[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Oct 14 meeting Agenda ? (DC Cypherpunks)
> >>I figure that as long as we are going to receive...
> >> ? a commercial message from Digex ?
> >>We might be able to tap their knowledge base in assesing
> >>the various risks and rewards available by using a Commercial
> >>After all, with the FBI and Scientologists waging war on
> >>the Internet ( capturing keystroaks, siezing computers,
> >>and rummaging through everyones E-mail ), There may be a
> >>way to make life a little more interesting for them.
> >I will be glad to send in my two cents worth - I am not sure that
> >I understand the question though.
> While, I believe in strong crypto for everyone (what cypherpunks doesn't),
> I also believe that much can be done to prevent the wholesale snooping
> of Commercial ISP customers data. I believe that this data is snooped
> because the ISP's and large number of customers (ignorant of security)
> make this data too easy a target (cost effective).
> While the NSA may follow it's motto (In GOD we trust, the rest we monitor).
> Others may take hostile actions agenst someone whose password or
> personal information has been obtained. (ex. drain bank account, or just
> send spam)
> Some questions that I would like to ask...
> 1 - Assuming that someone from an agengy or someone pretending to
> be from an agency wanted to capture one or all the ISP customers
> key presses. What method would they use ?
> Would they capture the data at the phone company?
> Would they tap the raw data stream at the initial ISP router ?
> Would they route IP packets from the initial ISP router through their
> own equipment before arriving at the ISP maching running the shell
> account ?
> Would they use a Trojin Shell (or telnetd) on a shell account ?
> Would they inform the ISP and get his help or root access ?
> 2 - What methods could be put into place by the ISP or it's customers
> to help prevent this snooping activity ?
> Perhaps an alternative login method (like deslogin or idealogin)
> trying to protect data through the phone company and IP route
> to the target machine.
> Perhaps having a crypto checksum on the shell (telnetd) to detect
> trojin software.
> Perhaps sendmail could public key encrypt mail on it's way to the
> customers directory.
> Perhaps just raising the customer awareness of security issues
> and methods at the ISP. This could affect the mainstream
> user (joe sixpack) as well as the PGP user.
> Perhaps ISPs could offer a data archive service/site (foreign site)
> where data in the form of PGP encrypted E-mail can be saved and
> retrieved via a robot (something like majordomo). That way,
> if your home computer breaks, burns, is stolen, or siezed. You
> can still retrieve your data at a later time.
> Granted these methods do not prevent a determined attacker from squashing
> an ISP cutomer. However, it does raise the cost of the effort to single
> out a user and attack him rather that grab cleartext from everyone.