technology demanding the phone logs (and was oh-so-irate when they wouldn't let me write the simple Perl scripts necessary to extract them from the logging port on the switch). And people wonder why IT hates me.
Screaming about how child molesters are being used to justify widespread Big Brother monitoring is all too appropriate...but begs the question, what about the child molesters? Is it possible to shield everyone but expose those who society does need exposed?
At least a government intrinsically possesses citizen oversight. Corporations and "Mafia" style operations have no such limitations, and flourish quite well under power vacuums. A government that cannot keep tabs on such organizations is arguably irrelevant to them--just look at Russia lately.
Sooner or later, I'm going to be taken to task over the secure technologies I'm personally involved with designing and deploying, and I want to be able to reply with something I believe in. I want to be able to defend my position, and I need your help to do so.
So, is wiretapping evil?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
It seems that (according to the Washington Post story) companies who make communications equipment were worried about the Feds requiring their equipment to comply.
This leads me to wonder: Since this has arisen because of IP telephony, is it possible that traditional phone companies, fearing a loss of business to entities who don't comply with wiretap laws, are pushing this proposal? Seems like an interesting conspiracy theory at least.
Anyway, the IETF will probably kill this bad idea.
Fizz
Obviously, this would have to be only the first step; outlawing implementations w/o the trapdoor would have to follow or we'd all just ignore it. Outlawing all other forms of encryption would be necessary too. I don't -think- that there's a chance in hell we'd let it get that far, but I'm not taking any chances. Between the DVD-blowup and this nonsense and the censorship issues, I just went and signed up to be a member of the EFF. Lots of us are tech professionals. I, at least, can put off a memory upgrade on my linux box for a few more weeks for a little peace of mind.
--Parity
'Card carrying' member of the EFF.
The IETF, contrary to many posts here,
(1) isn't the bad guys, and
(2) probably will decide to ignore wiretapping concerns in protocol definitions
The question the IETF is debating the answer to is, roughly, "should wiretapping laws (of various countries) be considered a factor in protocol designs." It's a good and important question to ask and folks shouldn't demonize them for asking it.
That having been said, the answer will probably -- quite sensibly -- be "no."
--G
I hate to tell you all of this, but this is not echelon. This is not a grand government plot. This is about the application of existing law-enforcement techniques (wiretapping phones) to new technology (wiretapping information transactions). The same procedures for getting a wiretap on a phone will be required for getting a wiretap on information transactions.
So, what, exactly, is the problem? Unless you are a criminal, and quite a significant one, you have nothing to fear from the FBI. If you did have something to fear from the FBI, your phone would be wiretapped already, your house will be bugged, and your actions monitored. And no, the FBI does not have the manpower to listen into your phone unless you are quite the bad*ss. Even then, a federal judge has to approve the warrant (the legal document, not the band) that will allow them to wiretap you.
While I feel there are some security issues introduced by this, I hardly think that it isn't worth the value given. I mean, on one hand, some incompetent sysadmin gets his system hacked (and it would have been anyway), or we can't get the information needed to convict dangerous criminals.
I hate to be this way, but I feel that some /.ers are law-enforcement luddites. On one hand, they believe technology is great, and we can use it in new and exciting ways. On the other hand, they believe law-enforcement shouldn't be allowed to expand their existing abilities to take new technologies into account.
I'm just rambling anyway -- really, if ISPs would really be required by law to provide wiretapping capabilities to the FBI, they'll have to figure out some way to do it, regardless of what the IETF says or does.
Jack Valenti and the MPAA are to technology as the Boston strangler is to the woman home alone
I'll worry when the temple is rebuilt. There's a great big mosque there right now. Until then, party time.
If tits were wings it'd be flying around.
Stop for a moment and imagine the government's ideal scenario. They want unhampered access to as many forms of communication as possible. At the same time, they want people to think their communications are secure. That way, people will talk openly, and they can gather more information on the bad guys.
So they say.
How far does it go, though? Take a few sample cases...
Frankly, I think the government can shove wiretapping up its ass. Joe Average is the one who really gets the brunt of their scrutiny. Is our society so paranoid that we must spy on our own people? That's not the kind of life I want, although it gets more that way every day.
Best regards,
SEAL
Tapping is already built into 'the net.'
Anybody ever look at the output from a packet sniffer?
Moreover, there are three key problems:
1. Any protocol for transmitting data can also transmit encrypted data.
2. Any protocol is a software specification, and therefore must be adopted by the industry before having impact on the community.
3. Any Internet protocol must support the wide variety of computers on the Internet, including old computers, legacy systems, and technology being deployed TODAY. Who's gonna upgrade software to facilitate snooping their data?
John
I feel safe with my data, and you can too. All you need is:
-Set up a dedicated secure linux firewall running IP_MASQ
-Install and configure CIPE. Here's the HOW-TO
That allows Virtual Private Networking with 128bit encryption. It's GPLed, and after you get it set up it's incredibly fast (I use it over a cable modem). It's a lot more secure than a NFS+SAMBA solution.
"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
- Amendment IV
It looks to me like they got it right the first time. Nowhere in there does the U.S. Government have the mandate to universally require wiretap ability, but may force it only on specific people or places when justified by probable cause with supporting testimony.
I've seen no politicians stand up and oppose this section of the Bill of Rights, yet far too many try to violate it. I think the U.S. would do well as a country if its politicians read the Constitution once through...
"should the IETF develop new protocols or modify existing protocols to support mechanisms whose primary purpose is to support wiretapping or other law enforcement activities"
"what should the IETF's position be on informational documents that explain how to perform message or data-stream interception without protocol modifications"
Ummmm.. I'm confused...
:-)
Since when the hell did IETF gain any form of actual control? They can release an RFC, right? BFD... It's not like they write any actual CODE or anything..
You don't want people spying on your communications? Use code that doesn't implement that spec. Wheeee!
Does anyone honestly think that, given a choice, an individual would choose a piece of software that is intentionally insecure? Really, given an actual, informed choice, mind you...
IETF has no real power. They can define the spec all they want, just don't use that spec. There's already specs out there which are not tappable. Use those instead. The whole point of the RFC system is "may the best protocol win", right? So.. May the best protocol win.
---
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
The IETF full-well knows that IPv6 will make wiretapping of the internet a moot point. "Yeah Mr. NSA, you can listen to ciphertext zip by, be my guest"...
My suspicion is that this is a way of saying "Nice doggy" to the 'powers that be', because the 'powers that be' can fund backbone upgrades, provide research grants, and lobby in favor of certain protocols and technologies...
This support from the federal government would mean a lot to the members of the IETF, and if the price of the support is providing a back door that leads nowhere, so be it.
The people on the IETF are not as dumb as those twisting their arms are.
Besides, what better way to convince big business to lobby for strong encryption than to show that lack thereof is tappable?
Slickness points to the IETF.
-- What you do today will cost you a day of your life.
Areas are now being color coded. It's on purpose, and it should be consistent within a topic.
:)
I suspect that Rob/Andover is trying to increase ad revenue by increasing membership. Making slashdot contain more eyecandy, thereby attracting AOL users like moths to a lamp.
I just hope that it's actually a bug-light.
Just ignore them. The colors should fade in 8 to 12 hours... Have a nice trip.
-- What you do today will cost you a day of your life.
No, the only people this would affect will be closed source OS users, notably the 90% of PC users who use Windows.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
I use this solely between 3 private networks that need 128bit encryption. This is overkill for everyday usage.
We're different; mappers instead of packers, to use another metaphor recently seen on here. One day the Government could decide we're dangerous and should be tracked. Ever see the Sci Fi show about the kid who's killed because his IQ was too high? (Outer Limits, I think it was.) We innately distrust authority because we've seen what idiots bureaucrats can be, from the school administration who classified us as "Learning-impaired" because we didn't do well in classes that bored us to Pointy-hairs at any given company.
And just because you're paranoid doesn't mean they're not out to get you. Abuses of power within the various three letter agencies are well documented in the states. From the McCarthy witch hunts to the surveillance of assorted leaders of the 1960's to the incidents just recently in WACO and Ruby Ridge, the proof is there that you can be eliminated or harassed for the rest of your life if you attract the wrong attention, even if you're innocent of any wrongdoing. The government and its agencies need lots of accountability and lots of roadblocks to keep such abuses to a minimum. And we need to make sure that every government keeps their hands the hell off the Internet, which will one day be the main medium for communication around the world, not because we're not afraid that criminals will use it and leave no tracks in the real world but because we're afraid that the government will use it to, say, silence a whistle blower who is trying to force some accountability.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Now, the problem with building in backdoors into the fundamental security of the Internet or any system is that it provides the possibility for abuse by both authorities and third party criminals (as opposed to the criminals who are the authorities). If somebody can get access to that back door they can create endless havoc.
The other problem is that with this back door so readily available, authorities will be very tempted to use the door without warrants. If they think you are a bad guy they can sniff your traffic, get enough evidence, then go get the warrant to get the rest of your traffic. And don't think they won't do it. There are countless cases of cops using wiretaps illegally to get information and go after people who otherwise would not be prosecutable. In all likelihood they would surreptitiously just sniff all traffic for naughty bits, and nobody would be the wiser because it is all the kind of stuff locked up in the dark recesses of the FBI and NSA headquarters.
Nah I'm not paranoid...
---
This sig has been temporarily disconnected or is no longer in service