More on Cisco Building Surveillance into Routers
An anonymous reader writes "The company recently published a proposal that describes how it plans to embed 'lawful interception' capability into its products. Among the highlights: Eavesdropping 'must be undetectable,' and multiple police agencies conducting simultaneous wiretaps must not learn of one another. If an Internet provider uses encryption to preserve its customers' privacy and has access to the encryption keys, it must turn over the intercepted communications to police in a descrambled form." See our earlier story and the RFC for background.
Thank you slashdot! (Score:4, Interesting)
what about != U.S.A. ? (Score:3, Interesting)
Other countries. (Score:2, Interesting)
So what good is this (Score:1, Interesting)
If you are using decent key exchange protocols and encrypt your traffic?
And besides, aren't you worried that your stuff goes to some AOL server when you're using AIM? Wake up... Echelon does not exist, it's being built. Let's do something about it.
it only bothers the unknowing honest. (Score:5, Interesting)
If I simply send everything encrypted AND send lots of fake packets... i.e. random-sized files that consist of the contents of
It's called hiding in a sea of garbage. Now write a nice small program that is a P2P sharing app (or a plug-in for one) that sends around some of those random files to other users (small ones 1-100K in size then keep your files in that size range)
Screw with them as they screw with you.
so a freenet node will completely hose this "eavesdropping system"
multiple hidden wiretaps... (Score:5, Interesting)
Re:Sigh. (Score:3, Interesting)
Actually I would think that the bigger hope is that the laws that are designed to prevent abuse of this type of tapping hold up. From a technical point of view, you absolutely don't want an "easy" way to do auditing. Again, looking at it from the standpoint of the "users" of this tapping ability, you want complete anonymity (i.e. you don't even want some curious sysadmin to peek and see how many, if any, taps are currently going on).
But as a citizen, you would hope that if you get thrown in jail with some incriminating evidence derived from this sort of surveillance, the authorities would have had to get a search warrant, which means that they would have to have some type of reasonable suspicion and prove it to a judge. I know, it doesn't always work this way, but like I said, from the bigger picture, this isn't a technology issue; you really want the social/political side of this to "work".
encryption (Score:5, Interesting)
It's a 2-Sided Coin (Score:5, Interesting)
Re:Sigh. (Score:3, Interesting)
That's a terrible excuse. There is a huge difference between (one of) the world's largest makers of networking hardware implementing traffic content surveillance and some minuscule manufacturer in Iceland doing it.
I blame them, they shouldn't get their hands in this jar.
Luckily, we have alternatives (Score:5, Interesting)
That being said, Cisco knows that companies that used to buy from them will still probably buy from them. So this can't be a huge risk to their company. But the 'new features' would firmly embed government eavesdropping facilities in major ISPs, banks, large companies, schools, universities, etc.
Re:I don't see what the big deal is. (Score:5, Interesting)
DPUG Protocol (Score:2, Interesting)
Don't forget - this applies to the home, too (Score:0, Interesting)
Re:Sigh. (Score:5, Interesting)
Re:So, this outlaws quantum encryption then (Score:3, Interesting)
Re:Big brother (Score:5, Interesting)
The Democrats want to take away the second amendment rights. The Republicans want to take away the 1st, 4th, abortion, etc.
Wise up and rise up. Revolution is the only way. Those in power will fight very hard to stay in power. You end up having to ask yourself one question: How much do you value the rights for which millions have fought and died?
As for me, I'm going to just use a bit of double-think and forget that I had that thought, so I can go on being a happy little sheep in my comfy white-collar suburban world.
Re:Undetectable built-in backdoor (Score:2, Interesting)
The undetectability requirement is that the subject of a tap not be able to know they are being tapped. Also: there is a requirement that only authorized personnel be capable of seeing tap information, and not just any random NOC monkey. All of this is completely analogous to the implementation of CALEA requirements for the Bellheaded set.
But this is
Don't blame Cisco too quickly (Score:5, Interesting)
From the article:
Still, if you don't like Cisco's decision, remember that they're not the ones doing the snooping. Cisco is responding to its customers' requests, and if they don't, other hardware vendors will. Cisco's Internet draft may be titled "lawful interception," but there's no guarantee that the capability will always be used legally. If you're looking for someone to blame, consider Attorney General John Ashcroft, who asked for and received sweeping surveillance powers in the USA Patriot Act, along with your elected representatives in Congress, who gave those powers to him with virtually no debate.
(emphasis mine)
Re:Undetectable built-in backdoor (Score:5, Interesting)
A story (I believe) in "California Lawyer" from maybe 3 years ago noted that Kevin Poulsen, while phreaking, had managed to discover phone taps planted by the US Government in various foreign embassies, including South Africa. A condition of his release was that he was forbidden to discuss the details.
Re:Time to break out your own encryption (Score:5, Interesting)
That is a post to a Cypherpunks mailing list concerning a hypothetical device to crack the 1024-bit keys that are so widely used in ssh and the like. The "machine" would cost between several hundred million and a billion dollars and require a megawatt or so of power, but would make cracking those types of keys child's play.
Considering that spy agencies could spend up to 2 billion USD on satellites, they would be crazy to pass something like this up.
Food for thought...
Is less wiretap data better or worse? (Score:2, Interesting)
We have some capabilities in some of our equipment that will allow you to take all the traffic that goes across an interface and send it to another interface. Right now that is used in some cases as a lawful interception technology.
When we first started talking, some engineers said, "Let's turn this on and use that." I said, "Heavens no, if we can narrow the range of information, let's do it." Let's let our customers meet their requirements in as privacy-protecting a way as possible.
Cisco's idea is that by limiting the data coughed up to a "legal intercept", other people's data will not be included, thereby protecting their privacy. Of course, by deluging the interceptors with huge amounts of everyone's data, we could argue that everyone's privacy is increased.
So which is better - more or less data?
This is not as bad as it sounds (Score:5, Interesting)
Thus it's not like it's a new form of intrusion or the erosion of a sacred right. Moreover, we have an extensive legal system that already knows how to walk an acceptable line between preserving public order and unlawful searches and seizures. Yes, there are flagrant abuses of course, but the basic level of public expectation and legal machinery is in place to deal with this.
Thus the real question is if the Ashcroft-era people will try to use this as an end-run around the existing legal machinery. I paraphrase a former Missouri senator who said (about Carnivore-like intrusion) "I don't put a phone jack on the outside of my house so the feds can listen in when they please, so I don't want a jack on my internet connection for the same purpose". Ironically that senator was John Ashcroft, before he lost his reelection bid to a dead man and became the worst attorney general ever, including Edwin Meese. Now he chafes at these restrictions and does indeed want such a jack and the pre-emptive authority to use it without a court order, probable cause, or a defined list of evidence to be gathered.
Thus I welcome the Cisco method since it formalizes what is now a covert and thus unmonitored process. Thus this may bring the light of public scrutiny and invite the invocation of past legal precedent.
performance (Score:3, Interesting)
On the face of it this is going to look like a provider outage, I am thinking, since it's completely 'transparent' even with multiple big brothers or any black hat people that might have jumped on the router as well, I am thinking.
Nothing is going to show up in the interface statistics and nothing in the CPU is going to account for the activity, but when you look at your CSU/DSU (or equivalent) you will see the activity.
Maybe the best way to deal with this is to forget using the real traffic, but rather use the RFC that they propose for actual communication, since it's invisible to the other peers. Sounds like a stealth VPN to me, of sorts.
Re:I don't see what the big deal is. (Score:3, Interesting)
Whether this is good or bad for society is another matter, but it's been suggested that we'll simply need to adapt. Arguably, using information obtained through "privacy-invading" means is just childish immaturity, when you look at the big picture. Maybe our society just needs to grow out of that?
Fighting change in this area of technology only delays the inevitable and keeps the abilities in the hands of the surreptitious and those who *would* use it solely for their own benefit.
Something to think about...
Cisco is trying to prevent government intrusion (Score:1, Interesting)
No. Cisco is trying to self-regulate so they can perform IP "wiretapping" on their own terms. The arrival of IP telephony tapping at your local ISP is inevitable; Cisco would be foolish to ignore it.
I work for a telecom equipment manufacturer. (yes, one of the few remaining..) My current project is testing the feature on our TDM switch that supports CALEA. [fcc.gov] (hence the anonymous post..) The capabilities of CALEA-compliant systems do not greatly expand on the old-fashioned method of physically tapping a suspect's copper line. They just simplify the telephone company's ability to administer taps. Basically, it just brings wiretapping to the digital age.
One thing to note is that the telephone companies, not the law enforcement agencies, are the people administering the taps. It is this separation that protects us from over-zealous police. Before the telco creates a tap, they must receive a court order. If they don't have a judge's signature, they tell the agency to blow smoke.
The FBI is scared $hitless about the convergence of circuit and packet-switched networks. IP telephony is much easier to secure than twisted-pair. But, just as people can buy a set of encrypting handsets for their regular telephones, people can add encryption on top of their IP voice call. It's generally only the crooks that do that, but the capability exists for anyone to do so. In fact, it's significantly easier in IP, which is why the FBI is so scared.
I'm not worried about Cisco's RFC. I would rather the rules for how to tap IP telephony come from a knowledgeable IP player than from the FBI. If Cisco doesn't write the RFC and get some semblance of a working system, Congress (through the FBI) will write it, and THAT would be a disaster. If Cisco does it right, you can expect the RFC to become law. And we should also expect an OSS implementation so ISPs can continue using Linux routers instead of having to buy Cisco just for the tapping ability.
In fact, I smell a potential business op^H^H^H^H^H^H^H^H^H^H^H uh, never mind...
Since Open Source projects can't be bought (Score:4, Interesting)
I'd love to create some crypto traffic between my home box and work machine (besides the normal SSH, of course). The more white noise packets floating around out there, the better. TCP/IP spook fodder, if you will.
Better yet, is there an encrypted, routed "internet" I can plug into at will when I'm online, just to obfuscate my traffic a bit? Or is that what Freenet is about?
Re:Big brother (Score:4, Interesting)
Remember the Clipper Chip and encryption export controls? Supported by Clinton and Gore, opposed by Bush and Ashcroft. Republicans aren't great on civil liberties, but I strongly dispute the implication that Democrats are any better.
work separate from morality? (Score:3, Interesting)
First of all, this makes it sound like there was a law passed which specifies all routers must have this kind of capability. I sure have not heard about that.
It sounds like currently an ISP can be subpoenaed to find out what a particular person is sending. Currently, the ISP seems to provide complete logs and allows law enforcement to sort through it. This just sounds like bad practice of law. If we lived in John-Ashcroft's-wet-dream-land where every packet has a personal ID number on it which could not be forged or faked, sure you could ask for what a person sends. This is so far from the case that it is a joke. Even if I only use one computer and it has one IP address, what if someone else uses it? Even if the email has a name on it, what if it was forged? It would be laughably easy to plant evidence on, say, a business rival. Bottom line: computers are not very secure, in general. (Side note: sure, your computer may be very secure, but visit, say, a law office. You may be surprised - even by very large law offices with nice wood paneling and mugs with the partners' names on them.)
If subpoenaed for John Q. Terrorist's internet activity, knowing what we know, we cannot hand anything over with a clean conscience. If, on the other hand, all of IP address 64.22.xx.xx is subpoenaed, sure, we have to hand it over, but we cannot say who did what with any great certainty.
Lastly, Mr. Baker seems to indicate providing a product is separate from morality. This is a very disjointed view of work - almost on the verge of: "what I do at work should be totally separate from morality." This is quite frightening. Perhaps this is too strong. He is clearly saying if the company follows the law, this is completely separate from morality. Again, this should be frightening: if you follow the law, morality is not at issue? The most obvious reaction is that if the law is wrong, in America, you have a responsibility to not follow it. Being part of a corporation does not absolve you of your duties as a citizen.
In my opinion, the workplace is where people are least moral (in my experience) and thus it is exactly where people need to be thinking of morality the most - certainly not separating it and arguing "we are just following the law".
Re:Big brother (Score:5, Interesting)
Solution to privacy invasion is MORE Technology. (Score:2, Interesting)
The other thing is, the network (inet) is more or less public and decentralized, which is DIFFERENT from Telco service which is more or less private and centralized, which makes it (anti privacy measures) much more difficult to implement, as one could route around the wiretap.
No, the only way the Feds/NWO/xIAA/etc. could effectively wiretap networks is through a transparent bridge in the middle (between two routers). And a good sysadmin should be able to spot the increase in delay of such a solution.
Re:Undetectable built-in backdoor (Score:3, Interesting)
The "phreak" term for it is RemObS (short for Remote Observation System). These things really exist, contrary to many folks' opinion.
Re:Since when does LAWFUL intercept mean "Orwellia (Score:2, Interesting)
The Patriot, Patriot 2, and any other acts of the US or foreign governments that represent serious invasions of our privacy have nothing whatsoever to do with lawful intercept standards. If the government is sniffing you illegally or legally without good oversight, you're still getting fucked, anyway.
Remember Carnivore? That's actually a much, MUCH more invasive tool for lawful (or otherwise) intercept. A coherent standard, built into the router, would make Carnivore unnecessary and (probably) constitutionally impermissible as an over-broad surveillance tool.
Right now, if the FBI gets a warrant to sniff your Net traffic, they walk into your ISP's office with a warrant and plug their sniffer into a router. They'll probably use a filtering expression to just look at stuff heading to/from your IP address (as reported by the ISP), but maybe they won't. Maybe they'll capture raw traffic and parse it out later to get your packets, throwing out the rest.
For the ISP, this isn't really very fun. They have to give up control over their router to the Feds, because there isn't any developed protocol for describing lawful collection of data on a router. What if Special Agent Johnson doesn't know the Cisco 7600 series as well as he thinks? Whoops, there's some downtime for the ISP, and maybe a bill for a new router if something really gets fucked up.
And what if the tap has to stay in place for a while? Some wiretap orders persist for months. That means Agent Johnson will be hanging around and making you nervous at work for quite a while. He likes his coffee black with sugar, just so you know.
The new standard would allow an ISP or other company to look at a warrant, turn around to the router, and put the tap in place themselves. The FBI will ONLY see what they specify in the warrant, and the ISP gets to continue on serving up porn to the rest of us. No muss, no fuss, no incidental privacy violations.
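The warrant-scoped tap this post describes, and the "more or less data" question raised earlier in the thread, as an added illustration that is not Cisco's code or the draft's API (all class names, agency names and sample traffic are constructed for the example):

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Added illustration, not Cisco's code or the draft's API: a toy mediation
# function applying warrant-scoped orders to a packet stream; all values constructed.
# agency = who the warrant authorises; target_ip = identifier named in it;
# not_before/not_after = the order's validity window.
InterceptOrder = namedtuple("InterceptOrder", "agency target_ip not_before not_after")
Packet = namedtuple("Packet", "ts src dst")

class MediationDevice:
    """Holds active orders; each agency receives only what its own orders cover."""

    def __init__(self, orders):
        self._orders = list(orders)

    def orders_visible_to(self, agency):
        # Simultaneous taps stay mutually invisible: filter by requester.
        return [o for o in self._orders if o.agency == agency]

    @staticmethod
    def _covers(order, pkt):
        in_window = order.not_before <= pkt.ts <= order.not_after
        return in_window and order.target_ip in (pkt.src, pkt.dst)

    def deliver(self, packets):
        # One stream per agency; a packet matching two of its orders is sent once.
        out = {o.agency: [] for o in self._orders}
        for pkt in packets:
            for agency in out:
                if any(self._covers(o, pkt) for o in self.orders_visible_to(agency)):
                    out[agency].append(pkt)
        return out

def hosts_exposed(packets):
    # Distinct endpoints an observer of this stream learns about.
    return {ip for p in packets for ip in (p.src, p.dst)}

T0, H = datetime(2003, 4, 1, 12, 0), timedelta(hours=1)  # constructed base time
SAMPLE_ORDERS = [
    InterceptOrder("agency_a", "10.0.0.5", T0, T0 + H),
    InterceptOrder("agency_b", "10.0.0.5", T0, T0 + H),  # second agency, same target
    InterceptOrder("agency_a", "10.0.0.7", T0 + H / 2, T0 + 2 * H),
]
SAMPLE_PACKETS = [  # constructed traffic crossing the tapped interface
    Packet(T0 + H / 12, "10.0.0.5", "192.0.2.10"),
    Packet(T0 + H / 6, "10.0.0.9", "192.0.2.20"),     # uninvolved customer
    Packet(T0 + H / 3, "10.0.0.7", "192.0.2.30"),     # before the 10.0.0.7 order starts
    Packet(T0 + 2 * H / 3, "192.0.2.30", "10.0.0.7"),
    Packet(T0 + 1.5 * H, "10.0.0.5", "192.0.2.10"),   # after the 10.0.0.5 orders expire
]

def demo():
    md = MediationDevice(SAMPLE_ORDERS)
    got = md.deliver(SAMPLE_PACKETS)
    return {"a_pkts": len(got["agency_a"]), "b_pkts": len(got["agency_b"]),
            "a_orders": len(md.orders_visible_to("agency_a")),
            "b_orders": len(md.orders_visible_to("agency_b")),
            "mirror_hosts": len(hosts_exposed(SAMPLE_PACKETS)),  # whole-interface mirror
            "scoped_hosts": len(hosts_exposed(got["agency_b"]))}
```

The whole-interface mirror exposes every endpoint that crossed the link, while the scoped delivery hands each agency only its target's packets inside the order window and lets neither agency see that the other has an order on the same target.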
IP stego or spoof system? (Score:2, Interesting)
From CodeCon, Invisible IRC networks, IP steganography etc:
http://codecon.deor.org/program.html
Of relevance here is http://peek-a-booty.org/ a privacy enhancement system described as a distributed anti-censorship application.
Covert channels in the TCP/IP Protocol:
http://www.firstmonday.dk/issues/issue2_5/rowla
This discusses a means to use IP to hide outgoing data for nefarious purposes, this could also be used to hide your personal outgoing data which is becoming a nefarious activity.
Many more hits on the web that I don't need to post here. I can and do use encrypted pipes, SSH, SSL, PGP etc. In the CodeCon URL, which is very interesting, there are numerous mentions of privacy enhancing software and methods.
Re:You Just Exercised Your Free Speech Rights (Score:3, Interesting)
I knew that the US educational system was bad, but not as bad as you just demonstrated! I wrote a few lines and you can't even read them.
Let me recap: I wrote "The impose death penalty on minors." I missed a 'y' in there, but the sentence is clear, no? I didn't say I disagree with the death penalty, did I? No, I said 'minors'. But that is probably asking too much of your literacy to fathom.
And when it comes to the traffic ticket, a friend of mine forgot to pay his, was pulled over by the Police because of a suspended license due to non-payment (btw, nobody took the time to inform him that the license was suspended!) and hauled off to jail. I'm really happy that the Police caught a dangerous criminal and got him off the streets. Yikes!
And as another poster mentioned, don't try to oppose the war, because then you'll be thrown in jail (see a pattern here?) and the police demand that you answer questions that violate your rights.
Freedom and democracy? Don't even get me started on that bull. The problem is that the average American has not been further away from home than their neighbouring county and has no clue as to what is going on in the world. Try to watch a news channel here to see what is happening around the world? Impossible, because you get "The world news in 60 seconds!" Gee... Not much happening in the rest of the world I guess since you can fit it in 60 seconds!
Americans = World illiterate!