IETF Rejects Wiretapping
Declan McCullagh of Wired covered the IETF meeting last night, and his report notes that the IETF rejected creating any sort of wiretapping standard. However, the companies who build routers and similar networking fundamentals stated that they would still move ahead with implementing tap-ability into their equipment - so the IETF action is a hollow victory, your internet communications will still be easily tappable.
Pseudo-Justification (Score:5)
Herein lies the problem. As long as people can see one use for something, all the adverse effects become secondary. Some criminals are caught by wiretaps, so everyone should be tappable.
This may be a specious argument, but if you nuke a city (say, Seattle), then you'll kill millions of innocent people. But it's okay, because you'll get some criminals, who'll never mug an old lady again.
Good sense prevails. Will the market agree? (Score:2)
Now most of us are not in a position to select basic infrastructure equipment for the Net. Will those who are be allowed not to choose routers that aren't wiretap-enabled? Or will official and not-so-official pressure force them to?
Vendors taking part in experiment (Score:5)
The way I see it, since there will very clearly be other vendors who do not insert tapping abilities into their equipment, the ones that do are going to find out just how important an issue this is to the people who buy their equipment.
Most IT people I know have a thing about civil liberties, and I suspect that those companies that put backdoors into their products are going to get hurt in the marketplace because of their decisions (as long as there are alternatives to their products). It will be very interesting to see if the people who buy the network equipment will be willing to put up with a back door, or if they will simply find ways around it (the most obvious of which is to simply not buy the goods with the back doors built in).
Let the experiment begin...
Not really (Score:2)
Re:Good sense prevails. Will the market agree? (Score:1)
Wiretapping in Routers.. (Score:5)
This is just plain _wrong_. Does anyone else have flashbacks to Big Brother, or is it just me? Why would a private organization have _any_ responsibility to the FBI to make things "easily tappable"? If it's easy for them, is it easy for any ol' hacker as well? Just telnet in, "come get your 0day logs here!"
This sort of thing in private industry makes me just plain sick to my stomach - I'm not an American, but I worry because this nuttiness finds its way north of the border sooner or later. I thought America was supposed to be the land of the free, yet as an outside observer I see your rights getting quickly taken away in the name of either a drug-free (even your politicians smoke dope!) or protecting children (duh, that's what parents are for).
For example, in Canada, almost _no_ organization will require drug testing for engineering work - yet this is the opposite case in the US. Perhaps when they start looking for DNA samples, protests will start?
Federal screwing with the internet has to stop. Making the internet easy for the feds probably will make it possible for any MORON to play with your router logs.
Answer with your wallet - don't buy hardware that supports features like this. Until people stand up, you'll continue to get walked over. But why worry, you have nothing to hide, right?
Instead, buy hardware that supports idiot-friendly secure encryption, and I don't mean 48 bit DES, either. If the net is encrypted, who gives a flying @#$@# who's listening. They can get a court order to make you turn over your keys - just like they can do for your house.
Kudos..
So what? (Score:1)
Just Encrypt. (Score:1)
Why? (Score:1)
If everything important or illegal ends up being encrypted without back doors in the encryption method, why will they still want to tap? My guess it is for those not knowledgable enough to encrypt their conversations. Criminals can do some pretty stupid stuff. Just watch America's Dumbest Criminals, if it is still running on the air.
Spooks (Score:3)
The Echelon *email* concerns have always struck me as an unfeasible approach, given tapping the wire itself is (or at least has been) so much more achievable than getting ISPs to help the spooks in an organised fashion.
I wish I could recall the URL for the public guardians_of_the_law-ISP dialogue that went on in the UK a few months back, made this whole set of points about ISPs incurring costs for spook-work and jurisdictional difficulties and lack of guardians_of_the_law technical know-how.
And I also recall thinking how it was all a blind, given the spooks can almost certainly do all this stuff when they want to anyway.
To be honest it must be like herding cats getting the ISPs to pitch in when the spooks want, but the major carriers and infrastructure companies...they can be arm-twisted much more effectively.
Certainly that's the situation that seems to pertain here in the UK with BT, GCHQ, the NSA and the old-boys network.
The IETF, as a body of erudite folk, knows that it can specify, and pontificate and stay well on the side of right, (well, spooks are sinister aren't they?) and get away with it because the spooks have other ways to get what they want. Heck, even though the IETF tries to be de jure, the Internet itself tends to be de facto, so whatever will be, will be.
Guess we'll need IPsec, and ssh and whatever else we can get even more than ever now the router giants are kow-towing along with the wire-owners.
Score one for the spooks.
Re:Wiretapping in Routers.. (Score:2)
They have a different definition of the word "free".
They can get a court order to make you turn over your keys
"Sorry your Honor, the drive died and took the keys with it. It also affected the floppy backups in the closet."
Re:So what? (Score:1)
This way IP analysis becomes much more difficult. This is especially true if the re-router has a lot of traffic, and introduces random delays before sending packets back out into the world.
Why the vendors may have to do this .... (Score:4)
So support your local Mom&Pop ISP!
Wiretapping: A Blow to National Security. (Score:3)
The new threats of encryption and the internet manifest new challenges to the NSA and FBI. There have been new challenges emerging every generation since people baked messages into clay envelopes two thousand years ago. We need to seize creativity to solve the problem, not brute force.
Human nature prefers the easy way of using the advantages we gained from the genius at Bletchley Park, from half a century of great SIGINT, and from one of the largest factories of intelligence operations ever made. Human nature prefers to work with well understood technology and process.
Still, our continued intelligence community lies in countering emerging change by intelligence, guile, and advancement. If we allow our intelligence groups to become lazy, relying on ever greater search powers, then they will be useless and clueless when a major threat arises.
If we permit NSA and FBI to have wiretapping capabilities, they will be lazy, useless, and clueless to prevent concerted attacks on the US.
A Devout Capitalist
Profit motivates invention
So the first thing you ask a potential ISP is .... (Score:2)
Of course even then you can trust them .... safety is in big numbers ...
Re:Wiretapping in Routers.. (Score:2)
2. I don't, and won't, work for any company that requires drug testing, and oppose the war on drugs.
3. I'm American.
4. Whereas, 1, 2, and 3 at least some Americans are responsive to these things.
The problem with drug-testing is that, basically, companies have wide discretion in what they can require of their employees. The options of response are to work on drug legalization, or work to pass a law that specifically takes away a company's right to make you take a drug test as a condition of employment.
Erm. And I think our cops just bust down the door. Well, -usually- they knock first, wait five seconds, and -then- bust down the door (at least as seen on the real-cop shows, I've never been in an 'actual' bust of any kind.)
Anyway, on the issue at hand... as long as this is only low-level protocols, screw it, I'll just encrypt my data. Secure encryption schemes -assume- a 'man-in-the-middle' (wiretap) attack to start with, so we know how to deal with this. Encrypt and ignore.
I'd rather there were no 'wire-tap protocols' to start with, though. Damage to router security isn't something that makes me sleep well at night.
--Parity
even if... (Score:1)
drug tests (Score:1)
If drug testing is common in engineering jobs in the States I'd like to know, so I don't go to work and find myself forced to resign, because I'll be damned if I have to pee in a cup for somebody to tell if I'm a good worker.
--
Australian IP Wiretapping (Score:2)
The obligations outlined to ISPs in that meeting were that once a valid warrant had been issued, ISPs were obligated to capture all the packets entering and leaving a user's account. Those packets would then be turned over to the Police force whose responsibility it would be to decode them. The ISP would not have to decrypt or de-encode them, only capture them as they went from the router to the modem.
These cases were in the prosecuting of Child Porn offenders.
Just some food for thought
Re:even if... (Score:3)
send and who to. That is why they want to be able to trace encrypted data from its entry point onto the network and out across it. That is why right now they have PC class boxes tapping big dialup ISPs all over the EU and I'm sure the US.
In the EU it's probably even an offence for the ISP to admit to it. Internet offices and giant web email sites are the dream target of these people; after all, if you use hotmail-like sites you come to them and they can analyse your email and other email in bulk really easily.
Alan
Re:Spooks (Score:1)
Think about it for a while. Done right only quantum crypto defeats tapping the wire, while wiretapping higher-level protocols relies on a whole mess of technical know-how at the tap-point, (rather than back at the spook-cave) and collusion with multiple bodies (both human and corporate).
What's a spook gonna do?
Nuking Seattle is obviously wrong (Score:2)
I would have said D.C., but that's probably a threat to the President and I'd have the Secret Service on my ass and have to give them my por^H^H^Hcomputer files.
(note to the humor impaired: I don't condone nuking anybody or even killing anybody for that matter, even criminals. I know Microsoft is mostly in another town next to Redmond.)
--
Tapped routers? (Score:1)
To look at it from a different angle, though - if wiretapping becomes common, maybe people will have more motivation to develop and implement stronger security and cryptography measures.
-lx
Why - taxation is the big one (Score:4)
emailed around the same time you learn stuff, much like phones. Why did the husband mail his wife's murderer's hotmail account a day before etc..
That's the crime angle. The big one is the tax angle. Uncle Sam's nightmare scenario goes like this.
IBM, Microsoft, GE and other big vendors all use people like Visa. Visa start doing encrypted transactions. Companies start neglecting to mention this kind of fund transfer in their tax returns.
Next stage. A company like Visa creates a private cryptographically managed currency of their own. Everyone opts to use it and hard crypto, the US tax man only sees transactions into US currency space.
Shortly after the USA bankrupted by massive tax revenue basically suffers a total collapse of government power.
Welfare collapses leading to riots. The army can't be paid, healthcare goes totally cash upfront, the education system fails.
Whether a massive loss of Government is good or bad is a complex political question to most people but if you are a politician it's easily answered
Alan
Re:Nuking Seattle is obviously wrong (Score:1)
Note for the humour impaired: I really mean it. I say we take off, and nuke the site from orbit. It's the only way to be sure.
Said in a Tommy Lee Jones voice... (Score:2)
In effect, it would take taps on EVERY one of those to catch any data that comes through, because as I understand it, anything sent through the net could take multiple paths (which is why video over the net sucks).
And good luck catching it in time. While the net may not be lightning quick, it's still VERY fast on a good pipe. Much faster than a person on foot, a package in the mail, or someone talking on the phone.
I say, good luck trying to tap anything. What you do get would be encrypted most likely.
Yeah, but... (Score:2)
My local Mom&Pop ISP got bought out by RCN...
--Parity
Re:Wiretapping in Routers.. (Score:5)
If they are tapping routers in the States then any information that goes through them is compromised as well.
Do people think that just because the person on the other end is Canadian(or anywhere other than the states) they are just going to let it go. NO, they are going to log whatever pleases them.
And because we don't decide which routers our transmissions go through we don't know if we are being listened in on. Is it coming to the point that if we want privacy that we have to encrypt every transmission we send?
Well it just looks like the States is losing its right to call itself "The Land of the Free!"
Re:even if... (Score:1)
But even if it were found that I contacted someone who bombed the White House and then they tried to pin a bombing in my town on me... all that they'd have is circumstantial, which still leaves room for reasonable doubt. But... I dunno. Still kinda a pain to be hassled.
Re:drug tests (Score:1)
It seems really common in big huge corporations that adopted lame-assed hysterical policies in the 80's and haven't updated them to match the geek shortage of the 90's.
Don't worry though, they would tell you about it before you were hired, so you wouldn't get stuck in a position where you accept a job and then are surprised with a drug test down the road. You would have ample opportunity to reject their offer and tell them exactly why.
FYI, I haven't heard of engineers getting the "periodic, random, at-any-point-in-the-future" type tests. So you'll always have the option of "selling out" and submitting to the one-time test, if you're desperate for a job (so long as you can keep it cool for a few weeks).
Re:Vendors taking part in experiment (Score:2)
As voice over IP and other routed protocols become more prevalent, it is possible that the government will require the ability to wiretap these communications. Industries under such fiat will have to choose the wiretap-enabled version.
Large IP networks providing secure VPN services for businesses will almost certainly choose the software without such wiretapping capacity.
Vendors will produce whatever their customers will buy. If any customer requires a backdoor (via government fiat or otherwise), every vendor will have that feature faster than you can say 'eavesdrop'.
I agree 100% (Score:2)
This can get really tricky when local, national and global politics get involved. Industries lobby to hide information from the consumers when full disclosure would cost sales.
Ben and Jerry's had to fight to be allowed to mark their ice cream as "bovine growth hormone free" since such labeling had been made illegal in the US.
But remember that the World Trade Organization has been getting heavily involved in this area and has global jurisdiction, so Canada isn't completely safe from this madness.
Re:So what? (Score:1)
Well, they won't be able to eavesdrop on criminals, so yeah, it's useless for law enforcement. But they (both law enforcement and criminals) will be able to eavesdrop on honest folk (since most honest folk still don't encrypt), so they'll be able to blackmail everyone, sell industrial secrets, etc, so it's dangerous.
Useless and dangerous -- what a great combo!
---
Re:Wiretapping in Routers.. (Score:2)
The problem with drug testing is that a lot of companies test for legal and prescription drugs, too. Anti-depressants. High blood pressure medications. And so on.
My friends won't encrypt because it's inconvenient (Score:1)
We still need popular mailers to get PGP support. I still can't get my Unix and Mac using friends to switch to using PGP for everyday chatting, because they use Elm and Claris Emailer.
I figure I might be able to talk my Unix friend into mutt (or something else -- other suggestions?). But what about the Mac guy? Anyone know of any Mac mail programs that easily support PGP?
---
Re:even if... (Score:3)
--
Fore Systems - tee-hee (Score:2)
IT decides that this would be a great time to switch from the old I-forgot-the-brand hub to the newer and better one from Fore. After the switch, NOBODY could even log in. 200+ engineers standing around drinking coffee - this time with a good excuse. So we went back to the old hub, and all was well for the rest of the day.
Today I lost faith in anything that comes out of Fore Systems, hardware, comments, anything.
Some comments. (Score:1)
Just like not all phonetapping is done by the goverment, not all wiretapping has to be done by the government either. Companies can choose to tap the phones of their employees; they might also want to be able to wiretap their routers. And before you say "Well, they shouldn't", I say "Yes, they shouldn't, and wouldn't it be nice if they had no reason for it?".
-- Abigail
But why? (Score:1)
Hrmph. (Score:2)
Hey, look on the bright side. You saw what kinds of problems lack of interoperability caused in the early UN*X products - remember how fractured that was, and how hard it was to get anything working? *evil grin* Now the FBI gets to get some of that. Hope they find a solution.. they got a few trillion to waste on developing ways to get around incompatible standards, right? *very evil grin*
--
Re:Wiretapping in Routers.. (Score:2)
The problem with drug testing is that a lot of companies test for legal and prescription drugs, too. Anti-depressants. High blood pressure medications. And so on.
Hrmmm. I didn't know that. Any references would be appreciated, even to the information-grubbing NY Times. Unfortunately, since the ADA only applies to un-corrected disabilities, and anyone on medication presumably has his or her problem 'corrected', that probably means that the companies are in the legal (though not the ethical, imo) right to do this, and to fire those employees they consider unacceptable.
Oh, well. I still won't work for companies that drug-test. And I'm arrogant enough to think that that -is- a loss for them.
--Parity
Re:Fore Systems - tee-hee (Score:1)
What good came out of Seattle (Score:1)
Okay, nuke it!
IETF, IAB, IESG did not issue a statement (Score:2)
There was definitely a lot of opposition to the wiretapping proposal, but there was some support for it as well. Recordings of the multicasting of the plenary will be available at imj.gatech.edu [gatech.edu]. Need the multicast tools to view it.
Hardware vs. Software Tapping (Score:2)
OTOH, if a protocol (software) is made tappable, then ALL hardware that passes or processes that protocol becomes a potential tap point.
It seems to me that keeping the protocols tight is the way to go, and then require taps to be applied only on and at compliant hardware.
With hardware, most features, such as tappability, can be disabled as part of the hardware setup and configuration. With a protocol, there is no such protection, no "off" switch. Either the protocol traffic matches spec and is passed, or it violates the spec and is dropped.
Finally, if someone wants to tap your digital communications, they must first ensure that your packets pass through a piece of hardware that is enabled for providing taps. That, in turn, may require that router tables be altered, or additional hardware be installed, both of which may be detected in a variety of ways. And that may let you know that you are being tapped, though it would not tell you by whom or why.
So, tappable hardware would appear to have a close analog to land-line telephones, which have supported taps since their inception, and have fairly good legal protections in place. A broken protocol would be more like listening to an analog cell phone conversation: Almost anyone could do it.
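One of the "variety of ways" the post above alludes to is simply keeping a baseline of the forwarding path to a peer and diffing later runs against it. The script below is an added example, not code from the post or from any vendor: it parses traceroute-style text, reports hops that were not in the baseline, and singles out inserted hops that fall outside the prefixes you expect your provider to use. All addresses, prefixes and traceroute text are constructed for illustration (documentation ranges plus 100.64.0.0/10), and the "expected networks" list is an assumption you would fill in from your own provider's allocations.

```python
"""Detect a changed forwarding path by comparing a fresh traceroute
against a saved baseline.  Added example; the hop addresses, prefixes
and traceroute text below are constructed for illustration."""
import ipaddress
import re

# Hypothetical baseline captured on a quiet day (constructed data).
BASELINE = """
 1  192.0.2.1       0.4 ms
 2  198.51.100.9    3.1 ms
 3  198.51.100.33   7.8 ms
 4  203.0.113.5    12.2 ms
 5  203.0.113.77   12.9 ms
"""

# Same destination later: two extra hops appear between 3 and 4 (constructed).
TODAY = """
 1  192.0.2.1       0.5 ms
 2  198.51.100.9    3.0 ms
 3  198.51.100.33   8.1 ms
 4  * * *
 5  100.64.7.1     41.3 ms
 6  203.0.113.5    45.0 ms
 7  203.0.113.77   45.6 ms
"""

# Prefixes our traffic is expected to traverse (assumption for the example).
EXPECTED_NETS = [ipaddress.ip_network(p) for p in
                 ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]

_HOP = re.compile(r"^\s*(\d+)\s+(\S+)")

def parse_hops(text):
    """Return the ordered list of hop addresses; '*' marks a silent hop."""
    hops = []
    for line in text.splitlines():
        m = _HOP.match(line)
        if m:
            hops.append(m.group(2))
    return hops

def compare_paths(baseline, today, expected_nets=EXPECTED_NETS):
    """Return (inserted_hops, foreign_hops).

    inserted_hops: addresses on today's path that were not in the baseline.
    foreign_hops:  inserted addresses outside every expected prefix, the
                   strongest sign that traffic is being steered through an
                   unknown box.  Silent hops ('*') are reported as inserted
                   but cannot be classified.
    """
    base = set(parse_hops(baseline))
    inserted = [h for h in parse_hops(today) if h not in base]
    foreign = []
    for h in inserted:
        if h == "*":
            continue
        addr = ipaddress.ip_address(h)
        if not any(addr in net for net in expected_nets):
            foreign.append(h)
    return inserted, foreign

if __name__ == "__main__":
    ins, foreign = compare_paths(BASELINE, TODAY)
    print("new hops:", ins)
    print("hops outside expected networks:", foreign)
```

A silent hop plus an unexpected address and a latency jump of tens of milliseconds, as in the constructed run, is exactly the signature of the "additional hardware" case; a path that merely reorders hops inside the expected prefixes is usually ordinary re-routing and not worth an alarm. The check tells you something changed, not who changed it or why, which is the limit the post itself notes.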
Re:My friends won't encrypt because it's inconveni (Score:2)
Claris Emailer 2.0 supports PGP quite nicely, if you can manage to track down a copy.
Eudora also supports PGP.
Re:My friends won't encrypt because it's inconveni (Score:1)
Piss sniffers (Score:1)
I think you should be allowed to piss on anyone who wants you to piss in a cup.
"Oh, and here's a shit sample, too. No extra charge."
*smear*
Fucking Nazis.
Re:So what? (Score:1)
Re:Why - taxation is the big one (Score:2)
Uh, why can't the government change the tax law? Companies will still have records which the government can ask to see. Companies will still have large office compounds which the government can (with a warrant) search.
Welfare collapses leading to riots. The army cant be paid, healthcare goes totally cash upfront, the education system fails.
You mean the collapse of the Soviet Union? Though the last item has already happened in America. :)
More than our rights (Score:1)
ISP's DEMAND tapping for GOOD Reasons! (Score:2)
ISPs use the very same wire tapping feature to debug such mundane things as why a customer's PPP dialup isn't succeeding! He said that their equipment had ALWAYS had this feature for the very simple reason that the customers (ISPs) demand it!
Someone earlier said that just because there is one legit reason for a feature, the possibilities for abuse are far greater and should be the deciding factor. Isn't this the VERY same argument being used by the DVD consortium against the CSS code release??????
Hmmm....
Re:My friends won't encrypt because it's inconveni (Score:1)
Thank you. :-) I'll suggest those to him.
---
Re:Said in a Tommy Lee Jones voice... (Score:1)
Assuming the target in question is an individual running through an ISP, the tapper would probably go directly to that person's ISP, plug into the router, and listen to all the traffic going into and coming out of that person's connection. No need for the network hunt, no need for the Bond-style tracing equipment. It's amazingly straightforward.
As for encryption, the US authorities have two ways of getting you: assuming you're Joe Q. User, you'll either be using no encryption or light (40-bit) encryption. If they really want to, the Government can break through that in next to no time (a matter of weeks, at most.) If you're using more than 40-bit encryption, all they need to do is wait for one of your encrypted messages to leave the U.S. Then, they can either nail you on the spot for violating encryption export laws or wait for a few more messages to pile up to hit you. Once they do this, they can simply demand you decrypt the message (or suffer a less sympathetic stance in court.) If they want to get shady, they could even "alter" the ISP's routing table so that some of your packets just happen to bounce off a server in Libya before moving on to your Grandma's house. Giving them a router tap only makes it easier.
Folks, this is why you {en,de}crypt at both ends. (Score:1)
Points along the middle of the net have always historically been assumed to be insecure. It's just being officially announced now. For the users at the end of the com traffic, nothing has really changed. Just encrypt, send, decrypt and you'll always be safe.
I would like to see all web sites running SSL all of the time and for plaintext HTML to disappear. The major Linux distros could make this easier and expedite the changeover by preconfiguring a secure SSL default apache setup and redirecting all requests to port 80 to the secure page for backwards compatibility.
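Several posts in this thread (the "encrypt and ignore" advice, "encrypt at both ends", and "if the net is encrypted, who cares who's listening") make the same point; the block below is an added example, not code from any of those posters, that shows what a tap in the middle actually gets from an end-to-end encrypted packet and why the MAC matters as much as the cipher. It uses only the Python standard library, building a counter-mode keystream from HMAC-SHA256 as a PRF and an encrypt-then-MAC tag; this construction is sound but in practice you would use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 from a real library. The shared secret, the message and the `tap_view` function are constructed for the example; how the two ends agree the secret is out of scope here and is labelled as an assumption.

```python
"""End-to-end encryption as seen from a tap in the middle.  Added example,
standard library only: HMAC-SHA256 as a PRF gives a counter-mode keystream
and an encrypt-then-MAC tag.  Keys, message and the 'tap' are constructed
for illustration; use a vetted AEAD from a real library in production."""
import hashlib
import hmac
import os

def derive_keys(shared_secret: bytes):
    """Split one shared secret into independent encryption and MAC keys."""
    enc = hmac.new(shared_secret, b"enc", hashlib.sha256).digest()
    mac = hmac.new(shared_secret, b"mac", hashlib.sha256).digest()
    return enc, mac

def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: concatenate PRF(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                            hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])

def seal(shared_secret: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """Return nonce || ciphertext || tag; the tag covers nonce and ciphertext."""
    enc_key, mac_key = derive_keys(shared_secret)
    nonce = os.urandom(16) if nonce is None else nonce   # must never repeat per key
    ks = keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(shared_secret: bytes, packet: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; raise on any change."""
    enc_key, mac_key = derive_keys(shared_secret)
    nonce, ct, tag = packet[:16], packet[16:-32], packet[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: packet altered or wrong key")
    ks = keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

def tap_view(src: str, dst: str, packet: bytes) -> dict:
    """What a passive tap on an intermediate router can still record:
    the endpoints and the size (traffic analysis), but not the content."""
    return {"src": src, "dst": dst, "bytes": len(packet),
            "contains_plaintext_word": b"password" in packet.lower()}

if __name__ == "__main__":
    secret = os.urandom(32)            # assumed agreed out of band by both ends
    msg = b"login: alice password: hunter2"
    pkt = seal(secret, msg)
    print(tap_view("192.0.2.10", "203.0.113.5", pkt))
    print(unseal(secret, pkt))
    tampered = bytearray(pkt)
    tampered[20] ^= 0x01               # tap flips one ciphertext bit in transit
    try:
        unseal(secret, bytes(tampered))
    except ValueError as e:
        print("tap modified the packet:", e)
```

Two things the prose alone does not show: the tap still learns who talked to whom and how much, which is the "who you send to" concern raised elsewhere in the thread, and without the tag a tap that can write as well as read could flip bits in the ciphertext and have them flip in the decrypted plaintext without anyone noticing. Verifying the MAC in constant time before decrypting is what turns "encrypt and ignore" from a slogan into a guarantee.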
am i the only one (Score:1)
It's happening, unfortunately (Score:1)
I'm a software engineer working for a data networking company, and I'm working on our project for residential Voice over IP - so I have some knowledge of these issues.
Basically, the Communications Assistance to Law Enforcement Agencies (CALEA) act passed by the US Congress in 1994, requires "telecommunications providers" to provide tappability on any and all telephone calls they may carry. There are also some reasonably stringent requirements on the nature of the tappability, so a token effort will not suffice. For any residential phone service to be approved by the FCC, it will have to satisfy the requirements of CALEA. Companies or the IETF really have no say in the matter. The only people who can change this are Congress (not even the Supreme Court, unfortunately, because they have already ruled federally approved wiretapping to be legal).
Now, this applies only to so-called "telecommunications providers", i.e. people who provide a phone jack in your house (be it through a DSL line, cable modem, or whatever). If the phone signalling protocols are modified to perform this function, then they will also end up affecting all signalled calls going through voice/data routers - whether they are signalled from black phones or from PCs masquerading as phones. Again, this will almost certainly happen.
The only place where there isn't an existing law is for tapping data flows on the Internet (which may happen to be voice flows, perhaps through a conferencing tool like NetMeeting). The issue was raised that these flows will have to be policeable. Further, given the current federal stance on wiretapping and information gathering, it is a near-certainty that the FBI will move to have a law enacted which enables them to tap any data flow (identifiable by a source/destination IP and/or port number). Congress will have no trouble in passing this law. Again, once it is a law, the IETF or anybody else will have no say in the matter. ISPs will require this feature to stay licensed, and therefore networking companies (i.e. us) will have to implement it in order to stay in business.
Just about everybody in my company who works on this is pretty much unanimously unhappy about it. Some people have even advocated not implementing CALEA-compliant tapping capabilities just to "see what happens". Needless to say, that will not happen. That doesn't stop us from thinking that it sucks, though.
--
I wanted to call myself Anonymous Coward, but it was already taken by somebody.
Oh puh-leeez (Score:1)
The real effect of making current tax systems impossible to administer will be simpler and more transparent tax systems. Making life for the tax man easier has never made anyone else's life simpler or easier.
What really makes the above prediction seem ridiculous is the fact that the U.S. grew to become a world power while taxing at a rate less than one-third the current rate. It is much more likely that any large decline in taxation would bring on a new golden age rather than a disaster.
Bad Reporting (Score:2)
I'm sending this from the IETF meeting network in the Omni Shoreham hotel in Washington D.C. I was present for the entire discussion yesterday evening. This article is misleading, a definitive and final decision by the IETF was not made.
This discussion, held during the regular plenary session which is part of every IETF meeting, was simply another form of input to the IESG (Internet Engineering Steering Group) and IAB (Internet Advisory Board). The "vote" was not exactly as the reporter said, I'd say the number of abstentions was close to (maybe even greater than) the number of people opposing aiding wire-tapping. The reporter does not seem to understand the IETF method of discussion and consensus building.
For much better coverage of this story, I suggest reading the Network World [networkworld.com] article. It does a much better job of reflecting reality as I remember it.
Re:Wiretapping in Routers.. (Score:1)
The options of response are ... to pass a law that specifically takes away a companies right to make you take a drug test as a condition of employment.
What about the companies that check your financial records? Isn't it the legitimate right of the companies to protect themselves from the people who are deemed "vulnerable" enough to sell sensitive information?
The point is that whoever gives you money can attach strings to that money - and there's no way short of global boycott (yeah, dream on!) to stop these practices. I used to work for a small "non-testing" company, but when we were contracted by an investment bank, everybody who worked on the project had to fill out those scary SEC forms.
It's sad and scary, but there's no stopping it unless you can just print money in your basement.
KMACYOYO (Score:2)
Re:Vendors taking part in experiment (Score:1)
I also imagine that there will pretty quickly be hardware hacks published which disable this "feature" on long respected hardware like cisco.
Me? I'll hold on to my 2500 router for as long as possible
Re:Fore Systems - tee-hee (Score:2)
As they say 'not my yob'.. I'm just a luser on the company network.
Pretty embarrassing though - I should know what we're running. I'll have to get educated in the morning...
Re:Said in a Tommy Lee Jones voice... (Score:1)
I was under the impression that sending something encrypted out of the country was perfectly legal. Exporting crypto software is illegal.
Don't we already have this? (Score:2)
NOT a hollow victory. (Score:1)
OF COURSE the companies will please the spooks.
In any event, if you really want to prevent tapping, you MUST encrypt. End of story. The standards are there, the software is there, use it.
Nate
(mildly OT) Re:Just Encrypt. (Score:1)
But you should note, a 128 bit RSA key can be cracked in no time. A better idea is 128-bit or longer conventional encryption keys, and 2048 bit or longer RSA keys (I would say 1024 bit, but recent factoring successes with 512-bit keys are making that number look a bit less secure, as 768-bit keys already are getting feasible to crack.)
Nate
Re:My friends won't encrypt because it's inconveni (Score:1)
We still need popular mailers to get PGP support. I still can't get my Unix and Mac using friends to switch to using PGP for everyday chatting, because they use Elm and Claris Emailer.
Elm-ME+ 2.4pl25ME+60-1 has PGP support.
Not hollow at all... (Score:4)
I don't think this is a hollow victory at all, even if the companies go ahead and screw us over with or without the IETF (Did you ever think better of them? The state and the industry have been each others whores for the better part of this century.)
However, this battle was never about whether they are tapping Internet nodes or not. The Internet is already tappable. The FBI can do it, a skilled hacker can do it, and the NSA is most probably already doing it. If you want your communications to be secure: encrypt them. If you don't, there is no reason to think that people aren't, or to argue that they shouldn't be, listening.
What this was about was the integrity of the IETF, and by extension the Internet community. I think that if the IETF had gone ahead with this, many of the ideals that have driven the Internet until today would have been run over once and for all. A yes to collaboration would have been a confirmation that the Net and Web had become nothing more than a PR playground for Disney and Microsoft. But by rejecting this, the IETF has showed that there is more to it than that: that there is still a thread of revolution in the very nature of connectivity, even if you have to dig through a lot of dancing baloney to find it.
That is not a hollow victory...
-
We cannot reason ourselves out of our basic irrationality. All we can do is learn the art of being irrational in a reasonable way.
You are all paranoid. (Score:2)
Police and law enforcement officials have been able to tap phone lines almost since the phone was invented. Do any of you still use the telephone? It's even easier to listen in on open-air conversations. Do any of you still speak in public?
Bottom line: It's not that big a deal. Don't get so worked up over it!
- A.P.
--
"One World, one Web, one Program" - Microsoft promotional ad
Interesting but... (Score:2)
Let's all keep in mind that there are two different methods for tapping communications over the internet.
Method one: Use a physical device attached to the router in order to monitor traffic. However, keep in mind that this method requires no special hardware on the router side of things. Anyone could build a device to work with current routers to do this with little trouble. Remember: TCP is an unencrypted protocol, everything's plaintext... even your passwords.
Method two: A software based tap built into the software of the router that can be activated remotely. This is the one that would have to be "implemented" and it is the most scary because if it can be done remotely by the FBI, it can be done remotely by ANYONE. Just as long as someone is significantly motivated enough to figure out a way to break the security (and I think it's been proven time and time again that any security can be broken if there is reason enough to and with enough time).
If it's method two that they want to implement then we should all get off our asses and bitch like hell. This jeopardizes what little security TCP has, besides just being a blatant violation of privacy.
Just wait till the first cracker figures out the scheme and starts watching .gov routers for telnet logins/passwords. I wonder if Big Brother will be too keen on this idea after that.
-Cyberllama
It's ironic, if you think about it... (Score:1)
The internet has never been circuit switched. You shouldn't really have a reasonable expectation of privacy, and I mean that in a literal, not a legal, sense.
People can "tap" your "line". Somebody who wants to illicitly eavesdrop on this connection I'm using right now could simply rent a house in vaguely the same part of town and get a modified cable modem. If he had his own nifty equipment, he wouldn't even have to get the cable modem, just a cable link. For about $300 a month, the guy could listen to everything I have to say.
People with different types of connections, I'm sure, could imagine similar scenarios.
My point is that no-one assumes that their connection is clean, and that it's a bad assumption to make even if your line is *almost* provably clean. Entire families of crypto protocols are based on the assumption of a dirty, tapped line.
So, if that's the assumption we should be making anyway, then what's the matter with allowing wiretapping?
It's sort of like the security situation with closed-source software, really. Assuming that disallowing wiretapping will keep people from it is kind of like assuming that because you don't give out the source code, no-one will find any holes in it.
It's a brave new world, but I think that we're pretty well ideologically equipped to handle it.
(Famous last words....:)
Also, I wrote a daemon that lets you use the RealMagic Remote under Linux, if anybody's interested. I just wanted to say that. okay. i'll go now...
Re:It's happening, unfortunately (Score:1)
Besides, incompetence by one company doesn't mean no wiretapping, it just means loss of sales by that company. Planned, industry-wide incompetence is not incompetence - it's collusion, and is a criminal offence when performed against the state.
Re:So what? (Score:1)
Creeping Totalitarianism (Score:1)
As long as technology didn't threaten to empower the masses, Those In Power didn't worry too much about _true_ democracy. Freedom was a nice myth to perpetuate to keep the proletariat happy.
Now that technology could enable* such marvels as online voting, the elite (not 3l33t lest I confuse the script kiddies out there) and powerful are getting worried something might actually shift the balance of power and control (Cokie Roberts' reaction [wired.com] to the spectre of online voting is a prime example of this... how dare those uneducated workers threaten the Rich and Powerful!)
Expect more of this as the net threatens to replace centralized control (mainframe model) with a more "distributed" model of social governance.
-an expatriate 'merican, happy to be abroad.
*Whether the apathetic American public will switch their sitcoms off long enough to actually learn something about current events and political developments is another question beyond the scope of this rant.
Re:drug tests (Score:1)
Re:Folks, this is why you {en,de}crypt at both end (Score:1)
Is this really a viable solution? I disagree with the moderator's opinion that the parent posting is "insightful".
Is someone going to create a trusted root CA that distributes server certificates free for the asking and that the major browsers are going to recognize as a valid signer by default? Or maybe Verisign will change their business strategy and just give away certs for asking nicely =)
And what about accessibility? Not everyone has an SSL-enabled web browser, let alone a 128 bit browser (I mean, it seems silly to get everyone to use http over SSL if we're not going to push for everyone to use 128 bit, eh?). My mom can use a web browser without much difficulty, but she probably isn't going to visit fortify.net [fortify.net] to upgrade her browser to 128 bit. People who use speech readers with text-only browsers like Lynx [browser.org] may not be so keen to have to compile in SSL support themselves to be able to access the web. I don't think I have SSL support on my Palm either. Does WebTV have SSL support? blah blah blah etc etc etc....
There's the whole SSL performance issue too I suppose for those of us still trying to make cheap web servers out of leftover 486s (although if you were really hot and bothered by performance perhaps you wouldn't be using a 486 =)).
And this particular discussion is wasting its energies by focusing on what we as information providers or end-users can do to make up for government efforts to build tap-ability into our networks.
technology of wiretapping (Score:3)
First of all, there already is a wiretapping standard called RMON. In particular, RMONv2 provides most of what law enforcement would want. RMON allows filtered packet capture, so it would be easy to configure the system to filter for a specific IP address and shunt it over to a buffer. One could easily monitor dialups this way. RMONv2 allows for fairly efficient monitoring (in its alMatrixTable) of source-destination address pairs along with an identification of the protocol (Something Japan requires, and which could easily be used to track down hackers who attempt to bounce attacks through chains of machines designed to conceal the true source).
A non-RMON solution would presumably copy packets destined for a certain IP address to another location. Presumably, this would entail simply encapsulating the IP packet inside another and shipping it off to FBI headquarters.
It seems interesting that most /.ers are against it. It seems that natural geek paranoia is winning out over geek superiority. I generally would support it, simply because I use encryption, but I know that stupid people don't. Stupid criminals really annoy me, and such constraints have no effect on ubergeeks who use encryption anyway.
Finally, there is a really good FAQ on the technology of wiretapping at: http://www.robertgraham.com/pubs/sniffing-faq.html [robertgraham.com]. The information in this document could help you wiretap your own network and spy on your neighbors, though of course such activity is completely illegal and I would never encourage it.
Why not a list? (Score:2)
IETF does have a say! (Score:2)
This won't keep it from happening, but it will force the "standard" to be developed elsewhere. And if we're lucky, instead of one "standard", there will be a bunch (that's the great thing about standards: there are so many to choose from), so that it will be a big hassle for the FBI to actually use it.
I'm not opposing the implementation of lawful court-ordered wiretaps. But CALEA makes it really easy for them to do clandestine, unlawful wiretaps, and anything that makes this more trouble than it's worth is a good thing.
CALEA was represented to the public as simply a way to ensure that the FBI would continue to have the same wiretapping capabilities that they've traditionally had on analog phone systems. But if you read the text of the act, you'll see that it goes way beyond what would be needed for that. It gives them broad new powers far beyond what they had before, and if they happen to "accidentally" abuse these powers, it provides little to no recourse for the injured party. Anyone who doesn't think that the government is trying to create a police state should definitely read the law.
[I'm not suggesting a giant conspiracy. It doesn't take that. It just takes the cumulative effort of thousands of individual government workers who want to make the government's job easier. Some of those workers have good intentions, but the road to hell... Remember: the job of the police is only easy in a police state.]
The problem with wiretapping features... (Score:1)
Besides, if I was organising drugs, firearms shipments or any other illegal activity by Internet I'd make damn sure I understood enough about encryption to make it hard for them.
Re:Wiretapping in Routers.. (Score:1)
Re:drug tests (Score:1)
Government doesn't like people with sensitive information doing drugs, because it turns out that (this way, not the reverse) people involved in espionage have a very high propensity, statistically, towards being involved in drugs.
If you're a normal company, I think it's stupid to have drug tests, unless somebody's really suspect and it affects their performance. However, for sensitive government work, people kind of get killed when people leak information. I'd rather have my privacy violated than have some poor underpaid 18-year old get shot.
The one bad thing is that you can't seek help from your employer or the government if you have a drug problem, because if you do you will lose your job too. :(
Re:But why? (Score:1)
This is equivalent to the FBI showing up at a u-stor-it with a warrant, signed by a federal judge, and saying "hey, I want to check so-and-so's u-stor-it container."
Or, the feds showing up at your place with a warrant, because you are a bad*ss or they mistake you for being one. You are kind of obligated by law to honor a warrant, unless you want to get thrown in the can yourself.
That's why ISPs want wiretapping on routers :)
In addition, it is not impossible to believe that most people who don't read /. (and me, I'm the only one who reads /. and still trusts the government) actually believe that, God forbid, the FBI really spends most of its time tracking down dangerous criminals.
Re:Not hollow at all, 1 more reason (Score:1)
//rdj
Re:Shockwave Rider... (Score:1)
This has already happened (Score:1)
We produced a device that had similar function except that it was about the size of a Palm Pilot and could work with any normal telephone. You just plugged the hand jack into it and then plug it into the base. What happened to this device?
I got to help with the job of opening every one of them up and installing an extra IC so that your friendly US Uncle could listen in on them. Does anyone remember 'Clipper'? I've actually handled those ICs. The rumor was that the FBI paid millions for us to do this (basically bought all the units we had produced). Needless to say, production of the unit ceased almost immediately. And the unit was very quickly forgotten by most.
There are no large corporations that can go up against the Feds and win. The executives know this and won't even try.
REFUSE TO PURCHASE IF NOT INFORMED (Score:1)
If my company wanted the government snooping around our network we would have issued them a username and password.
$nyper
Re:You are all paranoid. (Score:1)
Umm.. Security Hole!!! HELLO! (Score:1)
I find this seriously disturbing, does anyone agree?
Re:Just Encrypt. (Score:1)
I do have https available for my primary domain but I didn't offer that to my customers except at additional cost. When was the last time you did random browsing using Secure Sockets instead of HTTP?
Personally I use SSH for all interactive connections and file transfers, but that doesn't help me when I'm reading news, or surfing the web.
The big win in the decision to not include wiretap friendly additions to IPV6 is that we don't have to worry about things such as "has this been recorded yet?" and "User level sender authentication." Think of a protocol where each packet had a "Law enforcement has copy" flag and that flag was a cryptographic checksum of the contents of the packet plus some enforcement "cookie". When that packet arrives at a "tap" point it would be recorded and the field filled in. If the field is not properly set, the packet is first sent to a "tap point" to be recorded. In other words, the talk session that I run between two local machines in the clear might suddenly become tapped. Not because Johnny Law produced a warrant and physically tapped my home lan, but because the protocol suddenly says "Send a copy of this to the tap point."
Or think of each packet sent having an authentication requirement. I.e. Every single packet sent via IPV6 belonging to someone. It is pretty easy to see where that might generate targeted taps, or it might just generate lists of "suspects". Think about what happens if getting packets from a "rape victim support site" would mean that somewhere, somebody knows that you went to that site. The privacy issues are huge.
So what happened is that the IETF has made a decision that says "We aren't going to allow the protocol to have these types of things." That doesn't mean that Fore doesn't put an option in their ATM switch that says "send a copy of every packet received down this pipe." It just means that at the protocol level we don't have to directly worry about tapping.
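The "Law enforcement has copy" forwarding rule from this post, as an added simulation that is not part of the original comment: the protocol, the tap point and the enforcement "cookie" are the poster's hypothetical, and the HMAC checksum, the field names and the sample traffic are assumptions made here. It shows the failure mode the poster describes: a cleartext session between two local machines ends up recorded without any warrant, simply because the protocol diverts every unflagged packet to the tap point.

```python
"""Simulation of a protocol-level 'Law enforcement has copy' flag.

Added example, not code from the original Slashdot post. The flag is
modelled as HMAC-SHA256(enforcement cookie, payload); that choice, the
field names and the traffic below are assumptions made for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical cookie shared by tap points (constructed value, not real).
ENFORCEMENT_COOKIE = b"constructed-enforcement-cookie"


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    le_copy_flag: Optional[bytes] = None  # the "Law enforcement has copy" field


class TapPoint:
    """Records every packet it sees and fills in the flag field."""

    def __init__(self, cookie: bytes) -> None:
        self.cookie = cookie
        self.recorded: List[Tuple[str, str, bytes]] = []

    def checksum(self, pkt: Packet) -> bytes:
        return hmac.new(self.cookie, pkt.payload, hashlib.sha256).digest()

    def has_valid_flag(self, pkt: Packet) -> bool:
        # A missing or forged flag counts as "not properly set".
        return pkt.le_copy_flag is not None and hmac.compare_digest(
            pkt.le_copy_flag, self.checksum(pkt))

    def record(self, pkt: Packet) -> Packet:
        self.recorded.append((pkt.src, pkt.dst, pkt.payload))
        pkt.le_copy_flag = self.checksum(pkt)
        return pkt


def forward(pkt: Packet, tap: TapPoint, delivered: List[Packet]) -> Packet:
    """The poster's rule: a packet whose flag is not properly set is sent to
    the tap point to be recorded before it is delivered."""
    if not tap.has_valid_flag(pkt):
        pkt = tap.record(pkt)
    delivered.append(pkt)
    return pkt


def run_local_talk_session(tap: TapPoint) -> Tuple[int, int]:
    """Two machines on one LAN chat in the clear: no warrant, no physical tap,
    yet every packet is recorded. Returns (delivered, recorded) counts."""
    delivered: List[Packet] = []
    msgs = [b"hi", b"meet at noon?", b"ok"]  # constructed sample traffic
    for i, m in enumerate(msgs):
        src, dst = ("lan-a", "lan-b") if i % 2 == 0 else ("lan-b", "lan-a")
        forward(Packet(src, dst, m), tap, delivered)
    return len(delivered), len(tap.recorded)
```

Every delivered packet leaves the tap point with a valid flag, so the same packet is not recorded twice, but nothing in the rule lets the local session opt out.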
Ok, now it is a family issue :) (Score:1)
Protest that there seatbelt law! (Score:2)
- A.P.
--
"One World, one Web, one Program" - Microsoft promotional ad
Re:Wiretapping in Routers.. (Score:3)
One of the dirty little secrets about drug testing is that the testing companies are pushing for coverage of a large variety of drugs on the theory that there are a lot of prescription drugs that can be abused. Employers don't mind this sort of testing because it allows them to gather more medical information about the employee. There are a lot of legal problems with just coming out and asking employees about what drugs they take under the ADA even now.
Some indication of this can be seen in here:
http://www.shrm.org/hrmagazine/articles/0298cov
The following reference describes setting up a drug free workplace that includes random testing, with possible testing for prescription drugs.
http://www.smartbiz.com/sbs/arts/lll5.htm
Here is a reference that mentions that Upjohn Co. tests for some prescription drugs:
http://www.cesar.umd.edu/wrkp/docs/UPJOHN.txt
And for Motorola:
http://paranoia.lycaeum.org/war.on.drugs/drug.t
Drug testing is a real problem. I wish I had the ability to select employers like you do, but given my profession and age I am kind of stuck with whomever I can find.
Re:So what? (Score:1)
When worlds collide... (Score:1)
First, let me congratulate the IETF on Doing the Right Thing.
Now let me try to explain why anyone would even think of adding wiretap capability to an Internet protocol, what it means, and what we can do about it.
Why wiretap? The FCC and other global regulatory agencies require the ability to wiretap voice networks. This is known as the Communications Assistance for Law Enforcement Act (CALEA). If you want more info check out the FCC site [fcc.gov] .
Ok, great, this is a done deal with the telephone network. But what the hell does this have to do with the IETF?
Voice over IP technologies have effectively made any IP network into a telephone network. As carriers start to deploy VoIP solutions using their own IP based networks, they still must support federal regulations such as CALEA. So it makes sense for the IETF to add CALEA support into VoIP protocols, right?
I think not.
What would it mean if we started applying the rules and regulations of the telephony network to an IP network? Would we end up applying all of them? Where is the line between a telephony carrier's IP network and the Internet? Where is the line between wiretapping voice and wiretapping data?
The line is where we draw it.
Unfortunately, anyone hoping to sell equipment to telephony carriers has to provide CALEA support. This is why router companies have to add CALEA functionality to their products. At least that (hopefully) limits the effective jurisdiction of wiretapping to carrier networks. We absolutely do not have to subject the Internet to these regulations.
What can we do? We can petition and support the IETF in NOT adding wiretap capability to Internet protocols. We can use PGP or other encryption to keep our communications secure, and show the futility of wiretapping on the net. We can write to politicians, and the FCC, and tell them what we think.
I like to think of it as the separation of church and state. If we're going to have freedom online, we need to prevent the regulations of other media (telephone, television, radio) from creeping in.
Thanks to the IETF and all of you for drawing the line, and defending it.
Re:drug tests (Score:2)
For all other purposes, though, chemical drug testing (urinalysis, hair tests, and so on) is just stupid. Impairment testing [lycaeum.org] is the only sensible option.
Re:even if... (Score:1)
pth
My name is not spam, it's patrick
Re:Shockwave Rider... (Score:2)
Are there any signs that we are *NOT* going to end up in a world similar to the one described in the book?!
I think Brunner was overly optimistic. I haven't seen any signs of a town with street names like 'Mean Free Path', and if 10 9's existed, it would be tapped.