At DEFCON, Tony Kapela and Alex Pilosov demonstrated a drastic weakness in the Internet's infrastructure that had long been rumored, but wasn't believed practical. They showed how to hijack BGP (the border gateway protocol) in order to eavesdrop on Net traffic in a way that wouldn't be simple to detect. Quoting: "'It's at least as big an issue as the DNS issue, if not bigger,' said Peiter 'Mudge' Zatko, noted computer security expert and former member of the L0pht hacking group, who testified to Congress in 1998 that he could bring down the internet in 30 minutes using a similar BGP attack, and disclosed privately to government agents how BGP could also be exploited to eavesdrop. 'I went around screaming my head about this about ten or twelve years ago... We described this to intelligence agencies and to the National Security Council, in detail.' The man-in-the-middle attack exploits BGP to fool routers into re-directing data to an eavesdropper's network."Note that the US Government knows since 1998 how to eavesdrop without being noticed.
Wednesday, 27 August 2008
The Internet's Biggest Security Hole Revealed
Slashdot runs the following story:
Thursday, 14 August 2008
UK Gov't Proposes Massive Internet Snooping, Data Storage
Slashdoted story on PC Pro UK:
The Government will store "a billion incidents of data exchange a day" as details of every text, email and browsing session in the UK are recorded under new proposals published yesterday.
The information will be made available to police forces in order to crack down on serious crime, but will also be accessible by local councils, health authorities and even Ofsted and the Post Office.
Tuesday, 5 August 2008
Information is "imported" can now be intercepted without a warrant
Shameless copy paste from http://www.cs.columbia.edu/~smb/blog/2008-07/2008-07-10.html
FISA and Border Searches of Laptops
10 July 2008
There's been a lot of attention paid recently to the issue of laptop searches at borders, including a congressional hearing and a New York Times editorial. I've seen articles with advice on how to protect your data under such circumstances; generally speaking, the advice boils down to "delete what you can, encrypt the rest, hope that Customs officials don't compel production of your key, and securely clean up the deleted files". If you need sensitive information while you're traveling, the usual suggestion is to download it over a secure connection, per the EFF:
Another option is to bring a clean laptop and get the information you need over the internet once you arrive at your destination, send your work product back, and then delete the data before returning to the United States. Historically, the Foreign Intelligence Surveillance Act (FISA) generally prohibited warrantless interception of this information exchange. However, the Protect America Act amended FISA so that surveillance of people reasonably believed to be located outside the United States no longer requires a warrant. Your email or telnet session can now be intercepted without a warrant. If all you are concerned about is keeping border agents from rummaging through your revealing vacation photos, you may not care. If you are dealing with trade secrets or confidential client data, an encrypted VPN is a better solution.
But is it?
When a laptop is searched, the customs agents are not looking for drugs embedded in the batteries or for whether or not the connectors have too much gold on the contacts. Rather, they're looking for information.
In that sense, it would seem to make little difference if the information is "imported" into the US via a physical laptop or via a VPN, or for that matter by a web connection. The right to search a laptop for information, then, is equivalent to the right to tap any and all international connections, without a warrant or probable cause. (More precisely, one always has a constitutional protection against "unreasonable" search and seizure; the issue is what the definition of "unreasonable" is.)
Subscribe to:
Posts (Atom)