Has fingers directly in servers of top Internet content companies,
dates to 2007. Happily, none of the companies listed are transport
networks:
Cheers,
-- jra
I've always just assumed that if it's in electronic form,
someone else is either reading it now, has already read
it, or will read it as soon as I walk away from the screen.
Much less stress in life that way. 
Matt
> Has fingers directly in servers of top Internet content companies,
> dates to 2007. Happily, none of the companies listed are transport
> networks:I've always just assumed that if it's in electronic form, someone else is either
reading it now, has already read it, or will read it as soon as I walk away from
the screen.
So, you are comfortable just giving up your right to privacy? It's just the way it is?
I'm sorry, I am not as accepting of that fact as you are. I am disappointed and disgusted that this is, and has been, going on. Our government is failing us.
complacency is always the easiest path.
many abuse@ mailboxes follow the same policy.
-Dan
Things like PGP, TrueCrypt, and Tor help a lot in leveling the
playing field at least somewhat.
But I'm sure you all knew that already.
Agreed. I can already pretty much just assume this widespread
surveillance is going on.
The Bluffdale, Utah facility isn't being built to store nothing.
It's happening whether we like it or not.
When I care about my privacy, I know that I have to take matters into
my own hands.
GnuPG and TLS are mine and your friends. Use them together. Use them in peace.
Cheers,
jof (0x8F8CAD3D)
Knowing its going on, knowing nothing online is secret != OK with it, it
mealy understand the way things are.
-jim
Could you be certain that TWC, Comcast, Qwest/CenturyLink could not be
involved?
Pay attention. None of the ones *listed* are transport networks.
Doesn't mean they're not involved but unlisted (as of yet).
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[ ..... ] Happily, none of the companies listed are transport
networks:
Could you be certain that TWC, Comcast, Qwest/CenturyLink could not be
involved?Pay attention. None of the ones *listed* are transport networks.
Doesn't mean they're not involved but unlisted (as of yet).
Umm... CALEA. They've *already* had access for quite some time.
Jeff
While there's a whole political aspect of electing people who pass better laws, NANOG is not a political action forum.
However many of the people on NANOG are in positions to affect positive change at their respective employers.
- Implement HTTPS for all services.
- Implement PGP for e-mail.
- Implement S/MIME for e-mail.
- Build cloud services that encrypt on the client machine, using a key that is only kept on the client machine.
- Create better UI frameworks for managing keys and identities.
- Align data retention policies with the law.
- Scrutinize and reject defective government legal requests.
- When allowed by law, charge law enforcement for access to data.
- Lobby for more sane laws applied to your area of business.
The high tech industry has often made the government's job easy, not by intention but by laziness. Keeping your customer's data secure should be a proud marketing point.
*Vladis: * </sarcasm on> I thank you for waking me up in class! I am
impressed - your finely tuned language hair "has picked-up" the
distinctions. Further, I am quite certain that the "listing" will be
more inclusive/explicative in the next round. </sarcasm off>
/************************************************
* Dr. Robert Mathews, D.Phil.
* Distinguished Senior Research Scholar
* National Security Affairs & U.S Industrial Preparedness
* Office of Scientific Inquiry and Applications
* University of Hawai'i
* Secure Messaging/Voice/Video available/
However many of the people on NANOG are in positions to affect positive change at their respective employers.
- Implement HTTPS for all services.
- Implement PGP for e-mail.
- Implement S/MIME for e-mail.
- Build cloud services that encrypt on the client machine, using a key that is only kept on the client machine.
- Create better UI frameworks for managing keys and identities.
- Align data retention policies with the law.
- Scrutinize and reject defective government legal requests.
- When allowed by law, charge law enforcement for access to data.
- Lobby for more sane laws applied to your area of business.
Being an AGENT or AGENCY of Change is not an activity most are CAPABLE
of effectively thinking about, let alone acting upon. The act of
effectively initiating change will take far more than passing a few
emails, memos, or having a few lengthy conversation at the water
cooler. Implementation of some, most, or all of the offered
suggestions - while good (even essential), involves wholistic thinking,
planning, proper budgeting, coordinating expertise and tasking - well
beyond present day operational limits for a lot of shops.
The high tech industry has often made the government's job easy, not by intention but by laziness. Keeping your customer's data secure should be a proud marketing point.
Laziness aside, permit me to humbly note that emphasis on COMPLIANCE
(with sane or insane laws) alone, neither ENSURES, nor ASSURES security
for oneself or one's customers.
All the best
/--
AFAIK, CALEA doesn't by default collect data for everyone on their network.
You use the word 'access' which doesn't convey anything to me - a network
switch might have access to all the data on the network but you might only
see some of it.
Should law enforcement have easy access to some data? Absolutely. If my
phone is ever stolen, I want the next cop car driving by the thief's
location to retrieve my phone and pick up the thief. But I'd prefer some
fat dude in an office not see pictures my grandmother emails to me.
Is there a way to do both? Sure. The way I'd like it done is to make all
requests for data open and respond to FOIA requests within a month. Or,
easier option - any data LE requests goes online. This way, if you have a
reason to request data for a whole state and your family happens to live
there, you know that the conversation between your family will also be
publicly available so will be more likely to limit the scope.
Knowing its going on, knowing nothing online is secret != OK with it, it
mealy understand the way things are.While there's a whole political aspect of electing people who pass better laws, NANOG is not a political action forum.
However many of the people on NANOG are in positions to affect positive change at their respective employers.
- Implement HTTPS for all services.
not just externally exposed services --
or use some form of strong crypto on your inter-data center traffic.
<tinfoilhat>
Just wait until we find out dark and lit private fiber is getting vampired.
</tinfoilhat>
<tinfoilhat>
Just wait until we find out dark and lit private fiber is getting vampired.
</tinfoilhat>
well, that's exactly and the only thing what would not surprise me, given the eff suit
and mark klein's testimony about room 421a full of narus taps. mark klein is an
utterly convincing and credible guy on this subject of tapping transit traffic.
but the ability to assemble intelligence out of taps on providers' internal connections
would require reverse engineering the ever changing protocols of all of those providers.
and at least at one of the providers named, where i worked on security and abuse,
it was hard for us, ourselves, to quickly mash up data from various internal services
and lines of business that were almost completely siloed --
data typically wasn't exposed widely and stayed within a particular
server or data center absent a logged in session by the user.
were these guys scraping the screens of non-ssl sessions of interest in real time?
with asymmetric routing, it's hard to reassemble both sides of a conversation, say
in IM. one side might come in via a vip and the other side go out through the default
route, shortest path. only *on* a specific internal server might you see the entire
conversation. typically only the engineers who worked on that application would
log on or even know what to look for.
and also, only $20m/year? in my experience, the govt cannot do anything like this
addressing even a single provider for that little money.
and pretty much denials all around. so at the moment, i don't believe it.
(and i hope it's not true, or i might have to leave this industry in utter disgust
because i didn't notice this going on in about 8 years at that provider and it was
utterly contrary to the expressed culture.
take up beekeeping, or alcohol, or something.).
The "oh well, it happens, who cares, guess you need PGP" comments on
this thread are idiotic. Some of you would benefit from reading the text
of the 4th Amendment:
"The right of the people to be secure in their persons, houses, papers,
and effects, against unreasonable searches and seizures, shall not be
violated, and no Warrants shall issue, but upon probable cause,
supported by Oath or affirmation, and particularly describing the place
to be searched, and the persons or things to be seized"
The Washington Post mentioned some "safeguards"... but those were
pathetic. Why? They seemed to be similar to the following analogy:
"we'll keep that video camera in your home, recording your every move,
and we promise we'll close our eyes when reviewing the tape whenever it
shows you naked". THAT is essentially what they're saying. The access
described by both the Washington Post and The Guardian is essentially
unfettered/unmetered/unmonitored.
Just as a doctors take the "hippocratic oath" to maintain decent
standards which are to the benefit of modern civilization... shouldn't
IT/Networking/Internet professionals (NANOG readers!!!) have standards
that, hopefully, distinguishes us from... say... the State-run ISP of
North Korea.
And if these allegations are true... then...
I have a difficult time believing that there was no "quid pro quo"
involved. Especially since such companies risk a backlash and huge loss
of customers if/when this gets out. So I don't think they'd do this
without some kind of return in favor. Did they get special tax
treatment? Tarp money of any kind (maybe to a parent company)? Easing of
regulation enforcement?
If there was "quid pro quo", then what a bunch of F'ing whores, selling
their own customers down the river... to make a buck... and potentially
contributing to a future tyranny. Sure, the US government probably only
use this to catch the bad guys today... but what would a *corrupt*
adminstration do with such data in the future... stick the IRS on their
political enemies? (oh, wait, that just happened... hmmmm)
<tinfoilhat>
Just wait until we find out dark and lit private fiber is getting vampired.
</tinfoilhat>
I'm not even assuming it, I'm convinced. In Sweden, we have a law,
that makes what NSA/FBI did illegal while at the same time legalising,
after some scrutiny, the practice of tapping traffic that passes Sweden
and is not both originated by and destined to Swedes. . We're pretty
good at selling transit abroad. Eastward. Go figure. Combine that with
our NSA buddy, the FRA (http://www.fra.se) actively attempting to hire
WDM experience and there is enough circumstantial data that I'm convinced
it's being done.
Also, what agencies like NSA, GCHQ and FRA have done for ages is listening
to a broad spectrum of RF data with their aerials. Moving it into fiber
is just keeping pace with the technology.
Another historical fact is that the FRA has its roots in a extremely
successful wiretapping operation in WW2, where the German teleprinter
traffic between Norway (occupied) and Germany was passed on leased lines
through western Sweden. Cross-border wiretap.
In conclusion; I'm convinced.
> > Has fingers directly in servers of top Internet content companies,
> > dates to 2007. Happily, none of the companies listed are transport
> > networks:
>
> I've always just assumed that if it's in electronic form, someone else is either
> reading it now, has already read it, or will read it as soon as I walk away from
> the screen.So, you are comfortable just giving up your right to privacy? It's just the way it is?
If you want to exercise your right to privacy, use end to
end encryption and onion remixing networks to hamper
traffic analysis.
Everything else is for the hopelessly gullible.
I'm sorry, I am not as accepting of that fact as you are. I am disappointed and disgusted that this is, and has been, going on. Our government is failing us.
What government is this, kemo sabe? Nanog has a global audience.