From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Subject: JAP back doored

Drew & others,

Read on, this is not the usual rant... 

I think we need to keep two things separate:

1. the behaviour of the JAP team
2. the German law system 

If we discuss #1, I am fully in agreement with you - they have screwed
up. I tried to research the actual court order, but unfortunately it is
not online. What I found was interesting, though. If you look at their
statements in the excellent independent Heise news site, you will see a
lot of insight. It is in German, but you can run it through
babelfish.altavista.com - the translation is good enough to get the
idea...

http://www.heise.de/newsticker/data/uma-19.08.03-001/

The bottom line is that at least I read it in that way that they kind of
cooperated because (as they said) they found it reasonable to do so. But
this is not the failure of the German law system - it is the project's
failure... 

And, BTW, I don't have an issue with them trying to monitor a suspect
criminal (the child pornography site), but the fact that they are still
saying the service is totally anonymous, which simply is a lie.

But coming to #2... 
> Carnivore is supposed to only tap suspects, not everyone. 

Yes, and this is exactly what happens here. *If* you trust their
statements (I don't) then they only tap those suspects that are
trying to access a (suspect) criminal site. The more I think about it,
the more it is exactly the same as with phone tapping, Carnivore ... You
name it.

Look at phone tapping. I assume even in the US the FBI can get a court
order to tap a suspect criminal's phone line if there is sufficient
evidence. Now let's assume they have this court order. Now you, the
innocent, try to contact this suspect criminal (e.g. to order some child
for sexual abuse ;)). Even though there is no court order against you,
you are still tapped. Now let's assume that you really tried to "order"
a child for sexual abuse. In Germany, you can become prosecuted in this
case, even though that court order was not specifically to tap you but
the person you called. I am not sure if that is the same in the US. As
a side note, every user of the phone system could potentially have been
tapped if he had called the party.

Now look at JAP. As I do not see any reason to defend the JAP project
(#1 above), let's simply assume their statement is correct and only a
single target IP is tapped. Let's further assume this is actually a site
that offers child pornography. I assume this is forbidden in the US,
too, but again, I am not sure about this (it also doesn't matter,
because you are using a German server, so local law applies *to this
server* - not you). OK, so any internet user is at risk of being tapped
- as is any phone user in the above sample. However, as with the phone,
the tap only "engages" if the innocent child pornography user tries to
connect to the suspect criminal's servers (that one under the tap
order). Now the "innocent" user is recorded. If he hadn't "called" that
server, nothing would have happened. 

You get the idea? I think technically what happens is very similar to
the risk any phone user runs when using the phone system...

What makes the big difference, though, is that nobody really believes
the phone system is secure - but the JAP project made you believe you
were totally anonymous. Effectively, they were breaching their users'
risk... But, honestly, isn't it a little too simple thinking to trust
your privacy to a remote project in a foreign country (whose laws you
don't know) which is funded by the government? As some pointed out,
code review does not help here as you are in need of some server
resources and you can't verify the code that actually runs on those
servers. The only good thing the JAP team made was to make that modified
source public. Just think about it: had they simply installed the tap,
nobody would have noticed...

I think this re-strengthens an old wisdom: never trust somebody else but
yourself with your security ;) Just think about the potential of a
corrupt mix... What they could do with all the traffic passing by. And
keep in mind, there can be criminals among those that run mixes (I have
to admit that every now and then some criminals were found among German
police officers as probably everywhere else in the world).

> Carnivore captures on the addresses and subject lines of 
> emails, not even the content.

I think (but don't know) JAP captures only the IP addresses. This will
also keep you away from German jurisdiction. Let's theoretically think
they only capture your IP address. So they need the cooperation of your
ISP. No big deal if you are in Germany. But you in the US are protected
from German police by the virtue of your citizenship and location.
However... If German police talks to US police and a US judge finds the
request reasonable, then you will as well be reached by the German
police. But all of this within the boundaries of the US law system.
Fortunately, again, you are still protected by US jurisdiction which
will ultimately decide if that is a valid request. Of course, things
change when you enter German soil (and you have been identified before),
but this is the same in any country including the US. 

> You compare this to the German police forcing German 
> developers to secretly trojanize German software.

Again, although I am not a lawyer, I doubt it is possible to force a
developer to install a backdoor or trojanize software. In this case, if
you look at #1 above, it was not really forced. Even if there was a
court order, it was not defended by the JAP team. If they had, it would
have created much more publicity and taken quite a while...

This reminds me a little bit of PGP: In the initial days, there were many
threads and court orders. But there was Phil Zimmermann who defended all
of them. If there had been a Phil Zimmermann at JAP, things may look
different now. And, yes, I have to admit I think there are more Phil
Zimmermanns in the US than over here...

This case teaches us one important point: it is dangerous to believe
anyone who is promising you privacy AND doing this via either software
you can't review or resources you don't control. And keep in mind that
your ability to review software does not only mean you have access to
the source but the time and ability to actually understand what it does
- every part of it...

One second finding is - I think - interesting: the Internet is finally
becoming mainstream which means law enforcement also begins to
understand it and begins to use it. IMHO, this has pros and cons. But it
is a fact that we need to become aware of. In a few years, POTS will be
legacy and all tapping will be done by tapping IP traffic. I guess we
have better chances to keep privacy - but we need to be aware of this
changing world.

Finally, a personal opinion on this case: while I find that JAP has
severely failed and the law enforcement system is working reasonably
well, I also think that in suspect crime cases as this (IF it is the
truth), it is actually justified to tap a specific site's users. It is as
much justified as I think it is important to stop terrorists from
conducting their crimes, wherever they try to strike.

I hope I haven't provided too much noise, but I really think this thread
has reminded us of some basics and changes that we may slowly forget...

Rainer

