Hi, ISOCNZ have a working group looking at Internet Surveillance, and are attempting to decide on a position from which to make recommendations to the Government. It hasn't been running long. http://listserver.actrix.co.nz/mailman/listinfo/isocnz-iswg There was some noise in the press about police powers with respect to internet surveillance recently (although not much signal). I'm trying to look at the operational impact of legislation in this area. Ignoring the philosophical debate about what is and what isn't appropriate about surveillance in general, or about police powers to gather evidence from ISPs: + suppose the police have sufficient cause to be suspicious about the antics of one of your customers that they obtain a court order which entitles them to "tap their internet traffic". Suppose you decided (or were compelled) to facilitate the "tap". o what is reasonable for them to tap? Incoming (to-customer) e-mail? Outgoing (from-customer) e-mail? A complete packet dump? o If you have customers who don't have static IP addresses, is it feasible to collect data from an individual subscriber without collecting it from a whole bunch of others at the same time? o would you be happy letting someone from the police connect her own equipment to your network in order to gather the evidence the court order entitled them to collect? Would you prefer to do it yourself? o would your company expect to be reimbursed for the time spent facilitating the "tap"? o how easy would it be for you to insert something in your network to capture all packets to/from one of your customers? (scale of 1 [trivial] to 10 [impossible]) o assuming it was possible, how much inconvenience would it cause to other customers to put the tap in place? (scale of 1 [none] to 10 [take them off the air for the duration of the tap]) + suppose all interception of network traffic was prohibited across the board without a court order; i.e. you were compelled to shift your customers' traffic blindfolded, and were absolutely not allowed to look at it. Would this be feasible? How much troubleshooting would be impossible under these kinds of conditions? + do you have a clause in your contract with your customers which permits you to inspect customer traffic for operational (or other) purposes? + are you aware of hooks in your network hardware which are designed to allow customer traffic to be intercepted? Joe --------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
Mr Abley, I belive the Royal Canadian Moose Corps Electronic Counter-intelligence Division in Ottawa would like you to present yourself so as to assist them with their enquiry into subversive activities on Internet mailing lists. Told you that job with Osama Bin-Laden Networks would backfire! %-> -----Original Message----- %-> From: owner-nznog(a)list.waikato.ac.nz %-> [mailto:owner-nznog(a)list.waikato.ac.nz]On Behalf Of Joe Abley %-> Sent: Tuesday, 7 November 2000 5:22 a.m. %-> To: nznog(a)list.waikato.ac.nz %-> Subject: Internet Surveillance %-> %-> %-> Hi, %-> %-> ISOCNZ have a working group looking at Internet Surveillance, %-> and are attempting to decide on a position from which to make %-> recommendations to the Government. It hasn't been running %-> long. %-> %-> http://listserver.actrix.co.nz/mailman/listinfo/isocnz-iswg %-> %-> There was some noise in the press about police powers with %-> respect to internet surveillance recently (although not much %-> signal). %-> %-> I'm trying to look at the operational impact of legislation in %-> this area. Ignoring the philosophical debate about what is and %-> what isn't appropriate about surveillance in general, or about %-> police powers to gather evidence from ISPs: %-> %-> + suppose the police have sufficient cause to be suspicious %-> about the antics of one of your customers that they obtain %-> a court order which entitles them to "tap their internet %-> traffic". Suppose you decided (or were compelled) to %-> facilitate the "tap". %-> %-> o what is reasonable for them to tap? Incoming (to-customer) %-> e-mail? Outgoing (from-customer) e-mail? A complete packet %-> dump? %-> %-> o If you have customers who don't have static IP addresses, %-> is it feasible to collect data from an individual subscriber %-> without collecting it from a whole bunch of others at the %-> same time? %-> %-> o would you be happy letting someone from the police connect %-> her own equipment to your network in order to gather the %-> evidence the court order entitled them to collect? Would %-> you prefer to do it yourself? %-> %-> o would your company expect to be reimbursed for the time %-> spent facilitating the "tap"? %-> %-> o how easy would it be for you to insert something in your %-> network to capture all packets to/from one of your customers? %-> (scale of 1 [trivial] to 10 [impossible]) %-> %-> o assuming it was possible, how much inconvenience would it %-> cause to other customers to put the tap in place? (scale of %-> 1 [none] to 10 [take them off the air for the duration of %-> the tap]) %-> %-> + suppose all interception of network traffic was prohibited %-> across the board without a court order; i.e. you were compelled %-> to shift your customers' traffic blindfolded, and were absolutely %-> not allowed to look at it. Would this be feasible? How much %-> troubleshooting would be impossible under these kinds of %-> conditions? %-> %-> + do you have a clause in your contract with your customers which %-> permits you to inspect customer traffic for operational (or %-> other) purposes? %-> %-> + are you aware of hooks in your network hardware which are %-> designed to allow customer traffic to be intercepted? %-> %-> %-> Joe %-> --------- %-> To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz %-> where the body of your message reads: %-> unsubscribe nznog --------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
On Mon, Nov 06, 2000 at 11:22:12AM -0500, Joe Abley wrote:
ISOCNZ have a working group looking at Internet Surveillance, and are attempting to decide on a position from which to make recommendations to the Government. It hasn't been running long.
http://listserver.actrix.co.nz/mailman/listinfo/isocnz-iswg
There was some noise in the press about police powers with respect to internet surveillance recently (although not much signal).
I'm trying to look at the operational impact of legislation in this area. Ignoring the philosophical debate about what is and what isn't appropriate about surveillance in general, or about police powers to gather evidence from ISPs:
[stuff]
Well, I've had a couple of responses, but hardly any. I assume that this means either: + ISPs don't care about this issue at all + ISPs are too busy with real work to worry about it right now + ISPs have no confidence that anything ISOCNZ can say or do on the subject will ever come to anything anyway Show of hands? :) Joe --------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
number 2, it has to work it's way up the list of priorities, hopefully this week. Well, I've had a couple of responses, but hardly any. I assume that this means either: + ISPs don't care about this issue at all + ISPs are too busy with real work to worry about it right now + ISPs have no confidence that anything ISOCNZ can say or do on the subject will ever come to anything anyway Show of hands? :) Joe --------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog --------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
Just thinking about it, BT charge the police a hell of a lot to do a phone tap, its likely if ISP's had to do track all the traffic it would be a justifiable situation if we put the cost at doing such suitably high... I don't see it being all that difficult to do though, just expensive. I'm happy about catching anyone trading in child porn and serious crimes. I think there needs to be some limits though... Just one thing, what are they going to do about people using prepaid internet on prepaid cellular to do there naughtyness... Regards Shane
-----Original Message----- From: owner-nznog(a)list.waikato.ac.nz [mailto:owner-nznog(a)list.waikato.ac.nz]On Behalf Of Tony Wicks Sent: Monday, 13 November 2000 6:43 a.m. To: nznog(a)list.waikato.ac.nz Subject: RE: Internet Surveillance
number 2, it has to work it's way up the list of priorities, hopefully this week.
Well, I've had a couple of responses, but hardly any. I assume that this means either:
+ ISPs don't care about this issue at all
+ ISPs are too busy with real work to worry about it right now
+ ISPs have no confidence that anything ISOCNZ can say or do on the subject will ever come to anything anyway
Show of hands? :)
Joe --------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
--------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
--------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
On Mon, Nov 13, 2000 at 08:53:43AM +1300, Shane Cole wrote:
Just one thing, what are they going to do about people using prepaid ^^^^^^^ internet on prepaid cellular to do there naughtyness...
Prepaid? --------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
Overseas you can buy prepaid internet cards and of course you can buy prepaid cellular phones that are data capable, there you have an anonymous internet access account (or at the least false information) being accessed via an anonymous phone number. Thoughts?
-----Original Message----- From: Joe Abley [mailto:jabley(a)automagic.org] Sent: Monday, 13 November 2000 9:01 a.m. To: Shane Cole Cc: nznog(a)list.waikato.ac.nz Subject: Re: Internet Surveillance
On Mon, Nov 13, 2000 at 08:53:43AM +1300, Shane Cole wrote:
Just one thing, what are they going to do about people using prepaid ^^^^^^^ internet on prepaid cellular to do there naughtyness...
Prepaid?
--------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
Asia Online selling prepaid internet, in conjunction with Vodafone. I hope they've got a large abuse team... On Sun, 12 Nov 2000, Joe Abley wrote:
On Mon, Nov 13, 2000 at 08:53:43AM +1300, Shane Cole wrote:
Just one thing, what are they going to do about people using prepaid ^^^^^^^ internet on prepaid cellular to do there naughtyness...
Prepaid? --------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
--------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
#2, will try to get to it soon
-----Original Message----- From: owner-nznog(a)list.waikato.ac.nz [mailto:owner-nznog(a)list.waikato.ac.nz]On Behalf Of Joe Abley Sent: Monday, November 13, 2000 6:05 To: nznog(a)list.waikato.ac.nz Subject: Re: Internet Surveillance
On Mon, Nov 06, 2000 at 11:22:12AM -0500, Joe Abley wrote:
ISOCNZ have a working group looking at Internet Surveillance, and are attempting to decide on a position from which to make recommendations to the Government. It hasn't been running long.
http://listserver.actrix.co.nz/mailman/listinfo/isocnz-iswg
There was some noise in the press about police powers with respect to internet surveillance recently (although not much signal).
I'm trying to look at the operational impact of legislation in this area. Ignoring the philosophical debate about what is and what isn't appropriate about surveillance in general, or about police powers to gather evidence from ISPs:
[stuff]
Well, I've had a couple of responses, but hardly any. I assume that this means either:
+ ISPs don't care about this issue at all
+ ISPs are too busy with real work to worry about it right now
+ ISPs have no confidence that anything ISOCNZ can say or do on the subject will ever come to anything anyway
Show of hands? :)
Joe --------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
--------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
#2 - I'll try to get to it this week -----Original Message----- From: owner-nznog(a)list.waikato.ac.nz [mailto:owner-nznog(a)list.waikato.ac.nz]On Behalf Of Joe Abley Sent: Monday, 13 November 2000 06:05 To: nznog(a)list.waikato.ac.nz Subject: Re: Internet Surveillance On Mon, Nov 06, 2000 at 11:22:12AM -0500, Joe Abley wrote:
ISOCNZ have a working group looking at Internet Surveillance, and are attempting to decide on a position from which to make recommendations to the Government. It hasn't been running long.
http://listserver.actrix.co.nz/mailman/listinfo/isocnz-iswg
There was some noise in the press about police powers with respect to internet surveillance recently (although not much signal).
I'm trying to look at the operational impact of legislation in this area. Ignoring the philosophical debate about what is and what isn't appropriate about surveillance in general, or about police powers to gather evidence from ISPs:
[stuff]
Well, I've had a couple of responses, but hardly any. I assume that this means either: + ISPs don't care about this issue at all + ISPs are too busy with real work to worry about it right now + ISPs have no confidence that anything ISOCNZ can say or do on the subject will ever come to anything anyway Show of hands? :) Joe --------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog --------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
There seems to be a few things going on in this list of late including discussions on: * Internet Surveillance * Metting of admins without the pointy haired * NZ admins contact list Internet Surveillance: Joe Abley tried to stir things up by posting thse as reasons why no responses so far:
+ ISPs don't care about this issue at all
+ ISPs are too busy with real work to worry about it right now yes But I am sure if it is important enough people will give it their attention. Otherwise we stand to lose control over this.
+ ISPs have no confidence that anything ISOCNZ can say or do on the subject will ever come to anything anyway I am not sure what ISOCNZ can do on this topic. I think they may be able to get ISPs together to talk about it and perhaps arrange a meeting with the decision makers on the Govt end to discuss the issue.
In this I can see that while most of us think it is a good idea, there are other issues to be considered including * What this involves (in terms of cost of labour and technology, ability etc) * process There's also other issues that are not so cut and dried and that probably includes legal and privacy issues as well as whether each of us stand in this issue in terms of rights, freedom etc. (No I don't want to tread on this) Does anyone feel the need to meet with DIA (and whoever else in the govt) who know the technicalities of this to discuss the issue? Does anyone feel the need to discuss with people overseas who have worked in the field of tracking down hackers and taking them to jail? I've half mentioned this to someone in the US. IF there's a demand I can pursue this further. Where do people stand on each issue? For example I think it is one thing to track something the police have a warrent for than to act on their suspicions. I also don't believe in scanning emails for particular text strings to perhaps highlight possible problems (and I know this isn't effective especially with people being able to use pgp etc) What if someone is using encrypted or securirty like ssh/ssl/pgp/ and whatever other encryption there is. Where do you stand on port scanning? For example some say there's nothing wrong with portscanning - it is what they do with the information after they scan. Others say if they port scan they must be guilty or told off. Do all IRC servers have to log their traffic? It is not unknown for people to work in groups. We often face this on Undernet. So some script kiddie is pissed off. He tells his mates in their channel and before you can blink you get attacks from all over the place. I am not active on this frontline but can introduce you to the ones that are. At what cost are you going to do this? Can network admins be protected and remain anonymous? Or will they be named? Yes there's a cost. While in most cases the problem is found and sorted out. However if you get a bad lot or a particularly big team, the cost could be huge. One may say "I'll do anything". However can you bear the cost if it breaks up your marriage or drives your business to the ground? Sounds a bit extreme? Yes. Have either happened? Yes to both. Meeting - Yes please NZ Admins contact list People have been talking about it. Some have made a start. An email arrived on Friday with the code for the US netops list. (URL of that list is http://puck.nether.net/netops/ ) So if we want something like this in NZ, I can spend some time trying to get it going etc. (and if I can't I have offers of help for this) So please raise hands if you want it. regards lin --------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
On Tue, Nov 14, 2000 at 12:00:46AM +1300, Lin Nah wrote:
Internet Surveillance: [snip] I am not sure what ISOCNZ can do on this topic. I think they may be able to get ISPs together to talk about it and perhaps arrange a meeting with the decision makers on the Govt end to discuss the issue.
ISOCNZ plan to make a submission to the government about it. If they don't get any input from operators, the submission will be somewhat devoid of operational content. Joe --------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
Does anyone feel the need to meet with DIA (and whoever else in the govt) who know the technicalities of this to discuss the issue?
I think a meeting would be a good idea.. perhaps a proper confrence on this issue in NZ would be a good plan... if we can get enough interest we could perhaps organise a convention room somewhere and have a proper NZ internet security and the Law confrence with some of the important people in this feild in NZ attending.
I also don't believe in scanning emails for particular text strings to perhaps highlight possible problems (and I know this isn't effective especially with people being able to use pgp etc)
What if someone is using encrypted or securirty like ssh/ssl/pgp/ and whatever other encryption there is.
This issue is one I think needs to be looked at... I persoanlly use PGP for many e-mails with vendors overseas when transmitting commecially sensative information. Lets say the NZ police decide to look at all my e-mials. Do they have the right to say "Give us your passphrase.. here's a warrant" and if I say. "No bugger off" do I run the risk of imprisonment for "Opposeing police business"
Where do you stand on port scanning? For example some say there's nothing wrong with portscanning - it is what they do with the information after they scan. Others say if they port scan they must be guilty or told off.
And what about ISP's scanning their customers? It could be said to be a security issue. I used my parents ISP in the US and got portscanned from their NS server 2 times in one hour.. thinking they might have been hacked I called them and apparently they do it as a "service to their customers" They scan for open BO, netbus and other hacker things such as default redhat installs. Is this a breech of privacy?
Meeting - Yes please
Agreed perhaps a security and the law conferance.. I'ld be happy to help organise this.
So please raise hands if you want it.
Raise. Chris Rigby Senior Systems Engineer IHUG - Into the Internet --------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
I too think some serious discussion needs to take place around this.
Thanks Chris for the offer (I could prolly help out if in AK)
So my hand raised too.
Chris O'Donoghue
----- Original Message -----
From: "Chris Rigby"
Agreed perhaps a security and the law conferance.. I'ld be happy to help organise this.
So please raise hands if you want it.
Raise.
Chris Rigby Senior Systems Engineer IHUG - Into the Internet
--------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
--------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
I just spoke to the lecturer to taught the data security paper when I took it at uni. To cut the long story short... He is currently trying to get a meeting / seminar set up so we can hear it from the horses mouth. I don't doubt he can pull it off as he does have contacts. It is planned for sometime towards the end of this month. It will be publicised under the U of Auckland faculty of COmmerce and the NZ Information Security Forum (which he is the chair of and I was subtly reminded that my membership had lapsed for nearly 2 years). Anyway he was in a meeting and couldn't talk. I'll try to get hold of him tomorrow to find out more. If it sounds like what we need then I'll make sure you hear of the meeting. If doesn't, I'll see if I can organise a 2nd meeting with the same people but more in the forum we need (eg he can hold the one that general public may be interested in and we have another for the techies?) That all depends on what I hear wrt his plans. Will keep everyone posted. regards Lin --------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
Chris Rigby wrote:
Does anyone feel the need to meet with DIA (and whoever else in the govt) who know the technicalities of this to discuss the issue?
Much of this is being driven by the need for the Government officials to be in-line with the email surveillence now being legislated/proposed in various other countries. Legislation was recently passed in the UK to require the ISP's to provide a surveillence feed if required to do so by the Authorities. The question of costs, and the technical wisdom of providing such a feed was completely sidestepped. The situation is currently that NZ, if it wishes to continue to be a member of "the US/UK/EU security club" will need to put in place this legislation, or simply be excluded from all the security info that the club provides. (lets take a positive view, and assume much of this info is to do with drug smuggling, human smuggling, illegal arms trade etc etc). Since the authorities are likely to wish to continue their club membership, then one way or another, the powers to tap email/web/data will be put in place. The fact that it is incredibly technically difficult to do, with many routes out of the country, and widespread use of encryption technology makes it very difficult to decrypt any messages. This supposes of course that a message can be extracted intact from the millions of packets flying around. There is no mention yet of the fact that ISP's do not store anything, so how to deal with the storage issue......
Lets say the NZ police decide to look at all my e-mials. Do they have the right to say "Give us your passphrase.. here's a warrant" and if I say. "No bugger off" do I run the risk of imprisonment for "Opposeing police business"
If you oppose a validly issued warrant, then..... What would organising a conference do, apart from encouraging them? I think it would be more appropriate to let sleeping dogs lie, encourage widespread use of PGP, and wait until the first request comes, and then attempt to mould the resulting technical requirement. IMHO, I am intrigued by the idea that the authorities can actually deal with the sheer volume of data, and reconstruct it into anything useful. Rgds Roger De Salis, speaking for myself only, and neither Cisco nor ISOCNZ.
I think a meeting would be a good idea.. perhaps a proper confrence on this issue in NZ would be a good plan... if we can get enough interest we could perhaps organise a convention room somewhere and have a proper NZ internet security and the Law confrence with some of the important people in this feild in NZ attending.
I also don't believe in scanning emails for particular text strings to perhaps highlight possible problems (and I know this isn't effective especially with people being able to use pgp etc)
What if someone is using encrypted or securirty like ssh/ssl/pgp/ and whatever other encryption there is.
This issue is one I think needs to be looked at... I persoanlly use PGP for many e-mails with vendors overseas when transmitting commecially sensative information.
Lets say the NZ police decide to look at all my e-mials. Do they have the right to say "Give us your passphrase.. here's a warrant" and if I say. "No bugger off" do I run the risk of imprisonment for "Opposeing police business"
Where do you stand on port scanning? For example some say there's nothing wrong with portscanning - it is what they do with the information after they scan. Others say if they port scan they must be guilty or told off.
And what about ISP's scanning their customers? It could be said to be a security issue. I used my parents ISP in the US and got portscanned from their NS server 2 times in one hour.. thinking they might have been hacked I called them and apparently they do it as a "service to their customers" They scan for open BO, netbus and other hacker things such as default redhat installs. Is this a breech of privacy?
Meeting - Yes please
Agreed perhaps a security and the law conferance.. I'ld be happy to help organise this.
So please raise hands if you want it.
Raise.
Chris Rigby Senior Systems Engineer IHUG - Into the Internet
--------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
-- \_ Roger De Salis Cisco Systems NZ Ltd
Personally, I have no problems complying with a search warrant. What does concern me is that the Govt may decide to pass a bill that is a copy of the UK RIP bill. It is a vague piece of legislation, and is open to abuse. It is surprising that it was actually passed, given the outcry it caused. A well thought out piece of legislation would go a long way towards protecting us, as service providers, without draconian infringement of the end user's personal rights. The RIP bill has done a lot to hurt the e-commerce industry in the UK. Hopefully, Govt will actually think (rare concept) and consult the industry before putting something in place that makes our lives even more difficult. After all, if you have a fully meshed network, do you really want to introduce single points of failure just so GCSB/SIS/Police/(insert dept here) can sniff traffic? Gordon Smith Network Operations Manager Morenet Ltd. Fingerprint: 4093 91BC 0055 46B9 1B1A EDBA 45AD 2381 7B1D E4BE --------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
On 16 Nov 2000, at 7:48, Gordon Smith wrote:
Hopefully, Govt will actually think (rare concept) and consult the industry before putting something in place that makes our lives even more difficult. After all, if you have a fully meshed network, do you really want to introduce single points of failure just so GCSB/SIS/Police/(insert dept here) can sniff traffic?
In some cases, the opposition may be more help than the government. They actually have a net-savy person in there, David Farrar (admission: yes, I know him). So if the government does start proposing things which are actually unworkable, it may make sense to let both the government and the opposition know what the problems are. If it helps, I'm in Wellington and I'm quite prepared to assist with any lobbying or fronting up in front of committees etc. I've done it before at local government level, if that's any training. -- Dan Langille The FreeBSD Diary - http://www.freebsddiary.org/ FreshPorts - http://freshports.org/ --------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
On Thu, 16 Nov 2000 07:57:57 +1300, Dan Langille wrote:
On 16 Nov 2000, at 7:48, Gordon Smith wrote:
Hopefully, Govt will actually think (rare concept) and consult the industry before putting something in place that makes our lives even more difficult. After all, if you have a fully meshed network, do you really want to introduce single points of failure just so GCSB/SIS/Police/(insert dept here) can sniff traffic?
In some cases, the opposition may be more help than the government. They actually have a net-savy person in there, David Farrar (admission: yes, I know him). So if the government does start proposing things which are actually unworkable, it may make sense to let both the government and the opposition know what the problems are.
I lurk on this list also :-) I don't see this as a party political issue but certainly have an interest in making sure any legislation is both technically feasible and desirable. There has been some talk of a meeting in probably Auckland where ISP technical staff could talk with Minister/MPs and Advisers on these issues to try and obtain a win/win outcome. I think this is a laudable idea and will be happy to try and ensure the Opposition members of the Select Cmte would be there. Even if one has such a meeting it will be important for people to make formal submissions to the select cmte. If there are enough from Auckland they will travel up to hear them probably. ISOCNZ will certainly be doing a submission and ISPs should (IMO) consider whether they have the resources to do their own submission or contribute to ISOCNZ's one (or both). I am happy to advise people who wish to make a submission on any procedural stuff - there are booklets etc which are helpful. Like I said I don't see this as a political issue as much as using the political process to make sure the eventual legislation is sensible and does not pose an unfair burden on ISPs or allow arbitrary searching of individual's e-mails etc without due legal process. DPF ________________________________________________________________________ <david at farrar dot com> NZ Usenet FAQs - http://www.dpf.ac.nz/usenet/nz ICQ 29964527 --------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
On Tue, 14 Nov 2000, Lin Nah wrote:
Where do people stand on each issue? For example I think it is one thing to track something the police have a warrent for than to act on their suspicions. I also don't believe in scanning emails for particular text strings to perhaps highlight possible problems (and I know this isn't effective especially with people being able to use pgp etc)
What if someone is using encrypted or securirty like ssh/ssl/pgp/ and whatever other encryption there is.
Where do you stand on port scanning? For example some say there's nothing wrong with portscanning - it is what they do with the information after they scan. Others say if they port scan they must be guilty or told off.
Do all IRC servers have to log their traffic? It is not unknown for people to work in groups. We often face this on Undernet. So some script kiddie is pissed off. He tells his mates in their channel and before you can blink you get attacks from all over the place. I am not active on this frontline but can introduce you to the ones that are.
See, my understanding of the whole issue was that the police and friends want the ability, with a warrant, to monitor the activity of specific users. There is no plans for big brother to be scanning your email for occurances of "Helen Clark" and "Kill". I personally have no problem with the police being able to collect information persuant to a warrant. This means the police bring a warrant and a box. The box gets set up to do it's thing (whatever that may be) for the time the warrant says. Then the box and the police go away. An important distinction is that this should not mean that ISPs have to maintain any traffic records for users to present at a later date. Of course the police would have to pay any costs incurred and there are issues surrounding their access to ISP's networks (ie they are only getting what they say they are, not any other data). Also, if they are going to use the internet to get data about 'real world' crimes I think they should also take the step of implimenting computer crime laws. There is also the issue of implied guilt, if I am being monitored and I receive a PGP email, which I can't (or won't) divulge the key for, what happens then? How is that handled? I personally would really like to hear from the DIA/Police about the specifics of exactly what it is they are proposing... -- Dylan Reeve - dylan(a)wibble.net "Um, yeah." --------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
On Wed, Nov 15, 2000 at 14:04 +1300, Dylan Reeve wrote:
I personally would really like to hear from the DIA/Police about the specifics of exactly what it is they are proposing...
I've seen my old employer mentioned a couple of times in respect of the proposals, but I doubt they are greatly involved. In their crusade against objectionable material, they have never seemed, IMHO, particularly constrained by the law, and given the general obloquoy reserved for those who prey on those we leave so vulnerable, most ISPs have rolled over and given them practically carte blanch, warrant or no. It will probably, and appropriately, be Justice and Police who are most involved in this, though I'm sure there are those in DIA who would like expansion of their powers, along with the tens, (or is it hundreds?) of State flunkies from Agriculture to Customs who's enforcement responsibities hugely outweigh your rights to not be home invaded by the State.
Dylan Reeve - dylan(a)wibble.net
Hamish. -- Some people approach every problem with an open mouth. -- Adlai Stevenson --------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
At 11:22 AM -0500 6/11/00, Joe Abley wrote:
I'm trying to look at the operational impact of legislation in this area. Ignoring the philosophical debate about what is and what isn't appropriate about surveillance in general, or about police powers to gather evidence from ISPs:
[After not a lot of people responded, Joe attempted to shame us into replying. For the record, I'm too busy (excuse #2)]
+ suppose the police have sufficient cause to be suspicious about the antics of one of your customers that they obtain a court order which entitles them to "tap their internet traffic". Suppose you decided (or were compelled) to facilitate the "tap".
o what is reasonable for them to tap? Incoming (to-customer) e-mail? Outgoing (from-customer) e-mail? A complete packet dump?
Email, probably. A complete packet dump could present problems. I would be unwilling to do anything that would cost us money--without appropriate recompense---or that would impact network performance---in any event. I am unwilling to slow my STM-1024 down to V.24 speeds so I can wiretap.
o would you be happy letting someone from the police connect her own equipment to your network in order to gather the evidence the court order entitled them to collect? Would you prefer to do it yourself?
In general, no. I doubt their laptop has a suitable STM-1024 interface. Where possible, yes, under our supervision.
o would your company expect to be reimbursed for the time spent facilitating the "tap"?
Of course. Actually, I'd expect that my company could and therefor should just write the cost off to civic welfare, but I think that a struggling ISP might not appreciate having to stump up overtime for several people to make the tap work.
o how easy would it be for you to insert something in your network to capture all packets to/from one of your customers? (scale of 1 [trivial] to 10 [impossible])
1-10. It depends on which customer and where in the network.
+ suppose all interception of network traffic was prohibited across the board without a court order; i.e. you were compelled to shift your customers' traffic blindfolded, and were absolutely not allowed to look at it. Would this be feasible? How much troubleshooting would be impossible under these kinds of conditions?
Depends on how it's worded. In the extreme case, if I can't look at my customers' packets, I (my routers) can't read the address headers and the packets never make it past the first RJ-45! I would consider the wording in the current radio regs for amateurs has the right flavour. In the event that you intercept communications not intended for you, you are required to act as if you had not in fact intercepted the communications. In particular you must not communicate them to a third party. What's the statement? "Hard cases make bad law"? I shudder to think how to draught legislation that accurately and unambiguously sets out the rights and obligations of all parties and also keep up with technology. Let's just promote PGP a lot :-) -- Michael Newbery Technical Specialist Telstra Saturn Tel: +64-4-939 5102 Mobile:02-939 5102 Fax:+64-4-939 5100 --------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
participants (16)
-
Chris O'Donoghue -
Chris Rigby -
Dan Langille -
DPF -
Dylan Reeve -
Gordon Smith -
Hamish MacEwan -
Jeremy Clyma -
Joe Abley -
Juha Saarinen -
Lin Nah -
Michael Newbery -
Philip Beckmann -
Roger De Salis -
Shane Cole -
Tony Wicks