David Boyes wrote:

> No, I'm referring to devices installed in a CO (with or without the acquiescence of the telco in question, usually with) where they can benefit from high-volume data capture. Their purpose is to intercept traffic flows at a carrier-grade scale, and they are not generally available to the public at large. Cf. the AT&T SFO traffic diversion operation for one semi-public example. If they'd like to read more, https://en.wikipedia.org/wiki/Palantir_Technologies has a pretty good (if sanitized) look at what they do and how. Note especially the client list, and the case study on Ghostnet.
>
> We're talking about state-level actors here. If they want your traffic, they can get access to it legally if they want to, and an NSL (or equivalent) is an effective way to mute that it happened. In many places on the globe, the operation of the SS7 STPs connecting the national network to the international infrastructure falls under the same rules (the old ITU and CCITT rules still operate), which are very deferential to law enforcement with the proper paperwork. That's part of the ongoing fuss in the UK and Australia wanting to force-engineer a CALEA-compatible master key into any cryptographic implementation in use within their borders; they don't like being shut out of the ability to read traffic in transit.

I believe we're talking about different things. What you're describing isn't civilian use of TLS. It's probably stream-cipher stuff (which is weaker anyway) and in any case is within the telco system. Nobody is going to crack TLS, even with lots and lots of data.

Telco equipment is indeed designed to be easily tapped. Laws like CALEA in the US and its equivalents in other countries require this. But that does absolutely no good against encrypted traffic that's encrypted before it hits the telco networks. This is why guys like national governments use malware/APT to bypass encryption, because they can't actually crack it. And it's why governments like the ones in Australia and the UK are trying to mandate workarounds to TLS: because they can't crack it today.

Cheers,
-- 
...phsiii
Phil Smith III

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
