Thanks for posting this Butch!  It illustrates a number of things that I've
believed from early on:

1.  The ISP will know an actual intercept subpoena is coming before they
receive it.
2.  The LEA staff requesting the subpoena are generally less technically
savvy than most service providers.
3.  The LEA would like the ISP to have all the CALEA "I's" dotted and "T's"
crossed, but are willing to work with a cooperative provider. 

Can you verify that the ISPs got their direct expenses back from the LEAs?
That would be valuable information to have!

I DO believe that the LEAs will become more technically aware over time.  I
also believe that they will be less forgiving of providers who do not have a
CALEA plan over time.

Regards,

Jeff


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Butch Evans
Sent: Friday, November 30, 2007 3:57 AM
To: Wispa List
Subject: [WISPA] CALEA

I just wanted to make a brief post relating a few experiences relating to
the CALEA "scare" that was recently the "talk of the town" (so to speak).  I
should preface this post with a bit of information that will give some
insight into how common (or not) law enforcement will or will not use CALEA
to get information from you/us.  I have about 225 customers in my database.
I work on a regular basis for about 15-20 of those each week.  Since April,
I have worked 4 cases with my customers (actually, it was 6, but 3 were
related) that were filed as CALEA actions.

Of these cases, 3 of my customers were using Mikrotik and 1 was using
ImageStream.  I can't reveal anything related to the cases, but I wanted to
help people understand what kind of information we are being asked for under
CALEA, and what that translates to in terms of capability requirements.

1. The first subpoena wanted to know who had a specific IP at a certain time
and date.  That was all that was requested.  This particular WISP has about
450 customers, and about 225 of those are using private IPs that are natted
at the border.  It so happened that the IP we were requested information
about was the NAT IP.  I called the officer who had requested the data and
explained the situation to him.  After an hour or so, he understood that
there is nothing we could do without more information.  The case was an
ongoing thing, and he was tracking contact to a specific website, so we were
able to determine a specific customer who was using that website.  We did
not tell the officer who it was, but we DID explain how he needed to word
his subpoena so that we COULD get him what he wanted.  After he got the
legal jargon to match the technical requirements of our capabilities, we
were able to capture and provide him with the communications he was needing.

2. The next 3 were related to one another (sort of).  In this case, the
subpoena asked for customer billing records and login information for the
past year for 3 IP addresses.  We had part of this information (this WISP
used public IP addresses for all his customers).  Since the subpoena
requested historical information, we were somewhat limited in what we could
provide, but we did get the required information and LEA was happy.

3. The other 2 were not related but were similar.  They asked for telephone
information that the targets made between a couple of dates in the past.
Since the WISPs in both cases were not the provider of the VoIP (they were
just the transport) service, we explained to the LEA that the information
they are seeking would not be available at the WISP.  Eventually they went
elsewhere for their information (I guess), but the WISPs, in the end, did
not provide ANY customer data to the LEA.

The point I am making here is that all of the information requested in all 3
cases, was easily obtainable using equipment available within the WISP
networks already.  We used information that the Mikrotik and/or Imagestream
enabled us to gather, log files and RADIUS logs to gather login information
and capturing of data along with their business records to answer all 6
subpoenas (7 if you count the one that had to be re-done).

In all cases, the law enforcement officer who was our first contact was not
technically capable of understanding what they wanted/needed, but without
fail, there WERE people at the agencies involved who were.  Of these
subpoenas, 3 were from the FBI, 2 were local LE and 1 was homeland security.

Incidentally, none of these WISPs spent any extra money to be compliant
(other than some legal work that had to be done).  Billing for my time cost
less than $350 (much less in some cases) to help gather necessary
information.  All of these (I think) ended up billing these costs to the LEA
and as far as I know, they got their direct expenses back.

I got another call today to assist with a subpoena and it got me thinking
about the others.  I just thought this information may be useful/educational
to some on this list.

--
Butch Evans
Network Engineering and Security Consulting
573-276-2879
http://www.butchevans.com/
My calendar: http://tinyurl.com/y24ad6
Training Partners: http://tinyurl.com/smfkf Mikrotik Certified Consultant
http://www.mikrotik.com/consultants.html


----------------------------------------------------------------------------
----
WISPA Wants You! Join today!
http://signup.wispa.org/
----------------------------------------------------------------------------
----
 
WISPA Wireless List: wireless@wispa.org

Subscribe/Unsubscribe:
http://lists.wispa.org/mailman/listinfo/wireless

Archives: http://lists.wispa.org/pipermail/wireless/
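
Added example, not part of the original e-mails: a Python sketch of why the first request (an IP plus a time) could be answered for a public address but not for the NAT address until a destination was also named. The addresses, usernames, record layouts and the existence of a border connection log are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample data: documentation address ranges, made-up usernames.
NAT_PUBLIC_IP = "203.0.113.1"            # address named in the request
NAT_POOL = ip_network("10.0.0.0/16")     # private range translated at the border

# RADIUS accounting sessions: (username, framed IP, start, stop or None if open)
SESSIONS = [
    ("cust-a", "10.0.0.11", "2007-11-01 08:00", "2007-11-01 23:00"),
    ("cust-b", "10.0.0.12", "2007-11-01 09:30", None),
    ("cust-c", "198.51.100.7", "2007-11-01 07:00", "2007-11-01 12:00"),
    ("cust-d", "198.51.100.7", "2007-11-01 12:05", None),
]

# Border connection log (assumed to exist): (time, private source, destination)
CONNECTIONS = [
    ("2007-11-01 10:15", "10.0.0.11", "192.0.2.80"),
    ("2007-11-01 10:16", "10.0.0.12", "192.0.2.25"),
]

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def active_sessions(when):
    """Yield (username, ip) for every accounting session open at `when`."""
    at = ts(when)
    for user, ip, start, stop in SESSIONS:
        if ts(start) <= at and (stop is None or at <= ts(stop)):
            yield user, ip

def resolve(ip, when, dest=None, window=timedelta(minutes=5)):
    """Return the sorted usernames consistent with the request."""
    online = list(active_sessions(when))
    if ip != NAT_PUBLIC_IP:
        # Public address: IP plus time is enough to pick one session.
        return sorted(u for u, sip in online if sip == ip)
    behind_nat = {sip: u for u, sip in online if ip_address(sip) in NAT_POOL}
    if dest is None:
        # NAT address alone: every natted customer online then is a candidate.
        return sorted(behind_nat.values())
    at = ts(when)
    # A named destination lets the connection log pick the private source.
    sources = {src for t, src, dst in CONNECTIONS
               if dst == dest and abs(ts(t) - at) <= window}
    return sorted(behind_nat[s] for s in sources if s in behind_nat)
```
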


