Monitoring "Cyber-Cafes" + Giving up privacy != Stopping terrorism

Mumbai police will be able to monitor cyber-cafes in the city. Got this via Bruce Schneier's blog.

Okay, so I have a couple of problems with the attempt at preventing terrorism by doing this. Wasted resources, privacy concerns, easily circumvented, over-confidence in the program, and it just won't work.

Wasted Resources
From the article:

The Mumbai police will soon have khabris deployed (not physically) at over 500 (ed: emphasis mine) cyber cafes in the city. A new software will allow cops to swoop down on terrorists the moment a keystroke is pressed at any cyber cafe across the city.

So the police are going to watch the goings on of every single person at all times at five hundred places? Just like they watch every traffic light at all times here in the U.S.? Yeah, that is just a colossal waste of a police officer's time. More likely they will log everything and then try to sift through it all when "something" happens. Ten bucks says it is not a crime having to do with terrorism. It is impractical to monitor that much data and expect to catch anything in real time. People doing the watching can't stay focused enough and it is a bad idea to try to keep them on task. Frustration will set in and you will always be fighting a losing battle with staff. Let's say they automate it. They get a great indexing tool that can look at all the traffic, in real time, put it all together, and generate an alert when there is something really suspicious going on. How many hits do you think they are going to get on people discussing "bomb" just on IRC the day after an attack somewhere else in the world? Police are going to be rolled out all day on false positives, or worse, stop reacting to anything from it because it is wrong so often.
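The false-positive argument above, worked as a base-rate calculation (an added example, not part of the original post). Only the 500-cafe figure comes from the quoted article; the session count, prevalence and detector rates are constructed assumptions.

```python
"""Base-rate check for a keyword-alerting system (all rates are constructed assumptions)."""

CAFES = 500                 # figure quoted from the article
SESSIONS_PER_CAFE = 100     # assumed daily sessions per cafe
PREVALENCE = 1e-6           # assumed fraction of sessions that are real plotting
TPR = 0.99                  # assumed detection rate on real plotting
FPR_NORMAL = 0.01           # assumed false-alarm rate on an ordinary day
FPR_NEWS_DAY = 0.10         # assumed rate when everyone is discussing an attack


def alert_load(sessions, prevalence, tpr, fpr):
    """Return (expected true alerts, expected false alerts, precision) per day."""
    bad = sessions * prevalence
    good = sessions - bad
    true_alerts = bad * tpr
    false_alerts = good * fpr
    total = true_alerts + false_alerts
    precision = true_alerts / total if total else 0.0
    return true_alerts, false_alerts, precision


def max_fpr_for_precision(prevalence, tpr, target):
    """Largest false-alarm rate at which `target` of all alerts are real.

    Solves target = tpr*prev / (tpr*prev + fpr*(1 - prev)) for fpr.
    """
    return tpr * prevalence * (1 - target) / (target * (1 - prevalence))


def report():
    """Alert load for the two assumed scenarios, keyed by label."""
    sessions = CAFES * SESSIONS_PER_CAFE
    scenarios = (("ordinary day", FPR_NORMAL), ("day after an attack", FPR_NEWS_DAY))
    return {label: alert_load(sessions, PREVALENCE, TPR, fpr) for label, fpr in scenarios}


if __name__ == "__main__":
    for label, (tp, fp, prec) in report().items():
        print(f"{label}: {fp:.0f} false alerts/day, {tp:.3f} real, "
              f"1 real alert per {1 / prec:,.0f}")
    need = max_fpr_for_precision(PREVALENCE, TPR, 0.5)
    print(f"FPR needed for half of alerts to be real: {need:.2e}")
```

Even with a detector that is right 99% of the time, these assumptions put hundreds of false alerts in front of the police every day for each real one in several thousand.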

Easily Circumvented
Let's see, what are some ways of getting around all of this pesky government snooping... Oh yes, encryption. SSL VPNs, Tor, proxies, steganography (which there is no evidence terrorists use, but I would), OTR, the list goes on and on. The problem of keeping communications private has been solved multiple times and multiple ways by the computer industry. Put those apps on a USB stick, or a Linux LiveCD and you have your app. Hell, Google Chat has a web client so you can opt for https the entire time and you are done. Traffic analysis you say? Tor will fix that for you.

Privacy Concerns
Where do I begin?! The system gets hacked and people lose their identities, police abuse their authority and use it for non-terrorist stuff *cough* FBI *cough*, corrupt police track people for personal gain, corrupt techs track people for personal gain. That is just off the top of my head. Not only that, now a person who wants to operate a cyber cafe needs to register with the police. They can be punished if they do not follow the police guidelines, so if someone in their shop does any of the above, can the cafe operator be nailed? Imagine that in the U.S. MORE bureaucracy, just what we need.

It just does not work
Too much info. Big-time smart people have been working on a way of indexing information and giving it meaning for years. Google, Yahoo, Microsoft, IBM, people like that. I would imagine that CARMS is along those lines, but no one has yet solved the problem of giving it all meaning easily. See the above on false positives.

Comments

What about state owned ISPs?

I don't know if the country you're talking about has a state owned ISP, but if so that would defeat many of the security/privacy solutions you've mentioned. Basically you'd be dealing with a government that makes the rules and owns the playing field, there aren't many ways to get around that.

RE: What about state owned ISP?

It is in India I believe.
So what if it is state owned? The FBI has stated that they cannot break the OpenPGP protocol, so they have to circumnavigate it with key loggers to get pass phrases. Local police can now break RSA? Also, if they lock down all kinds of internet traffic, like Tor, from entering or leaving a country you are now blocking all kinds of development for your country. China does not do that even, because they do not want to block internet growth. OTR, OpenPGP, VPNs all still work within a closed internet. SSL encryption would be impossible to block, unless they do deep packet inspection, because then internet commerce would not work.

When you own the field

I think you may have missed my point. If you own and control every part of a system that a user's traffic *must* pass through you can perform all kinds of surreptitious things. Say you wanted to be a man in the middle, do deep packet inspection or force resends of vulnerable packets. Given a protocol and a target it wouldn't be that hard to figure out what was going on if you controlled all of the parameters. You could taint DNS, sniff key exchanges and keep traffic records however long you want.

Saying that the American government (or any other) isn't capable of doing something just because they claim they can't is about the most ignorant thing I've heard all week. Pull your head out and find a tinfoil hat if you want to think critically about security.

ISPs that are state owned have the money and motivation to change the rules.
