
IETF and wiretapping standards

Anonymous Coward writes "I just noticed that the IETF has sent out a request for discussion dealing with the implementation of wiretapping in Internet Protocols. The motivation is based on laws some Governments have about telecommunication systems." The message and subscription information to their discussion email list, punningly titled "Raven", are available on the web. Oh, and "some Governments" includes the U.S. and most other countries, so I hope the IETF will get some good feedback.
  • by Anonymous Coward
    Wired has just posted a story on the IETF wiretapping proposal, with comments from the chairman of IETF.

    http://www.wired.com/news/politics/0,1283,31853,00.html [wired.com]

  • by Anonymous Coward
    The 1899 pi attempt was rooted in mathematical sophistication, not ignorance. The legislature had just passed an inventory tax on grain, which was predominantly stored in round silos. The farm lobby hated the tax and was trying to slip a 5% (.14/3.14) reduction in the tax past the urban lobby with a rounding ploy. There happened to be a reporter from New York present who apparently didn't understand the politics involved, and stories about "those dumb yokels out in the boonies" play well among the urban hick crowd, so that story got written into the folklore. The local papers got it right with headlines about how the reduction in the grain tax was defeated.
  • by Anonymous Coward
    Now the true problem arises ... technically, you don't have a *right* to privacy, do you? Where in the Constitution do we have a right to say something to another person and nobody else can listen? If such an amendment existed, then this WOULD be an issue.....

    4th Amendment

    The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated; and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched and the persons or things to be seized.

    This does not use the word privacy, but it damn sure sounds like it to me. This applies to the feds.

    9th Amendment

    The enumeration in the Constitution of certain rights shall not be construed to deny or disparage others retained by the people.

    Just because there is no word "privacy" in the Constitution does not mean that there is no right.

    14th Amendment

    Sect. 1. All persons born or naturalized in the United States, and subject to the jurisdiction thereof, are citizens of the United States and of the State wherein they reside. No State shall make or enforce any law which shall abridge the privileges or immunities of citizens of the United States; nor shall any State deprive any person of life, liberty, or property, without due process of law, nor deny any person within its jurisdiction the equal protection of the laws.

    This applies the full protections of the Constitution to the actions of state governments. Local governments also appear to be affected, but I haven't looked up any of the historical context to determine if that is by design or by judicial extension.

    IANAL, thank God
  • >"should the IETF develop new protocols or modify existing protocols
    > to support mechanisms whose primary purpose is to support wiretapping
    > or other law enforcement activities"

    translates to:
    "should the IETF develop new protocols or modify existing protocols
    to support mechanisms whose primary purpose is to support wiretapping
    or other industrial espionage activities"

    And the Statement to the following is of course:

    >"what should the IETF's position be on informational documents that
    > explain how to perform message or data-stream interception without
    > protocol modifications".

    "Please teach me how to hack".

  • Not that I'm arguing with you, but:

    Most (all?) of this influence occurs at the legislative level, which is in fact one of the most open aspects of our government, open to all sorts of public scrutiny. Is this where your mistrust lies, or are you alluding to some other area of evil corporate influence?
  • And mind you no sysadmin is going to let the feds anywhere near his hardware without making a big fuss over it - likely the whole 'net will know exactly which ISPs, routes, backbones, and servers are 'bugged'.

    I think you would be surprised if you knew how inaccurate your assumption here is.
  • That would be true if: (a) I were suggesting using amateur algorithms, and (b) the crackers could determine the algorithm used.

    The two algorithms I suggested - Skipjack and Rijndael - are considered about the strongest algorithms out there by the crypto specialists, from what few papers I have read. Those, and Serpent (another VERY nice algorithm) won't be breakable in any practical way for the next 50 years, minimum.

    Skipjack is former DoD, I believe, and recently declassified. Rijndael and Serpent are competing as replacements for DES, and are through to round 2 of evaluation. So far, they are the hot favourites, for being both strong and fast to apply.

  • I don't understand it. Wires should be plucked, not tapped. Ask any guitarist. Mind you, piano players would probably say otherwise.
  • now we have good opportunity to make more freedom in the future because the "only" thing we have to do is at least defend existing freedom of Internet against "wiretapping & co.".

    as Internet gains more importance in the future, Internet freedom gains more importance too.

  • No. Anyone who tells you there is a reliable way to determine that is trying to placate you.

    Just think about it. If there was a reliable way to determine this, then the investigation would be ineffectual.

  • If we wanted to divorce ourselves from having to use stego w/i audio data, we could probably set up a nice (though likely high-bandwidth) stream using something along the lines of chaffing and winnowing (see this article [slashdot.org] and this article [slashdot.org]) to hide the audio stream.

    Of course, we'd need to have a stream going in each direction. So maybe each person could throw in their mp3 collections or something... That way, you're sending legit data (albeit they could probably slam you for some sort of copyright violations), as well as what you really want to communicate.

    I definitely agree that stego is much more useful for static information, which is why I didn't put any effort into coming up with a way to stego a 'net-phone conversation.

    Hmmm...I wonder which of my friends would like to try this & annoy @Home. :-)
  • I'm no expert either, but one thing I've consistently seen pointed out in what I've read is: a weak algorithm is weak period. a strong algorithm is strong period - so long as the hard-to-reverse part hasn't been bypassed.

    It's better to crypt with GPG and a huge key out in the plain open, than to use some amateur algorithm inside steganography and faked headers. Because if their computers can crack GPG in a year say, they could break "jimbob's cypherhack" on spare cycles overnight.
  • http://cnn.com/TECH/computing/9910/12/internet.privacy.ap/index.html

    Somehow this could already be considered a wiretapping implementation
  • It's been said over and over. Security through obscurity does not work. Also, Skipjack was designed by the gubment.. if that's who you are hiding from, I would use something they didn't have their fingers in :)
  • Skipjack is approved by the NSA for classified data up to the SECRET level. That means that it isn't a total piece of crap. It has some nice features that lend itself to running on simple CPUs with minimal memory.
  • The feds have gotten away with mandating "wiretap friendly" voice networks because of the pressure they can apply to a centralized entity such as a phone or wireless company. This is why none of the digital wireless systems support strong encryption.

    This tactic doesn't work when the network transports bits (IP with QoS) and the end users are responsible for encoding/decoding the audio. The end users can use any encoding or encryption scheme they desire without getting permission from the carrier or the government. The carrier doesn't have access to the raw audio, just a constant bit rate data stream.

  • There's no sane reason to burden the protocol with 'wiretapping' capabilities. If the gov't wants to 'wiretap' my IP connections they should be required to go to my ISP and physically listen in on the line - with a warrant, of course.

    Specific problems with the whole thing:

    1. Supporting wiretapping 'protocols' adds the same security holes as any other back-door behaviour. If done right it's only 'a tiny bit' more insecure, but still.

    2. If we have a 'Voice Over I/P Protocol w/wiretap' there's nothing to stop someone from writing a voice-over-IP program that sends a pre-recorded conversation to listening 'wiretaps' and another conversation to the other client.
    (Presume, for example, that the 'wiretap' facility is a 'voice-over-ip' signature identifying the communicating parties... I design a 'spoof-voice-over-IP' that appends the real data to a valid voice-over-ip packet, or sends an untagged packet at the same time as tagged packet, or uses a sneaky algorithm to 'nest' voice2 data inside of the primary voice data, or... )

    3. If people don't want it, they'll use something else. Speak-freely does voice over IP, and doesn't have any 'wiretapping' capability...

    4. A certain segment of the population (ie, the crowd here at /.) is probably going to refuse to use anything with backdoors, and indeed, eventually write an encrypted-voice-over-ip without backdoors if the 'standard' voice-over-ip has backdoors...
  • Setting aside the ethical questions for a moment...

    What could the IETF (or a protocol defined by the IETF) do to make Internet communications easier to tap? In particular, what could they do when the communicating parties both know the protocol in use and are trying to spoof it?

    Furthermore: in many countries, the law permits police wiretapping, but also places restrictions on its use. It doesn't seem fair for a protocol to make the wiretapping easier without also making it easier to enforce the restrictions. But then you'd need a protocol that could handle the various authorization, auditing, and verification requirements of hundreds of different political jurisdictions. Is this really practical?

  • Yes, I suppose you are right, that the companies do own the internet. Still, I'm pissed off about how they are treating it and us. And the Pi thing was just a comparison thing, get over it. I didn't mean that they were CURRENTLY doing that, nor did I mean 3.24. I MEANT 3.14. Again, get over it.
  • Something about "lubricating the intrusion of the government into the body politic"...

    Mark Twain, maybe?
  • This has nothing to do with the protocol, but wiretapping in general. Seriously, this article is a non-issue. We don't have privacy, it has been (and will continue to be) stripped from us. The trick is, it's legal to circumvent laws and obtain privacy (at a non-monetary cost). What we should be doing, instead of trying to forge privacy against the advancing "Feds", is yelling our lungs out to get that privacy back.

    The US government should have no right to wiretap. If the premise that they should have the right is valid, then they have the right to EVERY word you speak. You can't say anything without the government being able to hear it. Privacy is nonexistent. The statement "There is no such thing as privacy anymore" is true. (Who was that, Scott McNealy?)

    Modifications to my position for wiretapping pundits:
    "What about the kidnapper/child/whatever scenario"
    Life sucks. Really, though, the whole concept of wiretapping in this situation should be rethought into a new paradigm. (I don't have time to type that up here ;)

    "Interstate communication, therefore under the jurisdiction of the Feds":
    Limit the right to only interstate calls and data transfer (based on target/destination, not path?). That's still unconditional wiretapping, you say? Similar to the "feds" having the right to monitor anything you say across state lines. Now the true problem arises ... technically, you don't have a *right* to privacy, do you? Where in the Constitution do we have a right to say something to another person and nobody else can listen? If such an amendment existed, then this WOULD be an issue.....
    anyone up for drafting the next amendment to the constitution?

  • 3. as a citizen one must be concerned about not simply the "government of the day" but ones 20-30-40 years in the future. Giving today's relatively benign government these powers is not such a big deal. 25 years or so down the road, when a nasty government inherits these powers-- *then* we will suffer the consequences... Far fetched? I'd bet that Pakistan's military is busy rounding up those they deem undesirable right now.


    cheers,
    Bobzibub.


  • by splog ( 21459 )
    What I don't understand is why any Government would want to do this.

    It doesn't make sense if some particular person or group of people is targeted - it would always be much simpler just to tap their *connection* to the internet, which is probably already covered by the telephony legislation.

    The only other alternative I can see is automated 'eavesdropping' looking for keywords etc .. To do this the tapping must be widespread enough to get a fair proportion of the packets from any one message. This would be prohibitively complicated/expensive.
  • Well said!

    Perhaps some of the posters here who have reasoned comments to contribute to this discussion might consider joining the IETF.

    Turn up to a meeting (4 per year), or subscribe to one of the mailing lists and start posting useful comments to the ongoing discussion. That's it, you are a member just by participation.

    Unfortunately for the conspiracy theorists, there are no initiation ceremonies, and no cabalistic membership application procedure. Sorry guys, you will just need to go back to tracking down the Illuminati!

    Some people would say that you have to join a magic "inner circle" of the IETF before your voice counts. I'm going to let the Slashdot readers in on a huge secret here - if your contributions generally are on topic and contain way more signal than noise, the "inner circle" will be glad to have you!

    Having attended an IETF meeting, I can vouch for the attendees in general being highly intelligent, professional engineers, with good ethical and moral standards. If they don't agree with a proposed standard, you will not have to wait for the reasoned arguments against the standard to come flooding in.

    Personally, I applaud the IESG for encouraging early debate on wiretap issues. To ignore these issues would run the risk of being caught out by new legislation, followed by hasty implementation of a poorly planned set of technologies designed to appease the governments such that the Internet is allowed to continue to operate in a useful fashion.

    IESG / IETF did not pull these issues out of thin air - these are real issues and can/must not be ignored. I wonder how many of the people posting negative comments about the IETF have actually bothered to look at the web site: http://www.ietf.org/ [ietf.org]

  • Skipjack is not a good choice for several reasons:

    1. Skipjack only has an 80 bit key. Even 3DES, at 112 bits, is better than that. Last year, Deep Crack [cryptography.com] broke a DES key in 56 hours, and the machine cost under $250,000. Assuming the government spent an even billion on a similar machine for Skipjack, they could brute force a key in 26 years. This is unacceptable for the truly paranoid. Rijndael, or any of the other AES candidates [nist.gov], has key sizes of 128, 192, and 256 bits. With a 256 bit key, a brute force search would require more energy than could be obtained by converting all the matter in the solar system.
    2. Skipjack has a 64 bit blocksize. As long as you're going with a non-standard algorithm, you might as well use one of the AES candidates which all have 128 bit block sizes.
    3. Skipjack doesn't seem to have been sufficiently overengineered to inspire confidence. A version of Skipjack reduced from 32 to 31 rounds can be broken slightly faster than through brute force (look here [technion.ac.il] for details). This isn't a fatal weakness by itself, but it doesn't exactly look good either.
    4. If you're worried about the government trying to read your mail, then not using an algorithm they came up with (and thus know more about than anyone else) is just plain common sense.

    --
  • by JatTDB ( 29747 )
    Just for clarification, it's POTS, not POT's...it stands for Plain Old Telephone Service.

  • There are several reasons a person might not trust his government...A..B..C..D:
    I personally think that it is:

    E) : the government(s) are being influenced by a group or several groups that are in fact continuously trying to ruin the lives of citizens.

    I am not bothered by the few people you refer to in C, because they are very government specific, so this statement is not an issue when looking at the governments in general.

    Yes, I agree that A and B are probably both true, but that they are not primarily responsible for (my) mistrust.

  • The base TCP/IP protocol can already be 'tapped' with a sniffer.

    There is no point to adding monitoring 'features' at the protocol level. The end user controls the content, just as they do with a POT's line. On a POT's line I can talk plainly, in code, use a modem, tap morse code, etc. With TCP/IP I can send plain text, encrypted text, sound, video, etc. Having a hole in the protocol will have little impact on how easy it is for law enforcement to _understand_ what is being transmitted.

  • Wrong. In practice we do water down other countries' regulations requiring privacy, except for our insistence on having back doors into cryptographic specs, which our companies can't reveal. We have the biggest mandatory govt holes in our Telecom equipment licensed for Telecom than any other Euro country. And we have no protection of individual records, whereas the EU requires all countries that trade data with them to protect EU citizen's privacy rights, as well as permit the citizen to view the data. We forced the EU to sign off on our data specs and ignore the fact that we sell off our own people's private medical and commercial data, even though they didn't want to, in that we could then publish it.

  • I think you're correct that, sadly, the US tends to win out in the privacy debates, watering down other countries' more strict regulations "for the good of the market".

    However, in many states of the US, it's illegal to record conversations over wires, as Linda Tripp now knows. Washington State, Virginia, a bunch of others. If a packet stream passes from or to one of these states, it's illegal under US law to tap the conversation, encrypted or not, if it represents the digitized information of a voice conversation, without the permission of BOTH (or ALL if more than two) parties. Exceptions exist for one-way conversations like TV or radio, in that implicit consent has been given with the radio and TV licenses.

  • that they're working on a standard to spy on us?
  • not really.

    We have to assume that the person isn't using encryption, because wiretapping an encrypted line is rather pointless.

    So we are talking about unsophisticated users (and whether or not the would-be targets are sophisticated is another story altogether, which if anyone bothered to listen to me, we'd discuss first). Unsophisticated users will typically have one connection to the internet, and not do any fancy tunneling to a crowd [att.com].

    So there is one very obvious place to place a tap -- the isp. IMHO, any nation that wants to wiretap its digital populace should just require ISPs to provide law-enforcement the ability to selectively tap users. This would be a much more localised solution than working the requirements into an RFC.
  • Winnowing and Chaffing is pretty damn smart. I must have missed the original article when it first came out. Thanks for pointing it out.

    However, it's not quite what I had in mind; it trades available peak bandwidth against easing the restriction against encryption, while I was suggesting trading average bandwidth against traffic analysis. Chaffing solves the problem of exporting crypto; I was pointing out the problem of "why are you communicating _now_?"

    Of course, you could do both -- this is probably what you meant no? -- where we send plain multiplexed text most of the time, and then every so often slip in a secret message. Sure, that'd work.

    Johan
  • well...

    I dunno. For this to work,
    a) the audio stream would have to be very natural, both in its a1) existence, a2) content, and a3) timing ("hey! why is Jimbob discussing fashion with the prez in the middle of a war?")
    b) we would have to communicate the details of the stego some how, in some non-suspicious manner. Req A makes this hard to do, and if we had such a channel, we really wouldn't need stego in the first place.

    requirement A is so hard to get right, that you might as well just go for an "open" attack against traffic analysis. Send each other random encrypted messages every day. Even when you have nothing to say. Random length, random time.

    Since messages are sent almost constantly, attackers will be unable to draw correlations between traffic and outside action. In intelligence, knowing who is communicating is almost as important as what they are saying, I'd imagine.

    The recipient will of course be able to identify the meaningless messages from the real (by virtue of the meaningless ones not decrypting), but attackers will not know which messages to attack.

    Traditional stego (hiding stuff in the low-order bits) is mostly useful for hiding the plans for nuclear devices in my collection of mountain vista JPGs.

    Johan
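
The cover-traffic idea in the comment above (send messages constantly, with the recipient discarding the ones that fail to decrypt), sketched as an added example that is not part of the original thread. All function names are hypothetical, and the SHA-256 counter-mode keystream is a standard-library stand-in for a real authenticated cipher, used only so the block runs without dependencies.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output size


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode (assumption: stand-in for a vetted cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def derive_keys(shared_secret: bytes) -> Tuple[bytes, bytes]:
    """Separate encryption and authentication keys from one shared secret."""
    enc_key = hmac.new(shared_secret, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(shared_secret, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def seal(shared_secret: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    enc_key, mac_key = derive_keys(shared_secret)
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def make_dummy(max_body: int = 200) -> bytes:
    """A meaningless message: random bytes of random length, same framing."""
    body_len = secrets.randbelow(max_body + 1)
    return secrets.token_bytes(NONCE_LEN + body_len + TAG_LEN)


def open_or_none(shared_secret: bytes, message: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the tag does not verify."""
    if len(message) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = derive_keys(shared_secret)
    nonce = message[:NONCE_LEN]
    ciphertext = message[NONCE_LEN:-TAG_LEN]
    tag = message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # dummy, tampered, or sealed under another key
    stream = keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def build_stream(shared_secret: bytes, real: List[bytes], slots: int) -> List[bytes]:
    """One message per slot: real ones at random slots (order kept), dummies elsewhere."""
    if len(real) > slots:
        raise ValueError("more real messages than sending slots")
    positions = sorted(secrets.SystemRandom().sample(range(slots), len(real)))
    stream = [make_dummy() for _ in range(slots)]
    for pos, msg in zip(positions, real):
        stream[pos] = seal(shared_secret, msg)
    return stream


def filter_real(shared_secret: bytes, stream: List[bytes]) -> List[bytes]:
    """Receiver side: keep only the messages that authenticate."""
    opened = (open_or_none(shared_secret, m) for m in stream)
    return [pt for pt in opened if pt is not None]


if __name__ == "__main__":
    secret = b"constructed shared secret"  # constructed sample value
    sent = build_stream(secret, [b"meet at noon", b"bring the report"], slots=20)
    print(len(sent), "messages on the wire,", filter_real(secret, sent), "recovered")
```

An observer sees one message per slot whether or not anything was said; real message lengths are not padded here, so a deployment would also pad them to hide length patterns.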
  • Oh, and I should add: req a1 implies that the existence of the random messages is not suspicious.

    Johan
  • [Kbyrd Said] "...how many of you have a voice scrambling system for your phone"?



    Actually, I remember hearing that PGP inventor Phil Zimmermann (it may have been someone else) wrote a phone scrambler that used your PC's sound card. Can anyone back me up on this?

    In response to the "Raven" article, I think the standard should not include hooks for tapping; if a government wants to spy on its citizens, make it an effort to do so. Internet standards are there to "get the job done" efficiently and quickly, not to advance political agenda. The internet is a global entity and as such, should not be intimidated by the local bully (which happens to be the U.S. in this case).


    ---Complaints may be directed to /dev/hell


  • Actually, as a guitarist, quite often they ARE tapped (hammerons, etc). And cellos are bowed (and there's something really sexy about the cello, so something must be said for that . . .).
  • Oops, I stand corrected.

    Poor choice of words on my part.
  • No, it's okay, you can tap guitar strings against the frets just using your fingers. It makes a different sound, usually a horrible one unless you are Michael Hedges or Stevie Ray Vaughan or Jimi Hendrix ... HEY! WAITAMINUTE! THEY'RE ALL DEAD!! Coincidence......? Dang this wiretapping stuff is more subtle than I thought... dangerous too...
    --
  • Absolute Error = (Xo - X) = (355/133 - pi) = 2.66764e-7

    Relative error = AbsErr / X = 8.4913e-8

    Percentage Error = RelErr*100 = 0.0000084913

    Damn, I wish had known about that ratio when I was still back in school/college/university.

    (And who said numerical analysis wasn't useful ;-)
  • [rde said]...If I were planning an illegal activity over the internet, you can be damn sure I'd use 1024 bit pgp encryption. It wouldn't matter a damn what wiretapping facilities were in place if all they could read was encrypted crap. They'd only be able to read the mail of the innocent and the naive.

    [kbyrd replied] I totally agree here. With traditional communication media (telephone, snail mail, speaking face to face), encryption isn't as easily available (how many of you have a voice scrambling system for your phone?). On the 'net, encryption IS easily available. If you believe that wiretapping should be allowed at all, it makes sense to be able to wire tap phones, the average phone call is difficult to encrypt cheaply. With the net, encryption is (usually) free and easily available, especially if you're talking about email. I don't see that wiretapping has as much of a benefit here.
  • The IETF has earned my respect for even considering this question in an open and public forum. It is a difficult question and one that certainly requires much thought and discussion. The world would be a much better place if every time a major issue such as this arose people would stop to consider their actions and solicit advice.

    However, a quick way to lose my respect would be to ignore the discussion that has been initiated and bow to political/social/economical pressure from either direction. Let's hope they continue what they have started here and make the right decision, not the Politically Correct or expedient one.
  • You forget traffic analysis. There is an awful lot of information that can be gained by analyzing traffic that passes around between computers.

    Things like:
    who sent it
    where is it going
    when was it sent
    when was it received
    how fast was the response delivered
    what patterns arise over the long term (i.e. how often is data exchanged, is it periodic...)
    how do the involved parties act before and after these exchanges
    etc. etc. etc.

    There is also a lot that is not encrypted, such as email headers and so forth that could be read and analyzed for any possibly useful info.

    You are also assuming that techniques such as quantum computing which could be used to crack conventional codes are indefinitely far away in the future. However if you combine something like IPv6 (with the built in MAC codes) and the (likely) eventuality of quantum computing then you have neither encryption nor anonymity.

    Quantum crypto is often held up as the answer to quantum computers, however the way in which quantum crypto works pretty much rules out the internet (unless all you want to do is real time communications over satellites only (assuming that free-air quantum crypto becomes a reality and is available to anyone), and that isn't really an internet situation). That means that there will be no such thing as effective crypto for things such as email and so forth. (NOTE: Before I get flamed to death, I should note that there are systems that you could create that would leverage quantum crypto together with the internet, but they would require a separate, non internet connection between parties (in most cases) to establish secure transfer of OTPs and so forth).

    You should plan for the maximum possible privacy and try for both unbreakable encryption and anonymity. Better yet, communicate without making it obvious that you are doing so. Use a combination of encrypted data and proprietary steganography. It is hard to eavesdrop if you don't know that people are having a conversation.

  • I have always maintained that if a person were to do something even in a society that watches constantly they would miss a great deal. For example if I wanted to say steal from some store you would take out the security system wear all black clothes (similar to swat), wear gloves, use a glass cutter, voice scrambler etc. Get in and get out. If someone tries to stop you get an automatic weapon with a silencer.

    PS. Is there a device that will allow for scrambling of voice. I had a prank pulled on me by some rather unscrupulous persons who used such a technique.
  • I would like to get my hands on one of those things (referring to the phone device).
  • encrypted IP over IP
  • I agree with you. This could be a very good bargaining tool. I somehow doubt the government will see it this way though. And as previously suggested what if we just used encrypted ip over ip? wouldn't that defeat the purpose of the tap? If they grab some encrypted packets isn't that all they get, some encrypted packets? I seriously doubt that anyone who is going to commit a crime that has any sense about them would communicate out in the open without any encryption or anything.
  • And I can get my hands on Skipjack how?

    _________
    Sometimes, when I'm feelin' bored, I like to take a necrotic equine and assault it physically.
  • I am a coward and I am offended that you use the word "Coward" to describe people who merely can't be bothered to get an account. But I'm not, like trying to make a big deal out of it, or anything.

    jsm
  • I am offended that you use the term cracker to refer to a person who illegally breaks into computer systems. Everyone knows that the term cracker refers to white southerners.
  • America seems to be heading that way. "you have the freedom of speech in all forms (speech, press) but you can't export crypto." Assault weapons and knives longer than 5.5" are illegal. There go the first and second amendments. Now we have those 50" screens. all we need is big brother to complete the picture. Wait, Big Brother, Uncle Sam. Now all they need to do is start vaporizing 'unorthodox' people. Then we will have 1984. My guess? George Orwell undershot the date by ~40 years. Everyone fear 2024!

    Did you mean 'hacker' or 'cracker'?
    Do you know the difference? I don't think you do.

  • Is Watching.

    --
    Child: Mommy, where do .sig files go when they die?
    Mother: HELL! Straight to hell!
    I've never been the same since.

  • Actually...
    If you don't count the title:
    'Is Watching.' = 11 characters
    'bananarama.' = 11 characters
    If you count the space in 'Is Watching,' it comes out to be 11. So this is at best more and at worst the same length as my spam block. Thanks for playing. :-)

    Deitheres


    --
    Child: Mommy, where do .sig files go when they die?
    Mother: HELL! Straight to hell!
    I've never been the same since.

  • "Learn to become Invisible.
    How? By posting anonymously on /.? Hehehehe.

    Charlie


    --
    Child: Mommy, where do .sig files go when they die?
    Mother: HELL! Straight to hell!
    I've never been the same since.

  • The people in Indiana who wanted to change Pi to 3 are the people with the same level of ignorance as someone who would refer to the government as a company, i.e. "the government and all the other companies." 3.24?? Where did you hear Pi approximated as that?!?

    (for all practical terrestrial purposes, Pi is 355/113. A nice clean factor of two integers. I discovered that for myself using a SR-56 Calculator Program I wrote in the late 70's, before I could afford a computer)

  • How about a trade? They can tap our lines and know everything about us as soon as the gov't lets us tap their lines and know everything about them. E-V-E-R-Y-T-H-I-N-G! Tit for tat...
  • Where do you think mailing lists come from? Mass marketing companies. I've compiled thousands of lists from current customers, based on various criteria specified by whoever paid the bills. Just because it's not on our phones yet, doesn't mean they're not going to do it. How the hell do you think telemarketers know what kind of promotions to offer you? DUH! Companies will not admit they are collecting information by any means necessary because they know it will bring a public outcry about violation of privacy. So don't go strutting around with your little holier-than-thou attitude in this house, pal.
  • I truly hope you find this. You had asked to make an example of a company that does this with the internet already. I can think of 2. One is a marketing firm in New England I used to work at, the other is a power station that collects the data from the links its customers hit to determine what they are looking at and for how long. Then the company solicits these people based on what products and services they downloaded information on.
  • All encryption is *not* breakable (meaning not all of it is, not that none of it is). It's all circumventable, sure, but that's not the same thing. Please don't spread this bogus idea any further.
    --
  • by Fastolfe ( 1470 )
    What does this have to do with my legal vs. illegal argument? Collecting information in this fashion is perfectly legal and I totally agree that this happens all the time. When a company installs sniffing equipment on data and voice communications lines as suggested, it becomes quite illegal and I can't imagine a company doing this. It seems like a hell of a lot of risk (major fines and prison terms) for such a trivial gain (some marketing information).

    When you fill out one of those forms to enter to win a free car, the fine print tells us that they're planning on collecting and using that information for marketing. In fact, unless the fine print explicitly states otherwise, you can usually assume that the company you're giving your information to will or reserves the right to use your information for marketing reasons. Again, this is perfectly legal.

    I understand and agree with that, but that has nothing to do with my post.

    Please elaborate.
  • The IETF is not yet another evil corporation here. They're an open INTERNATIONAL community devoted to keeping the Internet's infrastructure running smoothly and evolving.

    That's their purpose.

    You can bet that the members and coordinators are pretty intelligent folk. They're not going to adopt things unless they've given it a lot of thought.

    Let's PLEASE not get worked up over any of this when the IETF is just starting its discussion. These people are not stupid people. Let's try and give them the benefit of the doubt that they are working in the Internet's best interests.
  • I believe that, technically, since the data passes through the US, the US has the ability ("right"?) to monitor in some fashion. I'm not sure if there are legal issues here, but you can bet that other countries are doing precisely the same thing.
  • The difference is that information like this is collected legally.

    Always read the fine print.

    It would be illegal for a company to collect this type of information via any sort of Internet wiretap "backdoors". I imagine it'd be illegal to even attempt to use these backdoors at all, in fact (and detectable, to an extent). Before you pipe up and tell me that there are companies that break the law every day, I'd like you to name one that regularly performs the equivalent of wiretaps on normal people with the intent to hurt them or make a profit from the information they glean.

    Things like this only happen in conspiracy theories and the occasional B-rated movie.
  • I think we are quite some way from BigBrother, but I hope people realize that the current government also is far from trustworthy.

    If you believe you cannot in good faith trust the government that governs you, that your government is consistently acting against your wishes and the wishes of your community, out of malice or otherwise, it's high time you overthrew that government.

    More likely, your mistrust might be easily corrected. There are several reasons a person might not trust his government. A) The government might be making decisions based on information the citizen does not understand or have at his disposal; B) The government might not be making decisions with as much information as they need, causing it to make poor decisions; C) A small number of people may have gotten a lot of bad publicity and have been ousted in the past for abusing their positions in government; D) The government might be hell-bent on ruining the lives of the citizens it's elected to govern.

    I'm tempted to say A and B are the dominant factors here. (Perhaps a bit of C as well, but that can't be helped.)

    I'll leave it as an exercise to the reader on how they might take a more active role in their government to resolve these deficiencies.
  • That would be true if: (a) I were suggesting using amateur algorithms, and (b) the crackers could determine the algorithm used.

    (a) The two algorithms I suggested - Skipjack and Rijndael - are considered about the strongest algorithms out there by the crypto specialists, from what few papers I have read. Those, and Serpent (another VERY nice algorithm) won't be breakable in any practical way for the next 50 years, minimum.

    Skipjack is former DoD, I believe, and recently declassified. Rijndael and Serpent are competing as replacements for DES, and are through to round 2 of evaluation. So far, they are the hot favourites, for being both strong and fast to apply.

    (b) If the crypto experts know what to crack, they have advantages over not knowing what they're cracking. Those advantages are that any potential weaknesses in the algorithm are known in advance, and knowing how to apply the generated key to the encrypted message. Remember, these are AUTOMATED systems, not manual ones. That means that either ALL known algorithms are applied, OR the message is parsed and the most probable algorithm is used. Either way, if you trick the system into applying the wrong algorithm, it won't detect that unless a human agent intervenes. BUT, if you're clever and ensure that the message decodes into something seemingly valid, when an incorrect algorithm of your choice is applied, the system won't alert a human agent that something is wrong. It'll think the message is cracked, and move onto the next one.

  • I think you'll find that Rijndael (and Serpent) are the two hot favourites for the US Gov't's attempts to replace DES. Hardly obscure! And certainly well-tested! On the other hand, they are =STILL= non-standard, in that PGP doesn't use them and so no automatic script for cracking PGP messages will apply those algorithms.

    Skipjack has, likewise, been analysed, since the DoD declassified it. I believe it's considered as strong as Serpent, though it's unpopular because of its origins.

  • Same way I did. Use a search engine, and download it from one of the International crypto archives. I also found an excellent postscript document on how it works, too. If I can remember the archive I fetched it from, before this falls off today's listings, I'll follow up with the address.
  • Digitise, compress, and transmit in the lower audible frequencies, spaced out so that it was not recognisable (by the human ear) as being present. Then, overlay a totally harmless audio stream. Reverse the process at the other end.

    (This would only be usable IF the compression reduced the transmission time by AT LEAST as much as you were adding spacing to make it inaudible.)

  • Depends. Microsoft might adopt, embrace and extend it, thus breaking all the world's Government's espionage systems. Hmmmm. That's a thought!!! Hey, Mr Gates! Can I have a quick word with you...? There's this feature I'd like you to add....
  • I'd like to refer them to this [nsf.net] RFC. I don't suppose it would help though.

    For the curious who don't want to follow the link, that's RFC 2401.

    as to what it talks about, you'll just have to have a look, 'cause I'm not telling :)

  • attempts to replace DES. Hardly obscure! And certainly well-tested!
    Well-tested? Hardly! They've only been publicly described for a few years. If you talk to the experts, they'll tell you to use triple-DES, because DES has withstood decades of attacks, and there still aren't any attacks against it that are significantly more computationally efficient than brute force. Since a 56-bit key is demonstrably short enough to be readily cracked by brute force, going to triple-DES is advised.

    I've not seen any credible claims that any of the NIST candidates are believed to be more secure than triple-DES.

  • Every packet you send over the Internet goes through an unpredictable path to its destination. And everyone knows this.
    Well, then, everyone is wrong.

    If everyone would bother playing with simple, widely available tools like traceroute, everyone would discover that in reality, traffic between two given hosts tends to traverse the exact same route for long periods of time (typically at least hours or days).

  • The US government should have no right to wiretap.
    The US government has no rights of any kind. They only have limited powers granted to them by the people in the Constitution.

    This may seem like nitpicking, but it's actually a very important distinction, because forgetting it leads people down the path where they believe that the government is in the position to grant certain rights to the people, and nothing could be further from the truth.

    The people have rights, and the most that the government is supposed to have power to do is to place certain minimal limits on those rights.

    One of the major reasons the Bill of Rights was controversial was not because anyone thought that the ideas therein were bad, but because they were afraid that if they enumerated certain rights of the people, that the people (and government) would start to believe that the people had only those rights, and that they were somehow granted by the government. In order to placate those concerns, the Tenth Amendment was added, but unfortunately despite that people (and government) have in fact fallen into exactly that trap.

    Here's a brief article [brouhaha.com] I recently wrote about this subject.

  • I wouldn't be so quick to use PGP, or GPG, in such a circumstance. PGP headers, sure, but it makes no sense to give the cracking team clues as to how the message might be broken.


    One of the first things I learned when I set out to learn about crypto was that you should always assume the enemy knows the algorithm you're using. It basically boils down to a strong algorithm will remain strong, even when the attacker has knowledge of what's being used, while a weak one won't matter anyway.

    There are programs that will help to mask PGP messages by stripping off the standard headers on the encrypted messages (which generally means you need to know who sent the message, and to which key). This helps to slow down attackers, but it's not going to keep a determined attacker from figuring out what you're using.

    The point where stripping off headers will really help is if you're trying to hide the encrypted stream in another data stream (steganography). But I'm not sure how practical it would be to use stego for a real-time phone conversation between 2 or more people.
  • Ok what will IETF consider as their "participation" on wiretapping?

    A technical protocol? Then sorry. Russia saw this with proposal SORM-1. A very good document in their technical aspects but completely outdated. The proposed technology was nearly 5-year old and no one was agreeing to follow it. And the discussion that followed made the FSB to drop any ideas to make it reality. They didn't publish why but we can infer from proposal SORM-2:

    Technologies change. To force a specific wiretapping protocol may "kill" the technological advance.

    You have a technical wiretapping protocol that everyone knows about. So will just the government use it? And how to secure it? And if someone really breaks in? Can we manage to measure the damage?

    Can we wiretap telephones? Yes. Can we wiretap IP? Sure. Can we wiretap WWW? Of course. Can you wiretap everything? ARE YOU MAD???

    Today wiretapping 100 seems easy. Tomorrow we may face the fact that every home has its TV set and its Internet connection. And whatever concern we may face in relation to security we can't follow everybody. Even 1 person is enough for weeks of work. Especially if he is some kind of geek or hacker.


    Well these were some of the arguments I saw in discussions. I deliberately avoided to state here any moral and immoral parts of the discussion. However I can say that a broad part of the people agreed to allow FSB to follow criminals on the Net.

    The result was SORM-2. I can't say it was perfect. Maybe far from it. But it possessed a principal difference. It didn't carry anymore things about technical protocols and obligations. It was mostly a "List of principles" regulating the behaviour of FSB and ISPs in situations where wiretapping was required. One important point was that FSB was required to get a court order to proceed any wiretapping on Internet. Besides any technical aspect should be regulated in common by the ISP and FSB in mostly a case-to-case basis.

    Sincerely I think that sooner or later the lawmakers will realize that they should go this way. But then, I think it's not IETF problem to consider about wiretapping.

    Apart from this. A theological aspect. Somehow, States are trying to know everything. However every theology teaches us that only God knows everything. So it seems that, anyway, these attempts are doomed. Or will they try to wiretap God?
  • I never understood the concerns over "Internet wiretapping". Every packet you send over the Internet goes through an unpredictable path to its destination. And everyone knows this. That's why everything that's critical should be encrypted.

    So why is government "wiretapping" (call it what it is: packet sniffing) such a big deal? Twelve year old script kiddies already do this all the time.

  • ...as I see it is that given American dominance over the internet, US considerations may be given primacy. Which may well contravene existing laws in other countries.
    So what should be done? I don't have the breadth of knowledge to give an authoritative or complete reply, but my inclination would be to maximise security (and hence privacy) and leave the wiretapping considerations to individual governments and ISPs.
    Here's why...

    If I were planning an illegal activity over the internet, you can be damn sure I'd use 1024 bit pgp encryption. It wouldn't matter a damn what wiretapping facilities were in place if all they could read was encrypted crap. They'd only be able to read the mail of the innocent and the naive.

    If the government can get in, so can other people. Back doors are by their very nature insecure.

  • The government is not a company. By saying "and all other" you are implying that they are equivalent. This is nonsense. The government has sole monopoly over the creation and enforcement of laws and the imposition and collection of taxes. If there are any companies that have these privileges, then they do so because a government gave them to them.

    And companies won't leave the internet alone because most of the internet is theirs! There may be a few charitable nodes out there, but 95% of the internet is owned by a commercial entity or funded through government taxes. Saying you want companies to leave the internet alone is like saying you want commercial publishers to leave the newspapers alone.
  • (this is an example of very bad moderating btw...)

    No. It is an example of someone having an opinion that you do not agree with. There is a difference.

    Moderation does not exist to ensure that only people who agree with you get read. It exists to promote interesting and insightful posts while filtering flamebait, offtopic, and other pointless posts.

    In short: Freedom of speech. Not correctness of speech.
  • Seems to me that the IETF could build in technical safeguards which governments or private firms would not have a motive to include.

    For example, imagine a router which would only tee traffic to another port if presented with a electronic signed by a judge and specifically naming the port(s) to be watched. Obviously this would imply a proper PKI for the judiciary, but hey, if they want our co-operation they'd better put their own house in order first.

    Paul.
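
The gate described in the comment above, as an added sketch that is not part of the original post or any IETF or vendor design: a router that mirrors a port only when shown an order that verifies, is inside its validity window, and names that exact port. The order fields, class names and the HMAC key are assumptions; HMAC stands in for the public-key signature a judiciary PKI would provide.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed stand-in for the court's signing key. In the scheme the comment
# imagines, the router would instead verify a public-key signature that
# chains to a judiciary PKI; HMAC is used here only so the sketch runs offline.
COURT_KEY = b"constructed-demo-court-key"


def canonical(order: dict) -> bytes:
    """Serialize deterministically so signer and router hash identical bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()


def sign_order(order: dict, key: bytes) -> str:
    """Produce the (stand-in) signature over the whole order, ports included."""
    return hmac.new(key, canonical(order), hashlib.sha256).hexdigest()


@dataclass
class Router:
    court_key: bytes
    mirrors: dict = field(default_factory=dict)    # source port -> (monitor port, expiry)
    audit_log: list = field(default_factory=list)  # every request, granted or refused

    def _check(self, order: dict, signature: str, source_port: int, now: int):
        """Return a refusal reason, or None if the order authorizes this port now."""
        expected = sign_order(order, self.court_key)
        if not hmac.compare_digest(expected, signature):
            return "bad signature"
        # Missing time fields fail closed: the defaults make the window empty.
        if not (order.get("not_before", now + 1) <= now <= order.get("not_after", now - 1)):
            return "outside validity window"
        if source_port not in order.get("ports", []):
            return "port not named in order"
        return None

    def request_mirror(self, order, signature, source_port, monitor_port, now):
        """Start mirroring only if the order checks out; log the outcome either way."""
        reason = self._check(order, signature, source_port, now)
        self.audit_log.append((now, order.get("order_id"), source_port, reason or "granted"))
        if reason:
            return False
        self.mirrors[source_port] = (monitor_port, order["not_after"])
        return True

    def expire(self, now: int) -> None:
        """Tear down any mirror whose authorizing order has lapsed."""
        self.mirrors = {p: m for p, m in self.mirrors.items() if m[1] >= now}


if __name__ == "__main__":
    # Constructed sample order: port 7 only, valid from t=100 to t=200.
    order = {"order_id": "DEMO-1", "ports": [7], "not_before": 100, "not_after": 200}
    sig = sign_order(order, COURT_KEY)
    router = Router(COURT_KEY)
    print(router.request_mirror(order, sig, 7, 48, now=150))   # named port
    print(router.request_mirror(order, sig, 8, 48, now=150))   # port not in the order
    widened = dict(order, ports=[7, 8])                        # edited after signing
    print(router.request_mirror(widened, sig, 8, 48, now=150))
    for entry in router.audit_log:
        print(entry)
```

Because the signature covers the port list and the time window, widening either after signing invalidates the order, and the audit log records refused attempts as well as granted ones.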

  • I can think of 2 reasons why wiretapping would be something to be concerned about.

    1. It makes discrimination very easy. This would be an issue in case of war for instance (think about what happened to the Jews).

    2. We just don't trust the authorities, do we!?
    It seems like people are afraid the FBI, CIA, Police, NSA and others will use the wiretapping against honest people; and not just to get the bad people.
    I think we are quite some way from BigBrother, but I hope people realize that the current government also is far from trustworthy.

    Both problems are not easily solved. --include standard quote here about this being beyond the scope of this simple email-- What we might think about right now is the needless overhead this is going to present to routers, firewalls etc.
    I don't think the government is going to compensate with financial support for increasing bandwidth :)

    Looking on the bright side: Hackers can have a load of fun exploiting it during the first few years, and sensitive data can still be encrypted. ;)

  • ... it's called "security by obscurity". It's highly regarded in the security world as a valuable way to, well, screw yourself over.

    Either you trust the crypto or you don't. If you don't: don't use it. If you do, then use it, and while you're at it send your worst enemy the source code to the program, a book about the crypto as a taunt, and some recommendations on good hardware. And then have fun when he realizes you chose "won't" rather than "chances are".

    (this is an example of very bad moderating btw...)

    -
    /. is like a steer's horns, a point here, a point there and a lot of bull in between.

  • I am well aware of the IETF's role, and that they have no actual authoritative power. That is my point, don't dare to compromise on these issues: if we can't get standards that are not designed from the ground up for the purpose of infringing on our basic rights, then let the IETF make whatever standards they want and screw using them.

    If it reaches the point that there is no other option but to develop some sort of "standards" for this crap, then those standards should be disregarded.

    -
    /. is like a steer's horns, a point here, a point there and a lot of bull in between.

  • No, you have got this backwards. The fear is not that America will water down other countries' regulations, but the opposite. America has some of the strictest laws in democratic when it comes to mandatory government holes in Telecom equipment.

    You have been brainwashed for too long...

    -
    /. is like a steer's horns, a point here, a point there and a lot of bull in between.
  • If the IETF decides that it will implement some way of "digital wiretapping" with whatever existing/new standards, I highly urge everyone to tell the IETF to FUCK OFF.

    If the IETF is such a spineless, worthless, puppet of an organization that it gives into these demands by the American government (and don't fool yourself, we all know who is really making these demands), then I think the Internet is a hell of a lot better off without it: standards or no.

    Screw "OPTIONAL", these are human rights issues, not things to compromise on. Shame on the IETF for opening up for it, shame on you for suggesting it, and shame on Slashdot for putting this at the top of this discussion. For once I am not proud to be a /.er.

    -
    /. is like a steer's horns, a point here, a point there and a lot of bull in between.
  • The IETF should provide technological leadership to the global community, not follow the shortsighted whims of backwards national governments. If some group of religious fundamentalists came to power and decided that packets containing "666" were evil, or that no data stream should even coincidentally contain the ASCII encoding for "Jehovah" or the UniCode for a Koran verse, would the IETF change standards to fit their wishes?

    Set standards for the best technical reasons. Explain to governments why they shouldn't block adoption of those standards. Wave "bye-bye" in your rear-view mirror to those nations who choose to block them, as the rest of the world speeds off into the future.

  • Why is it that governments and all forget the fundamental problem with encryption? No matter how good the cypher, how good the encryption, whether it be Enigma, DES, or even a OTP..... It is breakable.

    All encryption is breakable, it MUST be in cleartext before it's being sent and it MUST be in cleartext when it's read. Encryption won't help if they have a bug in the keyboard, they have compromised the machine, or if they have a bug on the display device.

    Of course, that's inconvenient, perhaps a little dangerous. It's not easy to put dozens of bugs all over the place like that, to monitor many people. It requires effort, money, work..

    So here's the interesting question. *Why* do they want it to be so easy, so cheap, so convenient to monitor tens, thousands, or millions of encrypted communications all at the same time? Why is the old-fashioned bug so bad? Why do they want the extreme convenience of monitoring the nation? Why do they want to build an infrastructure that makes it possible to monitor the entire nation's communication network?

    Please, enlighten me..
  • I believe the year was 1899 when Indiana tried to declare pi as being equal to 4, not 3 or 3.24. (Apparently somewhere in the soup of numbers that is pi, there are several consecutive nines, and the good folks in Indiana figured they'd just round up...)
  • Remember, the IETF doesn't really have any "official powers." Have you read the message that's linked to in this article? They're asking for comment on whether they should take a political stand. I'm assuming that if they have no feedback saying "Don't cave in!" and only feedback saying "Cave in!" they're going to follow popular opinion and cave in. If you don't like the idea of standardized eavesdropping, then by all means let them know and let me make the polite observation that a cogent and well-thought out argument will make a lot more impact than obscenity.

    However, let me clearly state that I am in no way in favor of this kind of violation of privacies. I'm saying that if things come to the point that there is no other option but to develop some sort of "standards" for this crap, there should be at least an attempt to prevent them from being REQUIRED.

    I guess I've just learned better than to expect that the world is all going to be sunshine and light. Governments don't care about their citizens anymore, and corporations don't care about their customers. Power and money are what talk. It's unlikely that a group of essentially volunteers are going to make significant headway against world governments and multinational corporations in basic human rights issues.

    If you expect the rest of the world to play fair, may I politely inform you that you have some growing up to do. "Death before dishonor!" sounds nice on a tombstone, but in reality, discretion is often the better part of valor. If you can't stand up to them directly, maybe the next best step is to do what you can and live to fight another day.

    -=-=-=-=-

  • I'm a white southerner and I am offended that you use the term "southerners" to refer to inhabitants of the southern United States of America.

    jsm
  • Given the nature of routing, particularly on the internet, how would it be determined who would have jurisdiction to perform said "wiretapping" of the VOIP call in question? The call between a guy in Paris and his buddy in Tokyo may very well pass through the US - would the US then be allowed to tap the call? If not, what would stop them? Given a back door into VOIP, I could easily sniff, and hence, listen to / decode other people's calls. The Governments of the world may argue that this power would only be used for legitimate means, and through legally established channels. Don't believe them. All powers given to a Government will eventually be abused. The harder it is to get caught, the more frequent abuse will be. Humans are by nature curious, and Governments are by nature distrustful.
  • The mailing list is public. You can subscribe here [ietf.org] and read the archives here [ietf.org]. This, IMHO, is good. The existing posts on the list are, for the most part, high quality, constructive and thoughtful. One would hope that this being posted to Slashdot doesn't change that.

  • by Signal 11 ( 7608 ) on Tuesday October 12, 1999 @10:09AM (#1619939)
    Wiretapping is impractical. There are several reasons for this:
    • uneconomical
    • uneconomical
    • uneconomical
    :^) Get my point? It's not economical because you would need to tap several thousand points around the internet in order to get a good 'sample' - and if somebody routes using a backbone or connection that isn't tapped... oh well. And mind you no sysadmin is going to let the feds anywhere near his hardware without making a big fuss over it - likely the whole 'net will know exactly which ISPs, routes, backbones, and servers are 'bugged'. Even then.. just use an 'untapped' route as a proxy - just like telnet proxying that many crackers employ.

    The second reason it's uneconomical is because it's a lot easier to place a hardware bug into current systems (plug in a system board, replace the network card with a lookalike and a transmitter, tempest, etc) than to tap the upstream site(s) they will be using.

    The third and final reason it's uneconomical is because this all assumes the would-be criminal isn't using encryption - and if he's savvy he likely is. So what's the point? They wouldn't be able to spy on the criminals anyway - just the average American who thinks IE and Outlook Express are the greatest programs ever.

    Soooo... my take on it? The feds want to monitor domestic communications, because anything else is impractical - too expensive even for the Big Three.

    --

  • by Ledge Kindred ( 82988 ) on Tuesday October 12, 1999 @10:22AM (#1619940)
    You say, "If you want real security, use a non-standard algorithm (Skipjack or Rijndael are good for this) to encrypt the message."

    I have to disagree with this statement. If you pay any attention to the crypto world, especially lately with the US gov't trying to find a new standard for encryption to replace DES and all its associated conversations, you should understand that the reason encryption algorithms become "popular" and "standard" is because they are subjected to brutal levels of scrutiny and analysis to determine their ability to withstand the various attacks to which you can subject crypto algorithms. The ones that stand up the best to this sort of hammering are the ones that tend to become widely used simply because they can stand up to the worst sorts of attacks the smartest people in crypto can come up with.

    Saying "using a non-standard algorithm is more secure than a standard one" is just as bad as saying "security through obscurity works." It might, but then again it might not. The whole point is that you just don't know, while with the routines that have been publicly analyzed, you do know, at least to a reasonable measure.

    And as far as what sort of computing power the Governments might have (The U.S. and Japan in particular since they seem to produce the largest number of the most powerful supercomputers), there's a lot of "scare" noise being thrown about that I personally don't put much faith in. Most of the crypto algorithms are such that it would take a dramatic mathematical breakthrough to really crack them rather than just more horsepower. If it's the difference between not cracking a code before the heat death of the universe and getting into it just after the sun collapses into a brown dwarf, I'm not going to worry.

    -=-=-=-=-

  • by jd ( 1658 ) <`imipak' `at' `yahoo.com'> on Tuesday October 12, 1999 @10:01AM (#1619941) Homepage Journal
    *Disclaimer* I am NOT an encryption expert. I am NOT even an armchair expert. The limit of my knowledge is limited experience and what passes for intelligence. At least, according to some amoeba.

    I wouldn't be so quick to use PGP, or GPG, in such a circumstance. PGP headers, sure, but it makes no sense to give the cracking team clues as to how the message might be broken.

    If you want real security, use a non-standard algorithm (Skipjack or Rijndael are good for this) to encrypt the message. Put a fake key and PGP headers round it, and finally run it through a steganography package.

    If the message is found, the chances are that they'd attack the key. If they broke the code and got the key, they're no better off, as it won't work. (If you're =really= clever, reverse engineer a key that =appears= to work, generating a valid, but meaningless, message when applied.) Alternatively, they might try to attack the message itself. No good, as you're not using any of the algorithms the package you claim to be using has.

    It (almost) doesn't matter how good the actual algorithm is, if you can convince potential attackers that you're using something else entirely. You only need to be concerned if they discover the deception and fathom out (somehow) what system you really have used. Even then, you aren't entirely vulnerable. A strong algorithm is going to take a long time to break, and there are plenty of twists you can add. (eg: Store the message backwards, or swap adjacent letters, to try and fool algorithms for detecting possible keys into recording a false negative.)

    The problem is that Governments don't NEED to care about encryption. They've ultra-powerful computers capable of feats that would blow the socks off Seymour Cray if he were still alive. (Mind you, if ghosts need socks, they still might!) So long as the Governments can get the raw packets, they're home and dry. Almost. They use computers to break codes. Computers are fast, but notoriously stupid. An ingenious cryptographer should be able to deceive even the fastest, most powerful code-breaking computers in the world to report false positives. Do that, and trick the operators into using the wrong decryption algorithms, you have some limited influence over what those operators see.

  • by emag ( 4640 ) <slashdot AT gurski DOT org> on Tuesday October 12, 1999 @10:27AM (#1619942) Homepage
    then they should do it themselves, instead of mandating that everyone make it "easy" for them. Especially here in the United States of Amerika, nothing says I need to make it easy for anyone to understand what I'm saying.

    Not to mention that people who really want to have private conversations still will be able to, by piggybacking on top of (or tunneling with) "truly" secure protocols. There are internet phone apps that use PGP, will probably be ones that use GPG, there are secure ytalk's floating around, etc.

    The hell with government observation. It's their problem if they can't read my mail, or tap my phone, not mine, nor my ISP's.

    The IETF, bowing down to opening up holes in secure protocols, will IMHO, completely invalidate any stance they have about any commitment to security. After all, would you buy a safe which is secure, "except for this spot right here, which will only be cut through by Authorized Personnel [or anyone else who tries]"?

    Compromising security for the sole purpose of being friendly to government is ridiculous. Do you think they'd reciprocate on their own security so that we can tap into their communications? Of course not. But then, who ever said life was fair?

    Even compromising security so that something will be accepted for use in multiple countries doesn't work. What self-respecting nation would want to use something that has backdoors the US (or any other) government can use to eavesdrop on its citizenry? Even when told, "We won't do it unless we have to. We mean it this time. You can trust us. Would we lie? Again?" I seriously doubt anyone with even a modicum of concern would believe that, or use a backdoored protocol.

    Just look at the Clipper chip, the export version of Lotus Notes, etc. How many do you see in widespread deployment?

    My personal feelings are echoed by the statement (Jefferson?) that people who choose to give up some freedom for security deserve neither. And yes, I would rather see a criminal get away with a crime to avoid sacrificing any innocent's privacy, since only dumb criminals would use dumb protocols to begin with.
  • by NatePuri ( 9870 ) on Tuesday October 12, 1999 @11:26AM (#1619943) Homepage

    We are non-profit, grass-roots, and in the crucial early stages of development.

    Our goal is to develop a publicly available VPN based on IPv6 and IPSec. We hope to be a public domain for serving 21st Cent. things like VoIP, application servers, anonymizing proxies. We also seek to make cheap computers and free (speech) software available to low income families and individuals.

    I invite you to see www.ompages.com. If privacy is an issue for you and you want to do more than 'write your local congressman', for example, by donating skills, equipment and resources to the public works project to build a secure network then join us. There is no leader, you can start your own project on ompages that furthers our goals of private networks and global technology proliferation. There will be no public network where individual privacy rights are the prime goal unless intelligent and experienced sys admins, programmers and web-masters get on the ball and make it happen. Talk is cheap; we can do this.

    We must speak with one international voice against privacy intrusions to the IETF. If the IETF won't give us the privacy protections that are our birth rights, then we must implement our own. In fact, AOL users should not be subjected to the hoodwinking they are receiving. It is our duty as technically educated net citizens to give them the services they have now in a much more secure environment. Our priority is not the bottom-line; it's the line that must be maintained between individuality and government sponsored controls. This is no small task, but then again, neither is freedom. The U.S. claims to be governed by the people; ompages.com is.

  • by Todd Knarr ( 15451 ) on Tuesday October 12, 1999 @09:53AM (#1619944) Homepage

    My thought is that putting wiretap capabilities into the lowest levels of the protocols is useless. So you can tap the IPv6 packet layer. So what? I'll just use SSL above that, or PGP-encrypt my mail, and your tap is useless.

    There's also this: countries feel they need the Internet. Perhaps it's time to use the leverage this gives. Make no allowances in the protocols for wiretapping and the like, and give various countries a choice: allow people their privacy, or you will not be able to interoperate with the Internet. As noted above there are too many ways the people the governments could legitimately tap can bypass any hooks in the protocols, and why should the Internet protocols be designed to even potentially compromise the privacy of those who aren't legitimate targets?

  • by Ledge Kindred ( 82988 ) on Tuesday October 12, 1999 @10:05AM (#1619945)
    If the IETF gets feedback indicating that they will have to figure out some way of implementing "digital wiretapping" with whatever existing/new standards, I highly urge everyone to recommend that they place them into the "MAY" or "OPTIONAL" categories of the specs.

    That way, if a company wants to implement and sell a product that meets the standard in a way that fascistic governments who don't believe in personal freedoms will let them build and sell them, they can do so by implementing the "OPTIONAL" Backdoor parts of the spec.

    Those groups who prefer security over letting Uncle Sam (or whichever hacker group out there is simply smart enough to read the specs and implement their own snooping software that follows the "RFC-'1984' - Government Backdoors into Network Protocols" spec) eavesdrop, like the OpenBSD guys, can simply ignore the "OPTIONAL" part of the spec that outlines the backdoor without breaking the entire thing.

    Sorry for the emotionally-loaded phrasing, but this kind of crap really gets me steamed. I'm amazed on a daily basis at how willing our governments are (especially here in the US) to simply trample our civil/constitutional rights for the Holy purpose of "National Security" whatever that means.

    -=-=-=-=-
