Re: What's the best way to wiretap a network?
Sean Donelan wrote:
Assuming lawful purposes, what is the best way to tap a network undetectable to the surveillance subject, not missing any relevant data, and not exposing the installer to undue risk?
'Best' rarely has a straight-forward answer. ;-) Lawful access is subject to many of the same scaling issues which we confront in building up our networks. Solutions which can work well for 'small' access or hosting providers may not be sensible for larger scale environment. If you have only a low rate of warrants to process per year, and if your facilities are few in number and/or geographically close together, and if your 'optimum' point of tap insertion happens to be a link which can be reasonably traced without very expensive ASIC-based gear and if your operation can tolerate breaking open the link to insert the tap, and if the law enforcement types agree that the surveillance target is unlikely to notice the link going down to insert the tap... then in-line taps such as Finisar or NetOptics can be quite sensible. If your operation can tolerate the continuing presence of the in-line tap and you only ever need a small number of them then leaving the taps permanently installed may be entirely reasonable. On the other hand, if your environment consists of a large number (100's) of potential tapping points, then you will quickly determine that in-line taps have very poor scaling properties. a) They are not rack-dense b) They require external power warts c) They are not cheap (in the range of US$500 each) d) Often when you have that many potential tapping points, you are likely to be processing a larger number of warrants in a year. An in-line tap arrangement will require a body to physically install the recording equipment and cables to the trace-ports on the tap. You may also need to make room for more than one set of recording gear at each site. Large-scale providers will probably want to examine solutions based on support built directly into their traffic-carrying infrastructure (switches, routers.) You should be watchful for law enforcement types trying dictate a 'solution' which is not a good fit to your own business environment. There are usually several ways of getting them the data which they require to do their jobs. Eriks --- Eriks Rugelis -- Senior Consultant Netidea Inc. Voice: +1 416 876 0740 63 Charlton Boulevard, FAX: +1 416 250 5532 North York, Ontario, E-mail: eriks@netideainc.ca Canada M2M 1C1 PGP public key is here: http://members.rogers.com/eriks.rugelis/certs/pgp.htm
Scott C. McGrath On Tue, 20 Jan 2004, Eriks Rugelis wrote:
Sean Donelan wrote:
Assuming lawful purposes, what is the best way to tap a network undetectable to the surveillance subject, not missing any relevant data, and not exposing the installer to undue risk?
'Best' rarely has a straight-forward answer. ;-)
Lawful access is subject to many of the same scaling issues which we confront in building up our networks. Solutions which can work well for 'small' access or hosting providers may not be sensible for larger scale environment.
If you have only a low rate of warrants to process per year, and if your facilities are few in number and/or geographically close together, and if your 'optimum' point of tap insertion happens to be a link which can be reasonably traced without very expensive ASIC-based gear and if your operation can tolerate breaking open the link to insert the tap, and if the law enforcement types agree that the surveillance target is unlikely to notice the link going down to insert the tap...
then in-line taps such as Finisar or NetOptics can be quite sensible.
If your operation can tolerate the continuing presence of the in-line tap and you only ever need a small number of them then leaving the taps permanently installed may be entirely reasonable.
On the other hand, if your environment consists of a large number (100's) of potential tapping points, then you will quickly determine that in-line taps have very poor scaling properties. a) They are not rack-dense b) They require external power warts c) They are not cheap (in the range of US$500 each) d) Often when you have that many potential tapping points, you are likely to be processing a larger number of warrants in a year. An in-line tap arrangement will require a body to physically install the recording equipment and cables to the trace-ports on the tap. You may also need to make room for more than one set of recording gear at each site.
Large-scale providers will probably want to examine solutions based on support built directly into their traffic-carrying infrastructure (switches, routers.)
Using cisco's feature set on a uBR it would be cable intercept interface x/y <Target MAC> <Logging Server IP> <port> as an example of lawful access on infrastructure equipment
You should be watchful for law enforcement types trying dictate a 'solution' which is not a good fit to your own business environment. There are usually several ways of getting them the data which they require to do their jobs.
Eriks --- Eriks Rugelis -- Senior Consultant Netidea Inc. Voice: +1 416 876 0740 63 Charlton Boulevard, FAX: +1 416 250 5532 North York, Ontario, E-mail: eriks@netideainc.ca Canada M2M 1C1
PGP public key is here: http://members.rogers.com/eriks.rugelis/certs/pgp.htm
Eriks Rugelis wrote:
On the other hand, if your environment consists of a large number (100's) of potential tapping points, then you will quickly determine that in-line taps have very poor scaling properties. a) They are not rack-dense b) They require external power warts c) They are not cheap (in the range of US$500 each) d) Often when you have that many potential tapping points, you are likely to be processing a larger number of warrants in a year. An in-line tap arrangement will require a body to physically install the recording equipment and cables to the trace-ports on the tap. You may also need to make room for more than one set of recording gear at each site.
This is a feature, not a bug. Law enforcement is required to pay -- up front -- all costs of tapping. No pay, no play.
Large-scale providers will probably want to examine solutions based on support built directly into their traffic-carrying infrastructure (switches, routers.)
You should be watchful for law enforcement types trying dictate a 'solution' which is not a good fit to your own business environment. There are usually several ways of getting them the data which they require to do their jobs.
Whatever they are willing to pay for -- a good fit for the business environment is the largest effort and highest cost, as the overhead and administrative charges should enough to be profitable. -- William Allen Simpson Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
In message <400D9745.76839304@greendragon.com>, William Allen Simpson writes:
Eriks Rugelis wrote:
On the other hand, if your environment consists of a large number (100's) of potential tapping points, then you will quickly determine that in-line taps have very poor scaling properties. a) They are not rack-dense b) They require external power warts c) They are not cheap (in the range of US$500 each) d) Often when you have that many potential tapping points, you are likely to be processing a larger number of warrants in a year. An in-line tap arrangement will require a body to physically install the recording equipment and cables to the trace-ports on the tap. You may also need to make room for more than one set of recording gear at each site.
This is a feature, not a bug. Law enforcement is required to pay -- up front -- all costs of tapping. No pay, no play.
Right, at least in the U.S. See section 4(e) of http://www4.law.cornell.edu/uscode/18/2518.html --Steve Bellovin, http://www.research.att.com/~smb
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2004-01-20, at 22.19, Steven M. Bellovin wrote:
In message <400D9745.76839304@greendragon.com>, William Allen Simpson writes:
Eriks Rugelis wrote:
On the other hand, if your environment consists of a large number (100's) of potential tapping points, then you will quickly determine that in-line taps have very poor scaling properties. a) They are not rack-dense b) They require external power warts c) They are not cheap (in the range of US$500 each) d) Often when you have that many potential tapping points, you are likely to be processing a larger number of warrants in a year. An in-line tap arrangement will require a body to physically install the recording equipment and cables to the trace-ports on the tap. You may also need to make room for more than one set of recording gear at each site.
This is a feature, not a bug. Law enforcement is required to pay -- up front -- all costs of tapping. No pay, no play.
Right, at least in the U.S. See section 4(e) of http://www4.law.cornell.edu/uscode/18/2518.html
From the initial discussions in Sweden around the new electronic communications act, it seems as if the operators are obliged to provide tapping free of charge. If this turns out to be the case, I guess it is pretty much the same all over Europe as the law is supposed to be based on a EU framework. - - kurtis - -----BEGIN PGP SIGNATURE----- Version: PGP 8.0.3 iQA/AwUBQA43VaarNKXTPFCVEQLymQCgtgsN2rvN5zZ2lsbBTvi9VNnXYS8AoJyL 8z7bI+SOn3g4aGAb2lh6S2jk =XUQj -----END PGP SIGNATURE-----
On 21.01 09:24, Kurt Erik Lindqvist wrote:
From the initial discussions in Sweden around the new electronic communications act, it seems as if the operators are obliged to provide tapping free of charge. If this turns out to be the case, I guess it is pretty much the same all over Europe as the law is supposed to be based on a EU framework.
Slightly off topic: This is being fought by ISPs and civil rights groups all over the place here. It is amazing how much brain-damage is defended by "EU Framework" these days. It is also amazing how much national politicians and pressure groups can assert things about *neighboring* countries that are blatantly wrong or totally out-of-date. In the EU political structures and processes still have to be built; it is a new thing. Daniel
In article <468B1BFA-4BEB-11D8-BCF8-000A95928574@kurtis.pp.se>, Kurt Erik Lindqvist <kurtis@kurtis.pp.se> writes
From the initial discussions in Sweden around the new electronic communications act, it seems as if the operators are obliged to provide tapping free of charge. If this turns out to be the case, I guess it is pretty much the same all over Europe as the law is supposed to be based on a EU framework.
There's nothing in the new EU Communications Framework (or indeed elsewhere in EU law) that controls whether or not operators can charge for wiretaps. It's a country by country thing. Complicated by some countries that claim to re-imburse, actually being chronically bad at paying the invoices. In the UK, for example, the current situation is that running costs are re-imbursed, and network upgrades to be wire-tap ready can benefit from a one-off grant (but new networks must be designed to be wire-tap ready at the operator's expense). -- Roland Perry
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 (Although I now what the NA...stands for I have to ask)
From the initial discussions in Sweden around the new electronic communications act, it seems as if the operators are obliged to provide tapping free of charge. If this turns out to be the case, I guess it is pretty much the same all over Europe as the law is supposed to be based on a EU framework.
There's nothing in the new EU Communications Framework (or indeed elsewhere in EU law) that controls whether or not operators can charge for wiretaps. It's a country by country thing. Complicated by some countries that claim to re-imburse, actually being chronically bad at paying the invoices.
So the EU part is only the tapping requirement? The charging scheme is local? Or did I miss all of this? - kurtis - -----BEGIN PGP SIGNATURE----- Version: PGP 8.0.3 iQA/AwUBQBC5ZKarNKXTPFCVEQIXMgCgx9GfYC+KS43lvfqUAW94bwRGH8sAoLk7 Pss7/MQctcapaNOWAL0Au6V1 =Ei2W -----END PGP SIGNATURE-----
In article <FA668400-4D69-11D8-BCF8-000A95928574@kurtis.pp.se>, Kurt Erik Lindqvist <kurtis@kurtis.pp.se> writes
(Although I now what the NA...stands for I have to ask)
Plenty of NANOs will have bits of network in the EU (or indeed within the remit of the Cybercrime Convention which the USA has signed but not ratified).
So the EU part is only the tapping requirement? The charging scheme is local? Or did I miss all of this?
EU law tends to say things about privacy, human rights, and so on. It outlaws wiretaps, but then has exemptions to allow individual states to pass wiretap laws if they feel there's a law enforcement need. Nothing about cost recovery. The Cybercrime Convention (a Treaty of the Council of Europe - which is not the EU - and not a law in its own right) has an article (#21) *requiring* ratifying states [1] to implement wiretapping, but is also silent on the cost recovery issue, which would be a matter for the individual state's legislature. [1] Only 4 relatively minor states so far, so the Treaty isn't even in force yet: http://conventions.coe.int/Treaty/EN/searchsig.asp?NT=185&CM=&DF= -- Roland Perry
On Tue, 20 Jan 2004, William Allen Simpson wrote:
This is a feature, not a bug. Law enforcement is required to pay -- up front -- all costs of tapping. No pay, no play.
Oh, I wish, I wish.... In NL, law dictates any telecommunicatins device (as defined amongst things as "anything with an IP address") neds to be tappable. Infrastructure costs are not reimbursed. Only operational costs for enabling/disabling are reimbursed here. Paul, who wished he was at a certain IX when the LEA's came and asked for *all* traffic.
participants (8)
-
Daniel Karrenberg
-
Eriks Rugelis
-
Kurt Erik Lindqvist
-
Paul Wouters
-
Roland Perry
-
Scott McGrath
-
Steven M. Bellovin
-
William Allen Simpson