lists.openwall.net / Full-Disclosure
Message-ID: <004101c36b6a$31296e10$2b02a8c0@dcopley>
From: dcopley at eeye.com (Drew Copley)
Subject: JAP back doored

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



> -----Original Message-----
> From: Rainer Gerhards [mailto:rgerhards@...adiscon.com] 
> Sent: Monday, August 25, 2003 12:37 PM
> To: Drew Copley; Gary E. Miller
> Cc: Florian Weimer; full-disclosure@...ts.netsys.com; wb@...ern.de
> Subject: RE: [Full-Disclosure] JAP back doored
> 
> 
> Drew & others,
> 
> Read on, this is not the usual rant... 
> 
> I think we need to keep two things separate:
> 
> 1. the behaviour of the JAP team
> 2. the German law system 
> 
> If we discuss #1, I am fully in agreement with you - they 
> have screwed up. I tried to research the actual court order, 
> but unfortunately it is not online. What I found was 
> interesting, though. If you look at their statements in the 
> excellent independent Heise news site, you will see a lot of 
> insight. It is in German, but you can run it through 
> babelfish.altavista.com - the translation is good enough to 
> get the idea...
> 
> http://www.heise.de/newsticker/data/uma-19.08.03-001/

Graci. 

Further, their comments on the Usenet are here:

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=26e1a3d6.0308210701.4e6b2d15%40posting.google.com&rnum=1&prev=/groups%3Fq%3DJAP%2BGerman%2Bgroup:alt.2600.*%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26group%3Dalt.2600.*%26selm%3D26e1a3d6.0308210701.4e6b2d15%2540posting.google.com%26rnum%3D1

Here is the guy that went through the code and discovered this, which elicited a response, apparently:

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=26e1a3d6.0308210701.4e6b2d15%40posting.google.com&rnum=1&prev=/groups%3Fq%3DJAP%2BGerman%2Bgroup:alt.2600.*%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26group%3Dalt.2600.*%26selm%3D26e1a3d6.0308210701.4e6b2d15%2540posting.google.com%26rnum%3D1

Odd how quick their response is. 2600 is a massive group full of sporge and spam and crap.

> 
> The bottom line is that at least I read it in that way that 
> they kind of cooperated because (as they said) they found it 
> reasonable to do so. But this is not the failure of the 
> German law system - it is the project's failure... 
> 
> And, BTW, I don't have an issue with them trying to monitor a 
> suspect criminal (the child pornography site), but the fact 
> that they are still saying the service is totally anonymous, 
> which simply is a lie.

Graci.

Yes, I appreciate this, and this is why I am motivated here, because I have authored some anonymizing applications under my offline nick... And I belong to an organization which does this.

But, the implications for this kind of thing are far reaching. 

My primary concern is that you will have serious dissidents using these systems, the "legitimate" users. These individuals may be a thorn in the side of their respective governments. They may be targeted through one of these systems, if they could bribe someone. If law enforcement takes over these systems secretly, then the whole chance for bribery is not out there and their network becomes ruined -- finished.

People could get killed. Families could get kidnapped and ransomed. Family members could get tortured to death. 

I hate to present such scenarios, but this is what we are talking about when we are discussing these systems and the potential for legitimate users to use them.


But, I am not naïve. While I believe most people using these systems are just the paranoid, there will be a lot of people doing truly horrible things through these systems. This presents a huge attraction for the police of many nations. Maybe some of these individuals could even help them save far more lives. But, if you already know someone is this much of a suspect, you can hack their system. Why trojanize an application secretly to get them when you can just surveil them personally?



> 
> But coming to #2... 
> > Carnivore is supposed to only tap suspects, not everyone.
> 
> Yes, and this is exactly what happens here. *If* you trust 
> their statements (I don't) then they only tap those 
> suspects that are trying to access a (suspect) criminal site. 

It is difficult to tap "everyone" at the ISP level. That is a lot of juice coming through the wires.

Last I read, this was not the case. I hear rumors to the contrary here, but I do not see evidence to the contrary. Regardless, I do not think the government has no right to tap their own wires. I said as much for Germany. They have a right to tap their own wires. What those rights are, this is an internal matter I am not interested in. Hopefully, Germans, as US, will oppose such matters.

The opposition for carnivore doing more than it has claimed has been an issue of the utmost national interest, an issue handled within Congress, no less, if I recall. 



> The more I think about it, the more it is exactly the same as 
> with phone tapping, carnivore ... You name it.
> 
> Look at phone tapping. I assume even in the US the FBI can 
> get a court order to tap a suspect criminal's phone line if 
> there is sufficient evidence. Now let's assume they have this 
> court order. Now you, the innocent, try to contact this 
> suspect criminal (e.g. to order some child for sexual abuse 
> ;)). Even though there is no court order against you, you are 
> still tapped. Now let's assume that you really tried to 
> "order" a child for sexual abuse. In Germany, you can become 
> prosecuted in this case, even though that court order was not 
> specifically to tap you but the person you called. I am not 
> sure if that is the same in the US. As a side note, every 
> user of the phone system could potentially have been tapped 
> if he had called the party.

In the US, any personal or non-criminal related phone conversation may not be listened to. They time everything, and if there is no criminal related conversation, they switch off for a few minutes, then check back in.

I think, though, your argument is correct. Actually, I would guess this is how the judge saw it, rather than understanding it more as it is.

> 
> Now look at JAP. As I do not see any reason to defend the JAP 
> project (#1 above), let's simply assume their statement is 
> correct and only a single target IP is tapped. Let's further 
> assume this is actually a site that offers child pornography. 
> I assume this is forbidden in the US, too, but again, I am 
> not sure about this (it also doesn't matter, because you are 
> using a German server, so local law applies *to this
> server* - not you). OK, so any internet user is at risk of 
> being tapped
> - as is any phone user in the above sample. However, as with 
> the phone, the tap only "engages" if the innocent child 
> pornography user tries to connect to the suspect criminal's 
> servers (that one under the tap order). Now the "innocent" 
> user is recorded. If he hadn't "called" that server, nothing 
> would have happened. 

That, actually, is a good point. I am not opposed to this kind of model. Who would be that in anyway cares about security as opposed to crime?

Indeed, I should be entirely fair and note that this is what the case was. It remains theoretical only that they might have gone further than this. But, as they were just looking for contact to a single url... And this url may have been some heinous site... Maybe they did have a right to do this, if this is all they did do.

Maybe the individual or group of individuals they were looking for... Maybe they threatened some lives here.

I do not disagree with this, though I still find the method abhorrent. You need to tap someone, hack their system. Don't do something like this. If this was not a case of utmost emergency or where it could save lives, my anger would continue.


> 
> You get the idea? I think technically what happens is very 
> similar to the risk any phone user runs when using the phone system...
> 
> What makes the big difference, though, is that nobody really 
> believes the phone system is secure - but the JAP project 
> made you believe you were totally anonymous. Effectively, they 
> were breaching their user's risk... But, honestly, isn't it a 
> little too simple thinking to trust your privacy to a remote 
> project in a foreign country (whose laws you don't know) 
> which is funded by the government? As some pointed out, code 
> review does not help here as you are in need of some server 
> resources and you can't verify the code that actually runs 
> on those servers. The only good thing the JAP team made was 
> to make that modified source public. Just think about it, had they 
> simply installed the tap, nobody would have noticed...
> 

I don't agree that trust was misplaced. I don't think ordinary users should have to deal with this. There must be a rigid code of honor. People should be tested on these matters.



> I think this re-strengthens an old wisdom: never trust 
> somebody else but yourself with your security ;) Just think 
> about the potential of a corrupt mix... What they could do 
> with all the traffic passing by. And keep in mind, there can 
> be criminals among those that run mixes (I have to admit that 
> every now and then some criminals were found among German 
> police officers as probably everywhere else in the world).


I never trust anyone, but it helps that I never break the law.

It is corrupt officers which is exactly my fear about this matter.

> 
> > Carnivore captures on the addresses and subject lines of
> > emails, not even the content.
> 
> I think (but don't know) JAP captures only the IP addresses. 
> This will also keep you away from German jurisdiction. Let's 
> theoretically think they only capture your IP address. So 
> they need the cooperation of your ISP. No big deal if you are 
> in Germany. But you in the US are protected from German 
> police by the virtue of your citizenship and location. 
> However... If German police talks to US police and a US judge 
> finds the request reasonable, then you will as well be 
> reached by the German police. But all of this within the 
> boundaries of the US law system. Fortunately, again, you are 
> still protected by US jurisdiction which will ultimately 
> decide if that is a valid request. Of course, things change 
> when you enter German soil (and you have been identified 
> before), but this is the same in any country including the US. 

This is all possibly true and would make the system less abhorrent, of course.

But, regardless, I do not believe developers should be forced to trojanize their code - ever - unless it will save the world from nuclear armageddon. My impression, however, is that this was for some petty crime.



> 
> > You compare this to the German police forcing German
> > developers to secretly trojanize German software.
> 
> Again, although I am not a lawyer, I doubt it is possible to 
> force a developer to install a backdoor or trojanize 
> software. In this case, if you look at #1 above, it was not 
> really forced. Even if there was a court order, it was not 
> defended by the JAP team. If they had, it would have created 
> much more publicity and taken quite a while...

It is very possible I was entirely misled and that they were not forced to do this. If this is the case, this is good, though their statements and actions I have seen have implied they have been.

> 
> This reminds me a little bit of PGP: In the initial days, 
> there were many threads and court orders. But there was Phil 
> Zimmermann who defended all of them. If there had been a Phil 
> Zimmermann at JAP, things may look different now. And, yes, I 
> have to admit I think there are more Phil Zimmermanns in the 
> US than over here...
> 

Paranoia is an American icon.

> This case teaches us one important point: it is dangerous to 
> believe anyone who is promising you privacy AND doing this 
> via either software you can't review or resources you don't 
> control. And keep in mind that your ability to review 
> software does not only mean you have access to the source but 
> the time and ability to actually understand what it does
> - every part of it...

Indeed.

> 
> One second finding is - I think - interesting: the Internet 
> is finally becoming mainstream which means law enforcement 
> also begins to understand it and begins to use it. IMHO, this 
> has pros and cons. But it is a fact that we need to become 
> aware of. In a few years, POTS will be legacy and all tapping 
> will be done by tapping IP traffic. I guess we have better 
> chances to keep privacy - but we need to be aware of this 
> changing world.
> 
> Finally, a personal opinion on this case: while I find that 
> JAP has severely failed and the law enforcement system is 
> working reasonably well, I also think that in suspect crime 
> cases as this (IF it is the truth), it is actually justified 
> to tap a specific site's users. It is as much justified as I 
> think it is important to stop terrorists from conducting 
> their crimes, wherever they try to strike.

I think it is justified to use zero day to hack a user's site, depending on the seriousness of the crime. Let's be real, there are some seriously bad people out there. 

But, I think that the tendency to throw out a wide net like cops often do here is sheer incompetence and laziness. Such things may seem to work for a bit, but for how much longer? And, it just shows how they don't know how to hack in the first place. They are cops, they don't know this? Hackers know this, why don't they? 

Some may think I am anti-crime; in this regard, I could not be stronger for crime. It is just that you have to do it right. It is a massive difficulty to deal with these things, I understand that. But, you have to really try to play right. 

If, it is true, that they were desperately trying to get someone very dangerous in this... If it is true that they were doing a one-shot deal... If this move would have saved lives... I would not be against it. Who would? But, I will admit this, and it is good of you to note this may be the possibility.



> 
> I hope I haven't provided too much noise, but I really think 
> this thread has reminded us of some basics and changes that 
> we may slowly forget...
> 
> Rainer
> 

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBP0qrtQkWkugjEnC3EQJcUgCff8riZ2gVrNHDWXw7MXBTEi+fBcQAnAwd
iwAXLZAipLQSkYyqFhZw7ebX
=nGMX
-----END PGP SIGNATURE-----

