Wired News reports
<http://www.wired.com/politics/security/news/2007/08/wiretap?currentPage=all>
on what the Electronic Frontier Foundation has discovered
<http://www.eff.org/flag/061708CKK/> about the FBI wiretapping system
known as DCSNet, for Digital Collection System Network. It's easily
deployed with a few mouse clicks to monitor pen-registers and
trap-and-traces (a type of surveillance that collects signaling
information -- primarily the numbers dialed from a telephone -- but no
communications content) as well as the content of phone calls and text
messages.

The system runs on Microsoft Windows, an operating system known for
security vulnerabilities, and is configured in such a way as to exacerbate
them. An internal 2003 audit uncovered numerous security vulnerabilities
in DCSNet including:

* Inadequate logging
* Insufficient password management
* Lack of antivirus software (critical when running Windows)
* Unlimited numbers of incorrect passwords were allowed without
  locking the machine (allowing for brute force password cracking)
* Shared logins rather than individual accounts
* The system requires user accounts have administrative privileges
  in Windows, allowing a hacker who got into the machine to gain
  complete control

Steven Bellovin, a Columbia University computer science professor and
longtime surveillance expert, observes that "Any time something is
tappable there is a risk .... when you start designing a system to be
wiretappable, you start to create a new vulnerability. A wiretap is, by
definition, a vulnerability from the point of the third party. The
question is, can you control it?"
#end
--
David Solomonoff, President
Internet Society of New York
[EMAIL PROTECTED]
isoc-ny.org
_______________________________________________
Discuss mailing list
[email protected]
http://lists.isoc-ny.org/mailman/listinfo/discuss