[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Oct 14 meeting Agenda? (DC Cypherpunks)

>>I figure that as long as we are going to receive...
>>       ? a commercial message from Digex ?
>>We might be able to tap their knowledge base in assesing
>>the various risks and rewards available by using a Commercial
>>After all, with the FBI and Scientologists waging war on
>>the Internet ( capturing keystroaks, siezing computers,
>>and rummaging through everyones E-mail ), There may be a
>>way to make life a little more interesting for them.

>I will be glad to send in my two cents worth - I am not sure that
>I understand the question though.

While, I believe in strong crypto for everyone (what cypherpunks doesn't),
I also believe that much can be done to prevent the wholesale snooping
of Commercial ISP customers data.  I believe that this data is snooped
because the ISP's and large number of customers (ignorant of security)
make this data too easy a target (cost effective).

While the NSA may follow it's motto (In GOD we trust, the rest we monitor).
Others may take hostile actions agenst someone whose password or
personal information has been obtained. (ex. drain bank account, or just
send spam)

Some questions that I would like to ask...

1 - Assuming that someone from an agengy or someone pretending to
    be from an agency wanted to capture one or all the ISP customers
    key presses.  What method would they use ?

    Would they capture the data at the phone company?
    Would they tap the raw data stream at the initial ISP router ?
    Would they route IP packets from the initial ISP router through their
        own equipment before arriving at the ISP maching running the shell
        account ?
    Would they use a Trojin Shell (or telnetd) on a shell account ?
    Would they inform the ISP and get his help or root access ?

2 - What methods could be put into place by the ISP or it's customers
    to help prevent this snooping activity ?

    Perhaps an alternative login method (like deslogin or idealogin)
        trying to protect data through the phone company and IP route
        to the target machine.
    Perhaps having a crypto checksum on the shell (telnetd) to detect
        trojin software.
    Perhaps sendmail could public key encrypt mail on it's way to the
        customers directory.
    Perhaps just raising the customer awareness of security issues
        and methods at the ISP.  This could affect the mainstream
        user (joe sixpack) as well as the PGP user.
    Perhaps ISPs could offer a data archive service/site (foreign site)
        where data in the form of PGP encrypted E-mail can be saved and
        retrieved via a robot (something like majordomo).  That way,
        if your home computer breaks, burns, is stolen, or siezed. You
        can still retrieve your data at a later time.

Granted these methods do not prevent a determined attacker from squashing
an ISP cutomer.  However, it does raise the cost of the effort to single
out a user and attack him rather that grab cleartext from everyone.