IETF Rejects Wiretapping
Declan McCullagh of Wired covered the IETF meeting last night, and his report notes that the IETF rejected creating any sort of wiretapping standard. However, the companies who build routers and similar networking fundamentals stated that they would still move ahead with implementing tap-ability into their equipment, so the IETF action is a hollow victory: your Internet communications will still be easily tappable.
"I'm a little concerned about [this anti-wiretap sentiment]. Clearly not all wiretapping is illegitimate," one Cisco engineer said.
Herein lies the problem. As long as people can see one use for something, all the adverse effects become secondary. Some criminals are caught by wiretaps, so everyone should be tappable.
This may be a specious argument, but if you nuke a city (say, Seattle), then you'll kill millions of innocent people. But it's okay, because you'll get some criminals, who'll never mug an old lady again.
Now most of us are not in a position to select basic infrastructure equipment for the Net. Will those who are be allowed not to choose routers that aren't wiretap-enabled? Or will official and not-so-official pressure force them to?
It seems to me that the vendors who decided to continue with plans to make their equipment tappable are voluntarily taking part in a very strange experiment.
The way I see it, since there will very clearly be other vendors who do not insert tapping abilities into their equipment, the ones that do are going to find out just how important an issue this is to the people who buy their equipment.
Most IT people I know have a thing about civil liberties, and I suspect that those companies that put backdoors into their products are going to get hurt in the marketplace because of their decisions (as long as there are alternatives to their products). It will be very interesting to see if the people who buy the network equipment will be willing to put up with a back door, or if they will simply find ways around it (the most obvious of which is to simply not buy the goods with the back doors built in).
Let the experiment begin...
Impossible = A fun challenge
Cisco can implement wiretapping in their IP telephony devices; however, this can't affect any non-telephony traffic or even telephony traffic that doesn't use their devices. In other words, people who want to have a secure channel will still have a secure channel as long as they don't use normal voice over the phone (which never was secure in the first place). What the IETF was asked for was modification of protocols, so wiretapping could be achieved on any protocol's implementation, which will definitely defeat security.
Contrary to the popular belief, there indeed is no God.
This is just plain _wrong_. Does anyone else have flashbacks to Big Brother, or is it just me? Why would a private organization have _any_ responsibility to the FBI to make things "easily tappable"? If it's easy for them, is it easy for any ol' hacker as well? Just telnet in, "come get your 0day logs here!"
This sort of thing in private industry makes me just plain sick to my stomach. I'm not an American, but I worry because this nuttiness finds its way north of the border sooner or later. I thought America was supposed to be the land of the free, yet as an outside observer I see your rights getting quickly taken away in the name of either a drug-free society (even your politicians smoke dope!) or protecting children (duh, that's what parents are for).
For example, in Canada, almost _no_ organization will require drug testing for engineering work - yet this is the opposite case in the US. Perhaps when they start looking for DNA samples, protests will start?
Federal screwing with the internet has to stop. Making the internet easy for the feds probably will make it possible for any MORON to play with your router logs.
Answer with your wallet - don't buy hardware that supports features like this. Until people stand up, you'll continue to get walked over. But why worry, you have nothing to hide, right?
Instead, buy hardware that supports idiot-friendly secure encryption, and I don't mean 48 bit DES, either. If the net is encrypted, who gives a flying @#$@# who's listening. They can get a court order to make you turn over your keys - just like they can do for your house.
Kudos..
..don't panic
The Echelon *email* concerns have always struck me as an unfeasible approach, given tapping the wire itself is (or at least has been) so much more achievable than getting ISPs to help the spooks in an organised fashion.
I wish I could recall the URL for the public guardians_of_the_law-ISP dialogue that went on in the UK a few months back, made this whole set of points about ISPs incurring costs for spook-work and jurisdictional difficulties and lack of guardians_of_the_law technical know-how.
And I also recall thinking how it was all a blind, given the spooks can almost certainly do all this stuff when they want to anyway.
To be honest it must be like herding cats getting the ISPs to pitch in when the spooks want, but the major carriers and infrastructure companies...they can be arm-twisted much more effectively.
Certainly that's the situation that seems to pertain here in the UK with BT, GCHQ, the NSA and the old-boys network.
The IETF, as a body of erudite folk, knows that it can specify, and pontificate, and stay well on the side of right (well, spooks are sinister, aren't they?) and get away with it because the spooks have other ways to get what they want. Heck, even though the IETF tries to be de jure, the Internet itself tends to be de facto, so whatever will be, will be.
Guess we'll need IPsec, and ssh and whatever else we can get even more than ever now the router giants are kow-towing along with the wire-owners.
Score one for the spooks.
...an Englishman in London.
So support your local Mom&Pop ISP!
Requiring wiretapping capabilities hurts the national security of our country.
The new threats of encryption and the Internet manifest new challenges to the NSA and FBI. There have been new challenges emerging every generation since people baked messages into clay envelopes two thousand years ago. We need to seize creativity to solve the problem, not brute force.
Human nature prefers the easy way of using the advantages we gained from the genius at Bletchley Park, from half a century of great SIGINT, and from one of the largest factories of intelligence operations ever made. Human nature prefers to work with well understood technology and process.
Still, our continued intelligence community lies in countering emerging change by intelligence, guile, and advancement. If we allow our intelligence groups to become lazy, relying on ever greater search powers, then they will be useless and clueless when a major threat arises.
If we permit NSA and FBI to have wiretapping capabilities, they will be lazy, useless, and clueless to prevent concerted attacks on the US.
A Devout Capitalist
Profit motivates invention
Profit motivates invention.
Of course even then you can trust them .... safety is in big numbers ...
At an IIA meeting in Sydney, Australia around March or April, there were a couple of speakers from the NSW Police Service - Child Protection Enforcement Agency.
The obligations outlined to ISPs in that meeting were that once a valid warrant had been issued, ISPs were obligated to capture all the packets entering and leaving a user's account. Those packets would then be turned over to the police force, whose responsibility it would be to decode them. The ISP would not have to decrypt or de-encode them, only capture them as they went from the router to the modem.
These cases were in the prosecuting of Child Porn offenders.
Just some food for thought
The MyTh - I am a figment of the Imagination - [Im Probably even not here]
They don't care what you send, they care when you send and who to. That is why they want to be able to trace encrypted data from its entry point onto the network and out across it. That is why right now they have PC class boxes tapping big dialup ISPs all over the EU and I'm sure the US.

In the EU it's probably even an offence for the ISP to admit to it. Internet offices and giant web email sites are the dream target of these people; after all, if you use hotmail-like sites you come to them and they can analyse your email and other email in bulk really easily.
Alan
but Redmond on the other hand....
I would have said D.C., but that's probably a threat to the President and I'd have the Secret Service on my ass and have to give them my por^H^H^Hcomputer files.
(note to the humor impaired: I don't condone nuking anybody or even killing anybody for that matter, even criminals. I know Microsoft is mostly in another town next to Redmond.)
--
"L'IT c'est moi!"
If you catch a criminal and you look who he emailed around the same time you learn stuff, much like phones. Why did the husband mail his wife's murderer's hotmail account a day before, etc.? That's the crime angle. The big one is the tax angle. Uncle Sam's nightmare scenario goes like this.

IBM, Microsoft, GE and other big vendors all use people like Visa. Visa start doing encrypted transactions. Companies start neglecting to mention this kind of fund transfer in their tax returns.

Next stage. A company like Visa creates a private cryptographically managed currency of their own. Everyone opts to use it and hard crypto; the US tax man only sees transactions into US currency space.

Shortly after, the USA, bankrupted by massive tax revenue, basically suffers a total collapse of government power. Welfare collapses leading to riots. The army can't be paid, healthcare goes totally cash upfront, the education system fails.

Whether a massive loss of Government is good or bad is a complex political question to most people, but if you are a politician it's easily answered.
Alan
"I want a tap on every router, gateway, firewall, bridge, hub, NIC, in every ISP, MIS, TS, and IS department in a 50 mile radius. That packet is not getting away from us!"
In effect, it would take taps on EVERY one of those to catch any data that comes through, because as I understand it, anything sent through the net could take multiple paths (which is why video over the net sucks).
And good luck catching it in time. While the net may not be lightning quick, it's still VERY fast on a good pipe. Much faster than a person on foot, a package in the mail, or someone talking on the phone.
I say, good luck trying to tap anything. What you do get would be encrypted most likely.
So support your local Mom&Pop ISP!
My local Mom&Pop ISP got bought out by RCN...
--Parity
'Card carrying' member of the EFF.
But, in general, it isn't always easy to vote w/ your dollars. 1st you have to know that the issue exists. Then you have to figure out if the company you're dealing with is producing the product or service in the way you want.
This can get really tricky when local, national and global politics get involved. Industries lobby to hide information from the consumers when full disclosure would cost sales.
Ben & Jerry's had to fight to be allowed to mark their ice cream as "bovine growth hormone free" since such labeling had been made illegal in the US.
But remember that the World Trade Organization has been getting heavily involved in this area and has global jurisdiction, so Canada isn't completely safe from this madness.
- bridgette
The admissibility or strength of wiretap evidence isn't the real issue. After all, if there is a criminal case in a court it means that the government is pretty much playing by the rules. What is much more of a concern, and the reason the Bill of Rights was drafted in the first place, is the ease with which the government can probe and harass private citizens without a specific suspicion, or for suspicions of political, not criminal, activity.
--
"L'IT c'est moi!"
Just today, our work network suffered an 'IP event'. Packets were getting dropped on the floor left and right for about a quarter of the workstations on the segment. Can't ping off-site, can't ping on-site, can only ping loopback, can't read Slashdot!!! Turns out the hub went goofy and the higher numbered ports were squirrelly.
IT decides that this would be a great time to switch from the old I-forgot-the-brand hub to the newer and better one from Fore. After the switch, NOBODY could even log in. 200+ engineers standing around drinking coffee - this time with a good excuse. So we went back to the old hub, and all was well for the rest of the day.
Today I lost faith in anything that comes out of Fore Systems, hardware, comments, anything.
-- What you do today will cost you a day of your life.
Hey, look on the bright side. You saw what kinds of problems lack of interoperability caused in the early UN*X products - remember how fractured that was, and how hard it was to get anything working? *evil grin* Now the FBI gets to get some of that. Hope they find a solution.. they got a few trillion to waste on developing ways to get around incompatible standards, right? *very evil grin*
--
I was at the plenary last night, and neither the IETF, IAB, nor the IESG issued a formal statement last night. Slashdot may want to go with a more reliable news source.
There was definitely a lot of opposition to the wiretapping proposal, but there was some support for it as well. Recordings of the multicasting of the plenary will be available at imj.gatech.edu. You need the multicast tools to view it.
OTOH, if a protocol (software) is made tappable, then ALL hardware that passes or processes that protocol becomes a potential tap point.
It seems to me that keeping the protocols tight is the way to go, and then require taps to be applied only on and at compliant hardware.
With hardware, most features, such as tappability, can be disabled as part of the hardware setup and configuration. With a protocol, there is no such protection, no "off" switch. Either the protocol traffic matches spec and is passed, or it violates the spec and is dropped.
Finally, if someone wants to tap your digital communications, they must first ensure that your packets pass through a piece of hardware that is enabled for providing taps. That, in turn, may require that router tables be altered, or additional hardware be installed, both of which may be detected in a variety of ways. And that may let you know that you are being tapped, though it would not tell you by whom or why.
So, tappable hardware would appear to have a close analog to land-line telephones, which have supported taps since their inception, and have fairly good legal protections in place. A broken protocol would be more like listening to an analog cell phone conversation: Almost anyone could do it.
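The comment above says that inserting a tap may require altered router tables or extra hardware in the path, and that both "may be detected in a variety of ways". The following is an added example of one such check; it is not code from the original post. It assumes (none of this is from the page) that you keep a per-peer baseline of the TTL seen in replies and of the hop list from a traceroute-style probe, then re-check later: an inserted layer-3 device costs one extra TTL decrement, and a routing change alters the hop list. A passive layer-2 tap changes neither, which is why detection is only "may". All addresses are constructed from the RFC 5737 documentation ranges; the `PathBaseline`, `compare_path` and `hops_from_ttl` names are this example's own.

```python
"""Added example (not from the original thread): a check for two of the
tap-insertion symptoms the comment above mentions, a re-routed path and an
extra layer-3 device in the path to a known peer.

Assumptions, none of which come from the page: we keep a baseline per peer of
(a) the TTL seen in its replies and (b) the hop list from a traceroute-style
probe, then re-check later.  A forwarding device inserted in the path costs
one extra TTL decrement; a routing-table change shows up as a different hop
list.  A passive layer-2 tap changes neither.  All addresses are constructed
from the RFC 5737 documentation ranges.
"""
from dataclasses import dataclass

# Initial TTLs that common stacks use; the hop count is the distance from the
# observed TTL up to the nearest of these.  The estimate is ambiguous for very
# distant hosts, but the comparison below only cares whether it changes.
INITIAL_TTLS = (64, 128, 255)


def hops_from_ttl(observed_ttl: int) -> int:
    """Estimate hop count from a received TTL."""
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    raise ValueError(f"TTL out of range: {observed_ttl}")


@dataclass
class PathBaseline:
    ttl: int     # TTL seen in replies when the baseline was taken
    hops: list   # router addresses in order, from a traceroute-style probe


@dataclass
class Finding:
    peer: str
    reason: str  # "hop-count-change" or "path-change"
    detail: str


def compare_path(peer: str, baseline: PathBaseline,
                 observed_ttl: int, observed_hops: list) -> list:
    """Return findings for a later observation of the same peer."""
    findings = []
    base_hops, now_hops = hops_from_ttl(baseline.ttl), hops_from_ttl(observed_ttl)
    if now_hops != base_hops:
        findings.append(Finding(peer, "hop-count-change",
                                f"{base_hops} -> {now_hops} hops "
                                f"(TTL {baseline.ttl} -> {observed_ttl})"))
    if observed_hops != baseline.hops:
        inserted = [h for h in observed_hops if h not in baseline.hops]
        removed = [h for h in baseline.hops if h not in observed_hops]
        findings.append(Finding(peer, "path-change",
                                f"inserted={inserted} removed={removed}"))
    return findings


def example_findings() -> list:
    """Constructed data: a peer six hops away, then the same peer with one
    device inserted between the last two routers (constructed addresses)."""
    baseline = PathBaseline(
        ttl=58,  # 64 - 6
        hops=["192.0.2.1", "192.0.2.254", "198.51.100.7",
              "198.51.100.8", "203.0.113.9", "203.0.113.42"])
    later_hops = ["192.0.2.1", "192.0.2.254", "198.51.100.7", "198.51.100.8",
                  "203.0.113.9", "198.51.100.250", "203.0.113.42"]
    return compare_path("203.0.113.42", baseline, observed_ttl=57,
                        observed_hops=later_hops)


if __name__ == "__main__":
    for f in example_findings():
        print(f"{f.peer}: {f.reason}: {f.detail}")
```

Run against the constructed data it reports both a hop-count change (6 to 7) and the inserted address; against a real network you would feed it your own periodic probe results, and treat a change as a prompt to investigate rather than proof of a tap, since ordinary re-routing produces the same symptoms.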
Claris Emailer 2.0 supports PGP quite nicely, if you can manage to track down a copy.
Eudora also supports PGP.
But then again, I could be wrong.
I had a very fun lunch with an OLD friend of mine who happens to be another Linux fanatic of long standing AND involved in a major router company. This topic was one of the many we covered and I learned something.
ISPs use the very same wiretapping feature to debug such mundane things as why a customer's PPP dialup isn't succeeding! He said that their equipment had ALWAYS had this feature for the very simple reason that the customers (ISPs) demand it!
Someone earlier said that just because there is one legit reason for a feature, the possibilities for abuse are far greater and should be the deciding factor. Isn't this the VERY same argument being used by the DVD consortium against the CSS code release??????
Hmmm....
Have you compiled your kernel today??
I'm sending this from the IETF meeting network in the Omni Shoreham hotel in Washington D.C. I was present for the entire discussion yesterday evening. This article is misleading; a definitive and final decision by the IETF was not made.
This discussion, held during the regular plenary session which is part of every IETF meeting, was simply another form of input to the IESG (Internet Engineering Steering Group) and IAB (Internet Advisory Board). The "vote" was not exactly as the reporter said, I'd say the number of abstentions was close to (maybe even greater than) the number of people opposing aiding wire-tapping. The reporter does not seem to understand the IETF method of discussion and consensus building.
For much better coverage of this story, I suggest reading the Network World article. It does a much better job of reflecting reality as I remember it.
Bill - aka taniwha
--
Leave others their otherness. -- Aratak
My ISP, if they wanted to, could fire up tcpdump or any other sniffer on the market and listen to all my packets right now. You don't need anything special on the router or anywhere else to get this capability. And if I decided to encrypt all my outbound traffic, nothing on the router would make a damn bit of difference over what we already have. So any router manufacturer who implements this feature on the router will simply be weakening the security infrastructure for no appreciable gain. And I think that's funny.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
I don't think this is a hollow victory at all, even if the companies go ahead and screw us over with or without the IETF (Did you ever think better of them? The state and the industry have been each other's whores for the better part of this century.)
However, this battle was never about whether they are tapping Internet nodes or not. The Internet is already tappable. The FBI can do it, a skilled hacker can do it, and the NSA is most probably already doing it. If you want your communications to be secure: encrypt them. If you don't, there is no reason to think that people aren't, or to argue that they shouldn't be, listening.
What this was about was the integrity of the IETF, and by extension the Internet community. I think that if the IETF had gone ahead with this, many of the ideals that have driven the Internet until today would have been run over once and for all. A yes to collaboration would have been a confirmation that the Net and Web had become nothing more than a PR playground for Disney and Microsoft. But by rejecting this, the IETF has shown that there is more to it than that: that there is still a thread of revolution in the very nature of connectivity, even if you have to dig through a lot of dancing baloney to find it.
That is not a hollow victory...
-
We cannot reason ourselves out of our basic irrationality. All we can do is learn the art of being irrational in a reasonable way.
Police and law enforcement officials have been able to tap phone lines almost since the phone was invented. Do any of you still use the telephone? It's even easier to listen in on open-air conversations. Do any of you still speak in public?
Bottom line: It's not that big a deal. Don't get so worked up over it!
- A.P.
--
"One World, one Web, one Program" - Microsoft promotional ad
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Let's all keep in mind that there are two different methods for tapping communications over the Internet.
Method one: Use a physical device attached to the router in order to monitor traffic. However, keep in mind that this method requires no special hardware on the router side of things. Anyone could build a device to work with current routers to do this with little trouble. Remember: TCP is an unencrypted protocol; everything's plaintext, even your passwords.
Method two: A software-based tap built into the software of the router that can be activated remotely. This is the one that would have to be "implemented" and it is the most scary, because if it can be done remotely by the FBI, it can be done remotely by ANYONE, just as long as someone is significantly motivated enough to figure out a way to break the security (and I think it's been proven time and time again that any security can be broken if there is reason enough to and with enough time).
If it's method two that they want to implement then we should all get off our asses and bitch like hell. This jeopardizes what little security TCP has, besides just being a blatant violation of privacy.
Just wait till the first cracker figures out the scheme and starts watching .gov routers for telnet logins/passwords. I wonder if Big Brother will be too keen on this idea after that.
-Cyberllama
First of all, there already is a wiretapping standard called RMON. In particular, RMONv2 provides most of what law enforcement would want. RMON allows filtered packet capture, so it would be easy to configure the system to filter for a specific IP address and shunt it over to a buffer. One could easily monitor dialups this way. RMONv2 allows for fairly efficient monitoring (in its alMatrixTable) of source-destination address pairs along with an identification of the protocol (something Japan requires, and which could easily be used to track down hackers who attempt to bounce attacks through chains of machines designed to conceal the true source).
A non-RMON solution would presumably copy packets destined to a certain IP address to be copied to another location. Presumably, this would entail simply encapsulating the IP packet inside another and shipping it off to FBI headquarters.
It seems interesting that most /.ers are against it. It seems that natural geek paranoia is winning out over geek superiority. I generally would support it, simply because I use encryption, but I know that stupid people don't. Stupid criminals really annoy me, and such constraints have no effect on ubergeeks who use encryption anyway.
Finally, there is a really good FAQ on the technology of wiretapping at: http://www.robertgraham.com/pubs/sniffing-faq.html. The information in this document could help you wiretap your own network and spy on your neighbors, though of course such activity is completely illegal and I would never encourage it.
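The comment above describes the non-RMON design as encapsulating each selected IP packet inside another and shipping it to an outside collector. Such copies are visible at the site border, so here is an added example of an egress check for them; it is not code from the original comment, nor from any RMON or vendor implementation. It assumes (not from the page) that the copy leaves as IP-in-IP (IP protocol 4), that the monitor sees raw IPv4 packets at the border, and that the site's own prefix is known: a copied packet is then an outer header addressed outside the site wrapping an inner header that names a local host, while ordinary transit tunnels carrying non-local traffic are left alone. Addresses are constructed from the RFC 5737 documentation ranges and the helper names (`parse_ipv4`, `build_ipv4`, `find_copied_traffic`) are this example's own.

```python
"""Added example, not from the original comment and not from any RMON or
vendor implementation: an egress check for the "encapsulate the IP packet
inside another and ship it off" copy the comment describes.

Assumptions (not from the page): the copy leaves the site as IP-in-IP
(IP protocol 4), the monitor sees raw IPv4 packets at the border, and the
site's own prefix is known.  Addresses are constructed from the RFC 5737
documentation ranges.
"""
import ipaddress
import struct

IPPROTO_IPIP = 4


def parse_ipv4(buf: bytes, offset: int = 0):
    """Return (src, dst, proto, header_len) for the IPv4 header at offset,
    or None if the bytes there are not a well-formed IPv4 header."""
    if len(buf) - offset < 20:
        return None
    version_ihl = buf[offset]
    if version_ihl >> 4 != 4:
        return None
    header_len = (version_ihl & 0x0F) * 4
    if header_len < 20 or len(buf) - offset < header_len:
        return None
    proto = buf[offset + 9]
    src = ipaddress.IPv4Address(buf[offset + 12:offset + 16])
    dst = ipaddress.IPv4Address(buf[offset + 16:offset + 20])
    return src, dst, proto, header_len


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (no options, checksum left zero) so the
    example runs offline; captured traffic would replace this."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def find_copied_traffic(packets, local_prefix: str) -> list:
    """Flag IP-in-IP packets that carry local traffic to a non-local collector."""
    local = ipaddress.IPv4Network(local_prefix)
    hits = []
    for pkt in packets:
        outer = parse_ipv4(pkt)
        if outer is None or outer[2] != IPPROTO_IPIP:
            continue
        outer_src, outer_dst, _, outer_len = outer
        inner = parse_ipv4(pkt, outer_len)
        if inner is None:
            continue  # protocol 4 but no parsable inner header
        inner_src, inner_dst, inner_proto, _ = inner
        if outer_dst not in local and (inner_src in local or inner_dst in local):
            hits.append({
                "tunnel_source": str(outer_src),
                "collector": str(outer_dst),
                "inner_src": str(inner_src),
                "inner_dst": str(inner_dst),
                "inner_proto": inner_proto,
            })
    return hits


def example_hits() -> list:
    """Constructed traffic: a normal TCP packet from a local host, a copy of
    it wrapped in IP-in-IP towards an outside collector, and an unrelated
    transit tunnel carrying non-local traffic."""
    original = build_ipv4("192.0.2.10", "203.0.113.5", 6, b"tcp-segment-stand-in")
    copied = build_ipv4("192.0.2.1", "198.51.100.200", IPPROTO_IPIP, original)
    transit = build_ipv4("192.0.2.1", "198.51.100.200", IPPROTO_IPIP,
                         build_ipv4("203.0.113.1", "203.0.113.2", 17, b""))
    return find_copied_traffic([original, copied, transit], "192.0.2.0/24")


if __name__ == "__main__":
    for hit in example_hits():
        print(hit)
```

On the constructed traffic only the wrapped copy is reported, with the router as tunnel source and the outside address as collector. The check is deliberately narrow: a copy sent over GRE, over an encrypted tunnel, or to an address inside the site's own prefix passes it, so in practice it belongs beside a baseline of which tunnels the site legitimately runs.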
Why not put up a list of companies that include wiretap abilities in their products? When sales start hurting, they may not be inclined to include this in their products any longer. I would gladly give up some space on one of my web servers for that purpose.
This won't keep it from happening, but it will force the "standard" to be developed elsewhere. And if we're lucky, instead of one "standard", there will be a bunch (that's the great thing about standards: there are so many to choose from), so that it will be a big hassle for the FBI to actually use it.
I'm not opposing the implementation of lawful court-ordered wiretaps. But CALEA makes it really easy for them to do clandestine, unlawful wiretaps, and anything that makes this more trouble than it's worth is a good thing.
CALEA was represented to the public as simply a way to ensure that the FBI would continue to have the same wiretapping capabilities that they've traditionally had on analog phone systems. But if you read the text of the act, you'll see that it goes way beyond what would be needed for that. It gives them broad new powers far beyond what they had before, and if they happen to "accidentally" abuse these powers, it provides little to no recourse for the injured party. Anyone who doesn't think that the government is trying to create a police state should definitely read the law.
[I'm not suggesting a giant conspiracy. It doesn't take that. It just takes the cumulative effort of thousands of individual government workers who want to make the government's job easier. Some of those workers have good intentions, but the road to hell... Remember: the job of the police is only easy in a police state.]
- A.P.
--
"One World, one Web, one Program" - Microsoft promotional ad
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
For all other purposes, though, chemical drug testing (urinalysis, hair tests, and so on) is just stupid. Impairment testing is the only sensible option.
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood
Everyone gives William Gibson credit for inventing cyberpunk. Wrong. John Brunner did it 10 years earlier with Shockwave Rider and Stand on Zanzibar.
Are there any signs that we are *NOT* going to end up in a world similar to the one described in the book?!
I think Brunner was overly optimistic. I haven't seen any signs of a town with street names like 'Mean Free Path', and if 10 9's existed, it would be tapped.