[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Speak of the Devil

On Thu, 18 May 2006, Mike Perry wrote:

A few varying thoughts here:

I can't speak for the british government, but if someone came to me and said "someone is using your SSL-enabled webmail system to traffic kiddie porn" and felt that somehow the easiest way to sniff their traffic was with my private key (as opposed to just asking me to tap their spool dir, tar up their homedir, and gladly hand over any information associated with them), I'd be more than willing to cooperate. With probable cause. I know warrants are difficult, but I come from a law enforcement family.

Sadly, the truth here is that if someone is using my server, then the fedgov HAS to act as if I am in on this, and will likely blow their investigation if they contact me -- at least this is how procedural rules are set up for them.

I've investigated kiddie porn complaints on my network, and let me say this in total seriousness -- while we've all seen the maxim-like young looking models that are just recently 18 (hell, they advertise on regular cable here in the states)...every once in a while you come across a site like the ones in question that is so blatant, so disgusting -- where there's no question in your mind that yes, that's thirteen. Following that, there's a fit of nausea and a willingness to research some drug or amount of voltage that can remove the images you've just seen from your mind. I'm told the sensation is about ten times worse if you're a parent.

With that said, however...

There's nothing stopping governments from logging the traffic (possibly at a higher level, like the upstream level) and then getting a subpoena for whatever key was used to encrypt it.

The PROBLEM with this method is that once the length of the warrant has expired, 99 percent of people out there DO NOT check CRL's. I myself am guilty of this. I.e. once the government HAS your key, they've got it for the lifetime of your cert -- and while you can certainly retire that cert from use, there's no way to prevent the now-compromised cert and key from being used creatively for the remainder of the validity period.

Or am I wrong here?


British govt just started pushing for Part III of RIPA citing
terrorism and kiddie porn as major reasons to require people to
disclose encryption keys...


Seems we may have a strong ally on our side on this one. International
bankers might not want the local police requiring them to hand over
keys either, though they certainly have enough political influence to
stop investigations before they start I'm sure...

The UK Crypto thread that spawned this article is here:

One can only hope that the Bill of Rights is enough to keep this
bullshit out of the US, but who knows.


"Don't be so depressed dear."

"I have no endorphins, what am I supposed to do?"

-DM and SK, February 10th, 1999

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org