Using Open Switches To Defeat NSA Backdoors
Companies such as Cisco and Huawei have faced allegations that their routers and switches contain backdoors – ways of getting around security features – installed at the behest of their respective national governments. Any such backdoors would be difficult to detect, some software experts say, because the software used to run those components is proprietary, and thus not open to inspection by third parties. Networking equipment based on the Open Compute standard would be more open to inspection because it is based mainly on open source software, say advocates. “Many of the recent backdoors in closed-source switches would have been easy to spot in open source software,” said Johannes B. Ullrich, the dean of research at SANS Institute, a security certification company, in an email to CIO Journal.
Huawei said it is committed to pursuing open industry standards to further interoperability, innovation and competition, and is an active participant in global technical standards groups as well as the open source community. Cisco didn’t respond to a request for comment for this story. It has said in the past that it is committed to interoperability and adherence to industry standards.
Cumulus Networks makes Open Compute-based software for network switches. While not all of the software is open source, a very large percentage of it is, said J.R. Rivers, co-founder and CEO at Cumulus Networks. “The parts that you could break into are all open source,” he told CIO Journal. “Technologies like the [open source] Linux kernel are really good because so many people look at it, attack it and hack it,” he said. As a consequence, problems get fixed and the software keeps getting better, he added.
While Open Compute switches may make it easier to spot backdoors, there are still some security concerns. First, Open Compute switches use some of the same components as proprietary switches. They come from original equipment manufacturers with a chipset and low-level operating software. Any vulnerabilities coming from OEMs would also impact Open Compute switches, said Mr. Ullrich.
Today there are no tests to certify that chips being integrated into open servers or other hardware are clear of backdoors or malware, said Ron Williams, vice president of operations at Riot Games, in an email. Riot Games buys Open Compute servers and is interested in buying network switches based on the standards. He said he expects the issue of certification to be resolved this year.
Facebook last week told CIO Journal it plans to move this year to switches based on the new standards and stop purchasing gear from conventional networking suppliers.
FBI Surveillance Backdoor Also Open To Hackers
This past May, according to news reports, the FBI lobbied the White House not to oppose a new piece of legislation the FBI's lawyers had drafted.
The proposed law would force companies such as Facebook, Google, Microsoft and Twitter to build "backdoors" into their software so that law-enforcement agencies could eavesdrop on communications.
But privacy advocates say building backdoors into communications software and hardware may create more problems than it solves for law enforcement — and may make the country more vulnerable to cyber attacks.
Hand Over The Keys
The FBI would neither confirm nor deny the existence of the legislation or its White House visit, but it's something the bureau has nonetheless been asking Congress for.
"It is critically important that we have the ability to intercept electronic communications with court approval," FBI General Counsel Valerie Caproni told a House subcommittee in February 2011. "We confront, with increasing frequency, service providers who do not fully comply with court orders in a timely and efficient manner."
Caproni cited the cases of a South American arms-trafficking ring that used encrypted communications and a pimp who lured underage girls into his prostitution ring through social networking.
The prosecution of both cases, she said, was hampered by the inability of law enforcement to eavesdrop on the suspects.
More recently, Twitter has resisted the New York City Police Department's demands that it turn over records pertaining to its users. Such headaches would be forgotten if the FBI's proposed law were to be passed.
In December, FBI Director Robert Mueller testified to Congress that there was a real risk of law enforcement "going dark" — losing the ability to intercept communications.
"A growing gap exists between the statutory authority of law enforcement to intercept electronic communications pursuant to court order and our practical ability to intercept those communications," Mueller said.
In other words, the technology now available to criminals, terrorists and ordinary citizens is outstripping the ability of the FBI and other law-enforcement organizations to listen in.
The Law As It Now Stands
The proposed legislation would amend a 1994 law called the Communications Assistance for Law Enforcement Act (CALEA).
CALEA is the reason the phone company can allow police to tap calls at the switching substation, where the calls are routed, rather than have someone install a bug in a house. The law was expanded in 2004 to include broadband Internet providers.
Ever since the Pretty Good Privacy encryption program for email was introduced in the early 1990s, encryption has been widely available to the general public. Encryption used to take up a lot of computing power, but the processing speed of current devices makes it easy.
Research In Motion's BlackBerry Messenger service, for example, is so strongly encrypted that the governments of India and the United Arab Emirates have demanded the company provide the keys to decoding the messages. (RIM has partially complied.)
The Internet-based international telephone-and-video-chat service Skype also encrypts calls, though there are ways to defeat it. Many privacy advocates worry that Microsoft's recent acquisition of Skype means that the government will soon have keys to decrypt its communications.
Even so, the FBI says there are still obstacles.
"Many communications providers are not required to build or maintain intercept capabilities in their ever-changing networks," Mueller told the House and Senate Judiciary Committees in May. "As a result, they are too often not equipped to respond to information sought pursuant to a lawful court order. … We must ensure that the laws by which we operate keep pace with new threats and new technology."
Basically, that means the phone companies and device makers aren't forced to build in eavesdropping ability for law enforcement.
If The FBI Gets In, Can Hackers Too?
Right now the law applies to telecom providers — phone companies — but the FBI is seeking to expand the definition. (It's important to note that nobody is looking to change the legal requirement that a search warrant be obtained to wiretap anyone.)
That may speed up gathering evidence. But it can also leave the good guys vulnerable, said Chris Calabrese, legislative counsel at the American Civil Liberties Union in Washington, D.C.
"In Greece, the prime minister's phone calls were being tapped," Calabrese said, referring to a 2005 incident in which high-level Greek government officials found their phones had been hacked.
While it was likely that a rival intelligence agency had done it, access to the systems was gained through the same sort of "backdoor" that the FBI is seeking.
Calabrese added that it's debatable whether law enforcement really needs additional surveillance capabilities.
Other methods already exist — for example, encrypted communications can be tapped if an FBI agent or police officer gets access to a suspect's computer, and a keylogger would reveal all of the suspect's passwords quickly.
It's also possible to eavesdrop on communications at the "switch" level by asking a telecom provider for access.
"They can get a lot of this via AT&T," Calabrese said. "Is it really worth re-architecting the Internet?"
(Last month, nine U.S. cellular carriers revealed that they had received more than 1 million law-enforcement requests for customer data in 2011.)
Peter Eckersley, technology projects director at the Electronic Frontier Foundation, a digital-rights advocacy group in San Francisco, said the problem is that when you build any vulnerability into a system, security decreases significantly.
In other words, a built-in backdoor won't stay a secret for long, and a good hacker will learn to exploit it.
Stewart Baker, a former assistant secretary of policy at the Department of Homeland Security, disagreed with Calabrese and Eckersley.
"I would not judge all lawful intercept features based on the Greek experience any more than I’d judge government management of the economy based on the Greek experience," Baker told SecurityNewsDaily in an email.
Traditional methods of surveillance are more "hit or miss," Baker said. "Keyloggers aren't as easy as you imagine."
As for the vulnerabilities introduced by backdoors, Baker said that careful monitoring can prevent them from being used by criminals or abused by law enforcement.
The Power May Already Be There
Michael Gregg, president and chief operating officer of Superior Solutions, an IT security consulting firm in Houston, has done penetration testing and training for federal agencies, including law enforcement.
"The federal government presently has a wide array of tools that can be used to monitor voice communications, cellphones and electronic data on the Internet," Gregg said. "While built-in backdoors would make it much easier for the government to monitor communications in real time, the real question is: Would such technology be abused and used to limit free speech?"
Gregg's concerns become especially salient with the prospect of backdoors being built directly into websites. An oppressive government might use them to monitor visitors to the site.
Some new technologies actually make it easier for the FBI, or anyone else, to track where one goes online. Internet Protocol version 6, the upcoming universal Internet standard, makes it possible to link an Internet address to a machine's unique network hardware.
"Advertisers, criminals, they would all be able to see it," Eckersley said.
Some operating systems — Windows 7 and Apple's OS X and iOS among them — add privacy features to IPv6 that generate random Internet addresses. But Eckersley noted that the implementation is not universal.
To him, that fact makes the FBI's claim that it needs new backdoors all the more surprising.
"It's sort of Orwellian when they say they need more surveillance capability in the face of that," Eckersley said.
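The IPv6 point above can be checked on one's own machines. The following is an added example, not part of the original article: it assumes addresses formed with the modified EUI-64 scheme of RFC 4291, and the MAC and the 2001:db8:: documentation-prefix addresses are constructed samples. It reports which of a host's addresses embed the network card's hardware address and which look randomized.

```python
import ipaddress


def mac_to_slaac(prefix: str, mac: str) -> str:
    """Build the address a host derives from a /64 prefix and its MAC
    using modified EUI-64 (RFC 4291): insert ff:fe in the middle of the
    MAC and invert the universal/local bit of the first byte."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("interface identifiers are 64 bits; need a /64 prefix")
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    return str(net[int.from_bytes(iid, "big")])


def embedded_mac(addr: str):
    """Return the MAC recoverable from an IPv6 address, or None.

    The ff:fe marker is a heuristic: a randomly generated identifier
    matches it by chance about once in 65,536 addresses."""
    iid = ipaddress.IPv6Address(addr).packed[8:]  # low 64 bits
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def audit(addresses):
    """Return (address, mac, scope) for every address that exposes a MAC.
    Link-local addresses are seen only on the local network; global ones
    are seen by every remote site the host contacts."""
    findings = []
    for text in addresses:
        mac = embedded_mac(text)
        if mac is not None:
            addr = ipaddress.IPv6Address(text)
            scope = "link-local" if addr.is_link_local else "global"
            findings.append((text, mac, scope))
    return findings


if __name__ == "__main__":
    # Constructed sample: one host's addresses as an OS might list them.
    host_addresses = [
        mac_to_slaac("2001:db8:1:2::/64", "00:1a:2b:3c:4d:5e"),
        "fe80::21a:2bff:fe3c:4d5e",
        "2001:db8:1:2:7c3e:91a4:5bd0:e217",  # randomized identifier
    ]
    for address, mac, scope in audit(host_addresses):
        print(f"{address} ({scope}) exposes hardware address {mac}")
```

A global address flagged here keeps the same last 64 bits on every network the machine joins, which is what allows it to be followed from one network to the next.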
Monty Henry, Owner