Re: [OT] Online privacy, police to have free access to IP addresses
On Mon, Aug 20, 2007 at 02:22:51AM +0200, Moshe Leibovitch wrote: I'm wonder if the Israeli law allows you to encrypt your communications over public channels. I wouldn't shock me to find out the even this discussion is illegal :) There was a law that permitted encryption by private parties only if you declared your intention to encrypt to a specific government agency with enough notice (actual time specified, but I don't remember it), for them to refuse you permission. The law was changed or dropped when WiFi was really allowed here (November 2003). Until that time it was limited to 1 or two channels without encryption. I remember at that time trying to download the Linux drivers for a 3Com WiFi USB dongle and being redirected to a page saying that 3Com would not not allow me to download the drivers as they contained encryption and it was illegal in my country. A few months later they changed their code and fixed it. Note that the dongle, complete with a Windows driver CD, was sold to me legally by the Bug Shoppe. I am not sure, but I think that the change to the law also allows https connections. I wonder how many people who panic at the FUD* accompanying the bill use a web based email service such as GMAIL or HOTMAIL or YAHOOMAIL where they routinely scan your email and data mine it. Of course your definition of what data mining yields may be very different than mine, see the Simpson's movie. :-) It's not just data mining email, one of the people on this list, and I won't name them if they wish to remain out of the discussion, around 4 years ago worked for a startup that almost produced a product that data mined real time communicaitons. The company failed before releasing their product beacuse the vulture capital fund beind them failed when the bubble burst, but by now either the prinicpals behind the company or someone else has probably produced a similar product. Geoff. * As the old saying goes, just because you are paranoid does not mean that they are not out to get you. -- Geoffrey S. Mendelson, Jerusalem, Israel [EMAIL PROTECTED] N3OWJ/4X1GM IL Voice: (07)-7424-1667 U.S. Voice: 1-215-821-1838 Visit my 'blog at http://geoffstechno.livejournal.com/ = To unsubscribe, send mail to [EMAIL PROTECTED] with the word unsubscribe in the message body, e.g., run the command echo unsubscribe | mail [EMAIL PROTECTED]
Re: [OT] Online privacy, police to have free access to IP addresses
Nadav Har'El wrote: It doesn't make us a totalitarian state, unless the police actually (ab)uses this power, and so far, I don't think that it actually does. Exactly, but that's just the point... in any sane democracy there are structures in place to prevent such abuses taking place. Like before I gave my example of police needing to obtain a search warrant before they can break into someone's house, they need to prove that such action is necessary to someone other than themselves, and be able to back up their claim. If that wasn't the case, do you not think the ability to search people's houses would be abused? Such power needs to be monitored; its a matter of protecting our society from human nature. So, with the new law, I don't think suddenly all our rights are going to be abused... but I can see the police using this new system more and more often, each time with less and less hard reason... until such use is common place and unmonitored (unmonitored within the police, that is... seeing as they are already right now getting rid of any higher power to check up on them). And I think that process, no matter how many years it will take, will lead to a totalitarian system, and that's why I think no other democracy in the entire world is allowing such a thing. Moshe Leibovitch wrote: I'm wonder if the Israeli law allows you to encrypt your communications over public channels. I wouldn't shock me to find out the even this discussion is illegal :) Yes, discussing such policies could indeed be dangerous, especially since there is enough information in a typical email message received from this list to - with the new system in place - get your full name, address and every other detail about you. Actually by subscribing to this list and writing a simple script and letting it run for a month or so, you could have everyone's full details ready and waiting to arrest this cell which could threaten the police's reputation (and could be arrested for an illegal discussion). Yes, an extreme and hypothetical example, and I think very unlikely, but still *possible* - and that should worry you :) [EMAIL PROTECTED] wrote: In addition, stop using your ISP's email, use either GMAIL or HOTMAIL or whatever you like. As YBA suggested, encrypt email. Use steganography. Use pigeons. Any webmail = good. Whatever you like = bad. Don't forget on usual SMTP communications, the mail server will record the sender IP address and time the email was received from it. That's enough info with the new law to get your full name, address, etc. With webmail, the webserver connects to the mail server and so the recorded address is 'localhost'... I wouldn't use webmail in Israel though :) Don't forget you'll need to use a proxy server outside of Israel for any website in Israel which records your IP address, and any website in the world which could display your IP address (e.g. a wiki if aren't registered, or forget to log in.. big mistake :)). Network security is nothing new for me, I can't imagine too many major changes to my regular routine... it will just be a shit feeling thinking that the people I'm now protecting myself against are the people who are meant to be protecting me! Gadi -- Gadi Cohen aka Kinslayer [EMAIL PROTECTED] www.wastelands.net Freelance admin/coding/design HABONIM DROR linux/fantasy enthusiast KeyID 0x93F26EF5: 256A 1FC7 AA2B 6A8F 1D9B 6A5A 4403 F34B 93F2 6EF5 = To unsubscribe, send mail to [EMAIL PROTECTED] with the word unsubscribe in the message body, e.g., run the command echo unsubscribe | mail [EMAIL PROTECTED]
Re: [OT] Online privacy, police to have free access to IP addresses
slightly less [OT] - read to the end. On Mon, 2007-08-20 at 02:22 +0200, Moshe Leibovitch wrote: I'm wonder if the Israeli law allows you to encrypt your communications over public channels. I wouldn't shock me to find out the even this discussion is illegal :) Some relevant links: http://www.mod.gov.il/pages/encryption/tzofen.asp http://www.law.co.il/showarticles.php?d=harticle=58 http://www.law.co.il/showarticles.php?d=harticle=132 http://www.law.co.il/showarticles.php?d=harticle=133 http://www.law.co.il/showarticles.php?d=harticle=134 List of encryption means that can be legally (ab)used by the public without the need for a specific license: http://www.mod.gov.il/pages/encryption/docs/Free-means.xls (Microsoft Excel format) Note that this list contains specific products (including stuff I wasn't aware had encryption in it), and - as much as I can see - doesn't include any open source software. Note that it can be argued that any open source software by its nature cannot be declared a free encryption mean according to its definition in the encryption law (see: http://www.mod.gov.il/encryption/#6 ) as it can be modified and combined, so any open source software has to be relicensed per version or compilation or something. -- Oded = To unsubscribe, send mail to [EMAIL PROTECTED] with the word unsubscribe in the message body, e.g., run the command echo unsubscribe | mail [EMAIL PROTECTED]
Re: [OT] Online privacy, police to have free access to IP addresses
Geoffrey S. Mendelson [EMAIL PROTECTED] writes: It's not just data mining email, one of the people on this list, and I won't name them if they wish to remain out of the discussion, around 4 years ago worked for a startup that almost produced a product that data mined real time communicaitons. I was going to stay out of the discussion, but I think you mean me, Geoff, right? If so, we were not such bad guys - we didn't mine the contents, nor were we actually interested in the values of any packet header fields. The purpose of the product was to distinguish between different types of traffic (e.g., between D?DoS and legitimate traffic) in real time, and differentiation was all that mattered. The company failed before releasing their product beacuse the vulture capital fund beind them failed when the bubble burst, We got out starting capital after the bubble had burst and their bankruptcy was, as far as I can tell, due to other reasons. but by now either the prinicpals behind the company or someone else has probably produced a similar product. Certainly not us - the principals. We are all into other things now... Over the last 5 years we got quite a few calls (including from the now recovered VC) saying there is real need for the technology, where are you? - Elsewhere. Now, since Geoff invited me to the discussion on the topic in question... We all routinely use encryption in many situations: cell phones, ssh to remote hosts, secure web connections from Amazon to banks, you name it. So far I have had no run-ins with government agencies because of that. If I understand the article linked to by the OP, the proposed law does not authorize continuous data mining of everybody's communications. From the article, it looks to me that if the law is passed it will be much easier for the police to find out who the wiretapped suspect was talking to or sent an email (possibly encrypted) to at a specific time. For that, they want a reverse map of phone numbers (IP addresses, etc.) to names/IDs/addresses that can be easily queried without a court order. This is, in principle, worrying. I assume that today if the police wiretap someone's internet connection then to see who got the email sent at 20:47 on 2007/08/20 they will have to go to an ISP who, I hope, will want to see a court order. If anyone of us calls an ISP and complains about break-in attempts, spam, or whatever from am IP address the ISP may take action against the owner, but they won't tell you who it is. With this new law, at least the police won't have to ask ISP for the info. I don't like it, personally. Besides potential abuse by government agencies random people can draw attention if anyone, including criminals, decide to subvert the system. E.g., if you suspect that your email may be intercepted, encrypt every email and send it to N different IP addresses. It will only be decrypted by the intended recipient who has the key, but if the police decide to check who it was sent to they will be either swamped or start investigating innocents, depending on N. Or send the email to a permissive mailing list or newsgroup that won't ban you as quickly as linux-il moderators. Or get really inventive in some other way. Come to think of it, I don't know if our AI technology Geoff alluded to would be of any help to the police differentiating real recipients from bogus ones... Unfortunately, I suspect that our lawmakers don't get sufficient information or feedback from people who both understand the technical side of things and are sufficiently concerned about privacy. A couple of months ago I was invited to a session of the Science Committee of the Knesset. The topic was totally different, but there was only one person, representing an NGO, who asked the (sole) MK for guidance on related privacy issues. The overwhelming majority of the participants were shamelessly touting their products many of which subverted privacy in various ways. If this law has been discussed at a Knesset Committee I expect that the discussion was totally dominated by sales reps offering to build the DB in the best possible way. Oh, maybe I should go to the Knesset and offer our AI technology to support the proposed legislation?... -- Oleg Goldshmidt | [EMAIL PROTECTED] | http://www.goldshmidt.org = To unsubscribe, send mail to [EMAIL PROTECTED] with the word unsubscribe in the message body, e.g., run the command echo unsubscribe | mail [EMAIL PROTECTED]
Re: [OT] Online privacy, police to have free access to IP addresses
On Mon, 20 Aug 2007 18:59:17 Oded Arbel wrote: slightly less [OT] - read to the end. On Mon, 2007-08-20 at 02:22 +0200, Moshe Leibovitch wrote: I'm wonder if the Israeli law allows you to encrypt your communications over public channels. I wouldn't shock me to find out the even this discussion is illegal :) Some relevant links: http://www.mod.gov.il/pages/encryption/tzofen.asp http://www.law.co.il/showarticles.php?d=harticle=58 http://www.law.co.il/showarticles.php?d=harticle=132 http://www.law.co.il/showarticles.php?d=harticle=133 http://www.law.co.il/showarticles.php?d=harticle=134 List of encryption means that can be legally (ab)used by the public without the need for a specific license: http://www.mod.gov.il/pages/encryption/docs/Free-means.xls (Microsoft Excel format) Note that this list contains specific products (including stuff I wasn't aware had encryption in it), and - as much as I can see - doesn't include any open source software. Note that it can be argued that any open source software by its nature cannot be declared a free encryption mean according to its definition in the encryption law (see: http://www.mod.gov.il/encryption/#6 ) as it can be modified and combined, so any open source software has to be relicensed per version or compilation or something. I have an (official ?) email from the IMOD Encryption Control Director that exempt any individual or company that uses e-mail encryption for its own needs, as long as the user or company is not in encryption business. Ehud. -- - Yoram Cohen e-mail - -- From: Yoram Cohen - IMOD Encryption Control Director [EMAIL PROTECTED] To: Ehud Karni [EMAIL PROTECTED] Cc: Gil Mor - IMOD [EMAIL PROTECTED] References: [EMAIL PROTECTED] X-Received-Date: 19:13:27 16/07/06 +0300 (on sw-gib) Subject: Re: Use of PGP and GnuPG for mail encryption Date: Sun, 16 Jul 2006 18:11:28 +0200 MIME-Version: 1.0 ,שלום אהוד .בהמשך לשיחתנו הטלפוני מהיום ולשאלתך בנושא שימוש באמצעי הצפנה .ללא קשר למוצר או לתקן הצפנה מסויים .מדיניות משרד הביטחון הינה שניתן לעשות שימוש באמצעי הצפנה לצורך הגנה על מידע של אדם פרטי או חברה, כל זמן שמדובר בשימוש עצמי .שימוש עצמי משמעותו שימוש באמצעי ההצפנה לצרכים פנימיים של חברה ועובדיה או לשימש אישי בלבד של אדם פרטי .כל זמן שאלו (החברה או האדם הפרטי) אינם מפתחים, מוכרים, מפיצים, או עוסקים ביצוא מסחרי של אמצעי הצפנה - לא נדרש לכך רשיון עיסוק בהצפנה http://www.mod.gov.il/encryption/hakdama.asp :במדיניות הפיקוח תוכל לעיין באתר http://www.mod.gov.il/encryption/rishuy.asp :ספציפית שימוש עצמי .לעיתים התרחיש הטכנולוגי אינו חד משמעי ולא ברור לחברה האם הינו נופל בגדר שימוש עצמי או שדרוש רשיון לפעילות לכן אנו ממליצים לפנות בכל שאלה בנושא או ספק למשרדנו ,בברכה יורם -- Yoram Cohen Encryption Control Director - Ministry of Defense - Israel Department of Defense Export Controls D.D.E.C 6977499 - 3 - 972 Tel: 972 - 3 - 6977458 Fax: http://www.mod.gov.il/encryption/ mailto: [EMAIL PROTECTED] Mail: P.O.B 7093, Hakirya, Tel-Aviv 61070 Israel -- - Original Message - From: Ehud Karni To: יורם כהן Sent: Sunday, July 16, 2006 4:22 PM Subject: Use of PGP and GnuPG for mail encryption ,שלום יורם .ראשית, תודה על תשובתך המהירה לפנייתי הטלפונית להצפנה (GnuPG או) PGP-הייתי רוצה לקבל ממך אשור (כפי שמסרת לי בטלפון) ששימוש ב .של דואר מותרת על פי צו ההצפנה ואינה מצריכה אשור מיוחד .כיון שאני יועץ לחברות שונות אבקש במיוחד התיחסות האם אשור זה חל גם לגבי חברות מסחריות הבעיה לוחצת מאוד כיון שהחברות בהן מדובר מעבירות נתונים פיננסים לגבי עובדיהן (נתונים המוגנים על פי חוק הפרטיות). כמו כן קיימת דרישת סודיות עי רואי החשבון בעיקר בגלל תנאי סרביאנס-אוקסלי .הנכפים עלינו ,בכבוד רב ,אהוד קרני מומחה ויועץ למערכות יוניקס -- Ehud Karni Tel: +972-3-7966-561 /\ Mivtach - Simon Fax: +972-3-7966-667 \ / ASCII Ribbon Campaign Insurance agencies (USA) voice mail and X Against HTML Mail http://www.mvs.co.il FAX: 1-815-5509341 / \ GnuPG: 98EA398D http://www.keyserver.net/Better Safe Than Sorry To unsubscribe, send mail to [EMAIL PROTECTED] with the word unsubscribe in the message body, e.g., run the command echo unsubscribe | mail [EMAIL PROTECTED]
Re: [OT] Online privacy, police to have free access to IP addresses
On Mon, 2007-08-20 at 22:17 +0300, Ehud Karni wrote: I have an (official ?) email from the IMOD Encryption Control Director that exempt any individual or company that uses e-mail encryption for its own needs, as long as the user or company is not in encryption business. This is very interesting. Not that I doubt the sincerity of the official from the ministry of defense, but this email - to the best of my understanding - does not exempt two very common uses of open source encryption technology: * A consultant (such as yourself) that in a commercial setting helps another company is setting up encryption based on open source software (which is not explicitly allowed in the list of allowed means). This falls under מוכרים. * Anyone that hosts a mirror of open source software collection, some of it uses encryption (like any Linux distribution). This looks to me to fall under the מפיצים clause in the original email. As a consultant I find it troubling that by choosing open source software over commercial software for setting up basic services for customers (such as encrypted e-mail, backup and/or remote access) I can find myself in danger of being in violation of the encryption law. -- Oded To unsubscribe, send mail to [EMAIL PROTECTED] with the word unsubscribe in the message body, e.g., run the command echo unsubscribe | mail [EMAIL PROTECTED]