[VOIPSEC] Governments employing MiTM attacks against SSL
J. Oquendo
sil at infiltrated.net
Tue Apr 20 13:48:14 CDT 2010
Dustin D. Trammell wrote:
>
> A recent conversation that I was privy to on a private mailing list full
> of .gov types indicated that at a point in time some years ago, it
> actually became cheaper and less troublesome to simply perform bulk
> surveillance. This sentiment was also echoed in public recently, but I
> can't seem to find the reference.
>
> Essentially, the argument states that the cost of surveillance used to
> increase with the number of people you were performing surveillance on,
> which makes sense. Now however, due to the advances in technology, it's
> cheaper and easier to simply watch everyone, and the cost increases with
> the number of people that you /exclude/ from the surveillance. This may
> or may not apply to telephony currently as you still legally need a
> warrant to wire-tap a line, but regarding data traversing the Internet,
> it's likely more reasonable to assume that someone *is* watching rather
> than that someone *isn't*.
>
The average cost of a wiretap (VoIP excluded) ranged between $49,000 and
$62,000 from 1994 to 2004 [1]. Since we're talking data now (VoIP), the
entire MITM thread is kind of moot unless the data is going through a
VPN tunnel, in which... So what? You'd see endpoints, INVITEs, BYEs,
etc., for voice; what about MIKEY, etc.? The device mentioned in this
original thread does nothing against/for them. ZRTP [2] anyone?
The arguments for/against mass taps are as obvious as day and night and were
addressed/spoken/griped/whined about when Carnivore came to light [3,4].
More money was spent by "worriers" over how evil Carnivore is/was, how
evil Narus + AT&T is/was [6], and yet to date, I have not read one
instance of abuse where someone was wrongfully incarcerated over, or even
wrongfully arrested over, any Carnivore, Narus, or FISA taps. Surely any
defense lawyer would love to get the meaty details (abuse) aired, as it
would assist their case: "The gov and their illegal tapping!" To date,
all I've heard concerning abusive tapping came from phone-sex-deprived -
or overstimulated (your choice) - [7] soldiers abusing their positions.
So if you went with common sense/logic, it would make all the more sense
to mass surveil rather than fork off 30-40k for tapping a single
individual.
[1] http://www.uscourts.gov/wiretap04/2004WireTap.pdf
[2] http://tools.ietf.org/html/draft-zimmermann-avt-zrtp-17
[3] http://www.law.indiana.edu/fclj/pubs/v54/no3/Dunham.pdf
[4] http://linkinghub.elsevier.com/retrieve/pii/S0267364904000184
[5] http://en.wikipedia.org/wiki/Carnivore_%28FBI%29
[6] http://www.wired.com/science/discoveries/news/2006/04/70619
[7] http://abcnews.go.com/Blotter/story?id=5987804&page=1
--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT
"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett
227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E