[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FYI] (Fwd) FC: Reply from Dutch technologist to column about Cisco,
------- Forwarded message follows -------
Date sent: Wed, 23 Apr 2003 12:00:21 -0400
To: politech@politechbot.com
From: Declan McCullagh <declan@well.com>
Subject: FC: Reply from Dutch technologist to column about Cisco,
wiretapping
Copies to: paul@xtdnet.nl, gnu@toad.com
Send reply to: declan@well.com
[Lots of details and interesting suggestions. Keep reading. --Declan]
---
Date: Wed, 23 Apr 2003 15:35:23 +0200 (MET DST)
From: Paul Wouters <paul@xtdnet.nl>
To: Declan McCullagh <declan@well.com>
cc: Fred Baker <fred@cisco.com>, John Gilmore <gnu@toad.com>
Subject: Re: FC: Weekly column: Cisco's wiretapping plans, int'v with
Fred Baker
Declan,
I am a concerned Dutch citizen, keeping a public eye on the
wiretapping situation there, especially since we were, until Cisco
announced their plans, far "ahead" of the world (even before 9-11).
Articles I have written on this subject are availble online, often in
dutch and English, and include:
http://www.fnl.nl/ct-nl/archief2001/ct2001-06/ct200106032033.htm
(Dutch) http://www.opentap.org/ct/ct.aftappen-eng.html (English)
http://www.fnl.nl/ct/archief2002/ct2002-12/aftappen.htm (English)
http://www.opentap.org/ccc/ (English)
In response to your article "Inside Cisco's eavesdropping apparatus"
on http://news.com.com/2010-1071-997528.html?tag=fd_nc_1 I have a few
comments to make:
First you quote Baker saying:
> We've had direct contact with the FBI and other agencies. When I
was in > Holland I (spoke at a conference with the head of the
equivalent of the > country's Central Intelligence Agency). The fact
that he came out and > said something made the 8 o'clock news. I had
a meeting with him and > some of his people a few days later to
figure out what he wanted and > what he intended to do with this. As
an engineer I wanted to understand > a customer's problem.
The 8 o'clock newsitem Baker is referring to can be seen at:
http://www.xtdnet.nl/paul/fb.mpg
Only the introduction is Dutch, the remainder is in English with Dutch
subtitles
Let me put this a bit in context though. Baker spoke at the ISOC
on januari 16, 2002. I was there as well. Baker explained that any
wiretapping technology should not go into the protocols (eg TCP/IP)
themselves, because it would make the internet infrastructure weaker.
It is the same argument as the Clipper chip. Backdoors are bad. Escrow
keys leaking out would mean an international disaster. Baker, or
rather the IETF, made a conscious decision not to weaken the
protocols, even though the LEA's (Lawful Enforcement Agencies) wanted
this. Baker did acknowledge that some sort of wiretapping needed to
exist for those LEA's. But he would not comment on what he or Cisco
deemed to be the solution, except that Cisco was working on it.
The boasting of our Dutch CIA being present is really out of context.
Our intelligence agencies have been going through various
reorganisation rounds, with the Old generation leaving (Dr. van
Leeuwen) and new people settling in. Veenstra was just doing some PR
for the BVD. Both the military intelligence and the civil intelligence
units had ben revamped, now called MIVD (Militaire Inlichtingen en
Veiligheids Dienst) and AIVD (Algemene Inlichtingen en Veiligheids
Dienst). Note the difference between "binnelandse" (Internal affairs)
and "algemene" (generic). By now, we also know that our government
"needed" more and better SIGINT to protect against fundamentalists and
terrorists. A new organisation, the NSO (Nationale SIGINT Organisatie)
was setup to cater for those post 9-11 worries.
All that Veenstra said that day was that they had an "extreme focus on
terrorist activity". That took about 10 to 15 minutes. How ironic
that only four months later Pim Fortuyn, the leader of the new
political party LPF that rose from nothing to become the second
largest political party in the Netherlands, was shot dead.
Unfortunately, the secret nature of LEA's can explain both failure and
success as a reason for more power and money.
One of the other things I would like to comment on is Baker's remark
in the news item that he didn't believe "new laws were being made". I
think by now it has become quite obvious that all Western governments
are quickly morphing into a police state. Though I will let others
comment on the "no new laws" statement Baker made regarding the US
situation, I will comment on the Dutch situation. In the last four
years, most of the "temporary laws" (In Dutch "nood-verordeningen")
protecting big events such as the Eurpoean soccer Championship or our
Royal Wedding are still in place. Any engineer walking in the center
of Amsterdam after 7pm officially violates one of these laws if he
carries a screwdriver with him. In the entire downtown area of
Rotterdam and Amsterdam you can be "preventatively searched". Without
any cause or suspicion. By being in the center of Amsterdam you must
be a criminal.
But let me get back onto the topic of wiretapping. We now know Cisco
would like to implement a wiretapping solution in their hardware,
instead of in the protocols. From a first cursory glance over the
document, it seems that Baker's draft complies with the ETSI norm. The
Netherlands already has such a system in place. It is called Transport
of Intercepted IP Traffic (TIIT) of which the (secret!) specifications
can be found on http://www.opentap.org/ The one line explanation of
the system is "Digitally signed XML warrant goes in, tapping data
comes out". The government stressed that it would never automate
tapping without involvig the ISP.
The experiences with this system are currently fairly limited. The
government is tapping about 100kb continiously, with peaks going to
0.5 to 1 mbit. These figures are based on their public router
statistics. Bits of Freedom (www.bof.nl) tried to obtain numbers on
the telephone and internet taps using the Dutch version of the Freedom
of Information Act, but despite a government reimbursement system for
telco's, it claimed it had no central registration of these taps, the
government didn't want or need these numbers themselves, and therefor
these numbers do not exist, and cannot be obtained by worried
citizens.
NLIP (www.nlip.nl), the Dutch branche organisation of ISP's, has a
long history of behind doors negotiations with the government on
behalve of their members. The government swept away their 'demands'.
So they have foccused their effords on making tapping as cheap as
possible for their members instead (while publicly not stating that
they are no longer "nationally involved". Unfortunately, they do still
seem to be used as an excuse by the government to claim "they are
talking to the ISPs". This kind of conflict of interest (ISP's
involved in law making only secondary to their own reduction of
expenses) is very dangerous. Two weeks ago I also learned, indirectly
through this NLIP, that the government is writing up a decree (Dutch:
"Algemene Maatregel van Bestuur"), that is, a law that does not need
the aprovement of parlemant, that will allow LEA's to control the
tapping equiptment of ISP's remotely. The goal is to reduce the number
of people who know about a tap. The side effect (or one could argue
that this is in fact the intended effect) is that the legal system
will be bypassed completely. The ISP doesn't know when it is tapping
its customers, and cannot check the validity of the warrant. We will
just "have to trust them".
But can we? Only two months ago, the Dutch had their own version of
"FoxNews" when the program Zembla reported that the Dutch tapping room
is completely outsourced to a questionable Israeli company:
http://www.opentap.org/zembla/ (Dutch)
http://www.fnl.nl/ct/archief2002/ct2002-12/aftappen.htm
http://www.opentap.org/foxnews/
Comverse (sorry, Verint-systems) has to come in and
fix/repair/maintain the digital tapping rooms very regularly. They
hook up Hebrew keyboards and no one knows what they are doing. An
anonymous source within Comverse told c't magainze (www.fnl.nl/ct)
that 9.1GB Sony MO disks are used:
http://www.sony.net/Products/DataMedia/products/525MO/91GBMO.pdf And
that they can put 240 hour of conversations on one such MO using the
following codec: http://www.vidicode.nl/Dutch/scr_nl.htm
So even if our government means well, our data apparently leaks out
anyway. (Then again, the Wassenaar Agreement the Netherlands signed
includes Israel anyway, so Israel could just order their own taps from
our government anyway). But worse, the Zembla newsitem also showed
that the police had manipulated evidence. This became painfully
obvious when one of the "intercepted GSM phone calls" was heard pulse
dailing (Remember those days when dialing was done with a dial?)
I have long ago come to the conclusion that yes, tapping is a
neccessary evil. We need to accomodate this. But it is of vital
importance that tapping does NOT become an automatic system that only
involves LEA's. There is a valid reason that LEA's don't trust LEA's.
That is why they want to be able to tap each other, and that is the
reason for the ETSI demand for multiple parallel invisible taps. We
should not play their game. LEA's have their own, secret, agenda.
Back to Mr. Baker,
Mr Baker also mentions:
> What we're doing is putting the capability in a separate image so
you > know what you're getting when you get it. Under U.S. law, if
you have > that ability, you could be required to use it. Our service
provider > customers have asked us not to put it in the standard
image, so that > they can't be forced to use it.
Though this seems like a reasonable stance, let's not forget that a
far more important argument for Cisco is that putting a tapping image
in their Cisco's per default would cause two thirds of the worlds to
no longer buy Cisco. This is coming dangerously close to putting
"Trusted computing" into the router. I am sure it's trusted, but who
owns the device? It is of vital importance that any tapping
accomodating protocol is completely free and open, so that opensource
implementations can be written.
The solution?
In the TIIT specification, there is a special function to ensure
that the tap is still working properly. Ever 64 packets or 5 minutes,
a cryptographical checksum is generated by the tapping box over the
intercepted data, and also send to the LEA. This is to ensure the
integrity of the datastream to the LEA. I believe that the ISP should
not only be allowed, but should be forced to keep those checksums
themselves. Those can then later on be given to the courts to
determine any evidence tampering by the police. And it also ensures
that the ISP will always know about a tap in his network, and will
always have the means to check the legality of such a tap. I sincerely
hope Mr. Baker will add something similar into his Cisco's. If he does
not, ISP's will be prevented from checking the legality of warrants,
and on top of it they will face a rush of LEA's taking over their
Cisco's.
If we are not allowed to investigate the correctness of a warrant, nor
the proper functioning of our LEA's, then we might as well end the
charade of the courtroom and admit that we have chosen to live in a
police state.
Paul Wouters
Opentap
----------------------------------------------------------------------
--- POLITECH -- Declan McCullagh's politics and technology mailing
list You may redistribute this message freely if you include this
notice.
----------------------------------------------------------------------
--- To subscribe to Politech:
http://www.politechbot.com/info/subscribe.html This message is
archived at http://www.politechbot.com/ Declan McCullagh's photographs
are at http://www.mccullagh.org/ Like Politech? Make a donation here:
http://www.politechbot.com/donate/
----------------------------------------------------------------------
---
------- End of forwarded message -------
--
To unsubscribe, e-mail: debate-unsubscribe@lists.fitug.de
For additional commands, e-mail: debate-help@lists.fitug.de