So what is the real story here? Is all, most, some of our international Internet traffic being intercepted by various governments? Is it only international traffic that is at issue or is domestic traffic within the US subject to routine eavesdropping without a court order? For years I've been telling people that while there was some risk that traffic on the Internet could be intercepted, that the risk was greatest at the ends of a connection and that as long as they were working with a reputable ISP that there was almost no risk that anyone was eavesdropping on the traffic from the more central networks. I've also been telling people that data "at rest" on disks or stored in servers is much more at risk than data "in motion" as it moves across the Internet. Have I been misleading people? -Jeff Ogden Merit
From http://dailynews.yahoo.com/h/ap/20000223/wl/eu_espionage_1.html
Wednesday February 23 9:50 AM ET
Report Details Vast Spy Network
By CONSTANT BRAND Associated Press Writer
BRUSSELS, Belgium (AP) - A U.S.-led communications monitoring network is intercepting ``billions of messages per hour'' including telephone calls, fax transmissions and private e-mails, according to a European Parliament report made public Wednesday.
``We are not talking about a trivial thing here ... we cannot stop them, they will continue,'' said Duncan Campbell, author of the special parliament-commissioned report on the Echelon spy-network.
Campbell said that the intelligence network monitors and intercepts sensitive European-wide commercial communications. ``The level of use is getting out of control,'' he told a packed hearing of the Parliament's Committee for Justice and Home Affairs.
He said Canada, Britain, Australia and New Zealand are also involved in Echelon. Other nations including France and Germany also participate in a lower level in the spy-network which dates back 50 years to the beginning of the Cold War.
``The capacity of the filtering systems is enormous,'' Campbell said. He added that most international internet communications are being routed through the United States and through nine known U.S. National Security Agency interception sites.
Intelligence facilities located in the five countries can intercept fax, e-mail or telephone communications easily he said. Campbell urged the European Union to take action to protect against unwanted interception of communications, which he said were violations of human rights.
Committee chairman Graham Watson said he wanted to be sure the international surveillance system was not abusing its powers.
Campbell said Microsoft, IBM, and a certain ``large American microchip maker'' were providing certain product features which allow the interception of information flow.
Campbell said he did not know whether the U.S. corporations were benefiting from the information gathering but said previous commercial espionage resulted in the collapse of several European contracts in the airline industry - both military and commercial.
On Thu, Feb 24, 2000 at 08:21:13AM -0500, Jeff Ogden wrote:
So what is the real story here? Is all, most, some of our international Internet traffic being intercepted by various governments? Is it only international traffic that is at issue or is domestic traffic within the US subject to routine eavesdropping without a court order?
i have been operating under the assumption that someone, somewhere could be listening in on the traffic of the internet. it could be government (local or foreign). it could be a script kiddie that managed to weasel into a core facility without being noticed. it could be an employee of a core facility doing it on a whim. these days i don't imagine it would be difficult to weed through the traffic and narrow the focus down to individual users or groups of users. i guess the trick is to make sure that you don't become a target. either don't say/do anything that would make you a target or become more vigilant about using ssh/pgp/ssl/etc/etc in your communications.

-- [ Jim Mercer jim@reptiles.org +1 416 506-0654 ] [ Reptilian Research -- Longer Life through Colder Blood ] [ Don't be fooled by cheap Finnish imitations; BSD is the One True Code. ]
Duh. The various spook services and police agencies have ALWAYS had a tendency to "listen in". The problem is, most folks don't care. However, isn't this why you've killed telnetd, and most of inet.conf; forwarding all ports through SSH and firewalling the rest? Every packet on the network should be encrypted, even internal ones. This will devalue nonsense, like CALEA, to the level it deserves. Wire-tap won't do 'em much good when there is military-grade encryption on the line <grin>.
Well, in a worst case scenario passing around encryption software is as easy as warez is for the software pirates, so no government will ever stop people's privacy as long as there are outlaws that will stand up to tyrants. It is the case of history that the oppressed rise up against the masters; that is why our country now wants to disarm the nation before the criminals in the halls of Congress see A Second American Revolution for the Usurpation of the Constitution of These United States.

"Roeland M.J. Meyer" wrote:
Duh. The various spook services and police agencies have ALWAYS had a tendency to "listen in". The problem is, most folks don't care. However, isn't this why you've killed telnetd, and most of inet.conf; forwarding all ports through SSH and firewalling the rest? Every packet on the network should be encrypted, even internal ones. This will devalue nonsense, like CALEA, to the level it deserves. Wire-tap won't do 'em much good when there is military-grade encryption on the line <grin>.
-- Thank you; |--------------------------------------------| | Thinking is a learned process so is UNIX | |--------------------------------------------| Henry R. Linneweh
Jeff Ogden wrote:
So what is the real story here? Is all, most, some of our international Internet traffic being intercepted by various governments? Is it only international traffic that is at issue or is domestic traffic within the US subject to routine eavesdropping without a court order?
The US government has had listening devices at the MAEs/NAPs for years. They have also patented techniques for sorting and classifying conversations, which appear to be applicable to Internet traffic. As for other governments, haven't you heard Moscowitz's Chrysler story?
Have I been misleading people?
While Merit has done an admirable job internally of organizing its networks, so that customer traffic doesn't pass by client machines and would be difficult to monitor, other ISPs and companies are not so diligent. WSimpson@UMich.edu Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
: > So what is the real story here? Is all, most, some of our international Internet traffic being intercepted by various governments? Is it only international traffic that is at issue or is domestic traffic within the US subject to routine eavesdropping without a court order?
:
: The US government has had listening devices at the MAEs/NAPs for years. They have also patented techniques for sorting and classifying conversations, which appear to be applicable to Internet traffic.
:
: As for other governments, haven't you heard Moscowitz's Chrysler story?
:
: > Have I been misleading people?
:
: While Merit has done an admirable job internally of organizing its networks, so that customer traffic doesn't pass by client machines and would be difficult to monitor, other ISPs and companies are not so diligent.

Specifically, what have Merit, and presumably yourself, done that any reasonably clued ISP hasn't? Aside from responsible subnetting and standard non-intrusive filtering, what can be done? It seems to me that beyond that, the burden of safeguarding data falls on the end-user.

-brian
On Thu, 24 Feb 2000 23:03:44 EST, Brian Wallingford said:
Specifically, what have Merit, and presumably yourself, done that any reasonably clued ISP hasn't? Aside from responsible subnetting and standard non-intrusive filtering, what can be done? It seems to me that beyond that, the burden of safeguarding data falls on the end-user.
Sorry to preach to the choir, but... ;)

"reasonably clued" seems to be too much to ask from far too many ISPs. Smurf came along in what, 1996? And www.pulltheplug.com and www.netscan.org both are finding enough networks STILL vulnerable that they find it interesting to tabulate. The guys at pulltheplug.com found an x.x.131.63 address that returned 1,924 replies on a PING. Truly scary, that many hosts on a /26 ;) I truly hope that something is SERIOUSLY broken in pulltheplug's methodology, except... For bonus points, trying to 'dig' for the SOA for the PTR zone gets a 'servfail', although the x.x.130.x and x.x.132.x PTR SOA's map to the same ns.<nameremoved>.net machine.

You have to get down to 53rd on pulltheplug's list before you get to under 200 replies. And the guy hasn't started on arin/ripe/apnic allocated space yet.

If ISPs and users had clues, we wouldn't have as big a potential DDoS problem. Oh, and this just in: The network staff at JMU (a university up the road from us) have found an in-the-wild Windows trin00. Details at: http://www.jmu.edu/info-security/engineering/issues/wintrino.htm

And there's an estimated 76M hosts on the Internet. Probably 80% of them are Windows. It's gonna be a LONG summer, guys....

Valdis Kletnieks Operating Systems Analyst Virginia Tech
[ Lengthy, but it's not like I'd bother you daily. ,-) ] On Fri, 25 Feb 2000 Valdis.Kletnieks@vt.edu wrote:
Smurf came along in what, 1996? And www.pulltheplug.com and www.netscan.org both are finding enough networks STILL vulnerable that they find it interesting to tabulate.
Indeed. Though, smurf seems to be becoming too old-fashioned for people to bother using it anymore. At least here the greater problem is with DDoS, because no clear rulesets can be established to prevent it to the degree necessary as is obvious. I'm betting DDoS will become even more of a headache when IPv6 gains wider usage and simultaneously as taking advantage of the v4 smurf-amplifiers just won't do the job anymore. Kids seem to be finding their way to IPv6, just as well, as days pass. For a while it seemed like a puzzling security by obscurity thing when I transferred a bunch of my hosts to IPv6 only. Admittedly the tcp/ip-stack still wants a v4 IP, but that I have under 192.168.x and plays by itself no great risk. It was a setback of a kind for the people trying to pester the box, they would mostly have to stick to the easily modified tools that do not exploit any direct problems with the protocol, instead they just go for exhausting the CPU by bugging the services running on the box. That is - if they manage to get IPv6 set up for themselves. I'm very much thinking it's a good time for people to begin looking at IPv6 and its basics if all haven't done it yet. It would be a shame if the bad guys had been on the road with the protocol for longer than some of us. ,) Also, there's still time for a little thinking on how things are to be done with no need to rush, time to let things evolve.
[...pulltheplug...]
under 200 replies. And the guy hasn't started on arin/ripe/apnic allocated space yet.
I may be missing something obvious, but I was actually under the impression the scanning was already all complete until they go for a rerun later. Everything down to /26's have been mapped, as far as I recall.
If ISPs and users had clues, we wouldn't have as big a potential DDoS problem. Oh, and this just in:
Notably users. I'm currently trying to deal with PPark (PrettyPark, a Windows virus|trojan). It automatically spreads itself via e-mail and keeps gaining more and more infections by the day. It is nasty. It wouldn't be much of my cake, but the virus unfortunately has been set to connect to one of the servers I administer to receive attack-coordinates and all that (the server refuses them right after they have been successfully identified on connect). Doesn't sound quite nasty? It is - just to put people on the scale, we have _ninety-thousand_ unique hosts rapidly connecting to our server and practically bringing the server's accessibility down to its knees. If 90 000 of them opening a connection to a server can do that, I must wonder what their practical efficiency is if people were to ever have control over them and use them for malicious purposes.

Some weeks ago, I did a compilation of ISPs/TLDs involved. I, however, stripped the hostnames out to protect the innocent and to stop people from misusing that information. Brief stats are available at http://www.vip.fi/~viha/Stats/PPark_ISP.txt and http://www.vip.fi/~viha/Stats/PPark_TLD.txt

These are Windows-hosts, not running any virus-detection by the looks of it. Some quotes might include --

% cat PPark_ISP.txt | egrep -i "\\.(gov|mil|int)"|head -3
10 navy.mil
4 nih.gov
4 army.mil

% cat PPark_ISP.txt | head -3
4389 aol.com
4172 hinet.net
1732 com.sg

Oh, before you suggest routing them to null - be warned we have tried a few things. We were quite lucky, and most of them only showed a quick way to a table overflow. As for contacting antiviral-companies, the one we were in contact with didn't show much but the compulsory 'I see.'
Valdis Kletnieks
-- IPv6 Solutions | Security Coordination Ville(viha@cryptlink.net, "Cryptlink Networking");
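Ville's PPark_ISP.txt and PPark_TLD.txt summaries above are a tally of connecting hosts by ISP and by top-level domain, with egrep/head used to pull out the .gov/.mil/.int entries. The script below is an added example of that tabulation, not code from the original thread or from Cryptlink: the hostnames in it are constructed, and the rule for deciding which labels name the ISP (a tiny stand-in for a public-suffix list, so that a host under com.sg is credited to its registrant rather than to "com.sg" as in the quoted stats) is an assumption.

```python
"""Tabulate hostnames by registrable domain and by TLD, in the style of
'sort | uniq -c | sort -rn' over a stripped reverse-DNS list."""
import re
from collections import Counter

# Constructed sample of reverse-DNS names of connecting hosts (not real data;
# the original stats were built from roughly 90,000 real hostnames).
SAMPLE_HOSTS = """\
ac8e1f2a.ipt.aol.com
ac8e1f3b.ipt.aol.com
h61-220-1-2.hinet.net
h61-220-1-3.hinet.net
h61-220-1-4.hinet.net
cust12.singnet.com.sg
pc7.nih.gov
ws3.nih.gov
cvn70.navy.mil
dial-4.isp.example.co.uk
203.0.113.7
"""

# Labels under two-letter ccTLDs that are themselves public registries.
# Assumption: a small stand-in for a real public-suffix list.
SECOND_LEVEL_PUBLIC = {"co", "com", "net", "org", "ac", "gov", "edu"}


def registrable_domain(host):
    """Return the part of a hostname that most likely identifies the
    ISP/registrant, or None for IP literals and bare labels."""
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2 or all(label.isdigit() for label in labels):
        return None
    # foo.example.co.uk -> example.co.uk ; foo.aol.com -> aol.com
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in SECOND_LEVEL_PUBLIC:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def tabulate(text):
    """Count hosts per registrable domain and per TLD. Returns the two
    Counters plus the number of lines that could not be classified."""
    by_isp, by_tld, skipped = Counter(), Counter(), 0
    for line in text.splitlines():
        host = line.strip()
        if not host or host.startswith("#"):
            continue
        dom = registrable_domain(host)
        if dom is None:
            skipped += 1
            continue
        by_isp[dom] += 1
        by_tld[dom.rsplit(".", 1)[-1]] += 1
    return by_isp, by_tld, skipped


def grep(counter, pattern):
    """Like 'egrep -i PATTERN' over the report: matching entries, most common
    first (ties keep first-seen order, as Counter.most_common does)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [(name, n) for name, n in counter.most_common() if rx.search(name)]


def report(counter, limit=None):
    """Render in 'uniq -c | sort -rn' style: right-aligned count, then name."""
    return "\n".join(f"{n:6d} {name}" for name, n in counter.most_common(limit))


if __name__ == "__main__":
    isp, tld, skipped = tabulate(SAMPLE_HOSTS)
    print(report(isp))
    print()
    print(report(tld))
    print("\ngovernment/military:", grep(isp, r"\.(gov|mil|int)$"))
    print("unclassified lines:", skipped)
```

Feed it the real list with `tabulate(open("hosts.txt").read())`; the `grep` pattern is anchored at the end of the name so that a registrant whose name merely contains "mil" is not counted as military.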
On Thu, 24 Feb 2000, Brian Wallingford wrote:

| Specifically, what have Merit, and presumably yourself done that any
| reasonably clued ISP hasn't? Aside from responsible subneting, and
| standard non-intrusive filtering, what can be done? It seems to me that
| beyond that, the burden of safeguarding data falls on the end-user.
|

Obviously, you have never visited any of the less clueful ISPs ;) Some ISPs that started with 10Mbps hubs have moved up to 100Mbps hubs. For their servers, and co-location customers. Some ISPs vlan each customer. Many do something in between both extremes. (Not that giving each customer a separate vlan is by any means extreme!!!)

(Not to waste your reading time too much, but this was a topic of concern for me. Currently I use a combination of 8 port OpenBSD router plus vlans on OpenBSD to handle all ethernet connectivity in my building!)

--- Reverend Chris Cappuccio http://www.dqc.org/~chris/
At Thursday 01:00 PM 2/24/00 , William Allen Simpson wrote:
The US government has had listening devices at the MAEs/NAPs for years.
Given that these are frequented places, I am gladly accepting anon-remailed material proving the existence of such listening equipment. JPEG's, GIFs, rack numbers and floor plans marking their locations, pictures of time-lapse security cameras showing the men in black installing the crap, pictures of their vehicles in the parking lot, license plate numbers, agent names. If there is really a number of such IMHO unlawful taps, it'll be hard to contain information about them, unless they've dug themselves close to the fiber and are bending & eavesdropping that fiber outside of the MAEs. Such taps are not trivial, and their physical dimensions make it hard to hide them to the trained fiber installer's eye. Again, this is a solicitation to provide material to me solely aimed at endangering national security, or whatever lie they want the public to believe today :) No more secrets.
They have also patented techniques for sorting and classifying conversations, which appear to be applicable to Internet traffic.
As for other governments, haven't you heard Moscowitz's Chrysler story?
And then there was the story of a german company producing devices to generate alternate sources of energy (was it windmills or solar cells?) that was very surprised to find that a US company had filed for a patent with the guts of all their technical stuff not too soon after they had faxed some essential parts of it from one place in Germany to another. The US patent was reportedly upheld, but I wonder if they ever dared to bring civil suit for theft of trade secrets. Needless to say this company is a very eager user of Swiss-made encryption products at this point. bye,Kai ps: reportedly, NDB.com got DDOS'd today. Overloading the NSA's illegal eavesdropping taps one at a time.
Drugs are bad, m'k? In the same spirit of "request of proof":
And then there was the story of a german company producing devices to generate alternate sources of energy (was it windmills or solar cells?) that was very surprised to find that a US company had filed for a patent with the guts of all their technical stuff not too soon after they had faxed some essential parts of it from one place in Germany to another. The US patent was reportedly upheld, but I wonder if they ever dared to bring civil suit for theft of trade secrets. Needless to say this company is a very eager user of Swiss-made encryption products at this point.
Please prove via txt, Jpegs, Gifs, Mpegs, men in black hunched over seedy fax machines saying "You speak German? Damn Sour Krauts!" or any other such. Also, POs reflecting purchase of swiss encryption products, and an explanation of why they buy equipment inferior to the Israelis. Lastly, a note from Mom saying it's OK for Kai to post rabble-rousing to nanog, because, well, we're less than 45 days out of April 1.
bye,Kai
ps: reportedly, NDB.com got DDOS'd today. Overloading the NSA's illegal eavesdropping taps one at a time.
Are you in league with Dean and mr IPv8 gatekeeper? E
Thanks for all the private messages (I guess), but you all certainly know that I get at least as much email as you do, and if it's important enough to write you a personal reply, then it's important enough to send to the list....

====

First, the Moskowitz story, excerpted. If you want the whole thing, buy him lunch, he's a nice guy -- just remember he eats kosher.

Chrysler owned a big share of an Austrian company (now, Chrysler is owned by a German company, how time flies). They started running IPSec on the international link. They got a call from the French, saying it is/was illegal to send encrypted data over their lines. Chrysler had to reroute its link, through Italy as best I remember.

This confirms several things, not the least of which is the French are monitoring commercial data circuits.

====

No, I've never been inside any MAE/NAP, and I have no photographs of men in black. But, besides the abundant persistent rumors, I've been on privacy panels hosted by my local congresscritters. And, I'm told by said congresscritters that the administration brags about their monitoring of Internet traffic at the international exchange points, as an indication of their wonderful efficacy in tracking pernicious activities, such as terrorists, pornographers, gambling, gun, and alcohol sales, and asked for more funding in last year's appropriations cycle. They also claim that commercial information is removed.

This confirms several things, not the least of which is that there is intercepted commercial data to be removed. I presume that the techniques used are similar to the French.

And not too different from their investigations of me, still classified secret. The files refer to email messages and excerpt voice conversations, none of which they got from court orders served upon me!
The small parts of these I've been able to get under FOIA are posted on the net -- mostly blacked out -- but careful reading indicates that the investigation began after the posting of an internet-draft for PPP CHAP, back when it was called the "cryptographic handshake authentication protocol". Securing the net considered harmful....

Please FOIA your own FBI files before you tell me that I'm paranoid. Be prepared to pester them for 6 years to meet their statutory 20 day deadline.

====

Some patents have been widely circulated, being number 5,937,422 among others. Remember that the patent office can keep patents secret when they affect "national security". I presume, based on my experience, that in addition to those alcohol peddlers, the semantic trees search for "security" and "cryptography".

====

Merit has been around longer than most ISPs. They have had machines compromised. They have had machines attacked by DoS. They serve college campuses. They have a clue coefficient. 'nuff said.

WSimpson@UMich.edu Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
This confirms several things, not the least of which is the French are monitoring commercial data circuits.
Hadn't wanted to jump into this conversation until this was brought up. It is a widely confirmed fact (call the State Department Travel Section) that since the Cold War ended, France has been utilizing its government funded intelligence organization to supply industrial information to French business interests. This includes, but is not limited to cleaning personnel at very reputable hotels opening locked luggage, photocopying documents, and taking pictures of anything remotely interesting. Anyone considered important by the U.S. State Department should be receiving warnings about this before they travel anyway.
For years I've been telling people that while there was some risk that traffic on the Internet could be intercepted, that the risk was greatest at the ends of a connection and that as long as they were working with a reputable ISP that there was almost no risk that anyone was eavesdropping on the traffic from the more central networks. I've also been telling people that data "at rest" on disks or stored in servers is much more at risk than data "in motion" as it moves across the Internet. Have I been misleading people?
What does everyone think those silly lead times for local tails (especially in Europe) are for? Menwith Hill (sp?) et al. needs a nice schedule of new capacity so that it can be planned in. Even Telefonica cannot actually take 3 months to really provision a tail circuit.

Peter
participants (13)
- Brian Wallingford
- Chris Cappuccio
- Deepak Jain
- Ehud Gavron
- Henry R. Linneweh
- Jeff Ogden
- Jim Mercer
- Kai Schlichting
- Peter Galbavy
- Roeland M.J. Meyer
- Valdis.Kletnieks@vt.edu
- Ville
- William Allen Simpson