Re: FCC Issues Rule Allowing FBI to Dictate Wiretap-Friendly Design for Internet Services

2005-08-08 Thread Pete Templin


Christopher L. Morrow wrote:

> shiny side out one hopes? Seriously though, I'm not a telco/phone person,
> but I was once told that the phone switch equipment does the tap
> 'automagically' to special ds-1 facilities in LEA-land... which means the
> cell phone can be wrapped in anything you'd like. If the calls get
> completed a copy is silently made to the right folks (not the nsa, they
> aren't LEA).


At least from the experiences I've indirectly gained, if the call 
terminates on a switch with tap gear, it's similar to a SPAN port.  Not 
only does the recipient's phone ring, but the magic phone rings and 
outputs the information from both sides of the call, while inputting 
nothing.  The federal folks spent big money to have the switch 
manufacturers implement the software functionality, but the telcos do 
have to acquire the equipment (or rights to it via contract).  It was 
funny watching Siemens try to tell our employee (former Siemens 
employee, and experienced in CALEA) that we'd have to buy the 
feature...it was less than an hour before they were calling back asking 
to be able to add the feature.  :)


pt


RE: FCC Issues Rule Allowing FBI to Dictate Wiretap-Friendly Design for Internet Services

2005-08-07 Thread Sean Donelan

On Sun, 7 Aug 2005, Hannigan, Martin wrote:
> > Folks may find it useful to review
>
> [ SNIP ]
>
> The place to get the authoritative word is direct from the
> AskCALEA folks here: http://www.askcalea.net/ - and of course
> you can discuss with your telecom lawyers.

Ah, the same people who wrote the documents I referenced earlier.  I
assume you have read them now.



Re: FCC Issues Rule Allowing FBI to Dictate Wiretap-Friendly Design for Internet Services

2005-08-07 Thread Steven M. Bellovin

In message <[EMAIL PROTECTED]>, "Hannigan, Martin" writes:
>
>The place to get the authoritative word is direct from the
>AskCALEA folks here: http://www.askcalea.net/ - and of course
>you can discuss with your telecom lawyers. 
>
I haven't had a chance to read the final order yet.  The NPRM is at
http://www.cdt.org/digi_tele/20040923nprm.pdf ; some objections -- 
quite persuasive, by my reading -- are at
http://www.cdt.org/digi_tele/20041221joint.pdf

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb




RE: FCC Issues Rule Allowing FBI to Dictate Wiretap-Friendly Design for Internet Services

2005-08-07 Thread Hannigan, Martin

> > That is IF you even get an order. The brunt of the work is
> > at the tier1's. This is like DDOS. LEC's have to do it, but
> > they frequently misinterpret the requirements and scale and
> > end up spending money they never had to. Misinterpretation is
> > a big problem for CALEA, technically speaking.
> 
> First time anyone has ever accused tier 1's of spending 
> money they didn't
> need to.

Let me lower the reading comprehension level for you. I said that
tier1's bear the brunt of the orders, and insinuated that tier2's
get fewer orders. They do. Many midwest/rural CLEC's get NO
orders. They must still be compliant.

> 
> Folks may find it useful to review

[ SNIP ]

The place to get the authoritative word is direct from the
AskCALEA folks here: http://www.askcalea.net/ - and of course
you can discuss with your telecom lawyers. 

You may be confusing terminology though, which is understandable. 
I can't find a government official calling the applicability 
of the law a "wish list" so I'll leave that to the gentle readers to 
determine. 

-M<
 


RE: FCC Issues Rule Allowing FBI to Dictate Wiretap-Friendly Design for Internet Services

2005-08-07 Thread Sean Donelan

> That is IF you even get an order. The brunt of the work is
> at the tier1's. This is like DDOS. LEC's have to do it, but
> they frequently misinterpret the requirements and scale and
> end up spending money they never had to. Misinterpretation is
> a big problem for CALEA, technically speaking.

First time anyone has ever accused tier 1's of spending money they didn't
need to.

Folks may find it useful to review

  Electronic Surveillance Needs for Public IP Network Access Service
  Electronic Surveillance Needs for Carrier-Grade Voice over Packet
(CGVOP) Service

to see the wish list directly from the horse's mouth.  This is unrelated
to the previous "punch list" items.



RE: FCC Issues Rule Allowing FBI to Dictate Wiretap-Friendly Design for Internet Services

2005-08-07 Thread Hannigan, Martin

> 
> 
> 
> On Sat, 6 Aug 2005, Matt Ghali wrote:
> 
> >
> > On Sat, 6 Aug 2005, Joshua Brady wrote:
> >
> >   the FBI can call the NSA anytime they want without a tap order and
> >   get them to trigger ECHELON when your voice is apparant on any
> >   line.
> >
> >
> > Not me, I wrapped my cellphone in tin foil.
> 
> shiny side out one hopes? Seriously though, I'm not a 
> telco/phone person,
> but I was once told that the phone switch equipment does the tap
> 'automagically' to special ds-1 facilities in LEA-land... 
> which means the
> cell phone can be wrapped in anything you'd like. If the calls get
> completed a copy is silently made to the right folks (not the 
> nsa, they
> aren't LEA).

Sort of. It has to be provisioned like any other service (that's
most of the X.25 portion that people were talking about), but 
it's a protocol (J-STD) enabled between the carrier and the LEA. It can
be DS1, or it could be VPN. 

The capture is near real time content and data. 

-M<



RE: FCC Issues Rule Allowing FBI to Dictate Wiretap-Friendly Design for Internet Services

2005-08-07 Thread Hannigan, Martin


 
> I think the EFF is missing the important part of the wish 
> list items. 


The punch list is law. If you are talking about
the applicability of CALEA, that's different.

> The
> wish list items aren't for wiretaps, but defining as many things as
> possible as "non-content."  Its important for network 
> operators because
> they will end up doing a lot more work digging through packets for
> non-content information, and important for lawyers because it 
> lessens the
> legal requirements for non-content information.  What is the 
> "expectation
> of privacy" of non-content information?

ObNANOG: Architecture, operation, cost.

CALEA doesn't dictate architecture. 

Political issues aside, and attempting to stick with operations as
this is NANOG, the major issue for carriers regardless of size
is that compliance is an expense. The cost of an
implementation for a medium sized carrier is upwards of 1MM.
Maintenance runs at ~200K per year for a similar installation
not coupling in legal and operations costs. 

That is IF you even get an order. The brunt of the work is
at the tier1's. This is like DDOS. LEC's have to do it, but
they frequently misinterpret the requirements and scale and
end up spending money they never had to. Misinterpretation is
a big problem for CALEA, technically speaking. 


-M<



Re: FCC Issues Rule Allowing FBI to Dictate Wiretap-Friendly Design for Internet Services

2005-08-07 Thread Christopher L. Morrow


On Sat, 6 Aug 2005, Matt Ghali wrote:

>
> On Sat, 6 Aug 2005, Joshua Brady wrote:
>
>   the FBI can call the NSA anytime they want without a tap order and
>   get them to trigger ECHELON when your voice is apparant on any
>   line.
>
>
> Not me, I wrapped my cellphone in tin foil.

shiny side out one hopes? Seriously though, I'm not a telco/phone person,
but I was once told that the phone switch equipment does the tap
'automagically' to special ds-1 facilities in LEA-land... which means the
cell phone can be wrapped in anything you'd like. If the calls get
completed a copy is silently made to the right folks (not the nsa, they
aren't LEA).


Re: FCC Issues Rule Allowing FBI to Dictate Wiretap-Friendly Design for Internet Services

2005-08-07 Thread Christopher L. Morrow

On Sat, 6 Aug 2005, Tony Li wrote:

>
> > Practically, what this means is that the government will be asking 
> > broadband providers
> > - as well as companies that manufacture devices used for broadband
> > communications – to build insecure backdoors into their networks,
> > imperiling the privacy and security of citizens on the Internet.
>
>
> I'm sorry, but this is simply an unsupportable statement.  What is
> required of routers is that the provider be able to configure the device
> to make copies of certain packets to a monitoring port.  Assuming that
> the monitoring port is duly managed, how does this qualify as "insecure"?
>

hopefully sticking some header on that packet to determine input
interface/lsp as well. hopefully also not dumping to a physical interface,
but to a 'vpn' interface so truckrolls to kalamazoo don't have to happen
each time 'elterrorista' moves from internet cafe' to internet cafe'
please :)

no real 'security' implications in the copy though, sure. (assuming
appropriate controls on config changes exist, and controls on the exit
point/storage of the copied data.)


Re: FCC Issues Rule Allowing FBI to Dictate Wiretap-Friendly Design for Internet Services

2005-08-07 Thread Valdis . Kletnieks
On Sat, 06 Aug 2005 22:22:29 PDT, Tony Li said:
> > It qualifies as "insecure" because if that rather dubious assumption fails 
> > to
> > be true, you have a big problem.
> 
> If any port on a router is not duly managed, you have a big problem.

Right.  But usually, security experts call something that's one typo away from
being duly managed "a problem waiting to happen" rather than "secure".

On Sun, 07 Aug 2005 08:59:33 +0200, [EMAIL PROTECTED] said:
> Then you'll have to conclude that a lot of managed switches are insecure
> since they include some form of packet mirroring capability.

See "problem waiting to happen", above.. :)




Re: FCC Issues Rule Allowing FBI to Dictate Wiretap-Friendly Design for Internet Services

2005-08-07 Thread Sean Donelan

On Sat, 6 Aug 2005, Tony Li wrote:
> I'm sorry, but this is simply an unsupportable statement.  What is
> required of routers is that the provider be able to configure the device
> to make copies of certain packets to a monitoring port.  Assuming that
> the monitoring port is duly managed, how does this qualify as "insecure"?

Unfortunately, things are never as simple as they appear.  The department
of justice/fbi/dea/etc wish lists have been published/leaked with a
suitable google search.  Port mirroring may not be considered sufficient.

I think the EFF is missing the important part of the wish list items.  The
wish list items aren't for wiretaps, but defining as many things as
possible as "non-content."  Its important for network operators because
they will end up doing a lot more work digging through packets for
non-content information, and important for lawyers because it lessens the
legal requirements for non-content information.  What is the "expectation
of privacy" of non-content information?
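
Three things from this thread come together in one piece of code: Tony Li's "copies of certain packets to a monitoring port", Christopher Morrow's wish that the copy carry a header naming the ingress interface and travel over a tunnel rather than a raw port, and Sean Donelan's content vs. non-content distinction. The following is an added example, not code from the thread, from any vendor, or from J-STD: the mirror record header, the session and interface numbers, and the sample packets are all constructed for illustration.

```python
"""Added example, not code from the thread or any vendor: a packet-copy
pipeline modelling what the thread describes.  (1) Only "certain packets"
are copied, chosen by a filter tied to an order.  (2) Each copy carries a
header naming the ingress interface and rides a tunnel; the header format
is HYPOTHETICAL, not J-STD or any vendor's.  (3) The collector splits each
copy into non-content (addresses, ports, sizes) and content, so the two can
be handled under different rules.  All packets are constructed inline.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical mirror record header, big-endian:
# magic(2) ver(1) flags(1) ifindex(4) session_id(4) ts_ms(8) orig_len(2) pad(2)
MIRROR_MAGIC = b"MI"
MIRROR_HDR = struct.Struct("!2sBBIIQHH")
FLAG_TRUNCATED = 0x01   # copy holds only the IP and transport headers

def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int,
                   payload: bytes) -> bytes:
    """Construct a minimal IPv4/TCP packet for the demo (checksums left 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234,
                     0x4000, 64, 6, 0, ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return ip + tcp + payload

def _l4_header_len(pkt: bytes, ihl: int) -> int:
    """Transport header length, so a truncated copy carries no payload."""
    if pkt[9] == 6 and len(pkt) >= ihl + 13:    # TCP: honour the data offset
        return (pkt[ihl + 12] >> 4) * 4
    return 8 if pkt[9] == 17 else 0              # UDP is fixed; else unknown

@dataclass(frozen=True)
class TapFilter:
    """What one intercept order lets the router copy."""
    session_id: int
    target: ipaddress.IPv4Network   # subscriber prefix named in the order
    content: bool                   # False: headers only, payload never copied

    def matches(self, pkt: bytes) -> bool:
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            return False
        return (ipaddress.ip_address(pkt[12:16]) in self.target
                or ipaddress.ip_address(pkt[16:20]) in self.target)

def mirror(pkt: bytes, ifindex: int, tap: TapFilter, ts_ms: int) -> Optional[bytes]:
    """Router side: return a tunnel record for pkt, or None if not selected."""
    if not tap.matches(pkt):
        return None
    flags, body = 0, pkt
    if not tap.content:                 # truncate before the copy leaves the box
        ihl = (pkt[0] & 0x0F) * 4
        body = pkt[: ihl + _l4_header_len(pkt, ihl)]
        flags |= FLAG_TRUNCATED
    hdr = MIRROR_HDR.pack(MIRROR_MAGIC, 1, flags, ifindex, tap.session_id,
                          ts_ms, len(pkt), 0)
    return hdr + body

def decode(record: bytes) -> Tuple[dict, Optional[bytes]]:
    """Collector side: split a record into a non-content dict and content.

    Content is None when the record was truncated, i.e. the order did not
    authorize it.  Malformed records raise rather than being guessed at.
    """
    if len(record) < MIRROR_HDR.size:
        raise ValueError("short record")
    magic, ver, flags, ifindex, sid, ts, orig_len, _ = MIRROR_HDR.unpack_from(record)
    if magic != MIRROR_MAGIC or ver != 1:
        raise ValueError("bad mirror header")
    pkt = record[MIRROR_HDR.size:]
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    sport = dport = None
    if proto in (6, 17) and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack_from("!HH", pkt, ihl)
    meta = {"session_id": sid, "ifindex": ifindex, "ts_ms": ts,
            "src": str(ipaddress.ip_address(pkt[12:16])),
            "dst": str(ipaddress.ip_address(pkt[16:20])),
            "proto": proto, "sport": sport, "dport": dport, "orig_len": orig_len}
    content = None if flags & FLAG_TRUNCATED else pkt[ihl + _l4_header_len(pkt, ihl):]
    return meta, content

def demo() -> dict:
    """Run a selected and an unselected packet through both kinds of order."""
    target = ipaddress.ip_network("203.0.113.10/32")
    taps = {"noncontent": TapFilter(1001, target, content=False),
            "content": TapFilter(1002, target, content=True)}
    hit = build_ipv4_tcp("203.0.113.10", "198.51.100.7", 40000, 80,
                         b"GET / HTTP/1.0\r\n\r\n")
    miss = build_ipv4_tcp("192.0.2.5", "198.51.100.7", 40001, 80, b"unrelated")
    out = {}
    for name, tap in taps.items():
        out[name] = decode(mirror(hit, ifindex=17, tap=tap, ts_ms=1123456789000))
        out[name + "_miss"] = mirror(miss, 17, tap, 0)   # None: not in the order
    return out
```

The design point is where the truncation happens: for a non-content order the router cuts the copy at the end of the transport header before it is encapsulated, so payload never reaches the collector and the "expectation of privacy" question for content does not arise on that path. The ingress interface and session id in the record header are what let the collector attribute a copy without a truck roll to the site.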



Re: FCC Issues Rule Allowing FBI to Dictate Wiretap-Friendly Design for Internet Services

2005-08-07 Thread Petri Helenius


[EMAIL PROTECTED] wrote:

> Then you'll have to conclude that a lot of managed switches are insecure
> since they include some form of packet mirroring capability.

Not to mention most of the routers. They usually can make the copies to 
an IP tunnel also.


Pete



Re: FCC Issues Rule Allowing FBI to Dictate Wiretap-Friendly Design for Internet Services

2005-08-07 Thread Lars Erik Gullerud


On Sun, 7 Aug 2005 [EMAIL PROTECTED] wrote:

> Agreed. However, in this case it matches a feature I've wanted for
> years. Being able to mirror packets to a different port is pretty
> common for managed switches, and is rather useful sometimes in
> tracking abuse and similar. I *want* the same capability for my
> routers.

...but your particular routers already have this capability, and it's 
been there for quite a while too, haven't you read the documentation? :)


http://www.juniper.net/techpubs/software/junos/junos71/swconfig71-services/html/flow-monitoring-config17.html

/leg


Re: FCC Issues Rule Allowing FBI to Dictate Wiretap-Friendly Design for Internet Services

2005-08-07 Thread sthaug

> but every feature has its cost in complexity and resources to build
> and maintain.  resources are finite and complexity has super-linear
> cost.  so i would much prefer that the vendors concentrate on the
> features *i* want .  and i am quite skeptical of features which 
> non-paying non-customers want.

Agreed. However, in this case it matches a feature I've wanted for
years. Being able to mirror packets to a different port is pretty
common for managed switches, and is rather useful sometimes in
tracking abuse and similar. I *want* the same capability for my 
routers.

Steinar Haug, Nethelp consulting, [EMAIL PROTECTED]


Re: FCC Issues Rule Allowing FBI to Dictate Wiretap-Friendly Design for Internet Services

2005-08-07 Thread sthaug

> > I'm sorry, but this is simply an unsupportable statement.  What is
> > required of routers is that the provider be able to configure the device
> > to make copies of certain packets to a monitoring port.  Assuming that
> > the monitoring port is duly managed, how does this qualify as "insecure"?
> 
> It qualifies as "insecure" because if that rather dubious assumption fails to
> be true, you have a big problem.

Then you'll have to conclude that a lot of managed switches are insecure
since they include some form of packet mirroring capability.

Steinar Haug, Nethelp consulting, [EMAIL PROTECTED]


Re: FCC Issues Rule Allowing FBI to Dictate Wiretap-Friendly Design for Internet Services

2005-08-06 Thread Matt Ghali

On Sat, 6 Aug 2005, Joshua Brady wrote:

  the FBI can call the NSA anytime they want without a tap order and 
  get them to trigger ECHELON when your voice is apparent on any 
  line.
  

Not me, I wrapped my cellphone in tin foil.  


[EMAIL PROTECTED]
  The only thing necessary for the triumph
  of evil is for good men to do nothing. - Edmund Burke


Re: FCC Issues Rule Allowing FBI to Dictate Wiretap-Friendly Design for Internet Services

2005-08-06 Thread Tony Li

>>I'm sorry, but this is simply an unsupportable statement.  What is
>>required of routers is that the provider be able to configure the device
>>to make copies of certain packets to a monitoring port.  Assuming that
>>the monitoring port is duly managed, how does this qualify as "insecure"?
> 
> 
> It qualifies as "insecure" because if that rather dubious assumption fails to
> be true, you have a big problem.


If any port on a router is not duly managed, you have a big problem.

Tony


Re: FCC Issues Rule Allowing FBI to Dictate Wiretap-Friendly Design for Internet Services

2005-08-06 Thread Valdis . Kletnieks
On Sat, 06 Aug 2005 17:26:23 PDT, Tony Li said:
> I'm sorry, but this is simply an unsupportable statement.  What is
> required of routers is that the provider be able to configure the device
> to make copies of certain packets to a monitoring port.  Assuming that
> the monitoring port is duly managed, how does this qualify as "insecure"?

It qualifies as "insecure" because if that rather dubious assumption fails to
be true, you have a big problem.




Re: FCC Issues Rule Allowing FBI to Dictate Wiretap-Friendly Design for Internet Services

2005-08-06 Thread Joshua Brady

On 8/6/05, Tony Li <[EMAIL PROTECTED]> wrote:
> 
> 
> > i opine that some features are innovation and others not.  i.e.,
> > x.25 support on modern kit seems a not innovative and a waste of
> > resources i would rather see applied elsewhere.

Who said the user end needs to support a "tap" being done? They can
just force ISP's to log everything at the headend.  Your phone doesn't
need a specialized device to tap it right now does it; cell phones
either; the FBI can call the NSA anytime they want without a tap order
and get them to trigger ECHELON when your voice is apparent on any
line.

-- 
Joshua Brady


Re: FCC Issues Rule Allowing FBI to Dictate Wiretap-Friendly Design for Internet Services

2005-08-06 Thread Tony Li


> i opine that some features are innovation and others not.  i.e.,
> x.25 support on modern kit seems a not innovative and a waste of
> resources i would rather see applied elsewhere.


Probably a fairer characterization.


> but every feature has its cost in complexity and resources to build
> and maintain.  resources are finite and complexity has super-linear
> cost.  so i would much prefer that the vendors concentrate on the
> features *i* want .  and i am quite skeptical of features which 
> non-paying non-customers want.


Well, I'm even skeptical of features that paying customers want.  But
that doesn't pay the bills.  ;-)

While complexity has super-linear cost, not all features introduce
significant complexity.  It's very much a function of the architecture.
 In a highly partitioned, loosely coupled system, adding a feature that
interacts with only a single other component in a trivial way may be
quite simple.  In a monolithic system, adding a feature that permeates
the system may be so complex as to be unimplementable.

The features to avoid are those where the complexity cost outweighs the
revenue.  If only we could evaluate this properly!  ;-)

Tony


Re: FCC Issues Rule Allowing FBI to Dictate Wiretap-Friendly Design for Internet Services

2005-08-06 Thread sjk


On Sat, 6 Aug 2005, Randy Bush wrote:

>>> It also hobbles technical innovation by forcing companies involved in
>>> broadband to redesign their products to meet government requirements.
>>
>> As opposed to hobbling innovation by meeting customer requirements?
>
> who's paying the bill?  and sorry to hear from a vendor that meeting
> the customers' requirements is such a negative thing.
>
> randy



We all pay the bill with higher equipment costs, the maintenance of 
configurations, and possible storage costs. CALEA was bound to include 
VoIP services - given the definition of telecom carrier in the act; however, 
as I recall -- and I may be wrong -- when CALEA was first passed the 
carriers were given tax breaks and subsidies to implement changes. Is 
such financial help being offered today?


--sjk


Re: FCC Issues Rule Allowing FBI to Dictate Wiretap-Friendly Design for Internet Services

2005-08-06 Thread Randy Bush

>>>> It also hobbles technical innovation by forcing companies involved in
>>>> broadband to redesign their products to meet government requirements.
>>> As opposed to hobbling innovation by meeting customer requirements?
>> who's paying the bill?  and sorry to hear from a vendor that meeting
>> the customers' requirements is such a negative thing.
> You mistake my meaning, Randy.  Implementing features ARE innovation.
> Not hobbling it.

sorry if i misinterpreted.

i opine that some features are innovation and others not.  i.e.,
x.25 support on modern kit seems a not innovative and a waste of
resources i would rather see applied elsewhere.

but every feature has its cost in complexity and resources to build
and maintain.  resources are finite and complexity has super-linear
cost.  so i would much prefer that the vendors concentrate on the
features *i* want .  and i am quite skeptical of features which 
non-paying non-customers want.

randy



Re: FCC Issues Rule Allowing FBI to Dictate Wiretap-Friendly Design for Internet Services

2005-08-06 Thread Tony Li



>>>It also hobbles technical innovation by forcing companies involved in 
>>>broadband to redesign their products to meet government requirements.
>>
>>As opposed to hobbling innovation by meeting customer requirements?
> 
> 
> who's paying the bill?  and sorry to hear from a vendor that meeting
> the customers' requirements is such a negative thing.


You mistake my meaning, Randy.  Implementing features ARE innovation.
Not hobbling it.

Tony


Re: FCC Issues Rule Allowing FBI to Dictate Wiretap-Friendly Design for Internet Services

2005-08-06 Thread Randy Bush

>> It also hobbles technical innovation by forcing companies involved in 
>> broadband to redesign their products to meet government requirements.
> 
> As opposed to hobbling innovation by meeting customer requirements?

who's paying the bill?  and sorry to hear from a vendor that meeting
the customers' requirements is such a negative thing.

randy



Re: FCC Issues Rule Allowing FBI to Dictate Wiretap-Friendly Design for Internet Services

2005-08-06 Thread Tony Li

> Practically, what this means is that the government will be asking broadband 
> providers 
> - as well as companies that manufacture devices used for broadband
> communications – to build insecure backdoors into their networks,
> imperiling the privacy and security of citizens on the Internet.


I'm sorry, but this is simply an unsupportable statement.  What is
required of routers is that the provider be able to configure the device
to make copies of certain packets to a monitoring port.  Assuming that
the monitoring port is duly managed, how does this qualify as "insecure"?


> It also hobbles technical innovation by forcing companies involved in 
> broadband to redesign their products to meet government requirements.


As opposed to hobbling innovation by meeting customer requirements?

There are many issues with CALEA that one can object to, primarily
having to do with the checks necessary to ensure that appropriate
warrants are obtained and that the traffic is appropriately filtered
before monitoring.  I'm disappointed that EFF is so off the mark here.

Tony
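
Tony's "assuming the monitoring port is duly managed" and the checks he wants on warrants and filtering (and Valdis' "one typo away" remark further up the thread) reduce to something an operator can actually audit on a box: does every packet-copy session trace to an authorization, copy no more than that authorization names, and deliver only to an approved collector? The following is an added example, not code from the thread or any vendor. The config syntax, session names, interface names and the order register are all hypothetical, constructed for the example; no real CLI is implied.

```python
"""Added example, not from the thread: audit the mirror sessions on a router
against an authorization register.  Config syntax, session names and the
order register are HYPOTHETICAL, constructed here; no vendor CLI is implied.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed device config in a made-up, vendor-neutral syntax.
CONFIG = """\
mirror-session LI-1001 input ge-0/0/1 match 203.0.113.10/32 output tunnel lea-vpn0 auth ORDER-2005-0417
mirror-session LI-1002 input ge-0/0/2 match 203.0.113.0/24 output tunnel lea-vpn0 auth ORDER-2005-0418
mirror-session LI-1003 input ge-0/0/2 match 198.51.100.20/32 output tunnel lea-vpn0 auth ORDER-2005-0499
mirror-session DBG-7 input ge-0/0/3 match 0.0.0.0/0 output ge-0/0/9
"""

# Constructed authorization register: order id -> the one prefix it covers.
ORDERS: Dict[str, ipaddress.IPv4Network] = {
    "ORDER-2005-0417": ipaddress.ip_network("203.0.113.10/32"),
    "ORDER-2005-0418": ipaddress.ip_network("203.0.113.20/32"),
}
APPROVED_OUTPUTS: Set[str] = {"lea-vpn0"}   # collector-facing tunnel interfaces

LINE = re.compile(
    r"^mirror-session\s+(?P<name>\S+)\s+input\s+(?P<input>\S+)"
    r"\s+match\s+(?P<match>\S+)\s+output\s+(?:tunnel\s+)?(?P<output>\S+)"
    r"(?:\s+auth\s+(?P<auth>\S+))?\s*$")

@dataclass(frozen=True)
class Session:
    name: str
    input: str
    match: ipaddress.IPv4Network
    output: str
    auth: Optional[str]

def parse(config: str) -> List[Session]:
    """Parse mirror-session lines; anything unparseable is an error, not skipped."""
    sessions = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unparseable mirror line: {raw!r}")
        sessions.append(Session(m["name"], m["input"],
                                ipaddress.ip_network(m["match"], strict=False),
                                m["output"], m["auth"]))
    return sessions

def audit(sessions: List[Session], orders: Dict[str, ipaddress.IPv4Network],
          approved: Set[str]) -> Dict[str, List[str]]:
    """Return finding codes per session; an empty list means the session is clean."""
    findings: Dict[str, List[str]] = {}
    for s in sessions:
        f: List[str] = []
        if s.output not in approved:
            f.append("UNAPPROVED_OUTPUT")      # copies leave via a port nobody vetted
        if s.match.prefixlen == 0:
            f.append("CATCH_ALL")              # the "typo" case: everything is copied
        if s.auth is None:
            f.append("NO_AUTH")
        elif s.auth not in orders:
            f.append("UNKNOWN_ORDER")
        elif not s.match.subnet_of(orders[s.auth]):
            f.append("SCOPE_EXCEEDED")         # filter wider than the order allows
        findings[s.name] = f
    return findings

def run() -> Dict[str, List[str]]:
    """Audit the constructed config against the constructed register."""
    return audit(parse(CONFIG), ORDERS, APPROVED_OUTPUTS)
```

Run as a periodic job against the live config, this turns the "duly managed" assumption into a measured fact: a session with a catch-all match or an unvetted output port is flagged the moment it appears, and a filter that quietly grew from a /32 to a /24 is caught by comparing it to the scope the order actually names.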


FCC Issues Rule Allowing FBI to Dictate Wiretap-Friendly Design for Internet Services

2005-08-06 Thread Fergie (Paul Ferguson)

Via the EFF website.

[snip]

Today the Federal Communications Commission (FCC) issued a release  announcing 
its new rule expanding the reach of the Communications Assistance to Law 
Enforcement Act (CALEA). The ruling is a reinterpretation of the scope of CALEA 
and will force Internet broadband providers and certain voice-over-IP (VoIP) 
providers to build backdoors into their networks that make it easier for law 
enforcement to wiretap them. The Electronic Frontier Foundation (EFF) has 
argued against this expansion of CALEA in several rounds of comments to the FCC 
on its proposed rule.

CALEA, a law passed in the early 1990s, mandated that all telephone providers 
build tappability into their networks, but expressly ruled out information 
services like broadband. Under the new ruling from the FCC, this tappability 
now extends to Internet broadband providers as well.

Practically, what this means is that the government will be asking broadband 
providers - as well as companies that manufacture devices used for broadband 
communications – to build insecure backdoors into their networks, imperiling 
the privacy and security of citizens on the Internet. It also hobbles technical 
innovation by forcing companies involved in broadband to redesign their 
products to meet government requirements.

"Expanding CALEA to the Internet is contrary to the statute and is a 
fundamentally flawed public policy," said Kurt Opsahl, EFF staff attorney. 
"This misguided tech mandate endangers the privacy of innocent people, stifles 
innovation and risks the functionality of the Internet as a forum for free and 
open expression."

[snip]

http://www.eff.org/news/archives/2005_08.php#003876

- ferg


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 [EMAIL PROTECTED] or [EMAIL PROTECTED]
 ferg's tech blog: http://fergdawg.blogspot.com/