IETF and wiretapping standards 121
Anonymous Coward writes "I just noticed that the IETF has sent out a request for discussion dealing with the implementation of wiretapping in Internet Protocols. The motivation is based on laws some Governments have about telecommunication systems." The message and subscription information to their discussion email list, punningly titled "Raven", are available on the web. Oh, and "some Governments" includes the U.S. and most other countries, so I hope the IETF will get some good feedback.
Wired article on IETF proposal (Score:1)
http://www.wired.com/news/p olitics/0,1283,31853,00.html [wired.com]
Re:AAAAARGHHHHHHHHH (Score:1)
Re:(Off-thread) Wiretapping, the premise (Score:1)
Developping industrial espionage (Score:1)
> to support mechanisms whose primary purpose is to support wiretapping
> or other law enforcement activities"
translates to:
"should the IETF develop new protocols or modify existing protocols
to support mechanisms whose primary purpose is to support wiretapping
or other industrial espionage activities"
And the Statement to the following is of course:
>"what should the IETF's position be on informational documents that
> explain how to perform message or data-stream interception without
> protocol modifications".
"Please teach me how to hack".
Re:Why is wiretapping a bad thing? (Score:1)
Most (all?) of this influence occurs at the legislative level, which is in fact one of the most open aspects of our government, open to all sorts of public scrutiny. Is this where your mistrust lies, or are you alluding to some other area of evil corporate influence?
Re:... (Score:1)
I think you would be surprised if you knew how inaccurate your assumption here is.
Re:The main problem... (Score:1)
The two algorithms I suggested - Skipjack and Rijndael - are considered about the strongest algorithms out there by the crypto specialists, from what few papers I have read. Those, and Serpent (another VERY nice algorithm) won't be breakable in any practical way for the next 50 years, minimum.
Skipjack is former DoD, I believe, and recently declassified. Rijndael and Serpent are competing as replacements for DES, and are through to round 2 of evaluation. So far, they are the hot favourites, for being both strong and fast to apply.
Wiretapping... (Score:1)
Re:IETF recommendations (Score:1)
as Internet gains more importance in the future, Internet freedom gains more importance too.
Re:One question? (Score:1)
Just think about it. If there was a reliable way to determine this, then the investigation would be ineffectual.
Re:The main problem... (Score:1)
Of course, we'd need to have a stream going in each direction. So maybe each person could throw in their mp3 collections or something... That way, you're sending legit data (albeit they could probably slam you for some sort of copyright violations), as well as what you really want to communicate.
I definitely agree that stego is much more useful for static information, which is why I didn't put any effort into coming up with a way to stego a 'net-phone conversation.
Hmmm...I wonder which of my friends would like to try this & annoy @Home.
Re:The main problem... (Score:1)
It's better to crypt with GPG and a huge key out in the plain open, than to use some amateur algorithm inside steganography and faked headers. Because if their computers can crack GPG in a year say, they could break "jimbob's cypherhack" on spare cycles overnight.
Some related news on CNN (Score:1)
Somehow this could be considered already has an wiretapping implementation
Re:The main problem... (Score:1)
Re:The main problem... (Score:1)
Support Dumb Networks (Score:1)
This tactic doesn't work when the network transports bits (IP with QoS) and the end users are responsible for encoding/decoding the audio. The end users can use any encoding or encryption scheme they desire without getting permission from the carrier or the government. The carrier doesn't have access to the raw audio, just a constant bit rate data stream.
Wiretapping... (Score:1)
Specific problems with the whole thing:
1. Supporting wiretapping 'protocols' adds the same security holes as any other back-door behaviour. If done right it's only 'a tiny bit' more insecure, but still.
2. If we have a 'Voice Over I/P Protocal w/wiretap' there's nothing to stop someone from writing a voice-over-IP program that sends a pre-recorded conversation to listening 'wiretaps' and another conversation to the other client.
(Presume, for example, that the 'wiretap' facility is a 'voice-over-ip' signature identifying the communicating parties... I design a 'spoof-voice-over-IP' that appends the real data to a valid voice-over-ip packet, or sends an untagged packet at the same time as tagged packet, or uses a sneaky algorithm to 'nest' voice2 data inside of the primary voice data, or... )
3. If people don't want it, they'll use something else. Speak-freely does voice over IP, and doesn't have any 'wiretapping' capability...
4. A certain segment of the population (ie, the crowd here at
what exactly is the IETF being asked to do? (Score:1)
What could the IETF (or a protocol defined by the IETF) do to make Internet communications easier to tap? In particular, what could they do when the communicating parties both know the protocol in use and are trying to spoof it?
Furthermore: in many countries, the law permits police wiretapping, but also places restrictions on its use. It doesn't seem fair for a protocol to make the wiretapping easier without also making it easier to enforce the restrictions. But then you'd need a protocol that could handle the various authorization, auditing, and verification requirements of hundreds of different political jurisdictions. Is this really practical?
In defense of myself (Score:1)
Govt. Backdoors Public - Film at 11... (Score:1)
Mark Twain, maybe?
(Off-thread) Wiretapping, the premise (Score:1)
The US government should have no right to wiretap. If the premise that they should have the right is valid, then they have the right to EVERY word you speak. You can't say anything without the government being able to hear it. Privacy is non-existant. The statement "There is no such thing as privacy anymore" is true. (Who was that, Scott McNeely?)
Modifications to my position for wiretapping pundits: ;)
"What about the kidnapper/child/whatever scenario"
Life sucks. Really, though, the whole concept of wiretapping in this situation should be rethought into a new pardigam. (I don't have time to type that up here
"Interstate communication, therefore under the jurisdiction of the Feds": ... technically, you don't have a *right* to privacy, do you? Where in the Constitiution do we have a right to say something to another person and nobody else can listen? If such an amendment existed, then this WOULD be an issue.....
Limit the right to only interstate calls and data transfer (based on target/destination, not path?). Thats still unconditional wiretapping, you say? Similar to the "feds" having the right to monitor anything you say across state lines. Now the true problem arises
anyone up for drafting the next amendment to the constitution?
Re:Why is wiretapping a bad thing? (Score:1)
cheers,
Bobzibub.
Why? (Score:1)
It doesn't make sense if some particular person or group of people is targeted - it would always be much simpler just to tap their *connection* to the internet, which is probably already covered by the telephony legislation.
The only other alternative I can see is automated 'eavesdropping' looking for keywords etc
Re:IETF is always open -- give them a chance (Score:1)
Perhaps some of the posters here who have reasoned comments to contribute to this discussion might consider joining the IETF.
Turn up to a meeting (4 per year), or subscribe to one of the mailing lists and start posting useful comments to the ongoing discussion. That's it, you are a member just by participation.
Unfortunately for the conspiracy theorists, there are no initiation ceremonies, and no cabalistic membership application procedure. Sorry guys, you will just need to go back to tracking down the Illuminati!
Some people would say that you have to join a magic "inner circle" of the IETF before your voice counts. I'm going to let the Slashdot readers in on a huge secret here - if your contributions generally are on topic and contain way more signal than noise, the "inner circle" will be glad to have you!
Having attended an IETF meeting, I can vouch for the attendees in general being highly intelligent, professional engineers, with good ethical and moral standards. If they don't agree with a proposed standard, you will not have to wait for the reasoned arguments against the standard to come flooding in.
Personally, I applaud the IESG for encouraging early debate on wiretap issues. To ignore these issues would run the risk of being caught out by new legislation, followed by hasty implementation of a poorly planned set of technologies designed to appease the governments such that the Internet is allowed to continue to operate in a useful fashion.
IESG / IETF did not pull these issues out of thin air - these are real issues and can/must not be ignored. I wonder how many of the people posting negative comments about the IETF have actually bothered to look at the web site: http://www.ietf.org/ [ietf.org]
Don't use Skipjack! (Score:1)
Skipjack is not a good choice for several reasons:
--
POTS (Score:1)
Re:Why is wiretapping a bad thing? (Score:1)
I personally think that it is:
E) : the government(s) are being influenced by a group or several groups that are in fact continuously trying to ruin the lives of citizens.
I am not bothered by the few people you refer to in C, because they are very government specific, so this statement is not an issue when looking at the governments in general.
Yes, I agree that A and B are probably both true, but that they are not primarily responsible for (my) mistrust.
The capability is already there (Score:1)
There is no point to adding monitoring 'features' at the protocol level. The end user controls the content, just as they do with a POT's line. On a POT's line I can talk plainly, in code, use a modem, tap morse code, etc. With TCP/IP I can send pain text, encryped text, sound, video, etc. Having a hole in the protocol will have little impact on how easy it is for law enforcement to _understand_ what is being transmitted.
Sorry, but look at what we do, not our PR (Score:1)
US dominance and lack of privacy (Score:1)
However, in many states of the US, it's illegal to record conversations over wires, as Linda Tripp now nows. Washington State, Virginia, a bunch of others. If a packet stream passes from or to one of these states, it's illegal under US law to tap the conversation, encrypted or not, if it represents the digitized information of a voice conversation, without the permission of BOTH (or ALL if more than two) parties. Exceptions exist for one-way conversations like TV or radio, in that implicit consent has been given with the radio and TV licenses.
Isn't it nice to know... (Score:1)
Re: (Score:1)
Re:... (Score:1)
We have to assume that the person isn't using encryption, because wiretapping an encrypted line is rather pointless.
So we are talking about unsophisticated users (and whether or not the would-be targets are sophisticated is another story altogether, which if anyone bothered to listen to me, we'd discuss first). Unsophisticated users will typically have one connection to the internet, and not do any fancy tunneling to a crowd [att.com].
So there is one very obvious place to place a tap -- the isp. IMHO, any nation that wants to wiretap its digital populace should just require ISPs to provide law-enforcement the ability to selectively tap users. This would be a much more localised solution than working the requirements into an RFC.
Re:The main problem... (Score:1)
However, it's not quite what I had in mind; It trades availible peak bandwith against easing the restriction against encryption, while I was suggesting trading average bandwidth against traffic analysis. Chaffing solves the problem of exporting crypto; I was pointing out the problem of "why are you communicating _now_?"
Of course, you could do both -- this is probably what you meant no? -- where we send plain multiplexed text most of the time, and then every so often slip in a secret message. Sure, that'd work.
Johan
Re:The main problem... (Score:1)
I dunno. For this to work,
a) the audio stream would have to be very natural, both in its a1) existence, a2) content, and a3) timing ("hey! why is Jimbob discussing fashion with the prez in the middle of a war?")
b) we would have to communicate the details of the stego some how, in some non-suspicious manner. Req A makes this hard to do, and if we had such a channel, we really wouldn't need stego in the first place.
requirement A is so hard to get right, that you might as well just go for an "open" attack against traffic analysis. Send each other random encrypted messages every day. Even when you have nothing to say. Random length, random time.
Since messages are sent almost constantly, attackers will be unable to draw correlations between trafic and outside action. In intelligence, knowing who is communicating is almost as important as what they are saying, I'd imagine.
The recipient will of course be able to identify the meaningless messages from the real (by virtue of the meaningless ones not decrypting), but attackers will not know which messages to attack.
Traditional stego (hiding stuff in the low-order bits) is mostly useful for hiding the plans for nuclear devices in my collection of mountain vista JPGs.
Johan
Re:The main problem... (Score:1)
Johan
Re:The main problem... {sortakinda on topic} (Score:1)
Acutally, I remember hearing that PGP inventor Phil Zimmermann (it may have been someone else) wrote a phone scrambler that used your PC's sound card. Can anyone back me up on this?
In response to the "Raven" article, I think the standard should not include hooks for tapping; if a goverment wants to spy on it's citizens, make it an effort to do so. Internet standards are there to "get the job done" efficiently and quickly, not to advance political agenda. The internet is a global entity and as such, should not be intimidated by the local bully (which happens to be the U.S. in this case).
---Complaints may be directed to
Re:Wiretapping... (Score:1)
Re:*sigh* I wish anti-crypto FUD would go away. (Score:1)
Poor choice of words on my part.
Re:Wiretapping... (Score:1)
--
Hey, thats a pretty good error for only 6 digits ! (Score:1)
Relative error = AbsErr / X = 8.4913e-8
Percentage Error = RelErr*100 = 0.0000084913
Damn, I wish had known about that ratio when I was still back in school/college/university.
(And who said numerical analysis wasn't usefull
Re:The main problem... (Score:1)
[rde said]...If I were planning an illegal activity over the internet, you can be damn sure I'd use 1024 bit pgp encryption. It wouldn't matter a damn what wiretapping facilities were in place if all they could read was encrypted crap. They'd only be able to read the mail of the innocent and the naive.
[kbyrd replied] I totally agree here. With traditional communication media (telephone, snail mail, speaking face to face), encryption isn't as easily available (how many of you have a voice scrambling system for your phone?). On the 'net, encryption IS easily available. If you believe that wiretapping should be allowed at all, it makes sense to be able to wire tap phones, the average phone call is difficult to encrypt cheaply. With the net, encryption is (usually) free and easily available, especially if you're talking about email. I don't see that wiretaping has as much of a benifit here.Excellent answer to a difficult question... (Score:1)
However, a quick way to lose my respect would be to ignore the discussion that has been initiated and bow to political/social/economical pressure from either direction. Let's hope they continue what they have started here and make the right decision, not the Politically Correct or expedient one.
Re:The main problem... (Score:1)
Things like:
who sent it
where is it going
when was it sent
when was it received
how fast was the response delivered
what patterns arise over the long term (i.e. how often is data exhanged, is it periodic...)
how do the involved parties act before and after these exchanges
etc. etc. etc.
There is also a lot that is not encrypted, such as email headers and so forth that could be read and analyzed for any possibly useful info.
You are also asuming that techniques such as quantum computing which could be used to crack conventional codes are indefinately far away in the future. However if you combine something like IPv6 (with the built in MAC codes) and the (likely) eventuality of quantum computing then you have neither encryption nor anonymity.
Quantum crypto is often held up as the answer to quantum comptuers, however the way in which quantum crypto works pretty much rules out the internet (unless all you want to do is real time communications over satelites only (assuming that free-air quantum crypto becomes a reality and is available to anyone), and that isn't really an internet situation). That means that there will be no such thing as effective crypto for things such as email and so forth. (NOTE: Before I get flamed to death, I should note that there are systems that you could create that would leverage quantum crypto together with the internet, but they would require a seperate, non internet connection between parties (in most cases) to establish secure transfer of OTPs and so forth).
You should plan for the maximum possible privacy and try for both unbreakable encryption and anonymity. Better yet, communicate without making it obvious that you are doing so. Use a combination of encrypted data and proprietary steganography. It is hard to eavesdrop if you don't know that people are having a coversation.
Re:Big Brother... (Score:1)
PS. Is there a device that will allow for scrambling of voice. I had a prank pulled on me by some rather unscruplious persons who used such a technique.
Re:The main problem... (Score:1)
One way around this... (Score:1)
Re:Adding wiretapping to the protocols? (Score:1)
Re:The main problem... (Score:1)
_________
Sometimes, when I'm feelin' bored, I like to take a necrotic equine and assault it physically.
Re:Cracker (Score:1)
jsm
Re:Cracker (Score:1)
Big brother? (Score:1)
Did you mean 'hacker' or 'cracker'?
Do you know the diffrence? I don't think you do.
Big Brother... (Score:1)
-- .sig files go when they die?
Child: Mommy, where do
Mother: HELL! Straight to hell!
I've never been the same since.
Re:Big Brother... (Score:1)
Actually... :-)
If you don't count the title:
'Is Watching.' = 11 characters
'bananarama.' = 11 characters
If you count the space in 'Is Watching,' it comes out to be 11. So this is at best more and at worst the same length as my spam block. Thanks for playing.
Deitheres
-- .sig files go when they die?
Child: Mommy, where do
Mother: HELL! Straight to hell!
I've never been the same since.
Re:Big Brother... (Score:1)
"Learn to become Invisible. /.? Hehehehe.
How? By posting anonymously on
Charlie
-- .sig files go when they die?
Child: Mommy, where do
Mother: HELL! Straight to hell!
I've never been the same since.
Re:AAAAARGHHHHHHHHH (Score:1)
(for all practical terrestial purposes, Pi is 355/113. A nice clean factor of two integers. I discovered that for myself using a SR-56 Calculator Program I wrote in the late 70's, before I could afford a computer)
IETF Wiretapping (Score:1)
Re:is this really a big deal? (Score:1)
Re:Huh? (Score:1)
*sigh* I wish anti-crypto FUD would go away. (Score:2)
--
Huh? (Score:2)
When you fill out one of those forms to enter to win a free car, the fine print tells us that they're planning on collecting and using that information for marketing. In fact, unless the fine print explicitely states otherwise, you can usually assume that the company you're giving your information to will or reserves the right to use your information for marketing reasons. Again, this is perfectly legal.
I understand and agree with that, but that has nothing to do with my post.
Please elaborate.
IETF is always open -- give them a chance (Score:2)
That's their purpose.
You can bet that the members and coordinators are pretty intelligent folk. They're not going to adopt things unless they've given it a lot of thought.
Let's PLEASE not get worked up over any of this when the IETF is just starting its discussion. These people are not stupid people. Let's try and give them the benefit of the doubt that they are working in the Internet's best interests.
Re:Jurisdiction and Warrents (Score:2)
Re:is this really a big deal? (Score:2)
Always read the fine print.
It would be illegal for a company to collect this type of information via any sort of Internet wiretap "backdoors". I imagine it'd be illegal to even attempt to use these backdoors at all, in fact (and detectable, to an extent). Before you pipe up and tell me that there are companies that break the law every day, I'd like you to name one that regularly performs the equivalent of wiretaps on normal people with the intent to hurt them or make a profit from the information they gleam.
Things like this only happen in conspiracy theories and the occasionally B-rated movie.
Re:Why is wiretapping a bad thing? (Score:2)
If you believe you cannot in good faith trust the government that governs you, that your government is consistently acting against your wishes and the wishes of your community, out of malice or otherwise, it's high time you overthrew that government.
More likely, your mistrust might be easily corrected. There are several reasons a person might not trust his government. A) The government might be making decisions based on information the citizen does not understand or have at his disposal; B) The government might not be making decisions with as much information as they need, causing it to make poor decisions; C) A small number of people may have gotten a lot of bad publicity and have been ousted in the past for abusing their positions in government; D) The government might be hell-bent on ruining the lives of the citizens it's elected to govern.
I'm tempted to say A and B are the dominant factors here. (Perhaps a bit of C as well, but that can't be helped.)
I'll leave it as an exercise to the reader on how they might take a more active role in their government to resolve these deficiencies.
Re:The main problem... (Score:2)
(a) The two algorithms I suggested - Skipjack and Rijndael - are considered about the strongest algorithms out there by the crypto specialists, from what few papers I have read. Those, and Serpent (another VERY nice algorithm) won't be breakable in any practical way for the next 50 years, minimum.
Skipjack is former DoD, I believe, and recently declassified. Rijndael and Serpent are competing as replacements for DES, and are through to round 2 of evaluation. So far, they are the hot favourites, for being both strong and fast to apply.
(b) If the crypto experts know what to crack, they have advantages over not knowing what they're cracking. Those advantages are that any potential weaknesses in the algorithm are known in advance, and knowing how to apply the generated key to the encrypted message. Remember, these are AUTOMATED systems, not manual ones. That means that either ALL known algorithms are applied, OR the message is parsed and the most probable algorithm is used. Either way, if you trick the system into applying the wrong algorithm, it won't detect that unless a human agent intervenes. BUT, if you're clever and ensure that the message decodes into something seemingly valid, when an incorrect algorithm of your choice is applied, the system won't alert a human agent that something is wrong. It'll think the message is cracked, and move onto the next one.
Re:The main problem... (Score:2)
Skipjack has, likewise, been analysed, since the DoD declassified it. I believe it's considered as strong as Serpent, though it's unpopular because of it's origins.
Re:The main problem... (Score:2)
Re:The main problem... (Score:2)
(This would only be usable IF the compression reduced the transmission time by AT LEAST as much as you were adding spacing to make it inaudible.)
Re:Isn't it nice to know... (Score:2)
refer them to another RFC (Score:2)
For the curious who don't want to follow the line, that's RFC 2401.
as to what it talks about, you'll just have to have a look, 'cause I'm not telling :)
Re:The main problem... (Score:2)
I've not seen any credible claims that any of the NIST candidates are believed to be more secure than triple-DES.
Re:is this really a big deal? (Score:2)
If everyone would bother playing with simple, widely available tools like traceroute, everyone would discover that in reality, traffic between two given hosts tends to traverse the exact same route for long periods of time (typically at least hours or days).
Government "rights" (Score:2)
This may seem like nitpicking, but it's actually a very important distinction, because forgetting it leads people down the path where they believe that the government is in the position to grant certain rights to the people, and nothing could be further from the truth.
The people have rights, and the most that the government is supposed to have power to do is to place certain minimal limits on those rights.
One of the major reasons the Bill of Rights was controversial was not because anyone thought that the ideas therein were bad, but because they were afraid that if they enumerated certain rights of the people, that the people (and government) would start to believe that the people had only those rights, and that they were somehow granted by the government. In order to placate those concerns, the Tenth Amendment was added, but unfortunately despite that people (and government) have in fact fallen into exactly that trap.
Here's a brief article [brouhaha.com] I recently wrote about this subject.
Re:The main problem... (Score:2)
One of the first things I learned when I set out to learn about crypto was that you should always assume the enemy knows the algorithm you're using. It basically boils down to a strong algorithm will remain strong, even when the attacker has knowledge of what's being used, while a weak one won't matter anyway.
There are programs that will help to mask PGP messages by stripping off the standard headers on the encrypted messages (which generally means you need to know who sent the message, and to which key). This helps to slow down attackers, but it's not going to keep a determined attacker from figuring out what you're using.
The point where stripping off headers will really help is if you're trying to hide the encrypted stream in another data stream (steganography). But I'm not sure how practical it would be to use stego for a real-time phone conversation between 2 or more people.
Here we go again... (Score:2)
on wiretapping?
A technical protocol? Then sorry. Russia saw this with proposal SORM-1. A very good document in their technical aspects but completely outdated. The proposed technology was nearly 5-year old and no one was agreeing to follow it. And the discussion that followed made the FSB to drop any ideas to make it reality. They didn't publish why
but we can infer from proposal SORM-2:
Technologies change. To force a specific wiretapping protocol may "kill" the technological advance.
You have a technical wiretapping protocol that everyone knows about. So will just the government use it? And how to secure it? And if someone really breaks in? Can we manage to measure the damage?
Can we wiretap telephones? Yes. Can we wiretap IP? Sure. Can we wiretap WWW? Of course. Can you wiretap everything? ARE YOU MAD???
Today wiretapping 100 seems easy. Tomorrow we may face the fact that every home has its TV set and its Internet connection. And whatever concern we may face in relation to security we can't follow everybody. Even 1 person is enough for weeks of work. Specially if he is some kind of geek or hacker.
Well these were some of the arguments I saw in discussions. I deliberately avoided to state here any moral and imoral parts of the discussion. However I can say that a broad part of the people agreed to allow FSB to follow criminals on the Net.
The result was SORM-2. I can't say it was perfect. Maybe far from it. But it possessed a principal difference. It didn't carry anymore things about technical protocols and obligations. It was mostly a "List of principles" regulating the behaviour of FSB and ISPs in situations where wiretapping was required. One important point was that FSB was required to get a court order to proceed any wiretapping on Internet. Besides any technical aspect should be regulated in common by the ISP and FSB in mostly a case-to-case basis.
Sincerly I think that soon or later the lawmakers will realize that they should go this way. But then, I think it's not IETF problem to consider about wiretapping.
Apart from this. A teological aspect. Somehow, States are trying to know everything. However every theology teaches us that only God knows everything. So it seems that, anyway, these attempts are doomed. Or will they try to wiretap God?
is this really a big deal? (Score:2)
I never understood the concerns over "Internet wiretapping". Every packet you send over the Internet goes through an unpredictable path to its destination. And everyone knows this. That's why everything that's critical should be encrypted.
So why is government "wiretapping" (call it what it is: packet sniffing) such a big deal? Twelve year old script kiddies already do this all the time.
The main problem... (Score:2)
So what should be done? I don't have the breadth of knowledge to give an authoritative or complete reply, but my inclination would be to maximise security (and hence privacy) and leave the wiretapping considerations to individual governments and ISPs.
Here's why...
If I were planning an illegal activity over the internet, you can be damn sure I'd use 1024 bit pgp encryption. It wouldn't matter a damn what wiretapping facilities were in place if all they could read was encrypted crap. They'd only be able to read the mail of the innocent and the naive.
If the government can get in, so can other people. Back doors are by their very nature insecure.
Re:AAAAARGHHHHHHHHH (Score:2)
And companies won't leave the internet alone because most of the internet is theirs! There may be a few charitable nodes out there, but 95% of the internet is owned by a commercial entity or funded through government taxes. Saying you want companies to leave the internet alone is like saying you want commercial publishers to leave the newspapers alone.
Moderation is not policy (Score:2)
No. It is an example of someone having an opinion that you do not agree with. There is a difference.
Moderation does not exist to ensure that only people who agree with you get read. It exists to promote interesting and insightful posts while filtering flamebait, offtopic, and other pointless posts.
In short: Freedom of speech. Not correctness of speech.
Build in technical safeguards (Score:2)
For example, imagine a router which would only tee traffic to another port if presented with a electronic signed by a judge and specifically naming the port(s) to be watched. Obviously this would imply a proper PKI for the judiciary, but hey, if they want our co-operation they'd better put their own house in order first.
Paul.
Why is wiretapping a bad thing? (Score:2)
1. It makes discrimination very easy. This would be an issue in case of war for instance (think about what happened to the Jews).
2. We just don't trust the authorities, do we!?
It seems like people are afraid the FBI, CIA, Police, NSA and others will use the wiretapping against honest people; and not just to get the bad people.
I think we are quite some way from BigBrother, but I hope people realize that the current government also is far from trustworthy.
Both problems are not easily solved. --include standard quote here about this being beyond the scope of this simple email-- What we might think about right now is the needless overhead this is going to present to routers, firewalls etc. :)
I don't think the government is going to compensate with financial support for increasing bandwidth
Looking on the bright side: Hackers can have a load of fun exploiting it during the first few years, and sensitive data can still be encrypted. ;)
There is a name for this... (Score:2)
Either you trust the crypto or you don't. If you don't: don't use it. If you do, then use it, and while you at it send your worst enemy the source code to the program, a book about the crypto as a taunt, and some recommendations on good hardware. And then have fun when he realizes you chose "won't" rather "chances are".
(this is an example of very bad moderating btw...)
-
Re:IETF recommendations (Score:2)
I am well aware of the EITFs role, and that they have no actual authorative power. That is my point, don't dare to compromise on this issues: if we can't get standards that are not designed from the ground up for the purpose of infringing on our basic rights, then let the EITF make whatever standards they want and screw using them.
If it reaches the point that there is no other option but to develop some sort of "standards" for this crap, then those standards should be disregarded.
-
Re:US dominance and lack of privacy (Score:2)
No, you have got this backwards. The fear is not that that America will water down other countries regulations, but the opposite. America has some of the strictest laws in democratic when it comes to mandatory government holes in Telecom equipment.
You have been brainwashed for too long...
-
Re:IETF recommendations (Score:2)
f the IETF decides that it will implement some way of "digital wiretapping" with whatever existing/new standards, I highly urge every to tell the IETF to FUCK OFF.
If the IETF is such a spineless, worthless, puppet of an organization that it gives into these demands by the American government (and don't fool yourself, we all know who is really making these demands), then I think the Internet is a hell of a lot better off without it: standards or no.
Screw "OPTIONAL", these are human rights issues, not things to compromise on. Shame on the IETF for opening up for it, shame on you for suggesting it, and shame on Slashdot for putting this at the top of this discussion. For once I am not proud to be a
-
the role of the IETF (Score:2)
Set standards for the best technical reasons. Explain to governments why they shouldn't block adoption of those standards. Wave "bye-bye" in your rear-view mirror to those nations who choose to block them, as the rest of the world speeds off into the future.
Idiots! All encryption is breakable! (Score:2)
All encryption is breakable, it MUST be in cleartext before its being sent and it MUST be in cleartext when its read. Encryption won't help if they have a bug in the keyboard, they have compromised the machine, or if they have a bug on the display device.
Of course, thats inconvienent, perhaps a little dangerous. Its not easy to put dozens of bugs all over the place like that, to monitor many people. It requires effort, money, work..
So here's the interesting question. *Why* do they want it to be so easy, so cheap, so convienent to monitor tens, thousands, or millions of encrypted communications all at the same time? Why is the old-fashioned bug so bad? Why do they want the extreme convienence of monitoring the nation? Why do they want to build an infrastructure that makes it possible to monitor the entire nation's communication network?
Please, enlighten me..
Re:AAAAARGHHHHHHHHH (Score:2)
Re:IETF recommendations (Score:2)
However, let me clearly state that I am in no way in favor of this kind of violation of privacies. I'm saying that if things come to the point that there is no other option but to develop some sort of "standards" for this crap, there should be at least an attempt to prevent them from being REQUIRED.
I guess I've just learned better than to expect that the world is all going to be sunshine and light. Governments don't care about their citizens anymore, and corporations don't care about their customers. Power and money are what talk. It's unlikely that a group of essentially volunteers are going to make significant headway against world governments and multinational corporations in basic human rights issues.
If you expect the rest of the world to play fair, may I politely inform you that you have some growing up to do. "Death before dishonor!" sounds nice on a tombstone, but in reality, discretion is often the better part of valor. If you can't stand up to them directly, maybe the next best step is to do what you can and live to fight another day.
-=-=-=-=-
Re:Cracker (Score:2)
jsm
Jurisdiction and Warrents (Score:2)
Nice to see the IETF is being open about this .. (Score:3)
The mailing list is public. You can subscribe here [ietf.org] and read the archives here [ietf.org]. This, IMHO, is good. The existing posts on the list are, for the most part, high quality, constructive and thoughtful. One would hope that this being posted to Slashdot doesn't change that.
... (Score:3)
The second reason it's uneconomical is because it's alot easier to place a hardware bug into current systems (plug in a system board, replace the network card with a lookalike and a transmitter, tempest, etc) than to tap the upstream site(s) they will be using.
The third and final reason it's uneconomical is because this all assumes the would-be criminal isn't using encryption - and if he's savvy he likely is. So what's the point? They wouldn't be able to spy on the criminals anyway - just the average american who thinks IE and outlook express are the greatest programs ever.
Soooo... my take on it? The feds want to monitor domestic communications, because anything else is impractical - too expensive even for the Big Three.
--
Re:The main problem... (Score:3)
I have to disagree with this statement. If you pay any attention to the crypto world, especially lately with the US gov't trying to find a new standard for encryption to replace DES and all its associated conversations, you should understand that the reason encryption algorithms become "popular" and "standard" is because they are subjected to brutal levels of scrutiny and analysis to determine their ability to withstand the various attacks to which you can subject crypto algorithms. The ones that stand up the best to this sort of hammering are the ones that tend to become widely used simply because they can stand up to the worst sorts of attacks the smartest people in crypto can come up with.
Saying "using a non-standard algorithm is more secure than a standard one" is just as bad as saying "security through obscurity works." It might, but then again it might not. The whole point is that you just don't know, while with the routines that have been publically anaylzed, you do know, at least to a reasonable measure.
And as far as what sort of computing power the Governments might have (The U.S. and Japan in particular since they seem to produce the largest number of the most powerful supercomputers), there's a lot of "scare" noise being thrown about that I personally don't put much faith in. Most of the crypto algorithms are such that it would take a dramatic mathematical breakthrough to really crack them rather than just more horsepower. If it's the difference between not cracking a code before the heat death of the universe and getting into it just after the sun collapses into a brown dwarf, i'm not going to worry.
-=-=-=-=-
Re:The main problem... (Score:4)
I wouldn't be so quick to use PGP, or GPG, in such a circumstance. PGP headers, sure, but it makes no sense to give the cracking team clues as to how the message might be broken.
If you want real security, use a non-standard algorithm (Skipjack or Rijndael are good for this) to encrypt the message. Put a fake key and PGP headers round it, and finally run it through a steganography package.
If the message is found, the chances are that they'd attack the key. If they broke the code and got the key, they're no better off, as it won't work. (If you're =really= clever, reverse engineer a key that =appears= to work, generating a valid, but meaningless, message when applied.) Alternatively, they might try to attack the message itself. No good, as you're not using any of the algorithms the package you claim to be using has.
It (almost) doesn't matter how good the actual algorithm is, if you can convince potential attackers that you're using something else entirely. You only need to be concerned if they discover the deception and fathom out (somehow) what system you really have used. Even then, you aren't entirely vulnerable. A strong algorithm is going to take a long time to break, and there are plenty of twists you can add. (eg: Store the message backwards, or swap adjacent letters, to try and fool algorithms for detecting possible keys into recording a false negative.)
The problem is that Governments don't NEED to care about encryption. They've ultra-powerful computers capable of feats that would blow the socks off Seymore Cray if he were still alive. (Mind you, if ghosts need socks, they still might!) So long as the Governments can get the raw packets, they're home and dry. Almost. They use computers to break codes. Computers are fast, but notoriously stupid. An ingenious cryptographer should be able to deceive even the fastest, most powerful code-breaking computers in the world to report false positives. Do that, and trick the operators into using the wrong decryption algorithms, you have some limited influence over what those operators see.
If governments want to tap (Score:4)
Not to mention that people who really want to have private conversations still will be able to, by piggybacking on top of (or tunneling with) "truly" secure protocols. There are internet phone apps that use PGP, will probably ones that use GPG, there are secure ytalk's floating around, etc.
The hell with government observation. It's their problem if they can't read my mail, or tap my phone, not mine, nor my ISP's.
The IETF, bowing down to opening up holes in secure protocols, will IMHO, completely invalidate any stance they have about any commitment to security. After all, would you buy a safe which is secure, "except for this spot right here, which will only be cut through by Authorized Personnel [or anyone else who tries]"?
Compromising security for the sole purpose of being friendly to government is ridiculous. Do you think they'd reciprocate on their own security so that we can tap into their communications? Of course not. But then, who ever said life was fair?
Even compromising security so that something will be accepted for use in multiple countries doesn't work. What self-respecting nation would want to use something that has backdoors the US (or any other) government can use to eavesdrop on its citizenry? Even when told, "We won't do it unless we have to. We mean it this time. You can trust us. Would we lie? Again?" I seriously doubt anyone with even a modicum of concern would believe that, or use a backdoored protocol.
Just look at the Clipper chip, the export version of Lotus Notes, etc. How many do you see in widespread deployment?
My personal feelings are echoed by the statement (Jefferson?) that people who choose to give up some freedom for security deserve neither. And yes, I would rather see a criminal get away with a crime to avoid sacrificing any innocent's privacy, since only dumb criminals would use dumb protocols to begin with.
Re:IETF recommendations (seek ompages) (Score:4)
We are non-profit, grass-roots, and in the crucial early stages of development.
Our goal is to develop a publically available VPN based on IPv6 and IPSec. We hope to be a public domain for serving 21st Cent. things likes VoIP, application servers, anonymizing proxies. We also seek to make cheap computers and free (speech) software available to low income families and individuals.
I invite you to see www.ompages.com. If privacy is an issue for you and you want to do more than 'write your local congressman', for example, by donating skills, equipment and resources to the public works project to build a secure network then join us. There is no leader, you can start your own project on ompages that furthers our goals of private networks and global technology proliferation. There will be no public network where individual privacy rights are the prime goal unless intelligent and experienced sys admins, programmers and web-masters get on the ball and make it happen. Talk is cheap; we can do this.
We must speak with one international voice against privacy intrusions to the IETF. If the IETF won't give us the privacy protections that are our birth rights, then we must implement our own. In fact, AOL users should not be subjected to the hoodwinking they are receiving. It is our duty as technically educated net citizens to give them the services they have now in a much more secure environment. Our priority is not the bottom-line; it's the line that must be maintained between individuality and government sponsored controls. This is no small task, but then again, neither is freedom. The U.S. claims to be governed by the people; ompages.com is.
Adding wiretapping to the protocols? (Score:4)
My though is that putting wiretap capabilities into the lowest levels of the protocols is useless. So you can tap the IPv6 packet layer. So what? I'll just use SSL above that, or PGP-encrypt my mail, and your tap is useless.
There's also this: countries feel they need the Internet. Perhaps it's time to use the leverage this gives. Make no allowances in the protocols for wiretapping and the like, and give various countries a choice: allow people their privacy, or you will not be able to interoperate with the Internet. As noted above there are too many ways the people the governments could legitimately tap can bypass any hooks in the protocols, and why should the Internet protocols be designed to even potentially compromise the privacy of those who aren't legitimate targets?
IETF recommendations (Score:5)
That way, if a company wants to implement and sell a product that meets the standard in a way that fascistic governments who don't believe in personal freedoms will let them build and sell them, they can do so by implementing the "OPTIONAL" Backdoor parts of the spec.
Those groups who prefer security over letting Uncle Sam (or whichever hacker group out there is simply smart enough to read the specs and implement their own snooping software that follows the "RFC-'1984' - Government Backdoors into Network Protocols" spec) from eavesdropping, like the OpenBSD guys, can simply ignore the "OPTIONAL" part of the spec that outlines the backdoor without breaking the entire thing.
Sorry for the emotionally-loaded phrasing, but this kind of crap really gets me steamed. I'm amazed on a daily basis at how willing our governments are (especially here in the US) to simply trample our civil/constitutional rights for the Holy purpose of "National Security" whatever that means.
-=-=-=-=-