Re: DOJ proposes US data-rentention law.
At 18:57 21/06/2002 -0700, John Young wrote: Data retention is being done now by programs and services which cache data to ease loading on servers and networks. [...] John, As a systems administrator @ an ISP, I can tell flat out that the software you describe has nothing to do with ISP services. The software provides caching services for telecom companies (ie. billing, WAP, voice mail alerts etc). I see nothing that mentions typical ISP services, like e-mail or web-browsing. It is software designed to impress the executive level with pie charts and promises of reduced hardware costs. No one likes spending $50k on a NAS or Fibre Channel / RAID 10 box. Next time John, I suggest you turn your sites on caching software like Squid. Know what? I'm not even afraid to provide the URL! http://www.squid-cache.org .. you may even discover it has US Intelligence Community(tm) links, dating back many years! Incredible, huh? ISP's like the one I work for use Squid to save on bandwidth costs by caching oft-visited websites. Unfortunately, we (like most if not all ISP's) cannot afford the massive disk arrays (or the space they would take up, even the electricity) that would be necessary to retain data *for one day*. Geez, I don't think the government gonna like that. That's doesn't even bring us to the technical abilities of all the different pieces of software that must be re-written (en masse) to satisfy government desires. For instance, let's try e-mail software.. There are numerous companies and individuals who offer their own versions of e-mail server software. Microsoft's Exchange and Ipswitch's IMail for the Windows crowd who like spending lots of money, or Qmail, Postfix, Exim and even Sendmail for the Unix crowd. There are dozen's more, but you get the point. All that software will need to be rewritten. Then all the e-mail servers will need to be upgraded and tested. THEN more disk space added just to handle all the extraneous information like from who and to, from where (say originating IP and from what server host and IP) etc etc etc ad nauseam. Whoops! Let's not forget tape backups! I'm buying 3M stock come Monday! But what happens if we have a disk failure and the logs are lost? Hmm... Anyway, that is just for e-mail.. Imagine what HTTP, or FTP, or whatever can't-live-without service someone invents in the future? Data retention is unworkable even to the biggest of companies. Even the NSA cannot store that kind of data without a significant (and secret) budget. The only ones deriving any benefit from this are law enforcement and computer hardware commercial software manufacturers. Maybe its an economic stimulus package in disguise? -- Steve. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: DOJ proposes US data-rentention law.
At 17:37 22/06/2002 -0400, [EMAIL PROTECTED] wrote: Not arguing, but the hardware cost curve for storage has a shorter halving time than the cost curve for CPU (Moore's Law) and the corresponding halving time for bandwidth is shorter still. You've got a point. Storage is becoming less and less expensive per gigabyte, especially for IDE drives. If you're using a RAID set up, IDE doesn't cut it, SCSI is the way to go (for now). SCSI is a lot cheaper than it used to be, but it's still over $1000 for a single 70gig drive in Canada. For maximum redundancy in one rack-mount server, RAID 10 is the way to go. That means for every 1 drive, there must be an an exact duplicate. Costs can increase exponentially. That said, storage isn't the only expense when creating a large, fast and redundant file server (especially for caching). The fastest way to get data from a computer to the file server is via fibre channel. And fibre channel hardware isn't cheap. Last time I looked, a DIY RAID 10 system with 15 drives (1 hot-standby), case and fibre channel capability was ~ $30-35k. For each workstation that connects to it, there is a ~1k charge for the fibre channel client card. Don't even go near a fibre channel switch, they run $10-15k apiece, and don't handle more than 10-15 connections. Plus cabling. See, it adds up -- and that's just for one unit. To do the kind of data retention proposed in th EU, that is the kind of hardware that would be necessary. Plus a rack of tape backup drives running 24x7. Perhaps this sounds extreme, and it very well could be. My concern isn't so much based on what the law says must be retained, the penalties if the data isn't retained are what worry me. Could a system or network administrator be charged if the data is unavailable? What if their is a plausible reason (ie. hardware failed a year ago, fire)? What if the company cannot afford it? What charges are brought against the company? These questions are the reality for sysadmins in the EU. If Canada implemented a data retention law, I would be extremely concerned about my personal liability as well as corporate -- Canada already can charge a network administrator who the police believe is negligent in blocking (and removing) copyrighted software from computers he/she is responsible. It has happened. My understanding it has to do with an RCMP settlement over the PROMIS software scandal, but that's another topic. -- Steve - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
