
Wiretapping the Internet - pietrofmaggi
http://www.schneier.com/blog/archives/2010/09/wiretapping_the.html
======
ErrantX
This is the sort of thing that we get told will make my job easier.

Take it from the horse's mouth; complete crap.

Which is why you probably won't find anyone in the security or forensics
business that thinks this is a good solution.

One of my trainers told me something when I first started working on LE
cases. He pointed out that catching criminals can only be made so easy before
it becomes detrimental. And that point is either when the tools can be used by
anyone (i.e. not specialist investigators) or when the tools begin to
facilitate crime.

~~~
chris_l
Care to give us an example of your last point? I'm not sure what you're
getting at.

~~~
Hoff
Reducing the traditional ten-button numeric keypad for entering your access
code can be simplified for law enforcement use by removing nine of the
buttons.

Unfortunately, this LE optimization also eases the effort required by the
burglars.

Or requiring WEP encryption.

Or requiring that all passkeys be registered, and all be stored on an LE
database, and where a nefarious user can capture hundreds or thousands of
keys...

------
scrrr
If product x has a backdoor, this backdoor will also be used by bad people. It
can also be cracked and there will always be product y without a backdoor.
Don't the legislators see this? Or are criminals statistically really that
lazy that they will still use mobile phones even though they are compromised?

According to "The Wire" they often even put extra layers of encryption
security, anyway. Such behavior would make that legislation even more useless,
as it would indeed only target the innocent that don't take extra precautions.

~~~
chopsueyar
Are you talking about Season 1, crossing the fives?

~~~
pchristensen
Season 5 how Marlo arranges meets and pickups was a good example of extra
security.

 __SPOILER ALERT __

Marlo (the drug lord) sent picture messages of a clock to arrange meetings.
The hour and minute hands corresponded to the letter and number axes of a
common Baltimore map and the second hand tells what page. The dealers would
look up the coordinates on a map to find out where to meet. The cops broke it
because they had (illegal) wiretaps on _everyone's_ phones, and they had
illegally allocated lots of extra manpower to tail _all_ of the suspected drug
dealers around the clock.

 __END SPOILER __

~~~
SkyMarshal
Moral of the story: If you're a CEO or drug lord, too many meetings will kill
your business.

------
awakeasleep
Conspiracy theory: Whoever is behind this doesn't really want every company to
rewrite all their software with back doors.

Instead, a 'reasonable' request will be substituted after the initial uproar.

~~~
brlewis
That's no conspiracy theory. A conspiracy involves secret collaboration.

The well-known negotiation technique of anchoring is all that theory is. It
seems plausible to me.

~~~
awakeasleep
Do you have any idea where it could be leading? I've been thinking about it on
and off for the past few days but nothing comes to mind, I don't have enough
context to form any opinion.

I'd sure love to hear what Schneier thinks about it.

~~~
brlewis
I don't know where it's leading, or if it's even leading anywhere. For some
people, gaining power over others is an end unto itself, not a means leading
to some other end.

~~~
awakeasleep
I meant, what 'reasonable' thing will our government ask for after being
rebuked for this outrageous request?

------
zacharypinter
I particularly like his analogy:

"It's like the FBI demanding that no automobiles drive above 50 mph, so they
can more easily pursue getaway cars. It might or might not work -- but,
regardless, the cost to society of the resulting slowdown would be enormous."

~~~
xtho
You like the analogy because a speed limit of 50 would result in a decrease of
fatalities due to car accidents? I guess that's what he meant with "cost to
society" since IIRC more fatalities result in a higher gross national product.

~~~
uxp
I think the "cost to society" would be more directly attributed to the
increased time of travel for people and goods traveling on roadways.

The only increase in GDP that can be attributed to roadway accidents is due to
the spending of medical care, which often times is loaned or from insurance,
which is not a stable and reliable way to increase GDP over the long term.
Overall, fatalities decrease GDP.

~~~
xtho
> "cost to society" would be more directly attributed to the increased time of
> travel

That's probably what he meant but it's not necessarily how you have to read
the quote in the parent comment. I'm still not convinced that a speed limit of
50 would be a bad thing but maybe that's a cultural thing. My memories of my
economics class are fading so I cannot counter your argument about the
stability of the increase.

------
narrator
This reminds me of the clipper chip episode back during the Clinton
administration, except it's actually worse.

------
iuguy
Sniffing the open Internet. Yes, that's feasible to a point (where there isn't
more data sniffed than can be reasonably mined, or more data than can be
reasonably sniffed).

Putting backdoors into products is commercial suicide for any crypto company
to publicly acknowledge. If this goes through, then the simple way to view it
is that any product supported by the US for export cannot be assured against
having a backdoor.

In the UK, for the advanced crypto stuff, a government agency gives you key
material. They have the keys, that way if anything sensitive goes missing they
have the ability to attribute while recovering, but the crypto isn't exposed.
For everyone in the commercial world, well, you're on your own. There's more
than one way to skin a cat.

------
marstall
All the government is asking for here is a continuation of the status quo.
It's always had the ability to wiretap phones, but people don't use phones as
much anymore - they use IM, Facebook, etc. to hatch their devious plots.

Wiretapping - analog or digital - requires a judge's approval in this country.
Sure, it can be abused. But do we in the IT world really want to be providing
an untraceable means of communication for the next 9/11 bombers? Or, for that
matter, white collar criminals, bank robbers, etc.?

To me, providing checks and balances on the government's ability to snoop on
civilians' lives shouldn't be a technology arms race. It should be based on an
civilians lives shouldn't be a technology arms race. It should be based on an
engaged citizenry that keeps watch on its elected officials, making sure they
are acting within the law.

~~~
abalashov
_But do we in the IT world really want to be providing an untraceable means of
communication for the next 9/11 bombers? Or, for that matter, white collar
criminals, bank robbers, etc.?_

Yes, we do.

Sometimes it is an inevitable consequence of the march of technological
progress that certain legal and civil artifacts of previous eras must fall
away, and we need to let that run its natural course, instead of trying to put
up pointless and ineffectual -- but costly and frightening -- bureaucratic
boondoggles in its way.

As various articles on the subject have pointed out, it's fundamentally
antithetical to the decentralised core architecture of the Internet and the
whole technology stack on which it is founded to have tap points like this, as
if it had the hierarchical and highly centralised, despotic technical,
political and economic properties of the public switched telephone network
(PSTN).

There's no getting around the changes that it brings: unprecedentedly powerful
encryption in the hands of ordinary consumers, complicated encapsulation and
tunneling schemes, a great deal of indirection and ad-hoc, peer-to-peer
negotiation. We will just have to live with the fact that secure end-to-end
electronic communication that is not accessible by law enforcement is
available to anyone who _really_ wants it. For the most part, this is good
news for privacy, civil rights and protection from information crime; in a few
extremely marginal cases, like terrorist plotters and whatnot, this is bad,
but we can't have our cake and eat it too. Trying to stop it in the manner
proposed is a pointless waste of time.

But as we all know, these ideas can still exact crippling costs in money, time
and energy when government imposes bureaucratic requirements, especially when
they are so anachronistic (as they are, in this case) as to be instantly
relegated to the realm of the symbolic. Nobody can realistically comply with
the aims of this initiative, but depending on how far it goes, everyone will
have to go through the motions of compliance, as we do with so many other
narrowly conceived regulations thought up by idiot politicians that are wildly
out of phase with actually-existing technical reality. It reminds me of the
phrase "we pretend to work, and they pretend to pay us" from my native USSR.

As we repeatedly see, small companies have the most to lose, because they
don't have nearly as many resources to sustain certain manifold illusions or
charades that private business has to sustain in relation to the on-paper
regulatory demands of innumerable government agencies and oversight bodies.
When government dreams up something like CALEA, it's a lot like SOX; the
amount of paper-pushing, slippery abstraction and byzantine process
engineering in the resulting specification is something that, provided
compliance to the letter is even logically possible, only big companies that
operate processes on an enormous scale (and with enormous liquidity!) can
stand to implement. Everybody else, virtually by definition, is just too poor to
play in the Big Boys' pond. It's still a meaningless boondoggle that doesn't
actually accomplish anything concretely useful, but, for example, ILECs like
AT&T, Verizon, Qwest, etc. can at least appear to comply.

It also paves the way to selective enforcement for purposes of extortion or
official harassment, and the various other well-known consequences of making
implausible laws.

~~~
marstall
Well - it's also possible to scramble calls on the PSTN network, but criminals
often don't avail themselves of this ability. Which is presumably also the
case on the internet. Hence a 'basic' level of IP wiretapping would still be
useful to crime investigators.

~~~
abalashov
They already have the basic. What they are terrified of is precisely that
technological change and decentralisation have compromised their ability to do
"non-basic" wiretapping, and want to roll back those gains.

Also, scrambling calls on the PSTN requires somewhat non-ubiquitous - if not
necessarily any longer prohibitively expensive - acoustic coupling equipment.
By comparison, PGP, VPNs, and TLS are much easier for an average person to
use. To some extent, everyone uses these things whether they consciously
sought to or not, at least in the case of TLS certainly.

