IETF Rejects Wiretapping
Declan McCullagh of Wired covered the IETF meeting last night, and his report notes that the IETF rejected creating any sort of wiretapping standard. However, the companies who build routers and similar networking fundamentals stated that they would still move ahead with implementing tap-ability into their equipment, so the IETF action is a hollow victory: your Internet communications will still be easily tappable.
"I'm a little concerned about [this anti-wiretap sentiment]. Clearly not all wiretapping is illegitimate," one Cisco engineer said.
Herein lies the problem. As long as people can see one use for something, all the adverse effects become secondary. Some criminals are caught by wiretaps, so everyone should be tappable.
This may be a specious argument, but if you nuke a city (say, Seattle), then you'll kill millions of innocent people. But it's okay, because you'll get some criminals, who'll never mug an old lady again.
Now most of us are not in a position to select basic infrastructure equipment for the Net. Will those who are be allowed not to choose routers that aren't wiretap-enabled? Or will official and not-so-official pressure force them to?
It seems to me that the vendors who decided to continue with plans to make their equipment tappable are voluntarily taking part in a very strange experiment.
The way I see it, since there will very clearly be other vendors who do not insert tapping abilities into their equipment, the ones that do are going to find out just how important an issue this is to the people who buy their equipment.
Most IT people I know have a thing about civil liberties, and I suspect that those companies that put backdoors into their products are going to get hurt in the marketplace because of their decisions (as long as there are alternatives to their products). It will be very interesting to see if the people who buy the network equipment will be willing to put up with a back door, or if they will simply find ways around it (the most obvious of which is to simply not buy the goods with the back doors built in).
Let the experiment begin...
Impossible = A fun challenge
Cisco can implement wiretapping in their IP telephony devices; however, this can't affect any non-telephony traffic, or even telephony traffic that doesn't use their devices. In other words, people who want to have a secure channel will still have a secure channel, as long as they don't use normal voice over the phone (which was never secure in the first place). What the IETF was asked for was a modification of protocols, so that wiretapping could be achieved in any protocol's implementation, which would definitely defeat security.
Contrary to the popular belief, there indeed is no God.
This is just plain _wrong_. Does anyone else have flashbacks to Big Brother, or is it just me? Why would a private organization have _any_ responsibility to the FBI to make things "easily tappable"? If it's easy for them, is it easy for any ol' hacker as well? Just telnet in, "come get your 0day logs here!"
This sort of thing in private industry makes me just plain sick to my stomach. I'm not an American, but I worry because this nuttiness finds its way north of the border sooner or later. I thought America was supposed to be the land of the free, yet as an outside observer I see your rights getting quickly taken away in the name of either a drug-free (even your politicians smoke dope!) or protecting children (duh, that's what parents are for).
For example, in Canada, almost _no_ organization will require drug testing for engineering work - yet this is the opposite case in the US. Perhaps when they start looking for DNA samples, protests will start?
Federal screwing with the internet has to stop. Making the internet easy for the feds probably will make it possible for any MORON to play with your router logs.
Answer with your wallet - don't buy hardware that supports features like this. Until people stand up, you'll continue to get walked over. But why worry, you have nothing to hide, right?
Instead, buy hardware that supports idiot-friendly secure encryption, and I don't mean 48 bit DES, either. If the net is encrypted, who gives a flying @#$@# who's listening. They can get a court order to make you turn over your keys - just like they can do for your house.
Kudos..
..don't panic
Correct me if I'm wrong, but shouldn't good encryption make any sort of wiretapping pretty much useless? Granted the government could find out that you sent packets to a given IP, but they wouldn't know what you were saying?
It's really quite simple. All you have to do to make the wiretapping useless is to encrypt everything using strong encryption (i.e. 128 bit or longer RSA keys). So SSH, PGP, and other tools it is. Now all that needs to be done is make all web servers secure.
...si hoc legere nimium eruditionis habes...
Why are they so interested in tapping my extremely important, encrypted, grocery list?
If everything important or illegal ends up being encrypted without back doors in the encryption method, why will they still want to tap? My guess is it is for those not knowledgeable enough to encrypt their conversations. Criminals can do some pretty stupid stuff. Just watch America's Dumbest Criminals, if it is still running on the air.
The Echelon *email* concerns have always struck me as an unfeasible approach, given tapping the wire itself is (or at least has been) so much more achievable than getting ISPs to help the spooks in an organised fashion.
I wish I could recall the URL for the public guardians_of_the_law-ISP dialogue that went on in the UK a few months back, made this whole set of points about ISPs incurring costs for spook-work and jurisdictional difficulties and lack of guardians_of_the_law technical know-how.
And I also recall thinking how it was all a blind, given the spooks can almost certainly do all this stuff when they want to anyway.
To be honest it must be like herding cats getting the ISPs to pitch in when the spooks want, but the major carriers and infrastructure companies...they can be arm-twisted much more effectively.
Certainly that's the situation that seems to pertain here in the UK with BT, GCHQ, the NSA and the old-boys network.
The IETF, as a body of erudite folk, knows that it can specify, and pontificate, and stay well on the side of right (well, spooks are sinister, aren't they?) and get away with it because the spooks have other ways to get what they want. Heck, even though the IETF tries to be de jure, the Internet itself tends to be de facto, so whatever will be, will be.
Guess we'll need IPsec, and ssh, and whatever else we can get even more than ever now that the router giants are kowtowing along with the wire-owners.
Score one for the spooks.
...an Englishman in London.
I'll say it one last time: Use SSH.
Get it. Use it. Turn the encryption up as high as your paranoia likes. Get it, use it, and stop worrying about packet sniffing. You have plenty of other things to worry about...
-Ben
So support you local Mom&Pop ISP!
Requiring wiretapping capabilities hurts the national security of our country.
The new threats of encryption and the Internet manifest new challenges to the NSA and FBI. There have been new challenges emerging every generation since people baked messages into clay envelopes two thousand years ago. We need to seize creativity to solve the problem, not brute force.
Human nature prefers the easy way of using the advantages we gained from the genius at Bletchley Park, from half a century of great SIGINT, and from one of the largest factories of intelligence operations ever made. Human nature prefers to work with well understood technology and process.
Still, our continued intelligence community lies in countering emerging change by intelligence, guile, and advancement. If we allow our intelligence groups to become lazy, relying on ever greater search powers, then they will be useless and clueless when a major threat arises.
If we permit NSA and FBI to have wiretapping capabilities, they will be lazy, useless, and clueless to prevent concerted attacks on the US.
A Devout Capitalist
Profit motivates invention
Profit motivates invention.
Of course even then you can trust them .... safety is in big numbers ...
tapping is good. it helps people get away from things like drugs,pornografy,rape,and like helps the children and stuff. people you can trust the fbi,cia,and nsa and stuff...there here to protect us!!! they are good for people!!! this tapping will be good cuz it will totally eliminate terrorism!!! 100% gone!!! and it will stop all child pornografy!!! support this and buy stuff that is tappable!!! it will bring like world peace and stuff!!! tapping is cool!!!! i hope im being tapped!!! ok like i have to go now cuz like this man says i have to take medication or something!!! i think hes from the cia!!! i can trust him!!!
Even if they implement some wiretapping feature, users can still choose to encrypt the data that is transmitted. I mean, aren't they forgetting that? Anyone who is serious about their security - hence worth tapping - is going to encrypt their stuff. Sure it could be cracked, but that takes a lot of money and makes minor individual privacy issues go away cuz they're not gonna spend 100 grand to crack some pirate's email heh.
While there is a lot of unnecessary drug testing going on in the US, I don't think there are many companies that demand drug tests for engineers or other white collar workers. Too many of their productive employees would have to be let go.
If drug testing is common in engineering jobs in the States I'd like to know, so I don't go to work and find myself forced to resign, because I'll be damned if I have to pee in a cup for somebody to tell if I'm a good worker.
--
"L'IT c'est moi!"
At an IIA meeting in Sydney, Australia around March or April, there were a couple of speakers from the NSW Police Service - Child Protection Enforcement Agency.
The obligations outlined to ISPs in that meeting were that once a valid warrant had been issued, ISPs were obligated to capture all the packets entering and leaving a user's account. Those packets would then be turned over to the police force, whose responsibility it would be to decode them. The ISP would not have to decrypt or de-encode them, only capture them as they went from the router to the modem.
These cases were in the prosecuting of Child Porn offenders.
Just some food for thought
The MyTh - I am a figment of the Imagination - [Im Probably even not here]
but Redmond on the other hand....
I would have said D.C., but that's probably a threat to the President and I'd have the Secret Service on my ass and have to give them my por^H^H^Hcomputer files.
(note to the humor impaired: I don't condone nuking anybody or even killing anybody for that matter, even criminals. I know Microsoft is mostly in another town next to Redmond.)
--
"L'IT c'est moi!"
THERE ARE TO BE NO tR0lLz HERE! tR0lLz ARE ILLEGAL . QUIT BEING A GOD DAMNED tR0lL AND BREAKING THE LAW!
MODERATION RECOMMENDATIONS:
Score: 5, Insightful
Sounds like it's time to start rolling your own routers. Whip one up with OpenBSD, and use IPSEC and SSH for everything possible. Show the industry that if they're intent on building in wiretapping, we won't give them our money.
To look at it from a different angle, though - if wiretapping becomes common, maybe people will have more motivation to develop and implement stronger security and cryptography measures.
-lx
If you catch a criminal and you look at who he emailed around the same time, you learn stuff, much like phones. Why did the husband mail his wife's murderer's hotmail account a day before, etc.

That's the crime angle. The big one is the tax angle. Uncle Sam's nightmare scenario goes like this.

IBM, Microsoft, GE and other big vendors all use people like Visa. Visa start doing encrypted transactions. Companies start neglecting to mention this kind of fund transfer in their tax returns.

Next stage. A company like Visa creates a private cryptographically managed currency of their own. Everyone opts to use it and hard crypto; the US tax man only sees transactions into US currency space.

Shortly after, the USA, bankrupted by massive tax revenue, basically suffers a total collapse of government power.

Welfare collapses, leading to riots. The army can't be paid, healthcare goes totally cash upfront, the education system fails.

Whether a massive loss of Government is good or bad is a complex political question to most people, but if you are a politician it's easily answered.
Alan
"I want a tap on every router, gateway, firewall, bridge, hub, NIC, in every ISP, MIS, TS, and IS department in a 50 mile radius. That packet is not getting away from us!"
In effect, it would take taps on EVERY one of those to catch any data that comes through, because as I understand it, anything sent through the net could take multiple paths (which is why video over the net sucks).
And good luck catching it in time. While the net may not be lightning quick, it's still VERY fast on a good pipe. Much faster than a person on foot, a package in the mail, or someone talking on the phone.
I say, good luck trying to tap anything. What you do get would be encrypted most likely.
So support you local Mom&Pop ISP!
My local Mom&Pop ISP got bought out by RCN...
--Parity
'Card carrying' member of the EFF.
Didn't the US gov pass a law that requires telco equipment manufacturers to incorporate 'clear text access capabilities' into their products if they want to sell them in the States?
did they not also pay the telecom industry giants $500,000,000 to implement this?
gunderwo@hotmail.com
i think ne 1 who uses encriptoin should b put in jail 4 life. it cauzez terrorizm witch sux
But, in general, it isn't always easy to vote w/ your dollars. 1st you have to know that the issue exists. Then you have to figure out if the company you're dealing with is producing the product or service in the way you want.
This can get really tricky when local, national and global politics get involved. Industries lobby to hide information from the consumers when full disclosure would cost sales.
Ben and Jerry's had to fight to be allowed to mark their ice cream as "bovine growth hormone free" since such labeling had been made illegal in the US.
But remember that the World Trade Organization has been getting heavily involved in this area and has global jurisdiction, so Canada isn't completely safe from this madness.
- bridgette
We still need popular mailers to get PGP support. I still can't get my Unix and Mac using friends to switch to using PGP for everyday chatting, because they use Elm and Claris Emailer.
I figure I might be able to talk my Unix friend into mutt (or something else -- other suggestions?). But what about the Mac guy? Anyone know of any Mac mail programs that easily support PGP?
---
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Just today, our work network suffered an 'IP event'. Packets were getting dropped on the floor left and right for about a quarter of the workstations on the segment. Can't ping off-site, can't ping on-site, can only ping loopback, can't read slashdot!!! Turns out the hub went goofy and the higher numbered ports were squirrelly.
IT decides that this would be a great time to switch from the old I-forgot-the-brand hub to the newer and better one from Fore. After the switch, NOBODY could even log in. 200+ engineers standing around drinking coffee - this time with a good excuse. So we went back to the old hub, and all was well for the rest of the day.
Today I lost faith in anything that comes out of Fore Systems, hardware, comments, anything.
-- What you do today will cost you a day of your life.
Just like not all phone tapping is done by the government, not all wiretapping has to be done by the government either. Companies can choose to tap the phones of their employees; they might also want to be able to wiretap their routers. And before you say "Well, they shouldn't", I say "Yes, they shouldn't, and wouldn't it be nice if they had no reason for it?".
-- Abigail
Y'know, usually I vote along against the whole Big Brother project but not when it plays against our improvement of the web. I do a lot of network admin and I am always trying to tweak things here and there. Without the ability to snoop I couldn't diagnose which server out of 100 is acting up. Give me more control of router logs and let me clean up this awful network of hodge podge NT systems dirtying up my network. -Camelot is a silly place.
What purpose does it serve for the hardware companies to implement the ability for wiretapping in their equipment? Does the government give them an easier time with taxes or other stuff if they go and comply with non-existent standards, or what? I don't get it.
SuPz.orG
Hey, look on the bright side. You saw what kinds of problems lack of interoperability caused in the early UN*X products - remember how fractured that was, and how hard it was to get anything working? *evil grin* Now the FBI gets to get some of that. Hope they find a solution.. they got a few trillion to waste on developing ways to get around incompatible standards, right? *very evil grin*
--
Okay, nuke it!
I was at the plenary last night, and neither the IETF, the IAB, nor the IESG issued a formal statement. Slashdot may want to go with a more reliable news source.
There was definitely a lot of opposition to the wiretapping proposal, but there was some support for it as well. Recordings of the multicasting of the plenary will be available at imj.gatech.edu. You need the multicast tools to view it.
OTOH, if a protocol (software) is made tappable, then ALL hardware that passes or processes that protocol becomes a potential tap point.
It seems to me that keeping the protocols tight is the way to go, and then require taps to be applied only on and at compliant hardware.
With hardware, most features, such as tappability, can be disabled as part of the hardware setup and configuration. With a protocol, there is no such protection, no "off" switch. Either the protocol traffic matches spec and is passed, or it violates the spec and is dropped.
Finally, if someone wants to tap your digital communications, they must first ensure that your packets pass through a piece of hardware that is enabled for providing taps. That, in turn, may require that router tables be altered, or additional hardware be installed, both of which may be detected in a variety of ways. And that may let you know that you are being tapped, though it would not tell you by whom or why.
So, tappable hardware would appear to have a close analog to land-line telephones, which have supported taps since their inception, and have fairly good legal protections in place. A broken protocol would be more like listening to an analog cell phone conversation: Almost anyone could do it.
Claris Emailer 2.0 supports PGP quite nicely, if you can manage to track down a copy.
Eudora also supports PGP.
But then again, I could be wrong.
Isn't there a version of Eudora for mac?
I think you should be allowed to piss on anyone who wants you to piss in a cup.
"Oh, and here's a shit sample, too. No extra charge."
*smear*
Fucking Nazis.
There are many more questions associated with these types of policies. Which countries are going to have access to these protocols? This will have to cause problems when it comes to setting encryption limits on exports. Obviously, if only the US can snoop, other governments will want high encryption. There will be the demand, and the US gov won't let our country supply. On top of everything, how can it be legal for the companies to continue this? I'm going to petition the UCLA to stop companies from doing this. When the government does it it's bad enough, but there is no way the private sector could initiate something like this on their own legally.
I had a very fun lunch with an OLD friend of mine who happens to be another Linux fanatic of long standing AND involved in a major router company. This topic was one of the many we covered and I learned something.
ISPs use the very same wiretapping feature to debug such mundane things as why a customer's PPP dialup isn't succeeding! He said that their equipment had ALWAYS had this feature for the very simple reason that the customers (ISPs) demand it!
Someone earlier said that just because there is one legit reason for a feature, the possibilities for abuse are far greater and should be the deciding factor. Isn't this the VERY same argument being used by the DVD consortium against the CSS code release??????
Hmmm....
Have you compiled your kernel today??
Thank you. :-) I'll suggest those to him.
---
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Points along the middle of the net have always historically been assumed to be insecure. It's just being officially announced now. For the users at the ends of the com traffic, nothing has really changed. Just encrypt, send, decrypt, and you'll always be safe.
I would like to see all web sites running SSL all of the time and plaintext HTML disappear. The major Linux distros could make this easier and expedite the changeover by preconfiguring a secure SSL default Apache setup and redirecting all requests to port 80 to the secure page for backwards compatibility.
who is better satisfied with a low score than an high one?
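The "SSL by default, port 80 only redirects" setup the post above asks the distros to ship, written out as an added Apache httpd configuration example (not code from the thread or from any distro). It assumes mod_ssl is loaded and uses placeholder values for the hostname (www.example.com), the document root and the certificate and key paths; the certificate still has to be one the visitor's browser trusts, which is the part a server config alone cannot solve.

```apache
# Added example: serve a site over HTTPS only, keeping a plain-HTTP
# listener solely to redirect old links and bookmarks.
# All hostnames and file paths below are assumed placeholders.

Listen 80
Listen 443

# Plain-HTTP side for backwards compatibility: no content is served here,
# every request gets a permanent redirect to the same path on the HTTPS site.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

# The real site: SSL/TLS enabled, serving the document root.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/html

    SSLEngine on
    # Assumed locations of the server certificate and its private key;
    # the key file must be readable only by the user Apache starts as.
    SSLCertificateFile /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
</VirtualHost>
```

After loading this config, a request to http://www.example.com/page returns a 301 to https://www.example.com/page, so a sniffer on the path sees only that first unencrypted request line and the redirect, not the page content or any form data submitted afterwards; the first plaintext request itself is not protected by the redirect.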
A lot of companies have these policies as it is a condition of getting government contracts.
I'm a software engineer working for a data networking company, and I'm working on our project for residential Voice over IP - so I have some knowledge of these issues.
Basically, the Communications Assistance to Law Enforcement Agencies (CALEA) act passed by the US Congress in 1994, requires "telecommunications providers" to provide tappability on any and all telephone calls they may carry. There are also some reasonably stringent requirements on the nature of the tappability, so a token effort will not suffice. For any residential phone service to be approved by the FCC, it will have to satisfy the requirements of CALEA. Companies or the IETF really have no say in the matter. The only people who can change this are Congress (not even the Supreme Court, unfortunately, because they have already ruled federally approved wiretapping to be legal).
Now, this applies only to so-called "telecommunications providers", i.e. people who provide a phone jack in your house (be it through a DSL line, cable modem, or whatever). If the phone signalling protocols are modified to perform this function, then they will also end up affecting all signalled calls going through voice/data routers - whether they are signalled from black phones or from PCs masquerading as phones. Again, this will almost certainly happen.
The only place where there isn't an existing law is for tapping data flows on the Internet (which may happen to be voice flows, perhaps through a conferencing tool like NetMeeting). The issue was raised that these flows will have to be policeable. Further, given the current federal stance on wiretapping and information gathering, it is a near-certainty that the FBI will move to have a law enacted which enables them to tap any data flow (identifiable by a source/destination IP and/or port number). Congress will have no trouble in passing this law. Again, once it is a law, the IETF or anybody else will have no say in the matter. ISPs will require this feature to stay licensed, and therefore networking companies (i.e. us) will have to implement it in order to stay in business.
Just about everybody in my company who works on this is pretty much unanimously unhappy about it. Some people have even advocated not implementing CALEA-compliant tapping capabilities just to "see what happens". Needless to say, that will not happen. That doesn't stop us from thinking that it sucks, though.
--
I wanted to call myself Anonymous Coward, but it was already taken by somebody.
- I wanted to call myself Anonymous Coward, but that name was already taken by somebody
The real effect of making current tax systems impossible to administer will be simpler and more transparent tax systems. Making life for the tax man easier has never made anyone else's life simpler or easier.
What really makes the above prediction seem ridiculous is the fact that the U.S. grew to become a world power while taxing at a rate less than one-third the current rate. It is much more likely that any large decline in taxation would bring on a new golden age rather than a disaster.
I wrote parts of this stuff
I'm sending this from the IETF meeting network in the Omni Shoreham hotel in Washington D.C. I was present for the entire discussion yesterday evening. This article is misleading: a definitive and final decision by the IETF was not made.
This discussion, held during the regular plenary session which is part of every IETF meeting, was simply another form of input to the IESG (Internet Engineering Steering Group) and IAB (Internet Advisory Board). The "vote" was not exactly as the reporter said, I'd say the number of abstentions was close to (maybe even greater than) the number of people opposing aiding wire-tapping. The reporter does not seem to understand the IETF method of discussion and consensus building.
For much better coverage of this story, I suggest reading the Network World article. It does a much better job of reflecting reality as I remember it.
Networks of Steel my ass. If you need it up and you need it to STAY up you need shit from Cisco. Our Cisco stuff keeps going and going and going long after the crap from Bay and Cabletron has died.
Bill - aka taniwha
--
Leave others their otherness. -- Aratak
slashdot is loading faster for me, maybe the colors keep the non-nerds out.
My ISP, if they wanted to, could fire up tcpdump or any other sniffer on the market and listen to all my packets right now. You don't need anything special on the router or anywhere else to get this capability. And if I decided to encrypt all my outbound traffic, nothing on the router would make a damn bit of difference over what we already have. So any router manufacturer who implements this feature on the router will simply be weakening the security infrastructure for no appreciable gain. And I think that's funny.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
OF COURSE the companies will please the spooks.
In any event, if you really want to prevent tapping, you MUST encrypt. End of story. The standards are there, the software is there, use it.
Nate
But you should note, a 128 bit RSA key can be cracked in no time. A better idea is 128-bit or longer conventional encryption keys, and 2048 bit or longer RSA keys (I would say 1024 bit, but recent factoring successes with 512-bit keys are making that number look a bit less secure, as 768-bit keys already are getting feasible to crack.)
Nate
We still need popular mailers to get PGP support. I still can't get my Unix and Mac using friends to switch to using PGP for everyday chatting, because they use Elm and Claris Emailer.
Elm-ME+ 2.4pl25ME+60-1 has PGP support.
I don't think this is a hollow victory at all, even if the companies go ahead and screw us over with or without the IETF (Did you ever think better of them? The state and the industry have been each other's whores for the better part of this century.)
However, this battle was never about whether they are tapping Internet nodes or not. The Internet is already tappable. The FBI can do it, a skilled hacker can do it, and the NSA is most probably already doing it. If you want your communications to be secure: encrypt them. If you don't, there is no reason to think that people aren't, or to argue that they shouldn't be, listening.
What this was about was the integrity of the IETF, and by extension the Internet community. I think that if the IETF had gone ahead with this, many of the ideals that have driven the Internet until today would have been run over once and for all. A yes to collaboration would have been a confirmation that the Net and Web had become nothing more than a PR playground for Disney and Microsoft. But by rejecting this, the IETF has shown that there is more to it than that: that there is still a thread of revolution in the very nature of connectivity, even if you have to dig through a lot of dancing baloney to find it.
That is not a hollow victory...
-
We cannot reason ourselves out of our basic irrationality. All we can do is learn the art of being irrational in a reasonable way.
Police and law enforcement officials have been able to tap phone lines almost since the phone was invented. Do any of you still use the telephone? It's even easier to listen in on open-air conversations. Do any of you still speak in public?
Bottom line: It's not that big a deal. Don't get so worked up over it!
- A.P.
--
"One World, one Web, one Program" - Microsoft promotional ad
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Let's all keep in mind that there are two different methods for tapping communications over the Internet.
Method one: Use a physical device attached to the router in order to monitor traffic. However, keep in mind that this method requires no special hardware on the router side of things. Anyone could build a device to work with current routers to do this with little trouble. Remember: TCP is an unencrypted protocol, everything's plaintext..even your passwords.
Method two: A software based tap built into the software of the router that can be activated remotely. This is the one that would have to be "implemented" and it is the most scary, because if it can be done remotely by the FBI, it can be done remotely by ANYONE. Just as long as someone is significantly motivated enough to figure out a way to break the security (and I think it's been proven time and time again that any security can be broken if there is reason enough to and with enough time).
If it's method two that they want to implement, then we should all get off our asses and bitch like hell. This jeopardizes what little security TCP has, besides just being a blatant violation of privacy.
Just wait till the first cracker figures out the scheme and starts watching .gov routers for telnet logins/passwords. I wonder if Big Brother will be too keen on this idea after that.
-Cyberllama
I'm not really sure that I see what the problem is here. I'm all for wiretapping, and here's why:
The internet has never been circuit switched. You shouldn't really have a reasonable expectation of privacy, and I mean that in a literal, not a legal, sense.
People can "tap" your "line". Somebody who wants to illicitly eavesdrop on this connection I'm using right now could simply rent a house in vaguely the same part of town and get a modified cable modem. If he had his own nifty equipment, he wouldn't even have to get the cable modem, just a cable link. for about $300 a month, the guy could listen to everything I have to say.
People with different types of connections, I'm sure, could imagine similar scenarios.
My point is that no-one assumes that their connection is clean, and that it's a bad assumption to make even if your line is *almost* provably clean. Entire families of crypto protocols are based on the assumption of a dirty, tapped line.
So, if that's the assumption we should be making anyway, then what's the matter with allowing wiretapping?
It's sort of like the security situation with closed-source software, really. Assuming that disallowing wiretapping will keep people from it is kind of like assuming that because you don't give out the source code, no-one will find any holes in it.
It's a brave new world, but I think that we're pretty well ideologically equipped to handle it.
(Famous last words....:)
Also, I wrote a daemon that lets you use the RealMagic Remote under Linux, if anybody's interested. I just wanted to say that. okay. i'll go now...
-k. ^-^ ^D
Creeping elegance in app development... creeping totalitarianism in development of society.
As long as technology didn't threaten to empower the masses, Those In Power didn't worry too much about _true_ democracy. Freedom was a nice myth to perpetuate to keep the proletariat happy.
Now that technology could enable* such marvels as online voting, the elite (not 3l33t lest I confuse the script kiddies out there) and powerful are getting worried something might actually shift the balance of power and control (Cokie Roberts' reaction to the spectre of online voting is a prime example of this... how dare those uneducated workers threaten the Rich and Powerful!)
Expect more of this as the net threatens to replace centralized control (mainframe model) with a more "distributed" model of social governance.
-an expatriate 'merican, happy to be abroad.
*whether the apathetic american public will switch their sitcoms off long enough to actually learn something about current events and political developments is another question beyond the scope of this rant.
Is this really a viable solution? I disagree with the moderator's opinion that the parent posting is "insightful".
Is someone going to create a trusted root CA that distributes server certificates free for the asking and that the major browsers are going to recognize as a valid signer by default? Or maybe Verisign will change their business strategy and just give away certs for asking nicely =)
And what about accessibility? Not everyone has an SSL-enabled web browser, let alone a 128 bit browser (I mean, it seems silly to get everyone to use http over SSL if we're not going to push for everyone to use 128 bit, eh?). My mom can use a web browser without much difficulty, but she probably isn't going to visit fortify.net to upgrade her browser to 128 bit. People who use speech readers with text-only browsers like Lynx may not be so keen to have to compile in SSL support themselves to be able to access the web. I don't think I have SSL support on my Palm either. Does WebTV have SSL support? blah blah blah etc etc etc....
There's the whole SSL performance issue too I suppose for those of us still trying to make cheap web servers out of leftover 486s (although if you were really hot and bothered by performance perhaps you wouldn't be using a 486 =)).
And this particular discussion is wasting its energies by focusing on what we as information providers or end-users can do to make up for government efforts to build tap-ability into our networks.
First of all, there already is a wiretapping standard called RMON. In particular, RMONv2 provides most of what law enforcement would want. RMON allows filtered packet capture, so it would be easy to configure the system to filter for a specific IP address and shunt it over to a buffer. One could easily monitor dialups this way. RMONv2 allows for fairly efficient monitoring (in its alMatrixTable) of source-destination address pairs along with an identification of the protocol (something Japan requires, and which could easily be used to track down hackers who attempt to bounce attacks through chains of machines designed to conceal the true source).
A non-RMON solution would presumably copy packets destined for a certain IP address to another location. Presumably, this would entail simply encapsulating the IP packet inside another and shipping it off to FBI headquarters.
It seems interesting that most /.ers are against it. It seems that natural geek paranoia is winning out over geek superiority. I generally would support it, simply because I use encryption, but I know that stupid people don't. Stupid criminals really annoy me, and such constraints have no effect on ubergeeks who use encryption anyway.
Finally, there is a really good FAQ on the technology of wiretapping at: http://www.robertgraham.com/pubs/sniffing-faq.html. The information in this document could help you wiretap your own network and spy on your neighbors, though of course such activity is completely illegal and I would never encourage it.
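The two mechanisms this comment describes (an RMON2-style source/destination/protocol matrix, and a filter that copies one address's packets and ships them, IP-in-IP encapsulated, to a collector) are small enough to model end to end, and the earlier remark about watching router traffic for telnet logins is the same filter with a different target. The script below is an added illustration written for this page; it is not code from the post, from any RMON agent, or from any vendor's tap implementation. All packets are constructed in the script itself, the addresses (10.0.0.x, 192.0.2.10, 203.0.113.9) are documentation ranges chosen for the example, and the function names are the author's own.

```python
"""Toy model of RMON-style monitoring: a (src, dst, proto) matrix in the
spirit of RMON2's alMatrixTable, plus a filter that copies every packet
to or from one address and encapsulates it IP-in-IP (protocol 4, RFC 2003)
towards a collector. Everything here is constructed in-script; nothing
touches a real interface. Addresses and names are illustrative only."""
import socket
import struct
from collections import defaultdict

IPPROTO_IPIP = 4            # IP-in-IP encapsulation, RFC 2003
IPV4_HDR = "!BBHHHBBH4s4s"  # 20-byte header, no options


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum over the header; 0 means 'verifies'."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Build a minimal IPv4 packet with a correct header checksum."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ipv4_checksum(struct.pack(IPV4_HDR, *fields))
    return struct.pack(IPV4_HDR, *fields) + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Return the header fields the monitor needs, rejecting bad packets."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("not a valid IPv4 packet")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ihl": ihl, "len": total_len}


def matrix_table(packets):
    """alMatrixTable-style view: (src, dst, proto) -> [packets, octets]."""
    table = defaultdict(lambda: [0, 0])
    for pkt in packets:
        h = parse_ipv4(pkt)
        entry = table[(h["src"], h["dst"], h["proto"])]
        entry[0] += 1
        entry[1] += h["len"]
    return dict(table)


def tap_for_address(packets, target: str, monitor: str, collector: str):
    """Copy every packet to or from `target` and wrap it in an outer
    IPv4 header monitor -> collector (the 'shunt to a buffer' step)."""
    captured = []
    for pkt in packets:
        h = parse_ipv4(pkt)
        if target in (h["src"], h["dst"]):
            captured.append(build_ipv4(monitor, collector, IPPROTO_IPIP, pkt))
    return captured


def decapsulate(pkt: bytes) -> bytes:
    """Collector side: strip the outer header, return the original packet."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    return pkt[outer["ihl"]:outer["len"]]


# Constructed traffic: two hosts talking TCP (6) and UDP (17) to two servers.
SAMPLE = [
    build_ipv4("10.0.0.5", "192.0.2.10", 6, b"telnet login"),
    build_ipv4("192.0.2.10", "10.0.0.5", 6, b"Password:"),
    build_ipv4("10.0.0.7", "192.0.2.10", 17, b"dns"),
    build_ipv4("10.0.0.5", "198.51.100.1", 6, b"GET /"),
]

if __name__ == "__main__":
    for key, (pkts, octets) in sorted(matrix_table(SAMPLE).items()):
        print("%-12s -> %-14s proto %2d  pkts=%d octets=%d" % (key + (pkts, octets)))
    shunted = tap_for_address(SAMPLE, "10.0.0.5", "10.0.0.1", "203.0.113.9")
    inner = parse_ipv4(decapsulate(shunted[0]))
    print(len(shunted), "packets copied to collector; first inner dst =", inner["dst"])
```

The matrix alone is enough to answer "who talked to whom, with which protocol" without keeping payloads, which is why the comment calls it efficient; the per-address tap is what actually carries content. Note that once a packet is wrapped this way, anyone who can reach the monitor-to-collector path sees exactly what the collector sees, which is the security point made earlier in the thread about remotely activated taps.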
Why not put up a list of companies that include wiretap abilities in their products? When sales start hurting, they may not be inclined to include this in their products any longer. I would gladly give up some space on one of my web servers for that purpose.
This won't keep it from happening, but it will force the "standard" to be developed elsewhere. And if we're lucky, instead of one "standard", there will be a bunch (that's the great thing about standards: there are so many to choose from), so that it will be a big hassle for the FBI to actually use it.
I'm not opposing the implementation of lawful court-ordered wiretaps. But CALEA makes it really easy for them to do clandestine, unlawful wiretaps, and anything that makes this more trouble than it's worth is a good thing.
CALEA was represented to the public as simply a way to ensure that the FBI would continue to have the same wiretapping capabilities that they've traditionally had on analog phone systems. But if you read the text of the act, you'll see that it goes way beyond what would be needed for that. It gives them broad new powers far beyond what they had before, and if they happen to "accidentally" abuse these powers, it provides little to no recourse for the injured party. Anyone who doesn't think that the government is trying to create a police state should definitely read the law.
[I'm not suggesting a giant conspiracy. It doesn't take that. It just takes the cumulative effort of thousands of individual government workers who want to make the government's job easier. Some of those workers have good intentions, but the road to hell... Remember: the job of the police is only easy in a police state.]
Holy fuck, is Elm-ME+ 2.4pl25ME+60-1 a version number? Maybe the MS 'yearly' naming scheme isn't that bad after all... hehe
..is they probably make a nice entry point for illegal entry onto the system by people who aren't as nice as those wonderful NSA guys.
Besides, if I was organising drugs, firearms shipments or any other illegal activity by Internet I'd make damn sure I understood enough about encryption to make it hard for them.
Donte Alistair Anderson Roberts - hi son!
Karma: Chameleon
A national government failed to impose its will on an in essence international organization. As it should be. A national government can control institutions in their country, but not outside.
//rdj
No one can understand the truth until he drinks of coffee's frothy goodness.
--Sheikh Abd-Al-Kadir, 1587
Is it only me whom this reminds so much of the "Shockwave Rider", by John Brunner? Has anyone here read the book lately? Are there any signs that we are *NOT* going to end up in a world similar to the one described in the book?!
I write an application that implements voice over ip and strong crypto and release it into the public domain? I mean, this would not be all that complicated to do, and who is going to stop it?
Hmm. Maybe I should start writing one?
I worked at an AT&T plant a few years ago in Whitsett, NC as a tester. We produced telephone encryption devices which sold mostly to the government. If you watch Air Force One, the large telephone that Indiana Jones uses in the plane's control room after he was captured by the terrorist was produced by us.
We produced a device that had similar function except that it was about the size of a Palm Pilot and could work with any normal telephone. You just plugged the hand jack into it and then plug it into the base. What happened to this device?
I got to help with the job of opening every one of them up and installing an extra IC so that your friendly US Uncle could listen in on them. Does anyone remember 'Clipper'? I've actually handled those ICs. The rumor was that the FBI paid millions for us to do this (basically bought all the units we had produced). Needless to say, production of the unit ceased almost immediately. And the unit was very quickly forgotten by most.
There are no large corporations that can go up against the Feds and win. The executives know this and won't even try.
Aah, change is good. -- Rafiki
Yeah, but it ain't easy. -- Simba
Currently, my company lives and dies by Cisco equipment. But I tell you what: come IPv6, if the extent of the wiretapping method is not explained to me by the manufacturer in great detail, I will replace all of our Cisco devices with those of another corporation. I love Cisco's products but I will not allow them to compromise the network security of my company. No matter how good their intentions are.
If my company wanted the government snooping around our network we would have issued them a username and password.
$nyper
"Help me Obi-/.-Kenobi, you're my only hope!" -$
But hey, it must be okay, it saved hundreds of thousands of Mercans... probably.
I could be overlooking something here... but aren't they just introducing a huge security hole into anything that is built with "easy tappability"? If the government can implement it, I'm sure someone who is smarter and maybe not so honest (not that our govt is a prime example of honesty) can hack into a router and at the very least have some fun!
I find this seriously disturbing, does anyone agree?
My dad was that Fore Engineer (Brian Rosen). On Fore's products: although I have no first hand knowledge of how stable / reliable they really are, I urge you not to speak out of your ass on this issue. I'm sure some people have had problems with their products, but that happens with every company / product available. Cisco, 3Com, whoever. Don't take the word of people posting on Slashdot. Read some real facts from people who test products like these. Since Fore has grown an incredible amount, and continues to grow, it leads me to believe they are doing something right. They are the number 1 ATM switch manufacturer in the world. There is my spiel on the issue. -Zack Rosen
-Zacker
- A.P.
--
"One World, one Web, one Program" - Microsoft promotional ad
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
First, let me congratulate the IETF on Doing the Right Thing.
Now let me try to explain why anyone would even think of adding wiretap capability to an Internet protocol, what it means, and what we can do about it.
Why wiretap? The FCC and other global regulatory agencies require the ability to wiretap voice networks. This is known as the Communications Assistance for Law Enforcement Act (CALEA). If you want more info check out the FCC site.
Ok, great, this is a done deal with the telephone network. But what the hell does this have to do with the IETF?
Voice over IP technologies have effectively made any IP network into a telephone network. As carriers start to deploy VoIP solutions using their own IP based networks, they still must support federal regulations such as CALEA. So it makes sense for the IETF to add CALEA support into VoIP protocols, right?
I think not.
What would it mean if we started applying the rules and regulations of the telephony network to an IP network? Would we end up applying all of them? Where is the line between a telephony carrier's IP network and the Internet? Where is the line between wiretapping voice and wiretapping data?
The line is where we draw it.
Unfortunately, anyone hoping to sell equipment to telephony carriers has to provide CALEA support. This is why router companies have to add CALEA functionality to their products. At least that (hopefully) limits the effective jurisdiction of wiretapping to carrier networks. We absolutely do not have to subject the Internet to these regulations.
What can we do? We can petition and support the IETF in NOT adding wiretap capability to Internet protocols. We can use PGP or other encryption to keep our communications secure, and show the futility of wiretapping on the net. We can write to politicians, and the FCC, and tell them what we think.
I like to think of it as the separation of church and state. If we're going to have freedom online, we need to prevent the regulations of other media (telephone, television, radio) from creeping in.
Thanks to the IETF and all of you for drawing the line, and defending it.
The early bird gets the worm, but the second mouse gets the cheese.
You know I was sure that this already existed in the form of good logging on your servers, session logging firewalls, and sniffers. Why reinvent the wheel?
Any idiot can type "apt-get install lynx-ssl" what's the problem?
lynx-ssl works fine on my 486 here.
You don't know "pain to be hassled" until you've lived it. :( This is by no means a trivial matter.