Re: What's the best way to wiretap a network?

2004-01-23 Thread Roland Perry
In article [EMAIL PROTECTED], Kurt 
Erik Lindqvist [EMAIL PROTECTED] writes
(Although I know what the NA...stands for I have to ask)
Plenty of NANOs will have bits of network in the EU (or indeed within 
the remit of the Cybercrime Convention which the USA has signed but not 
ratified).

So the EU part is only the tapping requirement? The charging scheme is
local? Or did I miss all of this?
EU law tends to say things about privacy, human rights, and so on. It 
outlaws wiretaps, but then has exemptions to allow individual states to 
pass wiretap laws if they feel there's a law enforcement need. Nothing 
about cost recovery.

The Cybercrime Convention (a Treaty of the Council of Europe - which is 
not the EU - and not a law in its own right) has an article (#21) 
*requiring* ratifying states [1] to implement wiretapping, but is also 
silent on the cost recovery issue, which would be a matter for the 
individual state's legislature.

[1] Only 4 relatively minor states so far, so the Treaty isn't even in 
force yet:

http://conventions.coe.int/Treaty/EN/searchsig.asp?NT=185CM=DF=
--
Roland Perry


Re: What's the best way to wiretap a network?

2004-01-22 Thread Kurt Erik Lindqvist

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1



(Although I know what the NA...stands for I have to ask)

 From the initial discussions in Sweden around the new electronic
 communications act, it seems as if the operators are obliged to
 provide
 tapping free of charge. If this turns out to be the case, I guess it
 is
 pretty much the same all over Europe as the law is supposed to be
 based
 on a EU framework.

 There's nothing in the new EU Communications Framework (or indeed
 elsewhere in EU law) that controls whether or not operators can charge
 for wiretaps. It's a country by country thing. Complicated by some
 countries that claim to re-imburse, actually being chronically bad at
 paying the invoices.

So the EU part is only the tapping requirement? The charging scheme is
local? Or did I miss all of this?

  - kurtis -



-BEGIN PGP SIGNATURE-
Version: PGP 8.0.3

iQA/AwUBQBC5ZKarNKXTPFCVEQIXMgCgx9GfYC+KS43lvfqUAW94bwRGH8sAoLk7
Pss7/MQctcapaNOWAL0Au6V1
=Ei2W
-END PGP SIGNATURE-



Re: What's the best way to wiretap a network?

2004-01-21 Thread Kurt Erik Lindqvist

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


On 2004-01-20, at 22.19, Steven M. Bellovin wrote:


 In message [EMAIL PROTECTED], William Allen Simpson 
 writes:

 Eriks Rugelis wrote:

 On the other hand, if your environment consists of a large number 
 (100's) of
 potential tapping points, then you will quickly determine that 
 in-line taps
 have very poor scaling properties.
 a) They are not rack-dense
 b) They require external power warts
 c) They are not cheap (in the range of US$500 each)
 d) Often when you have that many potential tapping points, 
 you are
 likely to be processing a larger number of warrants in a year.  An 
 in-line
 tap arrangement will require a body to physically install the 
 recording
 equipment and cables to the trace-ports on the tap.  You may also 
 need to
 make room for more than one set of recording gear at each site.

 This is a feature, not a bug.  Law enforcement is required to pay --
 up front -- all costs of tapping.  No pay, no play.

 Right, at least in the U.S.  See section 4(e) of
 http://www4.law.cornell.edu/uscode/18/2518.html


 From the initial discussions in Sweden around the new electronic 
communications act, it seems as if the operators are obliged to provide 
tapping free of charge. If this turns out to be the case, I guess it is 
pretty much the same all over Europe as the law is supposed to be based 
on a EU framework.

- - kurtis -

-BEGIN PGP SIGNATURE-
Version: PGP 8.0.3

iQA/AwUBQA43VaarNKXTPFCVEQLymQCgtgsN2rvN5zZ2lsbBTvi9VNnXYS8AoJyL
8z7bI+SOn3g4aGAb2lh6S2jk
=XUQj
-END PGP SIGNATURE-



Re: What's the best way to wiretap a network?

2004-01-21 Thread Daniel Karrenberg

On 21.01 09:24, Kurt Erik Lindqvist wrote:
 
  From the initial discussions in Sweden around the new electronic 
 communications act, it seems as if the operators are obliged to provide 
 tapping free of charge. If this turns out to be the case, I guess it is 
 pretty much the same all over Europe as the law is supposed to be based 
 on a EU framework.

Slightly off topic:

This is being fought by ISPs and civil rights groups all over the place here.

It is amazing how much brain-damage is defended by EU Framework these days.
It is also amazing how much national politicians and  pressure groups can
assert things about *neighboring* countries that are blatantly wrong or 
totally out-of-date. In the EU political structures and processes still
have to be built; it is a new thing. 

Daniel


Re: What's the best way to wiretap a network?

2004-01-21 Thread Paul Wouters

On Tue, 20 Jan 2004, William Allen Simpson wrote:

 This is a feature, not a bug.  Law enforcement is required to pay -- 
 up front -- all costs of tapping.  No pay, no play.  

Oh, I wish, I wish

In NL, law dictates any telecommunications device (as defined amongst things 
as anything with an IP address) needs to be tappable. Infrastructure costs
are not reimbursed. Only operational costs for enabling/disabling are 
reimbursed here.

Paul, who wished he was at a certain IX when the LEA's came and asked for
*all* traffic.



Re: What's the best way to wiretap a network?

2004-01-21 Thread Roland Perry
In article [EMAIL PROTECTED], Kurt 
Erik Lindqvist [EMAIL PROTECTED] writes
From the initial discussions in Sweden around the new electronic
communications act, it seems as if the operators are obliged to provide
tapping free of charge. If this turns out to be the case, I guess it is
pretty much the same all over Europe as the law is supposed to be based
on a EU framework.
There's nothing in the new EU Communications Framework (or indeed 
elsewhere in EU law) that controls whether or not operators can charge 
for wiretaps. It's a country by country thing. Complicated by some 
countries that claim to re-imburse, actually being chronically bad at 
paying the invoices.

In the UK, for example, the current situation is that running costs are 
re-imbursed, and network upgrades to be wire-tap ready can benefit from 
a one-off grant (but new networks must be designed to be wire-tap ready 
at the operator's expense).
--
Roland Perry


Re: What's the best way to wiretap a network?

2004-01-20 Thread Eriks Rugelis

Sean Donelan wrote:
 Assuming lawful purposes, what is the best way to tap a network
 undetectable to the surveillance subject, not missing any
 relevant data, and not exposing the installer to undue risk?

'Best' rarely has a straight-forward answer.  ;-)

Lawful access is subject to many of the same scaling issues which we
confront in building up our networks.  Solutions which can work well for
'small' access or hosting providers may not be sensible for larger scale
environment.

If you have only a low rate of warrants to process per year,
   and if your facilities are few in number and/or geographically close
together,
   and if your 'optimum' point of tap insertion happens to be a link which
can be reasonably traced without very expensive ASIC-based gear
   and if your operation can tolerate breaking open the link to insert the
tap,
   and if the law enforcement types agree that the surveillance target is
unlikely to notice the link going down to insert the tap...

   then in-line taps such as Finisar or NetOptics can be quite sensible.

If your operation can tolerate the continuing presence of the in-line tap
and you only ever need a small number of them then leaving the taps
permanently installed may be entirely reasonable.

On the other hand, if your environment consists of a large number (100's) of
potential tapping points, then you will quickly determine that in-line taps
have very poor scaling properties.
a) They are not rack-dense
b) They require external power warts
c) They are not cheap (in the range of US$500 each)
d) Often when you have that many potential tapping points, you are
likely to be processing a larger number of warrants in a year.  An in-line
tap arrangement will require a body to physically install the recording
equipment and cables to the trace-ports on the tap.  You may also need to
make room for more than one set of recording gear at each site.

Large-scale providers will probably want to examine solutions based on
support built directly into their traffic-carrying infrastructure (switches,
routers.)

You should be watchful for law enforcement types trying to dictate a 'solution'
which is not a good fit to your own business environment.  There are usually
several ways of getting them the data which they require to do their jobs.

Eriks
---
Eriks Rugelis  --  Senior Consultant
Netidea Inc.  Voice:  +1 416 876 0740
63 Charlton Boulevard,FAX:+1 416 250 5532
North York, Ontario,  E-mail: [EMAIL PROTECTED]
Canada
M2M 1C1

PGP public key is here:
http://members.rogers.com/eriks.rugelis/certs/pgp.htm





Re: What's the best way to wiretap a network?

2004-01-20 Thread Scott McGrath



Scott C. McGrath

On Tue, 20 Jan 2004, Eriks Rugelis wrote:


 Sean Donelan wrote:
  Assuming lawful purposes, what is the best way to tap a network
  undetectable to the surveillance subject, not missing any
  relevant data, and not exposing the installer to undue risk?

 'Best' rarely has a straight-forward answer.  ;-)

 Lawful access is subject to many of the same scaling issues which we
 confront in building up our networks.  Solutions which can work well for
 'small' access or hosting providers may not be sensible for larger scale
 environment.

 If you have only a low rate of warrants to process per year,
and if your facilities are few in number and/or geographically close
 together,
and if your 'optimum' point of tap insertion happens to be a link which
 can be reasonably traced without very expensive ASIC-based gear
and if your operation can tolerate breaking open the link to insert the
 tap,
and if the law enforcement types agree that the surveillance target is
 unlikely to notice the link going down to insert the tap...

then in-line taps such as Finisar or NetOptics can be quite sensible.

 If your operation can tolerate the continuing presence of the in-line tap
 and you only ever need a small number of them then leaving the taps
 permanently installed may be entirely reasonable.

 On the other hand, if your environment consists of a large number (100's) of
 potential tapping points, then you will quickly determine that in-line taps
 have very poor scaling properties.
   a) They are not rack-dense
   b) They require external power warts
   c) They are not cheap (in the range of US$500 each)
   d) Often when you have that many potential tapping points, you are
 likely to be processing a larger number of warrants in a year.  An in-line
 tap arrangement will require a body to physically install the recording
 equipment and cables to the trace-ports on the tap.  You may also need to
 make room for more than one set of recording gear at each site.

 Large-scale providers will probably want to examine solutions based on
 support built directly into their traffic-carrying infrastructure (switches,
 routers.)

Using cisco's feature set on a uBR it would be

cable intercept interface x/y Target MAC Logging Server IP port

as an example of lawful access on infrastructure equipment

 You should be watchful for law enforcement types trying to dictate a 'solution'
 which is not a good fit to your own business environment.  There are usually
 several ways of getting them the data which they require to do their jobs.

 Eriks
 ---
 Eriks Rugelis  --  Senior Consultant
 Netidea Inc.  Voice:  +1 416 876 0740
 63 Charlton Boulevard,FAX:+1 416 250 5532
 North York, Ontario,  E-mail: [EMAIL PROTECTED]
 Canada
 M2M 1C1

 PGP public key is here:
 http://members.rogers.com/eriks.rugelis/certs/pgp.htm





Re: What's the best way to wiretap a network?

2004-01-20 Thread William Allen Simpson

Eriks Rugelis wrote:
 
 On the other hand, if your environment consists of a large number (100's) of
 potential tapping points, then you will quickly determine that in-line taps
 have very poor scaling properties.
 a) They are not rack-dense
 b) They require external power warts
 c) They are not cheap (in the range of US$500 each)
 d) Often when you have that many potential tapping points, you are
 likely to be processing a larger number of warrants in a year.  An in-line
 tap arrangement will require a body to physically install the recording
 equipment and cables to the trace-ports on the tap.  You may also need to
 make room for more than one set of recording gear at each site.
 
This is a feature, not a bug.  Law enforcement is required to pay -- 
up front -- all costs of tapping.  No pay, no play.  


 Large-scale providers will probably want to examine solutions based on
 support built directly into their traffic-carrying infrastructure (switches,
 routers.)
 
 You should be watchful for law enforcement types trying to dictate a 'solution'
 which is not a good fit to your own business environment.  There are usually
 several ways of getting them the data which they require to do their jobs.
 
Whatever they are willing to pay for -- a good fit for the business 
environment is the largest effort and highest cost, as the overhead 
and administrative charges should be enough to be profitable.
-- 
William Allen Simpson
Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32


Re: What's the best way to wiretap a network?

2004-01-20 Thread Steven M. Bellovin

In message [EMAIL PROTECTED], William Allen Simpson writes:

Eriks Rugelis wrote:
 
 On the other hand, if your environment consists of a large number (100's) of
 potential tapping points, then you will quickly determine that in-line taps
 have very poor scaling properties.
 a) They are not rack-dense
 b) They require external power warts
 c) They are not cheap (in the range of US$500 each)
 d) Often when you have that many potential tapping points, you are
 likely to be processing a larger number of warrants in a year.  An in-line
 tap arrangement will require a body to physically install the recording
 equipment and cables to the trace-ports on the tap.  You may also need to
 make room for more than one set of recording gear at each site.
 
This is a feature, not a bug.  Law enforcement is required to pay -- 
up front -- all costs of tapping.  No pay, no play.  

Right, at least in the U.S.  See section 4(e) of 
http://www4.law.cornell.edu/uscode/18/2518.html

--Steve Bellovin, http://www.research.att.com/~smb




Re: What's the best way to wiretap a network?

2004-01-18 Thread Chris Brenton

On Sat, 2004-01-17 at 21:08, Sean Donelan wrote:

 Assuming lawful purposes, what is the best way to tap a network
 undetectable

The best way to go undetectable is easy, run the sniffer without an IP
address. The best way to tap a network varies with your setup. If you're
repeated, just plug in and go. If you're switched (which most of us are),
you need to figure out how to get in the middle of the data stream you
want to monitor.

The best solution I've found is to use an Ethernet tap. It allows you to
piggy back off of an existing connection and monitor all the traffic
going to and from that system. It's pretty undetectable, does not use any
additional switch ports, and allows you to run full duplex. A number of
vendors sell them and a Google will give you sites on how to make them.

You can plug a mini-hub in line and use that as a tap point to monitor
the stream. Up side is it's cheap and easy. Down side is you have to drop
to half duplex. Not a problem in most situations but in some the drop in
performance can be an issue.

Many switch vendors include a copy or mirror port that allows you to
replicate all traffic to and from a specific port, to some other port
where you can plug in your sniffer. Up side here is ease of
configuration. If you want to start monitoring a different port it's a
simple configuration change within your switch. Down side is you could
end up missing packets (I've run into this myself). Seems when some/many
switches get busy the first thing they stop doing is copying packets to
the mirror port.

There are tools out there like Dsniff and Ettercap that allow you to
sniff in a switched environment. I recommend you avoid them because they
tend to either work or hose your network. You don't want to DoS
yourself. ;-)

  to the surveillance subject, not missing any
 relevant data, and not exposing the installer to undue risk?

Sniffing is a passive function so it's always possible you are going to
miss data. It all depends on the capabilities of the box recording the
packets.

As for risk, that's always there as well. For example check the
Bugtraq archives and you are going to find exploits that work against
tools like Tcpdump and Snort. The attacks go after the way the software
processes the packet. So even if you are running without an IP address
it's possible that someone with malicious intent can DoS the box.

HTH,
C 
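Chris's "you could end up missing packets" is the part of a mirror-port setup that is easy to overlook and hard to notice after the fact. The following is an added example, not code from this thread: it walks a capture one unidirectional TCP flow at a time and flags every forward jump in sequence number, which is what a switch dropping mirror copies under load looks like from the sniffer's side, while ignoring retransmissions and reordering. The `Packet` record layout and the sample capture are constructed for illustration (a real tool would fill them from pcap).

```python
"""Added example (not from the thread): detect packets a mirror/SPAN port
never delivered by finding gaps in per-flow TCP sequence numbers.
Record layout and SAMPLE capture are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass

SEQ_MASK = 0xFFFFFFFF   # TCP sequence space is 32 bits and wraps


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    seq: int        # sequence number of the first byte in this segment
    length: int     # TCP payload bytes
    syn: bool = False
    fin: bool = False


def seq_consumed(pkt: Packet) -> int:
    """Sequence numbers this segment uses: payload plus one each for SYN/FIN."""
    return pkt.length + int(pkt.syn) + int(pkt.fin)


def find_gaps(packets):
    """Return {flow: [(expected_seq, observed_seq, missing_bytes), ...]}.

    flow is the one-way (src, sport, dst, dport) tuple.  A segment that
    starts *ahead* of the sequence number we expected means bytes were sent
    but never reached the sniffer.  A segment that starts *behind* it is a
    retransmission or reordering and is not counted as capture loss.
    """
    expected = {}
    gaps = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        flow = (p.src, p.sport, p.dst, p.dport)
        end = (p.seq + seq_consumed(p)) & SEQ_MASK
        if flow not in expected:
            expected[flow] = end
            continue
        delta = (p.seq - expected[flow]) & SEQ_MASK   # modular distance
        if 0 < delta < 2 ** 31:                        # forward jump = loss
            gaps[flow].append((expected[flow], p.seq, delta))
        # Advance only when this segment reaches beyond what we have seen.
        if ((end - expected[flow]) & SEQ_MASK) < 2 ** 31:
            expected[flow] = end
    return dict(gaps)


def loss_summary(packets) -> int:
    """Total bytes missing from the capture across all flows."""
    return sum(g[2] for gs in find_gaps(packets).values() for g in gs)


# Constructed capture: one flow with a 200-byte hole, a clean reverse
# direction starting with a SYN, and a flow that wraps the sequence space.
SAMPLE = [
    Packet(0.000, "10.0.0.9", 80, "10.0.0.5", 40000, 4999, 0, syn=True),
    Packet(0.001, "10.0.0.5", 40000, "10.0.0.9", 80, 1000, 100),
    Packet(0.002, "10.0.0.5", 40000, "10.0.0.9", 80, 1100, 100),
    Packet(0.003, "10.0.0.5", 40000, "10.0.0.9", 80, 1400, 100),  # 1200-1399 never captured
    Packet(0.004, "10.0.0.5", 40000, "10.0.0.9", 80, 1300, 100),  # late retransmit, not loss
    Packet(0.005, "10.0.0.9", 80, "10.0.0.5", 40000, 5000, 200),
    Packet(0.006, "10.0.0.9", 80, "10.0.0.5", 40000, 5200, 200),
    Packet(0.007, "172.16.1.2", 50000, "172.16.1.3", 443, 4294967200, 100),
    Packet(0.008, "172.16.1.2", 50000, "172.16.1.3", 443, 4, 50),  # wrap, no loss
]

if __name__ == "__main__":
    for flow, gs in find_gaps(SAMPLE).items():
        for exp, seen, missing in gs:
            print(f"{flow}: expected seq {exp}, saw {seen}: {missing} bytes missing")
    print("total missing bytes:", loss_summary(SAMPLE))
```

Run this periodically over a capture from a mirror port; a steady trickle of gaps that correlates with the switch's busy periods is the symptom Chris describes, and the same check works on captures from a passive tap as a sanity test of the recording box itself.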




Re: What's the best way to wiretap a network?

2004-01-18 Thread Paul Vixie

  Assuming lawful purposes, what is the best way to tap a network
  undetectable
 
 ...
 The best solution I've found is to use an Ethernet tap. It allows you to
 piggy back off of an existing connection and monitor all the traffic
 going to and from that system. It's pretty undetectable, does not use any
 additional switch ports, and allows you to run full duplex. A number of
 vendors sell them and a Google will give you sites on how to make them.
 ...

i hadn't thought of making my own -- that sounds like a fun project.

for f-root, we've (isc) been installing the netoptics version of this:

http://www.netoptics.com/products/product_family.asp?cid=1Section=productssid=439813.237927026menuitem=1

works great.  it's basically a hub, but with the interesting feature of
letting you monitor TX and RX separately, and full duplex is preserved.
(it takes 2x100Mbit to fully monitor a full duplex 100Mbit link.)  it
also fails into connected mode if power is dropped.  so if both power
blobs die, you lose monitoring, but not connectivity.

there are also 1000-TX, 1000-SX, DS3, sonet and other versions, plus combos.

i'm fairly sure that this is what law enforcement uses for wiretap warrants.
-- 
Paul Vixie
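Paul's tap delivers each direction of the link on its own monitor port, so the sniffer ends up with two one-way streams and needs the capacity to absorb both at line rate at the same time. The following is an added example, not code from this thread or from Net Optics: it merges the two per-direction streams back into one timeline and checks, per one-second bucket, whether the combined load would exceed what a single capture NIC can ingest. The `(timestamp, frame_length)` record shape, the constant names and the sample bursts are constructed for illustration; wire overhead (preamble, gap, FCS) is ignored.

```python
"""Added example (not from the thread): rebuild a full-duplex timeline from
a tap's two one-way monitor outputs and size the capture side.  Record
layout, names and sample data are constructed for illustration."""
import heapq
from collections import defaultdict

LINK_BPS = 100_000_000   # tapped link runs 100 Mbit/s in *each* direction


def merge_directions(tx, rx):
    """Merge two timestamp-sorted lists of (ts, frame_len) into one list of
    (ts, direction, frame_len).  Ties keep tx before rx."""
    tagged_tx = ((ts, 0, "tx", n) for ts, n in tx)
    tagged_rx = ((ts, 1, "rx", n) for ts, n in rx)
    return [(ts, d, n) for ts, _, d, n in heapq.merge(tagged_tx, tagged_rx)]


def bucket_rates(timeline, bucket=1.0):
    """Bits per second per direction in each time bucket:
    {bucket_start: {"tx": bps, "rx": bps}}."""
    bits = defaultdict(lambda: {"tx": 0, "rx": 0})
    for ts, d, n in timeline:
        bits[int(ts // bucket) * bucket][d] += n * 8
    return {b: {d: v / bucket for d, v in per.items()} for b, per in bits.items()}


def oversubscribed_buckets(timeline, capture_nic_bps=LINK_BPS, bucket=1.0):
    """Buckets where tx+rx exceeds one capture NIC.  On a full-duplex link
    both directions can be at line rate at once, which is why a single
    100 Mbit sniffer port cannot capture a 100 Mbit link without loss."""
    return sorted(b for b, per in bucket_rates(timeline, bucket).items()
                  if per["tx"] + per["rx"] > capture_nic_bps)


def burst(start, count, frame_len=1500):
    """Constructed one-way stream: `count` frames evenly spaced over one second."""
    return [(start + i / count, frame_len) for i in range(count)]


# Constructed sample: second 0 is busy in both directions (84 + 36 Mbit/s),
# second 1 is quiet (24 + 12 Mbit/s).
TX = burst(0.0, 7000) + burst(1.0, 2000)
RX = burst(0.0, 3000) + burst(1.0, 1000)

if __name__ == "__main__":
    timeline = merge_directions(TX, RX)
    for b, per in sorted(bucket_rates(timeline).items()):
        print(f"t={b:.0f}s tx={per['tx']/1e6:.0f} Mbit/s rx={per['rx']/1e6:.0f} Mbit/s")
    print("buckets one 100 Mbit NIC would drop:", oversubscribed_buckets(timeline))
    print("buckets two 100 Mbit NICs would drop:",
          oversubscribed_buckets(timeline, capture_nic_bps=2 * LINK_BPS))
```

The per-direction figures also make the 2x100 Mbit requirement concrete: neither direction alone ever exceeds 100 Mbit/s, so one NIC per monitor port is sufficient, while feeding both monitor ports into a single NIC through a hub or aggregator is not.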


Re: What's the best way to wiretap a network?

2004-01-18 Thread Steven M. Bellovin

In message [EMAIL PROTECTED], Paul Vixie writes:


i'm fairly sure that this is what law enforcement uses for wiretap warrants.

I believe you're correct.  In fact, I first learned of these devices 
from government documents during the Carnivore discussions a few years 
ago.

--Steve Bellovin, http://www.research.att.com/~smb




Re: What's the best way to wiretap a network?

2004-01-18 Thread Bohdan Tashchuk
 You can plug a mini-hub in line and use that as a tap point to monitor
 the stream. Up side is it's cheap and easy. Down side is you have to
 drop to half duplex. Not a problem in most situations but in some the
 drop in performance can be an issue.
Don't throw out your old hubs. It's hard to find a 10/100 hub for sale 
any more. Even the cheap consumer devices are switches. I picked up a 
$25 hub at Fry's a few weeks ago just in case I ever wanted to casually 
snoop some traffic. But Fry's is sold out.

The netoptics.com link posted was priceless. I'm always wary of
simple products that are expensive enough to have a request for quote,
rather than a price, on their web page.


Re: What's the best way to wiretap a network?

2004-01-18 Thread Sean Donelan

On Sun, 18 Jan 2004, Steven M. Bellovin wrote:
 In message [EMAIL PROTECTED], Paul Vixie writes:
 i'm fairly sure that this is what law enforcement uses for wiretap warrants.

 I believe you're correct.  In fact, I first learned of these devices
 from government documents during the Carnivore discussions a few years
 ago.

Lots of people seem to be making the assumption that all networks work
the same way or everyone wants the same data. Tapping an OC192 SONET
circuit is expensive, but relatively straightforward.  Tapping a V.92
analog modem is expensive and not straightforward.  Tapping WiFi-to-WiFi
traffic is cheap, but only if you are local.  A sniffer on an upstream
switch won't see the traffic below a network access point.

But a Title III warrant for full content is relatively difficult to
obtain in the US.  The public reports filed with the courts show a small
percentage of wiretaps require full content.  What's also interesting is
if you read the various public submissions to many different working
groups since the Carnivore discussions a few years ago, you'll notice a
dramatic re-definition of more and more data as call identification
information instead of content.

The public proposals also seem to be somewhat arbitrary about which provider
gets tasked with collecting the wiretap data.  Should the first mile or
last mile or middle mile provider be tasked with isolating call
identification information and decoding it?

So what is the best way to wiretap a target using public WiFi hotspots
connected through multiple wholesale providers and service providers
to collect call identification information about who the target is
communicating with through multiple application protocols including
Webmail, IM and massively multi-player role playing games.






Re: What's the best way to wiretap a network?

2004-01-17 Thread Jared Mauch

I'd have to say this depends on the media involved.

ethernet switches allow the monitoring of specific ports (or entire
vlans) in most cases.  This can be done without impact (assuming nobody
goofs on the ethernet switch config) to other people and limit the scope
of packets inspected.

Various vendors have their own monitoring solutions and port
replication features.  I seem to recall one customer of my employer
saying how much they enjoyed the ability to tcpdump/inspect traffic
on their Juniper routers.  (with regards to a DoS attack we were working
on tracking).

- Jared

On Sat, Jan 17, 2004 at 09:08:22PM -0500, Sean Donelan wrote:
 Assuming lawful purposes, what is the best way to tap a network
 undetectable to the surveillance subject, not missing any
 relevant data, and not exposing the installer to undue risk?

-- 
Jared Mauch  | pgp key available via finger from [EMAIL PROTECTED]
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.


Re: What's the best way to wiretap a network?

2004-01-17 Thread doug

We've been using Shomiti taps for several years with good effect.  All
they do is copy all the data going through a segment (100bT in our case)
to two ports, one for inbound, another for outbound.  Now Finisar, they
sell both copper and fiber taps for a variety of media, including Ethernet
from 10Mbps to 10Gbps.  They have been rock-solid, never missing a packet,
and isolate the sniffer from the rest of the network.

Of course, you then need to choose a packet analyzer/IDS to use with the
tap.

Doug


On Sat, 17 Jan 2004, Jared Mauch wrote:


   I'd have to say this depends on the media involved.

   ethernet switches allow the monitoring of specific ports (or entire
 vlans) in most cases.  This can be done without impact (assuming nobody
 goofs on the ethernet switch config) to other people and limit the scope
 of packets inspected.

   Various vendors have their own monitoring solutions and port
 replication features.  I seem to recall one customer of my employer
 saying how much they enjoyed the ability to tcpdump/inspect traffic
 on their Juniper routers.  (with regards to a DoS attack we were working
 on tracking).

   - Jared

 On Sat, Jan 17, 2004 at 09:08:22PM -0500, Sean Donelan wrote:
  Assuming lawful purposes, what is the best way to tap a network
  undetectable to the surveillance subject, not missing any
  relevant data, and not exposing the installer to undue risk?

 --
 Jared Mauch  | pgp key available via finger from [EMAIL PROTECTED]
 clue++;  | http://puck.nether.net/~jared/  My statements are only mine.