David G. Koontz
Thu, 30 Aug 2007 10:31:19 -0700
Perry E. Metzger wrote: > The blogs of Matt Blaze, Steve Bellovin and Bruce Schneier all linked > to this article today. It is rather disturbing. > > http://www.wired.com/politics/security/news/2007/08/wiretap > I downloaded the docs this morning and poke through them. http://www.eff.org/flag/061708CKK/
One thing to keep in mind, is that the DCS-3000 is the lowest security system in the family. I looked for security vulnerabilities right away, and it looks like it could be exploited by an insider. It does use the DCSNET which is purported to be encrypted. The (Cisco) routers interconnecting the system components use static routes. Lots of security through obscurity, not letting the public know what software is used for remote administration.http://www.eff.org/flag/061708CKK/070207_dcs01.pdf , page 43: 7.2.4.4.3 Remote Diagnostics The SBIT team utilizes| redacted |o remotely control the DCS 3000 systems deployed in the ERF and the other locations for maintenance and repair purposes. The usernames and passwords used on the system are strictly controlled and only provided on a need-to-know basis| redacted | configured to utilize the security mechanism available with the software, including the| redacted | mechanism and other security mechanisms. -- I don't think you can extrapolate insecurity forward to the DCS-5000 used for national security intercepts. That system handles classified information, where the DCS-3000 doesn't. Some of the later documents available on the eff web site show the certification process and paperwork for the DCS-3000. While it's mostly eyewash, it at least indicates someone in the FBI knows something on the subject. I think you can even find the buzz phrase "Information Assurance" in their somewhere. Handling classified information on computer systems is under the direct auspices of the NSA (and yes the Director of the FBI could 'waiver', they'd borrow the expertise, instead). http://goliath.ecnext.com/coms2/gi_0199-3379543/FBI-Will-Use-Unique-New.html Publication: PR Newswire Publication Date: 22-OCT-03 Delivery: Immediate Online Access Author: Article Excerpt HERNDON, Va., Oct. 22 /PRNewswire/ -- Sprint announced today that it has been awarded a new 36-month contract to provide secure IP Virtual Private Network (VPN) services to Federal Bureau of Investigation (FBI) sites across the country to support the FBI's Digital Collection System Network (DCSNet). The VPN services will be delivered using the "government- grade" Sprint peerless IP network, a unique national network that has... Apparently as a result of some concerns by law enforcement that their surveillance targets were changing behavior as soon as they were being targeted by Carnivore, (this came out shortly after 9/11). Seems running the system was contracted out to a company in Virginia, where at least some personnel apparently had other agendas: http://www.foxnews.com/story/0,2933,40747,00.html (no longer valid, from 2001) see http://www.whatreallyhappened.com/Israeli-Spying-Part-3.htm ... The manufacturers have continuing access to the computers so they can service them and keep them free of glitches. This process was authorized by the 1994 Communications Assistance for Law Enforcement Act, or CALEA. Senior government officials have now told Fox News that while CALEA made wiretapping easier, it has led to a system that is seriously vulnerable to compromise, and may have undermined the whole wiretapping system. Indeed, Fox News has learned that Attorney General John Ashcroft and FBI Director Robert Mueller were both warned Oct. 18 in a hand-delivered letter from 15 local, state and federal law enforcement officials, who complained that "law enforcement's current electronic surveillance capabilities are less effective today than they were at the time CALEA was enacted." -- The flip side of the loss of privacy, the bunnies getting wise when you bring out the shotgun. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]